
Windows Registry Analysis for Forensic Investigation

Faculty of Computer and Mathematical Sciences, Universiti Teknologi MARA (UiTM), Malaysia
Abstract- Cyber attacks come in various approaches and forms, either internal or external. Remote access and spyware are forms of cyber attack that leave an organization susceptible to vulnerability. This paper investigates illegal activities and potential evidence of cyber attack by studying the registry of the Windows Home Premium (32-bit) operating system when the Virtual Network Computing (VNC) application and a keylogger application are used. The aim is to trace the registry artifacts left by an attacker who connected using the Virtual Network Computing (VNC) protocol within the Windows Operating System (OS). The analysis of the registry focused on detecting unwanted applications or unauthorized access to the machine with regard to the user activity via the VNC connection, for potential evidence of illegal activities, by investigating the Registration Entries file and the image file using the Forensic Toolkit (FTK) Imager. The outcome of this study is the findings on the artifacts which correlate to the user activity.
Keywords- computer artifacts, Virtual Network Computing (VNC), digital forensics, registry
I. INTRODUCTION
The increasing use of an online workforce has exponentially increased the cyber attack threat [1]. According to the 2012 Data Breach Investigations Report [2], the most common attack experienced is malware. In 2011, spyware, a form of malware, stood at 48% of top malware threats [2]. Spyware refers to computer technology that gathers information such as recorded keystrokes (passwords), a list of web sites visited by the user, and applications or operating systems (OS) that are installed on the computer, without the user's knowledge or consent [3]. The online workforce has cultivated the implementation of remote access technologies to economically support computer configuration and network issues at the client location [4]. The use of remote access has an influence on cyber attacks due to the operating system and spyware usage [4]. Forensic investigation is about finding sufficiently reliable evidence related to cyber attacks that can be used in court [5].
A keylogger is a type of spyware that is widely used in large organizations to monitor their system network [1]. It has features to monitor the keyboard (keystroke recorder, password tracker and clipboard monitor) and application activity by secretly taking screenshots, recording applications launched and tracking printed documents [1].
Virtual Network Computing (VNC) is one of the remote connectivity applications increasingly used in organizations; however, it has been exploited for illegal activities [4]. These illegal activities might influence organizations to discontinue using the technology despite the flexibility that remote access offers in facilitating the business process.
978-1-4673-5613-8/13 ©2013 IEEE
Microsoft Windows, a popular operating system due to its ease of use and effective GUI, has become the most attacked [6-7]. Statistics by StatCounter GlobalStats show that the three OS (Feb 2011 to Feb 2012) were all from the Windows OS family [6]. As the Windows source code is unavailable, forensic analysis of a Windows system becomes a challenging task for investigators [7].
Forensic analysis can be initiated by investigating the Windows registry [7]. The Windows Registry is a central repository or hierarchical database of configuration data for the operating system and most of its programs [8], which contains abundant information that has potential evidential value in forensic analysis [9]. Digital forensic examination helps to prove any activity that took place in the past and also to identify the person that may have been using the machine. This can be achieved by looking at the artifacts, which are any objects created by the software, either during installation or whilst the program is being used, and which usually take the form of files or registry entries [10].
Based on the above brief introduction, keyloggers, VNC and the Windows OS seem to be very popular, yet information related to their forensic analysis is scarce. This paper investigates the evidence from the Windows registry of keylogger and VNC activities on the Windows 7 OS. The next sections provide an explanation of the experimental design, analysis, findings and finally the conclusion.
II. EXPERIMENTAL DESIGN
The overall methodology for this study can be viewed in Fig. 1. The study begins with data collection from the user directory and the Windows system directory. The data is then imaged prior to the experimental scenario for reference. The data is imaged once again after the experimental scenario, and finally the analysis is done using Yet Another Registry Utility (YARU) [11].
[Fig. 1 flowchart: data collection, export of the registry image to disk, experimental scenario, export of the registry image to disk again, analysis]
Fig. 1. Overall Research Methodology
A. Data Collection
The primary data collected in this study was the registry hive files, which include ntuser.dat and UsrClass.dat from the Users directory and Default, System, Software, Security and SAM from the Windows\System32\Config directory.
Both files, i.e. the registry file and the AD1 file extracted using the Forensic Toolkit (FTK) Imager, were exported prior to the experiment and after the experiment. Table I lists the registry files and their locations for the Windows 7 OS for the evaluation of possible artifacts.
Table I. Registry files location
No.  Registry file   File path
1.   NTUSER.dat      C:\Users\<username>\NTUSER.DAT
2.   UsrClass.dat    C:\Users\<username>\AppData\Local\Microsoft\Windows\UsrClass.dat
3.   Default         C:\Windows\System32\Config\DEFAULT
4.   System          C:\Windows\System32\Config\SYSTEM
5.   Software        C:\Windows\System32\Config\SOFTWARE
6.   Security        C:\Windows\System32\Config\SECURITY
7.   Sam             C:\Windows\System32\Config\SAM
B. Experimental Scenario
The experimentation in this study was carried out by performing a scenario-based test. The implementation is on VMware, and a client and a server (Windows 7 Operating System (32-bit)) were configured. Four scenarios were created as shown in Table II. The registry backup file (.reg) and AD1 file (.ad1) were evaluated for the existence of the outcome defined in each scenario. The .reg files are the Registration Entries files exported from the Windows Registry Editor, and the .ad1 file is an image file collected using the FTK Imager which contains all the registry files.
Table II. List of Test Scenarios
1. Task/Activity:
   - Physically accessed the computer and installed RealVNC Enterprise Edition
   Expected Outcome:
   - Registry key of RealVNC created on the SOFTWARE registry file
2. Task/Activity:
   - Remotely accessed the computer via VNC
   - Created hidden user account User01 with Administrator privilege on the computer
   Expected Outcome:
   - VNC session values captured in the registry
   - User account registry key created on the SAM registry file
   - User01 hidden from the Windows Logon and Control Panel
3. Task/Activity:
   - Remotely accessed the computer via VNC
   - Installed WideStep Elite Keylogger
   Expected Outcome:
   - VNC session values captured in the registry
   - No registry key of WideStep Elite Keylogger created on the SOFTWARE registry file
   - Information on the installer file is in the Map Network Drive registry key
   - Installer file originated from a mapped network drive
4. Task/Activity:
   - Physically accessed the computer
   - Uninstalled WideStep Elite Keylogger
   - Uninstalled RealVNC Enterprise Edition
   Expected Outcome:
   - No changes in the registry for the uninstall action of WideStep Elite Keylogger
   - Removal of the RealVNC registry key
C. Data Analysis
The registry and AD1 files were then analyzed in the Yet Another Registry Utility (YARU) application. Changes to the registration entries (.reg) files before and after the experiment were identified and reviewed in the Windows Registry File Viewer. Besides changes, any potential artifacts that can be extracted from the registry were also analyzed. Information gathered from these two techniques was used to map the footprints made in the registry by the experiments listed in Table II.
Fig. 2 shows an example of UsrClass.dat being exported for analysis using the FTK Imager.
[Fig. 2 screenshot: FTK Imager file list with the context menu items "Export Files...", "Export File Hash List..." and "Add to Custom Content Image (AD1)" on the UsrClass.dat entry]
Fig. 2. Exporting registry files using the FTK Imager to the analysis machine
Fig. 3 illustrates the YARU application comparing the registration entries (.reg) files. The comparison was made between before and after each task in the scenario test.
[Fig. 3 screenshot: YARU "Comparing reg files" view of task00.reg against task01.reg, listing:]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.vnc]
; new value
@="VNC.ConnectionInfo"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VNC.ConnectionInfo]
; new key
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VNC.ConnectionInfo]
; new value
@="VNC Connection Info"
Fig. 3. Results of comparison between two registration entries files
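The before/after comparison that YARU performs in Fig. 3 can be reproduced offline with a small parser for Registration Entries files. This is an added example, not the paper's or TZWorks' code; the two .reg exports are constructed here to mirror the task00.reg/task01.reg pair, and the diff also reports deleted keys, the case that the Test 4 finding later depends on.

```python
import re


def parse_reg(text):
    """Parse a Registration Entries (.reg) export into
    {key_path: {value_name: raw_data}}.  Hex data that REGEDIT wraps over
    several lines (trailing backslash) is joined before parsing."""
    keys, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):            # wrapped hex(...) data continues
            pending = line[:-1]
            continue
        if not line or line[0] == ";" or line.startswith("Windows Registry Editor"):
            continue
        if line[0] == "[" and line[-1] == "]":
            current = line[1:-1]
            keys.setdefault(current, {})   # a key may carry no values at all
            continue
        m = re.match(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$', line)
        if m and current is not None:
            name = "@" if m.group(1) == "@" else m.group(2)
            keys[current][name] = m.group(3)
    return keys


def diff_reg(before, after):
    """Report (change, key, 'name=data') tuples in the spirit of Fig. 3:
    new keys and new/changed values, plus keys that vanished (Test 4)."""
    old, new = parse_reg(before), parse_reg(after)
    report = []
    for key, values in new.items():
        if key not in old:
            report.append(("new key", key, None))
        for name, data in values.items():
            if name not in old.get(key, {}):
                report.append(("new value", key, f"{name}={data}"))
            elif old[key][name] != data:
                report.append(("changed value", key, f"{name}={data}"))
    report.extend(("deleted key", key, None) for key in old if key not in new)
    return report


# Constructed before/after exports mimicking the task00.reg / task01.reg pair
# of Fig. 3; the RealVNC class registrations are the ones the paper lists.
TASK00 = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes]
"""

TASK01 = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.vnc]
@="VNC.ConnectionInfo"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VNC.ConnectionInfo]
@="VNC Connection Info"
"Sample"=hex:01,02,\
  03
"""

if __name__ == "__main__":
    for change, key, value in diff_reg(TASK00, TASK01):
        print(f"; {change}", key, value or "")
```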
Fig. 4 shows the analysis made in the Windows Registry File Viewer. Apart from reviewing the changes, any potential artifacts that can be extracted from the registry are analyzed here.
[Fig. 4 screenshot: Windows Registry File Viewer]
Fig. 4. Results of comparison between two registration entries files
III. ANALYSIS
The image of the registry files captured before and after each test was compared to identify the registry changes. Apart from the registry changes, any value in the registry that is relevant and has the potential to be used as evidence was extracted. The artifacts extracted were only those relevant to the footprints of the user and system activities.
Test 1 found artifacts with regard to the installation of RealVNC Enterprise Edition version E4.5.4. Upon completion of the installation, the system was restarted.
Test 2 found artifacts with regard to the activity of the VNC Client (Windows Vista) accessing the VNC Server (Windows 7) via RealVNC using the VNC password. The VNC Client then created a new user account with the following attributes:
- Username: User01
- Password: password
- Privilege: Administrator
The client then accessed the Registry Editor via the Run command by entering the "regedit" keyword and set the value of User01 to '0' under the registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList to hide the User01 account from being shown on the Windows Logon. The Windows Logon is the log-on page for the user of the machine. By default in Windows 7, an icon for each user account is displayed on the page. The reason to make it invisible is to prevent the machine owner from noticing the user creation. The client then disconnected the VNC session.
Test 3 found artifacts with regard to the activity of the VNC Client (Windows Vista) accessing the VNC Server (Windows 7) via RealVNC using the VNC password. The VNC Client then mapped a network drive on the system and transferred the Elite Keylogger executable files to the user's desktop. Upon completion, the mapped network drive was disconnected and the system was restarted; consequently, the VNC session was disconnected.
Test 4 found artifacts with regard to the activity of the penetrator physically accessing the machine, then running the uninstallation of the keylogger and the RealVNC application, after which the system was restarted.
IV. FINDINGS
As for the findings, further discussion is made in this section for each of the four tests above.
A. Finding of Test 1: Physically accessed target and install RealVNC Enterprise Edition, Version E4.5.4
Several keys were created respectively. The timestamps of the registry show the timeline of the activities' occurrence. Keys that were created after the RealVNC installation are as below:
1. NTUSER.DAT\Software\RealVNC
   - Main key for the software installed
2. NTUSER.DAT\Software\RealVNC\vncconfig
   - Holds the RealVNC configuration
3. SOFTWARE\Classes\.vnc
   SOFTWARE\Classes\VNC.ConnectionInfo
   SOFTWARE\Classes\VNC.ConnectionInfo\shell\open
   - Class ID for the VNC connection
4. SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VNCMirror_is1
   - Contains the information associated with the RealVNC mirror module, such as:
     i) Setup preferences
     ii) Publisher and version of the application
     iii) Path of the uninstaller file
     iv) Application's installation date
5. SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VNCPrinter_is1
   - Contains the information associated with the RealVNC printer module, such as:
     i) Setup preferences
     ii) Publisher and version of the application
     iii) Path of the uninstaller file
     iv) Application's installation date
6. SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RealVNC_is1
   - Contains the information associated with the RealVNC application software, such as:
     i) Setup preferences
     ii) Publisher and version of the application
     iii) Path of the uninstaller file
     iv) Application's installation date
   - In this study, it was found that the perpetrator who installed the RealVNC application tried to cover up their tracks by deselecting the desktop icon and quick launch icon items so that they were not visible to the user.
7. SOFTWARE\RealVNC
   - Contains the application license number
8. SOFTWARE\RealVNC\VNC Printer
   - Printer sharing configuration with the VNC clients
9. SOFTWARE\RealVNC\WinVNC4
10. NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\?*\Count
11. UserAssist shows the user's navigation in Windows Explorer. Here, it shows the folder of the RealVNC application installer, which is F:\RIZlcorrect\RealVNC Enterprise v4.5.4\VNC Enterprise Edition 4.5.4\VNC Enterprise Edition 4.5.4_SETUP.exe
12. NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
   - RecentDocs keeps the history of the most recent documents accessed by the user. Here, RecentDocs keeps the link of VNC Enterprise Edition 4.5.4
13. SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy
   - The firewall policy was set upon installing the application to allow the VNC protocol. Two firewall rules were set, for protocol numbers 17 (UDP) and 6 (TCP).
14. SYSTEM\CurrentControlSet\Services\?*\ImagePath
   - A service image path was created in the system to register the VNC service for WinVNC4 and vncmirror.
B. Finding of Test 2: Remotely accessed target via RealVNC and create user account User01 with Administrator privilege
Upon creation of the user, several keys were created respectively. The timestamps of the registry can show the timeline of the activities' occurrence. Keys that were created for the user creation are as below:
1. SAM\SAM\Domains\Account\Users\Names\User01
   - The user key for User01 created
2. SOFTWARE\RealVNC\WinVNC4
   - The value of the RSA private key in SOFTWARE\RealVNC\WinVNC4\RSA_Private_Key was the encrypted value for the current VNC session
3. ntuser.dat\Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery\1
   - In Windows 7, the data that was run from the 'Run' command from the Windows Start button can be found in this key instead of HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU\. In this case, it shows the keyword "regedit" which was used to run the Registry Editor.
4. SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
   - The value of 0x00000000 for the User01 subkey under this registry key indicates that the User01 user account on the Windows 7 machine is hidden from the Windows Logon. This hints that the existence of this user is intended to be undisclosed, which raises suspicion, and the examiner should pay extra attention to this user account's activity.
C. Finding of Test 3: Remotely accessed target via VNC to install WideStep Elite Keylogger from a network drive
Upon installation of the WideStep Elite Keylogger application, no keys were created specifically for the keylogger application. However, the registry can still be used to extract other information that is suspicious. The following are the keys involved:
1. NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\?*\Count
   - The UserAssist key can be useful to track user activity. In this case the examiner can easily spot the suspicious activity, since the keylogger installer is named in a way that reflects that it is spyware.
   - The item name \\LULLABI\Public\Documents\WideStep Security Software Elite Keylogger 4.9 incl serials\ek_setup.exe shows that "ek_setup.exe" is an executable file which resides in the network folder "\\LULLABI\Public\Documents\WideStep Security Software Elite Keylogger 4.9 incl serials"
2. NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU
   - The Map Network Drive MRU lists all the content of the mapped network drive. In this case, it is the same as the UserAssist value above.
3. NTUSER.DAT\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\?*
   - The value is the same as in items 1 and 2.
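Two of the findings above translate directly into triage checks an examiner can run over an exported key listing: a DWORD of 0 under SpecialAccounts\UserList (Test 2) and a UserAssist entry for an executable launched from a UNC path (Test 3). The example below is added here and is not the paper's tooling; the registry rows are constructed, and it relies on the fact, not stated in the paper, that Windows 7 stores UserAssist value names ROT13-encoded.

```python
import codecs

# Constructed registry rows in (key path, value name, data) form, as a
# registry viewer would list them.  User01 and the ek_setup.exe UNC path are
# the values reported in Tests 2 and 3; the UserAssist GUID is the Windows 7
# executable-file GUID; the "Guest"=1 row and the local regedit row are decoys.
USERLIST = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList"
USERASSIST = (r"NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer"
              r"\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count")
EK_SETUP = (r"\\LULLABI\Public\Documents\WideStep Security Software Elite "
            r"Keylogger 4.9 incl serials\ek_setup.exe")
RECORDS = [
    (USERLIST, "User01", 0),
    (USERLIST, "Guest", 1),
    (USERASSIST, codecs.encode(EK_SETUP, "rot13"), 1),
    (USERASSIST, codecs.encode(r"C:\Windows\regedit.exe", "rot13"), 3),
]


def decode_userassist(name):
    """Windows 7 stores UserAssist value names ROT13-encoded; undo that."""
    return codecs.decode(name, "rot13")


def hidden_accounts(records):
    """Accounts given DWORD 0 under SpecialAccounts\\UserList are removed
    from the Windows Logon screen (Test 2); return their names."""
    return sorted(name for key, name, data in records
                  if key.endswith("SpecialAccounts\\UserList") and data == 0)


def network_installers(records):
    """UserAssist entries that decode to an .exe launched from a UNC share
    (Test 3), i.e. an installer run straight from a mapped network folder."""
    hits = []
    for key, name, _ in records:
        if "\\UserAssist\\" not in key or not key.endswith("\\Count"):
            continue
        path = decode_userassist(name)
        if path.startswith("\\\\") and path.lower().endswith(".exe"):
            hits.append(path)
    return hits


if __name__ == "__main__":
    print("hidden accounts:", hidden_accounts(RECORDS))
    print("installers run from shares:", network_installers(RECORDS))
```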
D. Finding of Test 4: Physically accessed target and uninstall WideStep Elite Keylogger and RealVNC Enterprise Edition
Upon uninstallation of the keylogger, no registry changes were identified, since no registry keys were created during its installation. As for the RealVNC application, several changes to the registry were made. The following are the keys involved:
1. NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\?*\Count
   - The UserAssist key gives information on the uninstallation activities by providing the following items:
     i) C:\Users\WIN 7\AppData\Local\Temp\uninstall.exe
     ii) {7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\RealVNC\VNC4\Printer Driver\printerinst.exe
     iii) {7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\RealVNC\VNC4\Printer Driver\unins000.exe
     iv) {7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\RealVNC\VNC4\unins000.exe
     v) {7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\RealVNC\VNC4\vncconfig.exe
     vi) {7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\RealVNC\VNC4\Mirror Driver\unins000.exe
     vii) {7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\RealVNC\VNC4\
2. Quite a number of registry keys were removed from the registry upon the uninstallation of the RealVNC application. Such keys are:
   - SOFTWARE\RealVNC\WinVNC4
   - SOFTWARE\RealVNC\VNC Printer
   All keys above were removed except for the main key SOFTWARE\RealVNC.
3. The keys below were deleted from the path SOFTWARE\Microsoft\Windows\CurrentVersion\:
   - SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RealVNC_is1
   - SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VNCPrinter_is1
   - SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VNCMirror_is1
The analysis of the Windows registry image was done by extracting the registry entries that have forensic value to support the user activities simulated in the experiments. The findings obtained show that there are footprints within the registry to support each of the user activities. However, due to the undetectable characteristic of the keylogger, no registry keys were created upon installation of the application. Nevertheless, artifacts from other keys that relate to the attempt to install the application can be useful. On the other hand, the other illegal activities in the scenario tasks can be traced in the registry.
V. CONCLUSION / FUTURE WORK
This work aims to trace the registry artifacts left by the attacker in the Windows registry. This paper exhibits the importance of registry analysis by demonstrating the computer artifacts left by keylogger and VNC activities. Hence, we expect this work could contribute to understanding the characteristics of keyloggers, VNC and the Windows 7 operating system as part of a digital forensic investigation strategy. Future work is recommended on the comparison of registry and log files.
ACKNOWLEDGMENT
We greatly appreciate Riziana Ibrahim for her assistance. She completed her Master of Science (Information Technology) at the Faculty of Computer and Mathematical Sciences, UiTM. As part of her Master's degree, her dissertation involved an examination of the artifacts in Windows registry files.
REFERENCES
[1] P. Tuli, P. Sahu, "System Monitoring and Security Using Keylogger," International Journal of Computer Science and Mobile Computing, Vol. 2, Issue 3, 2013, pp. 106-111.
[2] Verizon RISK Team, "2012 Data Breach Investigations Report," Verizon, DBIR.
[3] M. Erbschloe, Trojans, Worms, and Spyware: A Computer Security Professional's Guide to Malicious Code. USA: Elsevier, 2005.
[4] P. Kerai, "Remote Access Forensics for VNC and RDP on Windows Platform," Australian Digital Forensics Conference, Perth, Nov. 2010, pp. 106-116.
[5] A. Sivaprasad and S. Jagale, "A Complete Study on Tools and Techniques for Digital Forensic Analysis," 2012 International Conference on Computing, Electronics and Electrical Technologies (ICCEET), 2012, pp. 881-886.
[6] StatCounter GlobalStats. [Online]. Available: http://gs.statcounter.com/#os-ww-monthly-201102-201302
[7] T. Roy and A. Jain, "Windows Registry Forensics: An Imperative Step in Tracking Data Theft via USB Devices," International Journal of Computer Science and Information Technologies, Vol. 3, Issue 3, 2012, pp. 4427-4433.
[8] S. Anson, S. Bunting, R. Johnson, S. Pearson, Mastering Windows Network Forensics and Investigation. Canada: Wiley, 2012.
[9] H. Xie, K. Jiang, X. Yuan, H. Zeng, "Forensic Analysis of Windows Registry Against Intrusion," International Journal of Network Security & Its Applications (IJNSA), Vol. 4, No. 2, March 2012, pp. 121-134.
[10] H. S. Lallie, P. J. Briggs, "Windows 7 Registry Forensic Evidence Created by Three Popular BitTorrent Clients," Digital Investigation 7, 2011, pp. 127-134.
[11] Yet Another Registry Utility (YARU), 2012 TZWorks Limited Liability Company. http://tzworks.net/prototype_page.php?proto_id=3