Tan,

You are quite correct in your concern. We have incident response people in our firm who look at live registry information sometimes in the course of investigations. However, when it comes to securing evidence for prosecution or litigation, we will always try to obtain an evidentiary image of the hard drives and then conduct our investigation using the evidentiary images. The registry will almost certainly change to reflect what the investigator does on a live machine. I think we have had a few posts where this was pointed out. As you said, booting the machine will cause modifications, as may searching around the system for information. It is probably best, therefore, to conduct the registry review using non-live registry files rather than to examine live registries on a possibly compromised computer.

The most available programs to use to review a set of registry files copied from a compromised system or evidentiary image files are regedit and regedt32, for NT/2000/XP systems, and regedit and regdat (a shareware program), for Windows 9x/ME registry files.

For NT/2000/XP systems, you can load the registry hive files into the live registry of the examining workstation using regedt32 ("Registry|Load Hive" on the regedt32 menu). You will be asked to provide a key name after selecting the hive file to load--choose a name that is meaningful to you rather than to the registry (e.g. "badguy_software" or "badguy_system"). The hive will load and you can review that portion of the registry contained in that hive file in its native format. If you need to change permissions to see the data in certain keys, you can use regedt32 (menu "Security|Permissions"). To search the registry, it is best to use regedit, which has a more sophisticated and complete search function. You can have both regedit and regedt32 open at the same time. Remember to unload the foreign hive when you are done.
I have never had a problem, but since you will have added a chunk of foreign data to your registry, there is always the possibility of really screwing your forensic workstation up.

To view registry files copied from Win9x/Me computers, try Regdat, which appears to view the user.dat and system.dat in their native format. For regdat, see http://people.freenet.de/h.ulbrich/.

You can also use the Win9x/Me version of regedit, in DOS mode, to convert the registry files copied from suspect computers or evidence images into readable text files. (Boot to DOS, command line: Regedit /L:[path to system.dat]\system.dat /R:[path to user.dat]\user.dat /E [path for output file]\Registry.txt.)

You can go the extra step of making the text file viewable in regedit, and hence readable in a native registry format, by doing the following:

Open the registry text file with Word.
Replace all occurrences of HKEY_LOCAL_MACHINE with HKEY_LOCAL_MACHINE\["subject name"].
Replace all occurrences of HKEY_USER with HKEY_USER\["subject name"].
Change the extension of the registry text file from .txt to .reg.
Click on the resulting *.reg file to import it into the active registry.
Open regedit. You should see "subject name" keys under HKEY_LOCAL_MACHINE and HKEY_USER. These are the registry keys and values from your subject registry files.

You can now review and search through the subject registry, seeing the data in its native, hierarchical structure. Delete the imported "subject name" keys when you are done.

A previous post on the list mentioned the registry tool Resplendent Registrar. See http://www.resplendence.com/. This is an excellent tool for reviewing the registry (NT/2000/Win9x/ME). It searches the registry extremely fast, and presents the search results in a very usable fashion.

I welcome questions, comments and critique of the above suggestions.
Troy Larson
Computer Forensics, Electronic Evidence and Legal Support
Fiderus Strategic Security and Privacy Services
(Direct) 425-793-1988
(Cell) 425-503-5845
tlarsonat_private
www.fiderus.com
AIM Address: WestCoastCFS
----------------------------------
24 Hour Emergency Response Hotline
1-877-595-8491
----------------------------------

-----Original Message-----
From: Tan Sze Yan [mailto:tszeyanat_private]
Sent: Monday, June 04, 2001 7:25 PM
To: Security Related
Cc: forensicsat_private
Subject: Re: Registry Key LastWrite times

I am wondering if there are any programs that work on a set of registry files (e.g. registry files copied from a compromised system to your computer for forensic analysis), rather than on a "live registry". My concern is that once you boot up a compromised system and the registry is loaded, some of the keys would have already been modified. Or am I wrong?

Cheers!

--
Tan Sze Yan | Computer Security Lab
Research Engineer | DSO National Laboratories
Tel: (65)7727379 | 20 Science Park Drive
Fax: (65)7755943 | Singapore 118230

Security Related wrote:
>
> You are probably all aware of it already, but another handy registry tool is
> 'registrar', or the free one 'registrar lite', it will search the registry
> and find all instances of a string and present them in a list, rather than
> the "find->find next" method, it will also do search and replace on the
> entire registry too...
>
> ES
> _________________________________________________________________
> Get your FREE download of MSN Explorer at http://explorer.msn.com
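The "find and replace in Word" step in Troy's message can be done more safely with a small script. The example below is an added illustration and is not code from the thread or from any of the tools it names; the REGEDIT4 export it operates on is a constructed sample, and the subject name "badguy" follows the naming the message suggests. It rewrites only bracketed key lines, leaves value data untouched, and refuses any "[-HKEY...]" deletion directive, since importing such a line into the examining workstation would remove keys from the examiner's own registry rather than add the subject's keys under a separate name.

```python
"""Re-home a Win9x/Me `regedit /E` export under a subject-named key before it is
imported into an examiner's registry.  Added example, not code from the thread.

Key lines such as  [HKEY_LOCAL_MACHINE\SOFTWARE\...]  become
                   [HKEY_LOCAL_MACHINE\<subject>\SOFTWARE\...]
so the imported data lands beside, not on top of, the workstation's own hives.
"""

import re

# Constructed sample export in the REGEDIT4 format written by Win9x regedit.
# Backslashes inside value strings are doubled, exactly as regedit writes them.
SAMPLE_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Updater"="C:\\WINDOWS\\SYSTEM\\updater.exe"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU]
"a"="notepad\\1"
"MRUList"="a"
"""

# Root keys a Win9x/NT export may legitimately start a key line with.
ROOT_KEYS = (
    "HKEY_LOCAL_MACHINE", "HKEY_USERS", "HKEY_CURRENT_USER",
    "HKEY_CLASSES_ROOT", "HKEY_CURRENT_CONFIG", "HKEY_DYN_DATA",
)

# A key line: "[", optional "-" (deletion directive), the root, optional subpath, "]".
KEY_LINE = re.compile(r"^\[(-?)(HKEY_[A-Z_]+)(\\.*)?\]$")
VALID_HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")


def rehome_export(text, subject):
    """Return the export with every key moved under ROOT\\subject.

    Raises ValueError if the header is not a regedit export, a key uses an
    unknown root, or the file contains a deletion directive.
    """
    if not re.fullmatch(r"[A-Za-z0-9_.-]+", subject):
        raise ValueError("subject name must be a plain key name")
    lines = text.splitlines()
    if not lines or lines[0].strip() not in VALID_HEADERS:
        raise ValueError("not a regedit export (missing REGEDIT4 header)")

    out = [lines[0]]
    for line in lines[1:]:
        m = KEY_LINE.match(line)
        if m is None:
            out.append(line)          # value line, hex continuation, blank or comment
            continue
        minus, root, rest = m.groups()
        if minus:
            raise ValueError("deletion directive refused: " + line)
        if root not in ROOT_KEYS:
            raise ValueError("unknown root key: " + root)
        out.append("[%s\\%s%s]" % (root, subject, rest or ""))
    return "\n".join(out) + "\n"


def all_keys_rehomed(text, subject):
    """Check before importing: every key line must sit under ROOT\\subject."""
    for line in text.splitlines():
        m = KEY_LINE.match(line)
        if m is None:
            continue
        minus, root, rest = m.groups()
        if minus or not (rest or "").startswith("\\" + subject + "\\") \
                and (rest or "") != "\\" + subject:
            return False
    return True


if __name__ == "__main__":
    rehomed = rehome_export(SAMPLE_EXPORT, "badguy")
    assert all_keys_rehomed(rehomed, "badguy")
    print(rehomed)   # save as subject.reg and import, then delete the keys when done
```

Run it as `python rehome.py > badguy.reg` (the file name is arbitrary), import the result on the examining workstation, and, as the message says, delete the "badguy" keys under each root when the review is finished. The header check matters because regedit only imports files that carry the REGEDIT4 (or newer) signature, and the deletion check is what makes the import additive rather than destructive.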
This archive was generated by hypermail 2b30 : Tue Jun 05 2001 - 14:49:28 PDT