Friday, November 19, 2010

Diving into windows registry for forensic data

As a forensic examiner looking at a cloned system for possible timestamps of a drive-by-download attack, the Windows registry offers a few small footholds for gathering evidence (real or not). At the least, it will surely give an idea of how and when the attack happened. Assuming the system time was intact (and since the sole purpose of this exercise was to learn), having a look at the registry keys, armed with some freeware tools, provides some data. Correlation plays a key role in identifying how and when devices were connected to the system.

Freeware tools used to achieve the above are:
USB Device Viewer - A tool which provides a complete history of all removable devices connected to a Windows-based host.
http://www.nirsoft.net/utils/usbdeview.zip

Direct Registry Browser from
http://www.sysdevsoftware.com/soft/dreg.php which can be used to browse the registry in case of offline image based forensic analysis.

Registry Browser from SoftSpot Software.
http://www.softspotsoftware.com/pages/downloads/RegBrowser.zip which can be used to view the timestamps on the registry key. There is a Nirsoft tool to view the same, but I prefer using this software.

And lastly, the infamous ProcMon from Microsoft Sysinternals Lab.
The latest version can be downloaded from http://live.sysinternals.com/Procmon.exe
It can be used to learn which registry keys are being accessed while the above tools are in use.
Tip: Set a filter on the process names to reduce the output while using the above tools.

The rest is left as an exercise to the readers (??!!!): how to find out the USB devices' connection times, et al!
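One way to work through that exercise on a live host, as an added example that is not from the original post and does not use the tools listed above: a Python script that walks the USBSTOR enumeration key (the standard HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR key is assumed here; the page does not name it), parses each device subkey name, and reads each instance key's last-write time with the standard-library winreg module. The sample device names are constructed.

```python
from datetime import datetime, timedelta, timezone

# Assumed path: the standard USBSTOR enumeration key under HKLM (not named on the page).
USBSTOR_PATH = r"SYSTEM\CurrentControlSet\Enum\USBSTOR"
# Constructed sample subkey names, used when no live Windows registry is available.
SAMPLE_DEVICE_IDS = ["Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.00",
                     "Disk&Ven_Kingston&Prod_DataTraveler&Rev_PMAP"]

def filetime_to_datetime(filetime):
    """FILETIME (100-ns ticks since 1601-01-01 UTC) -> timezone-aware UTC datetime."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=filetime // 10)

def parse_device_id(device_id):
    """Split 'Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.00' into class, vendor, product, revision."""
    fields = device_id.split("&")
    info = {"class": fields[0], "vendor": "", "product": "", "revision": ""}
    names = {"Ven": "vendor", "Prod": "product", "Rev": "revision"}
    for field in fields[1:]:
        tag, _, value = field.partition("_")
        if tag in names:
            info[names[tag]] = value
    return info

def enumerate_usbstor(path=USBSTOR_PATH):
    """Walk HKLM\\<path> on a live Windows host; return [(device_id, instance_id, last_write_utc)].
    The instance key's last-write time is when Windows last updated that device's record
    (usually the most recent connection), not necessarily the first plug-in, so correlate
    it with other evidence before relying on it."""
    import winreg  # standard library, but only importable on Windows
    results = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as root:
        for i in range(winreg.QueryInfoKey(root)[0]):
            device_id = winreg.EnumKey(root, i)
            with winreg.OpenKey(root, device_id) as dev:
                for j in range(winreg.QueryInfoKey(dev)[0]):
                    instance_id = winreg.EnumKey(dev, j)  # usually the device serial number
                    with winreg.OpenKey(dev, instance_id) as inst:
                        # QueryInfoKey -> (subkey count, value count, last-write FILETIME)
                        last_write = winreg.QueryInfoKey(inst)[2]
                        results.append((device_id, instance_id, filetime_to_datetime(last_write)))
    return results

if __name__ == "__main__":
    try:
        for device_id, instance_id, ts in enumerate_usbstor():
            d = parse_device_id(device_id)
            print(f"{ts:%Y-%m-%d %H:%M:%S} UTC  {d['vendor']} {d['product']}  serial={instance_id}")
    except ImportError:  # not on Windows: just show the parsing on the constructed sample names
        for device_id in SAMPLE_DEVICE_IDS:
            print(parse_device_id(device_id))
```

Run it against a mounted image only after loading the image's SYSTEM hive under a separate key with the reg.exe load command and pointing `path` at that key, since the default path reads the examiner's own live registry.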

Happy forensics!