Post on 20-May-2015
Windows Registry Forensics
Windows Registry Forensics (WRF) with Volatility
Framework
Speaker :: Kapil Soni (2013)
Content ::
- Small introduction of tools: DumpIt, Volatility Framework
- Image info, process analysis, services analysis
- Hive info, printkey, hardware analysis
- Hash dumping and LSA secrets dump
- Shellbags analysis
- Userassist analysis and Shimcache
Registry Manage and Basics
DumpIt & Volatility Framework -
DumpIt is a memory acquisition utility for Windows. It copies physical memory to a .raw dump file, which is the image analysed in the rest of this talk.
Volatility Framework is an advanced and powerful open-source memory analysis and forensics framework; every registry plugin below works on the memory image alone, no disk hive files are needed.
Platforms supported - Windows, Linux, Mac.
Image Info, Process Analysis, Services Analysis – Short Desc.
Image Info – In this section we find out the important facts about the dumped memory file: the suggested profile (OS version and architecture, which every later command needs as --profile), the KDBG address and the acquisition time (imageinfo, kdbgscan).
Process Analysis – Process analysis is the most important part of memory analysis and malicious-activity analysis (pslist, psscan, pstree, dlllist).
Services Analysis – Service analysis is yet another important part of forensic investigations (svcscan).
Hive Info & PrintKey -
Hivelist :: lists every registry hive found in memory with its virtual and physical address. The virtual address is the hive offset (-o, -y, -s) that the printkey, hashdump and lsadump plugins below take.
PrintKey :: prints the subkeys, values and last-write timestamp of one key. -o selects the hive by virtual address and -K gives the key path inside that hive; without -o the plugin searches every hive for the key.
Hardware Identification -
Some keys and subkeys hold hardware information that exists only in memory: the HKLM\HARDWARE hive is volatile, built by the kernel at boot and never written to disk, so a memory image is the only place to read it.
Registry analysis is a good way to gather information about the BIOS, hardware and other internal and external devices.
Command :: Volatility.exe -f Windows7.raw --profile=Win7SP1x86 printkey -o hardware_virtual -K "DESCRIPTION\System\BIOS"
(hardware_virtual is the virtual address of \REGISTRY\MACHINE\HARDWARE from hivelist. The BIOS subkey exists on Vista and later; on XP the same information sits as values directly under DESCRIPTION\System.)
Hash Dumping ::
User password hashes (LM and NT) are stored in the SAM hive, encrypted with a key that is derived from the SYSTEM hive (the boot key), which is why the plugin needs both hives.
Volatility Framework provides the hashdump plugin for dumping them from the registry hives found in memory.
Windows Password Hashes
Command :: Volatility.exe -f WinXP.raw --profile=WinXPSP2x86 hashdump -y system_virtual -s sam_virtual
(-y is the SYSTEM hive virtual address and -s the SAM hive virtual address, both read from hivelist; later Volatility 2 releases locate the two hives themselves when the options are omitted.)
LSA Secret Dump ::
We can dump LSA (Local Security Authority) secrets from the registry hives in memory. LSA secrets are a specially protected storage area in the SECURITY hive for important data used by the LSA in Windows: local security policy, auditing, authentication, logging users on to the system, and private data such as service-account passwords and the auto-logon DefaultPassword.
Both user and system sensitive data is stored in secrets. They are encrypted with the LSA key, which is itself protected by the boot key from the SYSTEM hive, so lsadump needs the SYSTEM and SECURITY hives.
Command :: Volatility.exe -f WinXP.raw --profile=WinXPSP2x86 lsadump -y system_offset -s security_offset
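The three registry commands above (printkey on the HARDWARE hive, hashdump, lsadump) all take hive offsets copied by hand from hivelist output. The script below is an added example for this write-up, not code from the talk or from the Volatility project: it parses a hivelist listing, picks out the SYSTEM, SAM, SECURITY and HARDWARE hives, and builds the command lines with the offsets filled in. The hivelist text is constructed; its column layout is what Volatility 2.x prints for a Windows 7 image, the addresses are invented. Note that Windows 7 lists the SYSTEM hive as \REGISTRY\MACHINE\SYSTEM while XP lists it under ...\config\system, so both spellings are matched.

```python
"""Turn Volatility 2 `hivelist` output into the hive offsets that printkey,
hashdump and lsadump expect, and build the command lines.

Added example, not code from the talk or from Volatility. The listing
below is constructed: real column layout, invented addresses.
"""
import re

# Constructed sample of: Volatility.exe -f Windows7.raw --profile=Win7SP1x86 hivelist
SAMPLE_HIVELIST = r"""Volatility Foundation Volatility Framework 2.6
Virtual    Physical   Name
---------- ---------- ----
0x8b41c008 0x0841c008 [no name]
0x8b42a6c8 0x0842a6c8 \REGISTRY\MACHINE\SYSTEM
0x8b45e9d0 0x0845e9d0 \REGISTRY\MACHINE\HARDWARE
0x8bf9c008 0x27f9c008 \SystemRoot\System32\Config\SECURITY
0x8fa51008 0x2fa51008 \SystemRoot\System32\Config\SOFTWARE
0x8fb0f9d0 0x2fb0f9d0 \SystemRoot\System32\Config\SAM
0x9a7f2008 0x3a7f2008 \??\C:\Users\john\ntuser.dat
0x9a8c59d0 0x3a8c59d0 \??\C:\Users\john\AppData\Local\Microsoft\Windows\UsrClass.dat
"""

# One address line: virtual, physical, hive path (may contain spaces).
HIVE_LINE = re.compile(r"^(0x[0-9a-f]+)\s+(0x[0-9a-f]+)\s+(.+?)\s*$", re.I)

# How each hive is named in hivelist. Win7 shows SYSTEM as \REGISTRY\MACHINE\SYSTEM,
# XP as ...\config\system; HARDWARE is volatile and only ever has the \REGISTRY name.
HIVE_SUFFIXES = {
    "system":   (r"\registry\machine\system", r"\config\system"),
    "sam":      (r"\config\sam",),
    "security": (r"\config\security",),
    "hardware": (r"\registry\machine\hardware",),
}


def parse_hivelist(text):
    """Return {hive path: virtual address} for every address line of hivelist output."""
    hives = {}
    for line in text.splitlines():
        m = HIVE_LINE.match(line.strip())
        if m:
            hives[m.group(3)] = int(m.group(1), 16)
    return hives


def find_hive(hives, kind):
    """Virtual address of the wanted hive, or None when it is absent or ambiguous
    (two matches, e.g. a second Windows installation on another volume)."""
    hits = [addr for path, addr in hives.items()
            if path.lower().endswith(HIVE_SUFFIXES[kind])]
    return hits[0] if len(hits) == 1 else None


def build_commands(hives, image, profile, vol="Volatility.exe"):
    """Build the registry commands from the talk with real offsets filled in.
    A command whose hive was not found is left out rather than emitted blank."""
    base = f"{vol} -f {image} --profile={profile}"
    system, sam, security, hardware = (
        find_hive(hives, k) for k in ("system", "sam", "security", "hardware"))
    cmds = {}
    if hardware is not None:
        # DESCRIPTION\System\BIOS exists on Vista and later, not on XP.
        cmds["bios"] = f'{base} printkey -o {hardware:#x} -K "DESCRIPTION\\System\\BIOS"'
    if system is not None and sam is not None:
        cmds["hashdump"] = f"{base} hashdump -y {system:#x} -s {sam:#x}"
    if system is not None and security is not None:
        cmds["lsadump"] = f"{base} lsadump -y {system:#x} -s {security:#x}"
    return cmds


if __name__ == "__main__":
    found = parse_hivelist(SAMPLE_HIVELIST)
    for name, cmd in build_commands(found, "Windows7.raw", "Win7SP1x86").items():
        print(f"{name:9} {cmd}")
```

Pipe real output in with `Volatility.exe -f image.raw --profile=... hivelist > hives.txt` and feed the file to parse_hivelist; the ambiguity check in find_hive is deliberate, since silently picking the first of two SYSTEM hives would dump hashes for the wrong installation.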
Shellbags Analysis -
In simple terms, whenever a user opens, resizes or closes a folder window in Windows Explorer, that activity is recorded in the shellbag keys. The entries survive after the folder is gone, so a deleted directory, a removable drive or a network share can still be shown to have been browsed, with the key's last-write time as the timestamp.
This is one of the most important parts of any investigation.
In other words, Microsoft Windows uses a set of registry keys known as "shellbags" to maintain the size, view, icon and position of a folder when using Explorer. On XP they live in NTUSER.DAT under Software\Microsoft\Windows\Shell and ShellNoRoam (BagMRU and Bags); from Vista on most of them are in UsrClass.dat under Local Settings\Software\Microsoft\Windows\Shell.
Command :: Volatility.exe -f WinXP.raw --profile=WinXPSP2x86 shellbags
Userassist Analysis -
Userassist provides a lot of information about user activity: which programs the user launched through the Explorer GUI (double-click, shortcut, Start menu), how many times, and when each was last run.
Every GUI launch updates a value under NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist. The value names are ROT13-obfuscated paths and the data holds a run count and a last-execution FILETIME (16 bytes on XP, 72 bytes on Windows 7 with focus count and focus time added). The Volatility userassist plugin decodes both.
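As an added example for this write-up (not code from the talk or from Volatility), the parser below does what the userassist plugin does for each value: decode the ROT13 name and unpack the session id, run count and last-run FILETIME from the data, handling both the 16-byte XP layout and the 72-byte Windows 7 layout. The two registry values are constructed: the names are built from a System32 known-folder GUID and an XP-style UEME_RUNPATH entry, the counts and timestamps are invented. The XP counter is stored starting at 5, so the parser subtracts 5, which is the adjustment Volatility's plugin applies.

```python
"""Decode UserAssist registry values: ROT13 the name, unpack count and FILETIME.

Added example, not code from the talk or from Volatility. SAMPLE_VALUES is
constructed test data.
"""
import codecs
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime; 0 means never."""
    if ft == 0:
        return None
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime, used here only to build sample data."""
    delta = dt - EPOCH_1601
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def decode_name(name):
    """UserAssist value names are ROT13-obfuscated, not encrypted."""
    return codecs.decode(name, "rot_13")


def parse_userassist(data):
    """Parse one UserAssist value into a dict.

    XP/2003: 16 bytes = session id, count, FILETIME; count is stored as 5 + runs.
    Windows 7: 72 bytes = session id, run count, focus count, focus time (ms),
    ten floats and 4 unused bytes, FILETIME at offset 60, 4 trailing bytes.
    """
    if len(data) == 16:
        session, count, ft = struct.unpack("<IIQ", data)
        return {"format": "xp", "session": session,
                "count": count - 5 if count > 5 else count,
                "focus_count": None, "focus_ms": None,
                "last_run": filetime_to_datetime(ft)}
    if len(data) == 72:
        session, count, focus_count, focus_ms = struct.unpack_from("<IIII", data, 0)
        (ft,) = struct.unpack_from("<Q", data, 60)
        return {"format": "win7", "session": session, "count": count,
                "focus_count": focus_count, "focus_ms": focus_ms,
                "last_run": filetime_to_datetime(ft)}
    raise ValueError(f"unexpected UserAssist value length {len(data)}")


def make_value_win7(count, focus_count, focus_ms, last_run):
    """Build a 72-byte Windows 7 value (constructed test data)."""
    return (struct.pack("<IIII", 0, count, focus_count, focus_ms)
            + b"\x00" * 44
            + struct.pack("<Q", datetime_to_filetime(last_run))
            + b"\x00" * 4)


def make_value_xp(count, last_run):
    """Build a 16-byte XP value; the stored counter is runs + 5 (constructed test data)."""
    return struct.pack("<IIQ", 0, count + 5, datetime_to_filetime(last_run))


# Constructed: ROT13 of "{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\cmd.exe" (Win7 style,
# GUID = System32 known folder) and of "UEME_RUNPATH:C:\Tools\DumpIt.exe" (XP style).
SAMPLE_VALUES = {
    r"{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\pzq.rkr":
        make_value_win7(7, 3, 12345, datetime(2015, 5, 20, 10, 30, tzinfo=timezone.utc)),
    r"HRZR_EHACNGU:P:\Gbbyf\QhzcVg.rkr":
        make_value_xp(2, datetime(2015, 5, 19, 8, 0, tzinfo=timezone.utc)),
}


def report(values):
    """Decode every (name, data) pair; newest last-run first."""
    rows = []
    for name, data in values.items():
        entry = parse_userassist(data)
        entry["name"] = decode_name(name)
        rows.append(entry)
    rows.sort(key=lambda e: e["last_run"] or EPOCH_1601, reverse=True)
    return rows


if __name__ == "__main__":
    for e in report(SAMPLE_VALUES):
        print(f'{e["last_run"]:%Y-%m-%d %H:%M:%S} runs={e["count"]:<3} '
              f'[{e["format"]}] {e["name"]}')
```

The 72-byte layout is the reason a Windows 7 image gives focus counts and focus time as well as run counts; a value of any other length (Windows 8 and later add further formats) is rejected rather than misread, which is the failure mode to watch for when a new OS build shows up.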
Shimcache Analysis -
Shimcache (the Application Compatibility Cache, stored under SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache) records executables that the application compatibility infrastructure has examined: the full path, the file's last-modified time and, on XP, the file size and a last-update time. When a file is executed through the Windows CreateProcess path it is logged in Shimcache, which makes it good evidence for programs that have since been deleted. The Volatility plugin is shimcache.
Caveat: on Windows 7 and later an entry is also added when Explorer merely lists the file, so an entry proves the file was present, not that it ran, unless the entry's executed flag is set. The cache is written back to the registry hive at shutdown, so the in-memory copy can be newer than the hive on disk.
Example.. Windows7 Shimcache
Thank You !!