Windows Registry and Forensics - Hacking by Solis Tech: How to Hack Computers, Basic Security and Penetration Testing (2014)

Chapter 23: Windows Registry and Forensics

Since you are now aware that hackers leave trails on their target's computer that can be linked back to their own, it is time to learn how to actually find these trails and preserve them as evidence.

Here is something that many newcomers overlook: on a Windows target, a large share of the artifacts an intruder leaves behind (persistence entries, recently opened files, typed URLs, network configuration, attached devices) is recorded in a single database, the registry. It is not the only source of evidence (event logs, prefetch files and file-system timestamps matter just as much), but it is the first place an investigator looks.

What the Windows Registry Does

Almost all Windows users know that there is such a thing as the Windows Registry in their system, but only a few understand how to locate and read it. For a forensic investigator the registry is a primary source of evidence: it records how the system's software and hardware are configured, what users have recently done, and, through the last-write timestamp carried by every key, when a change was made. Because per-user settings live in each user's own hive file (NTUSER.DAT, loaded under HKEY_USERS), it can often tell which account made the change.

Within the Windows Registry are five root keys, which are often loosely referred to as hives. Strictly speaking, a hive is one of the files on disk (SAM, SECURITY, SOFTWARE and SYSTEM under \Windows\System32\config, plus each user's NTUSER.DAT) from which these trees are loaded.

HKEY_USERS (HKU) – houses all the user profiles currently loaded into the operating system

HKEY_CURRENT_USER (HKCU) – the profile of the user who is logged on; it is a link to that user's subtree under HKEY_USERS

HKEY_CLASSES_ROOT (HKCR) – file-type associations and the configuration of the applications used to open files

HKEY_LOCAL_MACHINE (HKLM) – machine-wide configuration, including every software and hardware setting

HKEY_CURRENT_CONFIG (HKCC) – the hardware configuration profile the system used at startup

When you type "regedit" into the Windows search bar and run it, the editor shows these root keys and their nested subkeys in the left pane, and the values stored in the selected key in the right pane. A value has a name, a type and data: small settings are usually REG_DWORD numbers (an on/off flag is 0 or 1), paths and URLs are REG_SZ strings, and more complex data is REG_BINARY, which regedit displays as hexadecimal with an ASCII rendering beside it. Every key also carries a last-write timestamp; regedit does not show it, but forensic tools do, and it is often the only date you have for a change.

From this, you can see the following information and more:

1. Devices that have been attached to the system, including USB flash drives, external hard drives, phones, keyboards and audio devices

2. Files recently opened through Explorer and the standard Open/Save dialogs, in order of most recent use

3. Wireless networks the system has joined and when it last connected to each

4. Most recently used programs

5. User profiles and when each user last logged on

6. Searches typed into the Explorer search box

Now that you know what the registry records, what remains is learning where to look for the traces left during an unauthorized access or attack on the computer you are investigating.

RecentDocs Key

If you suspect that your computer has been breached, the first thing you will want to know is whether an unauthorized user has opened any of your sensitive files. You can find that out at this location:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs

If you are trying to see whether an attacker has opened a Word file, check the list of recently opened .doc or .docx files: each extension has its own subkey in the left pane, and the parent RecentDocs key lists files of every type. Select a numbered value and regedit shows its data in hex on the left and an ASCII rendering on the right; the file name is stored as UTF-16, so in the ASCII column every other character appears as a dot. The MRUListEx value in each key gives the order in which the entries were used, most recent first. Bear in mind that this key is written by the Windows shell: files opened from a command prompt, by a script, or by a program that bypasses the standard Open dialog leave no entry here.

Now, if you are looking for evidence of a breach, you will want to find any file that does not belong on your system. Here is an example: a .tar archive is uncommon on Windows but routine on Linux or Unix systems, and it does the same job as a .zip file. If one turns up in RecentDocs on a machine where nobody uses such archives, ask how it got there and who opened it. A tar file does not run by itself, but attackers do use archives to bring their tools onto a host, so its contents and its timestamps may tell you what was staged, and when.
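The ordering and decoding described above, as an added example that is not from the book: the script parses a RecentDocs key offline. The key contents are constructed sample data shaped the way an offline hive parser (or winreg on a live host) would return them, the shell-item trailer after the file name is simplified, and the list of document types the owner normally works with is an assumption for this host.

```python
import struct

# Constructed sample of the values under HKCU\...\Explorer\RecentDocs. Each
# numbered value holds the file name as null-terminated UTF-16LE followed by a
# shell item naming the matching .lnk; the trailer built here is simplified.
def _recentdocs_value(name):
    return (name.encode("utf-16-le") + b"\x00\x00"
            + (name + ".lnk").encode("ascii", "replace") + b"\x00")

# MRUListEx: little-endian DWORD indices, most recent first, 0xFFFFFFFF ends it.
SAMPLE_RECENTDOCS = {
    "0": _recentdocs_value("Budget2014.docx"),
    "1": _recentdocs_value("passwords.docx"),
    "2": _recentdocs_value("Résumé.pdf"),
    "3": _recentdocs_value("tools.tar"),
    "MRUListEx": struct.pack("<5I", 3, 1, 0, 2, 0xFFFFFFFF),
}

# Assumed for this host: the document types the owner actually works with.
EXPECTED_SUFFIXES = (".doc", ".docx", ".xlsx", ".pdf", ".txt")


def parse_recentdocs_name(data):
    """File name: UTF-16LE up to the first 2-byte null on an even offset."""
    for i in range(0, len(data) - 1, 2):
        if data[i] == 0 and data[i + 1] == 0:
            return data[:i].decode("utf-16-le", errors="replace")
    return data.decode("utf-16-le", errors="replace")


def parse_mrulistex(data):
    """Value indices in most-recent-first order."""
    order = []
    for off in range(0, len(data) - 3, 4):
        (idx,) = struct.unpack_from("<I", data, off)
        if idx == 0xFFFFFFFF:
            break
        order.append(idx)
    return order


def recent_docs(key_values):
    """File names in MRU order. An index with no matching value is skipped:
    the entry was removed but the list still references it."""
    names = []
    for idx in parse_mrulistex(key_values.get("MRUListEx", b"")):
        raw = key_values.get(str(idx))
        if raw is not None:
            names.append(parse_recentdocs_name(raw))
    return names


def unexpected_documents(key_values):
    """Entries whose extension is not one the owner normally uses."""
    return [n for n in recent_docs(key_values)
            if not n.lower().endswith(EXPECTED_SUFFIXES)]


if __name__ == "__main__":
    odd = set(unexpected_documents(SAMPLE_RECENTDOCS))
    for name in recent_docs(SAMPLE_RECENTDOCS):
        print(name + (" <-- unexpected type" if name in odd else ""))
```

The MRU order is the point: regedit lists the numbered values in name order, which says nothing about when they were used, while MRUListEx does. The unexpected-type filter only surfaces candidates; the extension list must be adjusted to what the machine's owner really uses.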

Typed URLs Key

When you type a URL into Internet Explorer's address bar, that address is also stored in your registry at this path:

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs

The values url1, url2, and so on hold the addresses, with url1 the most recent; only URLs typed (or picked from the address bar's suggestions) are recorded, not every page visited. On Windows 8 and later the sibling key TypedURLsTime stores, under the same value names, the time each was typed as a FILETIME. If you do not use this browser, any entry here needs explaining: an intruder working through a remote session may use IE, the browser that is always present, to download a payload. The entries can also reveal what the user was looking at, or trying to find, when the attack took place.

Stored IP Addresses

The registry holds the network configuration of every interface the computer has used, not the addresses of the remote machines it has talked to. For each interface there is a subkey under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces, named by the interface's GUID, with values such as DhcpIPAddress, DhcpServer, DhcpDefaultGateway, LeaseObtainedTime and LeaseTerminatesTime (the last two are REG_DWORD seconds since 1970).

These values tell you which address and gateway the machine had, and when the DHCP server leased them, which lets you place the host on a particular network at the time of an intrusion and match it against the DHCP, firewall or proxy logs that actually record the remote side. Wireless profiles under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles add the network name and the dates it was first and last connected. An attacker's own IP address is not written to the registry; for that you need the event logs, the Windows Firewall log or a network capture.
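The two time encodings met in the last two sections, as an added example that is not from the book: TypedURLsTime stores a FILETIME and the interface key stores Unix epoch seconds, and both have to be converted to UTC before they can be put on one timeline. The TypedURLs, TypedURLsTime and interface values below are constructed sample data in the shape the registry stores them.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_iso(raw):
    """8-byte little-endian FILETIME (100 ns ticks since 1601-01-01 UTC) -> ISO 8601."""
    (ticks,) = struct.unpack("<Q", raw)
    return (FILETIME_EPOCH + timedelta(microseconds=ticks // 10)).isoformat()


def unix_to_iso(seconds):
    """REG_DWORD seconds since 1970-01-01 UTC -> ISO 8601."""
    return datetime.fromtimestamp(seconds, tz=timezone.utc).isoformat()


# Constructed sample of HKCU\Software\Microsoft\Internet Explorer\TypedURLs
# (REG_SZ url1, url2, ...) and TypedURLsTime (REG_BINARY FILETIME, same names).
TYPED_URLS = {
    "url1": "http://evil.example/payload.exe",
    "url2": "https://www.bing.com/",
    "url10": "http://intranet/",
}
TYPED_URLS_TIME = {
    "url1": struct.pack("<Q", 130460976000000000),  # 2014-06-01 12:00:00 UTC
    "url2": struct.pack("<Q", 130460112000000000),  # one day earlier
}

# Constructed sample of one HKLM\...\Tcpip\Parameters\Interfaces\{GUID} subkey.
INTERFACE = {
    "DhcpIPAddress": "192.168.1.23",
    "DhcpServer": "192.168.1.1",
    "DhcpDefaultGateway": ["192.168.1.1"],
    "LeaseObtainedTime": 1401580800,    # 2014-06-01 00:00:00 UTC
    "LeaseTerminatesTime": 1401667200,  # 2014-06-02 00:00:00 UTC
}


def _url_index(name):
    # "url10" -> 10; a plain string sort would put url10 before url2
    return int(name[3:])


def typed_urls_timeline(typed_urls, typed_urls_time=None):
    """(url, iso_time_or_None) pairs, url1 first; a missing time is None, not guessed."""
    times = typed_urls_time or {}
    rows = []
    for name in sorted(typed_urls, key=_url_index):
        stamp = times.get(name)
        rows.append((typed_urls[name], filetime_to_iso(stamp) if stamp else None))
    return rows


def lease_window(interface):
    """Decode the lease-related values of one interface subkey."""
    return {
        "address": interface.get("DhcpIPAddress"),
        "server": interface.get("DhcpServer"),
        "gateway": interface.get("DhcpDefaultGateway"),
        "obtained": unix_to_iso(interface["LeaseObtainedTime"]),
        "terminates": unix_to_iso(interface["LeaseTerminatesTime"]),
    }


def address_during(interface, when_iso):
    """The host's own address if the recorded lease covered the given moment
    (an aware ISO 8601 string), else None. The registry keeps only the last
    lease, so None means 'not this lease', not 'no address'."""
    when = datetime.fromisoformat(when_iso)
    start = datetime.fromtimestamp(interface["LeaseObtainedTime"], tz=timezone.utc)
    end = datetime.fromtimestamp(interface["LeaseTerminatesTime"], tz=timezone.utc)
    return interface.get("DhcpIPAddress") if start <= when <= end else None


if __name__ == "__main__":
    for url, when in typed_urls_timeline(TYPED_URLS, TYPED_URLS_TIME):
        print(when or "unknown time", url)
    print(lease_window(INTERFACE))
    print(address_during(INTERFACE, "2014-06-01T12:00:00+00:00"))
```

Keep every converted time in UTC; registry timestamps are not in local time, and mixing the two is the commonest way to put events in the wrong order.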

Startup Locations

Forensic investigators make a point of knowing every application and service that is set to start whenever the target computer boots. A typical example is malware, or a listening payload, that must run at each boot so the attacker can reconnect to the victim's device. Finding one such entry also tells you what to look for elsewhere: the same binary, or the same name, often appears in several of the locations below, and the set of places the attacker has touched shows what they wanted to survive a reboot and what they wanted to watch.

The location hackers use most is this:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

Anything registered under this key runs every time a user logs on, whichever user that is, alongside the legitimate programs listed there. For this reason it is also the first place to check whether a rootkit or other malicious software has been set to run. Pay attention to the full command line of each value: a program in a user-writable folder such as AppData or Temp, or a file named like a Windows system binary (svchost.exe, lsass.exe) that lives outside System32, deserves a close look.

RunOnce Startup

If you suspect that a file was set to run only once at the next startup (an installer or a clean-up step), you will most likely find it here:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce

Windows deletes each value from this key once it has run, so an empty RunOnce does not prove nothing was staged; the key's last-write timestamp still tells you when it was last changed.

Startup Services

You may sometimes notice that several services on your computer (particularly the ones you rely on to deter intrusions) no longer seem to load at startup. To see whether their settings have been altered to let a malicious file in without your knowledge, look at this path:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services

Each service has its own subkey. The Start value gives its startup type (0 = boot, 1 = system, 2 = automatic, 3 = manual, 4 = disabled), and ImagePath gives the executable or driver it runs. A defensive service whose Start has become 4, or a service that starts automatically from an unusual location, is what you are looking for.

Start When a Specific User Logs In

If you suspect that strange behavior on your computer happens only when a particular user logs in, check whether a program is set to run from that user's profile at this path:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

Unlike the HKEY_LOCAL_MACHINE key, this one lives in the user's own NTUSER.DAT and needs no administrative rights to write, which is why an attacker who has only a low-privilege account prefers it. When examining a disk image rather than a live system, load each user's NTUSER.DAT and check the same subkey for every account.
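A triage of the four startup locations above, as an added example that is not from the book. The Run, RunOnce and Services contents are constructed sample data in the shape the registry stores them; the environment-variable expansions, the list of user-writable folders and the watchlist of defensive service names are assumptions that would be adjusted for the host being examined.

```python
import ntpath

# Assumed expansion of variables as they appear in registry paths; a live
# host would use its real environment instead.
ENV = {
    "%windir%": "C:\\Windows",
    "%systemroot%": "C:\\Windows",
    "%temp%": "C:\\Users\\bob\\AppData\\Local\\Temp",
    "%appdata%": "C:\\Users\\bob\\AppData\\Roaming",
}
# Assumed: folders a non-admin user can write to, hence favoured by malware.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
# Names that belong in System32; the same name elsewhere is a masquerade.
SYSTEM_BINARY_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "explorer.exe"}
# Assumed watchlist of defensive services that should never be disabled.
SECURITY_SERVICES = {"WinDefend", "MpsSvc", "wscsvc", "EventLog"}
SERVICE_START = {0: "Boot", 1: "System", 2: "Auto", 3: "Manual", 4: "Disabled"}
EXEC_EXT = (".exe", ".sys", ".dll", ".bat", ".cmd", ".ps1", ".vbs")

# Constructed samples: Run/RunOnce values (name -> command) and service keys.
RUN_HKLM = {
    "SecurityHealth": "%windir%\\system32\\SecurityHealthSystray.exe",
    "Updater": "C:\\Users\\bob\\AppData\\Roaming\\svchost.exe -h",
}
RUNONCE_HKLM = {"Cleanup": "C:\\Windows\\Temp\\run.bat"}
RUN_HKCU = {
    "Adobe": '"C:\\Program Files\\Adobe\\reader.exe" /start',
    "Backup": "C:\\Program Files\\Acme Backup\\agent.exe /silent",
}
SERVICES = {
    "WinDefend": {"Start": 4, "ImagePath": '"C:\\Program Files\\Windows Defender\\MsMpEng.exe"'},
    "Tcpip": {"Start": 1, "ImagePath": "System32\\drivers\\tcpip.sys"},
    "RemoteHelper": {"Start": 2, "ImagePath": "C:\\ProgramData\\rh\\helper.exe"},
}


def expand(path):
    """Expand the assumed variables and the ImagePath shorthands drivers use."""
    out = path
    for var, val in ENV.items():
        i = out.lower().find(var)
        while i != -1:
            out = out[:i] + val + out[i + len(var):]
            i = out.lower().find(var)
    low = out.lower()
    if low.startswith("\\systemroot\\"):
        out = "C:\\Windows" + out[len("\\SystemRoot"):]
    elif low.startswith("system32\\"):
        out = "C:\\Windows\\" + out
    return out


def executable_path(command):
    """The program a Run value or ImagePath actually launches, arguments removed."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        raw = command[1:end] if end != -1 else command[1:]
    else:
        tokens = command.split()
        raw = tokens[0] if tokens else ""
        acc = []
        for tok in tokens:  # unquoted path with spaces: join tokens up to
            acc.append(tok)  # the first one ending in an executable extension
            if tok.lower().endswith(EXEC_EXT):
                raw = " ".join(acc)
                break
    return expand(raw)


def unquoted_with_spaces(command):
    return not command.strip().startswith('"') and " " in executable_path(command)


def path_findings(exe):
    low = exe.lower()
    reasons = []
    if low.startswith(USER_WRITABLE_PREFIXES):
        reasons.append("runs from a user-writable location")
    if ntpath.basename(low) in SYSTEM_BINARY_NAMES and not low.startswith("c:\\windows\\system32\\"):
        reasons.append("system binary name outside System32")
    return reasons


def triage_run_entries(location, entries):
    """(location, value name, reason) for every suspicious Run/RunOnce value."""
    findings = []
    for name, command in entries.items():
        reasons = path_findings(executable_path(command))
        if unquoted_with_spaces(command):
            reasons.append("unquoted path with spaces")
        findings.extend((location, name, r) for r in reasons)
    return findings


def triage_services(services):
    """Same for service keys, plus a check that defensive services still start."""
    findings = []
    for name, values in services.items():
        start, image = values.get("Start"), values.get("ImagePath", "")
        reasons = []
        if name in SECURITY_SERVICES and start == 4:
            reasons.append(f"security service disabled (Start={start}, {SERVICE_START[start]})")
        reasons += path_findings(executable_path(image))
        if unquoted_with_spaces(image):
            reasons.append("unquoted path with spaces")
        findings.extend(("Services", name, r) for r in reasons)
    return findings


if __name__ == "__main__":
    for f in (triage_run_entries("HKLM Run", RUN_HKLM) + triage_run_entries("HKLM RunOnce", RUNONCE_HKLM)
              + triage_run_entries("HKCU Run", RUN_HKCU) + triage_services(SERVICES)):
        print(*f, sep=" | ")
```

The output is a worklist, not a verdict: legitimate software does sometimes start from AppData, and a disabled security service may have been turned off by the owner. What the checks buy you is a short list to compare against the key timestamps and the event log.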

Of course, a skilled criminal hacker knows how to use this same information to conceal his tracks: entries can be deleted, timestamps altered, and a payload given a name that looks like a Windows component. For this reason it is wise to be familiar with the tools an attacker may have at hand, and equally wise to know what your own system's normal state looks like, since you can only recognise a change if you know what was there before.