Registry

Registry Format

Loading Dirty Hives

Use the transactional .log1 files to update UsrClass.dat and NTUSER.dat files to ensure no data is lost when parsed.

rla.exe -d "F:\tools\investigate\logs" --out F:\tools\investigate\logs\CleanReg

Recover Deleted Registry Keys:

Because the registry is structured similar to a file system, we have the ability to recover deleted registry keys. Use Registry Explorer to accomplish this.

Analysis at Scale

Analyze full directories and output important keys in csv format. Use TimeLineExplorer to analyze data.

RECmd.exe --bn F:\Tools\Get-Zimmerman\RECmd\BatchExamples\Kroll_batch.reb -f F:\Tools\Investigate\logs\NTUSER.dat\ --csv F:\tools\investigate\logs --csvf recmd.csv

Considerations

Keys and subkeys have last write timestamps, values do not.

NTUSER.DAT

HKU and HKCU are comprised of two files NTUSER.DAT and UsrClass.dat. Below are the registry keys contained in NTUSER.DAT.

UsrClass.dat

below are the keys contained in UsrClass.dat

MuiCache

ShellBags

Shows folders that user traversed to within Explorer.exe. Does not track files, EXCEPT .zip files.

HKCU\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
- Contain folders navigated to and subkey access order.
HKCU\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags
- Contains display information about folder.

Considerations:

Shellbags last forever (siutationally).
Feature updates can wipe shellbags or skew timestamps, check for last update if needed.
Deleting path will not remove shellbag entry, can find paths that do not exist.
Use ShellbagsParser and compare MRUListEx entry order in RegExplorer to find correct accessed time.

https://www.giac.org/paper/gcfa/9576/windows-shellbag-forensics-in-depth/128522#:~:text=The%20ShellBag%20information%20will%20be,once%20the%20keys%20are%20created.

PreviousRecycle Bin NextLogged in Accounts

Last updated 7 months ago

UsrClass.dat

below are the keys contained in UsrClass.dat

MuiCache

ShellBags

Shows folders that user traversed to within Explorer.exe. Does not track files, EXCEPT .zip files.

HKCU\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU

Contain folders navigated to and subkey access order.

HKCU\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags

Contains display information about folder.

Considerations:

Shellbags last forever (siutationally).

Feature updates can wipe shellbags or skew timestamps, check for last update if needed.

Deleting path will not remove shellbag entry, can find paths that do not exist.

Use ShellbagsParser and compare MRUListEx entry order in RegExplorer to find correct accessed time.