Windows Registry Forensics: Advanced Digital Forensic Analysis of the Windows Registry Front Cover

Windows Registry Forensics: Advanced Digital Forensic Analysis of the Windows Registry

  • Length: 248 pages
  • Edition: 1
  • Publisher:
  • Publication Date: 2011-02-07
  • ISBN-10: 1597495808
  • ISBN-13: 9781597495806
  • Sales Rank: #1550960 (See Top 100 Books)
Description

Harlan Carvey brings readers an advanced book on Windows Registry. The first book of its kind EVER — Windows Registry Forensics provides the background of the Registry to help develop an understanding of the binary structure of Registry hive files. Approaches to live response and analysis are included, and tools and techniques for postmortem analysis are discussed at length. Tools and techniques will be presented that take the analyst beyond the current use of viewers and into real analysis of data contained in the Registry.

  • Packed with real-world examples using freely available open source tools
  • Deep explanation and understanding of the Windows Registry – the most difficult part of Windows to analyze forensically
  • Includes a CD containing code and author-created tools discussed in the book

Harlan Carvey brings readers an advanced book on Windows Registry. The first book of its kind EVER —Windows Registry Forensics provides the background of the Registry to help develop an understanding of the binary structure of Registry hive files. Approaches to live response and analysis are included, and tools and techniques for postmortem analysis are discussed at length. Tools and techniques will be presented that take the analyst beyond the current use of viewers and into real analysis of data contained in the Registry.

  • Packed with real-world examples using freely available open source tools
  • Deep explanation and understanding of the Windows Registry–the most difficult part of Windows to analyze forensically
  • Includes a CD containing code and author-created tools discussed in the book

An Interview with Harlan Carvey, Author of Windows Registry Forensics: Advanced Digital Forensic Analysis of the Windows Registry

Why do you feel a book on the Windows Registry is needed?

The Windows Registry is perhaps one of the least understood sources of digital evidence on a Windows system. Unfortunately, bad guys have used specific locations in the Registry to remain persistent on systems a lot longer than many analysts actually realize. I think that what most analysts don’t realize is that the Registry is an excellent source of both direct and indirect artifacts.

Don Weber, a friend and fellow IBM alum who’s now with InGuardians, was on an engagement where he found that the bad guys were actually storing executable files in binary Registry values. His find makes me wonder how many times this has occurred but not been “seen” because no one was looking.

Intrusions aside, I’ve also dug into the Registry to perform malware detection. As sometimes happens, malware files will change and avoid detection, but as with malware such as Conficker, some Registry artifacts remained relatively stable across the family. The same has been true for the examinations I’ve performed that involved Zeus, or Z-bot. Understanding this has allowed me and others to determine that malware was on a system, when multiple AV scans were negative.

Finally, the Registry contains a wealth of time stamped data, that when taken in context, can be extremely valuable to an analyst.

Why do you think so many analysts overlook the Windows Registry as a source of data?

For the most part, I think that most analysts really aren’t familiar with the Windows Registry as a source of data. From a purely binary perspective, all the way up to an application-level perspective, I think that most analysts simply aren’t familiar with what is and isn’t in the Registry, and how the Registry can be used to further a wide range of analysis.

Many times, however, when some analysts have become familiar with the Registry as a source of evidence, the pendulum swings too far in the other direction. I’ve seen and received questions along the lines of “where are file copy operations recorded in the Registry?”

As the Windows operating systems become even more sophisticated, analysts who are not actively investigating the Registry now will become completely overwhelmed in very short order.

What is your most memorable experience working in digital forensics?

There’ve been several, and all of them have been like turning a corner and suddenly being face-to-face with someone really famous. Sometimes it’s finding that one artifact that ties everything together, while other times it’s been discovering a whole series of artifacts that are essentially a storyboard or script for what the intruder did while on the system. Sometimes you get lucky and find a log file of what the bad guy did . . . sort of a “/.bash-history” file, but on Windows. Other times, you end up constructing a timeline of systems activity from multiple data sources both on and off a system, and when you look at your results, you have what amounts to that storyboard.

Across the board, however, I think that most memorable experiences have come from taking a step back, developing a “new” analysis methodology, and then having that methodology succeed in some pretty amazing and spectacular ways.

Table of Contents

Chapter 1 Registry Analysis
Chapter 2 Tools
Chapter 3 Case Studies: The System
Chapter 4 Case Studies: Tracking User Activity

To access the link, solve the captcha.