Design a Structure to Aggregate Windows Registry for Digital Forensics Investigation

Premal C. Patel (1), Dr. B.K. Sharma (2)
(1) Ph.D. Research Scholar, Rai University, Ahmedabad, Gujarat
(2) Head of Department, R.B. Institute of Management Studies, Ahmedabad, Gujarat

Abstract
Many resources exist for detecting criminal activity on a computer system, and a forensic investigation of such a system can draw evidence from several areas. In many cases the Registry is one of the most helpful of these. Many tools can collect the registry from a computer system, but each uses its own proprietary technique to store it, so the results are neither interoperable nor platform independent. In this paper, the Registry structure of the Windows system is discussed together with several elements of information that can be used to prove that a system is suspicious. We discuss an implementation of a storage structure for the Windows registry, and some areas of the Windows registry that may be supportive for litigation purposes.

Keywords: Digital Forensic XML (DFXML), AFF (Advanced Forensic Format), Investigators, Evidences, REG-XML (Registry XML)

I. INTRODUCTION
The recovery of digital evidence of crimes from storage media is an increasingly time-consuming task, as the capacity of storage media keeps growing. It is also a difficult and complex task for the forensic investigator to analyse all of the locations in the storage media.
From these definitions it is clear that the aim of computer forensics is to find digital evidence that is acceptable for litigation purposes. It is generally accepted that the recovery of digital evidence of crimes from storage media is increasingly time consuming and space complex. One way to make the process faster and simpler is to start searching for evidence in the locations that are most likely to contain information of value to the forensic investigator. One of the best places to start such an investigation is the Windows Registry.
The Windows Registry is very valuable for forensic investigation. First the structure of the Windows Registry is analysed, then the elements within it that may be of evidential value are identified; these must be stored in a properly structured manner.
At present there is no specific standard structure, and no rules or regulations, defining a storage methodology for the registry for digital forensic investigation purposes. There should be basic standards for storing this digital information so that it is interoperable and platform independent.
II. STRUCTURE OF THE WINDOWS REGISTRY
The Registry contains two basic elements: keys and values. Registry keys are container objects similar to folders. Registry values are non-container objects similar to files. Keys may contain values or further keys. Keys are referenced with a syntax similar to Windows' path names, using backslashes to indicate levels of hierarchy. Keys must have a case insensitive name without backslashes.
The HKEY_USERS hive holds all the actively loaded user profiles for that machine. HKEY_CURRENT_USER is the active, loaded user profile for the currently logged-on user. The HKEY_LOCAL_MACHINE hive contains a vast array of configuration information for the system, including hardware settings and software settings. The HKEY_CURRENT_CONFIG hive holds the hardware profile the system uses at startup. Finally, the HKEY_CLASSES_ROOT hive holds configuration information relating to which application is used to open various files on the system.
The Windows Registry is stored in multiple files. By opening the Registry Editor (by typing 'regedit' in the Run window), the Registry can be seen as one unified 'file system'. The left-hand pane, also known as the key pane, contains an organized listing of what appear to be folders. The five top-level folders are called 'hives' and begin with 'HKEY' (an abbreviation for Handle to a Key). Although five hives can be seen, only two of these are actually 'real': HKEY_USERS (HKU) and HKEY_LOCAL_MACHINE (HKLM). The other three are shortcuts or aliases to branches within one of those two hives. Each of these five hives is composed of keys, which contain values and subkeys. Values are the names of certain items within a key, which uniquely identify specific values relating to the operating system.[1]
The key point here is that all of this information is textual, so it requires a storage format that supports text.

Fig. 1 Structure of the Windows Registry

The Windows Registry is one of the essential components of current Microsoft Windows operating systems. The Windows registry performs two critical tasks for the Microsoft Windows operating system. The first is that it is the repository for settings for the Windows operating system and the applications installed on the system. The second is that it archives the database of the configuration of all installed hardware.[2]
Because of this important information, the registry is an essential part of the investigation process, so it must be aggregated and archived in a proper format.
III. IMPORTANCE OF REGISTRY IN DIGITAL INVESTIGATION
Forensic analysis can be initiated by investigating the Windows registry. The Windows Registry is a central repository, or hierarchical database, of configuration data for the operating system and most of its programs. It contains abundant information that has potential evidential value in forensic analysis. Digital forensic examination helps to prove activity that took place in the past and to identify the person who may have been using the machine. This can be achieved by looking at artefacts, which are any objects created by software, either during installation or while the program is being used, and which usually take the form of files or registry entries.[3] The Windows Registry is a hierarchical database that stores configuration settings and options on Microsoft Windows operating systems. It contains settings for low-level operating system components and for applications running on the platform that have opted to use the Registry. The kernel, device drivers, services, the SAM, the user interface and third-party applications can all make use of the Registry. The Registry also provides a means to access counters for profiling system performance.
Internet Explorer:
From Internet Explorer an investigator can collect important information such as:
HKCU\Software\Microsoft\Internet Explorer\TypedURLs – TypedURLs stores the URLs typed by the user, so the investigator can identify the history of visited websites.
HKCU\Software\Microsoft\Internet Explorer\Download Directory – This key records the last directory used to store a file downloaded from Internet Explorer, so it shows where the user stores his/her files.

Attached Devices:
Whenever a device is connected to the Universal Serial Bus (USB), its driver is installed automatically and the Registry stores all information about that particular device, including its name, type and time. This information is very important in cases of theft of data or information.
HKLM\SYSTEM\ControlSet00x\Enum\USBSTOR – This key contains subkeys that represent the device descriptor, with vendor ID and product ID, for each USB device that has been connected.
Fig. 2 RunMRU list of locations accessed from the Run menu

This figure shows the paths most recently accessed from the Run menu. There are also several other MRU lists in the registry that can be helpful for digital forensic investigations.
IV. LIMITATIONS IN REGISTRY STORAGE STRUCTURE
No specific international standard exists for storing registry information.
There is no facility for an interoperable information structure, so platform-independent analysis is very difficult.
There is a lack of a security interface.
Registry errors are not uncommon, but in most cases they are harmless.

V. A PROPOSED STRUCTURE
There has been considerable forensic research aimed at recovering allocated data from Windows Registry hive files and from unallocated space inside the hive. Because of the limitations of the ASCII-based registry file format defined by Microsoft's RegEdit tool, several developers created tools for extracting Registry entries from hive files and representing the resulting information as XML.
The National Institute of Standards and Technology's WIRED project has developed a program called reg-diff.rb, which ingests two ASCII files generated by RegEdit and produces an XML file describing the differences. An XML structure may reduce the limitations of the registry format.[5]
Here is a small structure that defines the XML storage structure for digital evidence collection using DFXML methods.

Registry object information:
Msreg: Microsoft registry
Hive: describes hive information
Key: main key path of the registry
Subkey: subkey path information of the registry
Name: name of the registry data
Type: registry data type
Data: actual data of the registry

Proposed Structure for Registry

    <msreg>
      <hive>
        <name>HKEY_CURRENT_USER</name>
        <key>software</key>
        <subkey>
          <subkeyname>Adobe</subkeyname>
          <name>AdobeHome</name>
          <type>REG_SZ</type>
          <data>C:\Program Files\Adobe</data>
        </subkey>
      </hive>
    </msreg>

DTD for Registry (the element names and content model follow the instance document above, so that the instance validates against it):

    <!DOCTYPE msreg [
    <!ELEMENT msreg (hive+)>
    <!ELEMENT hive (name, key, subkey+)>
    <!ELEMENT subkey (subkeyname, name, type, data)>
    <!ELEMENT name (#PCDATA)>
    <!ELEMENT key (#PCDATA)>
    <!ELEMENT subkeyname (#PCDATA)>
    <!ELEMENT type (#PCDATA)>
    <!ELEMENT data (#PCDATA)>
    ]>
An XML structure is used to store textual data, so we can store the vital information that proves criminal activity or helps to identify a suspicious system. All of this information is important, so it must meet the security level of the CIA triad (confidentiality, integrity, availability). The information must be kept on a secure physical device for long-term record keeping.
This structure defines a storage methodology for all the registry information together with its values. It can minimise the limitations identified above for investigations. This approach makes the data interoperable, so it can be produced or consumed by any tool. Windows registry data aggregated for an investigation should be archived in a proper format so that it can be reused at any time for litigation purposes. The data must be tamper-proof, so the file needs some security aspects; in this format we can include a hash value of the file to provide integrity of the information.
Fig. 3 Flow of the REG-XML structure method (Start -> Collect REG-XML Information -> Preserve REG-XML Information -> Stop)

This flow defines the methodology for the registry investigation storage process. The registry should be gathered in a secure mode and then all of the information archived in a properly structured form. The structure must maintain a hash signature to provide integrity.
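As an added example (not code from the paper), the following Python builds the proposed msreg structure from constructed sample entries, embeds a SHA-256 digest as the integrity value the flow above calls for, and verifies that digest when the document is read back. The hash element, the sample entries and the canonical form that the hash covers are assumptions of this example.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample entries (hypothetical values, not from any real system):
# (hive, key path, subkey name, value name, value type, data)
SAMPLE_ENTRIES = [
    ("HKEY_CURRENT_USER", "Software", "Adobe", "AdobeHome", "REG_SZ",
     "C:\\Program Files\\Adobe"),
    ("HKEY_CURRENT_USER", "Software\\Microsoft\\Internet Explorer", "TypedURLs",
     "url1", "REG_SZ", "http://www.example.com/"),
]

def canonical_bytes(entries):
    # Deterministic byte form of the entries; this is what the hash covers.
    return "\n".join("\t".join(e) for e in sorted(entries)).encode("utf-8")

def build_reg_xml(entries):
    # Serialise as <msreg>/<hive>/(<name>, <key>, <subkey>) and append a SHA-256.
    root, hives = ET.Element("msreg"), {}
    for hive, key, subkey, name, vtype, data in entries:
        if hive not in hives:
            hives[hive] = ET.SubElement(root, "hive")
            ET.SubElement(hives[hive], "name").text = hive
        ET.SubElement(hives[hive], "key").text = key
        s = ET.SubElement(hives[hive], "subkey")
        for tag, text in (("subkeyname", subkey), ("name", name),
                          ("type", vtype), ("data", data)):
            ET.SubElement(s, tag).text = text
    # <hash> is an assumed extension of the paper's structure for the integrity value.
    digest = hashlib.sha256(canonical_bytes(entries)).hexdigest()
    ET.SubElement(root, "hash", algorithm="sha256").text = digest
    return ET.tostring(root, encoding="utf-8")

def parse_reg_xml(xml_bytes):
    # Inverse of build_reg_xml: returns (entries, stored hash hex).
    root, entries, key = ET.fromstring(xml_bytes), [], None
    for h in root.findall("hive"):
        hive = h.findtext("name")          # direct child only, not subkey/name
        for child in h:
            if child.tag == "key":
                key = child.text           # applies to the <subkey> that follows
            elif child.tag == "subkey":
                entries.append((hive, key) + tuple(
                    child.findtext(t) for t in ("subkeyname", "name", "type", "data")))
    return entries, root.findtext("hash")

def verify_reg_xml(xml_bytes):
    # True only if the embedded hash matches the entries actually present.
    entries, stored = parse_reg_xml(xml_bytes)
    return hashlib.sha256(canonical_bytes(entries)).hexdigest() == stored
```

Any edit to a stored value after archiving makes verify_reg_xml return False; for a court-ready archive the digest would in practice also be recorded outside the file (or signed), since an attacker who can edit the file can recompute an embedded hash.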
CONCLUSION
The XML format is well known for aggregating data and storing textual information. It helps to make forensic data investigation easier by preserving the integrity of the data and by making it interoperable with other tools and applications. The main aim of this research paper is to provide a technical format in which to store digital forensic information, which in turn gives a better outcome from the forensic investigation process. Preserving and archiving are also among the most important aspects of a forensic investigation, so that all forensic evidence is kept secure and untampered and can be used in the litigation process.
ACKNOWLEDGEMENT
I would like to express my heartfelt gratitude towards my guide Dr. B.K. Sharma for his guidance on various aspects of this document and his contribution to the betterment of my work. I appreciate the thoughtful contributions that he has made to my efforts. It has been a great privilege to work under him. With his guidance and persistent help this research became possible. Lastly I would also like to give special thanks to my friends, colleagues and parents for playing an important role in strengthening my approaches in this work.
REFERENCES
1. A Forensic Analysis of the Windows Registry, by Derrick J. Farmer, Champlain College, Burlington, Vermont.
2. Forensic Analysis of the Windows 7 Registry, by Khawla Abdulla Alghafli.
3. Windows Registry Analysis for Forensic Investigation, by Raihana Md Saidi, in IEEE, 2013.
4. www.msdn.microsoft.com
5. Digital Forensics XML and the DFXML Toolset, by Simson Garfinkel, Naval Postgraduate School, 900 N. Glebe, Arlington, VA 22203.
6. www.forensicswiki.org/wiki/Registryasxml