
Windows 7 Registry Forensics: Part 7

Thu, 10/18/2012 - 11:23am
John J. Barbara

REGISTRY FORENSICS – SECURITY IDENTIFIERS
Security Identifiers (SIDs) are unique alphanumeric character strings of variable length that are assigned during the logon process to each user on a stand-alone system, or to each user, group, and computer on a domain-controlled network. Windows uses SIDs internally instead of usernames. For instance, when a username and password are entered, Windows must verify that the password for the username matches what is stored. The Registry is queried to determine which SID is associated with the username. From that point forward, Windows grants or denies access and privileges to resources based on Access Control Lists (ACLs), which use SIDs to uniquely identify users and/or their group memberships. SIDs can be resolved back to users. For a non-domain logon, user authentication is carried out locally in the Security Account Manager (SAM). When a user logs onto a domain, the authentication occurs in the Active Directory of the domain controller. Essentially, SAMs are security databases which contain hashed passwords and usernames. The SAM is also a Registry Hive.

1. SECURITY ACCOUNTS MANAGER (SAM):

  • HKLM\SAM\Domains\Account\Aliases\Members
  • HKLM\SAM\Domains\Account\Users

The SAM is not accessible through the normal Registry view on a live system. After exporting the Registry, it can be accessed using a tool such as Registry Viewer. Information such as the user name, logon count, last logon time, last password change, last failed logon, and so on is stored in the user account(s). The SAM will also list one or more SIDs.

2. SECURITY IDENTIFIERS (SIDs):

  • HKU\
  • HKLM\Software\Microsoft\WindowsNT\CurrentVersion\Profilelist

SIDs are located in both of these Keys. User SIDs can be found under the “Profilelist” Key as Subkeys (which were created at the time a user first logged onto the system). The value “ProfileImagePath” lists the path to that particular user’s profile. At the operating system level, SIDs identify accounts beyond question. A multi-user system would look something like this:

  • HKU\.DEFAULT
  • HKU\S-1-5-18
  • HKU\S-1-5-19
  • HKU\S-1-5-20
  • HKU\S-1-5-21-1116317227-3122546273-4014252621-1000
  • HKU\S-1-5-21-1116317227-3122546273-4014252621-1000_Classes
  • HKU\S-1-5-21-1116317227-3122546273-4014252621-1003
  • HKU\S-1-5-21-1116317227-3122546273-4014252621-1003_Classes

The first four Keys are the System Accounts and are generally the same from computer to computer. HKU\.DEFAULT contains global user information. HKU\S-1-5-18 pertains to the “LocalSystem Account.” HKU\S-1-5-19 is used to run the local services and is the “LocalService Account.” HKU\S-1-5-20 is the “NetworkService Account” that is used to run the network service(s). The other Subkeys are the unique SIDs which are associated with individual users who have logged onto the system. Their interpretation is as follows:

  • “S” identifies the string as a SID.
  • “1” is the version of the SID specification.
  • “5” is the identifier authority value.
  • “21-1116317227-3122546273-4014252621” is the domain or local computer identifier and differs from computer to computer since it corresponds to unique individual user accounts.
  • “1000” is the Relative ID (RID). Any group or user not created by default will have a RID of 1000 or greater.
  • “1000_Classes” contains the per-user file associations and class registration.
  • “1003” is the Relative ID (RID) of another user on the same system.
  • “1003_Classes” contains the second user’s file associations and class registration.
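As an added illustration (not code from the article), the following Python parser splits the HKU subkey names listed above into the fields just described, classifies the well-known system accounts and the RID 1000-or-greater user accounts, and resolves each user SID to a ProfileImagePath from a constructed ProfileList sample (the profile paths are made up for this example).

```python
import re
from dataclasses import dataclass
from typing import Optional

# The three system-account SIDs described in the article (HKU\.DEFAULT is not a SID).
WELL_KNOWN = {"S-1-5-18": "LocalSystem", "S-1-5-19": "LocalService", "S-1-5-20": "NetworkService"}

# S-<revision>-<identifier authority>-<subauthority>[-<subauthority>...]
SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)+)$")

@dataclass
class ParsedSid:
    sid: str                 # SID without any "_Classes" suffix
    revision: int            # the "1"
    authority: int           # the "5"
    sub_authorities: list    # e.g. [21, 1116317227, 3122546273, 4014252621, 1000]
    is_classes: bool         # True for the per-user "_Classes" hive

    @property
    def machine_id(self) -> Optional[str]:
        """The '21-a-b-c' local computer / domain identifier, or None for other SIDs."""
        s = self.sub_authorities
        if self.authority == 5 and len(s) >= 5 and s[0] == 21:
            return "-".join(str(x) for x in s[:4])
        return None

    @property
    def rid(self) -> Optional[int]:
        return self.sub_authorities[-1] if self.machine_id else None

    def account_kind(self) -> str:
        if self.sid in WELL_KNOWN:
            return WELL_KNOWN[self.sid]
        if self.machine_id is None:
            return "other"
        return "user-created" if self.rid >= 1000 else "built-in"   # RID >= 1000: not created by default

def parse_hku_key(key: str) -> ParsedSid:
    """Parse an HKU subkey path such as 'HKU\\S-1-5-21-...-1000_Classes'; raises ValueError for non-SIDs."""
    name = key.rsplit("\\", 1)[-1]
    is_classes = name.endswith("_Classes")
    sid = name[: -len("_Classes")] if is_classes else name
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a SID: {name}")
    subs = [int(x) for x in m.group(3).split("-")[1:]]
    return ParsedSid(sid, int(m.group(1)), int(m.group(2)), subs, is_classes)

# Constructed sample of ProfileList subkeys (SID -> ProfileImagePath); paths are invented.
SAMPLE_PROFILELIST = {
    "S-1-5-21-1116317227-3122546273-4014252621-1000": r"C:\Users\{user_1000}",
    "S-1-5-21-1116317227-3122546273-4014252621-1003": r"C:\Users\{user_1003}",
}

def resolve_profiles(hku_keys, profile_list):
    """Map each loaded user hive to (account kind, profile path); skips _Classes hives and non-SID keys."""
    out = {}
    for key in hku_keys:
        try:
            p = parse_hku_key(key)
        except ValueError:          # HKU\.DEFAULT and similar
            continue
        if not p.is_classes:
            out[p.sid] = (p.account_kind(), profile_list.get(p.sid))
    return out
```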

REGISTRY FORENSICS – FOLDER STRUCTURES

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

The first two Keys list the various default paths to many locations of potential forensic interest, such as a user’s “Cookies,” “Desktop,” “Favorites,” “History,” “My Pictures,” “My Video,” “Recent Items,” and “Start Menu.” For instance, the default path for a user’s “My Pictures” and “My Video” is “%USERPROFILE%\Pictures” and “%USERPROFILE%\Videos” respectively. Similarly, the third Key lists the paths to the various locations in each of the individual user directories starting from the root directory (“C:\Users\{User Name}\My Pictures” and “C:\Users\{User Name}\My Videos” for the above examples). These can be changed to point to another location, possibly a hidden directory, or a hidden partition where probative information could be stored.

  • HKCU\Software\Microsoft\Windows\Shell\Bags\1\Desktop\ItemPos1024x768x96(1)

A user may use more than one desktop and may have different files, folders, applications, or shortcuts on each of those desktops. This Key lists the user’s desktop screen resolution in the name of the “ItemPos” value (e.g. “ItemPos1024x768x96(1)”). The “Data” value for a particular screen resolution will contain the user’s links to applications (e.g. “Powerpoint.lnk”), applications on the desktop (e.g. “Autoruns.exe”), the names of files and their extensions (e.g. “Registry.pdf”), and the names of folders.

(Note: Software tools mentioned in this column should not be considered as an endorsement of those tools by Forensic Magazine or by the author. Prior to purchasing commercial tools or obtaining freeware tools, investigators and examiners should research those that are available to determine which best meet their technical and operational performance parameters. After procurement, the tools’ functionality must be verified before they are used for forensic examinations.)

John J. Barbara owns Digital Forensics Consulting, LLC, providing consulting services for companies and laboratories seeking digital forensics accreditation. An ASCLD/LAB inspector since 1993, John has conducted inspections in several forensic disciplines including Digital Evidence. John is the General Editor for the “Handbook of Digital & Multimedia Forensic Evidence” published by Humana Press. He can be reached at jjb@digforcon.com.
