Windows Registry and Hiding Suspects’ Secret in Registry

  • 格式:pdf
  • 大小:195.43 KB
  • 文档页数:6

Windows Registry and Hiding Suspects’ Secret in Registry 1Youngsoo Kim, Dowon HongElectronics & Telecommunications Research Institute (ETRI)/Convergence Security Group{blitzkrieg, dwhong}@etri.re.kr1This work was supported by the IT R&D program of MIC/IITA. [2007-S019-01, Development of Digital Forensic System for Information Transparency].AbstractWindows registry, a central repository for configuration data, should be investigated for obtaining forensic evidences, since it contains lots of information that are of potential evidential value. Using some forensic tools, forensic examiners can investigate values of windows registry and get information can be forensic evidences. However, since windows registry contains huge amount of values and these values can be modified by users, suspect can hide his secret like password in registry values. In this paper, we discuss the basics of Windows XP registry and extract some registry entries related to forensic analysis. Finally, we show that some countermeasures are needed, listing up consideration items for hiding secrets in registry as suspect’s viewpoint .1. IntroductionWindows 9x/ME, Windows CE, Windows NT/2000/XP/ 2003, and Windows Vista store configuration data in registry, a central repository for configuration data that is stored in a hierarchical manner. System, users, applications and hardware in Windows use the registry to store their configuration and it is constantly accessed for reference during their operation. Windows registry can be an excellent source for potential evidential data, since the vast amount of information, such as user accounts, typed URLs, network shared, and run command history, is stored in it. Using some forensic tools, forensic examiners can investigate values of windows registry and get information can be forensic evidences. However, since windows registry contains huge amount of values and these values can be modified by users, suspect can hide his secret like password in registry values. In this paper, we discuss the basics of Windows XP registry in chapter 2 and extract to categorize some registryentries related to forensic analysis in chapter 3. Finally, we show that some countermeasures are needed, listing up consideration items for hiding secrets in registry as suspect’s viewpoint in chapter 4, and give some concluding remarks in chapter 5.2. Windows registryBy clicking Start\Run and typing ‘legedit’ on Windows, we can see Windows registry logical view from Register Editor, Windows default register editor. Each folder in the left key pane is a registry key and the right panes show the key’s value. Subkeys are used to show the relationship between a key and the keys nested below it. Windows uses symbolic link to link a key to a different path which allows the same key and its values to appear at two different paths. There are 5 root keys in Windows registry: HKEY_CLASSES _ROOT (HKCR), HKEY_CURRENT_USER (HKCU), HKEY_LOCAL_MACHINE (HKLM), HKEY _USERS (HKU), and HKEY_CURRENT_ CONFIG (HKCC). Each key has some values consist of name, type and data. Value’s type determines the type of data value contains. The common value types in registry are REG_BINARY type contains binary data, REG_DWORD type contains double-word (32-bit) data, and REG_SZ type contains fix-length string data. However, the registry actually stores all values in binary format in the actual file. Since all values are stored alongside with their corresponding type, it allows the Registry Editor to interpret the value’s data correctly [1]. Windows physically stores only HKLM and HKU root keys on files. HKCU is a symbolic link to subkey in HKU, and HKCR and HKCC are symbolic links to subkeys in HKLM.① HKCR contains two types of per-user settings, file associations, and class registration for Component Object Model (COM) object. File associations describes the file types and associated programs that open and edit them [2]. This root key consumes most ofthe space in registry. Windows merges two keys HKLM\SOFTWARE\Classes (contains default file associations and class registration) and HKCU \Software\Classes (contains per-user file associations and class registration) to obtain HKCR. In fact, HKCU \Software\Classes is a link to HKU\SID_Classes. By merging the two keys, program can register per computer and per-user file associations and program classes. ② HKCU contains the computer users’ per-user settings. It is actually a symbolic link to HKU/SID, the current console user’s SID. This branch contains information on environmental variables, desktop settings, mapped network drive settings, and application settings. HKCU subkeys that are of potential forensic values are Environment, Identities, Network, Software, and Volatile Environment. Environment’s each subkey corresponds to an environmental variable user has set, and each Identities subkey corresponds to an identity in Microsoft Outlook Express. Each Network subkey corresponds to a mapped drive Windows connects during user system logon and contains configuration to connect the network drive. Subkey name is the drive letter to which the network drive is mapped. Software subkey contains user-specific application settings. Programs store their settings in a standard way, HKCU\Software \Vendor\Program\Version\. Volatile Environment contains environmental variables that are defined when user logon to Windows XP. ③ HKLM contains per-computer (computer-specific) settings which apply to all users logging into that particular computer having subkeys such as HARDWARE, SAM, SECURITY, SOFTWARE, and SYSTEM. HARDWARE stores information regarding hardware Windows XP detects during startup. The subkeys are dynamically created during system startup. They include information on device driver and associated resources. SAM(Security Accounts Manager) is a local security database which contains local users and groups information. ACL prevents Administrator from viewing this subkey. SECURITY contains Windows local security database in the SAM subkey. ACL prevents Administrator from viewing this subkey. SOFTWARE stores per-computer application settings. Programs store their settings in this standard form, HKLM\Software\Vendor\Program\Version. SYSTEM contains control set, which contains device driver and service configurations. HKLM\SYSTEM \CurrentControlSet is a symbolic link to ControlSet XXX, and the key HKLM\SYSTEM\Select indicates which ControlSetXXX is in use. ④ HKU contains at least these 3 subkeys for per-user (user-specific) information: - .DEFAULT- SID, SID is the security identifier for console user (user currently using the keyboard). - SID_CLASSES contains per-user class registration and file association. HKU has other well-known SID in Windows XP. - S-1-5-18 refers to LocalSystem account. - S-1-5-19 refers to LocalService account. It is used to run local services that do not require LocalSystem account. - S-1-5-20 refers to NetworkService account. It is used to run network services that do not require LocalSystem account.Any other subkeys in HKU are associated to secondary users. Windows XP has a feature called Secondary Logon, which allows user to run a program as a different user, usually with elevated privileged. Thus, user can logon to a limited account for daily routines and uses elevated privileged for occasional administrative task. The secondary user SID (usually administrative account SID) will only present in the HKU subkeys if the user performs a secondary logon during the user’s session. ⑤ HKCC is a symbolic link to current hardware profile configurations subkey, HKLM\SYSTEM \CurrentControlSet\Hardware Profiles\Current. Current is a link to the key HKLM\SYSTEM\CurrentcontrolSet \Hardware Profiles\XXXX Registry Editor only shows the logical structure of the registry. Physically, registry is not stored in a single file in the hard drive. Windows stores registry in a few separated binary files called hives (Microsoft, 2005a). For each hives file, Windows creates additional supporting files that contain backup copy of the respective hives to restore the hives during failed system boot. Only HKLM and HKU has corresponding hives (since the rest are symbolic links). However, none of 5 root keys are directly associated to a hive file. Table 1 shows registry path and their corresponding hives on disk. All hives in HKLM are stored in %SYSTEMROOT%\System32\config\(%SYSTEMRO OT% usually refers to C: \WINDOWS). HKLM\HARDWARE is a dynamic hive that is created each time the system boots and it is created and managed entirely in memory. HKU\.DEFAULT hive file correspond to %SYSTEMROOT% \System32 \config\default. HKU\SID hive file is stored in user home directory, which is %USERPROFILE% \NTUSER.DAT, while HKU\SID_CLASSES hive file correspond to %USERPROFILE%\Local Settings \Application Data\Microsoft\Windows\UsrClass.dat. Actual hive file has no extension and backup copy of hive has alt extension. Additionally, transaction log ofchanges to a hive has log extension and backup copy of hive created at the end of text-mode (console) phrase during Windows XP setup has sav extension.Table 1. Registry hivesPath Hives and related filesHKLM\SAM SAM, SAM.LOG HKLM\SECURITY SECURITY, SECURITY.LOGHKLM\SOFTWAREsoftware, software.LOG,software.savHKLM\SYSTEM system, system.LOG, system.sav HKLM\HARDWARE (Dynamic/Volatile Hive)HKU\.DEFAULT default, default.LOG, default.sav HKU\SID NTUSER.DATHKU\SID_CLASSES UsrClass.dat, UsrClass.dat.LOG 3. Forensic-related registry keysIn this chapter, we extract some registry keys requiredto be investigated forensically in Windows XP andshow how they can be of benefit to help describingsuspect activities on the computer.3.1. Most recently used registry keysDetermining what files, folders, or applicationswere most recently used is a key task in investigations. Showing that an individual openeda file, saved a file, or searched for a file can provethe suspect know the file. Sometimes a suspectwill delete a file after viewing it. Unless explicitlycleared, the file name may still appear in the MostRecently Used (MRU) registry keys. In additionto the following Microsoft-specific MRU lists,installed applications may have their own mostrecently used keys. The most likely location forthese is under the HKCU\Software\%application%hierarchy.HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRUThis key maintains a list of recently opened orsaved files via typical Windows Explorer-stylecommon dialog boxes [3]. For instance, files thatare recently opened or saved files from within aweb browser like IE are maintained. However,documents are opened or saved via MicrosoftOffice programs are not maintained. Subkey *contains the full file path to the 10 most recentlyopened/saved files, and other subkeys in OpenSaveMRU contain far more entries related to previously opened or saved files.HKCU\Software\Microsoft\Windows\CurrentV ersion\Explorer\ComDlg32\LastVisitedMRUThis key correlates to the previous OpenSaveMRU key to provide extra information. Whenever a new entry is added to the previousOpenSaveMRU key, registry value is created orupdated in this key. Each binary registry value under this key contains a recently used programexecutable filename, and the folder path of a file to which the program has been used to open orsave it. If a file is saved, the folder path refers tothe saved file destination path; if a file is opened, the folder path refers to the file source path. Newregistry value will only be created to this key, ifno existing registry values contain the program executable filename. However, if there is amatching executable filename in the existing values, only the folder path section of the relatedregistry value is updated. HKCU\Software\Microsoft\Windows\CurrentV ersion\Explorer\RecentDocs This key also maintains list of files recently executed or opened through Windows Explorer. This key contains local or network files that are recently opened and only the filename in binary form is stored. Opened files are organized according to file extension under respective subkeys and the Subkey Folder contains the folder of the recently open files. Subkey NetHoodcontains only LAN shared folder path (server and folder name) which the file was opened. HKCU\Software\Microsoft\Windows\Current Version\Explorer\RunMRU This key maintains a list of entries executed using the Start\Run commands. The MRUList value maintains a list of alphabets which refer to the respective values. The alphabets are arranged according to the order the entries is being added. However, most recently added entry does not imply most recently used command as suspect may have re-executed previous commands. Windows does not modify the key LastWrite time or MRUList if there is an existing entry in the key. If a file is executed via Run command, it will leaves traces in the previous two keys OpenSaveMRU and RecentDocs. Deleting the subkeys in RunMRU does not remove the history list in Run command box immediately. However, when either button Start>Log Off or Turn Off Computer is clicked (without actually logging off or shutdown), the respective entries in Runhistory list are then removed.HKCU\Software\Microsoft\Windows\CurrentV ersion\Explorer\Map Network Drive MRUThis key maintains a list of mapped network drive, including the server name and shared folder. The value in this key is still retained even though the mapped network drive has been permanently removed or disconnected.HKCU\Software\Microsoft\InternetExplorer\Typed URLsThis key contains a listing of 25 recent URLs (or file path) that is typed in the Internet Explorer (IE) or Windows Explorer address bar. It shows websites suspect has recently been surfing. However, the key will only show links that are fully typed, automatically completed while typing, or links that are selected from the list of stored URLs in IE address bar. Websites that are accessed via IE Favorites are not recorded. IE will only write all the typed URLs during that session to the key when IE is closed. If suspect clears the URL history using Clear History via IE Internet Options menu, this key will be completely removed.HKCU\Software\Microsoft\SearchAssistant\ACMruThis key contains recent search terms using Windows default search. Subkey 5603 contains each terms for finding folders and filenames, while subkey 5604 contains search terms for finding words or phrases in a file.3.2. Folder location registry keysMain folders on Microsoft systems such as My Documents folder, Startup folders, Recent folders, and Internet folders(Cache, History, Favorites and Cookies) are the most likely location for files of interest in an investigation. By altering registry settings, an individual user can change these folders, generally for legitimate reasons. By confirming the locations of these folders, an investigation can be directed at target locations for initial analysis.HKCU\EnvironmentThis key identifies the environment variables that provide the location of the Windows temp directories. The temp directories are likely locations for temporary copies of files that may or may not exist elsewhere.HKCU\Software\Microsoft\Windows\CurrentV ersion\Explorer\Shell Folders\This key enables users to change the locations of specific folders, such as My Documents, Recent, and Startup through the various subkeys. Changing these folder locations changes the links from all locations that point to the particular special folder.HKLM\Software\Microsoft\Windows\CurrentV ersion\Explorer\Shell Folders\This key contains the links relevant to folders used by All Users. These can likewise be redirected to point to alternate file system locations for malicious or legitimate reasons. HKLM\System\CurrentControlSet\Control\Hiv elistThis key identifies the locations of registry hive files on Windows XP.3.3. Startup related registry keysSpyware, viruses, and other malicious code will frequently continue to infect a computer after a reboot. To accomplish this, the code needs to be run automatically. Some registry keys containing numerous locations from which code can automatically be run are detailed in here. Anything suspicious found in these keys may require further investigation, but many legitimate programs also make use of these keys.HKCU\Software\Microsoft\Windows\CurrentV ersion\RunThis key identifies any user-specific software set to run the next time that individual logs in. This is less frequently used than the HKLM keys, as it is user dependent.HKLM\Software\Microsoft\Windows\CurrentV ersion\RunThis key shows the items that are automatically executed on every system logon. This is the old favorite location for malware to start but is becoming less commonly used as malware authors are hiding their software in more obscure key locations.HKCU\Software\Microsoft\Windows\CurrentV ersion\RunServices andHKLM\Software\Microsoft\Windows\CurrentV ersion\RunServicesThese keys list services set to run automatically at startup either once or every time. These keys can be used to trigger executables before a user logs on. These keys are not always present, but can be created by the programs taking advantage of them. HKCU\Software\Microsoft\Windows\CurrentV ersion\Policies\Explorer\RunHKLM\Software\Microsoft\Windows\CurrentV ersion\Policies\Explorer\RunThese key list programs associated with Windows Explorer that are permitted to run automatically when the users logs in. The HKCU key isassociated with a particular user, while the other key runs with any user.HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonThis key has a registry value named Shell with default data Explorer.exe. Malware such as Kwbot appends the malware executable file to the default value’s data, modifying it into Shell =Explorer.exe%system%\System32.exe to stay persistence across system reboots and logins. Suspect could append executable file path to this registry value to run program covertly. Furthermore, there is another registry value in this key named TaskMan which allows user to run an alternate task manager. Though by default it is not created in Windows XP, suspect can create it and point it to an executable file. Both registry values are executed automatically whenever the system boots. Suspect can utilize these two registry values to run program secretly. However, modification to this key requires administrative privilege.3.4. General registry keysSeveral registry keys are not necessarily specific to a given area, even though they are examined in numerous types of investigations. These keys include basic system information (who used the system and what applications are installed) andmore detailed information on key system areas (what hardware was installed and what drives were mounted). HKCR\This key provides the name of the application handler associated with a file extension. Looking up the application handler name may provide the associated executable. When unknown file extensions are encountered, they can be traced to an executable here. HKCU\Control Panel\This key stores all of the control panel settings under subkeys. If a particular control panel setting needs to be known for an investigation, this is the location to check.HKCU\Software\ and HKLM\Software\These keys refer to software installed on the system. Software that has been deleted or uninstalled frequently leaves registry keys with user settings or machine settings after removal. HKLM\SOFTWARE\Microsoft\Windows\Curr entVersion\UninstallEach subkey in this key represent an installed program in the computer [4]. All programs listed in Control Panel>Add/Remove Programs correspondto one of the listed subkeys. However, they are other installed programs (e.g. device driver, Windows patch) that are not listed in Add/Remove Programs. Each subkey usually contains these two common registry values’ DisplayName and UninstallString. Other possible useful registry values may exist, which include information on install date, install source and application version.HKLM\SYSTEM\MountedDevicesThis key contains a list of mounted devices, with associated persistent volume name and unique internal identifier for respective devices. This key lists any volume that is mounted and assigned a drive letter, including USB storage devices and external DVD/CDROM drives. From the listed registry values, value’s name that starts with ‘\DosDevices\’ and ends with the associated drive letter, contains information regarding that particular mounted device. By correlating the entry with registry key LastWrite time, investigator would know when the removable device is connected.HKLM\SYSTEM\CurrentControlSet\Services\ This key contains list of Windows services. Each subkey represents a service and contains service’s information such as startup configuration and executable image path. Some malware such as BackOrifice2K will install itself as service. Thus, it leaves trace in this key.4. Considerations for hiding data in registry as suspects’ viewpointSince registry’s value supports binary data type, suspect can store segments of program or the entire binary in the registry. These segments of program can be placed in several dispersed keys. Unless forensic examiner knows the relevant keywords to search in the registry, finding hiding data in tens of thousands of registry keys can be a tedious task. Suspect may consider the followings to hide all sorts of data including password, text information and binary files in registry.Suspect may hide his information in registr y values which may not affect the system its elf. Since Windows does not utilize these registry values which are nested somewhere in some regist ry keys, and they are merely used for storing string information, suspect can hides information such a s passwords or passphrases in these values effectiv ely.Suspect may hide his information in registry values which forensic examiners don’t co nsider as important. Since forensic analysis sh ould be processed quickly, the categorized items d escribed in previous chapter are the primary target to analyze. If suspect can hide his information in r outine registry values, examiner may not be able t o find them easily[5].Suspect may hide his information in registr y values related to uninstalled programs. E ven though some programs or applications are deleted from the system, registry values for t hem are not removed yet. It is not easy for foren sic examiners to find suspect’s secret, if suspect m ay conceal them in registry values related uninstall ed program. Figure 1 and 2 depict registry values i n case of removing Skype, P2P internet telephony network program. Generally in case of uninstalling programs or applications, related registry values i n HKCU are still remain, even those of HKLM are goneSuspect may not hide his information in reg istry values already analyzed and dealt wit h good areas to hide. For example, there are tw o strings in TIME_ZONE_INFORMATION struct ure, StandardName and DaylightName (HKLM\Sy stem \CurrentControlSet\Control\TimeZoneInform ation). Suspect merely modifies registry values of t wo strings manually using Registry Editor to store information. Since Windows does not utilize these registry values which are nested somewhere in so me registry keys, and they are merely used for stor ing string information, suspect can hides informati on such as passwords or passphrases in these value s effectively[6].Suspect may hide his information in registr y keys having REG_SZ value type. If suspec t encode text-based information into binary format in hexadecimal notation and store the binary form in registry values as string using type REG_SZ, e xaminer may not be able to find them easily. Suspect may hide his information in registr y keys having REG_SZ value type. When an application read value’s data in REG_BINARY fr om the registry, the application decides on how to decode the value. For example, since application c an interpret REG_BINARY data as 8-bit ASCII or16-bit Unicode, it could result in two different values. Suspect can use this technique to hide data. Some applications store REG_SZ and REG_DWORD data in REG_BINARY value, decoding and finding them can be difficult. This technique also could be used to hide data or at least confuse forensic examiner.5. Concluding remarksWe have discussed the basics of Windows XP registry and have extracted to categorize some registry entries related to forensic analysis. As a proposal, we have listed up consideration items for hiding secrets in registry as suspect’s viewpoint. If forensic examiners focus on forensic related registry keys (chapter 3) and considerations for suspect’s viewpoint (chapter 4), they can collect and analyze more forensic evidences effectively on forensic investigation. It seems to be impossible to prevent from hiding data in registry, so finding techniques should be the main countermeasure. It can be a reasonable method to use a hashset for checking integrity of registry keys. If a hashset for registry keys of specific programs is created in advance, forensic examiners can use it on investigation. By comparing it with the hash value of current registry keys, they can decide whether it is changed or not. However, this method is limited to registry keys of well-known programs like MS office. The better way is required to detect data hidden in any registry key values.6. References[1] J.Honeycutt, Microsoft Windows XP Registry Guide, Microsoft Press, 2003.[2] M.Russinovich, “Inside the Registry”, Windows NT Magazine, 1997.[3] C.Steel, Windows Forensics, Wiley Publising, Inc., 2006.[4] K.J .Jones, R. Bejtlich, and C.W. Rose, Real Digital Forensics, Addison-Wesley, 2006.[5] H.Carvey, Windows Forensics and Incident Recovery, Addison-Wesley, 2004.[6] L.W.Wong, “Forensic Analysis of the Windows Registry,” Forensic Focus, 2006。