
FTK | Windows Registry

AccessData's FTK: Windows Registry

Article I.

Section 1.01 Backing up a .REG file

• Within the Registry Editor, right-click the key and select Export.


Section 1.02 Acquiring Registry files with FTK Imager

• Click "Obtain Protected Files"
• Browse to the folder where the registry files should be exported
• Select the "Password Recovery and All Registry Files" radio button


Section 1.03 Other files from a Windows XP image

• Within FTK Imager: File > Add Evidence Item > Image File > browse to the image
• Navigate to C:\Windows\System32\config
• Highlight SAM, SECURITY, SOFTWARE and SYSTEM and export them
• Export each user's NTUSER.DAT too


Section 1.04 Viewing Registry Files within FTK

• Within FTK Imager, click the yellow safe icon to obtain the registry files
• Choose "Password Recovery and All Registry Files"
• The yellow-safe procedure only works on LIVE systems, not on images; for an image, export the hives as in Section 1.03


Section 1.05 Permissions

• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR
• If "Full Control" isn't granted on the key, the subkey cannot be deleted
• To browse the SAM in the Registry Editor, right-click the SAM key, go to Permissions and grant "Full Control" to the administrator (by default not even administrators can read it)
• In Vista, USBSTOR can't be deleted


Section 1.06 NTUSER.DAT

• XP – C:\Documents and Settings\<username>
• Vista – C:\Users\<username>


Section 1.07 Internal clocks

• Microsoft's default installation sets the clock to Pacific Time.
• Dell computers ship set to Central (Texas) time.
• Don't assume either: confirm the offset in SYSTEM\ControlSet###\Control\TimeZoneInformation before interpreting timestamps.


Page
|
1





Section 1.08 Within the Registry

Registry hive files are constructed from two types of building blocks:

‐ File header (base block)
  • Signature "regf": 72 65 67 66 in hex
  • Offset 12‐19: FILETIME of the last modification
  • Offset 48: path and name of the registry file (UTF-16, up to 64 bytes)
  (the block offsets are on the cheat-sheet PDF from the website)

‐ hbin blocks
  • Signature "hbin": 68 62 69 6e in hex
  • Offset 20‐27 of the hbin header: FILETIME of the last modification

HKEY_LOCAL_MACHINE
  • holds per-computer information
  • built from the SAM, SYSTEM, SOFTWARE and SECURITY hives

HKEY_CLASSES_ROOT
  • where you can see which program opens which file extension
  • user-specific settings come from HKEY_CURRENT_USER (the user's NTUSER.DAT)

*The HARDWARE hive is created at startup and discarded at shutdown, so it never exists on a disk image*


Article II.

Section 2.01 To access the SAM hive on a live system, at the Run box type:

• at ##:## /interactive regedit
• ##:## is the time in 24‐hour format; the at scheduler launches regedit under the LocalSystem account, which (unlike an administrator) has read access to the SAM key
• at also takes a remote computer name, so the same command can be pushed to a machine over the network or scheduled for later
• Can be used to view the SAM while a user is active on the computer as well as when pushed down via the network


Section 2.02 To see if a user was ever deleted from the system

• Go to the SAM hive; in the Unicode pane to the right, right-click and select "Find"
• Type in the username you're looking for
• If it's found, look at the 4-byte cell size field that sits 80 bytes in front of the username (4-byte size plus the 76-byte nk header), and read it in the value interpreter as a signed 32-bit integer
• Negative = the cell is allocated (the account still exists); positive = unallocated (the key was deleted and its cell freed, but the data is still sitting in registry slack)
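The following is an added example, not code from the original notes or from AccessData, that implements the checks described in Section 1.08 and Section 2.02: it reads the regf and hbin signatures and timestamps at the offsets given above, then walks the cells of the first hbin and uses the sign of each cell-size field to tell a live nk key from a freed (deleted) one. The hive bytes are constructed by hand in build_sample_hive() so the script runs offline; a real hive would be read with open(path, "rb").read(). The nk field offsets (name length at +0x48, name at +0x4C from the "nk" signature) are the standard hive layout and are not taken from the notes.

```python
"""Walk a registry hive: regf/hbin headers, then the signed cell sizes that
decide whether an nk key is live (negative) or deleted (positive).

Added example, not from the original notes or from AccessData. The hive is
constructed by build_sample_hive(); it is not a real SAM.
"""
import struct
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)   # FILETIME epoch


def filetime_to_dt(ft):
    """64-bit FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return EPOCH + timedelta(microseconds=ft // 10)


def parse_regf(hive):
    """Base block fields named in the notes: signature, offset 12 timestamp, offset 48 name."""
    if hive[0:4] != b"regf":                                     # 72 65 67 66
        raise ValueError("not a regf hive")
    modified = struct.unpack_from("<Q", hive, 12)[0]             # offset 12-19
    name = hive[48:112].decode("utf-16-le").split("\x00", 1)[0]  # offset 48, 64 bytes
    return {"modified": filetime_to_dt(modified), "name": name}


def parse_hbin(hive, off=4096):
    """The first hbin starts right after the 4 KiB base block."""
    if hive[off:off + 4] != b"hbin":                             # 68 62 69 6e
        raise ValueError("no hbin at offset %d" % off)
    size = struct.unpack_from("<I", hive, off + 8)[0]
    modified = struct.unpack_from("<Q", hive, off + 20)[0]       # offset 20-27
    return {"size": size, "modified": filetime_to_dt(modified)}


def walk_cells(hive, off=4096):
    """Yield (offset, allocated, signature, key_name) for each cell in one hbin.

    Each cell begins with a signed 32-bit size: negative = allocated (live),
    positive = unallocated (freed, i.e. deleted but still in registry slack).
    """
    end = off + parse_hbin(hive, off)["size"]
    pos = off + 32                                   # skip the 32-byte hbin header
    while pos < end:
        size = struct.unpack_from("<i", hive, pos)[0]
        if size == 0:
            break
        sig = hive[pos + 4:pos + 6]
        name = None
        if sig == b"nk":
            # name length at +0x48 from "nk", name at +0x4C: the name therefore
            # starts 80 bytes after the cell-size field (Section 2.02)
            name_len = struct.unpack_from("<H", hive, pos + 4 + 0x48)[0]
            name = hive[pos + 80:pos + 80 + name_len].decode("latin-1")
        yield pos, size < 0, sig, name
        pos += abs(size)


def user_status(hive, username):
    """Section 2.02: 'allocated' if the key is live, 'unallocated' if its cell
    was freed (account deleted), None if the name is not in this hbin."""
    for _, allocated, sig, name in walk_cells(hive):
        if sig == b"nk" and name == username:
            return "allocated" if allocated else "unallocated"
    return None


def _ft(dt):
    return int((dt - EPOCH).total_seconds()) * 10_000_000


def _nk_cell(name, allocated):
    body = bytearray(0x4C + len(name))
    body[0:2] = b"nk"
    struct.pack_into("<H", body, 0x48, len(name))
    body[0x4C:] = name.encode("latin-1")
    total = 4 + len(body)
    total += (-total) % 8                             # cells are 8-byte aligned
    cell = bytearray(total)
    struct.pack_into("<i", cell, 0, -total if allocated else total)
    cell[4:4 + len(body)] = body
    return cell


def build_sample_hive():
    """Constructed hive: regf header, one 4 KiB hbin holding a live key
    'Administrator', a freed key 'OldUser' and a trailing free cell."""
    stamp = _ft(datetime(2009, 3, 14, 12, 0, tzinfo=timezone.utc))
    base = bytearray(4096)
    base[0:4] = b"regf"
    struct.pack_into("<Q", base, 12, stamp)
    path = r"C:\WINDOWS\system32\config\SAM".encode("utf-16-le")
    base[48:48 + len(path)] = path
    hbin = bytearray(32)
    hbin[0:4] = b"hbin"
    struct.pack_into("<I", hbin, 8, 4096)
    struct.pack_into("<Q", hbin, 20, stamp)
    cells = _nk_cell("Administrator", True) + _nk_cell("OldUser", False)
    free = bytearray(4096 - 32 - len(cells))
    struct.pack_into("<i", free, 0, len(free))       # positive size = free space
    return bytes(base + hbin + cells + free)


if __name__ == "__main__":
    hive = build_sample_hive()
    print(parse_regf(hive), parse_hbin(hive))
    for user in ("Administrator", "OldUser", "Nobody"):
        print(user, user_status(hive, user))
```

The same sign test applies to vk (value) and other cells, which is why the Misc. Notes at the end of these notes tell you to highlight the 4 bytes in front of any "nk"/"vk" signature in the hex pane.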




Section 2.03 Preliminary Reports via Registry Viewer

• accessdata.com > Support > Supplementary Files > RSR files (report templates)
• Installed to C:\Program Files\AccessData\AccessData Registry Viewer\Data

1. Open FTK. By default, FTK 2.0 makes you create a user for the (Oracle) database right away.
   1. This is the "GOD" account.
   2. Add other users once this is set up, so that in a shared environment everyone can work on cases without anyone forgetting or deleting cases etc. while working as root.
   3. Passwords are case sensitive.
2. If you run a report from within Registry Viewer standalone, you have to add the report as supplementary evidence within FTK.
   1. If you run it from within FTK, there's a box to check in the Report Options wizard that automatically includes it with the regular report.
3. From within the Preliminary Report wizard you can choose which files (SAM, SYSTEM, etc.) to process, so you don't have to process every SAM from every computer seized at the crime scene if you don't need to.
4. In Registry Viewer, right-click > Add to Report. This adds registry keys to the report.
   1. e.g. the CurrentVersion key, to display the computer's owner information.
   2. You can't select individual entries for the standard report; it grabs everything listed.
   3. It's not a good idea to use "Add to Report with Children": it adds more garbage to the report, and then you have to research everything and what it means, because when you testify in court, opposing counsel is going to grill you on what each entry means or why it's in the report.
   4. A Summary Report lets you add single entries ("selected values") instead of everything listed, and can use wildcards to grab multiple values.
5. Click the green key within Registry Viewer to go to the "Common Areas" view, which makes it easier to find information.
   1. Wi-Fi info is not included here.
   2. Registered owner, service packs, product ID, etc. are.
   3. The check box over a folder signifies it's been added to the report.
   4. View > Report View lets you quickly verify what you've already marked for the report.
   5. Report > Generate Report
      1. Change the report title, because it always says "Registry Report".
      2. If outside FTK, save it to a folder that will be included with the whole report.
      3. Check "Reduce excess data output" to clear some binary out of the report.
      4. DO NOT check "Show key properties only" unless you're doing the SAM file, because it clears almost all data from the report display.
      5. The "DWORD" check box just adds the decoded value and date underneath the columns (InstallDate, etc.).

(a) Summary reports (single values, no wildcards)

6. View > Full Registry
7. Click the green key to go to the Common Areas




8. Report > Define Summary Report
9. Change the title to something like "Software – Registered Owner Information" so you know where it goes
10. Highlight the available items, click "Match any item" so it's not marked, then click the "Add Values" button to select single values; sort, then save and close
11. Report > Define Summary Report
   1. Click the report to preview it
      1. Include blank values, so you know whether something was missing or blank in the registry
   2. Report > Define Summary Report
      1. Click the Generate button if outside FTK


Article III.

(a) SAM artifacts

12. SAM > Domains > Account > Users (highlight it)
   1. Report > Define Summary Report
   2. Change the title to "SAM ‐ Users"
   3. At the bottom, where it says Wildcard, click "Use current selected key"
   4. Select any of the user (RID) folders; in the right pane you see the "F" and the "V" values
      1. Click the "Match any item" radio button to the right
      2. Click "Add Values"
      3. Save and close
      4. When you generate this report, check "Show key properties only" to make the SAM report cleaner
13. In FTK: Overview tab > File Category
   1. OS / File System Files > Windows NT Registry
   2. Click the file(s) you want to include in the bottom pane
   3. File > Report
   4. Highlight Registry Selections
      1. Check "Include user generated reports" if you produced reports outside FTK
   5. Browse to where you are exporting the reports
   6. If you click the SAM link and look to the right, the registry key is a hyperlink. EDIT IT OUT of the HTML, or else whoever clicks it acts on the registry of the machine viewing the report, not on the evidence

(b) SID breakdown

7. Issuing authority, machine/domain identifier, and RID (user accounts, custom groups)
   1. Known RIDs in XP (1003 is usually the first user created or a custom group; if no account has it, that user was probably deleted)
      1. 500 = Administrator
      2. 501 = Guest
      3. 1000 – HelpAssistant
      4. 1001 – HelpServicesGroup
      5. 1002 – SUPPORT_388945a0 (support user)
   2. The SID helps when looking at the Recycler (recycle bin) to see who was deleting, and when matching NTUSER.DAT files to accounts
8. The machine SID is stored in the SAM file
   1. HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\V
9. The F value in SAM\Domains\Account\Users\<RID> shows the RID, logon count, last logon time, etc.
10. Microsoft will say a password is set even when it's left blank, but there won't be a password or hash... to verify, go to the "V" value.
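The following is an added example, not code from the original notes or from AccessData, that decodes the binary F value item 9 refers to. The F value is constructed by hand in build_sample_f() to the fixed layout the common offline SAM parsers read (last logon at offset 8, password last set at 24, account expiry at 32, last failed logon at 40, RID at 48, account-control bits at 56, failed-logon count at 64, logon count at 66); a real one would be exported from Registry Viewer or read with an offline hive parser. The account-control (ACB) bit names are the standard SAM definitions, not something the notes list.

```python
"""Decode the binary F value under SAM\\Domains\\Account\\Users\\<RID>.

Added example, not from the original notes or from AccessData. The F value
is constructed by build_sample_f() to the offsets used by offline SAM parsers.
"""
import struct
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
NEVER = 0x7FFFFFFFFFFFFFFF          # FILETIME sentinel for "account never expires"

# ACB (account control) bits stored as the 16-bit word at offset 56
ACB_FLAGS = {
    0x0001: "disabled",
    0x0002: "home directory required",
    0x0004: "password not required",
    0x0008: "temporary duplicate",
    0x0010: "normal user account",
    0x0020: "MNS logon account",
    0x0040: "interdomain trust",
    0x0080: "workstation trust",
    0x0100: "server trust",
    0x0200: "password does not expire",
    0x0400: "auto locked",
}


def filetime_to_dt(ft):
    """FILETIME -> aware UTC datetime; 0 and the 'never' sentinel become None."""
    if ft in (0, NEVER):
        return None
    return EPOCH + timedelta(microseconds=ft // 10)


def parse_f_value(f):
    """Return the fields a SAM report should show for one user."""
    if len(f) < 68:
        raise ValueError("F value too short: %d bytes" % len(f))
    acb = struct.unpack_from("<H", f, 56)[0]
    return {
        "last_logon":         filetime_to_dt(struct.unpack_from("<Q", f, 8)[0]),
        "pwd_last_set":       filetime_to_dt(struct.unpack_from("<Q", f, 24)[0]),
        "account_expires":    filetime_to_dt(struct.unpack_from("<Q", f, 32)[0]),
        "last_failed_logon":  filetime_to_dt(struct.unpack_from("<Q", f, 40)[0]),
        "rid":                struct.unpack_from("<I", f, 48)[0],
        "acb_flags":          [name for bit, name in ACB_FLAGS.items() if acb & bit],
        "failed_logon_count": struct.unpack_from("<H", f, 64)[0],
        "logon_count":        struct.unpack_from("<H", f, 66)[0],
    }


def password_not_required(f):
    """True when ACB_PWNOTREQ (0x0004) is set: the account may be logged into
    with no password, whatever the V value holds for the hashes."""
    return bool(struct.unpack_from("<H", f, 56)[0] & 0x0004)


def _ft(dt):
    return int((dt - EPOCH).total_seconds()) * 10_000_000


def build_sample_f():
    """Constructed F value: RID 1003, 17 logons, 2 failures, no expiry, PWNOTREQ set."""
    f = bytearray(80)
    struct.pack_into("<Q", f, 8, _ft(datetime(2009, 2, 27, 8, 30, tzinfo=timezone.utc)))
    struct.pack_into("<Q", f, 24, _ft(datetime(2008, 11, 3, 16, 5, tzinfo=timezone.utc)))
    struct.pack_into("<Q", f, 32, NEVER)
    struct.pack_into("<Q", f, 40, 0)
    struct.pack_into("<I", f, 48, 1003)
    struct.pack_into("<H", f, 56, 0x0010 | 0x0004)
    struct.pack_into("<H", f, 64, 2)
    struct.pack_into("<H", f, 66, 17)
    return bytes(f)


if __name__ == "__main__":
    for key, value in parse_f_value(build_sample_f()).items():
        print("%-19s %s" % (key, value))
```

The timestamps come out in UTC; apply the offset from TimeZoneInformation yourself rather than trusting the examination machine's clock.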

14. Cracking the SAM (because there might be EFS-encrypted files/folders)
   1. Export the SAM and SYSTEM files from the image (the SYSTEM hive holds the boot key needed to decrypt the SAM hashes)
   2. Export the full text index (FTI) as a dictionary
   3. Import the FTI into PRTK
   4. Drop the SAM into PRTK and point it at the SYSTEM file
   5. SAM password hints in XP
      1. SOFTWARE\Microsoft\Windows\CurrentVersion\Hints\<username>
   6. SAM password hints in Vista
      1. SAM\SAM\Domains\Account\Users\<RID>\UserPasswordHint
15. If you change or remove a user's password without being logged in as that user, all EFS files will be lost, because the EFS key is protected with the original password (only the user changing their own password re-keys it)
16. The "V" value holds the user name etc.


(c) Identifying deleted users

17. SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList (profile SIDs with no matching SAM entry)
18. System restore points (find the SID number in the snapshot copies of the SAM and NTUSER.DAT)
19. Registry slack
6. If the username is changed, the SID stays the same, and the profile name remains the same (home folder etc.)
7. In Windows 2000, XP and 2003, if an account is deleted the SAM will remove the info, but the SID will not be reused
8. Built-in groups with well-known RIDs:
   1. Administrators – 544
   2. Users – 545
   3. Guests – 546
   4. Power Users ‐ 547
9. HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Builtin\Aliases
   1. Built-in groups (the SID is stored in binary, so you have to convert it)
10. HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Aliases
   1. Custom groups (the SID is stored in binary, so you have to convert it)
11. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\GroupMembership
   1. NTUSER artifacts (to determine what groups the user is a member of)
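The following is an added example, not code from the original notes or from AccessData, that does the binary-to-text SID conversion items 9 and 10 call for and labels the RIDs listed in (b) and (c). The SID bytes are constructed (the machine identifier is made up). The layout is the standard one: revision byte, sub-authority count byte, 48-bit big-endian identifier authority, then little-endian 32-bit sub-authorities. Taking the machine SID from the last 24 bytes of SAM\Domains\Account\V follows what offline SAM parsers do and is an assumption here, not something the notes state.

```python
"""Decode binary SIDs and label well-known RIDs.

Added example, not from the original notes or from AccessData. Sample data is
constructed; reading the machine SID from the trailing 24 bytes of Account\\V
is an assumption (how offline SAM parsers do it), not a statement of the notes.
"""
import struct

WELL_KNOWN_RIDS = {
    500: "Administrator",
    501: "Guest",
    1000: "HelpAssistant",
    1001: "HelpServicesGroup",
    1002: "SUPPORT_388945a0",
}
BUILTIN_ALIASES = {544: "Administrators", 545: "Users", 546: "Guests", 547: "Power Users"}


def parse_sid(blob):
    """Binary SID -> 'S-1-5-21-...' string."""
    if len(blob) < 8:
        raise ValueError("SID too short")
    revision, count = blob[0], blob[1]
    if revision != 1 or len(blob) < 8 + 4 * count:
        raise ValueError("malformed SID")
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, blob, 8)
    return "S-" + "-".join(str(x) for x in (revision, authority, *subs))


def sid_to_bytes(sid):
    """Inverse of parse_sid; used here to build the constructed sample."""
    parts = sid.split("-")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def machine_sid_from_account_v(v):
    """Assumption (see module docstring): machine SID = last 24 bytes of Account\\V."""
    return parse_sid(v[-24:])


def describe(sid):
    """Split into issuer/machine part and RID, naming the RID where known."""
    parts = sid.split("-")
    rid = int(parts[-1])
    label = WELL_KNOWN_RIDS.get(rid) or BUILTIN_ALIASES.get(rid)
    if label is None:
        label = "locally created user or group (RID >= 1000)" if rid >= 1000 else "well-known"
    return {"issuer": "-".join(parts[:-1]), "rid": rid, "label": label}


def deleted_rid_gaps(present_rids, first_user_rid=1003):
    """RIDs between the XP first-user RID and the highest RID that have no
    Users subkey. SIDs are never reused, so each gap is a deleted account."""
    present = set(present_rids)
    top = max(present, default=first_user_rid)
    return [r for r in range(first_user_rid, top) if r not in present]


# Constructed sample: a machine SID plus the RIDs seen under Account\Users
SAMPLE_MACHINE_SID = "S-1-5-21-1234567890-987654321-111111111"
SAMPLE_ACCOUNT_V = bytes(40) + sid_to_bytes(SAMPLE_MACHINE_SID)   # padding, then the SID
SAMPLE_USER_RIDS = [500, 501, 1000, 1001, 1002, 1004, 1005]


if __name__ == "__main__":
    print("machine SID:", machine_sid_from_account_v(SAMPLE_ACCOUNT_V))
    for rid in SAMPLE_USER_RIDS:
        print(describe("%s-%d" % (SAMPLE_MACHINE_SID, rid)))
    print("deleted RIDs:", deleted_rid_gaps(SAMPLE_USER_RIDS))
```

The RID-gap check is the mechanical version of the note under (b): if nothing holds RID 1003 on an XP box, the first user created on it was probably deleted, and ProfileList, restore points and registry slack are where to go looking for it.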



(d) SYSTEM artifacts

2. Time zone / last access
   1. ControlSet###\Control\TimeZoneInformation
   2. Is daylight saving time auto-adjusting or not: DisableAutoDaylightTimeSet
      1. 1 = disabled
      2. If the value is not present, the system is auto-adjusting
   3. Time zone setting (StandardName/DaylightName; Bias and ActiveTimeBias are minutes from UTC)
   4. BIOS time setting (the hardware clock the system clock is loaded from)
3. Computer name
   1. SYSTEM\ControlSet###\Control\ComputerName\ComputerName
4. Last shutdown time
   1. ControlSet###\Control\Windows (ShutdownTime, a FILETIME)
5. Mounted devices / Mount Manager
   1. Creates a symbolic link from a drive letter to the device object
   2. Format: \??\Volume{GUID}\
      1. Use it to verify whether a volume has ever been mounted before
      2. Can't always tell the drive letter, because the letter can be overwritten by another USB device
         1. Can search for .lnk files, or search for the file name of something on the USB device, to try and see what the drive letter used to be


(e) USB tracking (pg221)

3. References for working out the firmware or what USB device it was
   1. www.linux‐usb.org
      1. Other helpful links > USB vendor / product ID list
4. setupapi.log (C:\WINNT or C:\Windows): when the device's driver was first installed
5. .lnk files can show paths and date/time of files accessed
6. USB\VID_099&PID_234\234242342423423 (example device instance path)
   1. VID = vendor ID
   2. PID = product ID
   3. The last component is the instance ID: the device's serial number, or an ID Windows generated
7. Microsoft has USB identification software to download (USBView, in the DDK/WDK)
8. Computer Management > Device Manager > Storage volumes > right-click, Properties, Details
9. SYSTEM\MountedDevices
10. An instance ID whose second character is "&" (e.g. "5&...", "6&...", "7&...") was generated by Windows because the device reported no serial number, so it doesn't identify one specific piece of hardware


(f) Hardware information

11. SYSTEM\ControlSet###\Enum
   1. SATA drives are stored under IDE
   2. FireWire drives are stored under SCSI
12. LPTENUM
   1. Enumerates printer (parallel) ports


(g) Services

13. SYSTEM\ControlSet###\Services
14. DHCP
15. Tcpip\Parameters
   1. ControlSet###\Services\Tcpip\Parameters\Interfaces\<GUID> (IPAddress, DhcpIPAddress, DhcpServer, LeaseObtainedTime)



(h) Session manager

16. Is prefetch on?
   1. Prefetch keeps the last 128 programs run (XP)
      1. Can tell if a wiping program was just used
   2. SYSTEM\ControlSet###\Control\Session Manager\Memory Management\PrefetchParameters
      1. "EnablePrefetcher"
      2. "0" is off, "1" applications only, "2" boot prefetch only, "3" application and boot prefetch enabled
      3. Layout.ini in the Prefetch folder is a file not to delete, because it's the roadmap Windows uses for defragging
17. Is the subkey set to wipe the page file at shutdown?
   1. SYSTEM\ControlSet###\Control\Session Manager\Memory Management
      1. ClearPageFileAtShutdown: 0 by default
      2. If it's on, you may want to grab memory and the page file while the system is active
18. Previous computer names can be found in unallocated space with an index search, and also in event logs and restore points (restore points = up to 90 days)


(i) Identifying USB drives

19. SYSTEM\ControlSet###\Enum\USBSTOR
   1. Match the ParentIdPrefix (or, on Vista, the serial number) with the data of the MountedDevices values to recover the drive letter
      1. SYSTEM\MountedDevices
20. SYSTEM\ControlSet###\Enum\USB
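The following is an added example, not code from the original notes or from AccessData, that performs the correlation described in (e) and (i): it splits the USBSTOR key names into class, vendor, product and revision, flags instance IDs that Windows generated (second character "&"), and matches each device's ParentIdPrefix against the UTF-16 device paths stored in MountedDevices to recover the drive letter and volume GUID. All registry data below is constructed by hand in the shape the SYSTEM hive uses; with real evidence you would feed it the exported key names and value data.

```python
"""Correlate USBSTOR entries with MountedDevices (XP-style ParentIdPrefix).

Added example, not from the original notes or from AccessData. USBSTOR and
MOUNTED_DEVICES below are constructed sample data.
"""
import re

# Constructed USBSTOR subkeys: (device class key, instance ID key, ParentIdPrefix value)
USBSTOR = [
    ("Disk&Ven_SanDisk&Prod_Cruzer&Rev_8.02", "0000161511D2A3B1&0", "7&2a1b3c4d&0"),
    ("Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07", "6&39e1f2a4&0", "7&1f9b7e5c&0"),
]

_RM = "\\??\\STORAGE#RemovableMedia#%s&RM#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"

# Constructed MountedDevices values: removable media are UTF-16LE device paths,
# fixed disks are 12 raw bytes (4-byte disk signature + 8-byte partition offset)
MOUNTED_DEVICES = {
    "\\DosDevices\\C:": bytes.fromhex("a1b2c3d4") + (0x7E00).to_bytes(8, "little"),
    "\\DosDevices\\E:": (_RM % "7&2a1b3c4d&0").encode("utf-16-le"),
    "\\??\\Volume{9a3c1f4e-0d22-11de-8a0a-806d6172696f}": (_RM % "7&2a1b3c4d&0").encode("utf-16-le"),
    "\\DosDevices\\F:": (_RM % "7&deadbeef&0").encode("utf-16-le"),
}


def parse_device_class(key):
    """'Disk&Ven_SanDisk&Prod_Cruzer&Rev_8.02' -> class/vendor/product/revision."""
    m = re.match(r"(\w+)&Ven_([^&]*)&Prod_([^&]*)&Rev_([^&]*)", key)
    if not m:
        raise ValueError("unexpected USBSTOR class key: %s" % key)
    return dict(zip(("class", "vendor", "product", "revision"), m.groups()))


def serial_is_windows_generated(instance_id):
    """Second character '&' = no serial reported; Windows synthesised the ID."""
    return len(instance_id) > 1 and instance_id[1] == "&"


def decode_mounted_value(data):
    """Device path string for removable media, None for binary fixed-disk entries."""
    if len(data) == 12:
        return None
    try:
        text = data.decode("utf-16-le")
    except UnicodeDecodeError:
        return None
    return text if text.startswith("\\??\\") else None


def drive_letters_for(parent_id_prefix, mounted=MOUNTED_DEVICES):
    """Drive letters and volume GUIDs whose device path carries this ParentIdPrefix."""
    needle = "#%s&RM#" % parent_id_prefix
    hits = [name for name, data in mounted.items()
            if needle in (decode_mounted_value(data) or "")]
    return {
        "letters": [h[-2:] for h in hits if h.startswith("\\DosDevices\\")],
        "volume_guids": [h for h in hits if h.startswith("\\??\\Volume")],
    }


def correlate(usbstor=USBSTOR, mounted=MOUNTED_DEVICES):
    """One record per USBSTOR device with its identity and mount history."""
    out = []
    for cls, instance_id, prefix in usbstor:
        rec = parse_device_class(cls)
        rec["instance_id"] = instance_id
        rec["generated_serial"] = serial_is_windows_generated(instance_id)
        rec["parent_id_prefix"] = prefix
        rec.update(drive_letters_for(prefix, mounted))
        out.append(rec)
    return out


if __name__ == "__main__":
    for rec in correlate():
        print(rec)
```

A device with no hit in MountedDevices (the second sample) was plugged in at some point but its letter has since been reassigned, which is the "can't always tell the drive letter" case in (d); the .lnk and setupapi.log artifacts in (e) are the fallback.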


(j) SECURITY artifacts

6. HKEY_LOCAL_MACHINE\SECURITY
7. Stores the local security policies (user rights, password policy, account memberships)
   1. Good info for internal investigations, to see if someone's exceeding their powers
8. Password caching (stores current and past values)
   1. Domain passwords can be cached as well (good to turn off for laptops)
      1. SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
         1. CachedLogonsCount (default 10)
9. SECURITY\Policy\Secrets\DefaultPassword
   1. For XP SP3 (the auto-logon password, stored as an LSA secret)
12. In PRTK, when cracking the cached/stored passwords, the (*) tells you there's more than one password
   1. Current and past passwords used



(k) SOFTWARE artifacts

2. ReadyBoost in Vista lets you use a USB device to extend the computer's memory (as a cache in front of the page file)
   1. SOFTWARE\Microsoft\Windows NT\CurrentVersion\EMDMgmt (one subkey per device tested)
3. SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI
   1. LastLoggedOnUser
   2. Its last-written time records when the system was powered down



(l) Identifying uninstalled software

3. Registry slack
4. $MFT
5. SOFTWARE\Classes (left-over file associations)
6. Do index searches
7. A cell size such as 78 00 00 00 (positive, i.e. unallocated) in front of an entry indicates PGP etc. was uninstalled; then look for the date
8. SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\<AppName>




(m) Startup programs (p.297)

9. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   1. RunOnce
   2. RunOnceEx
   3. RunServices
   4. RunServicesOnce
10. SOFTWARE\Microsoft\Command Processor\AutoRun
11. SYSTEM\ControlSet###\Control\Session Manager\BootExecute
12. SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit


(n) Wireless artifacts

13. SOFTWARE\Microsoft\WZCSVC\Parameters\Interfaces\<GUID> (XP Wireless Zero Configuration)
14. SOFTWARE\Microsoft\EAPOL\Parameters\Interfaces\<GUID>
15. SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList (Vista)



(o) Recycle Bin

16. SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket


(p) Printer entries

17. NTUSER.DAT\Software\Microsoft\Windows NT\CurrentVersion\Devices
18. SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\Printers\<printername>


(q) Recent Docs

4. NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs



(r) Restore points

5. C:\System Volume Information\_restore{GUID}\RP###\snapshot (holds copies of the hives, e.g. _REGISTRY_MACHINE_SAM)



(s) ComDlg32 – Common dialog; tracks user behaviour as it pertains narrowly to the Open and Save As dialog boxes of Windows utilities (OpenSaveMRU and LastVisitedMRU)

6. NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32


(t) Run

7. NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU



(u) Vista protected storage

8. NTUSER.DAT\Software\Microsoft\Internet Explorer\IntelliForms

13. Add keys to Common Areas for later searches
   1. Right-click > Add to Common Area
   2. e.g. EAPOL, WZCSVC


(v) Vista USB devices

3. SOFTWARE\Microsoft\Windows NT\CurrentVersion\EMDMgmt


(w) Vista wireless

4. SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\<GUID>



(x) To tell whether or not the person burned anything onto a CD

5. Right-click My Computer > Manage > Event Viewer > System
6. Event IDs 7036 and 7035 (Service Control Manager) tell when the IMAPI CD-Burning COM Service was started and stopped



(y) Finding what programs were run before the CD burning was done

1. UserAssist
   a. Located in NTUSER.DAT (HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist); the value names are ROT13-encoded
   b. Can see what program or file was run, how many times, and the last time
   c. If there's no entry or it's deleted, try restore points close to the burn time.
2. Shortcut / .lnk files
   a. XP – C:\Documents and Settings\<user>\Start Menu
   b. Vista – C:\Users\<user>\Start Menu
3. Prefetch files
   a. C:\Windows\Prefetch
      i. Stores up to the last 128 programs run, as files with the .pf extension
         1. www.forensicswiki.org/wiki/Prefetch

*RegRipper and Windows File Analyzer can help with parsing the information*
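The following is an added example, not code from the original notes or from AccessData, that decodes UserAssist entries the way item 1 above describes and lists what ran before a cutoff such as the 7035 "IMAPI CD-Burning COM Service started" event time. The value names and data are constructed. It handles the 16-byte XP/Vista record (session id, run count, last-run FILETIME); Windows 7 and later use a 72-byte record this does not parse. On XP the stored count starts at 5, so 5 is subtracted to get the real run count.

```python
"""Decode XP/Vista UserAssist entries (ROT13 names, 16-byte records).

Added example, not from the original notes or from AccessData. SAMPLE_COUNT_KEY
is constructed. Only the 16-byte XP/Vista record layout is handled.
"""
import codecs
import struct
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_dt(ft):
    return EPOCH + timedelta(microseconds=ft // 10) if ft else None


def rot13(text):
    """ROT13 is its own inverse, so this both encodes and decodes value names."""
    return codecs.decode(text, "rot_13")


def parse_userassist_value(name, data, xp_count_offset=True):
    """One Count\\ value -> decoded name, session, real run count, last run (UTC)."""
    if len(data) != 16:
        raise ValueError("expected a 16-byte XP/Vista record, got %d bytes" % len(data))
    session, count, ft = struct.unpack("<IIQ", data)
    if xp_count_offset and count >= 5:
        count -= 5                      # XP starts counting at 5
    return {"name": rot13(name), "session": session,
            "run_count": count, "last_run": filetime_to_dt(ft)}


def programs_run_before(entries, cutoff, xp_count_offset=True):
    """Entries last run at or before cutoff (datetime or ISO 8601 string), newest first."""
    if isinstance(cutoff, str):
        cutoff = datetime.fromisoformat(cutoff)
    decoded = (parse_userassist_value(n, d, xp_count_offset) for n, d in entries.items())
    hits = [e for e in decoded if e["last_run"] and e["last_run"] <= cutoff]
    return sorted(hits, key=lambda e: e["last_run"], reverse=True)


def _record(session, stored_count, dt):
    ft = int((dt - EPOCH).total_seconds()) * 10_000_000
    return struct.pack("<IIQ", session, stored_count, ft)


# Constructed values as they would sit under
# ...\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count
SAMPLE_COUNT_KEY = {
    rot13(r"UEME_RUNPATH:C:\Program Files\Nero\nero.exe"):
        _record(3, 5 + 2, datetime(2009, 3, 14, 21, 2, tzinfo=timezone.utc)),
    rot13(r"UEME_RUNPATH:C:\Program Files\Eraser\Eraser.exe"):
        _record(3, 5 + 1, datetime(2009, 3, 14, 20, 55, tzinfo=timezone.utc)),
    rot13(r"UEME_RUNPIDL:%csidl2%\Accessories\Calculator.lnk"):
        _record(3, 5 + 9, datetime(2009, 3, 15, 9, 10, tzinfo=timezone.utc)),
}


if __name__ == "__main__":
    for hit in programs_run_before(SAMPLE_COUNT_KEY, "2009-03-14T21:05:00+00:00"):
        print(hit["last_run"], hit["run_count"], hit["name"])
```

UserAssist only records the last run of each program, so if the burning tool was run again after the burn you get the later time; that is when the restore-point copies of NTUSER.DAT mentioned in 1.c become useful.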



Article IV. Misc. Notes

• Have an EI for the USB drive if you're going to grab the registry files during incident response via FTK Imager, because the hardware EI number will change.

• If the system is on DHCP and gets shut down, there's a good chance of losing the IP address... it may still be in the registry (Tcpip\Parameters\Interfaces), but it's best to grab the registry files while the system is live and make sure.

• To tell whether what you're looking at is deleted or not, highlight the first 4 bytes in front of the "nk", "vk", etc. signature in the HEX pane, right-click and read the value in the value interpreter / properties pane (or convert it in a scientific calculator). A negative (‐) size means the cell is allocated, i.e. live; a positive size means unallocated, i.e. deleted.

