Wednesday, March 23, 2005

Registry HOWTO format

I've been working out some ideas regarding a HOWTO for the Registry and wanted to post what I'd come up with so far, and solicit thoughts and ideas on the format. So far what I've got is:
  • A description of the Registry (gotta get us all on the same page)
  • What is stored in the Registry?
  • What to look for in the Registry when dealing with specific issues/cases (ie, CP, malware, intrusion, etc.)

What else would be of value?

Oddly enough, I haven't received a single comment to my "The Registry as a log file" blog entry. I thought that perhaps that one would be controversial enough so that someone would at least tell me that I'm out of my mind. So...either I'm completely on target, or I'm so far off base with that one, no one wants to even acknowledge it. ;-)

4 comments:

Brandon said...

Hey Harlan,

I skimmed your book again this weekend looking primarily at what you had to say about reg entries. There is already a good amount of information in there and some scripts to parse it.

I am interested in what you have to add to it though. I must have missed "The Registry as a log file" entry but have just now read it. Right now I am only in a position to take your word for it as I am not all too familiar with the LastWrite time for the registry. I don't understand, is this kept for each reg entry?

Keydet89 said...

Brandon,

I'm glad you found something in the book useful.

With regards to Registry key LastWrite times, these values are only associated with keys; ie, in RegEdit, what you see as folders in the left-hand pane of the window. The stuff on the right...values and data...doesn't have a LastWrite time. However, whenever the key is modified (ie, values added, changed, deleted), the LastWrite time is updated. Knowing when, how, and via what means different keys can be updated or modified will provide the analyst with information to make use of the LastWrite time.

Does that help?

Brandon said...

Gotcha,

I have never really given the use of the registry any thought as a possible source of time stamped or time related information. This could assist when a bad guy changes MAC times on a file that may also be tracked in the registry, or when a possible entry was entered, say an entry in "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run": we could get an idea whether the MAC times on the file match the time on the registry entry, IF the key had not been modified later, whether legitimately or not.

Interesting.

Keydet89 said...

Brandon,

You've got it!

Harlan
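The check Brandon sketches above, comparing the LastWrite time of the Run key against the modification times of the executables it launches, as an added example (not code from the post or from Harlan's book). The live-read helper uses Python's standard `winreg` module on Windows; the assessment function is portable and takes the file-time lookup as a parameter, and the demo values at the bottom are constructed, not from a real system.

```python
import re
from datetime import datetime, timedelta, timezone

try:  # winreg exists only on Windows; the comparison logic itself is portable
    import winreg
except ImportError:
    winreg = None

RUN_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
# A key's LastWrite time is a Windows FILETIME: 100-ns ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ticks: int) -> datetime:
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def exe_from_command(cmd: str) -> str:
    """Program path from a Run value, quoted ("C:\\a b\\x.exe" /q) or bare (x.exe /q)."""
    m = re.match(r'\s*"([^"]+)"|\s*(\S+)', cmd)
    return (m.group(1) or m.group(2)) if m else cmd.strip()

def assess_run_entries(key_lastwrite, values, mtime_of):
    """values: Run value name -> command line; mtime_of(path) -> UTC datetime or None.
    LastWrite is a single stamp for the whole key: it bounds when the key was last
    touched, not when each individual value was added (the caveat in the comments)."""
    report = {}
    for name, cmd in values.items():
        exe = exe_from_command(cmd)
        mtime = mtime_of(exe)
        if mtime is None:
            verdict = "missing"      # value points at a file that no longer exists
        elif mtime > key_lastwrite:
            verdict = "file_newer"   # binary changed after the key was last written
        else:
            verdict = "consistent"   # file predates the key's LastWrite
        report[name] = (exe, verdict)
    return report

def read_live_run_key(hive=None):
    """Windows only: (LastWrite as UTC datetime, {value name: command}) for the Run key."""
    if winreg is None:
        raise RuntimeError("winreg is only available on Windows")
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE if hive is None else hive, RUN_KEY) as key:
        _, n_values, ticks = winreg.QueryInfoKey(key)
        values = dict(winreg.EnumValue(key, i)[:2] for i in range(n_values))
    return filetime_to_datetime(ticks), {k: str(v) for k, v in values.items()}

if __name__ == "__main__":  # constructed demo values, not from a real system
    lw = filetime_to_datetime(127560096000000000)  # 2005-03-23 00:00 UTC
    fake_mtimes = {r"C:\WINDOWS\svc.exe": lw + timedelta(days=2)}
    print(assess_run_entries(lw, {"Svc": r"C:\WINDOWS\svc.exe -k"}, fake_mtimes.get))
```

On a live Windows box, `lw, vals = read_live_run_key()` followed by `assess_run_entries(lw, vals, lambda p: datetime.fromtimestamp(os.path.getmtime(p), timezone.utc) if os.path.exists(p) else None)` runs the same comparison against the real key; a `file_newer` verdict is only a lead, since a later legitimate write to any value in the key moves the LastWrite forward for all of them.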