Timeline Analysis on Partial Registry

Yesterday I found myself trying to work out why a remote machine had suddenly had its MRU keys and subkeys deleted. Unfortuately, or fortuately depending on how you want to look at it, there was nothing obvious so I had the excuse to “play”. When I started to look into the machine I was working off two potential scenarios. I had a malware infection or an end user who was trying to cover their tracks by using a 4″x2″ to clean the registry(deleting the whole LastVisitedMRU+OpenSaveMRU trees, and not just wiping the values is a fairly brutal approach).

Because the computer wasn’t giving up its secrets easily, I have ended up spending more time then normal working on the machine, instead of just getting the desktop team to re-image it. Let me just say, this is not a scenario where I needed to be careful to preserve evidence, its more a case of using forensic techniques for incident response. Plus, if I polluted the evidence, then it just meant I would send the box off to be rebuilt.

Since the machine was remote, and I didnt have the bandwidth to undertake a remote image, I went looking for a way to be able to grab the live registry to do some timeline anlaysis on. I had previous worked out the time window when the changes occurred by comparing System Restore snapshot hives. My googling led me to HD Moore’s blog post on “Exporting the Registry for Fun and Profit“.

When you use the SAVE option with reg.exe it will export the keys and save the output in the HIVE file format. From what I have seen so far, when it does the export it also preserves the lastwrite timestamp details on the keys and values also.

So now, if you want to do basic timeline analysis only on portions/key areas of a remote registry, you can use reg.exe SAVE to export a small section of the registry. Plus, its much quicker to download key areas of the registry hives when your bandwidth is limited.

Some keys areas may be:-

       reg.exe SAVE \HKLM\Software\Windows
       reg.exe SAVE \HKLM\System\CurrentControlSet\Services
       reg.exe SAVE \HKCU\Software\Windows

Some of the tools and techinques I have used for the first time on this machine were:-

analyzeMFT.py (extract filesystem info from the MFT table)

shellBag registry analysis

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: