Forensic Analysis of the Windows Registry

Discussion in 'Lounge' started by Introninja, May 7, 2014.

    Abstract
    The Windows registry contains a wealth of information that is of potential evidential value, or that helps forensic
    examiners with other aspects of a forensic analysis. This paper discusses the basics of the Windows XP registry and
    its structure, data hiding techniques in the registry, and an analysis of potential Windows XP registry entries that
    are of forensic value.

    Keywords:
    Windows registry, forensic analysis, data hiding

    INTRODUCTION
    Windows 9x/ME, Windows CE and Windows NT/2000/XP/2003 store configuration data in the registry. It is a central
    repository for configuration data, stored in a hierarchical manner. The system, users, applications and hardware
    in Windows make use of the registry to store their configuration, and it is constantly accessed for reference during
    their operation. The registry was introduced to replace most of the text-based configuration files used in Windows
    3.x and MS-DOS, such as .ini files, autoexec.bat and config.sys. Due to the vast amount of information stored in the
    Windows registry, it can be an excellent source of potential evidential data. For instance, the Windows registry
    contains information on user accounts, typed URLs, network shares, and Run command history. Aspects discussed in
    this paper are based solely on the Windows XP (Service Pack 2) registry.


    REGISTRY STRUCTURE
    Figure 1 shows the logical view of the Windows registry from Registry Editor (the Windows default registry editor).
    Each folder in the left key pane is a registry key. The right pane shows the key's values. Subkey is used to describe
    the relationship between a key and the keys nested below it. Branch refers to a key and all its subkeys. Windows uses
    symbolic links (similar to a file system's shortcuts) to link a key to a different path, which allows the same key
    and its values to appear at two different paths (Russinovich, 1999).

    There are 5 root keys (i.e. starting points) in the Windows registry. Table 1 shows the root keys and the
    abbreviations normally used.

    Name                  Abbreviation
    HKEY_CLASSES_ROOT     HKCR
    HKEY_CURRENT_USER     HKCU
    HKEY_LOCAL_MACHINE    HKLM
    HKEY_USERS            HKU
    HKEY_CURRENT_CONFIG   HKCC

    Table 1: Root Keys
    Value
    Each key has one or more values. There are 3 parts in a value, which are Name, Type and Data, as shown in Table 2.

    Value Part   Description
    Name         Every value has a unique name within that particular key.
    Type         The value's type determines the type of data the value contains. Common value types in the
                 registry are, for instance: REG_BINARY, which contains binary data; REG_DWORD, which contains
                 double-word (32-bit) data; and REG_SZ, which contains fixed-length string data.
    Data         The value's data contains data that usually relates to the value's type.

    Table 2: Value Parts
    When an application reads a value's data in REG_BINARY from the registry, the application decides how to decode
    the value. Applications can store data in binary (using the REG_BINARY type) using their own data structures, hence
    only the application knows how to interpret it. For instance, interpreting REG_BINARY data as 8-bit ASCII or as
    16-bit Unicode could result in two different values. This technique could be used to hide data, or at least to
    confuse the forensic examiner. Alternatively, some applications store REG_SZ and REG_DWORD data in a REG_BINARY
    value, and decoding and finding them can be difficult (Honeycutt, 2003, p. 25). An offender can use this technique
    to hide data. Programs can use four-byte REG_BINARY and REG_DWORD values (32-bit) interchangeably. Since Intel
    x86-based systems use a little-endian architecture, REG_BINARY 0x01 0x02 0x03 0x04 is equivalent to REG_DWORD
    0x04030201.
    Regardless of a value's type, the registry actually stores all values in binary format in the actual file. Since
    all values are stored alongside their corresponding type, the Registry Editor can interpret the value's data
    correctly (Honeycutt, 2003, p. 25).

    REGISTRY ROOT KEYS ORGANIZATION
    HKLM and HKU are the only root keys that Windows physically stores in files. HKCU is a symbolic link to a
    subkey in HKU. HKCR and HKCC are symbolic links to subkeys in HKLM. Below are brief descriptions of each of the
    5 root keys (Honeycutt, 2003, p. 26).
    HKEY_USERS
    HKU contains per-user (user-specific) information. HKU contains at least these 3 subkeys:
    - .DEFAULT
    - SID, where SID is the security identifier of the console user (the user currently using the keyboard).
    - SID_CLASSES, which contains per-user class registrations and file associations.
    HKU has other well-known SIDs in Windows XP:
    - S-1-5-18 refers to the LocalSystem account.
    - S-1-5-19 refers to the LocalService account. It is used to run local services that do not require the
      LocalSystem account.
    - S-1-5-20 refers to the NetworkService account. It is used to run network services that do not require the
      LocalSystem account.

    Any other subkeys in HKU are associated with secondary users. Windows XP has a feature called Secondary Logon,
    which allows a user to run a program as a different user, usually with elevated privileges. Thus, a user can log on
    to a limited account for daily routines and use elevated privileges for occasional administrative tasks. The
    secondary user's SID (usually an administrative account SID) will only be present among the HKU subkeys if the user
    performs a secondary logon during the user's session. If an offender performs a secondary logon to any other
    account, the secondary user subkey will exist in HKU until the secondary user logs off, or the program running with
    elevated privileges is closed.

    HKEY_CURRENT_USER
    HKCU contains the computer user's per-user settings. HKCU is actually a symbolic link to HKU\SID, the current
    console user's SID (Russinovich, 1997). This branch contains information on environment variables, desktop
    settings, mapped network drive settings, and application settings. Table 3 briefly describes some HKCU subkeys
    that are of potential forensic value (Honeycutt, 2003, p. 28).

    Subkey                 Description
    Environment            Each subkey corresponds to an environment variable the user has set.
    Identities             Each Identities subkey corresponds to an identity in Microsoft Outlook Express. Outlook
                           Express allows multiple identities (users) to use a single mail client. However, since
                           Windows XP supports multiple user profiles, users rarely have to share their mail client.
    Network                Each Network subkey corresponds to a mapped drive Windows connects during user logon. The
                           subkey name is the drive letter to which the network drive is mapped. The subkey contains
                           the configuration used to connect the network drive.
    Software               Contains user-specific application settings. Programs store their settings in a standard
                           way, HKCU\Software\Vendor\Program\Version\. Vendor is the program's publisher; Program is
                           the program's name; and Version is the program's version.
    Volatile Environment   Contains environment variables that are defined when the user logs on to Windows XP.

    Table 3: Partial HKCU Subkeys

    HKEY_LOCAL_MACHINE
    HKLM contains per-computer (computer-specific) settings, which apply to all users logging into that particular
    computer. Table 4 shows all HKLM subkeys (Honeycutt, 2003, p. 29).

    Subkey      Description
    HARDWARE    Stores information regarding the hardware Windows XP detects during startup. The subkeys are
                dynamically created during system startup. They include information on device drivers and
                associated resources.
    SAM         The Security Accounts Manager (SAM) is a local security database which contains local user and
                group information. An ACL prevents the Administrator from viewing this subkey.
    SECURITY    Contains the Windows local security database in the SAM subkey. An ACL prevents the Administrator
                from viewing this subkey.
    SOFTWARE    Stores per-computer application settings. Programs store their settings in the standard form
                HKLM\Software\Vendor\Program\Version.
    SYSTEM      Contains the control sets, which hold device driver and service configurations.
                HKLM\SYSTEM\CurrentControlSet is a symbolic link to ControlSetXXX, and the key
                HKLM\SYSTEM\Select indicates which ControlSetXXX is in use.

    Table 4: HKLM Subkeys

    HKEY_CLASSES_ROOT
    HKCR contains two types of per-user settings: file associations, and class registrations for Component Object
    Model (COM) objects. File associations describe the file types and the associated programs that open and edit them.
    HKCR consumes most of the space in the registry (Russinovich, 1997). Windows merges two keys,
    HKLM\SOFTWARE\Classes (which contains default file associations and class registrations) and
    HKCU\Software\Classes (which contains per-user file associations and class registrations), to obtain HKCR. In
    fact, HKCU\Software\Classes is a link to HKU\SID_Classes. By merging the two keys, a program can register
    per-computer and per-user file associations and program classes (Honeycutt, 2003, p. 29).

    HKEY_CURRENT_CONFIG
    HKCC is a symbolic link to the current hardware profile configuration subkey,
    HKLM\SYSTEM\CurrentControlSet\Hardware Profiles\Current. Current is in turn a link to the key
    HKLM\SYSTEM\CurrentControlSet\Hardware Profiles\XXXX (Honeycutt, 2003, p. 30).


    REGISTRY HIVES
    Registry Editor only shows the logical structure of the registry. Physically, the registry is not stored in a
    single file on the hard drive. Windows stores the registry in a few separate binary files called hives (Microsoft,
    2005a). For each hive file, Windows creates additional supporting files that contain a backup copy of the
    respective hive, used to restore the hive after a failed system boot. Only HKLM and HKU have corresponding hives
    (since the rest are symbolic links). However, none of the 5 root keys is directly associated with a hive file.
    Table 5 shows registry paths and their corresponding hives on disk. All hives in HKLM are stored
    in %SYSTEMROOT%\System32\config\ (%SYSTEMROOT% usually refers to C:\WINDOWS).
    HKLM\HARDWARE is a dynamic hive that is created each time the system boots; it is created and managed entirely in
    memory (Russinovich, 1999). The HKU\.DEFAULT hive file corresponds to %SYSTEMROOT%\System32\config\default. The
    HKU\SID hive file is stored in the user's home directory as %USERPROFILE%\NTUSER.DAT, while the HKU\SID_CLASSES
    hive file corresponds to %USERPROFILE%\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat. Table 6
    describes the actual hive files and the supporting files' extensions (Honeycutt, 2003, p. 31).

    Registry Path      Hive and Supporting Files
    HKLM\SAM           SAM, SAM.LOG
    HKLM\SECURITY      SECURITY, SECURITY.LOG
    HKLM\SOFTWARE      software, software.LOG, software.sav
    HKLM\SYSTEM        system, system.LOG, system.sav
    HKLM\HARDWARE      (Dynamic/Volatile Hive)
    HKU\.DEFAULT       default, default.LOG, default.sav
    HKU\SID            NTUSER.DAT
    HKU\SID_CLASSES    UsrClass.dat, UsrClass.dat.LOG

    Table 5: Registry Hives

    File Extension   Description
    No extension     Actual hive file
    .alt extension   Backup copy of the hive, used in Windows 2000, not XP
    .log extension   Transaction log of changes to a hive
    .sav extension   Backup copy of the hive created at the end of the text-mode (console) phase of Windows XP setup

    Table 6: Hive File Extensions



    REGISTRY LASTWRITE TIME
    Every registry key has a value called the "LastWrite" time, which is similar to a file's last modification time.
    In fact, this value is a FILETIME structure, the same structure used for a file's MAC (Modified, Accessed,
    Created) times (Tan, 2001). The FILETIME structure is a 64-bit value representing the number of 100-nanosecond
    intervals since January 1, 1601 UTC (MSDN, 2005c). However, an investigator can only obtain the LastWrite time of
    a registry key, not of a registry value. The LastWrite time is updated whenever a registry value in the key is
    created, modified or deleted. A tool such as Keytime.exe (Carvey, 2005a) allows the examiner to retrieve the
    LastWrite time of a specific key. Knowing the time at which a key was modified or created allows the forensic
    investigator to infer the approximate time an event or activity occurred. For instance, if a suspicious registry
    value is found in the registry's Run key, the investigator can query the LastWrite time of the key and compare it
    to the MAC times of the file to which the registry value points. If the key's LastWrite time matches a MAC time of
    the file to which the registry value points, the investigator will know the time the registry value was created.
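Added example (not part of the paper): Python that decodes a FILETIME exactly as described above and compares a key's LastWrite time with a file's MAC times. All sample values are constructed, and the 2-second matching tolerance is my own choice.

```python
from datetime import datetime, timedelta, timezone

# FILETIME epoch is 1601-01-01 00:00:00 UTC; one tick is 100 nanoseconds.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Ticks between the FILETIME epoch and the Unix epoch (1970-01-01 UTC):
# 11644473600 seconds * 10,000,000 ticks per second.
UNIX_EPOCH_TICKS = 116444736000000000


def filetime_from_bytes(raw: bytes) -> int:
    """Decode the 8-byte little-endian FILETIME as it is stored in a hive."""
    if len(raw) != 8:
        raise ValueError("FILETIME is exactly 8 bytes")
    return int.from_bytes(raw, "little")


def filetime_to_datetime(ticks: int) -> datetime:
    """Convert 100-ns ticks since 1601-01-01 UTC into a timezone-aware datetime.
    timedelta has microsecond resolution, so the sub-microsecond digit is dropped."""
    if not 0 <= ticks < 2**64:
        raise ValueError("FILETIME must be an unsigned 64-bit integer")
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def filetime_to_iso(ticks: int) -> str:
    """Human-readable UTC timestamp for a report."""
    return filetime_to_datetime(ticks).isoformat()


def correlate_lastwrite(key_lastwrite: int, file_mac: dict, tolerance_s: float = 2.0) -> list:
    """Return the names of the file timestamps (e.g. 'modified') that fall within
    tolerance_s seconds of the key's LastWrite time. A match suggests the value
    pointing at the file was written at the same time as the file itself."""
    key_dt = filetime_to_datetime(key_lastwrite)
    hits = []
    for name, ticks in file_mac.items():
        delta = abs((filetime_to_datetime(ticks) - key_dt).total_seconds())
        if delta <= tolerance_s:
            hits.append(name)
    return hits


# Constructed sample: the Unix epoch expressed as a FILETIME, 0x019DB1DED53E8000,
# written out little-endian as a hive would store it.
SAMPLE_RAW = bytes.fromhex("00803ed5deb19d01")

# Constructed scenario: a Run key written at 2009-02-13 23:31:30 UTC. The file it
# points at was modified one second later, accessed an hour later and created five
# seconds earlier, so only 'modified' falls inside the 2-second window.
KEY_LASTWRITE = UNIX_EPOCH_TICKS + 1234567890 * 10_000_000
SAMPLE_MAC = {
    "modified": KEY_LASTWRITE + 1 * 10_000_000,
    "accessed": KEY_LASTWRITE + 3600 * 10_000_000,
    "created": KEY_LASTWRITE - 5 * 10_000_000,
}

if __name__ == "__main__":
    print("LastWrite:", filetime_to_iso(KEY_LASTWRITE))
    print("matches  :", correlate_lastwrite(KEY_LASTWRITE, SAMPLE_MAC))
```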


    DATA HIDING IN REGISTRY
    A suspect can hide all sorts of data, including passwords, text information, and binary files, in the registry. A
    suspect can effectively hide data in registry keys' value entries. By using different encoding techniques, a
    suspect could obfuscate or hide data from the forensic examiner. Furthermore, Registry Editor has an
    implementation flaw that allows a suspect to hide data.

    Registry Keys' Values
    Since registry values support a binary data type, a suspect can store segments of a program, or the entire binary,
    in the registry. These segments can be placed in several dispersed keys. Unless the forensic examiner knows the
    relevant keywords to search for in the registry, finding hidden data among tens of thousands of registry keys can
    be a tedious task.

    An example of a place to hide data is the time zone information key,
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\TimeZoneInformation (Carvey, 2004). This key contains time
    zone information, including the difference in minutes between UTC and local time, and reference information for
    daylight saving time. Windows reads this registry key into a TIME_ZONE_INFORMATION structure during system startup.

    There are two strings in the TIME_ZONE_INFORMATION structure, StandardName and DaylightName, both of which can
    legally be empty strings (MSDN, 2005b). Any information written to them using the SetTimeZoneInformation()
    function is returned unchanged by the GetTimeZoneInformation() function (MSDN, 2005a). Since Windows does not make
    use of these registry values, which are nested somewhere in the registry and are merely used for storing string
    information, a suspect can effectively hide information such as passwords or passphrases in them. The suspect
    merely modifies the registry values StandardName and DaylightName manually using Registry Editor to store the
    information, and can retrieve it with a piece of benign-looking code that calls the GetTimeZoneInformation()
    function exported by Windows' kernel32.dll, without raising much suspicion (Carvey, 2004).

    Different Encoding
    A suspect may store text-based information using the value type REG_BINARY. This technique, however, does not hide
    the data, as tools like hex editors automatically interpret binary data into a readable format (usually ASCII).
    Using a different encoding to store the data, such as Unicode instead of ASCII, does not improve stealthiness if
    the suspect only uses common English characters. For instance, the ANSI ASCII encoding of "pass" is 0x70 0x61 0x73
    0x73, while the Unicode (16-bit) encoding translates into 0x70 0x00 0x61 0x00 0x73 0x00 0x73 0x00 (Windows stores
    16-bit characters in little-endian format). An examiner could easily find the word "pass" using tools that feature
    text searching in different encodings. The suspect may substitute the 0x00 bytes with random binary values to
    improve stealthiness. However, the forensic examiner could still analyse the suspicious text at different
    intervals (e.g. even or odd character positions) and derive possibly meaningful information from the incident
    context.
    A better way to hide data is to encode text-based information into binary form in hexadecimal notation and store
    that form in a registry value as a string of type REG_SZ. For instance, the string 70 61 73 73 (the hexadecimal
    notation for "pass" in ASCII) would be stored in the REG_SZ registry value. Thus, only the suspect knows how to
    decode it. However, this technique requires a simple piece of code to encode the text before storing it in the
    registry, and to decode the binary data to its readable form when retrieving it. It is non-trivial for the
    forensic examiner to find such hidden data, as the binary data (encoded text in hexadecimal form) is stored as-is
    in the registry, and binary data is common in the registry.
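Added example (not from the paper) covering the encodings discussed in this section and the little-endian REG_BINARY/REG_DWORD equivalence from the Value section: an examiner-side decoder that tries ASCII, UTF-16LE and even/odd byte positions on a REG_BINARY blob, and recognises a REG_SZ that holds text in hexadecimal notation. The sample blobs are constructed.

```python
import re

PRINTABLE = range(0x20, 0x7F)


def is_printable_ascii(data: bytes) -> bool:
    return len(data) > 0 and all(b in PRINTABLE for b in data)


def reg_binary_as_dword(raw: bytes) -> int:
    """A four-byte REG_BINARY read the way REG_DWORD is read: little-endian."""
    if len(raw) != 4:
        raise ValueError("a DWORD is exactly 4 bytes")
    return int.from_bytes(raw, "little")


def decode_candidates(raw: bytes) -> dict:
    """Try the readings an examiner applies to a REG_BINARY blob: 8-bit ASCII,
    16-bit little-endian Unicode, and the even/odd byte positions (the latter
    recovers text whose 0x00 high bytes were replaced with random values)."""
    found = {}
    if is_printable_ascii(raw):
        found["ascii"] = raw.decode("ascii")
    if raw and len(raw) % 2 == 0:
        try:
            text = raw.decode("utf-16-le")
            if text.isprintable():
                found["utf16le"] = text
        except UnicodeDecodeError:
            pass
    for label, start in (("even", 0), ("odd", 1)):
        stride = raw[start::2]
        if len(stride) >= 3 and is_printable_ascii(stride):
            found["stride_" + label] = stride.decode("ascii")
    return found


HEX_TEXT = re.compile(r"^(?:[0-9A-Fa-f]{2}[\s:-]*)+$")


def decode_hex_string(value: str):
    """A REG_SZ that is nothing but hex pairs ('70 61 73 73') may be encoded text.
    Return the decoded text when every byte is printable ASCII, otherwise None."""
    stripped = value.strip()
    if not stripped or not HEX_TEXT.match(stripped):
        return None
    raw = bytes.fromhex(re.sub(r"[\s:-]", "", stripped))
    return raw.decode("ascii") if is_printable_ascii(raw) else None


# Constructed samples matching the encodings discussed above.
SAMPLE_ASCII = b"pass"
SAMPLE_UTF16 = b"p\x00a\x00s\x00s\x00"
SAMPLE_JUNKED = b"p\x9fa\x11s\xc3s\x07"      # 0x00 high bytes replaced with random values
SAMPLE_HEX_SZ = "70 61 73 73"

if __name__ == "__main__":
    for name, blob in (("ascii", SAMPLE_ASCII), ("utf16", SAMPLE_UTF16), ("junked", SAMPLE_JUNKED)):
        print(name, decode_candidates(blob))
    print("hex REG_SZ ->", decode_hex_string(SAMPLE_HEX_SZ))
```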

    Registry Editor Implementation Flaw
    The Windows 2000 and XP Registry Editors (regedit.exe or regedt32.exe) have an implementation flaw that allows
    registry information to be hidden from viewing and editing, regardless of the user's access privileges (Secunia,
    2005). The flaw involves any registry value with a name from 256 to 259 (the maximum value name length) characters
    long. The overly long registry value (regardless of type) not only hides its own presence, but also any
    subsequently created values (regardless of type) in the same key (Franchuk, 2005). The editor stops displaying
    the remaining values, treating the overly long value as the last value in that key. A suspect could exploit this
    Registry Editor flaw to hide information.

    This vulnerability allows malware to hide malicious code in "autorun" entries such as the infamous
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run. Any program or component specified in this key
    will be run automatically during system startup. Windows will still execute these hidden entries successfully at
    startup (Wesemann, 2005).

    Some common malware scanners are not able to detect such maliciously crafted registry values (Gregg, 2005).
    Fortunately, the Windows console registry tool (reg.exe) can display overly long registry values. For instance, to
    detect values in the registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Run, the command is
    reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run.
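Added example (not from the paper): a small parser for the output of the reg query command above that reports the values Registry Editor would fail to show, i.e. the first value name of 256 characters or more and everything listed after it. The sample output is constructed in the shape reg.exe prints (whitespace-separated name, type and data); the value names and paths in it are invented.

```python
import re

# Value types as reg query prints them.
REG_TYPES = ("REG_SZ", "REG_EXPAND_SZ", "REG_BINARY", "REG_DWORD", "REG_MULTI_SZ",
             "REG_QWORD", "REG_NONE", "REG_LINK")
# Registry Editor stops listing values once it meets a name of 256 characters or
# more (the paper gives the problematic range as 256 to 259).
MAX_VISIBLE_NAME = 255

LINE_RE = re.compile(
    r"^\s+(?P<name>.+?)\s+(?P<type>" + "|".join(REG_TYPES) + r")\b\s*(?P<data>.*)$"
)


def parse_reg_query(output: str) -> list:
    """Parse 'reg query <key>' output into (name, type, data) tuples.
    Banner, key path and blank lines do not match the value-line pattern and are skipped."""
    values = []
    for line in output.splitlines():
        m = LINE_RE.match(line.rstrip())
        if m:
            values.append((m.group("name"), m.group("type"), m.group("data")))
    return values


def find_hidden_values(output: str) -> list:
    """Return the values Registry Editor would not display: the first overly long
    name and every value listed after it in the same key."""
    values = parse_reg_query(output)
    for index, (name, _, _) in enumerate(values):
        if len(name) > MAX_VISIBLE_NAME:
            return values[index:]
    return []


# Constructed sample: a Run key with one ordinary value, one value whose name is
# 256 'A' characters, and a value created after it.
LONG_NAME = "A" * 256
SAMPLE_OUTPUT = "\n".join([
    "! REG.EXE VERSION 3.0",
    "",
    "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
    "    ctfmon.exe\tREG_SZ\tC:\\WINDOWS\\system32\\ctfmon.exe",
    "    " + LONG_NAME + "\tREG_SZ\tC:\\example\\hidden.exe",
    "    updater\tREG_SZ\tC:\\example\\also_hidden.exe",
    "",
])

if __name__ == "__main__":
    for name, vtype, data in find_hidden_values(SAMPLE_OUTPUT):
        print(f"hidden from regedit: {name[:20]}... ({len(name)} chars) {vtype} {data}")
```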

    REGISTRY KEYS OF FORENSIC VALUE
    The following section highlights some of the important registry keys in Windows XP (Service Pack 2) and how
    they can help describe a suspect's activities on the computer.

    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU

    MRU is the abbreviation for most-recently-used. This key maintains a list of files recently opened or saved via
    typical Windows Explorer-style common dialog boxes (i.e. the Open and Save dialog boxes) (Microsoft, 2002). For
    instance, files (e.g. .txt, .pdf, .htm, .jpg) that are recently opened or saved from within a web browser
    (including IE and Firefox) are recorded. However, documents that are opened or saved via Microsoft Office
    programs are not recorded. The subkey * contains the full file paths of the 10 most recently opened/saved files.
    Other subkeys in OpenSaveMRU contain far more entries related to previously opened or saved files (including the
    10 most recent ones), grouped according to file extension.

    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU

    This key correlates with the previous OpenSaveMRU key to provide extra information. Whenever a new entry is
    added to the OpenSaveMRU key, a registry value is created or updated in this key. Each binary registry
    value under this key contains a recently used program's executable filename, and the folder path of a file which
    the program has been used to open or save. If a file is saved, the folder path refers to the saved file's
    destination path; if a file is opened, the folder path refers to the file's source path. A new registry value is
    only created in this key if no existing registry value contains the program's executable filename. If there is a
    matching executable filename in an existing value, only the folder path section of that registry value is updated.

    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs

    This key also maintains a list of files recently executed or opened through Windows Explorer. This key corresponds
    to %USERPROFILE%\Recent (My Recent Documents). The key lists local or network files that were recently opened;
    only the filename, in binary form, is stored. It has a similar grouping to the previous OpenSaveMRU key: opened
    files are organized according to file extension under respective subkeys. In addition, the subkey Folder contains
    the folders (without drive letter and parent folder) of the recently opened files. The subkey NetHood, which
    corresponds to %USERPROFILE%\NetHood, contains only the LAN shared folder paths (server and folder name) from
    which files were opened. However, deleting this RecentDocs key does not remove the contents of the two folders
    %USERPROFILE%\Recent and %USERPROFILE%\NetHood (Honeycutt, 2003, p. 102).

    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU

    This key maintains a list of entries (e.g. full file paths or commands like cmd, regedit, compmgmt.msc) executed
    via Start>Run, as shown in Figure 2. The MRUList value maintains a list of letters which refer to the respective
    values. The letters are arranged according to the order in which the entries were added. In Figure 2,
    "services.msc", which correlates to "g", is the most recently added entry, while "taskmgr" is the earliest.
    However, the most recently added entry does not imply the most recently used command, as the suspect may have
    re-executed previous commands: Windows does not modify the key's LastWrite time or MRUList if there is an
    existing entry in the key. If a file is executed via the Run command, it leaves traces in the previous two keys,
    OpenSaveMRU and RecentDocs. Deleting the subkeys in RunMRU does not remove the history list in the Run command
    box immediately. However, when either the Start>Log Off or Turn Off Computer button is clicked (without actually
    logging off or shutting down), the respective entries in the Run history list are then removed.

    By using the Windows "Recent Opened Documents" Clear List feature via Control Panel>Taskbar and Start Menu, a
    suspect can remove the Run command history list. In fact, executing the Clear List function removes the following
    registry keys and their subkeys:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\
    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU\
    HKCU\Software\Microsoft\Internet Explorer\TypedURLs\
    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU
    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU

    Figure 2: Content of RunMRU Key
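Added example (not from the paper): reconstructing the RunMRU history in the order described above from the MRUList letters, and flagging letters that MRUList still references but whose value is gone, which is what an individually deleted entry looks like. The sample key is constructed to resemble Figure 2; the trailing "\1" stripped from each entry is the suffix Windows itself appends to RunMRU values, not something the paper mentions.

```python
import string


def run_mru_history(values: dict) -> dict:
    """Order RunMRU entries from most to least recently added using MRUList.

    values: the key's values as read from the hive, e.g.
            {"a": "taskmgr\\1", ..., "g": "services.msc\\1", "MRUList": "gfedcba"}.
    Returns {"ordered": [...], "dangling": [...], "unlisted": [...]} where
    'dangling' letters appear in MRUList but have no value (a value was removed)
    and 'unlisted' values exist but are not referenced by MRUList."""
    mru_list = values.get("MRUList", "")
    if any(ch not in string.ascii_lowercase for ch in mru_list):
        raise ValueError("MRUList must consist of lowercase letters")
    ordered, dangling = [], []
    for letter in mru_list:                 # first letter = most recently added
        if letter in values:
            entry = values[letter]
            ordered.append(entry[:-2] if entry.endswith("\\1") else entry)
        else:
            dangling.append(letter)
    unlisted = sorted(k for k in values if k != "MRUList" and k not in mru_list)
    return {"ordered": ordered, "dangling": dangling, "unlisted": unlisted}


# Constructed sample in the shape of the key shown in Figure 2: 'g' (services.msc)
# was added last and 'a' (taskmgr) first; the value for 'd' has been deleted.
SAMPLE_RUNMRU = {
    "MRUList": "gfedcba",
    "a": "taskmgr\\1",
    "b": "cmd\\1",
    "c": "regedit\\1",
    "e": "compmgmt.msc\\1",
    "f": "C:\\Tools\\example.exe\\1",
    "g": "services.msc\\1",
}

if __name__ == "__main__":
    result = run_mru_history(SAMPLE_RUNMRU)
    for position, command in enumerate(result["ordered"], 1):
        print(f"{position}. {command}")
    print("MRUList letters without a value:", result["dangling"])
```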
    HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management

    This key maintains the Windows virtual memory (paging file) configuration. The paging file (usually
    C:\pagefile.sys) may contain evidential information that could be removed once the suspect's computer is shut
    down. This key contains a registry value called ClearPageFileAtShutdown which specifies whether Windows should
    clear the paging file when the computer shuts down. By default, Windows does not clear the paging file. However,
    a suspect may set this registry value to 1 to have the paging file cleared during system shutdown (Microsoft,
    2003). The forensic investigator should check this value before shutting down a suspect's computer during the
    evidence collection process.

    HKCU\Software\Microsoft\Search Assistant\ACMru

    This key contains recent search terms entered into the Windows default search. Subkey 5603 contains search terms
    for finding folders and filenames, while subkey 5604 contains search terms for finding words or phrases in a file.


    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

    Each subkey in this key represents a program installed on the computer. All programs listed in Control
    Panel>Add/Remove Programs correspond to one of the listed subkeys. However, there are other installed
    programs (e.g. device drivers, Windows patches) that are not listed in Add/Remove Programs. Each subkey usually
    contains these two common registry values: DisplayName (program name) and UninstallString (the file path of the
    application's uninstall component, which indirectly refers to the application's installation path). Other useful
    registry values may exist, including information on the install date, install source and application version.

    HKLM\SYSTEM\MountedDevices
    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\

    The first key contains a list of mounted devices, with the associated persistent volume name and unique internal
    identifier for the respective devices (Carvey, 2004). This key lists any volume that is mounted and assigned a
    drive letter, including USB storage devices and external DVD/CDROM drives. Among the listed registry values, a
    value whose name starts with "\DosDevices\" and ends with the associated drive letter contains information
    regarding that particular mounted device. For instance, if the binary data of the registry value "\DosDevices\F"
    begins with "\??\Storage#RemoveableMedia", it signifies that a USB removable disk was connected to the system's
    USB port. By correlating the entry with the registry key's LastWrite time, the investigator would know when the
    removable device was connected. The second key also contains information similar to the MountedDevices key,
    located under the respective device GUID (Globally Unique Identifier) subkey in the binary registry value named
    Data.

    HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR

    This key contains additional information about the list of mounted USB storage devices, including external memory
    cards. When used in conjunction with the two previous keys, this key provides evidential information. To
    illustrate the method, assume a USB thumb drive named "USB Card IntelligentStick" with serial number
    "20000101061325-00" was connected to a suspect's system. A USB storage device's unique serial number can be
    acquired via the UVCView program, under the field "iSerialNumber" (UVCView, 2005). However, not every USB thumb
    drive has a serial number (Carvey, 2005e). This key will have a subkey containing the device name, such as
    "Disk&Ven_USB_Card&Prod_IntelligentStick&Rev_1.00". Under this subkey is the device ID subkey, which contains the
    device serial number: "20000101061325-00&0". The latter subkey has a ParentIdPrefix value (data = "7&1064d032&0")
    which corresponds to a binary registry value in HKLM\System\MountedDevices, \DosDevices\F for instance. That value
    will contain binary data similar to "\??\Storage#RemoveableMedia#7&1064d032&0……". By mapping these two keys, the
    forensic examiner will know which USB device (identified by its serial number) was mounted at which drive letter.
    Apple iPod devices leave similar traces (Carvey, 2005d).
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce


    The first key usually contains the paths of programs or components that are automatically run during system
    startup without requiring user interaction. Malware usually leaves a trace in this key in order to persist across
    system reboots. The subsequent four keys may also contain suspicious entries. A similar set of 5 "Run" registry
    keys may exist under the root key HKCU, pertaining to the logged-on user's configuration (Carvey, 2004).

    HKLM\SOFTWARE\Microsoft\Command Processor
    HKCU\Software\Microsoft\Command Processor

    These keys have a registry value named AutoRun, which may contain a command that is automatically executed each
    time cmd.exe is run (Microsoft, 2005b). However, modifying this key requires administrative privileges. Malware
    exploits this feature to load itself without the user's knowledge (Symantec, 2004). A suspect could also covertly
    run a malicious program under the cover of cmd.exe by setting the AutoRun data to the executable's file path.

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

    This key has a registry value named Shell with the default data Explorer.exe. Malware such as Kwbot appends the
    malware's executable file to the default value's data, modifying it into
    Shell=Explorer.exe %system%\System32.exe to stay persistent across system reboots and logins (Symantec,
    2003). A suspect could append an executable file path to this registry value to run a program covertly, as done
    by the Trojan Watson (Symantec, 2004). Furthermore, there is another registry value in this key, named TaskMan,
    which allows the user to run an alternate task manager (Microsoft, 2005c). Though it is not created by default in
    Windows XP, a suspect can create it and point it to an executable file. Both registry values are acted on
    automatically whenever the system boots. A suspect can use these two registry values to run programs secretly.
    However, modifying this key requires administrative privileges.

    HKLM\SYSTEM\CurrentControlSet\Services\

    This key contains the list of Windows services. Each subkey represents a service and contains the service's
    information, such as its startup configuration and executable image path. Some malware, such as BackOrifice2K,
    installs itself as a service and thus leaves a trace in this key (Carvey, 2001).

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\

    This key allows an administrator to map an executable filename to a different debugger, allowing the user to
    debug a program using a different program. Modifying this key requires administrative privileges. A suspect
    could exploit this feature to launch a completely different program under the cover of the initial program (Epp,
    2005). First, the suspect creates a subkey named, for example, notepad.exe (or taskmgr.exe, compmgmt.msc or any
    benign-looking executable). Then, under the subkey notepad.exe, the suspect creates a new string (REG_SZ) value
    named Debugger and points it at the covert program (e.g. C:\Windows\system32\telnet.exe). When the suspect
    executes notepad.exe, the telnet client is launched instead of Notepad. If the suspect runs notepad.exe through
    Windows Run, for instance, its history list will only show notepad.exe. Thus, a suspect could use this technique
    to deceive the forensic examiner. A suspect could also redirect the initial program to a Trojan version of the
    program which launches a backdoor whenever the initial program is run. Malware exploits this feature to load
    itself without the user's knowledge (Symantec, 2005).

    HKCR\exefile\shell\open\command\

    This key contains the instruction used to execute any file with the .exe extension. Normally, this key contains
    one default value with the data "%1" %* (ShaolinTiger, 2003). However, if the value's data is changed to something
    like somefilename.exe "%1" %*, the investigator should suspect that some other hidden program is invoked
    automatically whenever an .exe file is executed. Malware normally modifies this value to load itself covertly
    (File Extensions, n.d.). This technique applies to other similar keys (Carvey, 2004), including
    HKEY_CLASSES_ROOT\batfile\shell\open\command
    HKEY_CLASSES_ROOT\comfile\shell\open\command

    HKCR\Drive\shell\
    HKCR\Folder\shell\

    These two keys contain subkeys that refer to menu items in the Windows context menu. The first key points to the
    context menu shown when right-clicking on a Windows drive letter, while the second key refers to a folder's context menu.
    A suspect could create a key to launch a command prompt from the drive letter context menu, through the key
    HKCR\Drive\shell\cmd\command\. It is a very helpful feature, especially if users need to open a command prompt
    at folder level, via HKCR\Folder\shell\cmd\command. By default, Windows does not have this key. The default
    registry value has data cmd.exe /k "cd %L". A suspect could append, for instance, && notepad.exe to this value to
    launch both programs at once (Carvey, 2005b). However, the second program (notepad.exe) is loaded within the
    same cmd.exe window (cmd.exe is not fully loaded until notepad.exe is closed). By modifying the default registry
    value's data to cmd.exe /k "cd %L" && start notepad.exe, the two programs are launched separately in
    different windows. Thus, the second program can be loaded covertly.

    HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\GUID

    This key contains the network adapter's recent settings, such as the system IP address and default gateway for the
    respective network adapters. Each GUID subkey refers to a network adapter (AccessData, 2005a). The data is
    retained even though the network connection is disconnected.

    HKLM\SOFTWARE\Microsoft\WZCSVC\Parameters\Interfaces\GUID

    This key contains wireless network information for adapters using the Windows Wireless Zero Configuration Service.
    Under the GUID subkey, there are binary registry values named Static#0000, Static#0001, etc. (depending on the
    number of listed SSIDs) which correspond to the respective list of SSIDs in the "Preferred Networks" box in the Wireless
    Network Connection configuration (Carvey, 2005e). The registry value contains the SSID name in binary form. If the
    registry value ActiveSettings contains an SSID name, it may signify the last connected SSID. However, the result is
    not consistent when tested. If the suspect connects to wireless networks using another 3rd party program that is usually
    bundled with the network adapter, instead of using Wireless Zero Configuration, no trace is left in this key.
    The forensic examiner can use this key with the previous network adapter GUID key to determine the last assigned IP
    address (Carvey, 2005e).

    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU
    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2

    The first key maintains a list of mapped network drives, including the server name and shared folder (Shannon,
    2004). The value in this key is still retained even though the mapped network drive has been permanently
    removed or disconnected. In addition, a permanent subkey (unless manually removed from the registry) regarding the
    mapped network drive is also created in the second key, and the subkey is named in the form
    ##servername#sharedfolder.

    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist

    This key contains two GUID subkeys. Each subkey maintains a list of system objects, such as programs, shortcuts,
    and control panel applets, that a user has accessed. The GUID subkey beginning with "5E6" corresponds to the IE
    toolbar, while the subkey starting with "750" pertains to Active Desktop (Carvey, 2005c). However, registry values
    under these subkeys are weakly encrypted using the "ROT-13" algorithm, which basically substitutes a character with
    another character 13 positions away from it in the ASCII table (Carvey, 2005e). Even though each registry value is
    not associated with the specific time and date the event occurred, it could imply that the suspect has accessed a certain file or
    object. For instance, the existence of an attack tool's filename in the entries could indicate that the suspect is trying to
    execute the malicious tool.

    HKCU\Software\Microsoft\Protected Storage System Provider

    Windows Protected Storage is maintained under this key. Protected Storage is a service used by Microsoft
    products to provide a secure area to store private information (Carvey, 2004). Information that could be stored in
    Protected Storage includes MSN Explorer and Internet Explorer AutoComplete strings and passwords, Microsoft
    Outlook and Outlook Express account passwords, and the MSN Messenger password. Registry Editor hides these
    registry keys from users' view, including administrators. There are tools that allow an examiner to view the
    decrypted Protected Storage on a live system, such as Protected Storage PassView (NirSoft, 2004) and
    PStoreView (PStoreView, 2005). AccessData Registry Viewer is capable of accessing and decrypting the subkeys
    in an offline manner (AccessData, 2005b).

    HKCU\Software\Microsoft\Internet Explorer\TypedURLs

    This key contains a listing of the 25 most recent URLs (or file paths) that were typed in the Internet Explorer (IE) or Windows
    Explorer address bar. It shows websites the suspect has recently been surfing. However, the key will only show links
    that are fully typed, automatically completed while typing, or links that are selected from the list of stored URLs
    in the IE address bar. Websites that are accessed via IE Favorites are not recorded. IE will only write all the typed
    URLs during that session to the key when IE is closed (AccessData, 2005a). If the suspect clears the URL history
    using Clear History via the IE Internet Options menu, this key will be completely removed.

    CONCLUSION

    The Windows registry is an excellent source of potential evidential data. Knowing the type of information that could
    possibly exist in the registry and its location gives the forensic examiner an edge in the forensic analysis process.
    The investigator will get a better picture of the whole case. This paper illustrates some of the techniques to hide data in the
    registry and registry keys of evidential value. The fact that Microsoft and other organizations treat the registry
    settings as in-house information without providing sufficient and comprehensive documentation about the registry
    keys used makes registry analysis difficult, which undermines the resourcefulness of the registry. Thus, there is a
    need to unveil and publish evidentiary registry keys to assist forensic investigation on Windows systems.
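As an added examiner-side example (not from the paper or this post), the following Python parses a constructed .reg export, flags the Image File Execution Options Debugger and exefile/batfile/comfile open-command modifications the paper describes, and ROT-13 decodes UserAssist value names; the GUID, the decoded tool path and "somefilename.exe" in the sample are placeholders.

```python
import codecs
import re

# Constructed .reg-style export (not from the paper or the post); the GUID,
# the decoded tool path and "somefilename.exe" are placeholder values.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="C:\\Windows\\system32\\telnet.exe"
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="somefilename.exe \"%1\" %*"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID-PLACEHOLDER}\Count]
"HRZR_EHACNGU:P:\\Gbbyf\\fpnaare.rkr"=hex:01,00,00,00
'''

IFEO = r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
SHELL_OPEN = {r'HKEY_CLASSES_ROOT\%s\shell\open\command' % t for t in ('exefile', 'batfile', 'comfile')}
_VALUE_RE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')

def _unescape(s):
    return re.sub(r'\\(.)', r'\1', s)  # .reg escapes \ and " with a backslash

def parse_reg(text):
    """Parse [key] headers and name=data lines into {key: {name: data}}; '' is the default value."""
    hives, key = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith('[') and line.endswith(']'):
            key = line[1:-1]
            hives.setdefault(key, {})
        elif key and (m := _VALUE_RE.match(line)):
            name = '' if m.group(1) == '@' else _unescape(m.group(2))
            data = m.group(3)
            if data.startswith('"') and data.endswith('"'):
                data = _unescape(data[1:-1])  # REG_SZ; other types kept raw
            hives[key][name] = data
    return hives

def audit(hives):
    """Flag IFEO Debugger redirections and altered exefile/batfile/comfile open commands."""
    findings = []
    for key, values in hives.items():
        if key.startswith(IFEO + '\\') and 'Debugger' in values:
            findings.append(('IFEO debugger', key.rsplit('\\', 1)[1], values['Debugger']))
        if key in SHELL_OPEN and values.get('') != '"%1" %*':
            findings.append(('shell open hijack', key, values.get('')))
    return findings

def decode_userassist(hives):
    """ROT-13 decode the value names under the UserAssist GUID subkeys."""
    return [codecs.decode(n, 'rot_13') for k, v in hives.items()
            if '\\Explorer\\UserAssist\\' in k for n in v]
```

The same functions work on a real export produced with reg.exe export, as long as it is read as text.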
     
  2.  
  3. copylefter

    copylefter Producer

    Joined:
    Mar 3, 2012
    Messages:
    707
    Likes Received:
    118
    Location:
    text_section
    Thanks Guru, I'm mainly a Mac guy but I always wanted to expand my knowledge of some windows functionalities.
    And registry is one of those for sure. Interesting read, gonna dive deeper into this :thumbsup:
     
  4. Catalyst

    Catalyst Audiosexual

    Joined:
    May 28, 2012
    Messages:
    5,810
    Likes Received:
    802
    This should be required reading for everyone. Thanks so much Kontakt Guru.
     
  5. Introninja

    Introninja Audiosexual

    Joined:
    Dec 10, 2013
    Messages:
    1,525
    Likes Received:
    883
    Location:
    Location Location
    No problem, guys. Catalyst made me open my old archives for a lost file and I found gold :wow: :rofl:

    This is just an introduction; if more info is needed, let me know.
     
  6. geolad

    geolad Newbie

    Joined:
    Oct 26, 2013
    Messages:
    7
    Likes Received:
    0
    Do registry cleaners, like PrivaZer (it does a lot more of course), clean all this forensic info?
     
  7. One Reason

    One Reason Audiosexual

    Joined:
    Jun 11, 2011
    Messages:
    2,756
    Likes Received:
    789
    Location:
    Where I dont want to be
    if MORE..... is needed?

    some of u must have a lot to hide.. :rofl:
     
  8. Catalyst

    Catalyst Audiosexual

    Joined:
    May 28, 2012
    Messages:
    5,810
    Likes Received:
    802
    It's not about hiding, it's about understanding the inner workings of the registry. It's actually very important that this is here.
     
  9. Introninja

    Introninja Audiosexual

    Joined:
    Dec 10, 2013
    Messages:
    1,525
    Likes Received:
    883
    Location:
    Location Location
    That's a great start but not enough. I would also look into DFF (Digital Forensics Framework)
    and a program that can securely wipe a file immediately; why leave traces in the first place? Check out a program like BCWipes.
    If you're looking for an all-in-one tool, check out CyberScrub Privacy Suite.

    Remember DoD compliant 7-pass; Gutmann's method is your friend :wink:

    My one problem with these tools is that they leave their own traces that forensic teams can access :excl: since they only wipe the direct blocks... but the indirect blocks expose the fact that you used file shredding software, which can and will be used as indirect evidence in a crime investigation. COURTHOUSE

    One way to remedy this is to wipe the free space of the partition, or better yet the whole drive, which would wipe the indirect blocks, leaving you with a fresh new drive *yes*

    We all have OUR secrets
     
  10. Catalyst

    Catalyst Audiosexual

    Joined:
    May 28, 2012
    Messages:
    5,810
    Likes Received:
    802
  11. geolad

    geolad Newbie

    Joined:
    Oct 26, 2013
    Messages:
    7
    Likes Received:
    0
    Thanks Kontakt for your info.
    You are talking about bringing a hard disk back to its fresh state. And I totally agree with you and the tools you suggest.
    But that is not the usual/ordinary/everycase case.
    I use the PrivaZer to clean all the muck from my computer on a regular basis. It does have a multi-pass wiping selection (for both used and unused space), but I do not use it regularly because it is time-consuming.
     