Forensics Analysis of Windows 7 Registry
The Windows Registry holds a great deal of information about the system, such as its settings and configuration. A number of these values are of interest to a forensic investigator.
----------System Analysis----------
Firstly, the computer name is available in the following Registry sub key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName
The system information Registry sub key has the following path:
HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\BIOS
This key holds several values that contain information about the system, such as BIOS information and product information. The BIOS information includes the BIOS release date and BIOS version. The product information includes the product name of the system and its manufacturer's name. Figure 1 shows the system information Registry sub key.
Figure 1: System hardware description
The information about the processors of the system is stored in the following Windows Registry keys (one sub key per processor):
HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1
This information includes the processor name, its speed and vendor identifier.
Figure 2: Processor Information
Last Shutdown Time
Other valuable information to a forensic investigator is the time of the last shutdown of the system. This information is stored in the ShutdownTime value in the following Windows Registry key:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Windows
Figure 3 shows the ShutdownTime value as it is viewed in the AccessData Registry Viewer, together with the key's last written time, which is taken as the last shutdown time.
Figure 3: Last Shut Down
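The ShutdownTime value is a REG_BINARY holding an 8-byte Windows FILETIME (the count of 100-nanosecond intervals since 1 January 1601 UTC, stored little-endian), so it has to be decoded before it can be read as a date. The following is an added example, not code from the original post or from any registry tool; the sample bytes are constructed for the example and the `key_last_write` argument is an assumed input (the last written time the viewer displays for the key), used to show the consistency check an investigator would make between the two timestamps.

```python
import struct
from datetime import datetime, timedelta, timezone

# FILETIME epoch: 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Constructed sample (not taken from any real system): the FILETIME for
# 2012-12-26 11:59:22 UTC, packed little-endian as the registry stores it.
SAMPLE_SHUTDOWN_TIME = struct.pack("<Q", 130_009_967_620_000_000)


def filetime_to_datetime(raw: bytes) -> datetime:
    """Decode an 8-byte little-endian FILETIME into an aware UTC datetime."""
    if len(raw) != 8:
        raise ValueError(f"FILETIME must be 8 bytes, got {len(raw)}")
    (ticks,) = struct.unpack("<Q", raw)
    # 100 ns ticks -> microseconds; the sub-microsecond remainder is dropped.
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def filetime_to_iso(raw: bytes) -> str:
    """Convenience wrapper returning an ISO 8601 string for reports."""
    return filetime_to_datetime(raw).isoformat()


def shutdown_consistency(raw: bytes, key_last_write: str) -> dict:
    """Compare the decoded ShutdownTime with the key's LastWrite time.

    key_last_write is an assumed input: the ISO 8601 UTC timestamp a registry
    viewer shows as the last written time of Control\\Windows. On a clean
    shutdown the two should agree to within a few seconds; a large gap is
    worth noting (clock change, hive edited offline, or an unclean shutdown).
    """
    decoded = filetime_to_datetime(raw)
    last_write = datetime.fromisoformat(key_last_write)
    if last_write.tzinfo is None:
        last_write = last_write.replace(tzinfo=timezone.utc)
    gap = abs((last_write - decoded).total_seconds())
    return {
        "shutdown_time_utc": decoded.isoformat(),
        "key_last_write_utc": last_write.isoformat(),
        "gap_seconds": gap,
        "consistent": gap <= 5,
    }


if __name__ == "__main__":
    print(filetime_to_iso(SAMPLE_SHUTDOWN_TIME))
    print(shutdown_consistency(SAMPLE_SHUTDOWN_TIME, "2012-12-26T11:59:24+00:00"))
```

When reading the value from an exported hive the bytes come out of the tool as-is, so `filetime_to_iso` is applied directly to the 8-byte data; the consistency check is a simple way to flag a ShutdownTime that does not line up with the key's own metadata.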
----------Network Analysis----------
1) Network Cards Present
The Registry holds a list of all network cards, whether a network card is built in or is an external network card. In most laptops there are two types of network card: the Ethernet network card and the Wi-Fi network card.
The following Registry key holds the list of network cards:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards
2) All Network Connections
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles
3) Wireless Connections in Particular, with their SSIDs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Unmanaged
Figure 4: Wireless Network Identifier
Decoding the DateCreated and DateLastConnected SSID values From Vista/Win 7
In addition, the Windows Registry holds important information for the forensic investigator about Wireless networks. This information includes the created date and last connected date. They are stored in the following Registry sub key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles
The value DateCreated holds the created date of a specific wireless network and the value DateLastConnected holds the last date on which the computer was connected to this wireless network.
Figure 5: Decoding date last connecting to a network
The order of the values is as follows:
Year
Month
Weekday
Day
Hour
Minutes
Seconds
1. The data of the value is 16 bytes long.
2. It is stored in little-endian byte order, so swap the bytes of each 16-bit field to big-endian before decoding the data.
3. Year = 07dc = 2012
4. Month = 000c = 12 = December
5. Weekday = 0003 = 3 = Wednesday (0 = Sunday, 1 = Monday, and so on)
6. Day = 001a = 26
7. Hour = 000b = 11
8. Minutes = 003b = 59
9. Seconds = 0016 = 22
Which would yield the following:
DateCreated: Wednesday, 26 December 2012 11:59:22
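The layout described above is the Win32 SYSTEMTIME structure: eight little-endian 16-bit words (year, month, day of week, day, hour, minute, second, and a trailing milliseconds word that brings the total to 16 bytes). The following is an added example, not code from the original post; it applies the same steps the post walks through to a 16-byte value constructed to match the worked example, prints the byte-swapped words so they can be compared with the figure, and also checks that the stored weekday agrees with the calendar, which catches a corrupt or hand-edited value. The same decoder applies to DateLastConnected, which has the same format.

```python
import struct
from datetime import datetime

# SYSTEMTIME wDayOfWeek: 0 = Sunday, 1 = Monday, ... 6 = Saturday.
WEEKDAYS = ["Sunday", "Monday", "Tuesday", "Wednesday",
            "Thursday", "Friday", "Saturday"]

# Constructed 16-byte DateCreated value matching the worked example in the
# post (year 0x07dc, month 12, weekday 3, day 0x1a, hour 0x0b, minute 0x3b,
# second 0x16, milliseconds 0), stored little-endian as the registry does.
SAMPLE_DATE_CREATED = bytes.fromhex("dc07 0c00 0300 1a00 0b00 3b00 1600 0000")


def to_big_endian_words(raw: bytes) -> list:
    """Step 2 of the post: return each 16-bit field as a big-endian hex word."""
    if len(raw) != 16:
        raise ValueError(f"SYSTEMTIME must be 16 bytes, got {len(raw)}")
    return [f"{word:04x}" for word in struct.unpack("<8H", raw)]


def decode_systemtime(raw: bytes) -> datetime:
    """Decode a 16-byte little-endian SYSTEMTIME into a naive datetime.

    The value is interpreted as written, with no time zone applied, because
    the profile dates are stored in the local time of the machine.
    """
    if len(raw) != 16:
        raise ValueError(f"SYSTEMTIME must be 16 bytes, got {len(raw)}")
    year, month, weekday, day, hour, minute, second, millis = struct.unpack("<8H", raw)
    dt = datetime(year, month, day, hour, minute, second, millis * 1000)
    # Python's weekday() has Monday = 0; SYSTEMTIME has Sunday = 0.
    if weekday != (dt.weekday() + 1) % 7:
        raise ValueError(
            f"stored weekday {weekday} does not match {dt.date()}; value may be corrupt"
        )
    return dt


def format_profile_date(raw: bytes) -> str:
    """Render the date the way the post does: 'Wednesday, 26 December 2012 11:59:22'."""
    dt = decode_systemtime(raw)
    weekday_name = WEEKDAYS[(dt.weekday() + 1) % 7]
    return f"{weekday_name}, {dt.day} {dt.strftime('%B')} {dt.year} {dt:%H:%M:%S}"


if __name__ == "__main__":
    print(" ".join(to_big_endian_words(SAMPLE_DATE_CREATED)))
    print("DateCreated:", format_profile_date(SAMPLE_DATE_CREATED))
```

Feeding the raw 16 bytes of a DateCreated or DateLastConnected value to `format_profile_date` reproduces the result of the manual decoding; if the weekday field disagrees with the date, the decoder raises instead of silently reporting a date that was never written by Windows.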