Thursday, December 01, 2005

Registry Reference

One thing I've really noticed over the years is that while some information is available out there on some Registry keys and values, there really isn't much that is useful/credible and geared toward forensic analysis. So I've been considering starting up a reference resource...well, I brought the subject up on a couple of lists, mostly looking for input, and the overwhelming response was, "Great! Let me know what I can do to help."

I haven't really settled on a format, per se, outside of basic elements, such as key/value path, data type of the value(s), a description or explanation of the key/value and what conditions lead to the creation/modification of the key/value, credible references, and the name of the submitter. One thought I had was to list everything in HTML, making it easily portable. Another thought was to use a database of some sort, because in doing so, scripts can be written to search the database, or extract information into text, HTML, XML, etc....whatever format suits the user.

Again, the goal is to provide credible, referenced information about Registry keys, as Registry analysis is something that simply hasn't been explored up to this point...at least, not in any great depth.

If you've got any thoughts on this, let me know. And yes, I am aware of the paper AccessData put out...thanks.

7 comments:

Anonymous said...

Here's a (not so complete) reference for Win2k:

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/DepKit/c4dd12f8-d96a-476a-8e31-6c2043fe77a7.mspx

bryan AT adminfoo DOT net

H. Carvey said...

Good link to the Windows 2003 reference, and there are some good leads there...thanks.

Anonymous said...

What about a format along the lines of www.eventid.net?

H. Carvey said...

That'd be great...but then it's a matter of content.

Where do we get the content?

Anonymous said...

Where were you planning on getting it from? Based on the post, it appears you were looking to put together a single source for forensics specific registry information.

Reviewing and extracting the pertinent information from he W2K3 DepKit previously mentioned could be a starting place. The second, is input from followers of your blog and/or the community. Perhaps in a Wiki type format. Alternatively, items are submitted to you directly with associated documentation for verification and review and subsequent approval, with the database being able to be searched a la eventid.net.

H. Carvey said...

Where were you planning on getting it from? Based on the post, it appears you were looking to put together a single source for forensics specific registry information.

That's exactly right...I'd like to put together a single source. One complaint I hear a lot is that there is a lot of information out there...but it's "out there" and not in one place.

As far as where to get the information, my intention has been to produce the initial set-up and from there, take submissions from the community. There will be submission criteria, a review process, etc. After all, the goal is to provide credible, useful information.

The process you mention in your comment is a good start.

Anonymous said...

I like this idea and would be willing to help with it. How about using a format similar to OSVDB?

Travis