Upload File

registry analysis what is it? what does it contain?

  • Home
  • Documents
  • Registry Analysis What is it? What does it contain?
21
Registry Analysis What is it? What does it contain?

Post on 19-Dec-2015

228 views

Category:

Documents


2 download

Report

Tags:

TRANSCRIPT

Page 1: Registry Analysis What is it? What does it contain?

Registry Analysis

What is it?

What does it contain?

Page 2: Registry Analysis What is it? What does it contain?

Objectives

• Logical and physical structure of the Registry

• Format of Registry files

• Examination of the Registry

• Forensically important keys

• Analyzing Registry information

Page 3: Registry Analysis What is it? What does it contain?

The Registry

• Hierarchal database

• Maintains configuration settings– Applications– Hardware– Devices– Users

Page 4: Registry Analysis What is it? What does it contain?

Registry Access

• Regedit.exe – A “GUI” interface to the Registry

• Native to XP and above

• NT and 2000 has regedit.exe but with limited capablities

Page 5: Registry Analysis What is it? What does it contain?

Physical Structure

• Binary files

• Stored in RAM and hard drive

• Limited data types

Page 6: Registry Analysis What is it? What does it contain?

File Locations

Page 7: Registry Analysis What is it? What does it contain?

Registry Data Types

Series of nested arrays designed to store a list of resources

A list of resources used by a physical HW device

A list of HW resources used by a device driver

Page 8: Registry Analysis What is it? What does it contain?

Logical Structure

• Highest Level• My Computer

• Contains Five Root Hives

• Each Hive consists of• Keys

• Each key has a set of • <Name Type Value> triples

• Subkeys

Page 9: Registry Analysis What is it? What does it contain?

Root Hives

• HKEY_USERS• Contains all the actively loaded user profiles for the

system

• HKEY_CURRENT_USER• Is the active, loaded user profile currently logged on

• HKEY_LOCAL_MACHINE• Contains configuration information for the system

both HW and SW

Page 10: Registry Analysis What is it? What does it contain?

Root Hives (cont’d)

• HKEY_CURRENT_CONFIG• Contains the hardware profile the system uses at

startup

• HKEY_CLASSES_ROOT• Contains configuration information for which apps

open which files

Page 11: Registry Analysis What is it? What does it contain?

Five Root Hives

Page 12: Registry Analysis What is it? What does it contain?

HKEY_USERSUser Profiles

Page 13: Registry Analysis What is it? What does it contain?

HKEY_CURRENT_USERLogged on user profile

Page 14: Registry Analysis What is it? What does it contain?

Current User One of those listed in HKEY_USERS

Page 15: Registry Analysis What is it? What does it contain?

HKEY_LOCAL_MACHINEHW and SW Configs

Page 16: Registry Analysis What is it? What does it contain?

HKEY_CURRENT_CONFIGStartup Profile

Page 17: Registry Analysis What is it? What does it contain?

HKEY_CLASSES_ROOTApplication to File Mapping

This hive is subclassed to HKCU\Software\ClassesHKLM \Software\Classes

Page 18: Registry Analysis What is it? What does it contain?

Registry Cell Types

• Key cell• Key info, offsets to subkeys and LastWrite time

• Value cell• Holds a value/name and its data

• Subkey list cell• Series of subkey offsets

• Value list cell• Series of offsets to value cells

Page 19: Registry Analysis What is it? What does it contain?

Registry StructureKeys Subkeys Values Type Data

Page 20: Registry Analysis What is it? What does it contain?

Raw Registry File

Key Cell

Value Cell

Page 21: Registry Analysis What is it? What does it contain?

Anarchism: What It Is, What It Ain't

“Equilibrium” What does it mean? What word does it look like? What does it mean? What word does it look like?

about &Answers Epidermolysis Questions · proteins called cytokines and new kinds of dressings to heal blister wounds. What Is the Epidermolysis Bullosa Registry and What Does It

COPERTINA ENG RILEGATA6 8 12 20 24 28 contents 8.it Registry Yearbook 2008 3 ... are subject to periodic revisions by the Registry itself and by the Rules Committee. This ... the Registry

OASIS/ebXML Registry Information Model v2.02 Bug … · Registry Registry to Registry

[Kevin’s Attic for Security Research] Windows Registry Artifactsdandylife.net/docs/Windows-Registry-Artifacts.pdf · 2013. 7. 22. · 2 What to Cover Kevin’s Attic for Security

The Built Works Registry and the Infrastructure to Support it James Shulman

Calculus What is it? What good is it? What is it? What good is it?

The Built Works Registry and the Infrastructure to Support it James Shulman

ICANN...Consideration+of+New+gTLD+Registry+Agreement+ What%isthe%Issue?% TheNGPCisbeingaskedtoconsider therevised+New+gTLD Registry+Agreement+that+will+be+entered+into

Registry Information Model - ebXML · 5.3 What the Registry Information Model does The Registry Information Model provides a blueprint or high-level schema for the ebXML Registry

National Sex Offender Public Registry. What is NSOPR NSOPR, National Sex Offender Public Registry uses the Internet to search public sex offender web

THE LAND REGISTRY MALTA · 2017-05-15 · THE LAND REGISTRY The Receiving Office acts as the front desk and customer care office of the Registry. It receives applications for registrations

Honeymoon Registry for Travel Agents What is a Honeymoon Bridal Registry? On our online honeymoon registry, Brides & Grooms list anything they want to

What is it? What is it? (Quiz)

SCIENTOLOGY WHAT IS IT? · SCIENTOLOGY WHAT IS IT? Subject: SCIENTOLOGY WHAT IS IT? Keywords

Top 10 Reasons to Buy Your .tel Domain - Europe Registry · Top 10 Reasons to Buy Your .tel Domain the .tel registry. the .tel registry What is .tel? The .tel allows you to store,

Aging: What causes it? What slows it?

Institutional Controls Registry MapDirect - Internet ... · Institutional Controls Registry MapDirect - Internet Mapping Application An Introduction Wednesday, May 30, 2012 . What

BENEFICIARY REGISTRY - bhfglobal.combhfglobal.com/downloads/conferences/presentations/2017/Wednesday/... · BENEFICIARY REGISTRY What is it? 2 ... Process, 3 –IT Security, 4 –POPI,

Axon Registry Participation Guide · The Axon Registry Participant Update is a monthly email that informs users about Axon Registry-related efforts. It includes announcements, measures,

Cancer Registry Follow-up How we do it

Doing it Platform - Registry of Interpreters for the Deaf

What is it? What causes it? What can we do about it?

What is a Central Cancer Registry? A

How it works domain name registry protocol icann53

WHAT IS NCCER? · 2016-12-12 · The NCCER Registry Confidential Storage Portable Credentials Documentation of training and skills attainment The Automated National Registry Free,

What is it and why is it important?. What is it? What was it based on?

Service Organization Controls 3 Report - Amazon S3...Amazon EC2 Container Registry (ECR) Amazon EC2 Container Registry is a fully-managed Docker container registry that makes it easy

GEPIR What is it? How does it work? Welcome! This is a short introduction to the Global Electronic Party Information Registry – GEPIR for short

Trends – what do the registries tell us? Swedish registry example

The AAAAI Quality Clinical Data Registry: What the office ... Documents... · The AAAAI Quality Clinical Data Registry: What the office staff needs to know . ... AAAAI Quality Clinical

How It Works: Domain Name Registry Protocols - ICANN · PDF filescript or Chinese characters or Japanese Hiragana, ... getting back to the slide, ... How It Works: Domain Name Registry

US Zika Pregnancy Registry; What Pregnant Women Need to …...CDC’s Response to Zika US Zika Pregnancy Registry What Pregnant Women Need to Know What is the purpose of the registry?

INFORMATION MANAGEMENT TION MANAGEMENT Registry Data Escrow · Registry Data Escrow Basics WHAT is it? - Protection & storage of authoritative data associated with a domain name -