SANS Digital Forensics and Incident Response Blog

What Programs Do - Part 2

The Registry Key Reference Tool (RiKeR)

The story of this project begins with "What Programs Do - Part 1 - The project & the "What Programs Do" series". Check that out for background if you have not already done so.

In coming entries, I will provide analyses of the registry and file system impacts of various programs. The reports will assume that you understand the Windows Registry. If you need a refresher, see these articles in MSDN, WIkipedia, WinVistaClub

The work that the community has done to understand the registry is excellent. There are many known Registry locations that contain a lot of information of forensic interest. I thank AccessData for collecting a number of useful registry key details in their convenient reference the Registry Quick Find Chart, however, I think this work of collecting such information in a central place must continue and grow.

I have created an electronic Registry Key Reference which I am calling RiKeR. RiKeR will be hosted at the University of Cincinnati Information Security web site. RiKeR contains all of the keys compiled in the quick chart above, but is a living document intended to be a central reference for all useful registry keys uncovered in my research or provided by the community. I invite members of the Digital Forensics field to share their useful registry key information with me for inclusion in RiKeR. (My email is below)

As we progress through the project and standardize on what we want to do, we may change the format of RiKeR from a spreadsheet to something more dyanmic, but for now, this form is highly portable and should serve as a good starting point.

Look for upcoming entries in the "What Programs Do" series where I begin to post analyses of various programs. For details on just what the "What Programs Do" series is all about, see my previous post "What Programs Do - Part 1 - The project"

Quinn Shamblin (quinn.shamblin@uc.edu), GCFA Silver #2801, Investigator, University of Cincinnati Information Security

4 Comments

Posted November 29, 2008 at 8:26 AM | Permalink | Reply

keydet89

Quinn,
I notice that the spreadsheet you provide has nothing in it at this point''if it's based on what AccessData has done already, why would the spreadsheet not be populated?
Also, on the subject of Registry analysis, I see that there's no reference to RegRipper, or any of the work I've done. Just out of curiosity, why is that? I'm asking, because AccessData's work is referenced''could you recommend a way for me to get my work out there so that others exploring this field would be more inclined to reference the work, as well?
Thanks,
Harlan

Posted November 29, 2008 at 1:39 PM | Permalink | Reply

keydet89

To all,
It seems that my comments in my previous post came across as a bit harsh, and for that I apologize. It was not my intent to bash anyone, and rather than having it look that way, I'd like to let everyone know that I apologize for any possibly negative feelings that my previous post may cause.
Thanks,
Harlan

Posted November 29, 2008 at 2:04 PM | Permalink | Reply

qshamblin

Hi Harlan,
Thank you very much for raising these questions. If you have them, someone else will.
1. The spreadsheet is already populated with the Access Data results. (I just went out and confirmed this morning.) Note that the sheet is set up so that the the various groupings are collapsed to conserve space. You need to click one of the "+" symbols on the left hand side to see the actual keys.
2. Your second point is exactly why I wanted to start this project in a public forum. I know that there are many professionals out there that have done great registry work, but, just as you say, coordinating the effort across the whole community is a challenge.
From the perspective of an end user, it is even difficult to find such work. I did not include yours, because, honestly, I didn't know about it. This is our tragedy. My vision for this project is to slowly build to a point where this becomes a known, central resource for our community. This goes for you and for everyone else that wants to contribute, if you are willing/interested in sharing your results with me for inclusion in RiKeR, please email them to me, along with your methodology. If we go ahead with including your research, you will be fully credited by name, company and contact information if you so choose.
As for your results from RegRipper, I would love to take a look at them. Perhaps they can help get the ball rolling'' Plus, I hate duplicating work that has already been done. :)
Let me know. Thanks, Harlan!
-Q

Posted November 29, 2008 at 4:44 PM | Permalink | Reply

keydet89

Quinn,
RegRipper is sort of an implementation of spreadsheets like RiKeR. The first edition of "Windows Forensic Analysis" included my own spreadsheet, which had links to references that described how the keys, values or data were populated or modified. The RegRipper UI is an interface and an engine, whereas the plugins themselves are much like Nessus plugins, in that they describe what's collected and how it's presented to the user.
> As for your results from RegRipper, I would love to take a look at them.
RegRipper is freely available for download.
> ''I wanted to start this project in a public forum''
We've sort of tried that with things like my blog, the forums at RegRipper.net, a Yahoo Group dedicated to Windows forensics, etc. There hasn't been a great deal of response, but I do hope that your efforts fare better. Please let us know when you've got something set up.
Thanks,
Harlan