Artifact Analysis: Windows Registry Forensics

Note

Executive Summary: The Windows Registry is a hierarchical database that stores configuration settings and options for the operating system and installed applications. While Windows Event Logs (EVTX) record sequential actions (what happened), the Registry acts as the “State Memory” of the system. However, as a byproduct of tracking state, it inadvertently hoards a massive amount of historical user activity. For DFIR analysts, acquiring and parsing the physical Registry Hives is mandatory to prove execution, map lateral movement, and uncover persistence mechanisms.

1. Physical Structure: The Hives

The Registry is not a single file. It is composed of multiple binary files known as Hives, stored in specific locations on the disk. During a “Dead-Disk” forensic analysis or KAPE triage, analysts must extract these files directly.

Danger

The Transaction Log Catch: When extracting hives, analysts must also collect the corresponding Transaction Logs (.LOG1, .LOG2). Windows holds recent registry changes in these temporary logs before committing them to the main hive file. Parsing a “Dirty Hive” without its transaction logs will result in missing the most recent (and often most critical) attacker activity, such as newly created persistence keys.

The System Hives (C:\Windows\System32\config\)

• SYSTEM: The core OS configuration. It contains Windows Services, timezone data, USB connection history (USBSTOR), and critical execution artifacts like the Background Activity Moderator (BAM) and Shimcache.
• SOFTWARE: Information about installed applications, OS versioning, and system-wide autostart persistence (e.g., Run and RunOnce keys).
• SAM (Security Account Manager): Local accounts, groups, and local password hashes (NTLM). This is the hive attackers target to dump local credentials.
• SECURITY: Local security policies and cached LSA secrets.

The User Hives

• NTUSER.DAT: Located in C:\Users\<User>\. This is the absolute goldmine for user attribution. It tracks what the user interacted with, storing UserAssist, MRU Lists, and user-level persistence.
• UsrClass.dat: Located in C:\Users\<User>\AppData\Local\Microsoft\Windows\. It contains file extension associations and a significant portion of the Shellbags artifacts.

2. DFIR Cheat Sheet: Artifact Index by Hive

To accelerate triage, analysts map specific forensic questions to specific hives.

Execution Evidence

• UserAssist: (NTUSER.DAT) Proves a user launched an app via the GUI (includes run counts).
• BAM: (SYSTEM) Proves execution explicitly linked to a User SID.
• Amcache: (Amcache.hve) Provides the SHA1 hash of executed binaries.

User Activity & Intent

• Shellbags: (NTUSER.DAT & UsrClass.dat) Reconstructs the exact folder navigation history.
• MRU Lists: (NTUSER.DAT) Reveals files opened, saved, or commands typed in the “Run” dialog.

Adversarial Persistence

• Run Keys: (SOFTWARE & NTUSER.DAT) Malware executing at boot or logon.
• Windows Services: (SYSTEM) Look under CurrentControlSet\Services\ for malicious services (Event 7045).

3. The Forensic Superpower: Last Write Time

Unlike a standard text log, every single key within the Windows Registry possesses a Last Write Time timestamp, akin to a file’s modification date.

This is arguably the most critical feature of the registry for DFIR analysts. If an analyst discovers a malicious persistence entry in the HKCU\Software\Microsoft\Windows\CurrentVersion\Run key, the Last Write Time of that key reveals the exact millisecond the threat actor established persistence. This timestamp can then be used to pivot to the USN Journal or Event 4688 logs to see what else the attacker was doing at that precise moment.

4. DFIR Triage & Tooling

Manually browsing binary hive files using an offline viewer is inefficient. DFIR teams rely on automated parsing tools that ingest the hives, replay the transaction logs, and generate consolidated timelines.

Registry Explorer & RECmd

parse_registry_hives.cmd

:: RECmd (Registry Explorer Command Line) by Eric Zimmerman
:: Extracts data using pre-defined Batch files tailored for DFIR
RECmd.exe -d "C:\Forensics\Export\RegistryHives" --bn BatchExamples\Kroll_Batch.reb --csv "C:\Forensics\Results"

Note: The GUI version, Registry Explorer, features built-in “Bookmarks” that instantly highlight UserAssist, BAM, and Run keys, automatically decoding obfuscated values (like ROT13).

KQL (Hunting Run Keys)

hunt_registry_persistence.kql

// Detects suspicious executables or scripts added to Run/RunOnce registry keys
DeviceRegistryEvents
| where ActionType == "RegistryValueSet"
| where RegistryKey has_any ("\\CurrentVersion\\Run", "\\CurrentVersion\\RunOnce")
// Filter for common malicious extensions living in writable directories
| where RegistryValueData has_any (".ps1", ".vbs", ".bat", "cmd.exe", "powershell.exe")
| where RegistryValueData has_any ("\\AppData", "\\Temp", "\\Users\\Public")
| project TimeGenerated, DeviceName, InitiatingProcessAccountName, RegistryKey, RegistryValueName, RegistryValueData
| sort by TimeGenerated desc

---

References & Further Reading

• SANS Institute: Windows Forensic Analysis
• Eric Zimmerman’s Tools: Registry Explorer / RECmd
• Related Artifact: Windows Event Logs (EVTX)
• Related Artifact: UserAssist & MUIcache