RE: Registry Key LastWrite times

From: Troy Larson (tlarsonat_private)
Date: Tue Jun 05 2001 - 11:10:04 PDT


    Tan,
    
    You are quite correct in your concern.  We have incident response people in
    our firm who look at live registry information sometimes in the course of
    investigations.  However, when it comes to securing evidence for prosecution
    or litigation, we will always try to obtain an evidentiary image of the hard
    drives and then to conduct our investigation using the evidentiary images.
    
    The registry will almost certainly change to reflect what the investigator
    does on a live machine.  I think we have had a few posts where this was
    pointed out.  As you said, booting the machine will cause modifications, as
    may searching around the system for information.  It is probably best,
    therefore, to conduct the registry review using non-live registry files
    rather than to examine live registries on a possibly compromised computer.
    
    The most available programs to use to review a set of registry files copied
    from a compromised system or evidentiary image files are regedit and
    regedt32, for NT/2000/XP systems, and regedit and regdat (a shareware
    program), for Windows 9x/ME registry files.
    
    For NT/2000/XP systems, you can load the registry hive files into the live
    registry of the examining workstation using regedt32 ("Registry|Load Hive"
    on the regedt32 menu).  You will be asked to provide a key name after selecting
    the hive file to load--choose a name that is meaningful to you rather than
    the registry (e.g. "badguy_software" or "badguy_system").  The hive will
    load and you can review that portion of the registry contained in that hive
    file in its native format.  If you need to change permissions to see the data
    in certain keys, you can use regedt32 (menu "Security|Permissions").  To
    search the registry, it is best to use regedit, which has a more
    sophisticated and complete search function.  You can have both regedit and
    regedt32 open at the same time.  Remember to unload the foreign hive when
    you are done.  I have never had a problem, but since you will have added a
    chunk of foreign data to your registry, there is always the possibility of
    really screwing your forensic workstation up.
    
    To view registry files copied from Win9x/Me computers, try Regdat which
    appears to view the user.dat and system.dat in their native format. For
    regdat, see http://people.freenet.de/h.ulbrich/.
    
    You can also use the Win9x/Me version of regedit, in dos mode, to convert
    the registry files copied from suspect computers or evidence images into
    readable text files.  (Boot to DOS, command line: Regedit /L:[path to
    system.dat]\system.dat /R:[path to user.dat]\user.dat /E [path for output
    file]\Registry.txt.)  You can go the extra step of making the text file
    viewable in regedit, and hence readable in a native registry format by doing
    the following:  Open the registry text file with Word.  Replace all
    occurrences of HKEY_LOCAL_MACHINE with HKEY_LOCAL_MACHINE\["subject name"].
    Replace all occurrences of HKEY_USER with HKEY_USER\["subject name"].
    Change the extension of the registry text file from .txt to .reg.  Click on
    the resulting *.reg file to import it into the active registry. Open
    regedit.  You should see "subject name" keys under HKEY_LOCAL_MACHINE and
    HKEY_USER.  These are the registry keys and values from your subject
    registry files.  You can now review and search through the subject registry,
    seeing the data in its native, hierarchical structure.  Delete the imported
    "subject name" keys when you are done.
    
    A previous post on the list mentioned the registry tool Resplendent
    Registrar.  See http://www.resplendence.com/.  This is an excellent tool for
    reviewing the registry (NT/2000/Win9x/ME).  It searches the registry
    extremely fast, and presents the search results in a very usable fashion.
    
    I welcome questions, comments and critique of the above suggestions.
    
    Troy Larson
    Computer Forensics, Electronic Evidence and Legal Support
    Fiderus Strategic Security and Privacy Services
    (Direct) 425-793-1988
    (Cell) 425-503-5845
    tlarsonat_private
    www.fiderus.com
    AIM Address: WestCoastCFS
    ----------------------------------
    24 Hour Emergency Response Hotline
    1-877-595-8491
    ----------------------------------
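The conversion step described above (rewriting the exported registry text so the subject's keys land under a "subject name" subkey before the .reg file is imported) can be done with a short script instead of Word's find-and-replace. The following is an added example, not code from the message or its author; it assumes a REGEDIT4-style text export with one bracketed key path per line, uses a constructed sample input, and additionally drops any `[-KEY]` deletion directive, since merging one would delete keys from the examining workstation rather than add the subject's data:

```python
import re

# Constructed sample of a Win9x "REGEDIT4" text export, in the shape that
# "regedit /L:... /R:... /E out.txt" produces (not data from any real system).
SAMPLE_EXPORT = """REGEDIT4

[HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run]
"SystemTray"="SysTray.Exe"
"Updater"="C:\\\\TOOLS\\\\upd.exe"

[HKEY_USERS\\.Default\\Software\\Microsoft\\Windows\\CurrentVersion\\Run]
@="notepad.exe"
"""

# A key-path line: "[ROOT\path]" or a deletion directive "[-ROOT\path]".
KEY_LINE = re.compile(r"^\[(?P<minus>-?)(?P<root>HKEY_[A-Z_]+)(?P<rest>(?:\\.*)?)\]\s*$")


def relocate_reg_export(text: str, subject: str) -> str:
    """Rewrite every key path so it sits under ROOT\\<subject>\\... instead of
    ROOT\\..., so the import never overwrites the examiner's own keys.
    Deletion directives ([-KEY]) are dropped: merging one would delete keys
    from the examining workstation's live registry rather than add data."""
    if not subject or "\\" in subject or "]" in subject:
        raise ValueError("subject must be a single key name")
    out = []
    for line in text.splitlines():
        m = KEY_LINE.match(line)
        if m is None:
            out.append(line)        # header, value lines and blanks pass through
        elif m.group("minus"):
            continue                # never import a deletion directive
        else:
            out.append(f"[{m.group('root')}\\{subject}{m.group('rest')}]")
    return "\n".join(out) + "\n"


def key_paths(text: str) -> list:
    """List the key paths an export declares, to check before importing that
    every one of them starts with ROOT\\<subject>."""
    matches = (KEY_LINE.match(line) for line in text.splitlines())
    return [m.group("root") + m.group("rest") for m in matches if m]


if __name__ == "__main__":
    relocated = relocate_reg_export(SAMPLE_EXPORT, "badguy")
    print(relocated)
    print(key_paths(relocated))
```

Save the returned text with a .reg extension and inspect `key_paths()` on it before merging; every path should begin with the root key followed by the subject name.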
    
    
    
    -----Original Message-----
    From: Tan Sze Yan [mailto:tszeyanat_private]
    Sent: Monday, June 04, 2001 7:25 PM
    To: Security Related
    Cc: forensicsat_private
    Subject: Re: Registry Key LastWrite times
    
    
    I am wondering if there are any programs that work on a set of registry
    files (e.g. registry files copied from compromised system to your
    computer for forensics analysis), rather than on a "live registry". My
    concern is that once you boot up a compromised system and the registry
    is being loaded, some of the keys would have already being modified. Or
    am I wrong?
    
    Cheers!
    
    --
    Tan Sze Yan		| Computer Security Lab
    Research Engineer	| DSO National Laboratories
    Tel: (65)7727379 	| 20 Science Park Drive
    Fax: (65)7755943 	| Singapore 118230
    
    Security Related wrote:
    >
    > You are probably all aware of it already, but another handy registry tool is
    > 'registrar', or the free one 'registrar lite', it will search the registry
    > and find all instances of a string and present them in a list, rather than
    > the "find->find next" method, it will also do search and replace on the
    > entire registry too...
    >
    > ES
    > _________________________________________________________________
    > Get your FREE download of MSN Explorer at http://explorer.msn.com
    



    This archive was generated by hypermail 2b30 : Tue Jun 05 2001 - 14:49:28 PDT