Pretty much anything performed in Windows refers to or is recorded into the registry, meaning any actions taken by a user reference the Windows registry.

Therefore, a definition for the Windows registry could be a hierarchical database used to store information necessary to configure the system for one or more users, applications, and hardware devices.

Some functions of the registry are to load device drivers, run startup programs, set environment variables, and store user settings and operating system parameters. You can view the Windows registry by typing the command regedit in the Run window.

The Windows registry can contain very valuable information that is useful to cyber forensic professionals. It can contain information about recently run programs, programs that have been installed or uninstalled, users who perhaps have been removed or created by a threat actor, and much more.

The Windows subsystem that manages the registry is called the Configuration Manager. The Windows registry appears as a single hierarchy in tools such as regedit; however, it is actually composed of a number of different binary files, called hives, on disk. The hive files themselves are broken into fixed-size bins of 0x1000 (4,096) bytes, and each bin contains variable-length cells. These cells hold the actual registry data. References in hive files are made by the cell index. The cell index is a value that can be used to determine the location of the cell containing the referenced data. The structure of the registry data is typically composed of two distinct data types: key nodes and value data.

The structure of the registry is similar to a file system. The key nodes are similar to directories or folders, and the values can be compared to files. On the other hand, data in the registry always has an explicit associated type, unlike data on a file system. To work with registry data in memory, it is necessary to find out where in memory the hives have been loaded and to know how to translate cell indexes to memory addresses. It is also helpful to understand how the Windows Configuration Manager works with the registry internally, and how we can make use of its data structures to learn what the operating system itself maintains about the state of the registry.
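As an added, self-contained example (not code from the book or from Microsoft), the following Python builds a constructed minimal hive image in memory (a base block followed by one bin holding a single allocated root key cell) and then parses it the way an offline forensic tool would: it checks the regf and hbin signatures, translates the root cell index into a file offset, reads the cell's signed size to see whether it is allocated, and decodes the nk key node, including the LastWrite FILETIME. Field offsets follow the documented regf on-disk format; the key name, subkey and value counts, and timestamp in the sample are constructed values.

```python
import struct
from datetime import datetime, timedelta, timezone
HBIN_BASE = 0x1000  # hive bins data begins after the 4 KiB base block
EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME origin

def filetime_to_datetime(ft):
    # FILETIME counts 100 ns ticks since 1601-01-01 UTC
    return EPOCH + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt):
    d = dt - EPOCH
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10

def read_cell(hive, cell_index):
    off = HBIN_BASE + cell_index                      # cell index is relative to the hive bins data
    size, = struct.unpack_from("<i", hive, off)       # negative size = allocated (in-use) cell
    return size < 0, hive[off + 4 : off + abs(size)]

def parse_nk(payload):
    # Fixed part of a key node record; the name is ASCII when KEY_COMP_NAME (0x20) is set
    if payload[:2] != b"nk":
        raise ValueError("not a key node cell")
    flags, last_write = struct.unpack_from("<HQ", payload, 2)
    n_subkeys, _, _, _, n_values = struct.unpack_from("<5I", payload, 0x14)
    name_len, = struct.unpack_from("<H", payload, 0x48)
    raw = payload[0x4C : 0x4C + name_len]
    return {"name": raw.decode("ascii") if flags & 0x20 else raw.decode("utf-16-le"),
            "last_write": filetime_to_datetime(last_write), "subkeys": n_subkeys, "values": n_values}

def root_key(hive):
    # Validate the base block and first bin signatures, then follow the root cell index
    if hive[:4] != b"regf" or hive[HBIN_BASE:HBIN_BASE + 4] != b"hbin":
        raise ValueError("not a registry hive")
    root_index, = struct.unpack_from("<I", hive, 0x24)
    allocated, payload = read_cell(hive, root_index)
    if not allocated:
        raise ValueError("root cell is not allocated")
    return parse_nk(payload)

def build_sample_hive(last_write):
    # Constructed sample hive: a base block and one bin holding a single root 'nk' cell
    ft = datetime_to_filetime(last_write)
    nk = bytearray(b"nk" + bytes(0x4A) + b"ROOT")                 # 0x4C fixed bytes + key name
    struct.pack_into("<HQ", nk, 2, 0x2C, ft)                      # flags (incl. KEY_COMP_NAME), LastWrite
    struct.pack_into("<5I", nk, 0x14, 3, 0, 0xFFFFFFFF, 0xFFFFFFFF, 1)  # 3 subkeys, 1 value (lists not built)
    struct.pack_into("<H", nk, 0x48, 4)                           # key name length
    cell = struct.pack("<i", -88) + bytes(nk).ljust(84, b"\0")    # 4 + 80 bytes, padded to 8
    base = b"regf" + struct.pack("<IIQIIIIII", 1, 1, ft, 1, 5, 0, 1, 0x20, 0x1000)
    hbin = (b"hbin" + struct.pack("<II", 0, 0x1000)).ljust(0x20, b"\0") + cell
    return base.ljust(HBIN_BASE, b"\0") + hbin.ljust(0x1000, b"\0")
```

The same read_cell and parse_nk functions work on a real hive file read with open(path, "rb"), since a cell index is always an offset from the end of the 4 KiB base block.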

The folders listed on the left start with the five hierarchical folders called hives, each beginning with the term HKEY (meaning “handle to a key”). Two of the hives are real locations: HKEY_USERS (HKU) and HKEY_LOCAL_MACHINE (HKLM). The remaining three are shortcuts to other elements within the HKU and HKLM hives. Each of these main five hives is composed of keys, which contain values and subkeys. Values are named data items pertaining to the operating system or applications within a key. One way to think of the Windows registry is to compare it to an application containing folders. Inside an application, folders hold files. Inside the Windows registry, the hives hold values.

The following list defines the function of the five hives within the Windows registry:

HKEY_CLASSES_ROOT (HKCR): HKCR information ensures that the correct programs open when executed in Windows Explorer. HKCR also contains further details on drag-and-drop rules, shortcuts, and information on the user interface. The reference location is HKLM\Software\Classes.

HKEY_CURRENT_USER (HKCU): HKCU contains configuration information for any user who is currently logged in to the system, including the user’s folders, screen colors, and Control Panel settings. The reference location for a specific user is HKEY_USERS. The reference for a general user is HKU\.DEFAULT.

HKEY_CURRENT_CONFIG (HCU): HCU stores information about the system’s current configuration. The reference for HCU is HKLM\Config\profile.

HKEY_LOCAL_MACHINE (HKLM): HKLM contains machine hardware-specific information that the operating system runs on. This includes a list of drives mounted on the system and generic configurations of installed hardware and applications. HKLM is a hive that isn’t referenced from within another hive.

HKEY_USERS (HKU): HKU contains configuration information of all user profiles on the system. This includes application configurations and visual settings. HKU is a hive that isn’t referenced from within another hive.

Some interesting data points can be extracted from analyzing the Windows registry. Every registry key carries a value called the LastWrite time, analogous to a file's last modification time. This can be used to identify the approximate date and time an event occurred. Autorun locations are registry keys that launch programs or applications during the boot process. These are extremely important to protect because Autorun could be used by an attacker to execute malicious applications. The most recently used (MRU) list contains entries made due to actions performed by the user. The purpose of an MRU is to hold a list of items in case the user returns to them in the future. Think of an MRU as similar to how a cookie is used in a web browser. The UserAssist key contains information about what resources the user has accessed.

Many other things, such as network settings, USB devices, and mounted devices, have registry keys that can be pulled up to identify activity within the operating system.

The registry can specify whether applications start automatically when the system is booted or when a user logs in. A good reference about this is the following Microsoft Sysinternals document: https://technet.microsoft.com/en-us/sysinternals/bb963902. Malware can change the registry to automatically start a program when the system is booted or when a user logs in.

A good example of Windows registry categories related to program execution and other functions can be found at https://blogs.sans.org/computer-forensics/files/2012/06/SANS-Digital-Forensics-and-Incident-Response-Poster-2012.pdf.

The Security hive is one of the Windows registry hives that holds information related to the running and operation of the system. The information available in this and other system hives is all about the system, rather than about specific users on the system. The Windows registry Security hive contains useful information regarding the system configuration and settings.

Information about local users on a system is maintained in the SAM “database” or hive file. In corporate environments, the SAM hive may not have a great deal of useful information. User information may be found on a domain controller or LDAP server. However, in environments where the users access their system using local accounts, this hive file can provide great information.

In some cases, during investigations you may need to crack a user’s password—for instance, a user created by a threat actor and used in malware. There are several free password cracking tools available, including Cain & Abel (http://www.oxid.it/cain.html), OphCrack (http://ophcrack.sourceforge.net), and John the Ripper (http://www.openwall.com/john).

The System hive contains a great deal of configuration information about the system and devices that were included in it and have been attached to it.