We’ve just gotten back from RSA Security in San Francisco. The talk went great as it seemed there were a few hundred people in the room. The jist of the presentation was that registry forensics can be useful for more than just standard forensics investigations. Co-Founder, Dr. Lodovico Marziale, went over three types of scenarios and how registry artifacts can be helpful.
First, for data exfiltration investigations, the registry can be helpful in several ways. The file names of recently opened files of various types, including doc, xls, pdf, zip, and rar files are all tracked in the registry in MRU lists. USB device usage, installed printers, and mapped network drives can all point to where sensitive data could have been pulled from/pushed to. Shellbags can uncover file and directory names that have long been deleted. Further, within the Registry Decoder (RD) UI, we can analyze these artifacts across several machines in an infrastructure at once. This quickly uncovers collusion between employees for exfiltrating sensitive data.
Second, for malware detection/analysis, the registry can contain a wealth of information. Userassist track program executions, so any suspicious exes that a user clicked can be found here. Many times malware will install itself as a service, and these, along with configuration information are all stored in the registry. Run keys are often (still) used for persistence. Image File Execution Options can be used to intercept the execution of any process and run another executable first; the intended purpose if for debuggers, but malware can use it to intercept the execution of antivirus or Windows updates. Malware trying to block update services for AV can register bogus persistent routes and these are also tracked in the registry. Plenty of fun to be had here.
The third scenario discussed was defeating anti-forensics with the registry. Malicious actors will often try to destroy file based evidence, but neglect to destroy registry resident evidence. MRU lists and Userassist can point out recently run applications and documents accessed. Shellbags maintains lists of file and directory paths for not only deleted files and folders, but also the contents of encrypted containers like TrueCrypt volumes. When a system has been timestomped timelines based on registry key LastWrite times can still shed light on previous user and system activity.
In all, the registry can be a tremendous source of information even in cases where it is not traditionally the main artifact of interest. Now go download RD and find some more cool stuff!