https://protonts.wordpress.com/2015/05/01/registry-forensics-some-interesting-registry-entries/

Often during the forensic examination of a system it is necessary to verify, extract or preserve information from the Microsoft Windows registry. The registry, as we all know, is a key component of Microsoft operating systems: practically every display setting, action and other piece of behaviour is driven by registry keys, because they hold the configuration of the operating system.

It is thus important to know some of the interesting registry keys that help in profiling a system and in searching for artifacts.

First, to start: the registry is nothing more than a set of files (hives) that reside on the hard disk at the following locations:

HKEY_LOCAL_MACHINE\SYSTEM: C:\Windows\system32\config\system

HKEY_LOCAL_MACHINE\SAM: C:\Windows\system32\config\sam

HKEY_LOCAL_MACHINE\SECURITY: C:\Windows\system32\config\security

HKEY_LOCAL_MACHINE\SOFTWARE: C:\Windows\system32\config\software

HKEY_USERS\.DEFAULT: C:\Windows\system32\config\default

HKEY_USERS\<SID of the user> (HKEY_CURRENT_USER for the logged-on user): C:\Users\<UserName>\NTUSER.DAT

The location of these hives may differ on other systems, but you can check where each hive is loaded from in the hive list under the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\hivelist

Now that we have identified the location of our registry files, it is time to look at some key locations that are of interest to us:

Most Recently Used (MRU) List:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Doc Find Spec MRU

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FindComputerMRU

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\PrnPortsMRU

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\StreamMRU

Where: Doc Find Spec MRU = MRU for the Find Files command; FindComputerMRU = MRU for the Find Computer command; PrnPortsMRU = MRU for printer ports; and RunMRU = MRU for the Run command.
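These MRU keys do not store their entries in order of use: each entry sits in a lettered value ("a", "b", "c", ...) and a separate REG_SZ value named MRUList holds the letters from most recently used to least recently used, while RunMRU additionally appends a "\1" marker to every command. Because the keys live under HKEY_CURRENT_USER they come from the NTUSER.DAT of each user profile, so on a dead-disk examination every user's hive must be checked separately. The following script is an added example (not code from the original post) that reconstructs the order from a dictionary of exported values; the sample RunMRU contents are constructed for illustration, and the optional live reader uses the standard winreg module and therefore only runs on Windows.

```python
"""Reconstruct the ordering of an Explorer MRU list (added example).

Assumes the classic string-based MRU layout used by RunMRU: one REG_SZ value
per entry, named with a single letter, plus a REG_SZ value "MRUList" whose
characters list the entries from most recently used to least recently used.
RunMRU entries carry a trailing "\\1" marker, which is stripped.
"""
from typing import Dict, List, Tuple

# Constructed sample of what an export of ...\Explorer\RunMRU might contain.
# Not taken from any real system.
SAMPLE_RUNMRU: Dict[str, str] = {
    "MRUList": "cab",
    "a": "notepad\\1",
    "b": "cmd\\1",
    "c": "regedit\\1",
}


def _strip_marker(entry: str) -> str:
    # RunMRU stores "command\1"; the two-character "\1" suffix is a marker, not a path.
    return entry[:-2] if entry.endswith("\\1") else entry


def order_mru(values: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (slot, command) pairs, most recent first.

    Slots named in MRUList come first, in MRUList order. Any slot present in
    the key but absent from MRUList (a stale entry left behind by a partial
    clean-up) is appended afterwards so that nothing is silently dropped.
    """
    order = values.get("MRUList", "")
    seen = set()
    result: List[Tuple[str, str]] = []
    for slot in order:
        if slot in values and slot != "MRUList" and slot not in seen:
            seen.add(slot)
            result.append((slot, _strip_marker(values[slot])))
    for slot in sorted(values):
        if slot != "MRUList" and slot not in seen:
            seen.add(slot)
            result.append((slot, _strip_marker(values[slot])))
    return result


def most_recent_commands(values: Dict[str, str]) -> List[str]:
    """Just the commands, most recent first."""
    return [cmd for _, cmd in order_mru(values)]


def read_runmru_live() -> Dict[str, str]:
    """Read the logged-on user's RunMRU on a live Windows host (winreg exists only there)."""
    import winreg  # standard library module, Windows only
    path = r"Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"
    values: Dict[str, str] = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, path) as key:
        index = 0
        while True:
            try:
                name, data, _kind = winreg.EnumValue(key, index)
            except OSError:  # raised once no more values remain
                break
            values[name] = data
            index += 1
    return values


if __name__ == "__main__":
    for slot, command in order_mru(SAMPLE_RUNMRU):
        print(f"{slot}: {command}")
```

Running the sample gives regedit, notepad, cmd in that order, i.e. the order in which the user last typed them into the Run dialog; an entry that exists but is missing from MRUList is still reported, at the end, so a partially cleared list does not hide evidence.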

Run Programs on Logon:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Banner Shown During Interactive System Logon:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText

System Hostname:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName

Last System Shutdown Time:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Windows\ShutdownTime

The date and time in the above value can be decoded using “DCODE”, which can be obtained from http://www.digital-detective.net/digital-forensic-software/free-tools/
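ShutdownTime is a REG_BINARY value of 8 bytes holding a little-endian Windows FILETIME, the number of 100-nanosecond intervals since 1601-01-01 00:00:00 UTC, so it can also be decoded in a few lines without an external tool. The following is an added example (not from the original post or from DCODE): the sample value is constructed to represent 2015-05-01 00:00:00 UTC, and the optional live reader uses the standard winreg module, which exists only on Windows.

```python
"""Decode the ShutdownTime FILETIME value (added example).

The value is 8 bytes, little-endian, counting 100 ns ticks since
1601-01-01 00:00:00 UTC. A zero value means the field was never written.
"""
from datetime import datetime, timedelta, timezone
from typing import Optional

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Constructed sample: 2015-05-01 00:00:00 UTC expressed as a FILETIME.
SAMPLE_SHUTDOWN_TIME = (130749120000000000).to_bytes(8, "little")


def filetime_to_datetime(raw: bytes) -> Optional[datetime]:
    """Convert the raw registry bytes to a timezone-aware UTC datetime."""
    if len(raw) != 8:
        raise ValueError(f"ShutdownTime should be 8 bytes, got {len(raw)}")
    ticks = int.from_bytes(raw, "little")
    if ticks == 0:
        return None
    # datetime has microsecond resolution; a FILETIME tick is 100 ns, so divide by 10.
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt: datetime) -> bytes:
    """Inverse conversion, handy for checking a decoded value against an expected time."""
    delta = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    ticks = (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10
    return ticks.to_bytes(8, "little")


def read_shutdown_time_live() -> Optional[datetime]:
    """Read and decode the value on a live Windows host (same key as above)."""
    import winreg  # standard library module, Windows only
    path = r"SYSTEM\ControlSet001\Control\Windows"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
        raw, kind = winreg.QueryValueEx(key, "ShutdownTime")
    if kind != winreg.REG_BINARY:
        raise ValueError(f"unexpected value type {kind} for ShutdownTime")
    return filetime_to_datetime(raw)


if __name__ == "__main__":
    print(filetime_to_datetime(SAMPLE_SHUTDOWN_TIME).isoformat())
```

The decoded time is in UTC; convert it to the machine's local zone (the TimeZoneInformation key under the SYSTEM hive) before comparing it with local-time sources such as application logs, otherwise the shutdown will appear to be off by the UTC offset.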