Finding out what the user did from a registry dump

When investigating computer incidents, one of the most important activities is collecting evidence. A RAM dump is therefore very valuable: from it we can learn which processes were running on the system and, for example, select and dump the processes created by malware for further analysis.

Equally important is information about which applications the user launched, which documents they opened in office programs, and which network connections they made to remote hosts over protocols such as RDP and SSH. The Windows registry helps answer these and similar questions.

The Windows Registry is a hierarchical database of settings and options in Microsoft Windows operating systems. It holds configuration for hardware and software, user profiles, preferences and so on. Most changes made through the Control Panel, file associations, system policies and the list of installed software are recorded in the registry, so the registry contains a great deal of important information.

Virtual registry

When the computer starts, the kernel loads the hive files from disk and builds a so-called virtual registry in the machine's RAM (the HARDWARE hive, for example, exists only in memory and is populated from hardware detection at boot). The current configuration lives in this in-memory registry: changes are made there first and are then flushed back to the hive files on disk. Since this exchange goes on for the whole operating system session, the virtual registry is always present in the computer's memory, which is why it can be recovered from a RAM dump.

The virtual registry is very useful when analysing user actions, because it tells us a lot about what the user did on the system. From it you can obtain information about groups and users, including their rights, password hashes and last logon dates, connected USB devices, installed programs, recently opened documents, the most frequently launched programs and much more.

Next, we'll look at using Volatility to work with the virtual registry and extract useful information about user activity.

Good old Volatility

Volatility is probably the most widely used tool for analysing memory dumps, and with it we can read the virtual registry contained in a dump. This article does not cover installing the tool, since there are plenty of publications on that topic. The examples below use the Volatility 2 command line (vol.py with --profile); the Volatility 3 equivalents (windows.registry.hivelist, windows.registry.printkey, windows.hashdump and so on) take different options.

Volatility has several plugins for working with the registry. Let's start with hivelist. This plugin finds the virtual addresses of the registry hives in memory and the full path of the corresponding hive file on disk. If you want to print keys from a specific hive, run this command first to get the hive's address.

$ vol.py -f win7_trial_64bit.raw --profile=Win7SP0x64 hivelist

To display the subkeys, values, data and data types of a given registry key, use the printkey plugin. By default printkey searches every hive and prints the key information (if found) for the requested key, so if a key with that path exists in several hives, it is printed once for each hive that contains it.

Say you want to look at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc. The -K path is given relative to the root of the hive (here the SOFTWARE hive), so you would run:

$ vol.py -f win7_trial_64bit.raw --profile=Win7SP0x64 printkey -K "Microsoft\Security Center\Svc"

To recursively list all the subkeys in a hive, use the hivedump plugin and pass it the hive's virtual address with -o. You can get that address from the hivelist output.
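Picking the right offset out of the hivelist output by hand is error-prone when a dump has a dozen hives, so here is an added example (not code from the original article or from the Volatility project) that parses hivelist output and builds the follow-up commands. It serves this section as well as the hashdump (-y/-s) and dumpregistry (-o) commands later on, all of which take the same kind of address. The image name and profile are taken from the article's own command and are assumptions; the hivelist output below is constructed in the plugin's real column layout, with made-up addresses and user name.

```shell
#!/bin/sh
# Added example, not from the original article: look up a hive's virtual
# address in Volatility 2 "hivelist" output and feed it to the plugins that
# take a hive offset (hivedump/dumpregistry -o, hashdump -y/-s).
# IMAGE and PROFILE default to the article's own sample; both are assumptions.
IMAGE=${IMAGE:-win7_trial_64bit.raw}
PROFILE=${PROFILE:-Win7SP0x64}

# Constructed hivelist output in the real column layout (Virtual, Physical,
# Name). The addresses and the user name are made up for illustration.
SAMPLE_HIVELIST='Volatility Foundation Volatility Framework 2.6
Virtual            Physical           Name
------------------ ------------------ ----
0xfffff8a000024010 0x000000002d3c4010 [no name]
0xfffff8a00000f010 0x000000002d3e0010 \REGISTRY\MACHINE\SYSTEM
0xfffff8a00000b410 0x000000002d3e1410 \REGISTRY\MACHINE\HARDWARE
0xfffff8a000d59010 0x000000002b7f1010 \SystemRoot\System32\Config\SAM
0xfffff8a0004f8010 0x000000002bd3e010 \SystemRoot\System32\Config\SOFTWARE
0xfffff8a0018ee010 0x0000000021c0f010 \??\C:\Users\Alice\ntuser.dat
0xfffff8a001a2d010 0x000000001ee3b010 \??\C:\Users\Alice\AppData\Local\Microsoft\Windows\UsrClass.dat'

# get_hivelist: run the real plugin when vol.py and the image are present,
# otherwise fall back to the constructed sample so the parsing works offline.
get_hivelist() {
    if command -v vol.py >/dev/null 2>&1 && [ -r "$IMAGE" ]; then
        vol.py -f "$IMAGE" --profile="$PROFILE" hivelist
    else
        printf '%s\n' "$SAMPLE_HIVELIST"
    fi
}

# hive_offset <hivelist-output> <hive-file-basename>
# Prints the virtual address of the first hive whose file name (the part after
# the last backslash) equals the given name, case-insensitively; returns 1 if
# none matches. Matching the basename rather than a substring keeps SYSTEM
# from matching SOFTWARE or "[no name]" from matching anything.
hive_offset() {
    printf '%s\n' "$1" | awk -v want="$2" '
        $1 ~ /^0x/ {
            name = $NF
            sub(/.*\\/, "", name)           # strip the directory part
            if (tolower(name) == tolower(want)) { print $1; found = 1; exit }
        }
        END { exit found ? 0 : 1 }'
}

# Build the follow-up commands. They are printed rather than executed so the
# example also runs without Volatility; paste them into a shell to run them.
HIVELIST=$(get_hivelist)
SYS=$(hive_offset "$HIVELIST" SYSTEM) || { echo "SYSTEM hive not found" >&2; exit 1; }
SAM=$(hive_offset "$HIVELIST" SAM)    || { echo "SAM hive not found" >&2; exit 1; }
echo "vol.py -f $IMAGE --profile=$PROFILE hashdump -y $SYS -s $SAM"
for hive in SOFTWARE ntuser.dat UsrClass.dat; do
    off=$(hive_offset "$HIVELIST" "$hive") || { echo "no $hive hive in dump" >&2; continue; }
    echo "vol.py -f $IMAGE --profile=$PROFILE hivedump -o $off"
    echo "vol.py -f $IMAGE --profile=$PROFILE dumpregistry -o $off -D output/"
done
```

On a multi-user machine there is one ntuser.dat and one UsrClass.dat per profile, so the basename match returns only the first; in that case match on the full path (the user name in it) instead of the basename.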

Working with accounts

The next task is relevant not only to forensic examiners but also to pentesters. To extract and decrypt the password hashes of local accounts from the SAM hive, use the hashdump plugin (cached domain credentials, by contrast, are retrieved with the cachedump plugin).

hashdump needs the SYSTEM hive (for the boot key) and the SAM hive: pass the virtual address of the SYSTEM hive as -y and the virtual address of the SAM hive as -s, both taken from the hivelist output. In Volatility 2.x these offsets are optional, and if you omit them the plugin locates the two hives itself. For example:

$ vol.py hashdump -f win.raw -y 0xe1035b60 -s 0xe165cb60

You can then try to crack the resulting hashes with John the Ripper or Hashcat, or use the NT hashes directly in pass-the-hash attacks. But let's return to studying user actions.
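Before handing hashdump output to a cracker it is worth a minute of triage: accounts with an empty password need no cracking, accounts that still store an LM hash fall quickly, and identical NT hashes mean one recovered password opens several accounts. The following is an added example (not part of the original article or of Volatility) that does this over pwdump-format lines (user:RID:LM:NT:::), which is what hashdump prints. The sample output is constructed; the hashes in it are the well-known values for the empty password and for the password "password", not from any real system.

```shell
#!/bin/sh
# Added example, not from the original article: triage pwdump-format output
# from Volatility's hashdump (user:RID:LM:NT:::) before cracking or
# pass-the-hash. The sample is constructed; the hashes are the well-known
# values for an empty password and for the password "password".
SAMPLE_HASHDUMP='Volatility Foundation Volatility Framework 2.6
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
alice:1000:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
bob:1001:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::'

EMPTY_LM=aad3b435b51404eeaad3b435b51404ee   # LM hash of the empty string
EMPTY_NT=31d6cfe0d16ae931b73c59d7e0c089c0   # NT hash of the empty string

# records <dump>: keep only pwdump lines (4+ colon-separated fields, numeric
# RID), dropping Volatility's banner and any warning lines.
records() {
    printf '%s\n' "$1" | awk -F: 'NF >= 4 && $2 ~ /^[0-9]+$/'
}

# empty_password_accounts <dump>: accounts whose NT hash is the empty-string
# hash; these can be logged into without cracking anything.
empty_password_accounts() {
    records "$1" | awk -F: -v e="$EMPTY_NT" '$4 == e { print $1 }'
}

# lm_enabled_accounts <dump>: accounts that still store a real LM hash,
# which is crackable quickly (hashcat -m 3000) whatever the password length.
lm_enabled_accounts() {
    records "$1" | awk -F: -v e="$EMPTY_LM" '$3 != e { print $1 }'
}

# shared_nt_hashes <dump>: NT hashes used by more than one account, i.e.
# password reuse. Output: "<nthash> <user1,user2,...>". The empty-password
# hash is excluded because it signals "no password", not reuse.
shared_nt_hashes() {
    records "$1" | awk -F: -v e="$EMPTY_NT" '
        $4 != e { n[$4]++; who[$4] = (who[$4] == "" ? "" : who[$4] ",") $1 }
        END { for (h in n) if (n[h] > 1) print h, who[h] }'
}

# hashcat_nt_input <dump>: "user:nthash" lines for hashcat -m 1000 --username,
# skipping accounts whose password is already known to be empty.
hashcat_nt_input() {
    records "$1" | awk -F: -v e="$EMPTY_NT" '$4 != e { print $1 ":" $4 }'
}

echo "== accounts with empty passwords =="
empty_password_accounts "$SAMPLE_HASHDUMP"
echo "== accounts with LM hashes =="
lm_enabled_accounts "$SAMPLE_HASHDUMP"
echo "== NT hash reuse =="
shared_nt_hashes "$SAMPLE_HASHDUMP"
echo "== hashcat -m 1000 --username input =="
hashcat_nt_input "$SAMPLE_HASHDUMP"
```

To run it on real output, replace the sample with `SAMPLE_HASHDUMP=$(vol.py -f image.raw --profile=... hashdump)`; the banner line is filtered out by records, so it can be left in.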

Going back in time with shellbags

Shellbags is the common term for a set of registry keys in which Windows remembers the user's folder-view preferences for Windows Explorer (window size, position, view mode). Because an entry is created when a folder is viewed, these keys help paint a clearer picture of what the user did on the computer. Among other things, shellbags can show folders, zip archives and installers that existed on the system at some point (even if they have since been deleted), the type of each item (zip, directory, installer), network shares and the folders inside them, and the timestamps and other metadata associated with those items.

Shellbags live in different keys depending on the Windows version. Microsoft Knowledge Base article KB 813711 lists the following locations. Note that the ShellNoRoam keys date from Windows XP; on Windows 7, whose dump we use in the examples, most Explorer shellbags are in the user's UsrClass.dat hive under Local Settings\Software\Microsoft\Windows\Shell\BagMRU and \Bags, and the Volatility plugin checks the NTUSER.DAT and UsrClass.dat locations itself:

HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell

HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Bags

HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\BagMRU

HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam

HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU

HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\Bags

Let's extract the shellbags from our dump:

$ vol.py -f win7.vmem --profile=Win7SP1x86 shellbags

The command output (not reproduced here) lists, entry by entry, the paths the user browsed in Explorer together with the item type and the registry timestamps, which is how you see which folders the user recently opened.

When using bodyfile output (--output=body), you can include the machine ID in the bodyfile header with the --machine flag (useful when merging timelines from multiple machines).

Dump, just dump

Finally, let's look at the dumpregistry plugin, which writes hives from memory to disk. By default it dumps every hive it finds (including volatile ones such as HARDWARE), but you can pass a hive's virtual offset with -o to dump just that one. One caveat: the dumped hive may contain gaps where pages were not resident in memory at the time of the dump, so standalone registry tools may fail on it unless they are robust against "corrupt" files. Such gaps are reported in the plugin's text output by lines of the form "Physical layer returning None at index 2000, padded with NULL".

You can also dump a single hive. For this you again need the address from the hivelist output, passed as -o:

vol.py -f voltest.dmp --profile=Win7SP1x86 dumpregistry -o 0x8cec09d0 -D output/
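Since the plugin pads non-resident pages with NUL bytes, you can measure how complete a dumped hive is before feeding it to a standalone registry tool. Below is an added example (not code from the original article or from Volatility) that checks the regf signature and counts all-zero 4 KiB pages. The 4 KiB granularity is an assumption that matches both the x86/x64 page size and the hive bin size; the sample hive it builds is a constructed stand-in with only the signatures filled in.

```shell
#!/bin/sh
# Added example, not from the original article: measure how much of a hive
# written by dumpregistry is missing. Pages that were not resident in memory
# are written as NUL padding (the "Physical layer returning None at index ...,
# padded with NULL" message). Assumption: gaps are whole 4 KiB pages, which
# matches the x86/x64 page size and the hive bin (hbin) size. An all-zero page
# can only come from the padding, since a real hbin starts with its "hbin"
# signature and its free cells carry non-zero size headers.

# hive_gap_report <file>: prints "<null pages>/<total pages>"; returns 1 if
# the file does not start with the "regf" base-block signature.
hive_gap_report() {
    f=$1
    if [ "$(dd if="$f" bs=4 count=1 2>/dev/null)" != regf ]; then
        echo "not a registry hive: $f" >&2
        return 1
    fi
    pages=$(( $(wc -c < "$f") / 4096 ))
    nulls=0
    i=0
    while [ "$i" -lt "$pages" ]; do
        # a page is a gap if nothing is left after deleting every NUL byte
        nonzero=$(dd if="$f" bs=4096 skip="$i" count=1 2>/dev/null | tr -d '\000' | wc -c)
        if [ "$((nonzero))" -eq 0 ]; then
            nulls=$((nulls + 1))
        fi
        i=$((i + 1))
    done
    printf '%s/%s\n' "$nulls" "$pages"
}

# make_sample_hive <file>: constructed stand-in for a dumped hive: a base
# block, one resident bin, one padded (missing) page, another resident bin.
# Only the signatures matter for the check; the rest is zero filler.
make_sample_hive() {
    out=$1
    {
        printf 'regf'; dd if=/dev/zero bs=4092 count=1 2>/dev/null
        printf 'hbin'; dd if=/dev/zero bs=4092 count=1 2>/dev/null
        dd if=/dev/zero bs=4096 count=1 2>/dev/null
        printf 'hbin'; dd if=/dev/zero bs=4092 count=1 2>/dev/null
    } > "$out"
}

# Demo on the constructed file; a real run points at a file under output/
# written by dumpregistry instead.
tmp=$(mktemp)
make_sample_hive "$tmp"
echo "missing pages in $tmp: $(hive_gap_report "$tmp")"
rm -f "$tmp"
```

One dd invocation per page is slow on a hive of tens of megabytes; the point is the check itself, and a high ratio of missing pages tells you to expect parser failures and to prefer tools that tolerate corrupt hives.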

Conclusion

The registry plugins presented in this article are not the complete set available in Volatility; plugins such as userassist, shimcache and others can also be useful. And beyond Volatility there are many other tools for analysing the virtual registry.
