Harlan Carvey brings readers an advanced book on Windows Registry. The first book of its kind EVER --Windows Registry Forensics provides the background of the Registry to help develop an understanding of the binary structure of Registry hive files. Approaches to live response and analysis are included, and tools and techniques for postmortem analysis are discussed at length. Tools and techniques will be presented that take the analyst beyond the current use of viewers and into real analysis of data contained in the Registry.
- Packed with real-world examples using freely available open source tools
- Deep explanation and understanding of the Windows Registry--the most difficult part of Windows to analyze forensically
- Includes a CD containing code and author-created tools discussed in the book
An Interview with Harlan Carvey, Author of Windows Registry Forensics: Advanced Digital Forensic Analysis of the Windows Registry
Why do you feel a book on the Windows Registry is needed?
The Windows Registry is perhaps one of the least understood sources of digital evidence on a Windows system. Unfortunately, bad guys have used specific locations in the Registry to remain persistent on systems a lot longer than many analysts actually realize. I think that what most analysts don’t realize is that the Registry is an excellent source of both direct and indirect artifacts.
Don Weber, a friend and fellow IBM alum who’s now with InGuardians, was on an engagement where he found that the bad guys were actually storing executable files in binary Registry values. His find makes me wonder how many times this has occurred but not been “seen” because no one was looking.
Intrusions aside, I’ve also dug into the Registry to perform malware detection. As sometimes happens, malware files will change and avoid detection, but as with malware such as Conficker, some Registry artifacts remained relatively stable across the family. The same has been true for the examinations I’ve performed that involved Zeus, or Z-bot. Understanding this has allowed me and others to determine that malware was on a system, when multiple AV scans were negative.
Finally, the Registry contains a wealth of time stamped data, that when taken in context, can be extremely valuable to an analyst.
Why do you think so many analysts overlook the Windows Registry as a source of data?
For the most part, I think that most analysts really aren’t familiar with the Windows Registry as a source of data. From a purely binary perspective, all the way up to an application-level perspective, I think that most analysts simply aren’t familiar with what is and isn’t in the Registry, and how the Registry can be used to further a wide range of analysis.
Many times, however, when some analysts have become familiar with the Registry as a source of evidence, the pendulum swings too far in the other direction. I’ve seen and received questions along the lines of “where are file copy operations recorded in the Registry?”
As the Windows operating systems become even more sophisticated, analysts who are not actively investigating the Registry now will become completely overwhelmed in very short order.
What is your most memorable experience working in digital forensics?
There’ve been several, and all of them have been like turning a corner and suddenly being face-to-face with someone really famous. Sometimes it’s finding that one artifact that ties everything together, while other times it’s been discovering a whole series of artifacts that are essentially a storyboard or script for what the intruder did while on the system. Sometimes you get lucky and find a log file of what the bad guy did . . . sort of a “/.bash-history” file, but on Windows. Other times, you end up constructing a timeline of systems activity from multiple data sources both on and off a system, and when you look at your results, you have what amounts to that storyboard.
Across the board, however, I think that most memorable experiences have come from taking a step back, developing a “new” analysis methodology, and then having that methodology succeed in some pretty amazing and spectacular ways.
"It is no exaggeration to say that nearly everything that happens on a Windows system involves the registry-which makes effective examination of the registry absolutely fundamental to good Windows forensics. By devoting a whole book to this critical Windows artifact, Harlan has delivered a much needed resource to everyone doing forensics investigations of Windows systems. What I appreciate about this book, however, is that it is much more than a mere compilation of registry keys important to forensics investigation. This is a book about how to examine the registry, and it is a good one."
-Troy Larson, Principal Forensic Program Manager, Network Security Investigations, Microsoft
"Windows Registry Forensics provides extensive proof that registry examination is critical to every digital forensic case. Harlan Carvey steps the reader through critical analysis techniques recovering key evidence of activity of suspect user accounts or intrusion-based malware. Using his extensive experience and research, Harlan's case studies provide behind-the-scenes details that enable every analyst to utilize these techniques immediately in their own investigations. This book is a must have reference for current forensic knowledge of the Microsoft Registry Windows XP through Windows 7 and should become core knowledge for any serious digital forensic investigator."
- Rob Lee, SANS Institute