Sunday, September 07, 2014

Windows Phone 8 and RegRipper

Last week, Cindy Murphy (@cindymurph) sent me some Registry hive files...from a Windows Phone 8.  This was pretty fascinating, and fortunate, because I'd never seen a Windows phone, and had no idea if it had a Registry.  Well, thanks to Cindy, I now know that it does!

Looking at the hive files was pretty fascinating.  The first thing I did was open one of the smaller hive files in UltraEdit, and I could clearly see that it followed the basic structure of a Registry hive file (see chapter 2 of Windows Registry Forensics).  Next, I opened one of the hives in a viewer, and saw that the hive file opened nicely; however, there were clearly differences in what I expected to see, with respect to a desktop or laptop running Windows.

Finally, I ran a couple of RegRipper plugins against the System hive that Cindy provided, in part because I saw that there were some keys with the same paths as the ones I generally see on Windows systems.  For example, the compname.pl and timezone.pl plugins worked just fine.  For the Software hive, the profilelist.pl plugin worked just fine, although there was only one profile listed.  Interestingly enough, the SAM hive had the correct structure and a root key, but no subkeys.

So, if there's a question as to whether or not RegRipper works when run against hive files from a Windows Phone 8, the answer is "yes", but with a caveat...you can't expect all of the plugins to work, simply because the current RegRipper plugins are intended to run against hives extracted from Windows computer systems.  I would like to be able to write plugins for the phone hives, but I won't be able to that until more data becomes available and more analysts can identify what it is they find important and of-interest in these hive files.

I'd like to send a thank you to Cindy for sharing the hive files and helping to expand my view into this data source a bit.





No comments: