DFI News

Windows 7 Registry Forensics: Intrusion Related Activities
Wed, 05/30/2012 - 1:42pm
John J. Barbara

Two possible situations arise when forensically examining a system for evidence of an intrusion: performing live incident response and/or conducting a post mortem examination of hard drives. Incident responders have a number of tools available to examine a live system. One commonly used tool is Autoruns which can provide a snapshot of the system configuration and the order in which Windows processes programs. This includes programs in the startup folder and those listed in the Registry Keys “Run,” “RunOnce,” and others. Post mortem examination would normally start with an acquisition of the hard drive(s) and forensically examining the image(s) for probative information. Although there could be malware or their artifacts in many locations, the Registry is a good place to begin searching.

1. ACTIVE SETUP:

  • HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\

Installed programs use CLSIDs for registration purposes. They usually contain the value “StubPath” which specifies a program or application that will be run when Windows is started.

2. AUTORUN LOCATIONS:

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  • HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
  • HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
  • HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
  • HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce
  • HKLM\SYSTEM\CurrentControlSet\Control\Session Manager

These Keys usually identify programs or component paths which automatically launch applications during the Boot Process. The “Session Manager” Key queries the “C:\Windows\System32” directory for executables to run.

3. EXECUTABLE FILE LOCATIONS:

  • HKCR\batfile\shell\open\command
  • HKCR\cmdfile\shell\open\command
  • HKCR\comfile\shell\open\command
  • HKCR\exefile\shell\open\command
  • HKCR\htafile\shell\open\command
  • HKCR\htmlfile\shell\opennew\command
  • HKCR\https\shell\open\command
  • HKCR\InternetShortcut\shell\Open\Command
  • HKCR\JSEfile\Shell\Open\Command
  • HKCR\piffile\shell\open\command
  • HKCR\regfile\shell\open\command
  • HKCR\scrfile\shell\open\command
  • HKCR\txtfile\shell\open\command
  • HKCR\VBSfile\Shell\Open\Command
  • HKCR\WSFile\Shell\Open\Command
  • HKLM\SOFTWARE\Classes\batfile\shell\open\command
  • HKLM\SOFTWARE\Classes\comfile\shell\open\command
  • HKLM\SOFTWARE\Classes\exefile\shell\open\command
  • HKLM\SOFTWARE\Classes\piffile\shell\open\command

These Keys (and others) hold the command the shell runs to open files of the associated type; the “exefile” entries, for example, contain the instructions used to execute files with “.exe” extensions. The Keys normally contain one default value with data: [“%1” %*]. If the value is changed to something like [somefilename.exe “%1” %*], the possibility exists of a hidden program or command being invoked automatically whenever any “.exe” file is executed. The following two Keys may also contain malware artifacts:

  • HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders

4. INSTALLED PROGRAMS:

  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

When programs are installed, Windows lists them in “Control Panel” under “Programs and Features.” Each program has a Subkey in the Registry. Other installed items such as device drivers, Windows patches, etc. are not listed in “Control Panel”; however, they also get Subkeys. Information including the names of applications, installation paths, installation source, installation date, and so forth can be obtained from these Keys.

5. REMOTELY CONTROLLING the GUI of OTHER SYSTEMS:

  • HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server
  • HKCU\Software\Realvnc\Vncviewer4
  • HKLM\Software\Realvnc\Winvnc4

A question which often arises is whether a system was the target of a remote attack or whether the current system user initiated the attack. A tool such as WinVNC Viewer can remotely control the GUI of another system. If the value “fDenyTSConnections” under the first Key is set to “0”, Terminal Services connections are permitted. When a user invokes the VNC Viewer to connect to and control another machine, WinVNC stores the system name or IP address and port number in the Registry. Examining these Keys may provide a history of the machines an attacker accessed.

6. USER ACCESSED PROGRAMS:

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count\

This Key contains Subkeys which have hexadecimal names that appear as GUIDs. The values for specific user-accessed objects on the system, such as Control Panel applets, programs, shortcuts, files, etc. are recorded in the Subkeys. The data is obfuscated using ROT-13 (a simple letter substitution rather than true encryption) and can be decoded using an application such as ROT 13.
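The following added example (not part of the column) decodes one UserAssist entry: the value name is ROT-13 encoded, and the Count data is assumed to follow the Windows 7 layout of a 72-byte record with the run count at offset 4, the focus count at 8, the focus time in milliseconds at 12 and a last-run FILETIME at offset 60. The value name and record are constructed samples.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

# Constructed sample (not from a real system): a ROT-13 encoded value name and
# a 72-byte Count record in the layout assumed here for Windows 7 UserAssist:
# run count at offset 4, focus count at 8, focus time (ms) at 12, FILETIME at 60.
ENC_NAME = r'{7P5N40RS-N0SO-4OSP-874N-P0S2R0O9SN8R}\Abgrcnq.rkr'
SAMPLE_LAST_RUN = datetime(2012, 5, 30, 13, 42, tzinfo=timezone.utc)
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ft):
    """FILETIME counts 100 ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt):
    # Integer arithmetic keeps the conversion exact for large tick counts.
    d = dt - FILETIME_EPOCH
    return ((d.days * 86400 + d.seconds) * 1_000_000 + d.microseconds) * 10

def make_sample_count(run_count, focus_count, focus_ms, last_run):
    """Build a 72-byte Count record with the fields above; the rest is zeroed."""
    return (struct.pack('<IIII', 0, run_count, focus_count, focus_ms)
            + b'\x00' * 44
            + struct.pack('<Q', datetime_to_filetime(last_run))
            + b'\x00' * 4)

SAMPLE_COUNT = make_sample_count(5, 3, 120_000, SAMPLE_LAST_RUN)

def decode_userassist(value_name, data):
    """Decode a UserAssist entry: ROT-13 the name, unpack the counters."""
    if len(data) != 72:
        raise ValueError('unexpected Count value length: %d' % len(data))
    run_count, focus_count, focus_ms = struct.unpack_from('<III', data, 4)
    ft = struct.unpack_from('<Q', data, 60)[0]
    return {
        'name': codecs.decode(value_name, 'rot_13'),
        'run_count': run_count,
        'focus_count': focus_count,
        'focus_seconds': focus_ms / 1000,
        # A zero FILETIME means the entry carries no last-run timestamp.
        'last_run': filetime_to_datetime(ft) if ft else None,
    }

def decode_sample():
    return decode_userassist(ENC_NAME, SAMPLE_COUNT)
```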

7. WINLOGON:

  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

Malware can alter values in this Key and then run after a system reboot. Normally, Windows determines from this Key which executable application to use as the operating system shell. The value “Shell” normally points to “explorer.exe” without a path and is responsible for loading the desktop and allowing user interaction. Because no path is given, malware can create new executables with the name “explorer.exe”; if stored in the root of the system partition, they would stay persistent across reboots and logins. The value “Userinit” ordinarily points to “userinit.exe” and loads the user’s profile settings. It can be modified to run any executable program at system startup.
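An examiner who has exported the Keys from sections 3 and 7 can check them mechanically. The added example below (not the column's own tooling) parses a small .reg export and flags any executable-type open command that is not exactly [“%1” %*] and any Winlogon “Shell” or “Userinit” value that deviates from the defaults; the export text and the expected Userinit path under C:\Windows are constructed assumptions.

```python
import re

# Constructed sample .reg export (not from a real system): the exefile open
# command carries a prefixed program and Userinit carries an extra entry.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\Users\\Public\\suspicious.exe\" \"%1\" %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
"Userinit"="C:\\Windows\\system32\\userinit.exe,C:\\Users\\Public\\extra.exe,"
'''

EXEC_TYPES = ('batfile', 'cmdfile', 'comfile', 'exefile', 'piffile')
# Assumes a default Windows directory; adjust for the image under examination.
EXPECTED_USERINIT = [r'c:\windows\system32\userinit.exe']
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"$')

def parse_reg(text):
    """Parse REG_SZ values of a .reg export into {key: {name: data}}; '@' is the default."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and (m := VALUE_RE.match(line)):
            name = '(Default)' if m.group(1) == '@' else m.group(1)[1:-1]
            keys[current][name] = re.sub(r'\\(.)', r'\1', m.group(2))  # undo \" and \\
    return keys

def audit(keys):
    """Return (key, value name, data, reason) for every value that deviates."""
    findings = []
    for key, values in keys.items():
        parts = key.lower().split('\\')
        if parts[-3:] == ['shell', 'open', 'command'] and len(parts) > 3 and parts[-4] in EXEC_TYPES:
            data = values.get('(Default)', '')
            if data.strip() != '"%1" %*':
                findings.append((key, '(Default)', data, 'open command hijacked'))
        if parts[-2:] == ['currentversion', 'winlogon']:
            shell = values.get('Shell', 'explorer.exe')
            if shell.strip().lower() != 'explorer.exe':
                findings.append((key, 'Shell', shell, 'unexpected Shell'))
            userinit = values.get('Userinit', '')
            entries = [e.strip().lower() for e in userinit.split(',') if e.strip()]
            if entries != EXPECTED_USERINIT:
                findings.append((key, 'Userinit', userinit, 'unexpected Userinit entries'))
    return findings
```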

8. WINDOWS PERSONAL FIREWALL:

  • HKLM\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy
  • HKLM\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy
  • HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy

Subkeys under these Keys contain the ports the firewall allows, any programs it will let communicate on the network, and other settings. An intruder could disable or reconfigure the firewall to allow malware through to attack the computer or network.

9. WINDOWS SERVICES:

  • HKLM\SYSTEM\CurrentControlSet\services

The Key contains a listing of the Windows services. Each Subkey is a service and contains service information. One of the values is the “ImagePath” which is the executable path of the service. Malware can install itself as a service in this Key.

10. WINDOWS COMMAND PROCESSOR:

  • HKCU\Software\Microsoft\Command Processor
  • HKLM\SOFTWARE\Microsoft\Command Processor

These Keys usually contain the value “AutoRun” which could point to hidden commands to be executed automatically when “cmd.exe” is run. Malware can exploit this by loading and running itself without user intervention. It is also possible to run malware by setting or pointing “AutoRun” to an executable file path.

11. WIRELESS NETWORKS:

  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\{GUID}
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Unmanaged
  • HKLM\SYSTEM\ControlSet001\services\Tcpip\Parameters\Interfaces\{GUID}
  • HKLM\SYSTEM\ControlSet002\services\Tcpip\Parameters\Interfaces\{GUID}
  • HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{GUID}

The first Key stores timestamps and Service Set Identifiers (SSIDs) for every network that the computer accessed. An application such as DCode can be used to obtain the date and time information from the “DateCreated” and the “DateLastConnected” values. The second Key stores the default Gateway MAC address, SSID name, DNS, etc. for every network that the computer accessed. The next three Keys are duplicates of each other, storing network settings such as the IP address, DHCP domain, subnet mask, etc. of a particular connection in each of its Subkeys. Timestamps are stored as Big-Endian UNIX 32 bit Hex values.
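The two timestamp formats met in these Keys can be decoded without a separate tool. The added example below (not from the column) treats the Profile “DateCreated”/“DateLastConnected” values as 16-byte REG_BINARY SYSTEMTIME structures (eight little-endian 16-bit fields) and the Tcpip Interface lease values as 32-bit UNIX timestamps held in a DWORD; both sample values are constructed.

```python
import struct
from datetime import datetime, timezone

# Constructed sample values (not from a real system). SYSTEMTIME fields are
# year, month, day-of-week, day, hour, minute, second, milliseconds.
SAMPLE_DATE_CREATED = struct.pack('<8H', 2012, 5, 3, 30, 13, 42, 7, 0)
SAMPLE_LEASE_OBTAINED = 0x4FC623A8  # DWORD as regedit shows it, in hex

def systemtime_to_datetime(raw):
    """Decode a 16-byte SYSTEMTIME blob; the day-of-week field is redundant."""
    if len(raw) != 16:
        raise ValueError('SYSTEMTIME must be 16 bytes, got %d' % len(raw))
    year, month, _dow, day, hour, minute, second, ms = struct.unpack('<8H', raw)
    return datetime(year, month, day, hour, minute, second, ms * 1000, tzinfo=timezone.utc)

def unix32_to_datetime(value):
    """Decode a 32-bit UNIX epoch timestamp stored in a REG_DWORD."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError('not a 32-bit value: %r' % value)
    return datetime.fromtimestamp(value, tz=timezone.utc)

def decode_samples():
    return {
        'DateCreated': systemtime_to_datetime(SAMPLE_DATE_CREATED).isoformat(),
        'LeaseObtainedTime': unix32_to_datetime(SAMPLE_LEASE_OBTAINED).isoformat(),
    }
```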

Summary
The Keys cited in the multipart Windows 7 Registry Forensics columns are by no means a complete listing of those of forensic importance. It is up to each examiner to determine if the Registry is to be examined and to what extent.

(Note: Software tools mentioned in this column should not be considered an endorsement of those tools by DFI News or by the author. Prior to purchasing commercial tools or obtaining freeware tools, investigators and examiners should research those that are available to determine which best meet their technical and operational performance parameters.)

John J. Barbara owns Digital Forensics Consulting, LLC, providing consulting services for companies and laboratories seeking digital forensics accreditation. An ASCLD/LAB inspector since 1993, John has conducted inspections in several forensic disciplines including Digital Evidence. John is the General Editor for the “Handbook of Digital & Multimedia Forensic Evidence” published by Humana Press. He can be reached at jjb@digforcon.com.
