Tuesday, April 01, 2008

More Registry Analysis...

I think that in discussing Registry analysis, one of the shortcomings we're facing is the translation to the analyst of why something like this is (or can be) important, and how it can be used to benefit the analyst, as well as support an examination. After all, I think that most folks understand, perhaps somewhat intuitively, the usefulness of files within the active file system (as well as file metadata, such as MAC times), log file entries, etc. Where Registry analysis is falling short (from an adoption perspective) is (a) a solid understanding by the analyst of how this can benefit an exam, and (b) easy, intuitive tools for conducting Registry analysis.

Well, I think we've covered (b) pretty well...or, at the very least, started addressing it.

A short, Reader's Digest version of (a) is that the Registry holds a great deal of configuration information about the system, as well as information specific to the user's activities on the system. Much of this information is timestamped, as well (Note: recent experience shows that Win98/ME Registry keys do not enjoy the privilege of a LastWrite time...), making the Registry extremely useful and akin to a log file.

Now, Registry analysis will not benefit every exam, of course...each exam has it's own unique twists, and if you're a consultant, requirements. However, a great deal of Registry analysis is straightforward, simple, and easily accomplished...and in some cases can greatly benefit your exam. For example, consider this blog post by SynJunkie...a while back, I'd figured out that some AV vendors we're maybe passing some spurious info in their malware write-ups, and decided to look into the MUICache key. In the absence of any credible documentation from the vendor, some folks have found something very useful about this key.

Traditional file system-based computer forensic analysis may show the analyst that an image or movie is or was on a system...Registry analysis will show you who viewed it, and possibly even when. In the past, I've used Registry analysis to show that one employee was connecting to another employee's system and grabbing copies of her Trillian logs, and reading all of her conversations...I was even able to demonstrate that he'd viewed some of her log files and then deleted them, as well as the most recent time that he'd read one of those log files.

3 comments:

Unknown said...

It sounds to me like Registry Analysis is a great way to help take evidence and put it into context. That context becomes particularly important on computers with multiple users. Another thing to consider is the value of corroboration. We know that file system data like MAC times or file owner can be altered, so hopefully we can use Registry Analysis as a way to corroborate the information that we gather elsewhere. It just seems like an important part of being thorough.

Unknown said...

One other thing...in the Pimp my Registry Analysis post comments you talked about putting something up on Sourceforge. I was wondering if this project is on Sourceforge and if you're letting people take a look at it yet.

H. Carvey said...

Kevin,

Great comments on Registry analysis...definitely important things to keep in mind.

WRT making the tool available, I've found that posting it on public sites such as the Win4n6 Yahoo Group or SourceForge lets folks grab the software, but doesn't get me any feedback or input. In many cases, I think people are downloading it and never using it. I've been more inclined to send a copy to interested folks...that way I can follow up and pester folks for input... ;-)