Sunday, September 25, 2011

Forensics Term Paper - Windows 8 Registry

I have been tossing around a few ideas for my term paper this fall. And yes, I am still alive.

Part of me wanted to do Malware Analysis and finding unknown evil in the enterprise by investigating interesting traffic, processes, communications and just plain dumb luck to find something. Then utilizing multiple methodologies and utilities to track down the infection and remove it.

Then I read an article on Windows 8 Beta and Jump Lists (Thanks Harlan) and that got me to thinking a little more on the subject of finding out what I can in that OS in regard to the Jump List and Registry.

A few minutes ago I submitted my initial proposal to my professor on my work. Hopefully I will be presenting this at BSides Iowa in 2012.

Proposal that was Sent:

One of the most difficult processes of digital forensics is understanding how new technology interacts with current technology, and how we can utilize current digital forensics technologies and processes to recover and find hidden information. Recently Microsoft released the Developer Beta Preview of Windows 8. With this release Microsoft has added some features to the operating system that will present some interesting complications to digital forensics.

The first thing I plan to look at is the way that Windows 8 handles the Registry hive. Traditionally the registry has been known to house a myriad of useful information for the digital forensic investigator. This information has included, but is not limited to: removable media that has been plugged into the device, the current configuration of the machine that the operating system is installed on, files recently accessed by users, orphaned artifacts of uninstalled software, as well as potential identifiers of malware infection.

Analyzing the Registry data variances from Windows 7 to Windows 8 will require utilizing multiple virtual machines to create usable environments and the creation of a baseline file to compare the changes against. Once these baselines have been established we can compare the registry files between the two versions and see what is different between Windows 7 and Windows 8. We will then install various software versions and compare the changes to the registry from these installs across the environment. After we have installed our software we will uninstall it and compare the registries to see what artifacts have been left behind by the uninstall process. This will allow us to see what Registry entries remain across both versions. Finally we will infect both virtual machines with malicious code to see how the registries handle malware infection across both versions of the tested Windows operating systems.

The second thing I intend to look at is the Jump Lists. This was a new artifact that was found in Windows 7. The Jump List allows quick access to recently accessed files, or most frequently accessed files[1]. There are other capabilities in the jump lists in Windows 7 that should carry over. From my initial look at the Windows 8 operating system it appears that you can customize the jump lists. I am interested to see whether, if the jump list is customized to hold a small number of items, more is stored in the registry.

Investigating the Jump Lists will require setting limitations on the data retained by the jump lists and seeing how the operating system reacts. We will need to understand how these changes impact the registry and the jump list when the jump list is turned off, told to remember nothing, told to remember less, or when the limit is increased. This will require analyzing the registry as we make the changes to the jump list, comparing the baseline against the modified versions.
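Both the install/uninstall comparison and the Jump List setting experiments above come down to the same step: diffing a registry export taken after a change against the baseline export. As an added example that is not part of the original post, the following Python script parses two `.reg` exports and reports added, removed and changed keys and values. The two exports embedded in it are constructed sample data: the `ExampleVendor` and `ExampleApp` keys are invented, and `Start_JumpListItems` (under `Explorer\Advanced`) is the Windows 7 value name for the Jump List item count, used here only as sample data; whether Windows 8 stores that setting the same way is one of the questions the proposal raises.

```python
"""Diff two Windows registry exports (.reg text). Added example (not code from
the original post); the two exports embedded below are CONSTRUCTED sample data."""
import re

KEY_RE = re.compile(r"^\[(.+)\]$")
# A quoted value name (escaped quotes allowed) or @ for the key's default value.
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')


def parse_reg(text):
    """Parse .reg text into {key_path: {value_name: raw_data}}. Data stays as
    exported (e.g. 'dword:0000000a'); hex: data split over lines is rejoined."""
    keys, current, pending = {}, None, None  # pending = (name, partial hex data)
    for raw in text.splitlines():
        line = raw.strip()
        if pending is not None:  # continuation line of a multi-line hex: value
            name, data = pending[0], pending[1] + line.rstrip("\\")
            pending = (name, data) if line.endswith("\\") else None
            if pending is None:
                keys[current][name] = data
            continue
        if not line or line.startswith(("Windows Registry Editor", "REGEDIT4", ";")):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = m.group(1) if m.group(1) is not None else "@"
            if m.group(3).endswith("\\"):
                pending = (name, m.group(3).rstrip("\\"))
            else:
                keys[current][name] = m.group(3)
    if pending is not None:  # export ended mid-continuation: keep what we have
        keys[current][pending[0]] = pending[1]
    return keys


def decode_dword(data):
    """'dword:0000000a' -> 10 for readable reports; other data is returned as-is."""
    return int(data[6:], 16) if data.lower().startswith("dword:") else data


def diff_reg(baseline, after):
    """Compare two parsed exports, matching keys and values on exact path and name."""
    d = {"added_keys": [], "removed_keys": [], "added_values": [],
         "removed_values": [], "changed_values": []}
    for key in sorted(set(baseline) | set(after)):
        if key not in baseline:
            d["added_keys"].append(key)
        if key not in after:
            d["removed_keys"].append(key)
        b, a = baseline.get(key, {}), after.get(key, {})
        for name in sorted(set(b) | set(a)):
            if name not in b:
                d["added_values"].append((key, name, a[name]))
            elif name not in a:
                d["removed_values"].append((key, name, b[name]))
            elif b[name] != a[name]:
                d["changed_values"].append((key, name, b[name], a[name]))
    return d


def format_report(d):
    """One line per difference: + added, - removed, ~ changed (dwords decoded)."""
    out = [f"+ key   {k}" for k in d["added_keys"]] + [f"- key   {k}" for k in d["removed_keys"]]
    out += [f"+ value {k} :: {n} = {v}" for k, n, v in d["added_values"]]
    out += [f"- value {k} :: {n} = {v}" for k, n, v in d["removed_values"]]
    out += [f"~ value {k} :: {n} = {decode_dword(o)} -> {decode_dword(v)}"
            for k, n, o, v in d["changed_values"]]
    return "\n".join(out) or "no differences"


# Constructed snapshots: ExampleVendor/ExampleApp are invented; Start_JumpListItems is
# the Windows 7 value name for the Jump List item count, used here only as sample data.
BASELINE = r"""Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Start_JumpListItems"=dword:0000000a
[HKEY_CURRENT_USER\Software\ExampleVendor]
"Trial_Example"="yes"
"""
AFTER = r"""Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Start_JumpListItems"=dword:00000003
[HKEY_CURRENT_USER\Software\ExampleVendor]
[HKEY_CURRENT_USER\Software\ExampleVendor\ExampleApp]
"InstallDir"="C:\\Program Files\\ExampleApp"
"License"=hex:01,00,02,00,\
  03,00
"""


def run_example():
    return diff_reg(parse_reg(BASELINE), parse_reg(AFTER))


if __name__ == "__main__":
    print(format_report(run_example()))
```

Run as-is to diff the embedded snapshots: the report shows the new `ExampleApp` key and its two values, the `Trial_Example` value that disappeared from a key that survived, and `Start_JumpListItems` going from 10 to 3. For a real comparison, export the same key from the baseline VM and from the VM after the install, uninstall or Jump List change (regedit's export and `reg export` both write UTF-16 text by default, so open the files with `encoding="utf-16"`) and pass each file's contents to `parse_reg`. Comparing raw exported data rather than decoded values keeps the diff honest about type changes (a value rewritten from a string to a dword shows up as a change even when the number is the same).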

Understanding how the registry behaves within the Windows 8 operating system will allow us to know which current tools can handle the new operating system, which tools would need to be modified, and what options are missing from the current tool sets deployed by digital forensic investigators. This research will give us a chance to understand the changes that we are going to be faced with, as well as share our knowledge with others in the field.
