Course 36 - Windows Forensics and Tools | Episode 6: From System Hives to Forensic Analysis - CyberCode Academy

Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:00):
I want you to imagine a deeply hidden, totally locked
diary inside your.

Speaker 2 (00:06):
Computer, right, and not just like a standard diary with
a few notes.

Speaker 1 (00:10):
Yeah, exactly. This diary doesn't just record the major milestones.
I mean, it records absolutely.

Speaker 2 (00:15):
Everything, every single tiny detail we're.

Speaker 1 (00:18):
Talking about, like the exact hex code of the blue
you chose for your desktop background, Yeah, every Wi Fi
network your machine has ever.

Speaker 2 (00:26):
Pinged, the cased passwords for your remote connections, yes.

Speaker 1 (00:30):
And even the serial number of literally every single USB
drive you have ever plugged into a port.

Speaker 2 (00:35):
Yeah.

Speaker 1 (00:36):
It's well, it's the ultimate forensic treasure box. It really is.

Speaker 2 (00:38):
And we're talking, of course about the Windows System registry, right.

Speaker 1 (00:41):
It is basically your computer's central nervous system. And today
we are doing a deep dive to teach you exactly
how cybersecurity experts and you know, forensic analysts pick the
lock bypass the operating system entirely and extract its deepest secrets.

Speaker 2 (00:55):
But to do that, we really have to understand why
this massive dayabase even exists in the first place, and
like how it mechanically operates under the hood.

Speaker 1 (01:04):
Because it is complex, very I.

Speaker 2 (01:06):
Mean, for a lot of users, the computer's just an interface, right.
You have Windows folders, you double click things. I had
graphical layer exactly. But behind that graphical layer, the operating
system is constantly querying this highly structured, hierarchical database just
to know how to behave. If you want to reconstruct
past events or understand user behavior on a machine, you

(01:28):
don't look at the files. You look at the registry.

Speaker 1 (01:31):
So let's crack the architecture open. Because Windows wasn't always
built this way, right, If we go back to the
MS DOS days or even early Windows, configuration data was
completely decentralized. Oh yeah, the Wild West, it really was.
You had these random text files just scattered all across
the hard drive, your dot II files, autoexec, dot back, configure,

(01:51):
dot tease. I mean, it seems like an organizational nightmare.
If say, two different programs tried to modify hardware settings
at the exact.

Speaker 2 (01:59):
Same time, it was a nightmare. That decentralized approach caused
like immense file locking and corruption issues I can imagine.
So the registry was engineered to solve that by creating
a single unified system defined database. Every piece of software,
every hardware driver, and the operating system itself is totally
forced to route configuration requests through this one central hub.

Speaker 1 (02:23):
And when you map out the architecture of that hub,
it looks a lot like object oriented programming inheritance or
like an active directory tree.

Speaker 2 (02:31):
It's highly nested, very much so it's a massive tree structure.
So the main folders at the very top of the
hierarchy are called hives hivesky, and inside those hives you
have subfolders called keys. Inside those are subkeys, And finally,
at the very very bottom you have the actual values
and their data.

Speaker 1 (02:48):
Like a Russian nesting doll.

Speaker 2 (02:50):
Exactly like that. And this tree can nest up to
five hundred and twelve levels deep.

Speaker 1 (02:55):
Oh wow, is that's deep.

Speaker 2 (02:56):
Yeah, it's massive, and it has strict rules governing how.

Speaker 1 (02:59):
You have it right. For example, keynames have to be
printable characters and they aren't case sensitive. But crucially, you
cannot use a backslash and a key name right correct,
because the system uses the backslash to read the path
structure itself.

Speaker 2 (03:12):
It's the exact same logic as standard file paths. If
you put a backslash in a folder name, the purser
thinks you're asking to move into a new directory, which
totally breaks the structural logic it makes sense. Another critical rule,
and this is especially important for international forensic analysts who
are tracking data across borders, is that key names in

(03:33):
the registry are never localized.

Speaker 1 (03:35):
Wait, meaning they don't change languages exactly.

Speaker 2 (03:38):
If you change your Windows language setting to French or Japanese,
your visible desktop folders will translate. Sure, but the underlying
registry keys remain exactly the same in English.

Speaker 1 (03:50):
Oh that's fascinating.

Speaker 2 (03:51):
Yeah, the actual value data inside them might localize, but
the structural path never does. It has to stay rigid.

Speaker 1 (03:57):
Okay. So if the registry is structured so much like
a standard file system, I mean folders inside folders essentially,
why can't you just open up your regular file explorer,
click on the seed drive, and just browse through the hives.
Why do we need a specialized tool like the rejetted
application to even look at it?

Speaker 2 (04:15):
Well, you can't browse it natively because of the sheer
velocity of the data transactions velocity. Yeah, the operating system
is continually reading and writing to this database thousands of
times per second. If you casually opened it in a
file explorer, you risk massive memory access violations.

Speaker 1 (04:33):
Oh so you basically crash the computer.

Speaker 2 (04:35):
Yeah, a total blue screen scenario. So to prevent that,
Windows abstracts the database behind application programming interfaces or APIs.
The system forces you to use these APIs to retrieve
or modify data safely. That tool, regit it is really
just a graphical interface built on top of those APIs.
It acts as a safety layer so you don't accidentally

(04:57):
crash the kernel while you're just looking at the data.

Speaker 1 (05:00):
Okay, so regid it provides the safety goggles.

Speaker 2 (05:02):
That's a good way to put it.

Speaker 1 (05:03):
Let's put those goggles on and take a guided tour
of the five top level hives because I feel like
this is where the logic of the operating system really
reviews itself. So the first hive is HKCR or HP
classes route. I like to think of this one as
the matchmaking service.

Speaker 2 (05:17):
Matchmaking is a great analogy. HKCR manages file associations and
object linking and embedding or OE.

Speaker 1 (05:25):
So mechanics wise, how does that actually work? Like if
I double click a dot txt text file, how does
HKCR ensure noepad opens instead of I don't know my
web browser right?

Speaker 2 (05:35):
So when you double click the file. The Windows shell
queries the HKCR hive for the dot txt extension. But
the hives don't just say, you know, use notepad. It
returns a specific program ID or progiite associated with that
extension on a D number.

Speaker 1 (05:51):
Right.

Speaker 2 (05:51):
Then the shell queries the hive again for that specific
project to find the exact file path to the notepad executable,
along with any command line param need it to launch it.

Speaker 1 (06:01):
So it's not a simple one step look up.

Speaker 2 (06:03):
No, it's a multi step verification process entirely managed by
this one hive.

Speaker 1 (06:07):
So the matchmaker handles the files, but how does the
machine know who is actually clicking on those files?

Speaker 2 (06:12):
That brings us to our next two.

Speaker 1 (06:14):
Hives, right, HKCU, which is HKE Corentiser and HKU or.

Speaker 2 (06:18):
Hq users, And these two really operate in tandem. HKU
is the master list. It contains a dedicated subkey for
the profile of every single account that is ever logged
into that computer.

Speaker 1 (06:29):
But querying a massive master list. Yeah, every single time
the active user moves their mouse or like changes their
desktop background. Yeah, that's got to be computationally.

Speaker 2 (06:40):
Heavy exactly, which is why HKCU exists.

Speaker 1 (06:43):
Well, wait, if HKCU is holding the active users settings,
and EACHKU is holding everyone's settings. Aren't we just duplicating
a ton of data.

Speaker 2 (06:50):
It looks like that, but we aren't actually duplicating data.
We are mapping a pointer.

Speaker 1 (06:54):
Oh Okay.

Speaker 2 (06:55):
HKCU doesn't actually store distinct files on the drive. It
basically acts as a dynamic shortcut, like a hologram sort of. Yeah.
When you log into the machine, Windows finds your specific
profile deep inside the HKU master list and actively maps
it to the HKCU root key. It's purely a performance optimization.

Speaker 1 (07:12):
Got it. So when an application needs to know your
personal dark mode preference, it doesn't search the master directory.

Speaker 2 (07:20):
Right, It just asks HKCU, which instantly points to your
specific data block in memory.

Speaker 1 (07:25):
So when you listening to this right now, change the
mouse sensitivity for a video game, that's setting routes instantly
through the HKCU pointer right into your specific user profile.

Speaker 2 (07:35):
Perfectly stated.

Speaker 1 (07:36):
Okay, So the final two hives deal with the hardware itself.
We have HKCC or HKE current config and HKLM hk
local machine.

Speaker 2 (07:46):
And the relationship between these two really mirrors the user hives.
HKLM is the heavyweight. It is the absolute core configuration
for the machines hardware, security, and software, regardless of who
is logged in.

Speaker 1 (07:59):
And HC is the dynamic pointer for the hardware built
on the run at startup.

Speaker 2 (08:03):
Precisely like if you boot a laptop while it's plugged
into a docking station with two external monitors, HKCC dynamically
extracts only the hardware profiles relevant to that specific boot
state from the massive HKLM database.

Speaker 1 (08:16):
That is incredibly efficient. Now I can see how user
preferences are interesting. Yeah, but if I'm a forensic investigator
or a thread actor, I don't really care about someone's wallpaper.

Speaker 2 (08:25):
No, definitely not.

Speaker 1 (08:25):
I want the system core. I want the vault. So
let's break open HKLM because this is where the actual
digital forendics gold mine lives.

Speaker 2 (08:33):
It really is. So inside HKLM, the data is partitioned
into subkeys. The software subkey handles application states, and the
system subkey handles hardware drivers. But the most highly targeted
partition by far is the SAM subkey. SAM stands for
Security Accounts Manager.

Speaker 1 (08:49):
This is the bouncer. This is what handles local user authentication.
But it doesn't just keep a plain text file of
everyone's passwords, right, it hashes them.

Speaker 2 (09:00):
Correct.

Speaker 1 (09:00):
Let's talk about the mechanics of hashing for a second,
because it's fundamentally distinct from encryption.

Speaker 2 (09:05):
That is a vital distinction to make. Encryption is a
two way street. You know, if you have the key,
you can decrypt the data back to its original form, right,
But a hash is a one way mathematical functions. It's
like putting a stake into a meat grinder.

Speaker 1 (09:19):
I love that analogy.

Speaker 2 (09:20):
Yeah, you get ground beef out, but you can never
mathematically reverse the process to get the original stake back.

Speaker 1 (09:26):
So when Windows stores your password, it runs the characters
through an algorithm and stores the resulting cryptographic string exactly.

Speaker 2 (09:34):
Historically, Windows used LM or land Manager hashes, which were
notoriously weak because they split passwords into these little seven
character chunks. Yikes, yeah, very easy to crack. Modern systems
use NTLM hashes. So when you type your password at
the login screen, Windows takes what you typed, runs it
through the exact same meat grinder, and then compares the

(09:57):
resulting output with the string stored in the SAM.

Speaker 1 (09:59):
File, and if the hash is match, you are granted
access right.

Speaker 2 (10:04):
The operating system never actually knows what your raw password is.

Speaker 1 (10:07):
Which means if an attacker gets their hands on the
SAM file, they don't have your passwords. They just have
a list of hashes. So how do forensic tools actually
crack those?

Speaker 2 (10:15):
Gearlane, brute force and rainbow tables?

Speaker 1 (10:18):
Okay, break those down.

Speaker 2 (10:19):
So a dictionary attack or a brute force tool essentially
guesses millions of passwords, a second hashes them and checks
if the output matches the stolen SAM hash.

Speaker 1 (10:28):
Just trial and error at light speed.

Speaker 2 (10:29):
Exactly, And a rainbow table is even faster. It's a massive,
pre computed database of billions of clain text passwords and
their corresponding hashes. Oh so you don't even have to
do the math, right, You just look up the stolen
hash on the table and it reveals the password that
created it.

Speaker 1 (10:46):
Wow. And Nested right alongside the SAM key is another
heavily guarded vault called the LSA secrets, which falls under
the local Security Authority.

Speaker 2 (10:55):
Yes, and LSA secrets operates as a protected storage enclave.
While sam M handles local account hashes, LSA secrets stores
high value cache data like what kind of data it holds? Cash?
Domain credentials, service account passwords, and even private encryption keys.
If an attacker compromises LSA secrets, they can often move

(11:15):
laterally across an entire corporate network rather than just controlling
the single local machine.

Speaker 1 (11:21):
It's the keys to the kingdom. So the goal is clear,
get the SAM file and get the LSA secrets, But
the operating system actively defends these files very aggressively, like
the Windows NT kernel places an absolute unbreakable lock on
the SAM registry file while the operating system is running.
You can't copy it, you can't move it, you can't
even open it.

Speaker 2 (11:40):
The kernel restricts access strictly to the system account, even
if you have full administrator privileges. Windows will entirely block
your attempt to interact with the raw SAM file on
the disc while the machine is awake.

Speaker 1 (11:52):
So if I'm an attacker or an investigator and the
front door is completely bolted from the inside while Windows
is awake, my logical move is to break in before Windows.

Speaker 2 (12:02):
Even wakes up, which is exactly what people do, which.

Speaker 1 (12:05):
Leads us to the boot process and the intense arms
race between rootkits and Microsoft.

Speaker 2 (12:10):
Oh, that arms race completely reshape the registry In older
generations of Windows, the boot sequence was dictated by a
simple text file called boot dot ini. It was incredibly
vulnerable and lacked complex logic, so modern Windows replace this
with a registry hive called BCD or Boot Configuration Data.

Speaker 1 (12:28):
So how does BCD change the mechanics of booting.

Speaker 2 (12:31):
It acts as a firmware independent abstraction layer. Older systems
relied on the BIOS, the basic input output system, which
interacted directly with the master boot record on.

Speaker 1 (12:41):
The hard drive, classic legacy tech.

Speaker 2 (12:43):
Exactly, modern systems use UFI, the Unified Extensible Firmware Interface.
BCD is designed to interface securely with UVFI, managing the
boot environment before the main operating system kernel even takes over.

Speaker 1 (12:57):
But attackers still found a way to inject themselves into
that transition phase using rootkits. These are malicious drivers that
load into mary extremely early, hiding themselves before the anti
virus software or the rest of the registries even loaded. Yep,
so Microsoft had to introduce a bouncer to stand at
the door before the party even starts.

Speaker 2 (13:16):
That bouncer is ELAM early Launch anti malware, which was
introduced in Windows eight. And to really understand ELAM, you
have to look at the start values inside the HKLM
system registry key right, because.

Speaker 1 (13:27):
The registry assigns a numerical value to drivers to tell
them when to wake up exactly.

Speaker 2 (13:32):
Drivers with a start value of zero, like your hard
disk controller, are absolutely critical. If they don't load, the
machine literally can't read its own hard drive.

Speaker 1 (13:40):
Okay, so they go first, right.

Speaker 2 (13:42):
And ELAM is the very first system kernel driver that
starts immediately after those critical bootstart drivers. It initializes before
any third party software gets a chance, So.

Speaker 1 (13:53):
Its entire job is to scan every subsequent non Microsoft
driver trying to load into the kernel yes, and classifies
them as known good, known bad, or unknown. Well, wait,
if ELAM decides what's known bad, are we just giving
the operating system complete dictatorial control over what hardware you're
allowed to use.

Speaker 2 (14:13):
That's a common concern, like what.

Speaker 1 (14:15):
If you were a developer writing a custom kernel driver
for I don't know, a Niache piece of robotics. Does
Windows just lock you out of your own machine?

Speaker 2 (14:22):
Well, it's a careful balance between security and user control.
ELAM operates based on strict initialization policies and driver signing. Okay,
so by default ELAM actually allows known, good, and even
unknown but properly signed drivers to initialize. It primarily blocks
unsigned or explicitly blacklisted malicious code.

Speaker 1 (14:40):
I see.

Speaker 2 (14:41):
However, a system administrator can tighten those group policies to
a really draconian level, forcing the system to reject absolutely
anything that isn't explicitly pre approved.

Speaker 1 (14:51):
It's incredible how many layers of state management the registry
handles and even extends out to the cloud now right, yeah,
with hives like BBI Houser based interface. Oh yeah.

Speaker 2 (15:01):
BBI is a perfect example of how the registry evolves.
As Windows integrated more immersive apps and cloud sinking, it
needed a way to track state management across trusted machines,
things like calendar sinks or time zone adjustments. So the
registry just expands to incorporate those new operational parameters.

Speaker 1 (15:17):
Okay, so understanding the architecture, the hashes, and the boot
level bouncers, that's all the theory. But if you are
sitting at a computer right now, how do you actually
extract this data in practice? The fun part exactly. Yeah,
let's do a step by step walk through of a
forensic extraction. Because we already established that we aren't logging
into Windows, and we definitely aren't using rijetted right.

Speaker 2 (15:39):
To extract the locked files like SAM, you have to
bypass the operating system entirely. You achieve this by booting
the physical computer from a USB drive containing an independent,
lightweight environment like a Linux distribution or a specialized forensic toolkit.

Speaker 1 (15:55):
And by doing that, the primary Windows operating system on
the hard drive remains completely dorm It never wakes up,
which means the kernel never gets the chance to lock
the SAM file.

Speaker 2 (16:04):
Exactly.

Speaker 1 (16:05):
We're essentially putting on digital X ray goggles and examining
the hard drive while it's totally asleep.

Speaker 2 (16:10):
That is exactly how it works. Once you boot into
your forensic environment, you launch a disk imaging and extraction program.
We are going to target the primary local drive, which
is usually the Sea drive.

Speaker 1 (16:21):
Let's walk the listener through the file tree. Where are
we navigating to physically find these hives?

Speaker 2 (16:26):
Okay, So you expand the directory structure, moving from the
root into the Windows folder, then down into system thirty two,
and finally into a folder name can fig.

Speaker 1 (16:35):
So system route backslash System thirty two backslash can fig.

Speaker 2 (16:39):
You got it. This directory houses the physical files for
almost all the major hives SAM security, software and system.

Speaker 1 (16:47):
The only major exception is your active user profile HKCU,
which lives under system root backslash profiles backslash user name.
Right now, when you open that config folder, you don't
just see one neatly labeled SAM file. You see clusters
of files with different extensions.

Speaker 2 (17:02):
And those extensions are crucial for understanding the state of
the data. The registerry utilizes a concept called atomicity to
prevent corruption during sudden power losses.

Speaker 1 (17:12):
Atomicity meaning it writes changes to a transaction log.

Speaker 2 (17:16):
First, exactly, So if you see a file with a
dot log extension, you are looking at the pending changes
that haven't been fully committed yet.

Speaker 1 (17:23):
And if you see a dot sav extension, that's a
backup copy generated during the last major system configuration. Right again,
But the primary file, the actual complete copy of the
hive data. It has no extension at.

Speaker 2 (17:34):
All, none. It is simply a file named SAM or
system with a blank extension. So in your forensic tool
you highlight that dormant, extensionless SAM file, you write, click
select export and pull it off the target drive onto
your own secure.

Speaker 1 (17:49):
Media, and just like that, you've successfully stolen the vault.
But it's still unreadable raw data at this point.

Speaker 2 (17:55):
Yes, it's binary, so to read it, you import that
exported file into a specialized registry viewer application. The viewer
acts as a parser, translating the raw binary data back
into that familiar nested folder structure. Oh wow, Yes, suddenly
you can navigate down through the SAM keys and view
the NTLM hashes for every single user account on the machine,

(18:16):
ready to be exported into a cracking tool.

Speaker 1 (18:18):
You just successfully pulled the black box out of the airplane.
I mean, it's a staggering amount of data to process.
So let's synthesize everything we've covered today, do it.

Speaker 2 (18:26):
We began by looking at the structural logic how Windows
replace the chaotic ms dous text files with a unified,
hierarchical database of hives, keys and values.

Speaker 1 (18:36):
We explored how HKCR manages file matchmaking, how HKCU uses
pointer logic to optimize active user settings, and how the
heavyweight HKLM stores the core system hardware configurations.

Speaker 2 (18:48):
We dove into the mechanics of hashing within the deeply
secured SAM vault and examined how the boot sequence transitioned
from simple text files to the BCD firmware interface.

Speaker 1 (18:58):
We analyzed how ELAM acts as a pre boot bouncer
to stop root kits, and finally, we walked step by
step through the process of bypassing the dormant operating system
to physically extract the registry data. It is a massive
technical journey, but the value.

Speaker 2 (19:11):
Of technical knowledge lies in application and retention. So before
we wrap up, let's test your understanding with a short
review question.

Speaker 1 (19:19):
Ooh, I like it? Okay, think back to the architectural
rules of the registry structure. If you are an international
forensic investigator analyzing a machine where the operating system language
has been changed to Japanese, what happens to the names
of the underlying registry keys?

Speaker 2 (19:32):
Good question?

Speaker 1 (19:33):
Do they A translate into Japanese, b remain in English
or c corrupt entirely due to localization conflicts.

Speaker 2 (19:40):
Consider the distinction between the graphical user interface that regular
users see and the core structural pass that the operating
system relies on to function.

Speaker 1 (19:49):
So if you guessed b remain in English, you are
absolutely correct. While the visual folders on the desktop might localize,
the registry key names must remain uniform to maintain Haines
systemic integrity.

Speaker 2 (20:01):
Which highlights a profound truth about this technology. The registry
does not care about presentation. It only cares about raw
historical fact, and.

Speaker 1 (20:11):
That leaves you with a final thought to ponder as
we close this deep dive. We started by comparing the
registry to a locked diary at tracks every network, every
USB drive, every software preference, building an immutable record of
your behavior. If a forensic analyst were to bypass your
operating system right now and extract your dormant files, what
exact story is your computer's registry telling about your digital

(20:33):
life at this very moment,

All Episodes

Course 36 - Windows Forensics and Tools | Episode 6: From System Hives to Forensic Analysis

Episode Transcript

Popular Podcasts

Stuff You Should Know

Dateline NBC

iHeartRadio 24/7 News: The Latest

.css-15opob5{left:0;position:absolute;top:0.8rem;} All Episodes

.css-14f5ked{margin:0;word-break:break-word;display:-webkit-box;-webkit-box-orient:vertical;box-orient:vertical;-webkit-line-clamp:2;overflow:hidden;}Course 36 - Windows Forensics and Tools | Episode 6: From System Hives to Forensic Analysis