Thursday, 12 April 2012

Registry Hives explained

Before I get started on my next tutorial, on how to run RegRipper against the image we took with FTK Imager, I thought I'd briefly go over the Windows registry as it exists on Windows 2000, XP and 2003.

The system-wide registry hives are stored as files in the %SystemRoot%\System32\Config directory. Each hive shows up there under a few different extensions:
  • Software
  • System
  • Sam
  • Security
  • Default
  • UserDiff
The extension tells you the role a file plays for its hive (the live hive itself, a backup copy, or a transaction log); it does not change which registry data the hive holds. As described on the Microsoft support page, the extensions break down as follows:

Extension   Description
(none)      A complete copy of the hive data.
.alt        A backup copy of the critical HKEY_LOCAL_MACHINE\System hive. Only the System key has an .alt file.
.log        A transaction log of changes to the keys and value entries in the hive.
.sav        A backup copy of a hive.
The following table, from the same Microsoft page, shows which files back each registry hive. Note that Ntuser.dat is the one hive not kept in System32\Config: each user's copy sits in the root of that user's profile folder (under Documents and Settings on XP), so it has to be pulled out of the image separately.

Registry hive                  Supporting files
HKEY_CURRENT_CONFIG            System, System.alt, System.log, System.sav
HKEY_CURRENT_USER              Ntuser.dat, Ntuser.dat.log
HKEY_LOCAL_MACHINE\SAM         Sam, Sam.log, Sam.sav
HKEY_LOCAL_MACHINE\Security    Security, Security.log, Security.sav
HKEY_LOCAL_MACHINE\Software    Software, Software.log, Software.sav
HKEY_LOCAL_MACHINE\System      System, System.alt, System.log, System.sav
HKEY_USERS\.DEFAULT            Default, Default.log, Default.sav

Based on the above, let's take a look at the %SystemRoot%\System32\Config directory that we extracted from the image taken in the previous post.

From that directory listing (shown as a screenshot in the original post) we can start to pick out which hives will be of most interest from an incident response perspective.
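Before pointing RegRipper at the files in that listing, it is worth confirming what each one actually is. As an added example (my own code, not from the original post and not part of RegRipper or FTK Imager), the Python script below reads the 512-byte "regf" base block that begins every primary hive, every .sav copy and, in the Windows 2000/XP/2003 hive format, every .log file: it checks the signature, reports the format version, whether the file is a primary hive or a transaction log, the embedded file name and last-write time, verifies the header checksum, and compares the two sequence numbers, which differ when a hive was not flushed cleanly and its .log may still hold unapplied changes. The sample headers it parses are constructed inside the script (the names, dates and sequence numbers are made up); point it at an extracted Config directory to run it on real files.

```python
"""Triage Windows registry hive files by their 'regf' base block.

Added example for this post, not the author's code and not RegRipper's.
Every primary hive, .sav copy and (in the Windows 2000/XP/2003 format)
every .log file starts with a 512-byte base block that identifies it.
"""
import struct
from datetime import datetime, timedelta, timezone
from pathlib import Path

REGF_SIGNATURE = b"regf"
BASE_BLOCK_SIZE = 512
FILE_TYPES = {0: "primary", 1: "transaction log"}
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    # FILETIME counts 100 ns intervals since 1601-01-01 UTC.
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def regf_checksum(block):
    # XOR of the 127 DWORDs before the checksum field at offset 0x1FC;
    # the two reserved results (0xFFFFFFFF and 0) are remapped by Windows.
    acc = 0
    for (dword,) in struct.iter_unpack("<I", bytes(block[:0x1FC])):
        acc ^= dword
    if acc == 0xFFFFFFFF:
        return 0xFFFFFFFE
    return acc or 1


def parse_base_block(data):
    """Return the fields of a hive base block; raise ValueError if it is not one."""
    if len(data) < BASE_BLOCK_SIZE:
        raise ValueError("file is shorter than a base block")
    block = bytes(data[:BASE_BLOCK_SIZE])
    if block[:4] != REGF_SIGNATURE:
        raise ValueError("not a regf hive, signature is %r" % block[:4])
    (primary_seq, secondary_seq, last_written, major, minor, file_type,
     _file_format, root_cell, hbin_size, _cluster) = struct.unpack_from("<IIQIIIIIII", block, 4)
    # Offset 0x30 holds up to 32 UTF-16LE characters of the hive's file name.
    embedded_name = block[0x30:0x70].decode("utf-16-le").split("\x00", 1)[0]
    stored_checksum = struct.unpack_from("<I", block, 0x1FC)[0]
    return {
        "embedded_name": embedded_name,
        "version": "%d.%d" % (major, minor),
        "file_type": FILE_TYPES.get(file_type, "unknown (%d)" % file_type),
        "last_written": filetime_to_datetime(last_written),
        "sequence": (primary_seq, secondary_seq),
        # Equal sequence numbers mean the last write completed; a mismatch
        # means the hive is dirty and the .log may hold unapplied changes.
        "clean": primary_seq == secondary_seq,
        "root_cell_offset": root_cell,
        "hbin_data_size": hbin_size,
        "checksum_ok": stored_checksum == regf_checksum(block),
    }


def triage_config_dir(path):
    """Parse the base block of every file in an extracted Config directory."""
    results = {}
    for entry in sorted(Path(path).iterdir()):
        if not entry.is_file():
            continue
        try:
            with open(entry, "rb") as fh:
                results[entry.name] = parse_base_block(fh.read(BASE_BLOCK_SIZE))
        except ValueError as exc:
            results[entry.name] = {"error": str(exc)}
    return results


def build_sample_base_block(name, primary_seq, secondary_seq, file_type=0):
    # Constructed test data, not taken from any real system: a version 1.3
    # (Windows XP) base block with only the fields this script reads filled in.
    block = bytearray(BASE_BLOCK_SIZE)
    block[:4] = REGF_SIGNATURE
    written = datetime_to_filetime(datetime(2012, 4, 12, tzinfo=timezone.utc))
    struct.pack_into("<IIQIIIIIII", block, 4, primary_seq, secondary_seq, written,
                     1, 3, file_type, 1, 0x20, 0x1000, 1)
    encoded = name.encode("utf-16-le")[:64]
    block[0x30:0x30 + len(encoded)] = encoded
    struct.pack_into("<I", block, 0x1FC, regf_checksum(block))
    return bytes(block)


# Constructed samples: a cleanly flushed SAM, a dirty SYSTEM hive, and its .log header.
SAMPLE_CLEAN = build_sample_base_block("system32\\config\\SAM", 3, 3)
SAMPLE_DIRTY = build_sample_base_block("system32\\config\\system", 7, 6)
SAMPLE_LOG = build_sample_base_block("system32\\config\\system", 7, 6, file_type=1)

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        for name, info in triage_config_dir(sys.argv[1]).items():
            print(name, info)
    else:
        for label, blob in (("clean", SAMPLE_CLEAN), ("dirty", SAMPLE_DIRTY), ("log", SAMPLE_LOG)):
            print(label, parse_base_block(blob))
```

Run it with no arguments to see the constructed samples parsed, or pass the path of the extracted Config directory to triage the real files. A dirty hive is not evidence of tampering on its own (an unclean shutdown, or a copy taken from a running system, leaves the same sequence-number mismatch), but it is worth knowing before you rely on the last-write timestamps a tool reports from that hive.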

In the next tutorial we'll open some of these hives with RegRipper and see what information we can gather. As mentioned in my previous post, we're currently working with a default Windows XP installation with no malware installed. Once we're familiar with the tools we can run some malware and see whether there are clear indications of it in the registry, based on what we've learned from the tools.

The information I've provided today comes from the following Microsoft page, http://msdn.microsoft.com/en-us/library/windows/desktop/ms724877%28v=vs.85%29.aspx, and it's an excellent source should you need anything further.

Please let me know if there are any tools you're interested in hearing about too, and we can begin to look at some of them over the next few weeks.
