In-depth forensic analysis of Windows registry files
Maxim Suhanov
Registry basics
A typical registry path:
HKEY_LOCAL_MACHINE\Software\Microsoft
This path is different in the kernel:
• \Registry\Machine\Software\Microsoft
This hive is non-volatile (stored on a disk); backing files:
• C:\Windows\System32\config\SOFTWARE
• C:\Windows\System32\config\SOFTWARE.LOG (+ .LOG1/.LOG2)
[Diagram: predefined key → mount point of a hive → key]
Some hives do not have a visible mount point!
Hive format (NT family)
Seven versions of the format:
from 1.0 (pre-release versions of Windows NT 3.1)
to 1.6 (introduced in Windows 10 “Redstone 1”, not used yet)
The structure of a hive file:
[Diagram: base block (file header), hive bin, hive bin, more hive bins, remnant data]
The base block contains the size of all [allocated] hive bins.
Hive format (NT family)
A hive bin contains a header and cells.
[Diagram of a hive bin: header, cell, cell, more cells]
A cell may contain:
• Key node (nk)
• Key value (vk)
• Key security (sk)
• List of subkeys (li, lf, lh)
• List of subkeys lists (ri)
• List of values
• Value data
• Big data records (db)
• List of segments
• Value data segments
The first 4 bytes of a cell are used to record the size of this cell
(positive value: unallocated cell, negative value: allocated cell)
The header contains the size of this hive bin.
Hive format (NT family)
Records (entities) point to other records (entities) using the relative offset of a cell. A base block
points to a root key node.
File offset of a cell = Length of a base block + Relative offset of a cell
File offset of a cell = 4096 + Relative offset of a cell
[Diagram: key node → key security; key node → list of subkeys → key node, key node; key node → list of values → key value → value data]
Hive format (NT family)
All registry structures are documented here:
https://github.com/msuhanov/regf/
Transaction log files (NT family)
• Before writing dirty data to a primary file, this data is stored in a transaction log file.
• If a system crash occurs when writing to a transaction log file, a primary file will be intact.
• If a system crash occurs when writing to a primary file, a transaction log file will be used to repeat the write operation.
The old format (before Windows 8.1):
[Diagram: base block (backup copy), dirty vector (bitmap), gap, dirty sectors (pages), remnant data]
Transaction log files (NT family)
• Every bit of the bitmap corresponds to a single 512-byte sector of the hive bins data in a primary file.
• If set, a sector is dirty (and modified contents are in the transaction log file).
Relative offset of a dirty sector in a transaction log file = Index of a bit in the bitmap * 512
(relative from the start of dirty sectors (pages); the index is zero-based)
As of Windows XP, a single run of dirty data is not smaller than a page (4096 bytes).
Transaction log files (NT family)
• A bad sector in a primary file results in the following:
  - Dirty data cannot be written to a primary file (to the location with a bad sector).
  - We cannot overwrite dirty data in an existing transaction log file (otherwise a system crash may leave us without a good copy of dirty data).
  - We cannot mark mounted hives as read-only.
  - No further writes (after a failed one) to a primary file will be allowed (new dirty data will be discarded).
Transaction log files (NT family)
• Solution: the dual-logging scheme (starting from Windows Vista).
  - After a failed write to a primary file, switch the log file being used (.LOG1 -> .LOG2, .LOG2 -> .LOG1), and try the write operation again.
  - Repeat this until a bad sector is gone.
Microsoft left the CmpFailPrimarySave kernel variable used to simulate failed writes!
Transaction log files (NT family)
• The old format requires dirty data to be written to a disk twice.
• The new format is used to stash dirty pages in a transaction log file without writing them to a primary file. These pages will be written to a primary file later.
The new format (as of Windows 8.1):
[Diagram: base block (backup copy), log entries, remnant data]
Also, each log entry has a checksum for dirty data (Marvin32).
Stashed pages are written to a primary file:
• When all users are inactive.
• During the full shutdown.
• After 3600 seconds since the latest write.
Deleted data (NT family)
• When a key or a value is deleted, all corresponding cells are marked as unallocated.
• A freed cell will be coalesced with an adjacent unallocated cell.
• A single unallocated cell may contain multiple deleted records (entities).
Deleted data (NT family)
Well, not all cells are marked as unallocated when a corresponding record (entity) is deleted…
• In recent releases of Windows 10, renaming a key will leave an old key node in an allocated cell.
• This key node will be present until the hive is defragmented.
Thus: Cells with deleted data = All cells – Referenced cells
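The hive-format slides and the subtraction above, carried out in Python as an added example (this is not code from the slides or from yarp): the walker enumerates cells through the signed size field of every hive bin, turns relative offsets into file offsets with the 4096-byte base block, collects every cell reachable from the root key node, and reports the rest. The input is a constructed one-bin hive (not a real file) that contains a stale key node left by a rename and a deleted key in an unallocated cell; the key-node layout assumes no class names and no security cells, which the constructed sample marks with -1.

```python
import struct
BASE_BLOCK_SIZE = 4096  # file offset of a cell = length of the base block + relative offset of the cell
SIGNATURES = (b"nk", b"vk", b"sk", b"lf", b"lh", b"li", b"ri", b"db")

def walk_cells(hive):  # yields (relative offset, size, allocated, signature) for every cell in every bin
    hbins_size, pos = struct.unpack_from("<I", hive, 40)[0], 0  # base block: size of all allocated bins
    while pos < hbins_size and hive[BASE_BLOCK_SIZE + pos:BASE_BLOCK_SIZE + pos + 4] == b"hbin":
        hbin_size = struct.unpack_from("<I", hive, BASE_BLOCK_SIZE + pos + 8)[0]  # header: size of this bin
        cell = pos + 32  # cells follow the 32-byte hive bin header
        while cell < pos + hbin_size:
            size = struct.unpack_from("<i", hive, BASE_BLOCK_SIZE + cell)[0]  # negative = allocated cell
            if size == 0 or size % 8:  # corrupt bin: stop instead of looping forever
                break
            sig = hive[BASE_BLOCK_SIZE + cell + 4:BASE_BLOCK_SIZE + cell + 6]
            yield cell, abs(size), size < 0, sig if sig in SIGNATURES else b"??"
            cell += abs(size)
        pos += hbin_size

def referenced_cells(hive):  # offsets of every cell reachable from the root key node
    seen, todo = set(), [(struct.unpack_from("<I", hive, 36)[0], "nk")]  # base block -> root key node
    while todo:
        off, kind = todo.pop()
        if off == 0xFFFFFFFF or off in seen:
            continue
        seen.add(off)
        d = BASE_BLOCK_SIZE + off + 4  # cell data starts after the 4-byte size field
        if kind == "nk":
            nsub, sub_list, nval, val_list = struct.unpack_from("<I4xI4xII", hive, d + 20)
            todo.append((struct.unpack_from("<I", hive, d + 44)[0], "sk"))  # key security cell
            todo += [(sub_list, "subkeys")] * (nsub > 0) + [(val_list, nval)] * (nval > 0)
        elif kind == "subkeys":
            sig, count = hive[d:d + 2], struct.unpack_from("<H", hive, d + 2)[0]
            stride = 8 if sig in (b"lf", b"lh") else 4  # lf/lh elements also carry a name hash
            for i in range(count):  # ri elements point to other lists, the rest point to key nodes
                elem = struct.unpack_from("<I", hive, d + 4 + i * stride)[0]
                todo.append((elem, "subkeys" if sig == b"ri" else "nk"))
        elif kind == "vk":
            data_size, data_off = struct.unpack_from("<II", hive, d + 4)
            if data_size and not data_size & 0x80000000:  # high bit set = data stored inline
                todo.append((data_off, "data"))
        elif isinstance(kind, int):  # a values list has no signature, so 'kind' carries its length
            todo += [(struct.unpack_from("<I", hive, d + 4 * i)[0], "vk") for i in range(kind)]
    return seen

def deleted_candidates(hive):  # cells with deleted data = all cells - referenced cells
    refs = referenced_cells(hive)
    return [c for c in walk_cells(hive) if c[0] not in refs]
def nk_name(hive, off):  # key name stored in the nk record at a relative cell offset
    d = BASE_BLOCK_SIZE + off + 4
    return hive[d + 76:d + 76 + struct.unpack_from("<H", hive, d + 72)[0]]

# Constructed sample (not a real file): one 4096-byte hive bin behind a minimal base block.
def _cell(payload, size, allocated):
    return struct.pack("<i", -size if allocated else size) + payload.ljust(size - 4, b"\0")
def _nk(name, nsub, sub_list, nval, val_list):  # security and class name offsets are -1 (none)
    return (b"nk" + struct.pack("<H8xIIIIIIIIII", 0x20, 0, 0, nsub, 0, sub_list, 0xFFFFFFFF, nval,
            val_list, 0xFFFFFFFF, 0xFFFFFFFF) + bytes(20) + struct.pack("<HH", len(name), 0) + name)
def build_sample_hive():
    cells = [
        (_nk(b"ROOT", 1, 0x80, 0, 0xFFFFFFFF), 0x60, True),          # 0x020 root key node
        (b"lf" + struct.pack("<HII", 1, 0x90, 0), 0x10, True),        # 0x080 subkeys list -> 0x90
        (_nk(b"NewName", 0, 0xFFFFFFFF, 1, 0x150), 0x60, True),       # 0x090 current key node
        (_nk(b"OldName", 0, 0xFFFFFFFF, 0, 0xFFFFFFFF), 0x60, True),  # 0x0F0 stale node left by a rename
        (struct.pack("<I", 0x158), 0x8, True),                        # 0x150 values list -> 0x158
        (b"vk" + struct.pack("<HIIIHH", 3, 0x80000004, 1, 4, 1, 0) + b"Run", 0x20, True),  # 0x158 inline DWORD
        (_nk(b"Deleted", 0, 0xFFFFFFFF, 0, 0xFFFFFFFF), 0x60, False), # 0x178 deleted key in an unallocated cell
        (b"", 0xE28, False),                                          # 0x1D8 free space to the end of the bin
    ]
    hbin = (b"hbin" + struct.pack("<II", 0, 0x1000)).ljust(32, b"\0") + b"".join(_cell(*c) for c in cells)
    base = b"regf" + struct.pack("<IIQIIIIIII", 1, 1, 0, 1, 5, 0, 1, 0x20, 0x1000, 1)  # root cell 0x20, bins 0x1000
    return base.ljust(BASE_BLOCK_SIZE, b"\0") + hbin
```

On the sample, the stale "OldName" node is reported although its cell is still allocated, which is exactly the case the plain allocated/unallocated split misses.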
Deleted data (NT family)
Also, deleted records (entities) can be found in:
• Remnant data at the end of a primary file.
• Slack space of allocated and referenced records (especially in cells with subkeys/values lists).
• Transaction log files (old log entries, remnant data, gaps).
Distribution of recoverable deleted keys and values in primary files:
• Unallocated cells: 97.9%
• Remnant data at the end of a file: 0.6%
• Slack space in allocated and referenced cells: 1.5%
• Allocated but unreferenced cells: 0% (only 1 key was found; preallocated space)
Caveats
• Most registry viewers ignore data in transaction log files.
  - Registry Explorer, Windows Registry Recovery, Registry Recon, libregf, reglookup.
  - The latest changes to registry keys and values (made in Windows 8.1 and later versions of Windows) may be invisible to such tools.
  - Malicious programs can hide data from offline registry viewers by manipulating the CmpFailPrimarySave kernel variable (modified keys and values will be stored outside of a primary file).
Example: a laptop with a USB cellular modem, building the timeline for the Software hive, looking for timestamps related to the activity of the modem.
With transaction log files: 13 different key modification timestamps were found for a single registry key.
Without transaction log files: 1 timestamp for that key.
Caveats
• Offline registry libraries in antivirus software ignore transaction log files too.
  - Kaspersky Rescue Disk 10 (based on Linux) will delete malicious keys/values from a primary file only, without applying dirty data from a transaction log file.
  - When running Windows 8.1 and later versions of Windows, it is possible to create a malicious autorun entry that will not be deleted when performing an antivirus scan from Kaspersky Rescue Disk 10.
  - The same is also possible with older versions of Windows by exploiting the CmpFailPrimarySave kernel variable.
Caveats
• When recovering deleted data from primary files, many tools skip the slack space of allocated records (entities).
• 1.5% of recoverable keys and values are not recovered!
[Diagram: a cell with a subkeys list: cell size, signature, number of elements, offset, offset, offset, offset, offset; the offsets beyond the number of elements are slack space]
Caveats
• Treating the registry as a typical file system is dangerous too!
  - A subkey and a value of a single key can share the same name.
  - A name of a key or a value could be “.” or “..”.
  - Also: null byte, “/”, and “\”.
GRR: a value shadows a key with the same name
Yet another registry parser (yarp)
https://github.com/msuhanov/yarp/
(library & tools, Python 3)
- Parse Windows registry files in a proper way (with forensics in mind).
- Expose values of all fields of underlying registry structures.
- Support for truncated registry files and registry fragments.
- Support for recovering deleted keys and values.
- Support for carving of registry hives.
- Support for transaction log files.