Which registry key contains information about all of the user profiles that exist on the computer?



The instructions below describe how to identify which folder stored in the registry under HKEY_USERS is associated with each user profile on the computer.

Note: The Security Identifier (SID) is a unique alphanumeric string that is assigned by a Windows domain controller during the logon process and is used to identify a user.

This procedure enables administrators to make modifications to specific user profiles located in HKEY_USERS, mimicking those found in HKEY_CURRENT_USER when that user is logged in.

  1. Open the Windows Registry Editor.
  2. Expand HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList.
  3. Select each folder individually and look at its ProfileImagePath value to identify the user profile associated with the selected folder:

Screenshot: ProfileList

Note: In the above example, the folder name is S-1-5-21-2060139532-2050374463-2073913816-1157.
  4. Expand HKEY_USERS\<folder>; in this example, HKEY_USERS\S-1-5-21-2060139532-2050374463-2073913816-1157. This is that user's HKEY_CURRENT_USER. Proceed with the desired modification:
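The procedure above can be scripted. The following Python is an added example, not part of the Esri article: it decodes a ProfileList SID, classifies it (the well-known service SIDs, the built-in Administrator RID 500, and regular accounts with RID 1000 and above), derives the HKEY_USERS key that plays the role of that user's HKEY_CURRENT_USER, and reports whether that key is loaded or the profile's NTUSER.DAT would have to be opened instead. The function names, the sample ProfileList entries and the set of "loaded HKU" keys are constructed for the example; the live reader uses the standard-library winreg module and returns an empty mapping on non-Windows hosts.

```python
import ntpath
import struct
import sys
from typing import Dict, Iterable, List, Tuple

PROFILE_LIST = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList"

# SIDs that normally sit in ProfileList next to the real user accounts.
WELL_KNOWN_SIDS = {"S-1-5-18": "LocalSystem", "S-1-5-19": "LocalService", "S-1-5-20": "NetworkService"}
# Well-known relative identifiers (RIDs) inside an S-1-5-21-... machine/domain SID.
WELL_KNOWN_RIDS = {500: "built-in Administrator", 501: "Guest"}


def parse_sid(sid: str) -> Tuple[int, int, List[int]]:
    """Split 'S-1-5-21-...-1157' into (revision, identifier authority, sub-authorities)."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError(f"not a SID string: {sid!r}")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if revision != 1 or len(subs) > 15:
        raise ValueError(f"malformed SID: {sid!r}")
    return revision, authority, subs


def sid_to_bytes(sid: str) -> bytes:
    """Encode to the binary SID layout found inside registry data (e.g. the SAM hive):
    revision (1 byte), sub-authority count (1 byte), 48-bit identifier authority
    (big-endian), then each sub-authority as a little-endian uint32."""
    revision, authority, subs = parse_sid(sid)
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def bytes_to_sid(data: bytes) -> str:
    """Decode a binary SID back to its string form, validating the length first."""
    if len(data) < 8:
        raise ValueError("SID too short")
    revision, count = data[0], data[1]
    if len(data) != 8 + 4 * count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(data[2:8], "big")
    subs = struct.unpack_from(f"<{count}I", data, 8)
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])


def classify_sid(sid: str) -> str:
    """Say what kind of account a ProfileList SID belongs to."""
    if sid in WELL_KNOWN_SIDS:
        return WELL_KNOWN_SIDS[sid]
    _, authority, subs = parse_sid(sid)
    if authority == 5 and len(subs) == 5 and subs[0] == 21:
        rid = subs[-1]
        if rid in WELL_KNOWN_RIDS:
            return WELL_KNOWN_RIDS[rid]
        return "regular account (RID >= 1000)" if rid >= 1000 else f"reserved RID {rid}"
    return "other"


def profile_hive_paths(profile_image_path: str) -> Dict[str, str]:
    """The per-user hive files (hidden) that live under the profile directory."""
    return {
        "NTUSER.DAT": ntpath.join(profile_image_path, "NTUSER.DAT"),
        "UsrClass.dat": ntpath.join(profile_image_path, "AppData", "Local",
                                    "Microsoft", "Windows", "UsrClass.dat"),
    }


def describe_profile(sid: str, profile_image_path: str, loaded_hku: Iterable[str]) -> Dict[str, object]:
    """Tie one ProfileList entry to its HKEY_USERS key, as the manual procedure does,
    and record whether that key is currently loaded (user logged on)."""
    return {
        "sid": sid,
        "account": ntpath.basename(profile_image_path),
        "kind": classify_sid(sid),
        "hku_key": "HKEY_USERS\\" + sid,
        "hive_loaded": sid in set(loaded_hku),
        "hive_files": profile_hive_paths(profile_image_path),
    }


def read_profile_list_live() -> Dict[str, str]:
    """On a live Windows host, read SID -> ProfileImagePath from ProfileList.
    Returns an empty mapping elsewhere so the module still imports on Linux."""
    if sys.platform != "win32":
        return {}
    import winreg
    result = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, PROFILE_LIST) as key:
        for i in range(winreg.QueryInfoKey(key)[0]):
            sid = winreg.EnumKey(key, i)
            with winreg.OpenKey(key, sid) as sub:
                raw, _ = winreg.QueryValueEx(sub, "ProfileImagePath")  # REG_EXPAND_SZ
                result[sid] = winreg.ExpandEnvironmentStrings(raw)
    return result


# Constructed sample data mirroring the article's example SID (not taken from a real host).
SAMPLE_PROFILE_LIST = {
    "S-1-5-18": r"C:\Windows\system32\config\systemprofile",
    "S-1-5-21-2060139532-2050374463-2073913816-500": r"C:\Users\Administrator",
    "S-1-5-21-2060139532-2050374463-2073913816-1157": r"C:\Users\alice",
}
SAMPLE_LOADED_HKU = {"S-1-5-18", "S-1-5-21-2060139532-2050374463-2073913816-1157"}

if __name__ == "__main__":
    for sid, path in (read_profile_list_live() or SAMPLE_PROFILE_LIST).items():
        info = describe_profile(sid, path, SAMPLE_LOADED_HKU)
        state = "loaded" if info["hive_loaded"] else "not loaded; open " + info["hive_files"]["NTUSER.DAT"]
        print(f"{info['account']:<14} {info['kind']:<30} {info['hku_key']} ({state})")
```

On a Windows host the script reads the real ProfileList; elsewhere it falls back to the constructed sample. The binary encoder/decoder is there because the same SIDs appear in binary form inside other hive data, and being able to check a decoded SID against the ProfileList key names is a routine cross-check.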

Screenshot: HKEY_USERS\S-1-5-21-2060139532-2050374463-2073913816-1157

  • Microsoft: How to Associate a Username with a Security Identifier (SID)

Last Published: 8/8/2019

Article ID: 000010572

Software: ArcGIS Engine 9.3.1, 9.3, 9.2, 9.1, 9.0.1, 9.0 ArcGIS Production Mapping for Server 10.7.1, 10.7, 10.6.1, 10.6, 10.5.1, 10.5, 10.4.1, 10.4, 10.3.1, 10.3 ArcMap 10.4.1, 10.4, 10.3.1, 10.3, 10.2.2, 10.2.1, 10.2, 10.1, 10 ArcGIS Production Mapping 10.7.1, 10.7, 10.6.1, 10.6, 10.5.1, 10.5, 10.4.1, 10.4, 10.3.1, 10.3, 10.2.2, 10.2.1, 10.2, 10.1, 10

Computer forensics is a sub-field of cybersecurity that pertains to gathering evidence of how a computer was used. Generally, it falls under the larger field of digital forensics, which deals with all kinds of digital devices, from examination and recovery to analysis of the data found within them.

Digital forensics is widely used and needed, starting with the private sector, where you might want to analyze your organization internally or, for example, carry out incident response and analysis.

In a legal sense, digital forensics can be used to support some hypotheses in a civil/criminal case – or vice versa.

There are even cases that went cold for years before being solved through the techniques used in this field. One famous example is the BTK serial killer case, which had gone cold for years until the perpetrator met his downfall after he started taunting the authorities by sending them letters.

Eventually, the police managed to recover a deleted MS Word document from the drive, analyze the metadata of the document, pinpoint the killer, and finally arrest him!

From the Wikipedia page on the case:

Police found metadata embedded in a deleted Microsoft Word document that was, unknown to Rader, still stored on the floppy disk.[54] The metadata contained the words "Christ Lutheran Church", and the document was marked as last modified by "Dennis".[55] An Internet search determined that a "Dennis Rader" was president of the church council.[52] When investigators drove by Rader's house, a black Jeep Cherokee—the type of vehicle seen in the Home Depot surveillance footage—was parked outside.[56] This was strong circumstantial evidence against Rader, but they needed more direct evidence to detain him.[57]

As you can see, computer forensics can be quite useful and can provide a lot of insight into what has happened on, or to, our computer systems. Connecting the dots further, it can even help us ascertain what someone might have done, as illustrated in the example above.

Windows

This is de facto the most used desktop OS right now (75% of the market share, to be precise). That is mostly why I intend to focus on Windows forensics, but I will talk about Linux forensics in the future as well.

Why is the Windows Registry important from a forensic perspective?

The registry in Windows is practically the database for the OS itself. It contains all the configuration data for the system and is organized hierarchically.

From MS docs:

The registry is a hierarchical database that contains data that is critical for the operation of Windows and the applications and services that run on Windows. The data is structured in a tree format. Each node in the tree is called a key. Each key can contain both subkeys and data entries called values.

This means that the registry holds information about the software, the hardware, and even the user. This includes data about recently used programs or files, as well as devices that are or have been connected to the system. You can probably infer how this is of great value to a forensic investigator.

The registry on your Windows system comprises these five root keys:

  1. HKEY_CURRENT_USER

  2. HKEY_USERS

  3. HKEY_LOCAL_MACHINE

  4. HKEY_CLASSES_ROOT

  5. HKEY_CURRENT_CONFIG

HKEY_CURRENT_USER – Contains the root of the configuration information for the user who is currently logged on. The user’s folders, screen colors, Control Panel settings are stored here. This information is associated with the user’s profile. This key is sometimes abbreviated as HKCU.

HKEY_USERS – Contains all the actively loaded user profiles on the computer. HKEY_CURRENT_USER is a subkey of HKEY_USERS. HKEY_USERS is sometimes abbreviated as HKU.

HKEY_LOCAL_MACHINE – Contains configuration information particular to the computer (for any user). This key is sometimes abbreviated as HKLM.

HKEY_CLASSES_ROOT – Is a subkey of HKEY_LOCAL_MACHINE\Software. The information that is stored here makes sure that the correct program opens when you open a file by using Windows Explorer. This key is sometimes abbreviated as HKCR.

Starting with Windows 2000, this information is stored under both the HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER keys. The HKEY_LOCAL_MACHINE\Software\Classes key contains default settings that can apply to all users on the local computer. The HKEY_CURRENT_USER\Software\Classes key contains settings that override the default settings and apply only to the interactive user. The HKEY_CLASSES_ROOT key provides a view of the registry that merges the information from these two sources. HKEY_CLASSES_ROOT also provides this merged view for programs that are designed for earlier versions of Windows.

To change the settings for the interactive user, changes must be made under HKEY_CURRENT_USER\Software\Classes instead of under HKEY_CLASSES_ROOT. To change the default settings, changes must be made under HKEY_LOCAL_MACHINE\Software\Classes. If you write keys to a key under HKEY_CLASSES_ROOT, the system stores the information under HKEY_LOCAL_MACHINE\Software\Classes. If you write values to a key under HKEY_CLASSES_ROOT, and the key already exists under HKEY_CURRENT_USER\Software\Classes, the system will store the information there instead of under HKEY_LOCAL_MACHINE\Software\Classes.

HKEY_CURRENT_CONFIG – Contains information about the hardware profile that is used by the local computer at system startup.

These root keys, combined with values and subkeys, are what make the Registry Hive.

You can check this by opening regedit.exe to look around the registry – directories you see are the Registry Keys, and the values are whatever data is stored within – as mentioned above.

Access Hives Offline

Please note that the above holds when you are accessing a live system through the built-in utility regedit.exe. If you only have a disk image, you go about this in a slightly different way. First, you should know that the registry hives are located on the disk in the C:\Windows\System32\Config directory.

Let me digress here for a bit. Why is this important? Well, in an investigation you would typically clone the disk first (hence the disk image) and conduct your investigation on the clone. You don't want to contaminate your potential evidence by working on the original. As mentioned here, even though cloning is a straightforward process in theory, in practice it can be quite different.

The goal is simple: you want to clone one disk to another. The drive you want to clone is typically removed from the computer and connected to another computer or a cloning device. However, it is vital to have control over the writing process, i.e. a hardware write blocker placed between the source disk (the one being cloned) and the destination disk (the one we are cloning to). You need this because you don't want to accidentally compromise your investigation by writing data to the source disk.

You should also forensically wipe the destination disk beforehand. Forensic imaging tools (FTK Imager, Autopsy, etc.) will usually create some sort of proof that the wiping took place. Finally, once all the preparations have been made and the cloning completes successfully, the source and the clone should have matching hashes, which is your proof that you have an exact copy of the disk under investigation.
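The two checks at the end of that process, the wipe and the hash comparison, are easy to automate. The Python below is an added example, not the author's code and not part of any of the tools named: it streams two image files through several digest algorithms in one pass, reports whether every digest agrees, and checks that a would-be destination reads back as all zeros, which is the property a wipe is supposed to leave behind. The 1 MiB "disk" contents, the temporary file names and the function names are all constructed for this example.

```python
import hashlib
import os
import tempfile
from typing import Dict, Tuple

CHUNK = 1024 * 1024  # read images in 1 MiB pieces so a multi-terabyte disk never has to fit in RAM


def hash_image(path: str, algorithms=("md5", "sha1", "sha256")) -> Dict[str, str]:
    """Stream an image file once and compute every requested digest over it."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        while chunk := fh.read(CHUNK):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def is_zero_filled(path: str) -> bool:
    """Evidence that a destination was wiped: every byte reads back as 0x00."""
    with open(path, "rb") as fh:
        while chunk := fh.read(CHUNK):
            if chunk.count(0) != len(chunk):
                return False
    return True


def verify_clone(source: str, clone: str) -> Tuple[bool, Dict[str, Tuple[str, str]]]:
    """Compare source and clone digests; the clone is verified only if every algorithm agrees."""
    src, dst = hash_image(source), hash_image(clone)
    report = {name: (src[name], dst[name]) for name in src}
    return all(a == b for a, b in report.values()), report


def write_image(data: bytes) -> str:
    """Write constructed bytes to a temporary file standing in for a disk image."""
    fd, path = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


# Constructed 1 MiB "disk" (every byte value repeated), not a real image.
SOURCE_IMAGE = bytes(range(256)) * 4096

if __name__ == "__main__":
    source = write_image(SOURCE_IMAGE)
    destination = write_image(b"\x00" * len(SOURCE_IMAGE))
    print("destination wiped:", is_zero_filled(destination))
    good_clone = write_image(SOURCE_IMAGE)
    bad_clone = write_image(SOURCE_IMAGE[:-1] + b"\x00")  # one byte differs near the end
    for label, clone in (("good clone", good_clone), ("bad clone", bad_clone)):
        ok, report = verify_clone(source, clone)
        print(label, "verified" if ok else "MISMATCH")
        for name, (a, b) in report.items():
            print(f"  {name:<7} source={a}  clone={b}")
```

Record the digests (and the zero-fill result) alongside the acquisition notes; the point of computing more than one algorithm is that the report then matches whatever the examiner's tooling prints, so the values can be compared directly later.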

I will mention the tools above, and others, in my future articles on this topic, but for now let me get back on track and talk about the locations of the aforementioned hives on the respective disk(s).

These hives are:

  1. DEFAULT (mounted at – HKEY_USERS\DEFAULT)

  2. SAM (mounted at – HKEY_LOCAL_MACHINE\SAM)

  3. SECURITY (mounted at – HKEY_LOCAL_MACHINE\Security)

  4. SOFTWARE (mounted at – HKEY_LOCAL_MACHINE\Software)

  5. SYSTEM (mounted at – HKEY_LOCAL_MACHINE\System)
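Each of these hive files starts with a 4 KiB base block (the "regf" header) that is worth checking before any tool is pointed at the hive. The Python below is an added example, not the author's code: it decodes the header fields, converts the last-write FILETIME, recomputes the XOR-32 checksum over the first 0x1FC bytes, and flags a dirty hive (primary and secondary sequence numbers differ), which means the .LOG1/.LOG2 transaction logs beside the hive hold writes that never reached the primary file. The two sample hives are constructed in code by a small builder; the builder and function names are this example's own, while the field offsets follow the documented REGF layout.

```python
import struct
from datetime import datetime, timedelta, timezone
from typing import Dict

BASE_BLOCK_SIZE = 0x1000   # the base block is the first 4 KiB of every hive file
CHECKSUM_OFFSET = 0x1FC    # XOR-32 over the 0x1FC bytes before this offset
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """Windows FILETIME: 100 ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def regf_checksum(block: bytes) -> int:
    """XOR of the first 0x1FC bytes taken as little-endian DWORDs, with the two
    reserved results remapped the way the kernel does (0xFFFFFFFF -> 0xFFFFFFFE, 0 -> 1)."""
    acc = 0
    for (dword,) in struct.iter_unpack("<I", block[:CHECKSUM_OFFSET]):
        acc ^= dword
    if acc == 0xFFFFFFFF:
        return 0xFFFFFFFE
    return 1 if acc == 0 else acc


def parse_base_block(block: bytes) -> Dict[str, object]:
    """Decode the REGF header fields an examiner checks before trusting a hive."""
    if len(block) < BASE_BLOCK_SIZE:
        raise ValueError("hive shorter than one base block")
    if block[:4] != b"regf":
        raise ValueError("missing 'regf' signature: not a registry hive")
    (primary_seq, secondary_seq, last_written, major, minor, file_type,
     file_format, root_cell, bins_size, _clustering) = struct.unpack_from("<IIQIIIIIII", block, 4)
    # 64-byte UTF-16LE name field at 0x30; real hives store a (possibly truncated) file path here.
    name = block[0x30:0x70].decode("utf-16-le").split("\x00", 1)[0]
    stored = struct.unpack_from("<I", block, CHECKSUM_OFFSET)[0]
    return {
        "hive_name": name,
        "version": f"{major}.{minor}",
        "file_type": "primary" if file_type == 0 else f"other ({file_type})",
        "file_format": file_format,
        "last_written_utc": filetime_to_datetime(last_written),
        "root_cell_offset": root_cell,        # relative to the hive bins that start at 0x1000
        "hive_bins_size": bins_size,
        "sequence_numbers": (primary_seq, secondary_seq),
        "dirty": primary_seq != secondary_seq,  # unfinished write: replay the transaction logs
        "checksum_ok": stored == regf_checksum(block),
    }


def load_base_block(path: str) -> Dict[str, object]:
    """Read only the header of a hive file on disk (e.g. an exported SYSTEM hive)."""
    with open(path, "rb") as fh:
        return parse_base_block(fh.read(BASE_BLOCK_SIZE))


def build_base_block(hive_name: str, primary_seq: int, secondary_seq: int,
                     last_written: int, bins_size: int = 0x1000, minor: int = 5) -> bytes:
    """Assemble a minimal well-formed base block (constructed test data, not a real hive)."""
    hdr = bytearray(BASE_BLOCK_SIZE)
    hdr[0:4] = b"regf"
    # major=1, file type 0 (primary), file format 1, root cell at 0x20, clustering factor 1
    struct.pack_into("<IIQIIIIIII", hdr, 4, primary_seq, secondary_seq, last_written,
                     1, minor, 0, 1, 0x20, bins_size, 1)
    name = hive_name.encode("utf-16-le")[:64]
    hdr[0x30:0x30 + len(name)] = name
    struct.pack_into("<I", hdr, CHECKSUM_OFFSET, regf_checksum(bytes(hdr)))
    return bytes(hdr)


# Constructed samples: one consistent hive and one whose last write never completed.
SAMPLE_TIME = datetime(2019, 8, 8, 12, 0, tzinfo=timezone.utc)
CLEAN_HIVE = build_base_block("SYSTEM", 0x2A, 0x2A, datetime_to_filetime(SAMPLE_TIME))
DIRTY_HIVE = build_base_block("SOFTWARE", 0x2B, 0x2A, datetime_to_filetime(SAMPLE_TIME))

if __name__ == "__main__":
    for label, hive in (("clean", CLEAN_HIVE), ("dirty", DIRTY_HIVE)):
        info = parse_base_block(hive)
        print(label, info["hive_name"], "v" + info["version"], info["last_written_utc"],
              "DIRTY" if info["dirty"] else "consistent",
              "checksum ok" if info["checksum_ok"] else "CHECKSUM MISMATCH")
```

Point load_base_block at a hive copied out of C:\Windows\System32\Config to see the same report for real data. It reads the header only; walking keys and values needs a full hive parser, and a hive reported as dirty should have its transaction logs applied by such a tool before its contents are relied on.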


Aside from these hives, there are two more hives that keep information about the user and can be found in the user's profile directory. The path is C:\Users\<username> (this is true for Windows 7 and later versions of Windows).

The two hives are these:

  1. NTUSER.DAT (mounted at HKEY_CURRENT_USER after the user would log in)

  2. USRCLASS.DAT (mounted at HKEY_CURRENT_USER\Software\CLASSES)

NTUSER.DAT is found in C:\Users\<username> and USRCLASS.DAT is found in C:\Users\<username>\AppData\Local\Microsoft\Windows. Please note that both of these hive files are hidden.

Screenshot: NTUSER.DAT

Screenshot: USRCLASS.DAT

Finally, the Amcache hive, which is quite important in the Windows OS since it keeps information about programs that have been run recently. It is located at C:\Windows\AppCompat\Programs\Amcache.hve

Screenshot: Amcache hive

Conclusion

To conclude, I covered some basics about Computer/Digital Forensics in general, as well as the Windows OS Registry Hive. This is exactly what threat actors exploit in numerous ways, and we will be looking at how to ascertain what they did to our devices in the next article. I will also talk about the mentioned forensic tools such as Autopsy, FTK Imager, and others. (Linux forensics will be covered too!)

Stay tuned.

Cover image by Immo Wegmann

#registry #forensics #windows