Registry Analysis Tools
- RegRipper (by keydet89): outputs results as text (domestic tool)
github.com/keydet89/RegRipper3.0
- Registry Explorer (by Eric Zimmerman): the most widely used tool worldwide. GUI
ericzimmerman.github.io/#!index.md
- REGA (no longer updated)
forensic.korea.ac.kr/DFWIKI/index.php/REGA(Registry_Analyzer)
- X-Ways: supports basic analysis. Its particular advantage is that reports can be exported in a user-defined format
Registry keys that need fresh attention on Windows 10
- Starting with Windows 10, the Registry also performs transactions (the .log files must also be collected and analyzed!)
- bam (= background application manager)
cf.) BAM/DAM
Description: Windows Background Activity Moderator (BAM)
Location (Win10):
SYSTEM\CurrentControlSet\Services\bam\UserSettings\{SID}
SYSTEM\CurrentControlSet\Services\dam\UserSettings\{SID}
Investigative Notes: Provides the full path of the executable file that was run on the system and the last execution date/time
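As an added example (not code from this post or from any of the tools listed above), a small Python parser for the values under a BAM UserSettings\{SID} key: each value name is the executable path, and the first 8 bytes of its 24-byte data are a FILETIME giving the last execution time. The 24-byte layout is an assumption taken from how public BAM parsers read the key, and the sample values are constructed, not taken from a real system.

```python
from datetime import datetime, timedelta, timezone

# FILETIME epoch: 1601-01-01 00:00:00 UTC, counted in 100-nanosecond ticks.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Assumed layout: BAM/DAM UserSettings values are 24 bytes, first 8 = FILETIME.
BAM_VALUE_SIZE = 24
# Housekeeping values stored in the same key that are not executable entries.
NON_EXECUTABLE_VALUES = {"Version", "SequenceNumber"}


def filetime_to_datetime(ft: int) -> datetime:
    """Convert a 64-bit FILETIME (100 ns ticks since 1601) to a UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def parse_bam_value(name: str, data: bytes):
    """Return (executable_path, last_run_utc) for one BAM value, or None for
    the housekeeping values and for data that does not match the 24-byte layout."""
    if name in NON_EXECUTABLE_VALUES or len(data) != BAM_VALUE_SIZE:
        return None
    last_run = int.from_bytes(data[:8], "little")
    return name, filetime_to_datetime(last_run)


def parse_bam_user_settings(values):
    """values: iterable of (value_name, raw_bytes) read from one {SID} subkey.
    Returns executable entries sorted by last execution time, newest first."""
    entries = [e for e in (parse_bam_value(n, d) for n, d in values) if e]
    return sorted(entries, key=lambda e: e[1], reverse=True)


def make_bam_data(when: datetime) -> bytes:
    """Build a 24-byte BAM value for a UTC time (constructed test data only)."""
    ticks = ((when - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10
    return ticks.to_bytes(8, "little") + b"\x00" * 16


# Constructed sample values in the shape a {SID} subkey would hold.
SAMPLE_VALUES = [
    ("Version", (1).to_bytes(4, "little")),
    ("SequenceNumber", (7).to_bytes(4, "little")),
    (r"\Device\HarddiskVolume2\Windows\System32\notepad.exe",
     make_bam_data(datetime(2021, 1, 10, 8, 30, tzinfo=timezone.utc))),
    (r"\Device\HarddiskVolume2\Users\user\Downloads\tool.exe",
     make_bam_data(datetime(2021, 1, 9, 22, 5, 15, tzinfo=timezone.utc))),
]


def sample_entries():
    return parse_bam_user_settings(SAMPLE_VALUES)


if __name__ == "__main__":
    for path, when in sample_entries():
        print(f"{when.isoformat()}  {path}")
```

On a real image the (name, data) pairs would come from the SYSTEM hive, e.g. via a hive-parsing library; the same is true of the dam\UserSettings key.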
- Shimcache
SYSTEM\ControlSet001\Control\Session Manager\AppCompatCache
(Traces of substitute APIs being executed because of Windows 10 compatibility issues -> malware traces can be identified)
Description:
• The Windows Application Compatibility Database is used by Windows to identify possible application compatibility challenges with executables.
• Tracks the executable's file name, file size, last modified time, and, in Windows XP, the last update time
Location:
XP: SYSTEM\CurrentControlSet\Control\SessionManager\AppCompatibility
Win7/8/10: SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache
Interpretation: Any executable run on the Windows system could be found in this key. You can use this key to identify systems that specific malware was executed on. In addition, based on the interpretation of the time-based data, you might be able to determine the last time of execution or activity on the system.
• Windows XP contains at most 96 entries - LastUpdateTime is updated when the files are executed
• Windows 7 contains at most 1,024 entries - LastUpdateTime does not exist on Win7 systems
cf.) Windows 10 Timeline
Description: Win10 records recently used applications and files in a "timeline" accessible via the "WIN+TAB" key. The data is recorded in a SQLite database.
Location: C:\Users\<profile>\AppData\Local\ConnectedDevicesPlatform\L.<profile>\ActivitiesCache.db
Interpretation:
• Application execution
• Focus count per application
- RecentApps
Description: GUI program execution launched on the Win10 system is tracked in the RecentApps key
Location (Win10): NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Search\RecentApps
Interpretation: Each GUID key points to a recent application.
• AppID = Name of application
• LastAccessTime = Last execution time in UTC
• LaunchCount = Number of times executed