Wednesday, July 24, 2024
EHA

Windows Registry Analysis – Tracking Every Activity That You Do on the Windows System

The purpose of this article is to provide you with a depth understanding of the Windows Registry and the Wealth of information it holds.

Today most administrators and forensic analysts, the registry probably looks like the entrance to a dark.

Besides Configuration information, the Windows Registry holds information regarding recently accessed files and considerable information about user activities.

The truth is that the Registry is a veritable goldmine of information for both the administrator and forensics investigator.

What is the Registry?

If you remember back to DOS and early versions of Windows(3.1,3.11 and so on ), configuration information (drivers, settings) for the system was largely managed by several files-specifically, autoexec.bat, config.sys, win.ini (on Windows), and system.ini.

Various settings within these files determined what programs were loaded and how the system looked and responded to user input, Later versions of Windows replaced these files with the Registry, a central hierarchical database that maintains configuration settings for the application, hardware devices, and users.

How Windows Registry Structure Looks!

When the administrator or Forensics expects to open Regedit.exe, he sees a tree-like structure with five root folders, or “hives”.

  • HKEY_CLASSES_ROOT hive contains configuration information relating to which application is used to open various files on the system.
  • HKEY_CURRENT_USER hive is the active, loaded user profile for the currently logged-on-user.
  • HKEY_LOCAL_MACHINE hive contains vast configuration information for the system, including hardware settings and software settings.
  • HKEY_USERS hive contains all the actively loaded user profiles for that system.
  • HKEY_CURRENT_CONFIG hive contains the hardware profile the system uses at startup.

Registry Examination

MRU lists:

MRU, throughout or”most recently used” list, contains entries made due to specific actions performed by the user. There are numerous MRU LISs throughout various Registry keys.

The Registry maintains these lists of items in case the user returns to them in the future. It is similar to how the history and cookies act in a web browser.

The location of this key is HKEY_CURRENT_USER\software\microsoft\windows\currentversion\Explorer\RunMRU and it contains

With the information provided by the RunMRU key, an examiner can gain a better understanding of the user they are investigating and the application that is being used. In the above figure, you can see the user has opened cmd, Notepad, MSPaint, etc.

USB Devices:

Anytime a device is connected to the Universal Serial Bus (USB), Drivers are queried and the device’s information is stored in the Registry(Thumb Drives).

This key stores the contents of the product and device ID values of any USB devices that have ever been connected to the system.

So forensics experts will drill down to the path HKEY_LOCAL_MACHINE\SYSTEM\controlset001\Enum\USBSTOR.

Internet Explorer:

Internet Explorer is the native Web browser in the Windows operating system. It utilizes the Registry extensively in the storage of data, like many applications.

Internet Explorer stores its data in the HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs.

Attached Hardware:

Navigating to the following key HKEY_LOCAL_MACHINE\SYSTEM|MountedDevices.This information can be useful to a forensic examiner as it shows any connected storage device has been recognized by the operating system.

If the examiner notes a discrepancy between the physically attached devices and the ones reported here, it can be an indication that some device was removed prior to the evidence being seized.

Malicious Software:

Navigating to this following key HKEY_CURRENT_USER\Software\  this information will be juicy stuff for Forensics Examiner as it could see the hacker used CyberGhost Vpn which is used for being anonymous.

Recent Applications:

Navigating to this following key will give information for the last accessed applications list HKEY_CURRENT_USER\SOFTWARE\Microsoft\Currentversion\Search\RecentApps.

This user has a vast list of applications, one of which was Vmworkstation found.

Crucial information can be obtained by performing an efficient and effective forensic examination.

So you can investigate to find ongoing malicious Activities in your Environment. Happy Investigating !!!!!

You can follow us on LinkedinTwitter, and Facebook for daily Cybersecurity updates also you can take the Best Cybersecurity course online to keep yourself updated.

Also, Read

Website

Latest articles

ShadowRoot Ransomware Attacking Organizations With Weaponized PDF Documents

A rudimentary ransomware targets Turkish businesses through phishing emails with ".ru" domain sender addresses....

BreachForumsV1 Database Leaked: Private messages, Emails & IP Exposed

BreachForumsV1, a notorious online platform for facilitating illegal activities, has reportedly suffered a massive...

250 Million Hamster Kombat Players Targeted Via Android And Windows Malware

Despite having simple gameplay, the new Telegram clicker game Hamster Kombat has become very...

Beware Of Malicious Python Packages That Steal Users Sensitive Data

Malicious Python packages uploaded by "dsfsdfds" to PyPI infiltrated user systems by exfiltrating sensitive...

Chinese Hackers Using Shared Framework To Create Multi-Platform Malware

Shared frameworks are often prone to hackers' abuses as they have been built into...

BlueStacks Emulator For Windows Flaw Exposes Millions Of Gamers To Attack

A significant vulnerability was discovered in BlueStacks, the world's fastest Android emulator and cloud...

Google Chrome 127 Released with a fix for 24 Security Vulnerabilities

Google has unveiled the latest version of its Chrome browser, Chrome 127, which is...

Free Webinar

Low Rate DDoS Attack

9 of 10 sites on the AppTrana network have faced a DDoS attack in the last 30 days.
Some DDoS attacks could readily be blocked by rate-limiting, IP reputation checks and other basic mitigation methods.
More than 50% of the DDoS attacks are employing botnets to send slow DDoS attacks where millions of IPs are being employed to send one or two requests per minute..
Key takeaways include:

  • The mechanics of a low-DDoS attack
  • Fundamentals of behavioural AI and rate-limiting
  • Surgical mitigation actions to minimize false positives
  • Role of managed services in DDoS monitoring

Related Articles