Although most data present in registry transaction logs is not particularly valuable for intrusion investigations, there are some cases where the data can prove useful. In particular, we found that scheduled task creation and deletion use registry transactions. By parsing registry transaction logs we were able to find evidence of attacker created scheduled tasks on live systems. Although the new log format contains more recoverable information, turning a set of registry pages into useful data is quite tricky.
Through experimentation we discovered that existing registry tools were able to perform better validation resulting in fewer false positives. However, we also identified many cases where existing tools made incorrect deleted value associations and output invalid data. This likely occurs when cells are reused multiple times resulting in references that could appear valid if not carefully scrutinized. We also compared program output to popular registry forensic tools. Although our program produced much of the same output, it was evident that existing registry forensic tools were able to recover more data.
Enumerate unallocated values and attempt to find referenced data cells. Enumerate unallocated keys and attempt to define referenced class names, security records, and values. Enumerate allocated keys and attempt to find deleted values present in the values list. Also attempt to find old deleted value references in the value list slack space.
The data is displayed as a 32-bit (four-byte) long hexadecimal number. ▪REG_BINARY Stores the value as binary data of 0’s and 1’s but displayed in hexadecimal format. Information about most hardware components is stored as binary data. can be extremely valuable to a forensic examiner, particularly when attempting to establish a timeline of system and/or user activity.
Types Of Information In The Registry
- To do that, double-click on the value and enter the “Value Data” as required.
- Once the new value is created and renamed, you need to enter the value data.
- Understanding the structure of the Registry is the first step in the analysis of this important Windows artifact.
- BlackLight simplifies the Registry view showing exactly from where the data is parsed.
The registry can provide a wealth of data for a forensic investigator. With numerous sources of deleted and historical data, a more complete picture of attacker activity can be assembled during an investigation. As attackers continue to gain sophistication and improve their tradecraft, investigators will have to adapt to discover and defend against them. One strategy to handle the large number of snapshots is to build a structure representing the cells of the registry hive, then repeat the process for each snapshot. Anything not in the previous structure can be considered deleted and logged appropriately.
In particular, existing tools were able to recover deleted elements from slack space of allocated cells that had not yet been overwritten. Because the scheduled task was written to the registry using transacted registry operations, a copy of the data is available in the transactional registry transaction log. The data can remain in the log well after the scheduled task has been removed from the system. Information about the scheduled task is stored to the registry. The task scheduler has been observed using transactional registry operations on Windows Vista through Windows 8.1; the task scheduler on Windows 10 does not exhibit this behavior.
Understanding Registry Entries
First, it requires keeping track of all pages in the registry and determining what might have changed in a particular write. It also requires determining if here that change resulted in something that is not present in later revisions of the hive to assess whether or not it contains unique data. It is replaced by applications or services when they use this data. This value usually contains the file path associated with the application or service. ▪REG_DWORD Represents the data as a four-byte number and is commonly used for Boolean values—for instance, 0 is disabled and 1 is enabled.