WIXLIB

Tanushree Roy et al, / (IJCSIT) International Journal of Computer Science and Information Technologies, Vol. 3 (3) , 2012, 4427- Contents“regf” signaturetimestamproot key offsetoffset to last hbin in the hivefile name (Unicode)*(size in bytes)Table 2: Important fields of base blockWindows organizes the Registry data that a hive storesin containers called cells. A cell can contain a key, a list ofsubkeys, a value, a security descriptor, or a list of keyvalues. A field at the beginning of a cell’s data describes thedata’s type. Bins also have headers that have a signature,hbin, a field that contains offset to the hive file of the binand the bin’s size.Cell TypesKey cellValue cellSecurity Descriptor cellnkvkskSub-key list celllf / lh / ri / liValue-list cellData cell––Signature0x6B6E0x6B760x6B730x666C / 0x686C /0x6792 / 0x696CN/A (No header)N/A (No header)Table 3: Cell types and their signatures3) Traversing the Registry Hive: The base block pointsto the first hbin structure that in turn comprise the offset tothe root key of the registry hive. All key/subkey in theregistry hive is having a signature NK. Key cell include anoffset to the value-list member containing the valuespresent under the keys and an offset to the related sub-keystructure that point to an LH, an LF or an RI cell.The LH or LF entry includes a member that holds a listof offsets to all the other sub-keys of the key. The value-listcontains pointers to value keys. The value entry containsinformation related to the value present under a key and theassociated data. If the data size contains a 1 in its MSB(0x80), the key contains inline data, i.e. – the offset to thedata is the actual data rather than an offset to the data. Incase of non-inline data, the offset to the data is the offset ofthe data cell. In case the first two bytes of the data cellcontain the signature ‘db’ (0x6264), it is a data cell withnon-contiguous data. This may be because the size of thedata is very large, and cannot be accommodated in a singlebin. The data is then spread over a number of bins. The nexttwo bytes then tell us how many bins the data is spreadover. Following these two bytes is a list of offsets to thedata cells that make up this data entry. The data from allthese cells can be concatenated to form the actual data ofthat particular value.B. Tools Used1) Collection of Registry hive files: Registry files areopened by the Kernel in restricted mode which means thatthey cannot be copied while the system is in use, except forthe User Registry Files (NTUSER.DAT) that are notcurrently loaded.A method was needed for extracting example RegistryFiles for research use. The chosen method was:i. Hive files are collected from several machines bybooting them from a Linux disc (as hive files arelocked while the Windows operating system isrunning).ii.ERUNT tool also may be used to obtain hive filesfrom a live system, without shutting-down thesystem.It is noted that, a collection method like listed above cancapture only the stable hives present in the hard-disk, andnot the volatile hives (the in-memory version of disk hives).2) Registry Examination: Analysis of the registry hive filescan be done manually using WinHex [12] or by parsing thehive using an offline parser. For the purpose of examinationan offline registry parser r parser.pl was developed inPerl based upon the available knowledge about the Registrystructure. The code was further modified to generatespecific keys related to USB devices, as explained in thefollowing section. Another utility regkey time.pl wasdeveloped, that listed the keys in a descending order of theirlast-write times.C. Footprints left by a USB Device1) setupapi.log: Since almost all devices now-a-days,are of the type “plug-and-play”, containing their associateddriver files written on the device firmware, the system caninstall them directly, ruling out need for a separateinstallation disk. Whenever such Plug-and-Play USBdevice is connected to a system, Plug-and-Play (PnP)manager receives this event and queries the devicedescription in its firmware, such as manufacturer, serial no,etc. Upon receiving the information, the PnP managerlocates device drivers and a set of Registry keys are created,as described below. Above events are recorded \setupappi.log) when the device getsconnected to the system for the first time.The device detail is not a part of memory area and thus,is not available when we make its clone.2) Registry Keys created: After the device is identified, aset of registry keys gets created as follows:i.HKEY LOCAL MACHINE\SYSTEM\ControlSet00x\Enum\USBSTOR\ device class \ deviceunique id \ii. HKEY LOCAL \{ disk devicesGUID }\iii. device class#device unique id#{disk devicesGUID} \iv. HKEY LOCAL \{ volume devices GUID }\v. STORAGE RemovableMedia#ParentId Prefix#{volume devices GUID} \vi. HKEY LOCAL eMedia\ ParentID Prefix \These keys contain details about the device id, driverdescription, manufacturer, friendly name, parented prefix,etc. When we connect the same USB to the system again, asub-key named control is created under the above keys. Asa result the time-stamp of these keys reflect the last time theUSB was connected to the system.3) Drive letter to which the device gets mounted: USBdevice when connected to the system gets assigned to adrive letter (G, H, etc.), which can be identified through thefollowingkey:HKEY LOCAL MACHINE\SYSTEM\MountedDevices4429

Tanushree Roy et al, / (IJCSIT) International Journal of Computer Science and Information Technologies, Vol. 3 (3) , 2012, 4427- 4433This key contains a value starting with \?\Volume\that contains binary data having ParentId Prefix in the form STORAGE RemovableMedia#ParentId Prefix#{volume devices GUID} . This data is also presentin the value \DosDevices\ drive letter , if thisUSB device was the last device mapped to that drive letter.4) Finding the user profile through which USB devicewas connected: The value present in the key\MountedDevices starting with \?\Volume\{ }occurs only once more in the ntuser.dat hive of the userprofile in which the USB device was connected. Using thisvalue, we can find out the user profile through which theUSB device was connected.5) Time the drive was last connected to the system: Thefirst time USB device was connected to a system is foundfrom the setupapi.log file and the corresponding registryentries. To associate this time with the actual time, Version\Time Zones, present in theSoftware hive is checked.6) To track if file opened or copied through explorer: Ifany file is opened through the explorer by double click onthe file name, an entry is created in the Registry lorer\RecentDocs\If file opened using open file menu or saved using saveas file menu in any application program, it is noted in nSaveMRUThese entries are present in the ntuser.dat registry hiveof the user profile identified in 4) above.7) File copy to USB through other modes: Analysis ofthe file MAC times: If file is transferred to USB using thecopy, cut or send-to context menu option, no registry entrygets created; and one has to examine both the system andUSB device file system to track the file copy.Whenever a file is accessed (i.e., copy, move, open oredit), their MAC (modified, accessed, created) times stAccessUpdate present in theSystem hive under the key ControlSet00x\Control\FileSystem\ is enabled, then MAC timesare not updated. By default this value is not present inWindows XP systems. The MAC times of the filessuspected of being copied is checked.8) Analysis of the USB device: Once we have identifiedthe user profile through which the USB device wasconnected, and it is established that files have been copiedto the USB, case can be established against that person, andhis USB device is confiscated for analysis. If the copiedfiles are present in the USB device then, their md5 hashvalues are compared to the values of original files. And iffiles are not present, then unallocated space is analyzed andfiles are recovered, if not overwritten till now.For tracking data transfer from system to USB devicesevaluating the performance we connected some USBdevices to a system for the first time and copied a few filesfrom system to USB using different modes. To be able tothe compare the changes, we took a snapshot of MACtimes, before and after files were copied from the system.Table 4 below shows the operations performed on the filesand the files’ original MAC times. Thereafter, the Registryfiles of the system were extracted and analyzed usingr parse.pl. The analysis process is discussed step bystep in section 4 for an USB device.DateDateOperationModified Date Created AccessedPerformedFeather2/28/20062/28/2006 12/13/2011Copy PasteTexture.bmp2:00 AM2:00 AM9:21 PMGone2/28/20062/28/2006 12/13/2011Send-toFishing.bmp2:00 AM2:00 AM9:21 PMOptionGreen2/28/20062/28/2006 12/13/2011MoveStone.bmp2:00 AM2:00 AM9:21 PM(Cut Paste)ie7beta2.log11/21/2011 11/21/2011 11/21/2011Rename4:47 PM4:43 PM4:47 PMii6.log11/21/2011 4/25/2006 11/21/2011Edit5:54 PM6:00 PM5:54 PMie7.log11/21/2011 11/21/2011 11/21/2011Open5:54 PM5:52 PM5:54 PM (double click)Prairie2/28/20062/28/2006 12/13/2011 Save throughWind.bmp2:00 AM2:00 AM9:21 PMSave-AsRiver2/28/20062/28/2006 12/13/2011 Open throughSumida.bmp2:00 AM2:00 AM9:21 PMexplorerTable 4: Files’ original MAC times and operations performed on themFile nameFor the sake of simplicity, this work we have assumedthat the system fingerprints were not removed deliberatelyby the user, and are present within the registry and otherlocations.IV. RESULTS AND DISCUSSIONSThe result of the systematic analysis for one USB deviceis follows:A. setupapi.log fileThe setupapi.log file is analyzed to find the entriesrelated to driver installations for the USB device whenconnected to the system for the first time. The figure 4.1below shows the entries created for the USB device inquestion. The device unique instance-id, ParentId prefixand the time-stamp values are highlighted.Figure 4.1 (a): Entries of setupapi.log for a “SanDisk Cruzer Blade” USBdrive with 4GB capacity was connected to the system for the first time.4430

Tanushree Roy et al, / (IJCSIT) International Journal of Computer Science and Information Technologies, Vol. 3 (3) , 2012, 4427- 4433C. Finding the drive the USB was mountedThe above USB was mapped to E: drive and we got thevalues as below.Figure 4.1 (b): Entries of setupapi.log for a “SanDisk Cruzer Blade” USBdrive with 4GB capacity was connected to the system for the first timeB. Registry entries in SYSTEM and ntuser.dat hiveThe registry keys retrieved for the device from theSystem hive using our parser is shown in figure 4.2.D. Finding the user profile through which USB device 693df12} was found in the ntuser.dat hive of theuser 1. This means the system user 1 must have connectedthe USB to the system.E. Time the drive was last connected to the systemThe time USB device was first connected to a systemcan be found from the setupapi.log file and thecorresponding entries in the Registry shows the last timethe USB device was connected to the system. To associatethis time with the actual time, the Registry e Zones, present in the Softwarehive is checked.F. Find if files were opened or copied to USBWe look for entries corresponding to the USB driveletter in the ntuser.dat hive of the identified user (if notdeleted explicitly) under the following keys (see figure 32\LastVisitedMRUFigure 4.2 (a): Registry values for the USB device in question.Figure 4.2 (b): Registry values for the USB device in question.Figure 4.3: An excerpt of the result showing values of RecentDocsRegistry key of the identified user.4431

Tanushree Roy et al, / (IJCSIT) International Journal of Computer Science and Information Technologies, Vol. 3 (3) , 2012, 4427- 4433H. Analysis of the confiscated USB deviceUpon knowing the user profile through which the USBdevice was connected, a case may be build up against theowner of that profile. After confiscating the USB devicefrom that person, a thorough analysis of device’s filesystem is done to find the copied files. We found the files inthe USB device and their MAC times were compared to theoriginal files.OperationPerformedCopy PasteSend-toOptionMove (Cut Paste)RenameEditFigure 4.4: An excerpt of the result showing values of OpenSaveMRURegistry key of the identified user.From the figure 4.4, it is evident that the files PrairieWind.bmp was opened from the system (C:\) then saved toUSB (E:\) while River Sumida.bmp was opened only. Thisfact is derived from the entry in OpenSaveMRU. Also thefiles ie7.log and ii6.log was accessed through explorer,found from entry in RecentDocs (figure 4.3). However, thefiles that were copied or moved to USB using the contextmenu option, has no entry is made in the Registry.G. Analysis of the file MAC timesWhen we access (i.e., copy, move, open or edit) a file,their MAC (modified, accessed, created) times getsupdated. The MAC times of the files suspected of beingcopied is checked and compared to the time obtainedthrough Registry analysis. It was observed from MACtimes of files in the system that, access times are changedfor the files in question and is same as the time the USBdevice was connected. Hence, it can be concluded that thesefiles were copied.OperationPerformedFeatherCopy een(CutStone.bmp Paste)File Sumida.bmpRenameEditOpen(double teAccessed5/4/201211:50 AM5/4/201211:55 AMFile Not nge5/4/201211:55 AM5/4/201211:56 AM5/4/201211:55 AMNochangeNochange5/4/201211:59 AMNochangeNochange5/4/201212:01 AMTable 5: Change in MAC times of files present in the ughexplorerDateModifiedSame asoldSame asoldSame asoldSame asoldTimeModifiedDateCreatedNew, timeof copyNew, timeof copySame asOldNew, timeof copyNew, timeof copySame asoldNew, timeof copyNew, timeof saveNew, timeof saveSame asoldNew, timeof copyDate AccessedSame as dateCreatedSame as dateCreatedNew, time ofmoveSame as dateCreatedSame as date timeModifiedAccess TimeNew, time ofsaveSame as dateCreatedTable 6: Comparison of MAC times of files found in USB with theoriginal files present in the system.Hence, from setupapi.log file, we found the time theUSB device (Unique ID- 200402033009D8D25377&0,ParentID Prefix- 7&251e0f1a&0) was connected to thesystem. The last write times of the corresponding registrykeys matched this time. This device was mapped to E: driveand has been connected to the system by User 1. The entriesin RecentDocs and OpenSaveMRU key establish the factthat those files were saved E: drive. Finally by analyzingthe MAC times of files, details of files copied is found.The table 7 below summarizes the steps followed ininvestigating this case and table 8 lists how to track thespecific file transfers.Sl.Action PerformedNo.1 Capture registry files from the systemFind the time the USB device was connected2to the systemCheck the first time the USB device was3connectedFind the drive letter to which the device was4 mounted, match with the time obtained instep 2 and step 3Find through which user profile the USB5drive was connected to the systemFind if files were opened or saved through6 explorer, match path with the drive letterobtained in step 4Find if the valueNtfsDisableLastAccessUpdate7is enabled; MAC time of files are checked ifvalue is set to 1Subject ofAnalysis–registry hiveSYSTEMSetupapi.logregistry hiveSYSTEMregistry hiventuser.datregistry hiventuser.datregistry hiveSYSTEM4432

Tanushree Roy et al, / (IJCSIT) International Journal of Computer Science and Information Technologies, Vol. 3 (3) , 2012, 4427- 4433Sl.No.8910111213Subject ofAnalysisMAC time ofFind if files were copied by other modesfiles presentin the systemUnallocatedCheck for deleted files in the systemspace of thesystemOnce it is established that files were copied, case is build upagainst the person using that identified user profile and hisUSB device is confiscated for analysisCheck for files in USB device, if foundMAC time ofcompare with original filefiles in USBUnallocatedIf files not found in the USB device, look inspace of USBdeleted spacedeviceEstablish file copy by comparing the hash values of originalfiles present in the system and files obtained from the USBAction PerformedTable 7: Steps followed in examining file copy to an USB.OperationPerformedTracking Method / Footprint Present InCopy PasteSend-to OptionMove (Cut Paste)RenameEditOpen(doubleclick)Save throughSave-AsOpen throughexplorerFile System analysis of system and USB,MAC times comparedFile System analysis of system and USB,MAC times comparedFile System analysis of system and USB,MAC times comparedFile System analysis of system and USB,MAC times comparedRecentDocs Registry keyRecentDocs Registry keyRecentDocs Registry keyOpenSaveMRU Registry keyTable 8: Tracking specific file 3]REFERENCESCarvey, H., The Windows registry as a forensic resource, DigitalInvestigation, vol. 2(3), pp. 201–205, Elsevier 2005.Chang, K., Kim, G., Kim, K. and Kim, W., Initial Case AnalysisUsing Windows Registry in Computer Forensics, Future GenerationCommunication and Networking, Volume 1, 6-8 Dec. 2007Page(s):564 – 569. [Online] DOI: 10.1109/FGCN.2007.151[Accessed 02/11/2011].Dashora, K., Tomar, D. S. and Rana, J. L., A Practical Approach forEvidence Gathering in Windows Environment, International Journalof Computer Applications, Volume 5(10), August 2010.Farmer, D. J., A Forensic Analysis of Windows Registry, Availableonline from yquick-reference.pdf, 2007.Farmer, D. J., A Windows Registry Quick Reference: for ners.com/forensics/contents/A Forensic Examination of the Windows Registry.pdf, 2009.Kim, Y. and Hong, D., Windows Registry and Hiding Suspects’Secret in Registry, In the Proceedings of the 2008 InternationalConference on Information Security and Assurance, IEEE 2008.Manchanda, M., Manchanda, V., Gupta, V., Bisht, M., ForensicInvestigation of Window Registry, International Transactions inApplied Sciences, Volume 2(1), pp. 11-21, January 2010.Morgan, T., D., The Windows NT Registry File Format df, June 2009.Norton Cyber Crime report, 2011, Symantec Corporation, /us/home homeoffice/html/cybercrimereport/, [accessed April 2012].Russinovich, M. E. and Solomon, D. A., Management Mechanismsin Windows Internals Covering Windows Server 2008 and WindowsVista, (Fifth Edition), Microsoft Press, 2009.Windows Registry information for advanced users, .microsoft.com/kb/256986, [accessed April 2012].WinHex, , WinHex: Computer Forensics & Data Recovery Software,Hex Editor & Disk Editor, Available online from http://www.xways.net/winhex/Wong, L. W., Forensic Analysis of the Windows Registry. icfocus.com/index.php?name Content&pid 73&page 1, 2007.V. CONCLUSION AND FUTURE SCOPEForensic investigations play a significant role in today'sworking and legal environments, and thus it should becarefully considered. The evidence provided in the registryis the most significant source of any investigation. Theactions performed on the computer gives the examiner aninsight of the system. Thus, a careful analysis of theWindows system Registry from a forensic point of view isthe need of the hour and a hot area of research in the presentscenario.This paper has gathered and verified the existingknowledge about the registry hive files. We also attemptedto exhibit the importance of registry analysis bydemonstrating how it can help an investigator to progress ina case of tracking data transfer from

generating a forensic timeline of the events that has occurred in a system. Documentation regarding the Registry internal structure has been provided in detail by Russinovich [10]. . Tanushree Roy et al, / (IJCSIT) International Journal of Computer Science and Information Technologies, Vol. 3 (3) , 2012, 4427- 4433 4427. III. METHODOLOGY A .