! Registry
! A database that stores hardware and software configuration information, network connections, user preferences, and setup information
! Registry terminology:
! Registry
! Registry Editor
! HKEY
! Key
! Subkey
! Branch
! Value
! Default value
! Hives
L6: Windows System Artifacts
6 Typical HKEYs
7 A Few Interesting Places
! Events occur on a system all the time
! System restore points are created (every 24 hours)
! Hard drive is de-fragmented (every three days)
! Files are created, modified, and deleted
! Registry keys and values are created by applications
! …
! Many of these events are logged in multiple places across the system
! A timeline is a summary of these events ordered by
! You may begin with a timeline of all events in the system
! Collect all activities with time stamps
! Scan through them to find what is meaningful
! Build a timeline a layer at a time based on the goals of the analysis
! Begin with activity logs that might be related to the event in question
! Add more data sources to bring the available context into focus
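The layered approach above, as an added worked example (this is not code from the lecture): events from three constructed artifact layers are normalised to UTC, merged into one ordered timeline, and then narrowed around a pivot time, first using only the log layer, then adding the other layers for context. Source names, rows and timestamps are all made up for the example.

```python
"""Added example (not from the lecture slides): merge events from several
constructed artifact layers into one time-ordered timeline, then narrow it
around the event under investigation one source layer at a time."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Event:
    ts: datetime      # timezone-aware UTC; normalise every source to this
    source: str       # artifact the event came from ($MFT, .evt, hive ...)
    summary: str


# Constructed sample rows for one host. In a real case these come from parsed
# $MFT entries, event log records and registry key last-write times.
FS_EVENTS = [
    ("2024-03-01T10:02:11Z", "created C:\\Users\\bob\\Downloads\\invoice.exe"),
    ("2024-03-01T10:02:15Z", "modified C:\\Users\\bob\\AppData\\Roaming\\run.vbs"),
    ("2024-03-02T03:00:00Z", "modified C:\\Windows\\Temp\\defrag.log (scheduled defrag)"),
]
LOG_EVENTS = [
    ("2024-03-01T10:01:58Z", "Security 528 logon of bob from 192.0.2.10"),
    ("2024-03-01T10:02:20Z", "System 7035 service control sent to Updater"),
]
REG_EVENTS = [
    ("2024-03-01T10:02:16Z", "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run last written"),
]


def parse_ts(text):
    """ISO-8601 'Z' timestamps as used by the sample rows above."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_timeline(*layers):
    """Collect every (timestamp, summary) row of each named layer and return
    the rows ordered by time; ties are broken by source name so the order
    is deterministic."""
    events = [Event(parse_ts(ts), name, text)
              for name, rows in layers for ts, text in rows]
    return sorted(events, key=lambda e: (e.ts, e.source))


def focus(timeline, pivot, window, sources=None):
    """One layer step: keep events within +/- window of the pivot time,
    restricted to the given sources (None = all sources)."""
    lo, hi = pivot - window, pivot + window
    return [e for e in timeline
            if lo <= e.ts <= hi and (sources is None or e.source in sources)]


def investigate(pivot_text="2024-03-01T10:02:15Z", minutes=1):
    """Start from the log layer related to the event, then add the other
    layers to bring the context into focus. Returns both views."""
    timeline = build_timeline(("evt", LOG_EVENTS), ("mft", FS_EVENTS), ("reg", REG_EVENTS))
    pivot, window = parse_ts(pivot_text), timedelta(minutes=minutes)
    first_pass = focus(timeline, pivot, window, sources={"evt"})
    full_context = focus(timeline, pivot, window)
    return first_pass, full_context


if __name__ == "__main__":
    for view in investigate():
        for e in view:
            print(e.ts.isoformat(), e.source, e.summary)
        print("--")
```

The defragmentation row a day later is deliberately in the data: it is a real event on the system, but outside the window it is noise, which is why the narrowing step comes before widening by source.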
14 Data Sources
! File system metadata
! Event logs
! Prefetch files
! Jump lists (Windows 7)
! Recycle bin
! Registry
15 File System Metadata
! Standard Information attribute (0x10) has four time-stamps
! MACE: file Modified, file Accessed, file Created, MFT Entry modified
! Filename attribute (0x30) also has the same four time-stamps
! But the times here are written by the kernel when the entry is created (and refreshed only on rename or move), and they are not reachable through the user-mode time-setting APIs, so they usually reflect the first creation, access or modification; a Standard Information time that is earlier than its Filename counterpart is worth a second look
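An added worked example (not the lecture's code) of reading the two sets of MACE timestamps and using the difference between them as a check: the four FILETIMEs are decoded from constructed $STANDARD_INFORMATION and $FILE_NAME attribute bodies, and the parsed values are compared to flag a creation time that has been pushed back. The on-disk offsets (timestamps at 0 in $STANDARD_INFORMATION, at 8 after the parent reference in $FILE_NAME) are the NTFS layout; the sub-second heuristic is a common analyst rule of thumb, not a property of the file system.

```python
"""Added example (not the lecture's code): decode the four MACE timestamps
from the body of an NTFS $STANDARD_INFORMATION (0x10) attribute and a
$FILE_NAME (0x30) attribute, and flag the inconsistency that user-mode
timestamp manipulation leaves behind. The attribute bodies are constructed."""
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
# On-disk order of the four FILETIMEs in both attributes
FIELDS = ("created", "modified", "mft_modified", "accessed")


def filetime_to_dt(ft):
    """FILETIME = 100-ns ticks since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def dt_to_filetime(dt):
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10


def parse_mace(body, offset):
    return dict(zip(FIELDS, map(filetime_to_dt, struct.unpack_from("<4Q", body, offset))))


def parse_standard_information(body):
    """$STANDARD_INFORMATION: the four timestamps are the first 32 bytes."""
    return parse_mace(body, 0)


def parse_file_name(body):
    """$FILE_NAME: 8-byte parent directory reference, then the timestamps."""
    return parse_mace(body, 8)


def timestomp_indicators(si, fn):
    """$FN times are written by the kernel at creation (refreshed on
    rename/move) and cannot be set through SetFileTime(); $SI times can.
    Two heuristics that follow from that."""
    findings = []
    if si["created"] < fn["created"]:
        findings.append("$SI creation time precedes $FN creation time")
    if all(t.microsecond == 0 for t in si.values()):
        findings.append("$SI timestamps have no sub-second part (typical of SetFileTime tools)")
    return findings


def make_attributes(si_times, fn_times):
    """Constructed attribute bodies; the parent reference value is arbitrary."""
    si = struct.pack("<4Q", *(dt_to_filetime(t) for t in si_times))
    fn = struct.pack("<Q", 0x0005000000000005) + struct.pack("<4Q", *(dt_to_filetime(t) for t in fn_times))
    return si, fn


def sample_stomped():
    """Constructed: $SI pushed back to a whole-second date in 2019, $FN untouched."""
    real = datetime(2024, 3, 1, 10, 2, 11, 123456, tzinfo=timezone.utc)
    fake = datetime(2019, 6, 1, 0, 0, 0, tzinfo=timezone.utc)
    si, fn = make_attributes([fake] * 4, [real] * 4)
    return timestomp_indicators(parse_standard_information(si), parse_file_name(fn))


def sample_clean():
    """Constructed: a file created once and modified/accessed two hours later."""
    real = datetime(2024, 3, 1, 10, 2, 11, 123456, tzinfo=timezone.utc)
    later = real + timedelta(hours=2)
    si, fn = make_attributes([real, later, later, later], [real] * 4)
    return timestomp_indicators(parse_standard_information(si), parse_file_name(fn))
```

Neither check is proof on its own: a file copied from an older volume legitimately carries an old $SI creation time, and some archivers write whole-second times. The value is in ranking entries for a closer look, not in a verdict.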
! Last access times can be delayed by up to an hour
! In order to improve performance in high-volume file servers
! Updates can be fully disabled by creating a registry entry
! Create NtfsDisableLastAccessUpdate=1 in HKLM\SYSTEM\CurrentControlSet\Control\FileSystem
! Caveat: Windows Vista and later ship with this value set to 1 by default (recent Windows 10 releases use the system-managed values 2 and 3 instead), so an unchanged access time on a modern system is not evidence that a file was never read; check the live setting with "fsutil behavior query DisableLastAccess" before relying on the A timestamp
Event Logs
! Windows records details of events in special log files
! Special binary format in Windows 2000/XP/2003 (.evt)
! Magic number: "LfLe" at offset 0x4 of each record
! Four bytes prior to the magic number is the record size (the same size is repeated as the last four bytes of the record)
! Binary XML format in Windows Vista/7 (.evtx)
! Before Windows Vista, log file locations are specified in the registry
! HKLM\System\CurrentControlSet\Services\EventLog
! Three subkeys: System, Application and Security
! The File value of each subkey gives the path to the log file
! Default: C:\Windows\System32\Config
! Starting with Vista
! HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\
! Default File value: C:\Windows\System32\Winevt\Logs
Event Record Fields
! Date and time of event
! User and host
! Event ID
! a number signifying the event
! www.eventid.net
! www.ultimatewindowssecurity.com/securitylog/encyclopedia/
! Source of event
! Type
! Error, warning, information, success audit, or failure audit
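An added worked example (not the lecture's code) tying the .evt format notes and the record fields together: records are carved from a byte image by searching for "LfLe", reading the size stored four bytes before it, and confirming the trailing copy of the size before trusting the hit. The 56-byte fixed header is the documented EVENTLOGRECORD layout (length, magic, record number, time generated, time written, event ID, type, number of strings, category, flags, closing record number, string offset, SID length/offset, data length/offset), followed by the UTF-16 source and computer names. The image, source names, event IDs and strings are constructed for the example.

```python
"""Added example (not the lecture's code): carve EVENTLOGRECORD structures
out of a pre-Vista .evt image by locating the "LfLe" magic and reading the
record size from the four bytes in front of it. The fixed 56-byte header
layout is the documented EVENTLOGRECORD structure; the sample image is
constructed here and is not a real log."""
import struct
from datetime import datetime, timezone

MAGIC = b"LfLe"                     # 0x654C664C stored little-endian
HEADER = "<6I4H6I"                  # 56 bytes, field order listed in carve_records
EVENT_TYPES = {1: "Error", 2: "Warning", 4: "Information",
               8: "Success Audit", 16: "Failure Audit"}


def build_record(rec_no, when, event_id, event_type, source, computer, strings):
    """Constructed: serialise one record in EVENTLOGRECORD layout."""
    names = bytearray((source + "\0" + computer + "\0").encode("utf-16-le"))
    while (56 + len(names)) % 4:           # SID and strings are DWORD aligned
        names += b"\0"
    string_off = 56 + len(names)
    text = "".join(s + "\0" for s in strings).encode("utf-16-le")
    data_off = string_off + len(text)
    length = data_off + 4                  # trailing copy of Length
    header = struct.pack(HEADER, length, 0x654C664C, rec_no, when, when, event_id,
                         event_type, len(strings), 0, 0,
                         0, string_off, 0, string_off, 0, data_off)
    return header + bytes(names) + text + struct.pack("<I", length)


def carve_records(image):
    """Scan for the magic and validate each hit by the leading and trailing
    size fields, so the 48-byte file header (also tagged LfLe) and chance
    hits inside string data are skipped."""
    records, pos = [], image.find(MAGIC)
    while pos >= 4:
        start = pos - 4
        if start + 56 > len(image):
            break
        f = struct.unpack_from(HEADER, image, start)
        # f: Length, Reserved(magic), RecordNumber, TimeGenerated, TimeWritten,
        #    EventID, EventType, NumStrings, EventCategory, ReservedFlags,
        #    ClosingRecordNumber, StringOffset, UserSidLength, UserSidOffset,
        #    DataLength, DataOffset
        length = f[0]
        ok = (length >= 60 and start + length <= len(image)
              and struct.unpack_from("<I", image, start + length - 4)[0] == length)
        if not ok:
            pos = image.find(MAGIC, pos + 4)
            continue
        rec = image[start:start + length]
        num_strings, string_off, data_off = f[7], f[11], f[15]
        names = rec[56:string_off].decode("utf-16-le", "replace").split("\0") + ["", ""]
        strings = rec[string_off:data_off].decode("utf-16-le", "replace").split("\0")[:num_strings]
        records.append({
            "record": f[2],
            "time_generated": datetime.fromtimestamp(f[3], timezone.utc),
            "time_written": datetime.fromtimestamp(f[4], timezone.utc),
            "event_id": f[5] & 0xFFFF,        # low word is what Event Viewer shows
            "type": EVENT_TYPES.get(f[6], "unknown(%d)" % f[6]),
            "source": names[0],
            "computer": names[1],
            "strings": strings,
        })
        pos = image.find(MAGIC, start + length)
    return records


def sample_image():
    """Constructed .evt-like image: file header, two records, EOF marker."""
    file_header = struct.pack("<I", 0x30) + MAGIC + b"\0" * 36 + struct.pack("<I", 0x30)
    t = 1204365600                          # 2008-03-01T10:00:00Z
    recs = (build_record(1, t, 528, 8, "Security", "WKSTN01", ["bob", "WKSTN01", "2"])
            + build_record(2, t + 7, 7035, 4, "Service Control Manager", "WKSTN01",
                           ["Updater", "start"]))
    eof = struct.pack("<5I", 0x28, 0x11111111, 0x22222222, 0x33333333, 0x44444444) + b"\0" * 20
    return file_header + recs + eof


if __name__ == "__main__":
    for r in carve_records(sample_image()):
        print(r["time_generated"].isoformat(), r["source"], r["event_id"], r["type"], r["strings"])
```

Carving by magic rather than walking from the file header is deliberate: it also recovers records from a log whose header offsets are stale or from unallocated space, and the trailing size check is what keeps the scan from accepting a "LfLe" that merely appears inside a message string.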
! List of recently opened files in a given application
! Introduced in Windows 7
! Right click on a program icon in the TaskBar to see the list
! Stored in the user's directory
! AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations
! File extension .automaticDestinations-ms
! File names are special identifiers (AppIDs) of programs
! E.g. "adecfb853d77462a" is MS Word 2007
! Uses structured storage file format (OLE compound)
! Entries are called jump list streams
! Jump list streams have the same format as Windows shortcuts (.lnk)
! All information you can obtain from shortcuts is also available here
! They can also hold command line options in certain programs
! E.g. C:\Windows\System32\mstsc.exe /v:192.168.1.24 in the Terminal Services Client
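An added worked example (not the lecture's code) of what "same format as Windows shortcuts" buys an examiner: a parser for the ShellLink structure that reads the header timestamps, skips the optional ID list and LinkInfo by their own size fields, and then walks the flagged string items to recover the command-line arguments. Offsets and flag bits follow the published [MS-SHLLINK] layout; the sample stream, its relative path, working directory, timestamps and the /v:192.168.1.24 argument are constructed for the example.

```python
"""Added example (not the lecture's code): parse the ShellLink structure
that a jump-list stream shares with a .lnk file and pull out the target
timestamps and the command-line arguments. The byte layout is the
documented [MS-SHLLINK] header and StringData; the sample is constructed."""
import struct
from datetime import datetime, timedelta, timezone

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # 00021401-0000-0000-C000-000000000046
HAS_IDLIST, HAS_LINKINFO, IS_UNICODE = 0x01, 0x02, 0x80
STRING_DATA = ((0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
               (0x20, "arguments"), (0x40, "icon_location"))   # on-disk order
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_dt(ft):
    """FILETIME ticks (100 ns since 1601) to datetime; 0 means 'not set'."""
    return None if ft == 0 else EPOCH_1601 + timedelta(microseconds=ft // 10)


def parse_shell_link(data):
    """Header, then the optional ID list and LinkInfo (skipped by their own
    size fields), then the StringData items whose flag bits are set."""
    if data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a ShellLink structure")
    flags, attrs, ctime, atime, wtime, size = struct.unpack_from("<IIQQQI", data, 20)
    pos = 0x4C
    if flags & HAS_IDLIST:
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO:
        pos += struct.unpack_from("<I", data, pos)[0]   # LinkInfoSize includes itself
    link = {"created": filetime_to_dt(ctime), "accessed": filetime_to_dt(atime),
            "modified": filetime_to_dt(wtime), "target_size": size, "attributes": attrs}
    for bit, name in STRING_DATA:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]   # CountCharacters, no terminator
        pos += 2
        if flags & IS_UNICODE:
            link[name] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            link[name] = data[pos:pos + count].decode("cp1252")
            pos += count
    return link


def build_sample_link(arguments):
    """Constructed jump-list stream: a shortcut with relative path, working
    directory and arguments only (no ID list / LinkInfo), in the shape an
    mstsc.exe entry for a remote host would take."""
    flags = 0x08 | 0x10 | 0x20 | IS_UNICODE
    when = datetime(2024, 3, 1, 10, 2, 11, tzinfo=timezone.utc)
    ft = ((when - EPOCH_1601) // timedelta(microseconds=1)) * 10
    header = (b"\x4c\x00\x00\x00" + LNK_CLSID
              + struct.pack("<IIQQQIIIH", flags, 0x20, ft, ft, ft, 1_126_400, 0, 1, 0)
              + b"\0" * 10)                                      # Reserved1..3

    def string_data(text):
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")

    return (header + string_data("..\\..\\..\\..\\Windows\\System32\\mstsc.exe")
            + string_data("C:\\Windows\\System32") + string_data(arguments))


if __name__ == "__main__":
    print(parse_shell_link(build_sample_link("/v:192.168.1.24")))
```

On a real .automaticDestinations-ms file, open it as an OLE compound document (the third-party olefile module does this) and hand each numbered stream to parse_shell_link; the DestList stream is an index of the entries, not a shortcut, and needs its own parser.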
26 Recycle Bin
27 Recycle Bin INFO File