Tuesday, September 18, 2012

Network Artifacts found in the Registry

My Twitter account lit up with the "#HTCIACON" hash tag this past Monday morning, apparently due to the HTCIA Conference.  I was seeing a lot of tweets from HBGary, etc., so I went by the conference web page and took a look at the agenda.  As you can imagine, anything with the word "Registry" in it catches my eye immediately, and I saw that there was a lab that had to do with "network artifacts in the Registry".  I took a look at the abstract for the lab, and it seemed to focus on the NetworkList key in the Vista+ Registry...that's great for showing wired and wireless networks that a system has connected to, as well as providing some useful information that can be used in WiFi geolocation (discussed here, updated tool named "macl.pl" is here).

This is a great start, but what about after the system is connected to particular networking media?  What other "network artifacts" can be found in the Registry? That's where we can dig into additional sources of information, specifically other Registry keys and values, to look for those additional network artifacts. 

Something else to think about is, what if some of the artifacts that you're pursuing have been deleted?  Some tools (CCleaner, etc.) will "erase" lists of known artifacts.  Some tools, such as USB Oblivion, are targeted to more specific artifacts.  As such, knowing more about the artifacts or artifact categories that you're interested in will help you (a) determine whether some sort of "cleaning" has likely occurred, and (b) identify other indicators that you might be able to pursue.

This information can be useful in cases involving violations of acceptable use policies within organizations; however, it is not specifically restricted to such cases.  I've used these artifacts in a number of intrusion cases, particularly where the compromised system was accessed remotely via RDP.

Here are some of the RegRipper plugins you can use to collect some other network artifacts, primarily from the user's hives:

networklist.pl - The networklist.pl plugin gives me what was described in the abstract for the conference lab I mentioned; network profile, first/last connection date (in SYSTEMTIME format, based on the system's localtime), gateway MAC address, and the network type (wired, wireless, broadband).  The TLN version of this plugin will allow you to incorporate this information into your timeline.

shellbags.pl - As I mentioned previously, shellbags can provide a great deal of information regarding access to network resources; you might not only find indications of access to UNC paths, but also the use of Windows Explorer to access FTP resources (my publisher used to have me do this in order to transfer chapters...).  I should note that I've found entries such as these during exams.  If you do find information regarding access to FTP in the user's shellbags, you might also want to check out the Software\Microsoft\FTP\Accounts subkeys within the user hive, as well...you will find not only the host connected to, but also the username used to access the site (if successful).

muicache.pl - If the user uses the command line FTP utility that is native to Windows (ftp.exe), rather than Windows Explorer, to access an FTP site, you may find a reference to that executable in the user's MUICache key (in Windows 7, located in the USRCLASS.DAT hive).  Of course, if another GUI FTP client was used, you might expect to find information about that usage via the userassist.pl plugin.

mndmru.pl - This plugin parses the user's "Map Network Drive MRU" key data, showing the network drives that the user has mapped via the Map Network Drive Wizard.

runmru.pl - A user may decide to click the Start button, and then simply type a UNC path into the "Run:" box; this information will be available via the runmru.pl plugin.
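Both the "Map Network Drive MRU" and RunMRU keys keep their entries in single-letter values ("a", "b", "c", ...) with a separate MRUList string giving the most-recent-first order. As an added example (my own code, not mndmru.pl or runmru.pl), the functions below put the entries in MRUList order, pull out the ones that point at UNC paths, and report the kind of inconsistency between MRUList and the actual values that can hint at partial "cleaning" as discussed above. The value dictionaries are constructed sample data; the trailing "\1" on RunMRU entries is how those values appear on disk.

```python
def ordered_mru(values: dict, list_name: str = "MRUList") -> list:
    """Return (slot, data) pairs most-recent-first, following the MRUList
    order. `values` maps value names ('a', 'b', ..., 'MRUList') to their
    string data, as read from the key."""
    order = values.get(list_name, "")
    return [(slot, values[slot]) for slot in order if slot in values]


def unc_targets(entries: list) -> list:
    """Pick out entries that reference network resources (UNC paths),
    stripping the '\\1' suffix that RunMRU appends to each entry."""
    out = []
    for _slot, data in entries:
        item = data[:-2] if data.endswith("\\1") else data
        if item.startswith("\\\\"):
            out.append(item)
    return out


def mru_inconsistencies(values: dict, list_name: str = "MRUList") -> dict:
    """Heuristic cleanup indicator: letters named in MRUList with no matching
    value ('dangling') and single-letter values MRUList never mentions
    ('orphaned'). A consistent key returns two empty lists."""
    order = values.get(list_name, "")
    slots = {n for n in values if len(n) == 1}
    return {
        "dangling": [s for s in order if s not in slots],
        "orphaned": sorted(s for s in slots if s not in order),
    }


# Constructed sample data (not taken from a real hive).
SAMPLE_RUNMRU = {
    "a": r"cmd\1",
    "b": r"\\fileserver\finance\1",
    "c": r"notepad\1",
    "MRUList": "bca",          # b is the most recent Run box entry
}
SAMPLE_MNDMRU = {
    "a": r"\\nas01\backup",
    "b": r"\\fileserver\finance",
    "MRUList": "ab",
}
# Same key after something removed values b and c but left MRUList alone.
SAMPLE_RUNMRU_CLEANED = {"a": r"cmd\1", "MRUList": "bca"}

if __name__ == "__main__":
    print("RunMRU UNC paths:", unc_targets(ordered_mru(SAMPLE_RUNMRU)))
    print("Mapped drives:", unc_targets(ordered_mru(SAMPLE_MNDMRU)))
    print("Cleanup hints:", mru_inconsistencies(SAMPLE_RUNMRU_CLEANED))
```

A dangling MRUList letter is only a hint, not proof, but it is exactly the sort of secondary indicator worth noting when the primary artifact has gone missing.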

typedpaths.pl - The TypedPaths key maintains a history of the locations typed into the Windows Explorer Address Bar; similar to the RunMRU key, a user can type UNC paths to network resources into this location.

tsclient.pl - If the user accesses other systems via RDP, you will find references to those connections in the Software\Microsoft\Terminal Services Client subkeys, specifically beneath the Default and Servers subkeys.  Of course, if you do find indications of off-system communications via this key, and you're analyzing a Windows 7 system, be sure to include the user Jump Lists in your analysis, as well.

There are also application-specific Registry entries to consider.  For example, the vncviewer.pl plugin is in version 20080325 at the moment, which means that it was originally written almost 4 1/2 years ago. 

Are there any other network artifacts within the Registry that you might be interested in that aren't covered here?  If so, let me know, or comment here.


dfirfpi said...

Thank you for the summary!

To add one location, in the NTUSER hive under key "Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad" (Web Proxy Autodiscovery Protocol) you could find gateways' MAC addresses and when (last) used.