Windows registry hive files are stored in the %SystemRoot%\System32\Config directory. Each hive has a base file plus supporting files distinguished by their extension:
- Software
- System
- Sam
- Security
- Default
- UserDiff
| Extension | Description |
| --- | --- |
| None | A complete copy of the hive data. |
| .alt | A backup copy of the critical HKEY_LOCAL_MACHINE\System hive. Only the System key has an .alt file. |
| .log | A transaction log of changes to the keys and value entries in the hive. |
| .sav | A backup copy of a hive. |
| Registry Hive | Supporting files |
| --- | --- |
| HKEY_CURRENT_CONFIG | System, System.alt, System.log, System.sav |
| HKEY_CURRENT_USER | Ntuser.dat, Ntuser.dat.log |
| HKEY_LOCAL_MACHINE\SAM | Sam, Sam.log, Sam.sav |
| HKEY_LOCAL_MACHINE\Security | Security, Security.log, Security.sav |
| HKEY_LOCAL_MACHINE\Software | Software, Software.log, Software.sav |
| HKEY_LOCAL_MACHINE\System | System, System.alt, System.log, System.sav |
| HKEY_USERS\.DEFAULT | Default, Default.log, Default.sav |
Based on the above, let's take a look at the %SystemRoot%\System32\Config directory we extracted from the image taken in the previous post.
As you can see from the image to the left, we can start to understand which hives will be of most interest from an incident response perspective.
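As an added example (not code from this post or from RegRipper), the following Python groups a Config directory listing by hive using the extension table above and parses the 512-byte base block that starts a hive file, so the two sequence numbers show whether the .log transaction log still needs to be replayed before the hive is trusted. The header layout (sequence numbers, timestamp, version and type at offsets 4 to 32, file name at 48, checksum at 508) is assumed from the public registry file format description rather than taken from this post, and the sample base block is constructed inline.

```python
import os
import struct
from datetime import datetime, timedelta, timezone

# Extension meanings from the post's table: bare name = the hive, .alt/.sav = backups, .log = transaction log.
KINDS = {"": "hive", ".alt": "alt backup", ".log": "transaction log", ".sav": "backup"}

def inventory(names):
    """Group a Config directory listing into {hive: {kind: filename}} (hive keys lower-cased)."""
    groups = {}
    for n in names:
        base, ext = os.path.splitext(n)
        if ext.lower() in KINDS:
            groups.setdefault(base.lower(), {})[KINDS[ext.lower()]] = n
    return groups

def _checksum(block):
    """XOR of the first 127 DWORDs of the base block; 0 and 0xFFFFFFFF are remapped."""
    xor = 0
    for (dword,) in struct.iter_unpack("<I", block[:508]):
        xor ^= dword
    return {0: 1, 0xFFFFFFFF: 0xFFFFFFFE}.get(xor, xor)

def parse_base_block(data):
    """Parse the 512-byte base block at the start of a hive file (layout assumed, see lead-in)."""
    if data[:4] != b"regf":
        raise ValueError("not a registry hive: 'regf' signature missing")
    seq1, seq2, ft, major, minor, ftype = struct.unpack_from("<IIQIII", data, 4)
    return {
        "sequence": (seq1, seq2),
        # Unequal sequence numbers mean the last write never completed: replay the
        # .log transaction log before trusting the hive's contents.
        "dirty": seq1 != seq2,
        "last_written": datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10),
        "version": f"{major}.{minor}",
        "file_type": "primary" if ftype == 0 else "transaction log",
        "name": data[48:112].decode("utf-16-le").split("\x00", 1)[0],
        "checksum_ok": _checksum(data) == struct.unpack_from("<I", data, 508)[0],
    }

def build_base_block(seq1, seq2, ftype=0, name="SYSTEM"):
    """Constructed sample base block for offline testing; not taken from any real image."""
    hdr = bytearray(512)
    hdr[0:4] = b"regf"
    epoch = datetime(1601, 1, 1, tzinfo=timezone.utc)
    ft = int((datetime(2012, 1, 1, tzinfo=timezone.utc) - epoch).total_seconds()) * 10_000_000
    struct.pack_into("<IIQIIIIIII", hdr, 4, seq1, seq2, ft, 1, 3, ftype, 1, 0x20, 0x1000, 1)
    hdr[48:48 + 2 * len(name)] = name.encode("utf-16-le")
    struct.pack_into("<I", hdr, 508, _checksum(hdr))
    return bytes(hdr)
```

Run `parse_base_block(open(path, "rb").read(512))` against each bare-named file in an extracted Config directory; a dirty flag or a bad checksum is the cue to look at the matching .log before drawing conclusions from the hive.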
In the next tutorial we'll open some of these hives with RegRipper and see what information we can gather. As mentioned in my previous post, we're currently working with a default Windows XP installation and no malware has been installed yet. Once we're familiar with the tools we can run some malware and see whether we can find clear indications of it using the knowledge we've gained from learning the tools.
The information I've provided today comes from the following Microsoft page: http://msdn.microsoft.com/en-us/library/windows/desktop/ms724877%28v=vs.85%29.aspx. It's an excellent source of information should you need anything further.
Please let me know if there are any tools you're interested in hearing about too and we can begin to look at some of them over the next few weeks.