Windows Registry Forensics (WRF) with Volatility Framework
Speaker :: Kapil Soni (2013)


DESCRIPTION

Windows Registry Forensics is the most important part of memory forensics investigations. With the help of Windows Registry Forensics we can reconstruct user activity and find evidence more easily. Windows Registry Forensics (WRF) is also one of the most important parts of malware analysis, because the changes malware makes to Windows are reflected in the registry. If an attacker made changes on a Windows system, the traces of opening, deleting or modifying a folder or file, and of executing a file such as an .exe, are all stored in the Windows registry, and they help the investigator catch the cyber criminal.


Page 1: Windows Registry Forensics with Volatility Framework

Windows Registry Forensics

Windows Registry Forensics (WRF) with Volatility Framework

Speaker :: Kapil Soni (2013)

Page 2: Windows Registry Forensics with Volatility Framework

Content ::

› Small Introduction of tools
  › DumpIt
  › Volatility Framework
› Image Info, Process Analysis, Services Analysis
› Hive Info, Printkey
› Hardware Analysis
› Hash Dumping and LSA Secrets Dump
› Shellbags Analysis
› Userassist Analysis & Shimcache

Page 3: Windows Registry Forensics with Volatility Framework

Registry Management and Basics

Page 4: Windows Registry Forensics with Volatility Framework

DumpIt & Volatility Framework -

DumpIt is a utility for Windows. DumpIt dumps physical memory and creates a .raw dump file.

Volatility Framework is an advanced and powerful memory analysis and forensics framework.
› Platforms supported - Windows, Linux, Mac.

Page 5: Windows Registry Forensics with Volatility Framework

Image Info, Process Analysis, Services Analysis – Short Desc.

Image Info – In this section we find out the important details about the dumped memory file.

Process Analysis – Process analysis is the most important part of memory analysis and of malicious-activity analysis.

Services Analysis – Service analysis is another important part of forensic investigations.

Page 6: Windows Registry Forensics with Volatility Framework


Page 7: Windows Registry Forensics with Volatility Framework


Page 8: Windows Registry Forensics with Volatility Framework


Page 9: Windows Registry Forensics with Volatility Framework

Hive Info & PrintKey

Hivelist ::

PrintKey ::

Page 10: Windows Registry Forensics with Volatility Framework

Hardware Identification -

Some registry keys and subkeys contain hardware information, and they can be read from the memory image.

Registry analysis is a good way to gather information about the BIOS, the hardware, and other internal and external devices.

Command :: Volatility.exe -f Windows7.raw --profile=Win7SP1x86 printkey -o HKLM_VirtualAddress -K "DESCRIPTION\System\BIOS"
(HKLM_VirtualAddress is the virtual offset that hivelist reports for the HARDWARE hive, which holds this key.)

Page 11: Windows Registry Forensics with Volatility Framework


Page 12: Windows Registry Forensics with Volatility Framework

Hash Dumping ::

User passwords are stored in the registry in the form of hashes.

Volatility Framework provides a plugin (hashdump) for dumping these hashes from the Windows registry hives in memory.
› Windows Password Hashes

Command :: Volatility.exe -f WinXP.raw --profile=WinXPSP2x86 hashdump -y system_virtual -s sam_virtual

Page 13: Windows Registry Forensics with Volatility Framework


Page 14: Windows Registry Forensics with Volatility Framework

LSA Secret Dump ::

We can dump LSA (Local Security Authority) secrets from the Windows registry.
› LSA secrets are a specially protected storage for important data used by the LSA in Windows, i.e. local security policies, auditing, authentication, logging users on to the system, and storing private data.
› Users' and the system's sensitive data is stored in these secrets.

Command :: Volatility.exe -f WinXP.raw --profile=WinXPSP2x86 lsadump -y system_offset -s security_offset
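The printkey, hashdump and lsadump commands on the previous slides all take hive offsets (the HKLM_VirtualAddress, system_virtual/sam_virtual and system_offset/security_offset placeholders), and those offsets come from the hivelist plugin introduced on page 9. The helper below is an added example, not code from the slides or from the Volatility project: it parses hivelist output (a constructed sample is embedded; its offsets and paths are made up) and fills the placeholders in, refusing to build a command when a hive the plugin depends on is missing. It assumes the Volatility 2 hivelist column layout (Virtual, Physical, Name) and the -y/-s option names shown on the slides; the function names are this example's own.

```python
"""Added example: turn Volatility 2 'hivelist' output into the offset-bearing
printkey / hashdump / lsadump commands shown on the slides."""
import re

# Constructed sample of hivelist output; offsets and paths are made up for the demo.
SAMPLE_HIVELIST = """\
Volatility Foundation Volatility Framework 2.6
Virtual    Physical   Name
---------- ---------- ----
0xe1035b60 0x02ac3b60 \\Device\\HarddiskVolume1\\WINDOWS\\system32\\config\\system
0xe1019b28 0x0238cb28 [no name]
0xe1a3e008 0x02a96008 \\Device\\HarddiskVolume1\\WINDOWS\\system32\\config\\SAM
0xe13ae768 0x02c0b768 \\Device\\HarddiskVolume1\\WINDOWS\\system32\\config\\SECURITY
0xe13bc008 0x02b56008 \\Device\\HarddiskVolume1\\WINDOWS\\system32\\config\\software
0xe1a3e1e0 0x02b9a1e0 \\REGISTRY\\MACHINE\\HARDWARE
0xe1b44b60 0x0234fb60 \\Device\\HarddiskVolume1\\Documents and Settings\\analyst\\NTUSER.DAT
"""

# One hivelist data row: virtual offset, physical offset (or '-'), hive name.
LINE_RE = re.compile(r"^(0x[0-9a-fA-F]+)\s+(0x[0-9a-fA-F]+|-)\s+(.+?)\s*$")


def parse_hivelist(text):
    """Return (virtual_offset, physical_offset, name) tuples from hivelist output."""
    hives = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            hives.append((int(m.group(1), 16), m.group(2), m.group(3)))
    return hives


def find_hive(hives, suffix):
    """Virtual offset of the first named hive whose path ends with `suffix`
    (case-insensitive), or None. '[no name]' hives never match."""
    for virt, _phys, name in hives:
        if name != "[no name]" and name.lower().endswith(suffix.lower()):
            return virt
    return None


def build_commands(text, image="WinXP.raw", profile="WinXPSP2x86", exe="Volatility.exe"):
    """Build the three slide commands with real offsets substituted.
    Raises KeyError if a hive a plugin depends on is not in the listing."""
    hives = parse_hivelist(text)
    needed = {
        "system":   find_hive(hives, "\\config\\system"),    # hashdump/lsadump -y
        "sam":      find_hive(hives, "\\config\\SAM"),       # hashdump -s
        "security": find_hive(hives, "\\config\\SECURITY"),  # lsadump -s
        "hardware": find_hive(hives, "\\MACHINE\\HARDWARE"), # printkey -o (BIOS key)
    }
    missing = [k for k, v in needed.items() if v is None]
    if missing:
        raise KeyError("hives not found in hivelist output: " + ", ".join(missing))
    base = f"{exe} -f {image} --profile={profile}"
    return {
        "bios": f'{base} printkey -o {needed["hardware"]:#x} -K "DESCRIPTION\\System\\BIOS"',
        "hashdump": f"{base} hashdump -y {needed['system']:#x} -s {needed['sam']:#x}",
        "lsadump": f"{base} lsadump -y {needed['system']:#x} -s {needed['security']:#x}",
    }


if __name__ == "__main__":
    for name, cmd in build_commands(SAMPLE_HIVELIST).items():
        print(f"{name:9} {cmd}")
```

Run it with the output of your own hivelist pasted into SAMPLE_HIVELIST (or read from a file) and the printed lines are the exact commands to execute next; the KeyError is deliberate, because guessing an offset for a hive that is not in memory only produces garbage from hashdump and lsadump.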

Page 15: Windows Registry Forensics with Volatility Framework


Page 16: Windows Registry Forensics with Volatility Framework

Shellbags Analysis -

In simple terms, whenever you open or close a folder in Windows, that activity is recorded in the shellbag keys.

This is one of the most important parts of any investigation or forensic examination.

In other words, Microsoft Windows uses a set of registry keys known as "shellbags" to maintain the size, view, icon and position of a folder when it is viewed in Explorer.

Command :: Volatility.exe -f WinXP.raw --profile=WinXPSP2x86 shellbags

Page 17: Windows Registry Forensics with Volatility Framework


Page 18: Windows Registry Forensics with Volatility Framework

Userassist Analysis -

UserAssist keys provide a lot of information about user activity.

When a user updates or modifies a file, these changes are also recorded in the registry.
› Example..
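To make the UserAssist slide concrete, here is an added example (not part of the slides and not Volatility's own code) that decodes one Windows 7 UserAssist value the way an analyst reads the key by hand: the value name is ROT13-encoded, and the 72-byte value data carries the session id, run count, focus count, focus time and the last-run FILETIME at offset 60 (Windows XP uses a shorter 16-byte layout that this example does not handle). The value name and data are constructed for the demo, and the helper names are this example's own.

```python
"""Added example: decode a Windows 7 UserAssist value by hand."""
import codecs
import struct
from datetime import datetime, timedelta, timezone

# HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count
# holds one value per program: the value NAME is ROT13, the DATA is 72 bytes on Win7.
WIN7_ENTRY_SIZE = 72
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """64-bit FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime; 0 -> None."""
    if ft == 0:
        return None
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime, done in integers to avoid float rounding."""
    td = dt - EPOCH_1601
    return (td.days * 86400 + td.seconds) * 10_000_000 + td.microseconds * 10


def parse_win7_userassist(name, data):
    """Decode one value: ROT13 name plus the fixed 72-byte Win7 data layout.
    Offsets: 0 session id, 4 run count, 8 focus count, 12 focus time (ms),
    16..55 ten floats (ignored here), 60 last-run FILETIME."""
    if len(data) != WIN7_ENTRY_SIZE:
        raise ValueError(f"expected {WIN7_ENTRY_SIZE} bytes of data, got {len(data)}")
    session, run_count, focus_count, focus_ms = struct.unpack_from("<IIII", data, 0)
    (last_run_ft,) = struct.unpack_from("<Q", data, 60)
    return {
        "path": codecs.decode(name, "rot_13"),
        "session": session,
        "run_count": run_count,      # stored as-is on Win7 (the XP format adds 5)
        "focus_count": focus_count,
        "focus_time": timedelta(milliseconds=focus_ms),
        "last_run": filetime_to_datetime(last_run_ft),
    }


def make_win7_value(run_count, focus_count, focus_ms, last_run):
    """Construct a 72-byte Win7 UserAssist blob (demo input only, not a real artifact)."""
    buf = bytearray(WIN7_ENTRY_SIZE)
    struct.pack_into("<IIII", buf, 0, 0, run_count, focus_count, focus_ms)
    struct.pack_into("<Q", buf, 60, datetime_to_filetime(last_run))
    return bytes(buf)


# Constructed sample: ROT13 of C:\Windows\System32\notepad.exe and a made-up blob.
SAMPLE_NAME = "P:\\Jvaqbjf\\Flfgrz32\\abgrcnq.rkr"
SAMPLE_DATA = make_win7_value(7, 3, 45_000, datetime(2013, 6, 1, 10, 30, tzinfo=timezone.utc))


def timeline_line(name, data):
    """One human-readable line per value, the way a report would list it."""
    e = parse_win7_userassist(name, data)
    when = e["last_run"].isoformat() if e["last_run"] else "never"
    return f'{when}  runs={e["run_count"]}  focus={e["focus_time"]}  {e["path"]}'


if __name__ == "__main__":
    print(timeline_line(SAMPLE_NAME, SAMPLE_DATA))
```

A zero FILETIME is reported as "never" rather than as 1601-01-01, which is the usual mistake when these values are converted mechanically; the length check matters because a 16-byte XP-style value fed to the Win7 parser would silently produce nonsense counts.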

Page 19: Windows Registry Forensics with Volatility Framework


Page 20: Windows Registry Forensics with Volatility Framework

Shimcache Analysis -

Shimcache records the .exe files that have been executed on Windows. If a file is executed through the Windows "CreateProcess" call, it will be logged in Shimcache.
› Example.. Windows 7 Shimcache
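As an added example for the Windows 7 Shimcache slide (not code from the slides or from Volatility), the parser below reads the 32-bit Windows 7 AppCompatCache layout: a 128-byte header that starts with the 0xBADC0FEE signature and an entry count, followed by 32-byte entries pointing at UTF-16LE paths. The sample blob is constructed by a builder in the same block, so nothing here is a real cache. Two caveats an investigator should keep in mind are built into the output: the timestamp stored per entry is the file's last-modified time, not the time it ran, and the 0x2 insert flag marks the entries that were actually executed. The helper names are this example's own.

```python
"""Added example: parse the Windows 7 (x86) AppCompatCache ("Shimcache") value."""
import struct
from datetime import datetime, timedelta, timezone

# The raw value lives in the SYSTEM hive at
# ControlSet00X\Control\Session Manager\AppCompatCache, value name AppCompatCache.
WIN7_MAGIC = 0xBADC0FEE                       # header signature on Win7 / 2008 R2
WIN7_HEADER_SIZE = 0x80                       # entries begin after a 128-byte header
WIN7_X86_ENTRY = struct.Struct("<HHIQIIII")   # 32-byte entry on 32-bit Windows 7
EXECUTED_FLAG = 0x2                           # insert-flag bit set for executed files
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    return None if ft == 0 else EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    td = dt - EPOCH_1601
    return (td.days * 86400 + td.seconds) * 10_000_000 + td.microseconds * 10


def parse_win7_x86_shimcache(blob):
    """Return a list of dicts (path, last_modified, executed) from the raw value."""
    magic, num_entries = struct.unpack_from("<II", blob, 0)
    if magic != WIN7_MAGIC:
        raise ValueError(f"not a Windows 7 AppCompatCache header: {magic:#x}")
    entries = []
    for i in range(num_entries):
        off = WIN7_HEADER_SIZE + i * WIN7_X86_ENTRY.size
        (length, _max_len, path_off, last_mod_ft,
         insert_flags, _shim_flags, _blob_size, _blob_off) = WIN7_X86_ENTRY.unpack_from(blob, off)
        entries.append({
            "path": blob[path_off:path_off + length].decode("utf-16-le"),
            "last_modified": filetime_to_datetime(last_mod_ft),  # file mtime, NOT run time
            "executed": bool(insert_flags & EXECUTED_FLAG),
        })
    return entries


def executed_paths(entries):
    """Only the entries an investigator would put on an execution timeline."""
    return [e["path"] for e in entries if e["executed"]]


def build_win7_x86_shimcache(records):
    """Construct a blob with the same layout (demo input only, not a real cache)."""
    header = struct.pack("<II", WIN7_MAGIC, len(records)).ljust(WIN7_HEADER_SIZE, b"\0")
    string_base = WIN7_HEADER_SIZE + len(records) * WIN7_X86_ENTRY.size
    entries, strings = bytearray(), bytearray()
    for path, last_mod, executed in records:
        raw = path.encode("utf-16-le")
        entries += WIN7_X86_ENTRY.pack(len(raw), len(raw) + 2, string_base + len(strings),
                                       datetime_to_filetime(last_mod),
                                       EXECUTED_FLAG if executed else 0, 0, 0, 0)
        strings += raw + b"\0\0"
    return header + bytes(entries) + bytes(strings)


# Constructed sample records: paths, times and flags are made up for the demo.
SAMPLE_RECORDS = [
    ("C:\\Windows\\System32\\cmd.exe", datetime(2009, 7, 14, 1, 39, 2, tzinfo=timezone.utc), True),
    ("C:\\Users\\analyst\\Downloads\\invoice.exe", datetime(2013, 5, 20, 8, 15, tzinfo=timezone.utc), True),
    ("C:\\Windows\\System32\\calc.exe", datetime(2009, 7, 14, 1, 39, 2, tzinfo=timezone.utc), False),
]
SAMPLE_BLOB = build_win7_x86_shimcache(SAMPLE_RECORDS)

if __name__ == "__main__":
    for e in parse_win7_x86_shimcache(SAMPLE_BLOB):
        state = "executed" if e["executed"] else "seen    "
        print(e["last_modified"].isoformat(), state, e["path"])
```

The magic check is what keeps this from being run against a Vista, XP or 64-bit cache by mistake; those formats use different signatures and entry sizes, and a parser that does not check would read paths from the wrong offsets.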

Page 21: Windows Registry Forensics with Volatility Framework

Thank You !!