Hi all,
I'm developing a forensic tool to track user activity (in the hope of re-constructing a timeline of activity) and within the application I want to use a Windows API function called RegLoadKey. Basically this takes the user's NTUSER.DAT file and loads it into a temporary Registry key so that the subkeys can be accessed. The key is then unloaded using the RegUnloadKey function. I am unsure if this will affect the integrity of the system, from the point of view of running it on a live system.
Has anyone any thoughts on this?
So this would be a live function on an active user's system?
1. If we're talking LIVE on a user's active system
What OS is the target?
From (I think) Vista and onwards, you can enable Registry and Filesystem auditing to the event log, or forward that to a Syslog server which the user cannot access.
Loading things into the registry while the system is active could result in corruption. From a quick Google I saw that RegLoadKey() loads the data directly into the root of the registry hive, and that could cause the system to crash, become corrupt or cause weird timestamps on the LastWrite timestamp on the registry keys - and I do not think you want any of those.
If you are dead serious about rolling your own solution, it would be better to hook onto the registry functions.
The simplest solution under any windows version would be to shell
2. If we're talking a "Live system" as in Liveview or a captured image
You can export the registry keys as text, then grab the LastWritten time from the registry dump file.
So this would be a live function on an active user's system?
Yes, the application is run, via an external drive/ pen drive, on a currently active computer. It reads the NTUSER.DAT (user profile) of any user (other than the currently logged in user) on that system by using the RegLoadKey/ RegUnloadKey functions. As I said, this involves creating a temporary key into which the user profile is loaded. I can then run searches etc. on these Registry keys. When the function exits, the temporary key is unloaded.
Would it be a better solution to copy the NTUSER.DAT file to another location (off the computer) and perform the RegLoadKey function on the copy?
@ MDCR,
The target OS is Windows Vista onwards. The reason I am developing my own solution is because it is part of a Masters degree.
The aim of my application is to allow the retrieval of user activity information and construction of a comprehensive timeline with as little manual intervention as possible (that is the hypothesis). So would your suggestion of exporting the keys etc. be more manually intensive?
Well, if you want to make a timeline, you could also benefit from dumping the filesystem MAC. The registry does not contain any last access or creation time timestamps, just the last modified timestamp, and that really limits your ability to determine what has happened in a system.
But no, you basically export the entire registry (all hives) to text files, the result is data like this
Key Name HKEY_LOCAL_MACHINE
Class Name <NO CLASS>
Last Write Time 2010-12-31 - 1234
Key Name HKEY_LOCAL_MACHINE\HARDWARE
Class Name <NO CLASS>
Last Write Time 2010-12-31 - 1234
(and so on)
From this you can determine at what time a certain key was written to; individual values have no timestamps. Should be easy enough to write a parser for that.
@ MDCR,
The aim of my application is to allow the retrieval of user activity information and construction of a comprehensive timeline with as little manual intervention as possible (that is the hypothesis). So would your suggestion of exporting the keys etc. be more manually intensive?
I guess it depends on what manually intensive is. I almost always now triage systems and all the keys and run in RegRipper. So then as imaging and other things run on the device I can parse those results. It has been my experience that there is generally quite a bit to do as you are on site collecting/investigating, and the more you can multi task the better. Might want to pop over to Harlan's site and take a look at all the RegRipper posts and add ons, as there is now work that Matt Churchill did with Windows Ripper http://
Well, if you want to make a timeline, you could also benefit from dumping the filesystem MAC, the registry does not contain any last access or creation time timestamps, just the last modified timestamp and that really limits your ability to determine what has happened in a system.
But no, you basically export the entire registry (all hives) to text files, the result is data like this
Key Name HKEY_LOCAL_MACHINE
Class Name <NO CLASS>
Last Write Time 2010-12-31 - 1234
Key Name HKEY_LOCAL_MACHINE\HARDWARE
Class Name <NO CLASS>
Last Write Time 2010-12-31 - 1234
(and so on)
From this you can determine at what time a certain key was written to; individual values have no timestamps. Should be easy enough to write a parser for that.
Cool, I didn't know you could do this. The last write times are really all that I needed because I wanted to be able to list any Registry keys that the user had modified when logged on. Thanks for your help!
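To show what the parser MDCR describes looks like, and how it answers the "which keys did the user touch while logged on" question from the reply above, here is an added example (not code from the thread or from RegRipper). It assumes the dump uses exactly the "Key Name / Class Name / Last Write Time" layout and the "YYYY-MM-DD - HHMM" time format shown in the post; a real export tool may format lines differently, so adjust the regexes to your dump. The sample dump and the SID in it are constructed.

```python
"""Parse a text registry dump (Key Name / Class Name / Last Write Time
blocks) into a timeline of key last-write times, then pick out the keys
written during a given logon session."""
import re
from datetime import datetime

# Constructed sample dump in the layout shown in the thread.
SAMPLE_DUMP = """\
Key Name HKEY_USERS\\S-1-5-21-1111\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU
Class Name <NO CLASS>
Last Write Time 2010-12-31 - 1234
Key Name HKEY_USERS\\S-1-5-21-1111\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RecentDocs
Class Name <NO CLASS>
Last Write Time 2010-12-31 - 1302
Key Name HKEY_USERS\\S-1-5-21-1111\\Software\\Microsoft\\Windows\\CurrentVersion\\Run
Class Name <NO CLASS>
Last Write Time 2010-11-02 - 0915
Key Name HKEY_USERS\\S-1-5-21-1111\\Software\\Broken
Class Name <NO CLASS>
"""

KEY_RE = re.compile(r"^Key Name\s+(.+?)\s*$")
TIME_RE = re.compile(r"^Last Write Time\s+(\d{4}-\d{2}-\d{2}) - (\d{4})\s*$")

def parse_stamp(day, hhmm):
    """Turn the dump's 'YYYY-MM-DD' and 'HHMM' fields into a datetime."""
    return datetime.strptime(f"{day} {hhmm}", "%Y-%m-%d %H%M")

def parse_dump(text):
    """Return a list of (last_write, key_path) sorted oldest first.
    A key block with no parseable Last Write Time is skipped rather than
    guessed: a missing timestamp must not become a fake one on a timeline."""
    entries, current = [], None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = TIME_RE.match(line)
        if m and current is not None:
            entries.append((parse_stamp(*m.groups()), current))
            current = None   # one timestamp per key; values carry none
    return sorted(entries)

def keys_written_during(entries, logon, logoff):
    """Keys whose LastWrite falls inside the session window (inclusive)."""
    return [(ts, key) for ts, key in entries if logon <= ts <= logoff]
```

The session window would come from the logon/logoff events in the Security event log on the same box, so the two sources need to be on the same clock and timezone before comparing.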
@ MDCR,
The aim of my application is to allow the retrieval of user activity information and construction of a comprehensive timeline with as little manual intervention as possible (that is the hypothesis). So would your suggestion of exporting the keys etc. be more manually intensive?
I guess it depends on what manually intensive is. I almost always now triage systems and all the keys and run in RegRipper. So then as imaging and other things run on the device I can parse those results. It has been my experience that there is generally quite a bit to do as you are on site collecting/investigating, and the more you can multi task the better. Might want to pop over to Harlan's site and take a look at all the RegRipper posts and add ons, as there is now work that Matt Churchill did with Windows Ripper http://regripper.net/?p=248 that can possibly help you out.
I suppose what I meant by manually intensive is the amount of time it would take to retrieve the information. As you said, there is a lot to do during the course of an on site investigation, so the more efficient the tool at retrieving information, the better. I'll check out the Windows Ripper to see if I can use it/ create my own version. Thanks for your help!
@ MDCR,
The aim of my application is to allow the retrieval of user activity information and construction of a comprehensive timeline with as little manual intervention as possible (that is the hypothesis). So would your suggestion of exporting the keys etc. be more manually intensive?
I guess it depends on what manually intensive is. I almost always now triage systems and all the keys and run in RegRipper. So then as imaging and other things run on the device I can parse those results. It has been my experience that there is generally quite a bit to do as you are on site collecting/investigating, and the more you can multi task the better. Might want to pop over to Harlan's site and take a look at all the RegRipper posts and add ons, as there is now work that Matt Churchill did with Windows Ripper http://regripper.net/?p=248 that can possibly help you out.
I suppose what I meant by manually intensive was the ability of the tool to retrieve information as quickly and efficiently as possible. As you said, there is generally much to do on site during the course of an investigation, so an efficient tool is a must. I'll check out Matt's Windows Ripper to see if I can use it/ develop my own version.