Linux Forensics - Week 2
March 26, 2004
This is the second in a series of Agile Risk Management LLC Linux Forensics articles. We plan on trying to release one brief article each week over the next month. Each article will outline Linux forensics techniques, tools, and procedures. We welcome your suggestions and comments, and hope you enjoy the material.
Accessing and Analyzing the Windows Registry
The Microsoft Windows Registry represents another excellent source of potential evidentiary data. Windows Registry entries contain information on user accounts, network shares, Run commands, and even manually typed URLs. We will cover the location and layout of both the Windows 9x and the NT/2000/XP Registries, two Linux tools for accessing and analyzing specific Registry files, and various high-impact Registry keys we find useful.
In our example we acquired registries from Windows XP, and using the specialized Linux tools covered below we were able to access key data and user information.
Windows Registries - Overview
The Windows Registry contains all information relevant to the operating system, hardware, software, and user accounts. Think of it as a large collection of .conf files for all manner of applications and functions. However, unlike .conf files, the Windows Registry is binary, and built around a very specific file specification. This specification is not directly available from Microsoft; however, it was reverse engineered a few years ago, and has been used by numerous projects, including Wine and Samba. More information on the reverse-engineered Windows Registry format is available here. While the document covers Windows 95/98 and Windows NT, the information presented is applicable to Windows 2000, XP, and ME.
Briefly stated, the Windows 9x/ME Registry differs greatly from the Windows NT/2K/XP Registry, so much so that none of the Linux Registry viewer applications address the older Windows 95/98/ME Registry. If your current requirements entail Windows 9x/ME Registry analysis, you must use a native Windows tool, such as Regedit.
Windows Registries - Locations & File Names
Because the Linux tools covered in the remainder of this article only address the Windows NT/2K/XP Registry, we will focus on the following Registry files.
- WINDOWS[WINNT]\SYSTEM32\CONFIG\SAM (Security Information, SAM)
- WINDOWS[WINNT]\SYSTEM32\CONFIG\SOFTWARE (HKEY_LOCAL_MACHINE\SOFTWARE), Installed Software, settings, etc.
- WINDOWS[WINNT]\SYSTEM32\CONFIG\SYSTEM (HKEY_LOCAL_MACHINE\System), System hardware, configurations, etc.
- DOCUMENTS AND SETTINGS\PROFILES\%USERNAME%\NTUSER.DAT (HKEY_CURRENT_USER\{S-1-xxx...}), User specific information.
- DOCUMENTS AND SETTINGS\PROFILES\%USERNAME%\NTUSER.MAN (HKEY_CURRENT_USER\{S-1-xxx...}), Mandatory user specific profile information.
Gaining access to the above files is a simple process: use one of the accepted Linux forensics tools, including Sleuthkit, foremost, or fatback, to extract the files listed above from the image. More information on these tools, their usage, and their source code is available at opensourceforensics.org.
Once the Registry file(s) have been extracted, one of the following two tools should be used to analyze their contents.
CHNTPW (Change NT Password)
CHNTPW is a well-designed and well-thought-out tool made famous by its ability to modify SAM entries, effectively allowing the user to zero out the Administrator password to regain access to a Windows 2000/NT/XP workstation or server. The source code and instructions for using this tool are available here. When coupled with a Linux boot disk or CD-ROM, this tool is exceptionally effective, and should be part of any information technology consultant's toolkit.
In contrast to its typical usage, we are going to make use of the less-used Registry editor function of CHNTPW. In our example, we use CHNTPW to load a Registry file and navigate its structure. In editor mode, CHNTPW works very much like a Unix command line: ls lists the contents (subkeys and values) of the current node, and cat dumps a value's string contents to the screen.
[mshannon@forensic0 mshannon]$ mkdir chntpw
[mshannon@forensic0 mshannon]$ cd chntpw
[mshannon@forensic0 chntpw]$ unzip ../chntpw-source-040116.zip
Archive: ../chntpw-source-040116.zip
inflating: chntpw.c
inflating: COPYING.txt
inflating: cpnt.c
inflating: HISTORY.txt
inflating: INSTALL.txt
inflating: Makefile
inflating: ntreg.c
inflating: ntreg.h
inflating: README.txt
inflating: sam.h
[mshannon@forensic0 chntpw]$ ls
chntpw.c cpnt.c INSTALL.txt ntreg.c README.txt
COPYING.txt HISTORY.txt Makefile ntreg.h sam.h
[mshannon@forensic0 chntpw]$ make
gcc -c -DUSEOPENSSL -g -I. -I/usr/include -Wall chntpw.c
gcc -c -DUSEOPENSSL -g -I. -I/usr/include -Wall ntreg.c
gcc -DUSEOPENSSL -g -I. -I/usr/include -Wall -o chntpw chntpw.o ntreg.o -L/usr/lib /usr/lib/libcrypto.a
[mshannon@forensic0 chntpw]$ ls
chntpw chntpw.o cpnt.c INSTALL.txt ntreg.c ntreg.o sam.h
chntpw.c COPYING.txt HISTORY.txt Makefile ntreg.h README.txt
[mshannon@forensic0 chntpw]$ cp /home/mshannon/Evidence-Sample/ SoftwareTest
[mshannon@forensic0 chntpw]$ cp /home/mshannon/Evidence/SoftwareTest/NTUSER.DAT .
[mshannon@forensic0 chntpw]$ ls
chntpw COPYING.txt INSTALL.txt ntreg.h README.txt
chntpw.c cpnt.c Makefile ntreg.o sam.h
chntpw.o HISTORY.txt ntreg.c NTUSER.DAT
[mshannon@forensic0 chntpw]$ ./chntpw
chntpw version 0.99.2 040105, (c) Petter N Hagen
chntpw: change password of a user in a NT SAM file, or invoke registry editor.
chntpw [OPTIONS] [systemfile] [securityfile] [otherreghive] [...]
-h This message
-u Username to change, Administrator is default
-l list all users in SAM file
-i Interactive. List users (as -l) then ask for username to change
-e Registry editor. Now with full write support!
-d Enter buffer debugger instead (hex editor),
-t Trace. Show hexdump of structs/segments. (deprecated debug function)
-v Be a little more verbose (for debuging)
-L Write names of changed files to /tmp/changed
-N No allocation mode. Only (old style) same length overwrites possible
See readme file on how to extract/read/write the NT's SAM file
if it's on an NTFS partition!
Source/binary freely distributable. See README/COPYING for details
NOTE: This program is somewhat hackish! You are on your own!
[mshannon@forensic0 chntpw]$ ./chntpw -e NTUSER.DAT
chntpw version 0.99.2 040105, (c) Petter N Hagen
Hive's name (from header): msmith.TESTDOMAIN\ntuser.dat
ROOT KEY at offset: 0x001020
Page at 0x2f3000 is not 'hbin', assuming file contains garbage at end
File size 3145728 [300000] bytes, containing 438 pages (+ 1 headerpage)
Used for data: 32070/2356192 blocks/bytes, unused: 3517/718176 blocks/bytes.
Simple registry editor. ? for help.
[1020] > ls
ls of node at offset 0x1024
Node has 11 subkeys and 0 values
offs key name
[ 11b8] AppEvents
[ 70a8] Console
[ 7620] Control Panel
[ 13d20] Environment
[ 13e60] Identities
[ 14060] Keyboard Layout
[ 33c00] Network
[ 141a0] Printers
[ 14258] Software
[ 38878] UNICODE Program Groups
[ 2f9d0] Windows 3.1 Migration Status
[1020] > cd Network
[33c00] \Network> ls
ls of node at offset 0x33c04
Node has 5 subkeys and 0 values
offs key name
[ 9bd00] P
[ 76230] q
[ b6258] s
[ 81d40] T
[ b6ae0] x
[33c00] \Network> cd P
[9bd00] \Network\P> ls
ls of node at offset 0x9bd04
Node has 0 subkeys and 6 values
offs size type value name [value if type DWORD]
[ 75e4c] 34 REG_SZ RemotePath
[ 9bc2c] 32 REG_SZ UserName
[ a271c] 52 REG_SZ ProviderName
[ 9e61c] 4 REG_DWORD ProviderType 131072 [0x20000]
[ 9e32c] 4 REG_DWORD ConnectionType 1 [0x1]
[ a16ec] 4 REG_DWORD DeferFlags 4 [0x4]
[9bd00] \Network\P> cat RemotePath
Value RemotePath of type REG_SZ, data length 34 [0x22]
\\testsrver\SampleDIR
[9bd00] \Network\P> cat UserName
Value UserName of type REG_SZ, data length 32 [0x20]
testesrver\jmichaels
[9bd00] \Network\P> q
Hives that have changed:
# Name
None!
[mshannon@forensic0 mshannon]$
Based on the above information, we know that msmith.TESTDOMAIN was the user account tied to that Registry file; however, that user had a network drive mapped using the jmichaels account. This may warrant further investigation.
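As an added example (not part of the original article and not code from chntpw), the following Python script parses the same NT hive structures that chntpw walks in the session above: the 'regf' header, the cells inside the 'hbin' page, 'nk' key nodes with their lf/lh/li subkey lists, and 'vk' values, including the case where a 4-byte value such as a REG_DWORD is stored inline in the offset field rather than in its own cell. Instead of reading a real NTUSER.DAT it builds a small constructed hive in memory (root -> Network -> P with the RemotePath and ConnectionType values shown above); the field offsets follow the reverse-engineered format description the article references, and the hive name, key names and values are constructed sample data.

```python
import struct
HBIN = 0x1000  # hive-relative offsets count from the first hbin, right after the 4 KiB 'regf' header
def cell(hive, off):  # payload of the cell at hive offset off (4-byte size field; negative means allocated)
    return hive[HBIN + off + 4:HBIN + off + abs(struct.unpack_from("<i", hive, HBIN + off)[0])]
def subkeys(hive, nk_off):  # name -> offset of the children in the key's lf/lh/li list cell (chntpw 'ls')
    n, lst_off = struct.unpack_from("<I4xI", cell(hive, nk_off), 0x14)
    lst = cell(hive, lst_off) if n else b""
    step = 4 if lst[:2] == b"li" else 8  # lf/lh entries carry a 4-byte name hash after each offset
    out = {}
    for i in range(n):
        nk = cell(hive, (off := struct.unpack_from("<I", lst, 4 + i * step)[0]))
        out[nk[0x4C:0x4C + struct.unpack_from("<H", nk, 0x48)[0]].decode("latin-1")] = off
    return out
def values(hive, nk_off):  # name -> decoded data for every value under the key (chntpw 'ls' + 'cat')
    n, lst_off = struct.unpack_from("<II", cell(hive, nk_off), 0x24)
    out = {}
    for i in range(n):
        vk = cell(hive, struct.unpack_from("<I", cell(hive, lst_off), i * 4)[0])
        nlen, dlen, doff, vtype = struct.unpack_from("<HIII", vk, 2)
        # high bit of the length: data of up to 4 bytes is stored in the offset field itself, not in a cell
        data = struct.pack("<I", doff)[:dlen & 0x7FFFFFFF] if dlen & 0x80000000 else cell(hive, doff)[:dlen]
        out[vk[0x14:0x14 + nlen].decode("latin-1")] = (struct.unpack("<I", data)[0] if vtype == 4  # REG_DWORD
            else data.decode("utf-16-le").rstrip("\0") if vtype == 1 else data)                   # REG_SZ / raw
    return out
def read_key(hive, path):  # walk a backslash-separated path down from the root key (offset kept at header 0x24)
    assert hive[:4] == b"regf", "not an NT-family registry hive"
    off = struct.unpack_from("<I", hive, 0x24)[0]
    for part in path.split("\\"):
        off = subkeys(hive, off)[part]
    return values(hive, off)

def sample_hive():  # constructed test hive, not a real NTUSER.DAT: root -> Network -> P with two values
    body = bytearray()
    def add(p):  # append an 8-byte-aligned cell and return its hive-relative offset
        size = (len(p) + 11) & ~7
        body.extend(struct.pack("<i", -size) + p.ljust(size - 4, b"\0"))
        return 0x20 + len(body) - size
    def vk(name, vtype, data):  # a 4-byte DWORD goes inline in the offset field, as in real hives
        dlen, doff = (0x80000004, struct.unpack("<I", data)[0]) if vtype == 4 else (len(data), add(data))
        return add(b"vk" + struct.pack("<HIIIHH", len(name), dlen, doff, vtype, 0, 0) + name)
    def nk(name, subs=(), vals=()):
        lst = add(b"li" + struct.pack("<H%dI" % len(subs), len(subs), *subs)) if subs else 0
        vl = add(struct.pack("<%dI" % len(vals), *vals)) if vals else 0
        return add(b"nk" + bytes(18) + struct.pack("<I4xI4xII", len(subs), lst, len(vals), vl)
                   + bytes(28) + struct.pack("<HH", len(name), 0) + name)
    p = nk(b"P", vals=[vk(b"RemotePath", 1, "\\\\testsrver\\SampleDIR\0".encode("utf-16-le")), vk(b"ConnectionType", 4, struct.pack("<I", 1))])
    root = nk(b"ntuser", subs=[nk(b"Network", subs=[p])])
    size = (0x20 + len(body) + 0xFFF) & ~0xFFF  # an hbin is a multiple of 4 KiB
    hdr = b"regf".ljust(0x24, b"\0") + struct.pack("<II", root, size)  # root offset at 0x24, hbin bytes at 0x28
    return hdr.ljust(HBIN, b"\0") + (b"hbin" + struct.pack("<II", 0, size)).ljust(0x20, b"\0") + bytes(body).ljust(size - 0x20, b"\0")
```

Subkey lookup is case-sensitive, and 'ri' indirect lists (used by very large keys) are not followed; with a real hive, pass the whole file's bytes to read_key since cell offsets are relative to the first hbin across the entire file.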
Kregedit
Kregedit is a Qt-based GUI tool loosely based on the Samba editreg.c functions. The source code and instructions for using this tool are available here. This tool was developed against gcc 2.96; therefore, compiling under gcc 3.x is not possible without incorporating specific variable-casting changes. Thankfully, these problems have been corrected in recent CVS versions. If you are using a more recent version of gcc, you will want to visit the CVS archive available here. We have had sporadic success with this tool, including the inability to consistently load all NT Registries opened. Even with these concerns, we believed it was important to present this tool for possible future consideration as its consistency improves.
Windows Registries Registry Keys
The Windows Registry contains multiple system keys, many of which control user settings, features, and functions. For the forensics practitioner, certain Registry keys contain valuable information about the actions of the user prior to imaging and investigation. We have chosen to outline some of the more frequently used Registry keys; however, this list should not be considered complete. There are many additional Registry keys that may contain valuable information, but these will largely depend on the applications and tools installed.
Registry Keys
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\TypedURLs\
The above key maintains a listing of URLs as they were typed in the Internet Explorer address bar; this may provide additional information concerning typical web usage on the suspect computer.
HKEY_USERS\Default\Software\Microsoft\Windows\Internet Explorer\Main
The above key maintains information about the current Windows Internet Explorer settings, including favorites, homepage, proxy configurations, etc.
HKCU\Software\Microsoft\Internet Account Manager\Accounts\0000000x
The above key maintains information about the current Microsoft Outlook Express account, including Name, POP3 Username, POP3 Password, SMTP Server, Email Address, and POP3 Server.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU
The above Registry key maintains a list of mapped network drives, including server name and folder.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
The above registry key maintains a list of the recent Run commands executed.
The above information, tools, and recommended keys can be used as part of a sound Linux forensics investigation of a Windows Registry.
About the Author:
Matthew Shannon has over five years of professional information security experience in private industry, including KPMG LLP, ExxonMobil, and United Technologies. Mr. Shannon has been the lead investigator on numerous computer forensics engagements, including intellectual property theft and employment law.
Mr. Shannon graduated cum laude from The University of Florida in Decision and Information Sciences (BSBA) in 1999. He is an accomplished speaker, having presented at the DEFCON 11 Information Security Conference in Las Vegas, Nevada. He is a member in good standing of ISSA. In addition, Matthew holds numerous professional information technology certifications, and has been a contributor to multiple open source information security projects including "The Sleuthkit" and "The Honeynet Project".
About Agile Risk Management LLC:
Agile Risk Management, LLC is a premium provider of information security consulting services, committed to providing business value with uncompromised integrity. Agile specializes in delivering consulting services not motivated or influenced by vendor products or relationships. Agile provides services that afford reasonable protection for the information assets of our clients in accordance with their business needs.
Agile service offerings include:
- Digital Forensics and Litigation Support
- Security Assessments
- Security Program Development
- Crisis Management
- Business Continuity Planning