Tuesday, February 07, 2006

Registry research

Is anyone out there doing research into the Windows Registry, from a forensic perspective?

I know that there are viewers available to allow you to see what's in the raw Registry files, and that these viewers are available for a variety of platforms. That's not what I'm looking for.

I'm also aware of the lists of Registry keys that are available, particular the one from AccessData that seems to be pretty popular. While it is a good starting point, there really isn't enough information about the keys/values in the list, and what causes them to be created, modified, or deleted to be useful beyond a certain point.

What I'm asking here is this...is anyone doing research into the conditions that cause various keys/values to be added to, modified, or deleted from the Registry (this also applies to the LastWrite time associated with Registry keys)? This is extremely important in the area of Windows forensic analysis, as it adds context to what the investigator sees.

Some things are obvious (though they could be better documented) such as the TypedURLs key...values are added when the user types a URL into the Address bar of IE. Other things aren't so obvious, such as what causes the LastWrite time of the unique ID key for a USB removeable storage device to be updated?

Is there anyone out there doing this kind of research? At the least, I'd like to consolidate a list of links. Ideally, I'd like to see the efforts themselves consolidated and optimized.

3 comments:

Anonymous said...

Don't know if you had heard this but the new MS desktop OS (Vista) will be changing some of the rules for the registry and also file locations given the user access control (UAC). What this basically does is create a virtual location where user specific data is kept. Check out http://windowsconnected.com/blogs/jerry/archive/2005/12/19/86.aspx for a brief writeup.

Clint said...

This might help some:

http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/Default.asp?url=/resources/documentation/Windows/2000/server/reskit/en-us/w2rkbook/regentry.asp

Love the book by the way. It has to have sold more than 3500.

Keydet89 said...

Clint,

> This might help some:

That's just a list, and it's hardly comprehensive. Sure, it's good for some things, but not for real, deep, hard core analysis.

> Love the book by the way.

Thanks.

> It has to have sold more than 3500.

Not yet.