Saturday, September 15, 2007

Registry Analysis

You've probably noticed a huge gap between posts...sorry about that. Contrary to popular belief, I don't just sit around all day writing books. ;-) In addition to actually working, I like to think about ways to make my job easier, and to make the final product of my analysis better. Like many, I've known for sometime that considerable, valuable data exists in the Registry...there's a quite a bit there, whether you're looking for evidence of devices attached to the system, or of user activity. One of the things I've noticed is that there are a good number of tools available that allow you to do Registry data extraction...that is, pull data from the Registry, presenting the data found in a key or value. AccessData has their Registry Viewer, tools such as EnCase and ProDiscover allow you to visualize the Registry data...however, all of these are just tools, and each has their own strength and weakness.

One of the issues that confronts us today is knowing what we're looking at or looking for. Having a tool present data to us is nice, but if we don't know how that data is populated, then what good is the tool when some one-off condition is encountered? If the analyst does not understand how the artifact in question is created or modified, then what happens when the data that he or she expects to see is not present? Remember Jesse's First Law of Computer Forensics and my own subsequent corollary?

Why is this important? Well, for one, there's been a great deal of discussion about antiforensics lately, starting with a couple of articles in CIO and CSO magazines. "Antiforensics" and "counterforensics" (thanks to Richard for definitions) are not new concepts at all...the use of such activities has been around for quite some time. However, systems are becoming more and more complex, and at the same time, feature-rich. One of the benefits of Windows XP, for example, is that the feature-rich nature of the operating system goes some lengths in offsetting the inherent antiforensic features of the operating system.

So...let's try to come full circle...Registry analysis comes into play in assisting the investigator in determining what happened, and in many cases, when. Registry analysis can provide key or corroborating data. No tool out there will provide everything an investigator's up to the investigator to understand what's needed (ie, which Registry keys pertain to a particular P2P client, or which show the files most recently accessed with an image viewing utility?) and then understand how to get it. There are tools out there that do not have pretty GUIs and buttons you can push that will provide you with that information.


Richard Bejtlich said...


I read this post

because I believe I will have to use the methods you describe to review a hard drive soon.

I was wondering if you knew of any open source utilities to analyze the Windows XP registry on a DD image?

H. Carvey said...


> I was wondering if you knew of any
> open source utilities to analyze
> the Windows XP registry on a DD
> image?

Only my own...most of which I am currently developing. The problem I've been seeing is that most of the Registry "analysis" tools out there don't do any analysis at all, but rather simply make the Registry viewable. Even on the commercial side, Registry tools don't seem to be written by or for forensic analysts...

If there's something specific I can assist with, please feel free to contact me.