Registry Analysis using FRED in Linux Ubuntu 12.04

Sep 26, 2012

epyxpete

The Windows registry is used by the operating system to store information about its configuration, users, applications and much more.  It is an excellent source of evidence for the forensic examiner.

While looking for an open source solution to examine the registry, a colleague of mine recommended the Forensic Registry EDitor (FRED).  FRED is a GUI based registry editor/viewer, created by Daniel Gillen, that has a built in hex viewer and data interpreter.  FRED also has reporting features to provide you with reports for some of the most popular keys like the “RecentDocs” and the “TypedURLs” keys.

Today we will discuss how to use FRED to navigate the registry and to access the reporting features of some of the Windows registry’s most popular keys.

The goal:

The plan is to use a freshly installed version of Windows 7 in a way that will lead to our data being added to the registry.  We will accomplish this in our own controlled environment.  We will then use FRED to examine our registry.  The purpose of creating our own registry is so that we can determine if FRED is actually providing us with accurate results.

For the analysis part of the test, I used an examination computer with Ubuntu 12.04 installed on it.

Controlled Environment:

So that we could create our own registry history from scratch, I began by installing a new Windows 7 Home Premium Operating System on my Laptop.

When it came time to set the clock, I selected Eastern Standard Time, as I currently live on the East Coast of the US.  The time zone of the computer is recorded by the registry under the

HKLM\SYSTEM\CurrentControlSet\Control\TimeZoneInformation key.

The installation completed and I logged in as user “Carlos”.  I gave the laptop an internet connection and opened the Internet Explorer (IE) Browser.

IE launched and the “Welcome to IE 8” screen appeared asking me to set it up.  I clicked on the “Ask me Later” button to avoid the set up process.  A second Tab immediately opened, redirecting me to another Microsoft owned website.

I waited for the second tab to load, and I then typed “www.epyxforensics.com” in the address bar.  This is an action that is recorded in the registry under the NTUSER.DAT registry hive belonging to user “Carlos”.  To be specific, it is recorded under the

NTUSER.DAT\Software\Microsoft\Internet Explorer\TypedURLs key.

After visiting www.epyxforensics.com, I launched Windows Explorer and opened the Penguins.jpg picture located in the “C:\Users\Public\Pictures\Sample Pictures” folder.

Opening the Penguins.jpg picture is another action that is recorded by the NTUSER.DAT registry hive belonging to user “Carlos”.  To be specific, it is recorded under the

NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs key.

I then closed all windows and shut down the computer.  This concludes the controlled environment part of our test.  Let’s move on to the next part.

Installing the tools:

The tool that we will use for the examination is not included in Ubuntu by default.  FRED can be downloaded from the developer’s website https://www.pinguin.lu/index.php.  If you have a 32-bit machine, download the i386 .deb packages.  You will need two packages, fred and fred-reports.  As of the date of this writing the latest packages are called “fred_0.1.0beta4_i386.deb” and “fred-reports_0.1.0beta4_i386.deb”.  After you have downloaded the appropriate packages, right-click on a package and open it with the Ubuntu Software Center.

After the Ubuntu Software Center opens, click on the install button.  You will be prompted for your root password.  Enter your root password and wait for the program to install.  Repeat the process for the second package.

Now that we have the programs that we need, close the Ubuntu Software Center, and let’s move on to the next step.

The Examination:

For the examination part of the test, I removed the hard drive from the test laptop and connected it to my Ubuntu examination computer via a USB enclosure.

I did not write-block the hard drive. If you do not have a write-blocker handy, you do not have to use one for this test either; just remember never to connect evidence media to a computer without a previously validated write-blocking procedure.  From now on, we will refer to the hard drive containing the Windows 7 installation as our “Test Media.”

Make sure your test media is connected to the computer and open Nautilus.  Nautilus is the file manager for the GNOME desktop environment.  You can launch Nautilus by left-clicking on the folder-shaped icon in your taskbar.  Nautilus displays your connected devices on the top left side of the window.  My test media is the one that says “250 GB Filesystem”.  Click on the name of your test media to mount it (if it isn’t mounted already).  By default, Ubuntu mounts its connected devices inside of the “media” folder.

Now open a Terminal Window.  In Ubuntu you can accomplish this by pressing Ctrl-Alt-T at the same time or by going to the Dash Home and typing in “terminal.”

Once the terminal window is open, type the following into the terminal to determine which devices are currently mounted on your system.

df -h

Notice that my test media was mounted under the “media” folder as 0E86018186016B13.

We are almost ready to use FRED.  FRED can be launched by going to the Dash Home and typing in “fred”, or it can be invoked from the command line.  Invoking it from the command line is a bit faster, so that’s what we will do.  Let’s use FRED to examine the SYSTEM hive and check the TimeZone setting.  To do this we need to go to the directory where the SYSTEM hive is located on the test media.  On a Windows 7 operating system the SYSTEM hive is at: /Windows/System32/config/.

We will use the cd command to change directory into the config folder.  Type the following into the terminal.

cd /media/0E86018186016B13/Windows/System32/config/

Replace “0E86018186016B13” with the directory assigned to your test media.  After doing so, press enter.

Your prompt should now show “config” followed by the dollar sign, indicating that “config” is your current directory, exactly what we wanted.

Now it’s time to call FRED.  Type the below command into the terminal and press enter.  This command will point FRED to the SYSTEM hive and will cause FRED’s graphical user interface to open and display the contents of the SYSTEM hive.

fred SYSTEM

Navigate the hive’s directory structure to determine the TimeZone setting: SYSTEM\CurrentControlSet\Control\TimeZoneInformation.

Now let’s use FRED to examine the NTUSER.DAT hive to check for TypedURLs and RecentDocs.  To do this we need to go to the directory where the user’s NTUSER.DAT hive is located on the test media.  On a Windows 7 operating system the user’s NTUSER.DAT hive is located at: /Users/<<user>>/

We will use the cd command to change directory into the <<user>> folder.  Type the following into the terminal.

cd /media/0E86018186016B13/Users/Carlos/

Replace “0E86018186016B13” with the directory assigned to your test media and replace “Carlos” with the user name of the subject in your test or investigation.  After doing so, press enter.

Let’s call FRED again.  Type the below command into the terminal and press enter.

fred NTUSER.DAT

This time we will use the built-in reporting features to determine the TypedURLs.  Mouse over to the Reports menu and select “NTUSER”, then “TypedUrls”.

This is the report.

Do the same for “Recent Documents”.

You can copy the data from the reports to text files or print the reports to PDF.  And there you have it.
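As an added example, not part of the original post and not code from the FRED project, the following POSIX shell helpers gather the two things the procedure above depends on: the paths of the SYSTEM and NTUSER.DAT hives on the mounted test media (using the Windows 7 layout the post gives), and a check, read from a /proc/mounts-style table, of whether that media is mounted read-only or read-write. The directory tree, the mounts table and the function names are all constructed for this example; fred itself is only echoed as the command that would be run, not invoked.

```shell
#!/bin/sh
# Added example (not part of FRED or the original post). Helpers that locate
# the registry hives on a mounted Windows 7 volume, following the layout the
# post describes, and that read a /proc/mounts-style table to tell whether
# the test media is mounted read-only. All sample data below is constructed.

# Print the path of the SYSTEM hive under a mount root; return 1 if absent.
system_hive_path() {
    sys_root=$1
    sys_hive="$sys_root/Windows/System32/config/SYSTEM"
    [ -f "$sys_hive" ] || return 1
    printf '%s\n' "$sys_hive"
}

# Print one NTUSER.DAT path per profile directory under Users/ that has one;
# profile directories without a hive are skipped.
ntuser_hive_paths() {
    nt_root=$1
    for nt_profile in "$nt_root"/Users/*/; do
        nt_hive="${nt_profile}NTUSER.DAT"
        [ -f "$nt_hive" ] && printf '%s\n' "$nt_hive"
    done
    return 0
}

# Print "ro" or "rw" for a mount point, reading a table in /proc/mounts format
# (device, mount point, fstype, comma-separated options, ...). Return 1 if the
# mount point is not in the table. /proc/mounts escapes a space in a mount
# point as \040, so pass the escaped form if the volume label contains spaces.
mount_mode() {
    awk -v mp="$2" '
        $2 == mp {
            found = 1
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++) if (opts[i] == "ro") { print "ro"; exit }
            print "rw"; exit
        }
        END { if (!found) exit 1 }
    ' "$1"
}

# Build a constructed test-media layout plus a constructed mounts table so the
# helpers can be exercised offline. On a real examination the root would be the
# auto-mounted volume under /media, e.g. /media/0E86018186016B13 in the post.
build_sample_tree() {
    bs_root=$1
    mkdir -p "$bs_root/Windows/System32/config" "$bs_root/Users/Carlos" "$bs_root/Users/Public"
    : > "$bs_root/Windows/System32/config/SYSTEM"
    : > "$bs_root/Users/Carlos/NTUSER.DAT"
    printf '%s\n' \
        '/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0' \
        '/dev/sdb2 /media/0E86018186016B13 fuseblk rw,nosuid,nodev,relatime 0 0' \
        > "$bs_root/mounts.sample"
}

demo() {
    demo_root=$(mktemp -d)
    build_sample_tree "$demo_root"

    # The constructed table lists the test media as rw, which is what a desktop
    # auto-mount normally gives; a validated write blocker is what the post asks for.
    demo_mode=$(mount_mode "$demo_root/mounts.sample" /media/0E86018186016B13) || demo_mode=unlisted
    echo "test media mount mode: $demo_mode"

    demo_sys=$(system_hive_path "$demo_root")
    echo "SYSTEM hive: $demo_sys"
    echo "would run: fred \"$demo_sys\""     # fred is not invoked in this example

    ntuser_hive_paths "$demo_root" | while IFS= read -r demo_hive; do
        echo "NTUSER.DAT hive: $demo_hive"
        echo "would run: fred \"$demo_hive\""
    done

    rm -rf "$demo_root"
}

demo
```

Run it as a script to see the constructed layout resolved; on a real examination pass the mount point df -h showed (for example /media/0E86018186016B13) to system_hive_path and ntuser_hive_paths, and /proc/mounts to mount_mode. The mount check is a sanity check on the examination computer, not a replacement for the validated write-blocking procedure the post calls for.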

Conclusion:

FRED is a free and easy to use registry browser that can quickly provide you with the information that your investigation calls for.

If this procedure worked for your case, and you are able to use it in the course of your investigation, we would like to hear from you.  E-mail the author of this article at carlos@epyxforensics.com.

Post by Pete McGovern
