[Kevin's Attic for Security Research] Windows Registry Artifacts kevinkoo001@gmail.com DO NOT FORGET TO RETAIN THE ORIGINAL SOURCE WHEN YOU MAKE USE OF THIS MATERIAL OR (RE)DISTRIBUTE IT.
What to Cover
1. What is the Registry?
2. Location and Components
3. Root Keys
4. Hive Structure
5. Windows Registry Artifacts: Basic System Information, Installed Software List, MRU Lists, USB Information, Mounted Devices, Timezone Information, Shared Resources, Mapped Network Drives, Startup Services, Internet Explorer, Wireless SSIDs, Network Interfaces, SAM, UserAssist (Application Usage), Shellbags, Explorer Searches, RDP Connection Information, Hardware Information, Restore Points
General Information - What is the Registry?
- The central configuration store of the Microsoft Windows operating system: a hierarchical database (kept in binary hive files) of operating-system and program configuration data.
- Drawback: it is a single point of failure (SPoF); a corrupted hive can keep the system from booting.
- It records the boot and logon process, service and application execution, user activity, and the Last Known Good configuration, which can be restored.
- In use since Windows 3.1.
http://en.wikipedia.org/wiki/windows_registry
Location
- Machine hives (HKLM): %SYSTEMROOT%\System32\Config\
- User hives (HKU): %SYSTEMDRIVE%\Documents and Settings\[Account] on Windows XP, %SYSTEMDRIVE%\Users\[Account] on Vista and later (NTUSER.DAT in each profile)
Components (as shown in regedit.exe): Key, Subkey, Value (name), Type, Data
Registry Root Keys
- HKEY_CLASSES_ROOT: file association and COM (Component Object Model) object registration information
- HKEY_CURRENT_USER: profile of the user logged on to the system
- HKEY_LOCAL_MACHINE: system-wide hardware and software configuration and environment information
- HKEY_USERS: profiles of all users (and groups) on the system
- HKEY_CURRENT_CONFIG: hardware profile used at system startup
Registry Root Keys
Master keys (backed by hives): HKEY_LOCAL_MACHINE, HKEY_USERS
Derived keys (symbolic links into the master keys): HKEY_CLASSES_ROOT, HKEY_CURRENT_USER, HKEY_CURRENT_CONFIG
Key | Description
HKEY_CLASSES_ROOT (HKCR) | Symbolic link merging HKLM\SOFTWARE\Classes and HKU\<SID>_Classes: machine-wide default settings combined with the individual user's settings
HKEY_CURRENT_USER (HKCU) | Symbolic link to the subkey of HKEY_USERS that holds the console user's profile hive; the console user's environment configuration
HKEY_LOCAL_MACHINE (HKLM) | Collection of on-disk hives and in-memory hives (SYSTEM, SOFTWARE, SAM, SECURITY, HARDWARE); holds most computer-wide settings; master key
HKEY_USERS (HKU) | Holds the user profile hives (NTUSER.DAT) of logged-on accounts; configuration of the console user and of other users; at least three subkeys (.DEFAULT, <SID>, <SID>_Classes)
HKEY_CURRENT_CONFIG (HKCC) | Key holding the current hardware profile; symbolic link to HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware Profiles\Current
HKEY_DYN_DATA | Windows 9x only: a lookup location for dynamic performance data with no physical hive behind it
http://technet.microsoft.com/en-us/library/cc750583.aspx
Registry Root Keys - HKCU: the subkey of HKU that holds the profile of the currently logged-on user
Registry Root Keys - HKCU Subkeys
- AppEvents: sounds and the events they are tied to
- CLSID: COM object binding information
- Console: command-prompt window settings
- Control Panel: desktop theme, keyboard and mouse preferences
- Environment: environment variable definitions
- EUDC: end-user-defined characters
- Identities: Windows Mail account information
- Keyboard Layout: keyboard layout settings
- Network: network drive mappings and their settings
- Printers: printer connection settings
- SessionInformation: programs currently shown on the taskbar
- Software: software settings of the logged-on user
- System: a subset of HKLM\SYSTEM (Control, Policies, Services)
- UNICODE Program Groups: Start menu group definitions of the logged-on user
- Volatile Environment: volatile environment variables
http://forensic-proof.com/archives/1515
Registry Root Keys - HKLM: system-wide hardware and software configuration and environment information
Registry Root Keys - HKLM Subkeys
- BCD00000000: Boot Configuration Data (replaces the Boot.ini of Windows XP)
- COMPONENTS: information on installed components
- HARDWARE: system hardware description and device-driver mappings for all hardware (volatile, rebuilt at every boot)
- SAM: local account and group information; readable only as SYSTEM
- SECURITY: system security policy and rights assignments; readable only as SYSTEM
- SOFTWARE: software information that is not needed to boot the system
- SYSTEM: system-wide configuration that is needed to boot the system
http://forensic-proof.com/archives/1515
Registry Root Keys - HKU: profiles of all users and the per-user class registrations
Key | Hive file location
HKU\<LocalService SID> | XP: C:\Documents and Settings\LocalService\NTUSER.DAT; Vista/7: %SystemRoot%\ServiceProfiles\LocalService\NTUSER.DAT
HKU\<NetworkService SID> | XP: C:\Documents and Settings\NetworkService\NTUSER.DAT; Vista/7: %SystemRoot%\ServiceProfiles\NetworkService\NTUSER.DAT
HKU\<User SID> | XP: C:\Documents and Settings\<UserName>\NTUSER.DAT; Vista/7: %UserProfile%\NTUSER.DAT
HKU\<User SID>_Classes | XP: C:\Documents and Settings\<UserName>\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat; Vista/7: %UserProfile%\AppData\Local\Microsoft\Windows\UsrClass.dat
HKU\.DEFAULT | %SystemRoot%\System32\Config\DEFAULT
http://forensic-proof.com/archives/1515
Registry (Hive) Files: six physical hive files and two volatile hives
Registry path | File path
HKLM\SYSTEM | %WINDIR%\system32\config\SYSTEM
HKLM\SAM | %WINDIR%\system32\config\SAM
HKLM\SECURITY | %WINDIR%\system32\config\SECURITY
HKLM\SOFTWARE | %WINDIR%\system32\config\SOFTWARE
HKLM\HARDWARE | volatile hive (built in memory at boot)
HKLM\SYSTEM\Clone | volatile hive
HKEY_USERS\<User SID> | user profile hive NTUSER.DAT under "Documents and Settings\<User>" (Windows XP) or "Users\<User>" (Vista and later)
HKEY_USERS\.DEFAULT | %WINDIR%\system32\config\DEFAULT
http://kevin9life.blogspot.kr/2012/09/demystifying-registry-1.html
Registry (Hive) Files: HKLM\SYSTEM\CurrentControlSet\Control\hivelist lists every hive currently loaded (the registry path as the value name, the backing file as its data), so the set of loaded hives and their files can be enumerated from a live system or from the SYSTEM hive.
http://kevin9life.blogspot.kr/2012/09/demystifying-registry-1.html
Hive Structure (1/4) - cell data types
Cell type | Description
Key cell | Stores a key; also called a key node. The on-disk signature is "nk" (Windows Internals writes the signatures byte-swapped: kn for a key, kl for a link node). Holds the key's LastWrite timestamp.
Value cell | Stores a value's name, type and data; signature "vk". Types include REG_DWORD, REG_BINARY and so on.
Subkey-list cell | A list of indexes (cell offsets) pointing to key cells; signatures "lf", "lh", "li" or "ri".
Value-list cell | A list of indexes pointing to value cells.
Security-descriptor cell | Holds a security descriptor, shared by the keys that reference it; signature "sk".
http://sentinelchicken.com/data/thewindowsntregistryfileformat.pdf
Hive Structure (2/4)
- A hive file stores its data in 4,096-byte (4 KB) blocks.
- The file begins with the base block (the hive file header, one 4 KB block); from file offset 0x1000 onward a contiguous sequence of logical structures called hive bins (hbins) follows, each a multiple of 4 KB. Cell offsets stored inside the hive are relative to the start of this first hive bin, not to the start of the file.
http://technet.microsoft.com/en-us/library/cc750583.aspx
Hive Structure (3/4)
- The base block (hive file header, 4 KB) carries the signature regf. It also holds two sequence numbers (equal after a clean flush; unequal when the last write was interrupted, in which case the .LOG/.LOG1/.LOG2 transaction logs hold the pending data), a FILETIME stamp, the format version, the offset of the root key cell and an XOR checksum of the header.
http://forensic-proof.com/archives/1515
Hive Structure (4/4)
- Each hive bin carries the signature hbin and is filled with cells; a cell's leading 32-bit size is negative when the cell is allocated and positive when it is free.
- The LastWrite timestamp lives in the key node (nk cell). It is updated when the key is created, when one of its values is added, changed or deleted, and when a subkey is added or removed; merely reading a key does not update it. Registry values carry no timestamp of their own, so a value's last-modification time cannot be determined (only the LastWrite of the key that holds it).
http://forensic-proof.com/archives/1515
http://www.forensicfocus.com/downloads/windows-registry-quick-reference.pdf
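The structures above, as an added example that is not part of the original slides: a small Python walker that checks the regf header (signature, sequence numbers, checksum), follows the hbin chain and decodes the root key node's name and LastWrite time. The hive it parses is constructed in memory by build_sample_hive, so nothing is read from disk; the field offsets are those of the public regf description cited on the slides.

```python
"""regf hive walker: base block, hive bins and the root key node (added example)."""
import struct
from datetime import datetime, timedelta, timezone

BLOCK = 0x1000                                   # hives are laid out in 4 KiB blocks
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME = 100 ns ticks since 1601-01-01 UTC (used for LastWrite and the header stamp)."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def base_block_checksum(block):
    """XOR of the 127 DWORDs in 0x000-0x1FB, stored at 0x1FC (0 becomes 1, 0xFFFFFFFF becomes 0xFFFFFFFE)."""
    x = 0
    for (dword,) in struct.iter_unpack('<I', block[:0x1FC]):
        x ^= dword
    return {0: 1, 0xFFFFFFFF: 0xFFFFFFFE}.get(x, x)


def build_sample_hive(root_name=b'CMI-CreateHive{SAMPLE}', sequence=(1, 1),
                      last_write=datetime(2012, 9, 1, 12, 0, tzinfo=timezone.utc)):
    """Constructed one-key hive: base block + one hbin holding an allocated root nk cell."""
    ft = datetime_to_filetime(last_write)
    # nk body: 0x4C-byte fixed header, then the key name (flags 0x20 = ASCII name, 0x0C = root key)
    nk = b'nk' + struct.pack('<HQII', 0x2C, ft, 0, 0xFFFFFFFF)            # flags, LastWrite, access, parent
    nk += struct.pack('<IIII', 0, 0, 0xFFFFFFFF, 0xFFFFFFFF)               # subkey counts and list offsets
    nk += struct.pack('<II', 0, 0xFFFFFFFF)                                # value count, value-list offset
    nk += struct.pack('<II', 0xFFFFFFFF, 0xFFFFFFFF)                       # sk offset, class-name offset
    nk += struct.pack('<IIIII', 0, 0, 0, 0, 0)                             # max-length fields, workvar
    nk += struct.pack('<HH', len(root_name), 0) + root_name                # name length, class length, name
    cell_len = (4 + len(nk) + 7) & ~7                                      # cells are 8-byte aligned
    cell = struct.pack('<i', -cell_len) + nk.ljust(cell_len - 4, b'\x00')  # negative size = allocated

    hbin = b'hbin' + struct.pack('<II', 0, BLOCK) + b'\x00' * 8 + struct.pack('<Q', ft) + b'\x00' * 4
    hbin += cell
    free = BLOCK - len(hbin)
    hbin += struct.pack('<i', free) + b'\x00' * (free - 4)                 # positive size = free cell

    base = bytearray(BLOCK)
    struct.pack_into('<4sIIQIIIIIII', base, 0, b'regf', sequence[0], sequence[1], ft,
                     1, 5, 0, 1, 0x20, BLOCK, 1)   # version 1.5, root cell at hbin+0x20, hbin area size
    base[0x30:0x70] = 'SAMPLE'.encode('utf-16-le').ljust(64, b'\x00')
    struct.pack_into('<I', base, 0x1FC, base_block_checksum(base))
    return bytes(base) + hbin


def parse_nk(data, cell_off):
    pos = BLOCK + cell_off                       # cell offsets are relative to the first hbin
    (cell_size,) = struct.unpack_from('<i', data, pos)
    body = pos + 4
    if cell_size >= 0 or data[body:body + 2] != b'nk':
        raise ValueError('expected an allocated nk cell at 0x%x' % cell_off)
    flags, ft, _access, _parent, nsub, _nvsub, _sl, _vsl, nval = struct.unpack_from('<HQIIIIIII', data, body + 2)
    (name_len,) = struct.unpack_from('<H', data, body + 0x48)
    raw = data[body + 0x4C:body + 0x4C + name_len]
    name = raw.decode('latin-1') if flags & 0x20 else raw.decode('utf-16-le')
    return {'name': name, 'flags': flags, 'last_write': filetime_to_datetime(ft),
            'subkeys': nsub, 'values': nval}


def parse_hive(data):
    if data[:4] != b'regf':
        raise ValueError('not a regf hive')
    seq1, seq2, ts, major, minor, _type, _fmt, root_off, hbins_size = struct.unpack_from('<IIQIIIIII', data, 4)
    (stored,) = struct.unpack_from('<I', data, 0x1FC)
    info = {
        'sequence': (seq1, seq2),
        'dirty': seq1 != seq2,    # unequal: the last write never completed; replay the .LOG files before trusting it
        'timestamp': filetime_to_datetime(ts),
        'version': (major, minor),
        'checksum_ok': stored == base_block_checksum(data[:BLOCK]),
        'filename': data[0x30:0x70].decode('utf-16-le').rstrip('\x00'),
        'hbins': [],
    }
    pos = BLOCK
    while pos < BLOCK + hbins_size:              # walk the chain of hive bins
        sig, rel, size = struct.unpack_from('<4sII', data, pos)
        if sig != b'hbin' or size == 0:
            raise ValueError('bad hbin header at 0x%x' % pos)
        info['hbins'].append({'offset': rel, 'size': size})
        pos += size
    info['root_key'] = parse_nk(data, root_off)
    return info
```

The dirty flag is the check to run before anything else on an acquired hive: if the sequence numbers differ, the file on disk is behind the transaction logs and the LastWrite times it yields may be stale.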
Registry Artifacts at a glance: Basic System Information, Installed Software List, MRU Lists, USB Information, Mounted Devices, Timezone Information, Shared Resources, Mapped Network Drives, Startup Services, Internet Explorer, Wireless SSIDs, Network Interfaces, SAM, UserAssist (Application Usage), Shellbags, Explorer Searches, RDP Connection Information, Hardware Information, Restore Points, and many other application artifacts
Artifacts > System Information (HIVE: SYSTEM, SOFTWARE)
Computer name
  HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName
  HKLM\SYSTEM\ControlSet00[#]\Control\ComputerName\ActiveComputerName (volatile; the name in use for the current session)
Shutdown time
  HKLM\SYSTEM\ControlSet00[#]\Control\Windows (value ShutdownTime, a FILETIME in UTC)
System information (product name, version, install date, registered owner)
  HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion
[Lessons Learned or Notes] On a live system the computer name can also be read from Control Panel > System or with the hostname command in cmd.exe.
Artifacts > Installed Software List (HIVE: SOFTWARE)
Uninstall information
  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
  HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall (32-bit software on 64-bit Windows)
  NTUSER\Software\Microsoft\Windows\CurrentVersion\Uninstall (per-user installations)
[Lessons Learned or Notes] Standalone (portable) software that never registered an uninstaller does not appear here. Each subkey's LastWrite time approximates the install time; the InstallDate and DisplayVersion values are written by the installer and may be absent.
Artifacts > MRU Lists (Recently Accessed Items) - MRU Lists in Windows (1/4) (HIVE: NTUSER.DAT)
Recent documents
  NTUSER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
Mostly binary data: each numbered value holds the document name (UTF-16LE, NUL-terminated) followed by a shell item; the MRUListEx value keeps the access order (most recent index first), and per-extension subkeys (.docx, .pdf, ...) keep lists of their own. Useful as additional timeline information: the key's LastWrite time is when its most recent entry was added.
Artifacts > MRU Lists (Recently Accessed Items) - MRU Lists in Windows (2/4) (HIVE: NTUSER.DAT)
Commands typed into the Run dialog
  NTUSER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU (values a, b, c, ... ordered by the MRUList string value, most recent first)
Artifacts > MRU Lists (Recently Accessed Items) - MRU Lists in Applications (3/4) (HIVE: NTUSER.DAT)
Adobe Acrobat Reader
  NTUSER\Software\Adobe\Adobe Acrobat\[VER]\AVGeneral\cRecentFiles
Office documents
  NTUSER\Software\Microsoft\Office\[VER]\{Word, Excel, PowerPoint}\File MRU
  NTUSER\Software\Microsoft\Office\[VER]\{Word, Excel, PowerPoint}\Place MRU
Wallpaper
  NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\Wallpaper\MRU
[Lessons Learned or Notes] Cross-check these against the recent documents folder and its shortcut (.lnk) files.
Artifacts > MRU Lists (Recently Accessed Items) - MRU Lists in Applications (4/4) (HIVE: NTUSER.DAT)
WordPad
  NTUSER\Software\Microsoft\Windows\CurrentVersion\Applets\Wordpad\Recent File List
Hangul (HWP) word processor, by version
  (2005) NTUSER\SOFTWARE\HNC\Hwp\6.5\RecentFile
  (2007) NTUSER\SOFTWARE\HNC\Hwp\7.0\HwpFrame\RecentFile
  (2010) NTUSER\SOFTWARE\HNC\Hwp\8.0\HwpFrame\RecentFile
Windows Media Player
  NTUSER\Software\Microsoft\MediaPlayer\Player\RecentFileList
  NTUSER\Software\Microsoft\MediaPlayer\Player\RecentURLList
[Lessons Learned or Notes] Cross-check these against the recent documents folder and its shortcut (.lnk) files.
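The RecentDocs/MRUListEx ordering described in the first MRU slide, as an added example that is not code from the slides: it decodes the MRUListEx index array, extracts the leading UTF-16LE name of each numbered value and reports which slots are orphaned (a value still on disk but no longer in the order, or an index whose value was deleted). The key content is constructed inline; the shell item that follows the name is simplified to just the .lnk name. The same MRUListEx decoding applies to OpenSaveMRU and to the Windows 7 WordWheelQuery key discussed later.

```python
"""RecentDocs / MRUListEx decoder (added example, not code from the slides)."""
import struct


def parse_mrulistex(blob):
    """MRUListEx: little-endian DWORD value indices, most recent first, terminated by 0xFFFFFFFF."""
    order = []
    for (idx,) in struct.iter_unpack('<I', blob[:len(blob) - len(blob) % 4]):
        if idx == 0xFFFFFFFF:
            break
        order.append(idx)
    return order


def recentdocs_name(blob):
    """Each numbered value starts with the UTF-16LE document name, NUL-terminated; the shell item
    that follows (it repeats the name as a .lnk file) is not decoded here."""
    for i in range(0, len(blob) - 1, 2):            # scan on 2-byte boundaries for the UTF-16 terminator
        if blob[i:i + 2] == b'\x00\x00':
            return blob[:i].decode('utf-16-le')
    return blob.decode('utf-16-le', errors='replace')


def ordered_recent_docs(values):
    """values: {value name: data} of one RecentDocs key. Returns [(slot, name)] most recent first;
    a slot listed in MRUListEx whose value has been deleted is reported with name None."""
    result = []
    for slot in parse_mrulistex(values['MRUListEx']):
        data = values.get(str(slot))
        result.append((slot, recentdocs_name(data) if data is not None else None))
    return result


def orphaned_slots(values):
    """Numbered values that exist but are no longer referenced by MRUListEx (stale entries)."""
    return {int(n) for n in values if n.isdigit()} - set(parse_mrulistex(values['MRUListEx']))


def make_entry(name):
    """Constructed RecentDocs entry: name + NUL terminator + simplified shell item carrying the .lnk name."""
    return name.encode('utf-16-le') + b'\x00\x00' + (name + '.lnk').encode('ascii') + b'\x00'


SAMPLE_RECENTDOCS = {                                        # constructed export of ...\Explorer\RecentDocs
    'MRUListEx': struct.pack('<4I', 2, 0, 3, 0xFFFFFFFF),   # slot 2 opened last; slot 3's value is gone
    '0': make_entry('budget_2012.xlsx'),
    '1': make_entry('old_notes.txt'),                        # still on disk but dropped from the order
    '2': make_entry('incident_report.docx'),
}
```

Orphaned slots and dangling indexes are worth keeping in a timeline: the first shows a value Explorer no longer counts as recent, the second shows a document whose entry was removed after the list was last reordered.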
Artifacts > USBs - USB Information (1/7) (HIVE: SYSTEM)
HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR
Device Class ID: vendor, product name and revision number
  Disk&Ven_[vendor_info]&Prod_[product_name]&Rev_[revision_num]
Unique Instance ID: a subkey of the Device Class ID, in one of two forms depending on whether the device reports a serial number
  (1) serial number present: [Serial_Number]&#
  (2) no serial number: #&[PnP_Generation_Number]&# (generated by Windows; recognisable by the '&' in the second character)
The LastWrite time of USBSTOR subkeys can be refreshed by Windows itself (the slides attribute this to Windows security policy), so do not read it as the first-connection time without corroboration.
Artifacts > USBs - USB Information (2/7) (HIVE: SYSTEM)
HKLM\SYSTEM\CurrentControlSet\Enum\USB
Vendor ID and product ID of every USB device seen (not only storage)
  VID_[vendor_id]&PID_[product_id]
As with USBSTOR, the LastWrite time of these keys can be refreshed by Windows itself (attributed on the slides to Windows security policy), so corroborate it before using it as a connection time.
Artifacts > USBs - USB Information (3/7) (HIVE: SOFTWARE)
Volume name of each connection
  HKLM\SOFTWARE\Microsoft\Windows Portable Devices\Devices
- The subkey names embed the product name and serial number, so search them for those strings.
- The FriendlyName value holds the device name if one was set, otherwise the volume label at connection time.
- The same volume label can later be given to a different device, so do not identify a device by label alone.
Artifacts > USBs - USB Information (4/7) (HIVE: SYSTEM)
First connection time since boot (key LastWrite time)
  HKLM\SYSTEM\CurrentControlSet\Control\DeviceClasses\{GUID}
  (Disk)            {53f56307-b6bf-11d0-94f2-00a0c91efb8b}
  (Volume)          {53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
  (USB)             {a5dcbf10-6530-11d2-901f-00c04fb951ed}
  (Portable Device) {6ac27878-a6fa-4155-ba85-f98f491d4f33}
The subkey names embed the product name and the serial number (or generated instance ID), so search them for those strings.
Artifacts > USBs - USB Information (5/7) (HIVE: SYSTEM, NTUSER.DAT)
Last connection time since boot (key LastWrite time)
  HKU\[USER]\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{Volume GUID} (also shows which user account the device was mounted under)
  HKLM\SYSTEM\ControlSetXXX\Enum\USB\VID_[vendor_id]&PID_[product_id]\[instance]
The subkey names embed the product name and the serial number (or generated instance ID), so search them for those strings.
Artifacts > USBs - USB Information (6/7): USBDeview from NirSoft presents the USBSTOR/USB enumeration data of the live system in a single table (screenshot).
Artifacts > USBs - USB Information (7/7): the Plug and Play setup log, C:\Windows\setupapi.log on Windows XP and C:\Windows\inf\setupapi.dev.log on Vista and later, records the first installation of each USB device with a timestamp (in local time, unlike registry LastWrite values).
Artifacts > Mounted Devices (HIVE: SYSTEM)
HKLM\SYSTEM\MountedDevices
- Maps drive letters (\DosDevices\X:) and volume GUIDs (\??\Volume{...}) to devices. Fixed-disk volumes are stored as 12 bytes (MBR disk signature + partition offset); removable devices as a UTF-16LE device path.
- On Windows XP the device path embeds the ParentIdPrefix value found under the USBSTOR instance key, which ties a MountedDevices entry to its USBSTOR device; on Vista and later the path embeds the USBSTOR instance ID (the serial number) directly.
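The USBSTOR-to-drive-letter correlation described on the USB and Mounted Devices slides, as an added example that is not code from the slides. It parses constructed USBSTOR key names (vendor/product/revision, serial or Windows-generated instance ID) and constructed MountedDevices values, and matches them by instance ID (Vista and later) or by ParentIdPrefix (XP). The device paths and GUIDs follow the formats shown above; no live registry or hive is read.

```python
"""USBSTOR / MountedDevices correlation (added example, not code from the slides)."""
import re
import struct

CLASS_ID_RE = re.compile(
    r'^(?P<device_type>[^&]+)&Ven_(?P<vendor>[^&]*)&Prod_(?P<product>[^&]*)&Rev_(?P<revision>.*)$', re.IGNORECASE)


def parse_class_id(class_id):
    """Disk&Ven_<vendor>&Prod_<product>&Rev_<revision> -> dict of the four parts."""
    m = CLASS_ID_RE.match(class_id)
    if not m:
        raise ValueError('unexpected USBSTOR device class ID: ' + class_id)
    return m.groupdict()


def parse_instance_id(instance_id):
    """A device that reported no serial number gets a Windows-generated ID whose second character is '&'."""
    generated = len(instance_id) > 1 and instance_id[1] == '&'
    return {'instance_id': instance_id, 'serial': None if generated else instance_id.split('&')[0],
            'windows_generated': generated}


def parse_mounted_devices(values):
    """MountedDevices data: 12 bytes (MBR disk signature + partition offset) for fixed volumes,
    otherwise a UTF-16LE device path (USB and other removable media)."""
    devices = {}
    for name, data in values.items():
        if len(data) == 12:
            signature, offset = struct.unpack('<IQ', data)
            devices[name] = {'kind': 'mbr_volume', 'disk_signature': '%08X' % signature, 'partition_offset': offset}
        else:
            devices[name] = {'kind': 'device_path', 'path': data.decode('utf-16-le').rstrip('\x00')}
    return devices


def correlate(usbstor, mounted):
    """usbstor: {class_id: {instance_id: {value: data}}} as under Enum\\USBSTOR; mounted: parse_mounted_devices() output.
    Vista+ paths embed the USBSTOR instance ID; XP-era STORAGE paths embed the ParentIdPrefix value instead."""
    by_instance, by_prefix = {}, {}
    for class_id, instances in usbstor.items():
        for instance_id, values in instances.items():
            entry = dict(parse_class_id(class_id), **parse_instance_id(instance_id))
            entry['friendly_name'] = values.get('FriendlyName')
            by_instance[instance_id.lower()] = entry
            if 'ParentIdPrefix' in values:
                by_prefix[values['ParentIdPrefix'].lower()] = entry
    rows = []
    for name, info in mounted.items():
        if info['kind'] != 'device_path' or not name.startswith('\\DosDevices\\'):
            continue
        parts = info['path'].split('#')
        if len(parts) < 3:
            continue
        head, entry, via = parts[0].upper(), None, None
        if head.endswith('USBSTOR'):
            entry, via = by_instance.get(parts[2].lower()), 'instance_id'
        elif head.endswith('STORAGE'):
            prefix = re.sub(r'&RM$', '', parts[2], flags=re.IGNORECASE)   # '8&2b3c4d5e&0&RM' -> '8&2b3c4d5e&0'
            entry, via = by_prefix.get(prefix.lower()), 'ParentIdPrefix'
        if entry:
            rows.append(dict(entry, drive=name.rsplit('\\', 1)[1], matched_by=via))
    return rows


SAMPLE_USBSTOR = {                                           # constructed Enum\USBSTOR content
    'Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.26': {
        '4C530001234567890123&0': {'FriendlyName': 'SanDisk Cruzer USB Device'}},
    'Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07': {
        '7&1a2b3c4d&0': {'FriendlyName': 'Generic Flash Disk USB Device', 'ParentIdPrefix': '8&2b3c4d5e&0'}},
}
SAMPLE_MOUNTED = {                                           # constructed MountedDevices values
    '\\DosDevices\\C:': struct.pack('<IQ', 0x1A2B3C4D, 0x7E00),
    '\\DosDevices\\E:': ('_??_USBSTOR#Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.26#4C530001234567890123&0#'
                         '{53f56307-b6bf-11d0-94f2-00a0c91efb8b}').encode('utf-16-le'),
    '\\DosDevices\\F:': ('\\??\\STORAGE#RemovableMedia#8&2b3c4d5e&0&RM#'
                         '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}').encode('utf-16-le'),
}
```

A drive letter is reused across devices, so the match has to go through the instance ID or ParentIdPrefix rather than the letter; a device with a Windows-generated ID (serial None) can only be told apart from an identical model by the generated number, which changes if the device is plugged into another port or machine.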
Artifacts > Timezone Information (1/2) (HIVE: SYSTEM)
HKLM\SYSTEM\CurrentControlSet\Control\TimeZoneInformation
Offset from GMT/UTC and DST (Daylight Saving Time) rules. Registry timestamps (LastWrite and FILETIME values) are stored in UTC; these values are what convert them to the machine's local time.
http://msdn.microsoft.com/en-us/library/ms725481.aspx
Artifacts > Timezone Information (2/2) (HIVE: SYSTEM)
HKLM\SYSTEM\CurrentControlSet\Control\TimeZoneInformation
Value name | Data type | Description
ActiveTimeBias | 32-bit signed integer | Bias currently in effect, in minutes: UTC = local time + bias (UTC+9 stores -540, UTC-5 stores 300)
Bias | 32-bit signed integer | Base offset of the configured zone from UTC, in minutes, same sign convention
DaylightBias | 32-bit signed integer | Additional bias applied while daylight time is in effect (usually -60)
DaylightName | Unicode text string | Name of the zone while daylight time applies
DaylightStart | Binary, 16 bytes | A SYSTEMTIME: eight little-endian 16-bit words: year (0 for a recurring rule), month (1-12), day of week (0 = Sunday ... 6 = Saturday), week of month (1-4; 5 = last occurrence), hour (0-23), minute, second, millisecond
StandardBias | 32-bit signed integer | Additional bias applied while standard time is in effect (usually 0)
StandardName | Unicode text string | Name of the zone while standard time applies
StandardStart | Binary, 16 bytes | SYSTEMTIME with the same layout as DaylightStart. Example: 00 00 0A 00 00 00 05 00 02 00 00 00 00 00 00 00 = month 10, Sunday, week 5 (last), 02:00: standard time begins on the last Sunday of October at 02:00 local (daylight) time. A month of 0 means the zone has no DST rule.
http://forensic-proof.com/archives/321
http://forensicinsight.org/wp-content/uploads/2012/10/insight-digital-times.pdf
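The conversion those values enable, as an added example that is not code from the slides: it decodes the SYSTEMTIME transition rules, decides whether a UTC registry timestamp fell in daylight or standard time, and returns the local time with the applicable zone name. The three value sets (Eastern, W. Europe and a zone without DST) are constructed here, with negative biases stored as the raw unsigned REG_DWORD they appear as in a hive; the southern-hemisphere branch, where DST spans the new year, is included but not exercised by the samples.

```python
"""Local-time conversion from TimeZoneInformation values (added example, not code from the slides)."""
import calendar
import struct
from datetime import datetime, timedelta


def signed32(dword):
    """REG_DWORD is unsigned on disk; zones east of UTC store negative biases as two's complement."""
    return dword - (1 << 32) if dword & 0x80000000 else dword


def parse_transition(blob):
    """SYSTEMTIME: year (0 = recurring rule), month, day of week (0 = Sunday), week of month (5 = last),
    hour, minute, second, millisecond. A month of 0 means no DST rule."""
    _year, month, dow, week, hour, minute, _sec, _ms = struct.unpack('<8H', blob[:16])
    return None if month == 0 else (month, dow, week, hour, minute)


def transition_datetime(rule, year):
    """Resolve a recurring rule (e.g. 'week 5, Sunday, March, 02:00') to a concrete date in `year`."""
    month, dow, week, hour, minute = rule
    first_dow = (datetime(year, month, 1).weekday() + 1) % 7      # Python Monday=0 -> Windows Sunday=0
    day = 1 + (dow - first_dow) % 7 + (week - 1) * 7
    while day > calendar.monthrange(year, month)[1]:               # week 5 = last occurrence in the month
        day -= 7
    return datetime(year, month, day, hour, minute)


def in_daylight_time(tz, utc):
    start_rule, end_rule = parse_transition(tz['DaylightStart']), parse_transition(tz['StandardStart'])
    if start_rule is None or end_rule is None:
        return False
    bias = signed32(tz['Bias'])
    std_local = utc - timedelta(minutes=bias + signed32(tz['StandardBias']))   # UTC = local + bias
    dst_local = utc - timedelta(minutes=bias + signed32(tz['DaylightBias']))
    start = transition_datetime(start_rule, utc.year)   # DaylightStart is expressed in local standard time
    end = transition_datetime(end_rule, utc.year)       # StandardStart is expressed in local daylight time
    if start < end:                                      # northern hemisphere: DST lies inside one year
        return start <= std_local and dst_local < end
    return std_local >= start or dst_local < end         # southern hemisphere: DST spans the new year


def utc_to_local(tz, utc):
    """Convert a UTC registry timestamp (naive datetime) to local time; returns (local, zone name)."""
    bias = signed32(tz['Bias'])
    if in_daylight_time(tz, utc):
        return utc - timedelta(minutes=bias + signed32(tz['DaylightBias'])), tz['DaylightName']
    return utc - timedelta(minutes=bias + signed32(tz['StandardBias'])), tz['StandardName']


def convert(tz, utc_iso):
    """String front end: ISO 8601 UTC in, (ISO 8601 local, zone name) out."""
    local, name = utc_to_local(tz, datetime.fromisoformat(utc_iso))
    return local.isoformat(), name


def systemtime(month, dow, week, hour, minute=0):
    """Build a 16-byte recurring SYSTEMTIME rule as stored in StandardStart/DaylightStart."""
    return struct.pack('<8H', 0, month, dow, week, hour, minute, 0, 0)


# Constructed value sets mirroring the registry layout (hypothetical machines, not real exports)
EASTERN = {'Bias': 300, 'StandardBias': 0, 'DaylightBias': 0xFFFFFFC4,           # -60 as REG_DWORD
           'StandardName': 'Eastern Standard Time', 'DaylightName': 'Eastern Daylight Time',
           'StandardStart': systemtime(11, 0, 1, 2), 'DaylightStart': systemtime(3, 0, 2, 2)}
W_EUROPE = {'Bias': 0xFFFFFFC4, 'StandardBias': 0, 'DaylightBias': 0xFFFFFFC4,   # UTC+1, DST +1
            'StandardName': 'W. Europe Standard Time', 'DaylightName': 'W. Europe Daylight Time',
            'StandardStart': systemtime(10, 0, 5, 3), 'DaylightStart': systemtime(3, 0, 5, 2)}
SEOUL = {'Bias': 0xFFFFFDE4, 'StandardBias': 0, 'DaylightBias': 0xFFFFFFC4,      # UTC+9, no DST rule
         'StandardName': 'Korea Standard Time', 'DaylightName': 'Korea Daylight Time',
         'StandardStart': systemtime(0, 0, 0, 0), 'DaylightStart': systemtime(0, 0, 0, 0)}
```

The two timestamps on either side of a transition are the case to test before relying on any local-time conversion in a report: one minute before the fall-back moment the same UTC instant is still daylight time, one minute after it is standard time, and an hour of local clock time occurs twice.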
Artifacts > Shared Resources (HIVE: SYSTEM)
Network shares
  HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Shares
  Type=0 (disk share), Type=1 (print queue share)
Special-purpose parameters
  HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
  AutoShareServer (servers) / AutoShareWks (workstations) = 0 disables creation of the hidden administrative shares (C$, ADMIN$, ...)
On a live system the shares can be listed with net share on the command line.
http://support.microsoft.com/kb/288164
Artifacts > Mapped Network Drive (HIVE: NTUSER.DAT)
Network drive connections made by the user
  NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU
Volumes the user has mounted on the system (one subkey per volume, including removable media and network shares)
  NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
Artifacts > Startup Services (1/3) (HIVE: SOFTWARE, NTUSER.DAT)
Startup entries, in the order they run when a user logs on
1. HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
2. HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
3. HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
4. HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Run
5. HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
6. HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Entries 1, 3, 5 and 6 are parsed and executed every time a user logs on. A RunOnce value (1, 6) whose name starts with an asterisk (*) also runs in Safe Mode; RunOnce values are deleted before their command runs, so a persistent entry there has been re-created.
Artifacts > Startup Services (2/3) (HIVE: SOFTWARE)
Startup hooks triggered by user activity
  HKLM\SOFTWARE\Classes\exefile\shell\open\command (seen as HKCR\exefile\shell\open\command)
  Normally only the default value "%1" %* is present (check with ftype exefile); anything else means every .exe launch is wrapped by another program.
Locations frequently used by malware
1. HKCR\Wordpad.Document.[version]\shell\open\command (runs whenever a document of that type is double-clicked)
2. HKLM\SOFTWARE\Microsoft\Command Processor\AutoRun (runs whenever cmd.exe starts)
3. HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (the listed DLLs are loaded into every GUI application that loads user32.dll at start)
4. HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify (notification packages that Winlogon calls on logon, logoff, screensaver start and similar events)
Artifacts > Startup Services (3/3) (HIVE: SYSTEM)
Services and drivers started at boot
  HKLM\SYSTEM\CurrentControlSet\Services
At startup Windows selects the control set to use (HKLM\SYSTEM\Select, value Current) and starts the services it lists according to their Start value: 0 = boot (loaded by the boot loader), 1 = system (loaded during kernel initialisation), 2 = automatic, 3 = manual, 4 = disabled. The ImagePath and ServiceDll of every automatic service (Start=0x02) deserve a look.
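An audit of the autostart locations from the three slides above, as an added example that is not code from the slides. It parses a regedit export (.reg) of the Run/RunOnce keys, the exefile handler, the AppInit_DLLs value and the cmd.exe AutoRun value, then applies the checks a responder runs by hand: entries in user-writable directories, script hosts and encoded command lines, unquoted paths with spaces, asterisk-prefixed RunOnce values, and a non-default exefile handler. The export below is constructed for the example; the heuristics and thresholds are the author's assumptions, not Windows rules.

```python
"""Autostart audit over a .reg export (added example, not code from the slides)."""
import re

VALUE_RE = re.compile(r'^(?:@|"((?:[^"\\]|\\.)*)")=(.*)$')
SCRIPT_HOSTS = ('powershell', 'cmd.exe', 'wscript', 'cscript', 'mshta', 'rundll32', 'regsvr32', 'certutil')
USER_WRITABLE = ('\\temp\\', '\\appdata\\', '\\users\\public\\', '\\programdata\\', '\\downloads\\')


def _unescape(s):
    return re.sub(r'\\(.)', r'\1', s)               # .reg escapes backslash and double quote with a backslash


def _decode_data(raw):
    if raw.startswith('"') and raw.endswith('"'):
        return _unescape(raw[1:-1])
    if raw.startswith('dword:'):
        return int(raw[6:], 16)
    m = re.match(r'hex(?:\((\d+)\))?:(.*)', raw)
    if m:
        reg_type = int(m.group(1) or 3)               # bare hex: is REG_BINARY (3)
        data = bytes(int(b, 16) for b in m.group(2).split(',') if b.strip())
        if reg_type in (1, 2, 7):                      # REG_SZ / REG_EXPAND_SZ / REG_MULTI_SZ are UTF-16LE
            return data.decode('utf-16-le').rstrip('\x00')
        return data
    return raw


def parse_reg(text):
    """Return {key path: {value name: data}}; '@' is the key's default value."""
    keys, current, pending = {}, None, ''
    for line in text.splitlines():
        line = pending + line.strip()
        if line.endswith('\\'):                         # hex data continued on the next line
            pending = line[:-1]
            continue
        pending = ''
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line) if current else None
        if m:
            name = '@' if m.group(1) is None else _unescape(m.group(1))
            keys[current][name] = _decode_data(m.group(2))
    return keys


def _check_command(key, name, cmd):
    low, reasons = cmd.lower(), []
    if key.lower().endswith('\\runonce') and name.startswith('*'):
        reasons.append('RunOnce entry prefixed with * also runs in Safe Mode')
    if any(h in low for h in SCRIPT_HOSTS):
        reasons.append('script host or LOLBin used as an autostart')
    if re.search(r'\s-e(nc(odedcommand)?)?\s', low) or 'frombase64' in low:
        reasons.append('encoded command line')
    if any(p in low for p in USER_WRITABLE):
        reasons.append('binary in a user-writable location')
    head = low.split('.exe')[0]
    if not low.startswith('"') and ':\\' in head and ' ' in head:
        reasons.append('unquoted path containing spaces')
    return reasons


def audit_autoruns(reg):
    """Return [{'key', 'value', 'data', 'reasons'}] for entries that deserve a second look."""
    findings = []
    for key, values in reg.items():
        k = key.lower()
        if k.endswith('\\run') or k.endswith('\\runonce'):
            for name, data in values.items():
                reasons = _check_command(key, name, str(data))
                if reasons:
                    findings.append({'key': key, 'value': name, 'data': data, 'reasons': reasons})
        elif k.endswith('\\exefile\\shell\\open\\command'):
            if str(values.get('@', '')).strip().lower() != '"%1" %*':
                findings.append({'key': key, 'value': '@', 'data': values.get('@'),
                                 'reasons': ['exefile handler changed from "%1" %*: every .exe launch is wrapped']})
        elif k.endswith('\\windows nt\\currentversion\\windows') and values.get('AppInit_DLLs'):
            findings.append({'key': key, 'value': 'AppInit_DLLs', 'data': values['AppInit_DLLs'],
                             'reasons': ['AppInit_DLLs loads this DLL into every process that loads user32.dll']})
        elif k.endswith('\\command processor') and values.get('AutoRun'):
            findings.append({'key': key, 'value': 'AutoRun', 'data': values['AutoRun'],
                             'reasons': ['cmd.exe AutoRun runs on every cmd.exe start']})
    return findings


SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"Updater"="C:\\Users\\bob\\AppData\\Local\\Temp\\upd.exe /silent"
"Backup Agent"="C:\\Program Files\\Backup Agent\\agent.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"*Stage2"="powershell -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]
@="\"C:\\ProgramData\\svc\\wrap.exe\" \"%1\" %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\Windows\\Temp\\hook.dll"
"LoadAppInit_DLLs"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor]
"AutoRun"=""
"""   # constructed export; the entries are invented for the example
```

Run against an export taken with reg export (or a .reg produced from an offline hive), the output is a short list to triage rather than the full Autoruns listing; the heuristics trade recall for speed, so an empty result does not clear a machine.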
Artifacts > Startup Services - Startup Services with Autoruns from Sysinternals (screenshot)
Artifacts > Startup Services - Autoruns (Sysinternals) tabs
- Logon: scans the standard autostart locations such as the Startup folder for the current user and all users, the Run registry keys, and standard application launch locations.
- Explorer: Explorer shell extensions, browser helper objects, Explorer toolbars, Active Setup executions, and shell execute hooks.
- Internet Explorer: Browser Helper Objects (BHOs), Internet Explorer toolbars and extensions.
- Services: all Windows services configured to start automatically when the system boots.
- Drivers: all kernel-mode drivers registered on the system except those that are disabled.
- Scheduled Tasks: Task Scheduler tasks configured to start at boot or logon.
- AppInit DLLs: DLLs registered as application initialization DLLs.
- Boot Execute: native images (as opposed to Windows images) that run early during the boot process.
- Image Hijacks: Image File Execution Options and command-prompt autostarts.
- Known DLLs: the location of DLLs that Windows loads into applications that reference them.
- Winlogon Notifications: DLLs that register for Winlogon notification of logon events.
- Winsock Providers: registered Winsock protocols, including Winsock service providers.
- LSA Providers: registered Local Security Authority (LSA) authentication, notification and security packages.
- Printer Monitor Drivers: DLLs that load into the print spooling service.
- Sidebar: Windows Vista sidebar gadgets.
Artifacts > Startup Services - Startup Services with the built-in system configuration utility msconfig (screenshot)
Artifacts > Internet Explorer: Settings (1/4) (HIVE: NTUSER.DAT)
Detailed Internet Explorer settings such as the start page, search page and toolbars
  NTUSER\Software\Microsoft\Internet Explorer\Main
Artifacts > Internet Explorer: TypedURLs (2/4) (HIVE: NTUSER.DAT)
URLs the user typed into the Internet Explorer address bar (url1 is the most recent)
  NTUSER\Software\Microsoft\Internet Explorer\TypedURLs
Windows shell Open and Save As common dialogs (ComDlg32)
  NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU (applications and the folder each last opened or saved in)
  NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU (files opened or saved, grouped by extension)
  On Vista and later these are LastVisitedPidlMRU and OpenSavePidlMRU.
Artifacts > Internet Explorer: Download Directory (3/4) (HIVE: NTUSER.DAT)
Download directory used by Internet Explorer
  NTUSER\Software\Microsoft\Internet Explorer\
[Lessons Learned or Notes]
http://forensicinsight.org/wp-content/uploads/2012/03/insight_web-browser-forensics_part1.pdf
http://forensicinsight.org/wp-content/uploads/2012/03/insight_web-browser-forensics-part-ii.pdf
Artifacts > Internet Explorer: Stored Data (4/4) (HIVE: NTUSER.DAT)
Form data (AutoComplete)
  NTUSER\Software\Microsoft\Internet Explorer\IntelliForms\Storage1
Account data (saved credentials)
  NTUSER\Software\Microsoft\Internet Explorer\IntelliForms\Storage2
Both hold DPAPI-encrypted blobs named by a hash of the URL they belong to; decrypting them requires the user's DPAPI master key (i.e. the user's logon password), so they cannot be read from an offline hive alone.
Artifacts > Wireless SSIDs (HIVE: SOFTWARE)
Wireless information (Windows XP, Wireless Zero Configuration service)
  HKLM\SOFTWARE\Microsoft\WZCSVC\Parameters\Interfaces\[Interface GUID]
From Windows Vista onward the profiles are stored as XML files instead:
  C:\ProgramData\Microsoft\Wlansvc\Profiles\Interfaces\[Interface GUID]\*.xml
  The SSID is in clear text; the pre-shared key is stored in the XML encrypted (keyMaterial element, DPAPI-protected).
  Connection history (DateCreated, DateLastConnected) is kept under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\{Profile GUID}.
Artifacts > Network Information - Network Interfaces (1/2) (HIVE: SYSTEM, SOFTWARE)
Network connections (names of each connection)
  HKLM\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318} (the network adapter class GUID)
Network cards
  HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards
Network interface configuration (IP address, DHCP server, lease times, DNS servers, default gateway)
  HKLM\SYSTEM\ControlSet00[n]\Services\Tcpip\Parameters\Interfaces\{Interface GUID}
Adapter driver settings
  HKLM\SYSTEM\ControlSet00[n]\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\[nnnn]
  (a NetworkAddress value here holds a MAC address only when an override has been configured; the hardware MAC itself is not stored in the registry)
Artifacts > Network Information - Network Interfaces (2/2) (screenshot)
Artifacts > SAM (user accounts) (1/3) (HIVE: SAM)
HKLM\SAM\SAM\Domains\Account\Users\[RID] (one subkey per account, the RID in hexadecimal, e.g. 000003E8 = 1000)
HKLM\SAM\SAM\Domains\Account\Users\Names\[Account name] (the type field of the default value holds the RID)
[Lessons Learned or Notes] The SAM subtree is readable only as SYSTEM, not as Administrator. Launch regedit as SYSTEM with Sysinternals PsExec: PsExec.exe -i -d -s c:\windows\regedit.exe (or parse an offline copy of the SAM hive).
Artifacts > SAM (user accounts) (2/3)
Each account's data is stored in the F and V values of its {RID} subkey.
F value (fixed binary layout; all times are FILETIMEs in UTC)
- last logon time: offset 8-15
- password last set time: offset 24-31
- account expiry time: offset 32-39 (0 or 0x7FFFFFFFFFFFFFFF = never)
- last failed logon time: offset 40-47
- RID (the final component of the SID): offset 48-51
- account control flags (disabled, password not required, password never expires, locked out, ...): offset 56-57
- country code (international dialling code): offset 60-61
- failed logon count: offset 64-65
- successful logon count: offset 66-67
V value (an offset table at the start, strings stored as UTF-16LE)
- logon account name
- full name
- account description
- LM hash (encrypted with the SAM key; absent on modern systems)
- NT hash (encrypted with the SAM key)
http://forensic-proof.com/archives/1515
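The F and V layouts above, as an added example that is not code from the slides: parse_f decodes the timestamps, RID, account-control flags and counters, and parse_v walks the V offset table for the name strings and reports whether an LM or NT hash field is present. Both values are constructed here to the layouts on the slide (no SAM hive is read), and the hash blobs are treated as opaque: they are encrypted with the SAM key and this example does not decrypt them.

```python
"""SAM F/V value decoder (added example, not code from the slides)."""
import struct
from datetime import datetime, timedelta, timezone

ACB_FLAGS = {                                    # account-control bits at F offset 56
    0x0001: 'DISABLED', 0x0002: 'HOMEDIR_REQUIRED', 0x0004: 'PASSWORD_NOT_REQUIRED',
    0x0008: 'TEMP_DUPLICATE', 0x0010: 'NORMAL_ACCOUNT', 0x0020: 'MNS_LOGON',
    0x0040: 'INTERDOMAIN_TRUST', 0x0080: 'WORKSTATION_TRUST', 0x0100: 'SERVER_TRUST',
    0x0200: 'PASSWORD_NEVER_EXPIRES', 0x0400: 'AUTO_LOCKED',
}
NEVER = (0, 0x7FFFFFFFFFFFFFFF)
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
V_FIELDS = {'name': 0x0C, 'full_name': 0x18, 'comment': 0x24, 'lm_hash': 0x9C, 'nt_hash': 0xA8}


def filetime(ft):
    """FILETIME -> aware datetime; 0 and the maximum mean 'never' (no logon yet, expiry unset)."""
    return None if ft in NEVER else FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def to_filetime(dt):
    return int((dt - FILETIME_EPOCH).total_seconds()) * 10_000_000


def parse_f(f):
    last_logon, pwd_set, expires, last_fail = (struct.unpack_from('<Q', f, o)[0] for o in (8, 24, 32, 40))
    (rid,) = struct.unpack_from('<I', f, 48)
    (acb,) = struct.unpack_from('<H', f, 56)
    (country,) = struct.unpack_from('<H', f, 60)
    failed, logons = struct.unpack_from('<HH', f, 64)
    return {'rid': rid, 'last_logon': filetime(last_logon), 'password_set': filetime(pwd_set),
            'expires': filetime(expires), 'last_failed_logon': filetime(last_fail),
            'flags': [name for bit, name in ACB_FLAGS.items() if acb & bit],
            'country_code': country, 'failed_logons': failed, 'logon_count': logons}


def parse_v(v):
    """V begins with an offset table; each (offset, length) pair is relative to 0xCC, where the data area starts."""
    out = {}
    for field, table_off in V_FIELDS.items():
        data_off, length = struct.unpack_from('<II', v, table_off)
        blob = v[0xCC + data_off:0xCC + data_off + length]
        if field.endswith('hash'):
            out[field + '_present'] = length > 4         # a 0- or 4-byte field means no hash is stored
        else:
            out[field] = blob.decode('utf-16-le')
    return out


def build_sample_f(rid, acb, last_logon, password_set, failed=0, logons=0, country=82):
    """Constructed F value (80 bytes) with expiry and last-failed-logon left at 'never'."""
    f = bytearray(80)
    struct.pack_into('<QQQQQ', f, 8, to_filetime(last_logon), 0, to_filetime(password_set), 0, 0)
    struct.pack_into('<I', f, 48, rid)
    struct.pack_into('<H', f, 56, acb)
    struct.pack_into('<H', f, 60, country)
    struct.pack_into('<HH', f, 64, failed, logons)
    return bytes(f)


def build_sample_v(name, full_name, comment, nt_hash_blob):
    """Constructed V value: offset table (0xCC bytes) followed by the data area."""
    table, data = bytearray(0xCC), b''
    for field, blob in (('name', name.encode('utf-16-le')), ('full_name', full_name.encode('utf-16-le')),
                        ('comment', comment.encode('utf-16-le')), ('lm_hash', b''), ('nt_hash', nt_hash_blob)):
        struct.pack_into('<II', table, V_FIELDS[field], len(data), len(blob))
        data += blob
    return bytes(table) + data


# constructed sample account: RID 1000, normal account, password not required and never expires
SAMPLE_F = build_sample_f(1000, 0x0214, datetime(2012, 9, 1, 8, 30, tzinfo=timezone.utc),
                          datetime(2012, 6, 15, 9, 0, tzinfo=timezone.utc), failed=2, logons=57)
SAMPLE_V = build_sample_v('kevin', 'Kevin Koo', 'Research workstation account',
                          b'\x00' * 20)                     # placeholder for the encrypted NT hash field
```

PASSWORD_NOT_REQUIRED on an enabled account is the flag to look for during an intrusion review, together with a last-logon time that contradicts the owner's account of when the machine was used.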
Artifacts > SAM (user accounts) (3/3) (HIVE: SOFTWARE)
User profile list
  HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\{SID} (maps each SID to its ProfileImagePath; the subkey's LastWrite time is commonly used as an approximation of the user's last logon)
Artifacts > UserAssist (1/3) (HIVE: NTUSER.DAT)
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count
- Tracks programs launched through Explorer (shortcuts, Start menu items, the frequently-used program list): run count and last run time per entry.
- Value names are ROT13-encoded (obfuscated, not encrypted), e.g.
  Q:\Gbbyf\Zvfpryynarbhf\GvzrYbeq\Nccyvpngvba Svyrf\GvzrYbeq_0_1_5_6\GvzrYbeq.rkr
  decodes to
  D:\Tools\Miscellaneous\TimeLord\Application Files\TimeLord_0_1_5_6\TimeLord.exe
http://rot13-encoder-decoder.waraxe.us/
http://commons.wikimedia.org/wiki/file:rot13.png
Artifacts > UserAssist (2/3)
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist
Windows 2000/XP/Vista
  {5E6AB780-7743-11CF-A12B-00AA004AE837}\Count
  {75048700-EF1F-11D0-9888-006097DEACF9}\Count
Data format on Windows 2000/XP/Vista (16 bytes)
  bytes 0-3: session ID
  bytes 4-7: run count (the counter starts at 5, so subtract 5 to get the number of launches)
  bytes 8-15: last run time (FILETIME, UTC)
Artifacts > UserAssist (3/3)
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist
Windows 7
  {CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count (executables)
  {F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count (shortcuts)
Data format on Windows 7 (72 bytes)
  bytes 0-3: session ID
  bytes 4-7: run count (the slides note that the initial value varies by application)
  bytes 8-11: focus count; bytes 12-15: focus time in milliseconds
  bytes 60-67: last run time (FILETIME, UTC)
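The two UserAssist layouts above, as an added example that is not code from the slides: it un-ROT13s the value names, splits off the UEME_ prefix that XP uses, decodes the XP (16-byte, count offset by 5) and Windows 7 (72-byte, focus fields, timestamp at 60) records and orders the entries by last run. The sample values are constructed; the first XP entry uses the ROT13 path shown on the slide.

```python
"""UserAssist decoder (added example, not code from the slides)."""
import codecs
import struct
from datetime import datetime, timedelta, timezone

XP_GUIDS = {'{75048700-EF1F-11D0-9888-006097DEACF9}', '{5E6AB780-7743-11CF-A12B-00AA004AE837}'}
WIN7_GUIDS = {'{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}', '{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}'}
XP_COUNT_BASE = 5                               # XP counters start at 5: stored count - 5 = real launches
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime(ft):
    return None if ft == 0 else FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def to_filetime(dt):
    return int((dt - FILETIME_EPOCH).total_seconds()) * 10_000_000


def decode_entry(count_guid, value_name, data):
    """Decode one value under ...\\UserAssist\\{GUID}\\Count."""
    name = codecs.decode(value_name, 'rot_13')  # names are ROT13-obfuscated, not encrypted
    kind, _, path = name.partition(':') if name.startswith('UEME_') else ('', '', name)
    entry = {'kind': kind or 'PATH', 'path': path}
    guid = count_guid.upper()
    if guid in XP_GUIDS and len(data) >= 16:
        session, count, ft = struct.unpack_from('<IIQ', data)
        entry.update(session=session, run_count=max(count - XP_COUNT_BASE, 0), last_run=filetime(ft))
    elif guid in WIN7_GUIDS and len(data) >= 68:
        session, count, focus_count, focus_ms = struct.unpack_from('<IIII', data)
        (ft,) = struct.unpack_from('<Q', data, 60)
        entry.update(session=session, run_count=count, focus_count=focus_count,
                     focus_time=timedelta(milliseconds=focus_ms), last_run=filetime(ft))
    else:
        raise ValueError('unknown UserAssist GUID or data length: %s (%d bytes)' % (count_guid, len(data)))
    return entry


def decode_count_key(count_guid, values):
    """Decode every value of one Count key, most recently run first (never-run entries last)."""
    entries = [decode_entry(count_guid, name, data) for name, data in values.items()]
    return sorted(entries, key=lambda e: e['last_run'] or FILETIME_EPOCH, reverse=True)


def win7_blob(session, count, focus_count, focus_ms, last_run):
    """Constructed 72-byte Windows 7 record."""
    blob = bytearray(72)
    struct.pack_into('<IIII', blob, 0, session, count, focus_count, focus_ms)
    struct.pack_into('<Q', blob, 60, to_filetime(last_run))
    return bytes(blob)


XP_SAMPLE = {                                   # constructed XP Count values (HRZR_EHACNGU = UEME_RUNPATH)
    'HRZR_EHACNGU:Q:\\Gbbyf\\Zvfpryynarbhf\\GvzrYbeq\\Nccyvpngvba Svyrf\\GvzrYbeq_0_1_5_6\\GvzrYbeq.rkr':
        struct.pack('<IIQ', 3, 8, to_filetime(datetime(2012, 9, 1, 14, 5, tzinfo=timezone.utc))),
    'HRZR_EHACNGU:pnyp.rkr': struct.pack('<IIQ', 3, 5, 0),   # count 5 and no timestamp: never actually run
}
WIN7_SAMPLE = {                                 # constructed Windows 7 Count values
    codecs.encode('C:\\Windows\\System32\\cmd.exe', 'rot_13'):
        win7_blob(0, 12, 4, 90_000, datetime(2012, 9, 2, 9, 15, tzinfo=timezone.utc)),
    codecs.encode('C:\\Tools\\nc.exe', 'rot_13'):
        win7_blob(0, 1, 1, 3_000, datetime(2012, 9, 2, 9, 20, tzinfo=timezone.utc)),
}
```

The subtraction of 5 on XP is the detail most often got wrong when run counts are quoted in a report; an entry whose stored count is 5 with a zero timestamp was registered but never launched.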
Artifacts > Shellbags (HIVE: NTUSER.DAT, UsrClass.dat)
Folder view settings Explorer records for every folder the user browsed, including folders on media that are no longer present (BagMRU and Bags subkeys)
  HKCU\Software\Microsoft\Windows\ShellNoRoam
  HKCU\Software\Microsoft\Windows\Shell
  HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell (Windows Vista and later; stored in UsrClass.dat)
Artifacts > Windows Searches (1/2) (HIVE: NTUSER.DAT, Windows XP)
HKU\{USER}\SOFTWARE\Microsoft\Search Assistant\ACMru\[????]
Subkey number | Meaning
5001 | Internet search
5603 | All files and folders search
5604 | A word or phrase in a file; pictures, music or video search
5647 | Computers or people search
Artifacts > Windows Searches (2/2) (HIVE: NTUSER.DAT, Windows 7)
HKU\{USER}\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery
On Windows XP the lowest-numbered ACMru value is the most recent search; on Windows 7 the order of the WordWheelQuery values is kept in MRUListEx (most recent index first) and the search terms are stored as UTF-16LE strings. Windows Vista does not keep search terms in the registry.
Artifacts > RDP Connection (HIVE: NTUSER.DAT)
HKU\{USER}\SOFTWARE\Microsoft\Terminal Server Client\Default (MRU0, MRU1, ...: hosts entered in the Remote Desktop client; the lowest number is the most recent)
HKU\{USER}\SOFTWARE\Microsoft\Terminal Server Client\Servers\[hostname] (UsernameHint value: the last user name used for that host)
Artifacts > Hardware Information (HIVE: SYSTEM)
HKLM\SYSTEM\ControlSet00[#]\Control\Class (device classes and the driver information of each installed device)
HKLM\SYSTEM\ControlSet00[#]\Enum (every device Windows has enumerated, by bus: PCI, USB, USBSTOR, IDE, ...)
Artifacts > Restore Points (HIVE: SOFTWARE)
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore (System Restore configuration, e.g. DisableSR and RPSessionInterval; the restore points themselves contain copies of the registry hives)