The earlier versions of Windows were not really intended for office network connectivity,
and as a result it was never really seen as a problem that no security or access controls existed
for the registry. This was true of both Windows 95 and Windows 98, and for the
forensic analyser it is very helpful, as it means the machine can be examined
without having to satisfy any formal security controls.
This, though, is not the case with the following Microsoft products:
• Windows NT
• Windows 2000
• Windows 2003
• Windows XP
Each of these implements a more secure registry access control list, where only
the administrator can perform certain tasks (although this needs to be explicitly
specified). Each key can have specific access controls, making it ideal for a multi-user
Interestingly enough, the software developers who thought the registry was a useful
place to store application information also thought it was a convenient place to store
usernames and passwords. Although the developers went through the process of
encrypting the data, it is possible to obtain the stored information using a simple, freely
available utility called PassView7 that provides access.
When first inspecting the registry, it is worth initially checking the areas that
specify which applications are launched during the boot
process. These common keys are as follows:
The UserAssist key, HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist, contains two or more subkeys which have long hexadecimal names that appear as globally unique identifiers (GUIDs). Each subkey records values that pertain to specific objects the user has accessed on the system, such as Control Panel applets, shortcut files, programs, etc. These values, however, are encoded using a ROT-13 encryption algorithm, sometimes known as a Caesar cipher. This particular encryption technique is quite easy to decipher, as each character is substituted with the character 13 spaces away from it in the ASCII table. A much faster and easier method to decipher this code is to use an online ROT-13 decoder, such as http://www.edoceo.com/utilis/rot13.php
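The following Python script is an added example, not code from the original text: it decodes ROT-13-encoded UserAssist value names offline. It rotates each letter 13 places within the 26-letter alphabet (wrapping from Z back to A) and leaves digits, punctuation and path separators untouched, which is what the standard ROT-13 definition requires. The sample value names are constructed in the style of XP-era UserAssist entries and are not taken from a real system.

```python
import codecs
import string

# ROT-13 is a Caesar cipher with a shift of 13 over the 26-letter alphabet.
# Applying it twice returns the original text, so one function both encodes
# and decodes. Characters outside A-Z/a-z are passed through unchanged.
_UPPER = string.ascii_uppercase
_LOWER = string.ascii_lowercase
_ROT13_TABLE = str.maketrans(
    _UPPER + _LOWER,
    _UPPER[13:] + _UPPER[:13] + _LOWER[13:] + _LOWER[:13],
)


def rot13(text: str) -> str:
    """Rotate every ASCII letter 13 places, wrapping from Z back to A."""
    return text.translate(_ROT13_TABLE)


def decode_userassist_names(value_names):
    """Map each ROT-13-encoded UserAssist value name to its plain-text form."""
    return {name: rot13(name) for name in value_names}


# Constructed sample value names (assumption: the UEME_RUNPATH / UEME_RUNPIDL
# prefixes follow the XP-era naming style; the paths are invented).
SAMPLE_VALUE_NAMES = [
    "HRZR_EHACNGU:P:\\Jvaqbjf\\flfgrz32\\pnyp.rkr",
    "HRZR_EHACVQY:%pfvqy2%\\Npprffbevrf\\Abgrcnq.yax",
]

if __name__ == "__main__":
    for encoded, plain in decode_userassist_names(SAMPLE_VALUE_NAMES).items():
        print(f"{encoded}\n  -> {plain}")
    # Cross-check against the standard library's own rot_13 codec.
    for name in SAMPLE_VALUE_NAMES:
        assert rot13(name) == codecs.decode(name, "rot_13")
```

Because the transformation is its own inverse, the same function can be used to check a decoded name by re-encoding it and comparing with the registry value name.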
Wireless networks today are popular and are only becoming more so. A wireless ethernet card picks up wireless access points within its range, which are identified by their SSID, or service set identifier. When an individual connects to a network or hotspot, the SSID is logged within Windows XP as a preferred network connection. Unsurprisingly, this can be found in the Registry in the HKLM\SOFTWARE\Microsoft\WZCSVC\Parameters\Interfaces key. When opening this Registry key there may be subkeys beneath it that, like UserAssist, look like GUIDs. The contents of these should contain the values “ActiveSettings” and “Static#0000”. There may be additional values that begin with “Static#” and are sequentially numbered. In the binary data of these “Static#” values are the network SSIDs of all the wireless access points that the system has connected to. This can be seen by right-clicking the value and selecting “Modify”, as shown in Figure 4.
In addition to logging the name of the SSID, Windows also logs the network settings of that particular connection, such as the IP address, DHCP domain, subnet mask, etc. The Registry key in which this can be found is HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\, which is illustrated in
Based on this wireless network information, a forensic examiner can determine whether a user connected to a specific wireless access point, the timeframe, and the IP address they were assigned by the DHCP server. For instance, if it were a case about a child pornography suspect who was war-driving to various network connections and using them illegally, these methods would be very useful. Analysing the suspect’s computer would make it possible to see which network connections they were using and the IP address that was assigned, further supporting a subpoena of the ISP.
Windows XP implements a network mapping tool called My Network Place, which allows users to easily find other users within a LAN, or Local Area Network. A computer on a properly configured LAN should be able to display all the users on that network through My Network Place. This list of users or computers, like many other things, is stored in the Registry. Therefore, even after the user is no longer connected to the LAN, the list of devices that have ever connected to that system still remains, including desktop computers, laptops, and printers. The Registry key where this information is stored is HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComputerDescriptions.
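As an added example (not code from the original text), the Python script below parses a constructed .reg-style export and pulls out the three network artefacts described above in one pass: the SSIDs held in the “Static#” values under WZCSVC\Parameters\Interfaces, the per-interface DHCP details under Tcpip\Parameters\Interfaces, and the entries under Explorer\ComputerDescriptions. The SSIDs are recovered by scanning the binary value for runs of printable ASCII, the same thing an examiner does by eye in the Modify dialog, rather than by parsing the undocumented Static# structure. The DHCP value names (DhcpIPAddress, DhcpSubnetMask, DhcpServer, DhcpDomain, LeaseObtainedTime) and the reading of LeaseObtainedTime as seconds since the Unix epoch are assumptions; every GUID, address, SSID, timestamp and computer name in the sample is invented.

```python
import re
from datetime import datetime, timezone

# Constructed .reg-style export. Key paths follow the text; the DHCP value
# names and the Static# layout are assumptions; all data values are invented.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WZCSVC\Parameters\Interfaces\{11111111-2222-3333-4444-555555555555}]
"ActiveSettings"=hex:00,00,00,00
"Static#0000"=hex:10,00,00,00,00,00,00,00,00,00,00,00,43,6f,66,66,65,65,53,68,\
  6f,70,00,00,00,00
"Static#0001"=hex:10,00,00,00,00,00,00,00,00,00,00,00,48,6f,6d,65,4e,65,74,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{11111111-2222-3333-4444-555555555555}]
"DhcpIPAddress"="192.168.1.23"
"DhcpSubnetMask"="255.255.255.0"
"DhcpServer"="192.168.1.1"
"DhcpDomain"="coffeeshop.local"
"LeaseObtainedTime"=dword:3fb00000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComputerDescriptions]
"LAPTOP-01"="Front desk laptop"
"HP-PRINTER"="HP LaserJet 4050"
'''

_VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def _decode_value(data):
    """Turn the textual .reg representation of a value into str, int or bytes."""
    if data.startswith('"') and data.endswith('"'):
        return data[1:-1]                      # REG_SZ
    if data.startswith("dword:"):
        return int(data[len("dword:"):], 16)   # REG_DWORD, hex digits
    if data.startswith("hex:"):
        return bytes(int(b, 16) for b in data[len("hex:"):].split(",") if b)
    return data


def parse_reg_export(text):
    """Parse a .reg export into {key_path: {value_name: value}}."""
    keys, current, pending = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if pending is not None:                # continuation of a hex: value
            line, pending = pending + line, None
        if line.endswith("\\"):                # value continues on next line
            pending = line[:-1]
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = _decode_value(m.group(2))
    return keys


def printable_strings(blob, min_len=4):
    """Return runs of printable ASCII found in a binary value (like strings)."""
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, blob)]


def wireless_ssids(keys):
    """SSIDs recorded in the Static# values under WZCSVC Parameters Interfaces."""
    found = []
    for path, values in keys.items():
        if "\\WZCSVC\\Parameters\\Interfaces\\" not in path:
            continue
        for name in sorted(values):
            if name.startswith("Static#"):
                found.extend(printable_strings(values[name]))
    return found


def dhcp_leases(keys):
    """Per-interface DHCP details from Tcpip Parameters Interfaces, by GUID."""
    leases = {}
    for path, values in keys.items():
        if "\\Tcpip\\Parameters\\Interfaces\\" not in path:
            continue
        obtained = values.get("LeaseObtainedTime")
        leases[path.rsplit("\\", 1)[-1]] = {
            "ip": values.get("DhcpIPAddress"),
            "mask": values.get("DhcpSubnetMask"),
            "server": values.get("DhcpServer"),
            "domain": values.get("DhcpDomain"),
            # Assumption: LeaseObtainedTime is seconds since the Unix epoch.
            "obtained": (datetime.fromtimestamp(obtained, tz=timezone.utc).isoformat()
                         if obtained is not None else None),
        }
    return leases


def computer_descriptions(keys):
    """Names and descriptions of machines seen via My Network Place."""
    for path, values in keys.items():
        if path.endswith("\\Explorer\\ComputerDescriptions"):
            return dict(values)
    return {}


if __name__ == "__main__":
    parsed = parse_reg_export(SAMPLE_EXPORT)
    print("Wireless SSIDs:", wireless_ssids(parsed))
    for guid, lease in dhcp_leases(parsed).items():
        print("Interface", guid, lease)
    print("Network neighbours:", computer_descriptions(parsed))
```

Correlating the SSID list with the lease details for the same interface GUID, and the lease time with the DHCP server address, gives the examiner the network, the timeframe and the assigned address in one place; a real export should be taken from ControlSet001 and any other control sets present, since each can hold its own Interfaces data.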