Explore the forensic value of registry data, uncover deleted information, and track subkeys to their values for detailed account analysis. Learn to interpret SID and RID data for user and group identification.
Lecture 2 • Registry data • Deleted data • SAM file • SID & RID • Accounts, F value, V value • Password analysis • Accounts, groups • CLSID
Registry data • Potential forensic value • Carving from unallocated space: uninstalled software, references to keys that are no longer active, references to wiped information • Carving from memory: may show the most recent behaviour, not yet written to the hive on disk
Registry data • Key cell (nk) header offsets, in decimal
Tracking subkeys to value • 0-3 = cell size, stored as a negative 32-bit little-endian number for an allocated cell (0xa0ffffff = -96 or 0xa8ffffff = -88 as the bytes appear in the hex editor) • 4-5 = "nk" signature • 6-7 = key flags (key type) • 8-15 = key modify date & time (FILETIME) • The key named "000001F4" is the Administrator account (RID 500 dec., written as 8 hex digits) • 40-43 = number of values attached to the subkey, here 2 • 44-47 = offset of the value list, relative to the first hbin block (0x702a0000 as seen in the editor, little endian = 0x00002a70 = 10864 dec.) • Add 4096 (the size of the regf header block) to obtain the offset in the hex editor: 10864 + 4096 = 14960 dec. = 0x03a70 • 76-77 = key name length; the key name itself starts at offset 80
Value cell lists & vk headers • At least 4 different combinations • The AccessData white paper "Registry Offsets 9-8-08.pdf" is a must-read! • Note! Adding 0x1000 (4096 dec.) to a little-endian address directly in the hex editor is much easier than converting to decimal first!
Tracking subkeys to value II • The value list cell at 0x03a70: offsets 0-3 = cell size, offsets 4-7 = pointer to the first value (vk) cell • 0xb8270000 little endian => 0x27b8 = 10168 dec., + 4096 = 14264 dec. = 0x037b8 • Navigate to 0x037b8 (marked) • Offsets 4-5 = "vk" signature, 6-7 = length of the value name • Offsets 8-11 = length of the data, in this case 80 dec. • The top bit of that length field tells whether the data is resident or not: bytes 10-11 = 0x0000 means non-resident, 0x0080 means resident (data of 4 bytes or less is stored directly in the offset field) • Offsets 12-15 = pointer to the data cell: 10200 dec. + 4096 = 14296 = 0x037d8 • Offsets 16-19 = data type; the value name starts at offset 24 • Note: data cells and value list cells, like every allocated cell, store their size as a negative number • Value name, data (80 bytes ...)
Deleted registry data • The cell size field is changed from a negative to a positive number • Positive sizes identify unallocated cells whose contents are still present in the hive • This is the ONLY thing that happens when a subkey or value is deleted, so key names, timestamps and value data remain recoverable until the cell is reused • "Recovering deleted data from the Windows registry" (Timothy D. Morgan, DFRWS 2008) • A highly recommended read! • http://www.dfrws.org/2008/program.shtml
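The following is an added example, not code from the lecture or from the AccessData white paper: a small Python parser that performs the hex-editor walk of the two "Tracking subkeys to value" slides automatically (nk cell -> value list -> vk cells -> data), and that walks an hbin cell by cell to flag freed cells, which is the "positive size" point of the "Deleted registry data" slide. It assumes the standard regf layout described on the slides (cell size at 0-3, "nk"/"vk" signatures at 4-5, value count at nk+40, value list pointer at nk+44, key name length at nk+76, the 0x80000000 resident bit in the vk data-length field, and the 0x1000 bias for the regf header). The hive bytes, the key name "Demo" and the value names are constructed for the example, not taken from a real system.

```python
import struct
from datetime import datetime, timedelta, timezone

HBIN_BASE = 0x1000          # the 4096-byte regf header precedes the first hbin; cell pointers are relative to it
RESIDENT_BIT = 0x80000000   # set in the vk data-length field when the data (<= 4 bytes) lives in the offset field
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
REG_TYPES = {1: "REG_SZ", 3: "REG_BINARY", 4: "REG_DWORD"}


def filetime_to_datetime(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def editor_offset(le_bytes):
    """A 4-byte little-endian pointer as it appears in the hex editor -> editor offset to jump to
    (the slide's 0x2a70 + 0x1000 = 0x3a70, i.e. 10864 + 4096 = 14960)."""
    return struct.unpack("<I", le_bytes)[0] + HBIN_BASE


def cell(hive, rel):
    """Whole cell (size field included) at hbin-relative offset rel, plus its allocation state.
    Allocated cells carry a negative size; deletion merely flips the sign, so the bytes stay readable."""
    off = rel + HBIN_BASE
    size = struct.unpack_from("<i", hive, off)[0]
    return size < 0, bytes(hive[off:off + abs(size)])


def parse_vk(hive, rel):
    allocated, c = cell(hive, rel)
    if c[4:6] != b"vk":
        raise ValueError("no vk signature at 0x%x" % rel)
    name_len, data_len, data_off, data_type = struct.unpack_from("<HIII", c, 6)
    name = c[24:24 + name_len].decode("latin-1") if name_len else "(Default)"
    if data_len & RESIDENT_BIT:
        data = c[12:12 + (data_len & 0x7FFFFFFF)]        # resident: the offset field holds the data
    else:
        data = cell(hive, data_off)[1][4:4 + data_len]    # non-resident: follow the pointer, skip the size field
    return {"name": name, "type": REG_TYPES.get(data_type, data_type), "data": data, "allocated": allocated}


def parse_nk(hive, rel):
    allocated, c = cell(hive, rel)
    if c[4:6] != b"nk":
        raise ValueError("no nk signature at 0x%x" % rel)
    mtime = struct.unpack_from("<Q", c, 8)[0]
    n_values, vlist_rel = struct.unpack_from("<II", c, 40)
    name_len = struct.unpack_from("<H", c, 76)[0]
    values = []
    if n_values:
        vlist = cell(hive, vlist_rel)[1]
        values = [parse_vk(hive, p) for p in struct.unpack_from("<%dI" % n_values, vlist, 4)]
    return {"name": c[80:80 + name_len].decode("latin-1"), "allocated": allocated,
            "mtime": filetime_to_datetime(mtime), "values": values}


def walk_hbin(hive, hbin_rel=0):
    """Sequential carve of one hbin: step from cell to cell using the size field and report
    (offset, signature, allocated). Freed nk/vk cells in slack show up with allocated == False."""
    start = hbin_rel + HBIN_BASE
    if hive[start:start + 4] != b"hbin":
        raise ValueError("no hbin at 0x%x" % start)
    end = start + struct.unpack_from("<I", hive, start + 8)[0]
    pos, found = start + 0x20, []
    while pos + 4 <= end:
        size = struct.unpack_from("<i", hive, pos)[0]
        if size == 0:
            break
        found.append((pos - HBIN_BASE, bytes(hive[pos + 4:pos + 6]), size < 0))
        pos += abs(size)
    return found


def build_demo_hive():
    """Constructed hive: regf header, one hbin with key 'Demo' holding a non-resident REG_BINARY value,
    a resident REG_DWORD value, and one freed vk cell ('Old') left behind in slack."""
    hbin = bytearray(b"hbin" + struct.pack("<II", 0, 0x1000) + b"\0" * 20)   # 32-byte hbin header

    def add(payload, allocated=True):
        rel = len(hbin)
        size = (len(payload) + 4 + 7) & ~7                                   # cells are 8-byte aligned
        hbin.extend(struct.pack("<i", -size if allocated else size))
        hbin.extend(payload.ljust(size - 4, b"\0"))
        return rel

    data_rel = add(bytes(range(80)))                                          # 80 bytes of data, as on the slide
    vk1 = add(b"vk" + struct.pack("<HIIIHH", 4, 80, data_rel, 3, 1, 0) + b"Data")
    vk2 = add(b"vk" + struct.pack("<HIIIHH", 5, RESIDENT_BIT | 4, 0x10, 4, 1, 0) + b"Flags")
    add(b"vk" + struct.pack("<HIIIHH", 3, RESIDENT_BIT | 4, 0xDEAD, 4, 1, 0) + b"Old", allocated=False)
    vlist = add(struct.pack("<II", vk1, vk2))
    mtime = int((datetime(2009, 10, 14, 13, 4, 53, tzinfo=timezone.utc) - EPOCH_1601).total_seconds()) * 10_000_000
    nk = add(b"nk" + struct.pack("<HQ", 0x20, mtime)
             + struct.pack("<8I", 0, 0xFFFFFFFF, 0, 0, 0xFFFFFFFF, 0xFFFFFFFF, 2, vlist)   # offsets 16..47
             + struct.pack("<7I", 0xFFFFFFFF, 0xFFFFFFFF, 0, 0, 0, 0, 0)                   # offsets 48..75
             + struct.pack("<HH", 4, 0) + b"Demo")                                         # name len, class len, name
    hbin.extend(b"\0" * (0x1000 - len(hbin)))
    return bytes(b"regf".ljust(HBIN_BASE, b"\0")) + bytes(hbin), nk


def demo():
    hive, nk_rel = build_demo_hive()
    return parse_nk(hive, nk_rel), walk_hbin(hive)


if __name__ == "__main__":
    key, cells = demo()
    print(key["name"], key["mtime"], [(v["name"], v["type"], len(v["data"])) for v in key["values"]])
    for rel, sig, alloc in cells:
        print("0x%05x %r %s" % (rel, sig, "allocated" if alloc else "FREED, still in slack"))
```

Run it and compare the printed offsets with what you would reach by hand: every pointer the parser follows is the little-endian value from the cell plus 0x1000, exactly the addition the slides do in the editor. The freed "Old" cell is never reached by following pointers from the key, only by the sequential walk, which is why deleted keys and values must be carved rather than looked up.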
Hypothetical hive bin diagram (figure): potential registry slack with positive cell headers
Registry tools • We can think of the registry as a complex log on a file system that can only grow • Monitor changes to the registry: Sysinternals Process Monitor captures registry, open file and process/thread activity in real time • Snapshot comparison: Regshot, http://sourceforge.net/projects/regshot, and InControl5 • RegRipper: Perl scripts by Harlan Carvey, http://www.regripper.net/ • More reading: Mark Russinovich, "Inside the Registry", http://technet.microsoft.com/en-us/library/cc750583.aspx
SID (Security IDentifier) • Windows manages user accounts based on SIDs • The SID identifies the entity; access checks against ACLs then decide what operations that entity can perform • SIDs are composed of three distinct parts: the issuing authority, the sub-authorities (machine or domain identifier) and the RID (Relative IDentifier) • SIDs are unique • Example: S-1-5-21-1801674531-1177238915-725345543-1004 • S = security identifier • 1 = revision number/level • 5 = issuing authority value (NT Authority) • 21 = sub-authority value marking a machine/domain SID • 1801674531-1177238915-725345543 = domain identifier or machine number (sub-authorities) • 1004 = RID (Relative IDentifier)
Machine SID • The machine SID is a randomly generated number, designed to be unique so that collisions are not expected • The LSA (Local Security Authority) takes care of this and validates logons against the SAM database • The LSA, the heart of Windows security, provides user validation and authentication, checking of user access permissions, generation of access tokens and management of local security policies • The machine SID is stored in the SAM file: HKLM\SAM\SAM\Domains\Account\V, in the last 12 bytes of the V value, stored as little endian • Also stored in HKLM\SECURITY\Policy\PolAcDmS
Interpreting a machine SID • SID sections are stored as little endian • Example (last 12 bytes of the V value): 0x235f636b833d2b4607e53b2b • Divide the 12 bytes into 3 sections of 4 bytes: 0x 23 5f 63 6b | 83 3d 2b 46 | 07 e5 3b 2b • Reverse the byte order of each section to big endian: 0x 6b 63 5f 23 | 46 2b 3d 83 | 2b 3b e5 07 • Convert each section from hex to decimal: 1801674531-1177238915-725345543 • Result: S-1-5-21-1801674531-1177238915-725345543-<RID>
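The conversion on the slide, as an added Python example (not code from the lecture): the 12-byte tail of the V value is three little-endian 32-bit sub-authorities, so one `struct.unpack` replaces the manual byte reversal. The example also goes one step beyond the slide and handles the general binary SID layout (revision, sub-authority count, 48-bit identifier authority, sub-authorities), which is how SIDs are stored in SECURITY\Policy\PolAcDmS, in ACLs and in SAM group member lists. The sample bytes are the ones quoted on the slide; the RID 1004 and the function names are the example's own.

```python
import struct

# Last 12 bytes of HKLM\SAM\SAM\Domains\Account\V, as quoted on the slide above.
SAMPLE_V_TAIL = bytes.fromhex("235f636b833d2b4607e53b2b")
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest"}


def machine_sid_from_sam_v(v_value):
    """The machine SID is the three sub-authorities in the last 12 bytes of the V value,
    each a little-endian uint32, appended to the fixed prefix S-1-5-21."""
    a, b, c = struct.unpack("<III", v_value[-12:])
    return "S-1-5-21-%d-%d-%d" % (a, b, c)


def sid_from_binary(blob):
    """Decode a binary SID: revision (1 byte), sub-authority count (1 byte), 48-bit identifier
    authority (big endian), then count little-endian uint32 sub-authorities.
    Returns the textual SID and the number of bytes consumed (so a list of SIDs can be walked)."""
    revision, count = blob[0], blob[1]
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, blob, 8)
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs)), 8 + 4 * count


def sid_to_binary(sid):
    """Inverse of sid_from_binary; used here to construct sample data."""
    parts = sid.split("-")
    if parts[0] != "S" or len(parts) < 3:
        raise ValueError("malformed SID: %r" % sid)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def split_sid(sid):
    """Split an account SID into (machine/domain SID, RID): the RID is the last sub-authority."""
    head, _, rid = sid.rpartition("-")
    return head, int(rid)


def describe_rid(rid):
    if rid in WELL_KNOWN_RIDS:
        return WELL_KNOWN_RIDS[rid]
    return "user-created account or group" if rid >= 1000 else "built-in (RID %d)" % rid


def demo():
    machine = machine_sid_from_sam_v(SAMPLE_V_TAIL)
    user = machine + "-1004"
    blob = sid_to_binary(user)      # 28 bytes: 01 05 | 00 00 00 00 00 05 | 15 00 00 00 | 3 x machine | RID
    decoded, used = sid_from_binary(blob)
    return machine, user, blob, decoded, used


if __name__ == "__main__":
    machine, user, blob, decoded, used = demo()
    print("machine SID:", machine)
    print("user SID   :", user, "->", split_sid(user), describe_rid(split_sid(user)[1]))
    print("binary form:", blob.hex(), "(%d bytes) decodes to" % used, decoded)
```

Note the binary form of a machine-local account SID: it begins 01 05 00 00 (revision 1, five sub-authorities) and ends with the RID as a little-endian DWORD, which is exactly the 28-byte member entry seen later in the group C values.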
RID (Relative IDentifier) • Unique number identifying an entity within the machine or domain: user accounts, groups and custom groups • Well-known RIDs: 500 = Administrator, 501 = Guest • User-added RIDs begin at 1000 (first custom user in Vista) or 1005 (XP) and increment by one for every group or user added • Used to identify Recycler owners (folders named by SID) and restore points (XP) • RID = offsets 48-51 in the F value (4 bytes, little endian), e.g. 0x3EC = 1004 • The name of the user associated with the RID is in the V value • User SID = machine SID plus RID: S-1-5-21-1801674531-1177238915-725345543-1004
Account information • SAM file = user account information: location on disk, RID and username, logon dates and times, logon count, group membership, password hash • SOFTWARE file = the user's file system profile: location on disk, and the association between the SID and the file system at Software\Microsoft\Windows NT\CurrentVersion\ProfileList • Profiles can be either local or roaming • The profile list identifies the individual users and the locations of their respective profiles on the system
Parsing the F value • The F value in each user's subkey contains logon info (last logon time, RID, account flags, logon count) • Account flags (2 bytes at offset 56, read as bits): 0 = account active and password set, 1 = account not active (disabled), 4 = password not set (password not required) • Note that when a user removes the password from an existing account that had a password set, the flag does not change from 0 to 4; whether a hash is actually present must be read from the V value
Password analysis • The V value stores the password hash(es) (LM and/or NTLM), encrypted under the SYSKEY from the SYSTEM hive • The hash entries are stored at the end of the V value • If the user has never logged on, or no password was entered when the account was created, the hash entry is empty
Break SAM passwords 101 • You should remember this from Forensics 1! • Export the SAM and SYSTEM files from the image • Export the Full Text Index from FTK (used as a dictionary) • Import the FTI into PRTK • Add other desired dictionaries • Create an attack profile that includes the FTI and the other dictionaries • Drop the SAM file into PRTK • Select the user whose password is to be broken • Point to the SYSTEM file to obtain the SYSKEY (encryption key) • If a password hint was entered it is stored at: XP: Software\Microsoft\Windows\CurrentVersion\Hints\<username>; Vista: SAM\SAM\Domains\Account\Users\<userhex>\UserPasswordHint
Parsing the V value • The V value also stores some key account properties (user name, full name, comment, hashes) • The V value is like a small file system: a table of 12-byte entries, each holding the start offset (4 bytes) and the size (4 bytes) of one data item; the last 4 bytes of each entry are not used • Note that there are some variations between different Windows versions • The hashes are 16 bytes, preceded by a 4-byte header
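An added Python example (not code from the lecture) that ties the RID, "Parsing the F value", "Password analysis" and "Parsing the V value" slides together: it builds two constructed SAM user records and parses them back. The F offsets used (last logon at 8, password-last-set at 24, RID at 48, account flags at 56, failed-logon and logon counters at 64 and 66) and the V table layout (17 entries of 12 bytes, data offsets relative to 0xCC, user name in entry 1, full name in entry 2, NT hash in entry 14) are the standard XP-era layout, stated here as the example's assumptions. The user names, timestamps and the 16 hash bytes are constructed; a real NT hash in V is encrypted under the SYSKEY and is not decrypted here.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
V_TABLE_END = 0xCC      # 17 table entries x 12 bytes; data offsets in the table are relative to this point
V_USERNAME, V_FULLNAME, V_COMMENT, V_LMHASH, V_NTHASH = 1, 2, 3, 13, 14   # table entry indexes
ACB_DISABLED, ACB_PWNOTREQ, ACB_NORMAL, ACB_AUTOLOCK = 0x0001, 0x0004, 0x0010, 0x0400   # account flag bits


def filetime_to_datetime(ft):
    return EPOCH_1601 + timedelta(microseconds=ft // 10) if ft else None   # 0 = never


def datetime_to_filetime(dt):
    return int((dt - EPOCH_1601).total_seconds()) * 10_000_000


def user_key_name(rid):
    """SAM\\Domains\\Account\\Users\\<key>: the RID as 8 upper-case hex digits (500 -> 000001F4)."""
    return "%08X" % rid


def parse_f(f):
    last_logon, = struct.unpack_from("<Q", f, 8)
    pw_last_set, = struct.unpack_from("<Q", f, 24)
    rid, = struct.unpack_from("<I", f, 48)
    acb, = struct.unpack_from("<H", f, 56)
    failed, logons = struct.unpack_from("<HH", f, 64)
    return {"rid": rid, "acb": acb,
            "disabled": bool(acb & ACB_DISABLED),
            "password_not_required": bool(acb & ACB_PWNOTREQ),   # set at creation; not cleared when a password is later removed
            "locked_out": bool(acb & ACB_AUTOLOCK),
            "last_logon": filetime_to_datetime(last_logon),
            "pw_last_set": filetime_to_datetime(pw_last_set),
            "logon_count": logons, "failed_logins": failed}


def v_entry(v, idx):
    start, length = struct.unpack_from("<II", v, idx * 12)
    return v[V_TABLE_END + start: V_TABLE_END + start + length]


def parse_account(f, v):
    acct = parse_f(f)
    acct["key_name"] = user_key_name(acct["rid"])
    acct["username"] = v_entry(v, V_USERNAME).decode("utf-16-le")
    acct["fullname"] = v_entry(v, V_FULLNAME).decode("utf-16-le")
    nt = v_entry(v, V_NTHASH)
    acct["nt_hash_present"] = len(nt) > 4      # only the 4-byte header = empty (never set / never logged on)
    acct["nt_hash_encrypted"] = nt[4:]         # 16 bytes, still SYSKEY-encrypted
    return acct


def build_f(rid, acb, last_logon=None, pw_last_set=None, logons=0, failed=0):
    """Constructed 80-byte F value."""
    f = bytearray(0x50)
    struct.pack_into("<Q", f, 8, datetime_to_filetime(last_logon) if last_logon else 0)
    struct.pack_into("<Q", f, 24, datetime_to_filetime(pw_last_set) if pw_last_set else 0)
    struct.pack_into("<I", f, 48, rid)
    struct.pack_into("<H", f, 56, acb)
    struct.pack_into("<HH", f, 64, failed, logons)
    return bytes(f)


def build_v(username, fullname, nt_hash=b"", comment=""):
    """Constructed V value: 17-entry offset/length table followed by the data area."""
    table, data = [(0, 0)] * 17, bytearray()

    def put(idx, blob):
        table[idx] = (len(data), len(blob))
        data.extend(blob)
        data.extend(b"\0" * (-len(data) % 4))

    put(V_USERNAME, username.encode("utf-16-le"))
    put(V_FULLNAME, fullname.encode("utf-16-le"))
    put(V_COMMENT, comment.encode("utf-16-le"))
    put(V_LMHASH, b"\0\0\0\0")                    # 4-byte header only: no LM hash stored
    put(V_NTHASH, b"\0\0\0\0" + nt_hash)           # 4-byte header (not interpreted here), then the hash if any
    return b"".join(struct.pack("<III", s, n, 0) for s, n in table) + bytes(data)


def demo_accounts():
    """Two constructed accounts: an active user with a hash, and a disabled account created without a password."""
    t = datetime(2009, 10, 14, 13, 4, 53, tzinfo=timezone.utc)
    dog = (build_f(1004, ACB_NORMAL, last_logon=t, pw_last_set=t, logons=7, failed=1),
           build_v("TheDog", "The Dog", nt_hash=bytes(range(16))))
    tmp = (build_f(1005, ACB_NORMAL | ACB_DISABLED | ACB_PWNOTREQ), build_v("Temp", ""))
    return [parse_account(f, v) for f, v in (dog, tmp)]


if __name__ == "__main__":
    for a in demo_accounts():
        print(a["key_name"], a["username"], "disabled" if a["disabled"] else "active",
              "hash" if a["nt_hash_present"] else "no hash", a["last_logon"], a["logon_count"])
```

The two records show the caveat from the F-value slide in practice: the flags say whether a password was required when the account was created, but only the length of the NT hash entry in V says whether a hash is stored now.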
Accounts I • When a user logs on for the first time, a new profile is created from the "Default" profile • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList • User profile locations are defined in the ProfileList\<SID> key, value ProfileImagePath • Profiles can be in a remote location (roaming)
Accounts II • User account names can be changed in the SAM registry, i.e. SAM\SAM\Domains\Account\Users\Names\<username>, via the built-in tools for user management (User Accounts, Computer Management) • RID 1004 could get a new name such as "The Dog" • However, in the SOFTWARE keys (red squares on the previous page) the SID will not change and ProfileImagePath will not change • When an account is deleted: in the SAM file Windows removes the account info and the RID will not be reused; in the SOFTWARE file XP and newer remove all account information, but W2K does not remove the keys! • Deleted users may be found in registry slack or in registry files from System Restore points in C:\System Volume Information
Groups I • Group: an account created through the SAM and LSA to identify and authenticate users as members of the group • Groups are defined in the SAM file • Rights and permissions are assigned to groups • Builtin subkey (Builtin DB): Administrators, Users, Guests, Power Users etc., with fixed SIDs • User-created custom groups get the machine SID plus a new RID • ACLs list the users/groups and their rights • Policies, password rules and trust accounts are in the SECURITY file • Group RIDs
Groups II • Group RIDs: Administrators = 544, Users = 545, Guests = 546, Power Users = 547 • Defined as S-1-5-32-<RID> • Member RIDs are listed in the group's <RID> key (e.g. 00000220 for 544) • In the C value (there is only one C value per group, holding all its rights) • The first 4 bytes of the C value = group RID (0x0220 = 544) • Each member is stored at the end of the C value, right after the description of the group, as a 28-byte entry • Each 28-byte entry is a binary SID: the header 0x01050000 (revision 1, 5 sub-authorities) is the same for every entry, and the last 4 bytes hold the single member's RID • RID entries occur in the order in which they were added
(Figure: hex dump of a group C value showing the same 0x01050000 header on every 28-byte member entry and the member's RID in the last 4 bytes of each entry.)
Groups III • Group members, default and custom groups (figure): RID in hex -> who is in the group • 0x0220 = 544 = Administrators: members 0x01F4 = 500 (Administrator) and 0x03EC = 1004 (user) • Custom groups have RIDs above 1000 dec.
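An added Python example (not code from the lecture) for the "Groups II" and "Groups III" slides: it constructs a C value laid out as the slides describe (group RID in the first 4 bytes, a UTF-16 description, then one 28-byte member entry per member in join order), parses the members from the end using the 0x01050000 header as the check, and pivots the result into the "who is in which group" view. The group RID is also taken from the key name (00000220) so a disagreement with the first 4 bytes is reported rather than trusted. The machine SID is the one from the earlier slides; the description texts, the custom group RID 1006 and its membership are constructed.

```python
import struct

MACHINE_SUBS = (1801674531, 1177238915, 725345543)        # machine SID sub-authorities from the SID slides
BUILTIN_GROUPS = {544: "Administrators", 545: "Users", 546: "Guests", 547: "Power Users"}
# One member entry is a 28-byte binary SID with five sub-authorities:
# 01 05 | 00 00 00 00 00 05 | 15 00 00 00 | three machine sub-authorities | member RID
MEMBER_HEADER = b"\x01\x05\x00\x00\x00\x00\x00\x05\x15\x00\x00\x00"
MEMBER_LEN = 28


def member_entry(rid, machine=MACHINE_SUBS):
    return MEMBER_HEADER + struct.pack("<3I", *machine) + struct.pack("<I", rid)


def build_group_c(group_rid, description, member_rids):
    """Constructed C value in the layout the slides describe. A real C value carries further header
    fields between the RID and the description, which this example does not model."""
    body = struct.pack("<I", group_rid) + description.encode("utf-16-le")
    return body + b"".join(member_entry(r) for r in member_rids)


def parse_group_c(key_name, c):
    rid_from_key = int(key_name, 16)                  # the group's key is its RID in hex, e.g. 00000220
    rid_in_c = struct.unpack_from("<I", c, 0)[0]      # first 4 bytes, as shown on the slide
    members, pos = [], len(c)
    # walk backwards from the end in 28-byte steps while the entry carries the S-1-5-21 header
    while pos - MEMBER_LEN >= 4 and c[pos - MEMBER_LEN: pos - MEMBER_LEN + len(MEMBER_HEADER)] == MEMBER_HEADER:
        entry = c[pos - MEMBER_LEN: pos]
        subs = struct.unpack_from("<3I", entry, 12)
        rid = struct.unpack_from("<I", entry, 24)[0]
        members.append((rid, "S-1-5-21-%d-%d-%d-%d" % (subs + (rid,))))
        pos -= MEMBER_LEN
    members.reverse()                                 # entries are stored in the order they were added
    name = BUILTIN_GROUPS.get(rid_from_key, "custom group (RID %d)" % rid_from_key)
    return {"rid": rid_from_key, "rid_in_c": rid_in_c, "rid_mismatch": rid_in_c != rid_from_key,
            "name": name, "members": members}


def memberships(groups):
    """Pivot: for each member RID, the groups it belongs to."""
    out = {}
    for g in groups:
        for rid, _ in g["members"]:
            out.setdefault(rid, []).append(g["name"])
    return out


def demo():
    admins = parse_group_c("00000220", build_group_c(
        544, "Administrators have complete and unrestricted access to the computer/domain", [500, 1004]))
    custom = parse_group_c("000003EE", build_group_c(1006, "Lab group", [1004]))
    return admins, custom, memberships([admins, custom])


if __name__ == "__main__":
    admins, custom, who = demo()
    for g in (admins, custom):
        print("%s (RID %d):" % (g["name"], g["rid"]), [r for r, _ in g["members"]])
    for rid, names in sorted(who.items()):
        print("RID %d is in %s" % (rid, ", ".join(names)))
```

Caveat for real data: the built-in Users group also contains well-known members such as S-1-5-4 (INTERACTIVE) and S-1-5-11 (Authenticated Users), whose binary SIDs are shorter than 28 bytes. The backwards walk above stops at the first entry whose header differs, so such groups need the general binary-SID decoding (revision, sub-authority count, authority, sub-authorities) rather than a fixed 28-byte stride.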
Groups IV • NTUSER.DAT artifacts • NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Group Policy\GroupMembership • Each group the user belongs to is listed there as a SID (Group0, Group1, ...) • A custom group would look like Group0 but with a higher RID
Groups V • SIDs • NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Group • A very small extract of well-known RIDs: http://us1.samba.org/samba/docs/man/Samba-HOWTO-Collection/groupmapping.html#id2590538
Network/WiFi Windows Vista/7 • Network information & wireless profiles • SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList • The date/time values are 16-byte SYSTEMTIME structures: eight 2-byte little-endian fields (year, month, day of week, day, hour, minute, second, millisecond) • Example: d907 0a00 0500 0e00 0d00 0400 3500 af03 = 2009, 10 (October), 5 (day of week, 0 = Sunday, so Friday), 14th, 13 h, 04 min, 53 s (0x35 = 53, not 35), 943 ms (0x03af) -> 2009-10-14 13:04:53.943 • Note: 14 October 2009 was a Wednesday, so the stored day-of-week field in this sample does not agree with the date; always cross-check the two • Subkey creation date • Figure legend: 0 = WiFi router, 1 = connected to server domain • Profile name "Simple network"
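The decoding on the slide, as an added Python example (not code from the lecture): the 16 bytes are unpacked as eight little-endian uint16 fields of a SYSTEMTIME, and the separately stored day-of-week field is cross-checked against the calendar date, which flags the inconsistency in the slide's own sample. The first timestamp is the one quoted on the slide; the second timestamp, the profile name dictionary and the `profile_timeline` helper are constructed for the example.

```python
import struct
from datetime import datetime

WEEKDAYS = ("Sunday", "Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday")

# The bytes quoted on the slide: d907 0a00 0500 0e00 0d00 0400 3500 af03
SAMPLE_DATE_CREATED = bytes.fromhex("d9070a0005000e000d0004003500af03")
# Constructed second timestamp for the same profile: 2009-10-16 08:30:00.000, day-of-week 5 (Friday)
SAMPLE_DATE_LAST_CONNECTED = bytes.fromhex("d9070a000500100008001e0000000000")


def parse_systemtime(blob):
    """A 16-byte Windows SYSTEMTIME: eight little-endian uint16 fields in the order
    year, month, day-of-week (0 = Sunday), day, hour, minute, second, millisecond."""
    year, month, dow, day, hour, minute, second, millis = struct.unpack("<8H", blob)
    when = datetime(year, month, day, hour, minute, second, millis * 1000)
    return {
        "datetime": when,
        "stored_weekday": WEEKDAYS[dow] if dow < 7 else "invalid (%d)" % dow,
        # the weekday is a separate field, so it can disagree with the date; a mismatch means the
        # record is not a consistent SYSTEMTIME and deserves a second look before it goes in a timeline
        "weekday_consistent": when.isoweekday() % 7 == dow,
    }


def profile_timeline(profiles):
    """Given {ProfileName: (DateCreated bytes, DateLastConnected bytes)} return rows sorted by last
    connection, the view used to answer 'which network did this machine last see, and when'."""
    rows = []
    for name, (created, last) in profiles.items():
        c, l = parse_systemtime(created), parse_systemtime(last)
        rows.append({"profile": name, "created": c["datetime"], "last_connected": l["datetime"],
                     "consistent": c["weekday_consistent"] and l["weekday_consistent"]
                     and c["datetime"] <= l["datetime"]})
    return sorted(rows, key=lambda r: r["last_connected"])


def demo():
    # Constructed profile set (not from a real NetworkList key); the first timestamp is the slide's.
    profiles = {"Simple network": (SAMPLE_DATE_CREATED, SAMPLE_DATE_LAST_CONNECTED)}
    return parse_systemtime(SAMPLE_DATE_CREATED), profile_timeline(profiles)


if __name__ == "__main__":
    created, rows = demo()
    print(created["datetime"], "stored weekday:", created["stored_weekday"],
          "consistent:", created["weekday_consistent"])
    for r in rows:
        print(r["profile"], "created", r["created"], "last connected", r["last_connected"],
              "consistent" if r["consistent"] else "INCONSISTENT")
```

Running it prints 2009-10-14 13:04:53.943000 with stored weekday Friday and consistent False, because the date itself falls on a Wednesday: the two fields are written independently, so a mismatch is a signal worth recording rather than silently reading one of them.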
Class Identifier (CLSID) • Identifies file types and which application handles them • Applications register their classes under the Classes subkey, which is mapped to the HKEY_CLASSES_ROOT hive • Each application registers itself under CLSID with a GUID; when the OS needs to open a file etc., it looks the GUID up to obtain the information needed to handle it • Almost everything has a GUID in Windows, even the Recycle Bin • http://www.spywareguide.com/articles/open_letter_to_software_develo_53.html
Readings • DFRWS 2008 proceedings, http://www.dfrws.org/2008/program.shtml: Timothy D. Morgan, "Recovering deleted data from the Windows registry", http://projects.sentinelchicken.org; Brendan Dolan-Gavitt, "Forensic analysis of the Windows registry in memory" • Offline registry tools and password resetter: http://home.eunet.no/pnordahl/ntpasswd/ • WinReg.txt • AccessData white papers: [server]\forensics\docs\AccessData\White Papers, including "Registry Offsets 9-8-08.pdf" • There are more very good AccessData white papers!