Prepopulated artifacts

Have you ever encountered on-disk artifacts originating from another system?

Typically, this is something you see when a custom operating system image had been deployed to multiple computers by IT staff (on-disk artifacts appeared before the image is captured become a part of that image).

But there are some minor artifacts existing in installation images coming from Microsoft!

It’s known that during the Windows installation process, many files (including executables and data files) are extracted from an installation image (which is the “\sources\install.wim” file within an ISO image) to a target volume. Some registry hives with prepopulated keys and values are among those files.

During the reverse engineering of the Windows registry file format, I found that many standard registry hives (like SYSTEM and SOFTWARE) include misleading key node flags.

For example, in Windows XP and Windows Server 2003, all keys created by 32-bit programs running under the Wow64 subsystem receive the 32-bit flag (which isn’t exposed by many DFIR tools). This flag was moved to another location within a structure describing a registry key (it’s called a key node) in Windows Vista. And in Windows 7, this flag became unused (thus, deprecated).

However, many key nodes found in registry hives from a Windows 7 installation have this flag set! Moreover, the flag is set in its old location (like in Windows XP, but not in Windows Vista).

nk32b.png
A key node (shown as selected), the signature field (“nk”) is followed by the flags field (0x1020). The 0x1000 flag is used in 64-bit versions of Windows XP and Windows Server 2003 only to mark 32-bit keys. And the screenshot is of a Windows 7 hive!

Here is my explanation from the format specification (which was linked above):

A possible explanation for this oddity is that initial primary files were generated on Windows XP or Windows Server 2003 using the Wow64 subsystem […]

While this explanation sounds obvious, it took me more than a month to exclude other explanations possible (like the same bit being reused for another purpose, for a different flag).

Okay, this is Windows 7. What about Windows 10?

Take a look at these bytes:

w10ofrg
A base block of the SYSTEM hive from a Windows 10 installation

This is a base block (or a file header) from a registry hive. Do you see anything suspicious?

Here is the same hive from a Windows 8.1 installation:

w81.png
A base block of the SYSTEM hive from a Windows 8.1 installation

Note the “OfRg” string at the offset 0xB0, which is absent in the Windows 8.1 hive. This is a toolmark coming from the offreg library and it’s present in the original hive file from the Windows 10 installation image. So, someone used that library to edit the hive before putting it into the WIM image! Since the hive from the WIM image contains deleted data and transaction log files with valid log entries and matching sequence numbers, the offreg library wasn’t the last tool used against the hive before packing it into the WIM image.

Let’s take an installation image (“Win10_1909_English_x64.iso“), extract the prepopulated SYSTEM and SOFTWARE hives from it, install the operating system from that image into a virtual machine, and extract the installed instances of the same hives (right after the installation is finished). Then extract possible timestamps stored in key names & value names & value data using the registry-miner tool. Finally, let’s focus on timestamps that have the same “key + value” path and the same value data in the prepopulated and fresh-installed instances of the hives.

This gives us a bunch of timestamps, some of them are stored in keys which were modified during or right after the installation process (according to the last written timestamps of those keys) but have the same value (e.g., the same integer in value data) as in the WIM image.

For example, a key from the WIM image:

Key path: Microsoft\Windows\CurrentVersion\SideBySide
Last written timestamp (UTC): 2019-10-07 03:04:11.848690
Access bits: 1
Owner SID: S-1-5-32-544

Value name: MaintenanceFlags
Value type: REG_DWORD
Data size: 4
Data (decoded):
2147483655

Value name: PublisherPolicyChangeTime
Value type: REG_QWORD
Data size: 8
Data (decoded):
132148908626149594

Value name: LastSuccessfullScavenge
Value type: REG_QWORD
Data size: 8
Data (decoded):
132148910518486891

Value name: LastScavengeCookie
Value type: REG_QWORD
Data size: 8
Data (decoded):
132148908626149594

Value name: LastScavengeFlags
Value type: REG_DWORD
Data size: 4
Data (decoded):
103

---

The same key from the fresh installation:

Key path: Microsoft\Windows\CurrentVersion\SideBySide
Last written timestamp (UTC): 2020-05-03 13:02:00.403844
Access bits: 3
Owner SID: S-1-5-32-544

Value name: MaintenanceFlags
Value type: REG_DWORD
Data size: 4
Data (decoded):
0

Value name: PublisherPolicyChangeTime
Value type: REG_QWORD
Data size: 8
Data (decoded):
132329845199047741

Value name: LastSuccessfullScavenge
Value type: REG_QWORD
Data size: 8
Data (decoded):
132148910518486891

Value name: LastScavengingStarvationReport
Value type: REG_QWORD
Data size: 8
Data (decoded):
132330201815801878

---

As you can see, the key got modified, but the “LastSuccessfullScavenge” value contains the same FILETIME timestamp as before (132148910518486891 = 2019-10-07 03:04:12 UTC, this is long before the installation). Without comparing each timestamp to the installation date, this could lead to a wrong conclusion about activity which didn’t really happen on this machine.

A similar test with the NTUSER.DAT hive shows that there is one “TypedURLs” entry from the WIM image: “http://go.microsoft.com/fwlink/p/?LinkId=255141“. After the installation, this entry is stored in the same key but with an updated last written timestamp and with a corresponding “TypedURLsTime” entry set to zero.

This issue is also documented here:

Upon review of the NTUSER.DAT hive immediately after the first login (before Internet Explorer was ever opened), I observed a single value named “url1” in the TypedURLs subkey with the data being “http://go.microsoft.com/fwlink/?LinkId=69157”. This existence of this value appears to be consistent with the behavior in older versions of Windows.

Furthermore, in previous versions of Windows, prepopulated registry hives could contain uninitialized memory in unused/unfilled portions of a base block. Here is an example of the SOFTWARE hive from a WIM image of Windows Vista:

regf-uninit.png
The base block from a prepopulated hive (Windows Vista). One “meaningful” string can be observed in the unfilled location (0x80), unused areas (0xA8-0x1FC) are filled with garbage data

Based on how uninitialized data is written to such areas, I suppose these are random memory chunks from a machine involved in the development process.


Usually, such prepopulated artifacts don’t cause any trouble during forensic investigations. But they can mislead us during reverse engineering.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s