2016/10/10

Most Recent Used (MRU) Peek-A-Book

In this post, we will cover some cool ways to review the Most Recent Used (MRU) keys from the Windows registry. The goal of the article is to show how these keys can be useful, explain how to review them using RegRipper, and provide a means to review these keys directly from a memory image using the Volatility Framework.

Let’s get to it!


What’s an MRU Key, and Why Do I Care?

The Windows registry contains numerous keys that are useful for forensic analysis. One such set of keys are the MRU keys, which contain the names of applications and files that have been recently opened on the system. This information can be quite useful to a forensic investigator, and the fact that MRU keys exist in both user-based registry hives (NTUSER.DAT) and system hives just bolsters the ability to determine which user opened a particular executable or file.

For example, say that we wanted to know which applications a particular user on a system executed. The following is a snippet of MRU data:

LastWrite: Thu Jun  2 06:58:19 2016
Note: All value names are listed in MRUListEx order.

  FlashDevelop.exe
  OpenWith.exe
  HxD.exe
  ILSpy.exe
  Vbsedit.exe
  firefox.exe

Using the data above, we can see that this user opened applications specific to Adobe Flash-based development, a hex editor, a .NET decompiler, a Visual Basic script editor, and Firefox. At face value, this data may or may not provide direct answers. However, if your company needs to know if User X executed a particular application on a shared workstation, this could provide a quick heads-up as to the answer. In other cases this information might be more useful as corroborating evidence. Regardless, this data is often used when reviewing what a user has been doing on a given system.

Before we get down and dirty, let’s review the tools that we will be using for this article.


Tools of the Trade:

Tool Name Author(s) Link Notes
RegRipper Harlan Carvey RegRipper GitHub Repo The go-to tool for parsing registry hive files. Speaking of things in the “go-to” category, Harlan is a widely respected DFIR ninja. Check out his site: http://windowsir.blogspot.com/
RegEdit Microsoft regedit.exe If you’re not familiar with RegEdit, you may want to do some Googling before continuing with this article :).
Volatility Volatility Foundation Volatility Download Page If you are not yet familiar with Volatility, please refer to our previous article: Physical Memory Analysis – Volatility


To kick things off, let’s list the steps that we need to accomplish:

1) Review the various types of MRU keys
2) Rip the registry hive files
3) Run RegRipper on the registry hive files
4) Review the RegRipper results
5) Review an MRU key via Volatility

Now that we have a loose outline, let’s get started.


Example MRU Registry Key

Numerous Most Recent Used (MRU) keys exist. For a decent list, though a bit dated, see here:

  • Forensics Wiki: http://forensicswiki.org/wiki/List_of_Windows_MRU_Locations

Here are two more resources that provide a decent breakdown of MRU keys:

  • http://www.forensicmag.com/article/2012/04/windows-7-registry-forensics-part-4
  • https://digital-forensics.sans.org/summit-archives/2009/8-harlan-carvey-registry-analysis.pdf (see slide 36)

For our purposes, we will focus on the following MRU key:

RunMRU

Location: Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU

The RunMRU key stores the items that were executed via the Run dialogue box.


Peepin’ w/RegEdit

Let’s review our target key via RegEdit. To do so, open regedit and navigate to our target key location:

Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU

mru_pab-01-regedit

In the above screenshot, notice that the MRUList key’s value is gafedbc. This list shows us the order in which the items were actually executed, with the most recent first. Thus, our execution chain’s most recent item was g (“regedit”) while the oldest was c (“ncpa.cpl”).


Ripping the Registry Hive Files

If you are already familiar with how to obtain the Windows registry hive files (we will be focusing on the NTUSER.DAT file[s]), go ahead and skip to the next section. Otherwise:

My goal here is to show some fun tips and tricks, but I do not intend on “reinventing the wheel” while doing so. Many articles exist that explain how to obtain the normally protected files that make up the Windows registry. Thus, I would like to defer you to a fantastic article from Sam Bowne of City College of San Francisco. [This feels somewhat like telling a television viewer to turn the channel, BUT MAKE SURE to turn it back! lulz.]

Sam covers how to obtain protected registry files using FTK Imager Lite, which is a fine tool. If you have enterprise-class forensic suites such as EnCase or GRR setup, you can grab files using those tools of course. Most people don’t have access to such tools, so feel free to download FTK Imager Lite and then read the “Downloading FTK Imager Lite” and “Creating a Registry Image with FTK Imager Lite” sections of Sam’s post here: Capturing and Examining the Registry. Then tune back to this article and we’ll keep rockin’.

Now, do you have some Windows registry hive files with which to play? Great. If not: DAMNIT. If you’d like assistance, feel free to ask in the comments section. Otherwise, go grab an NTUSER.DAT hive file from the Internet. Just download any ‘ol hive from the Internet. Seems totally safe.


RegRipper Rocks

We can view our target key via RegRipper, which is a much more automated way of gathering this data along with other, possibly related, data from the Windows registry. If you don’t already have RegRipper, go ahead and grab the bugger (even if you have it, make sure you have the latest version): https://github.com/keydet89/RegRipper2.8

To rip your hive, do the following:

  1. Launch rr.exe and select the following:
    1. Hive File: Point to the NTUSER.DAT file that you’d like to analyze
    2. Report File: Select a place to save your RegRipper report
    3. Profile: Select `ntuser`
  2. Click “Rip It” to rip the hive

The outcome should look something like this:

regripper setup

Once completed, you will find a `.txt` file with your results along with a `.log` file that contains an audit of the RegRipper run. Open the `.txt` results and scroll down to the `runmru` section, which should look something like this:

regripper results - runmru

Here we see results similar to what we found directly in RegEdit. Note once again that the MRUList designation is gafedbc, which provides the order in which these items were actually executed. Don’t forget that this list is ordered from most recent to eldest (or even better: from most recent to old crap you totally forgot about but you’re OS didn’t).

The RegRipper method is quite useful, as we can rip tons of data at once without having to much with the RegEdit GUI. However, what if we have a memory image from a machine and wish to review this type of data? Keep going to find out :).


Volatility Method

To review our key using the Volatility framework, we’re going to want to review the hives within the image using hivelist in order to find the virtual address for our target hive. In our example, we want the NTUSER.DAT file for the “REM” user account. Next, we’ll want to use the printkey module to print our target key. Let’s get started!

NOTE: Before you begin, you will need to know the proper Volatility profile to use against your memory image. If you are not familiar with this concept or need assistance, please see https://malwerewolf.com/2014/05/physical-memory-analysis-volatility/.

hivelist

In my example image, which is a .vmem file taken from a paused VMware VM, I ran the following query to obtain a list of hive files along with memory locations:

volatility -f REM\ Workstation-f0660040.vmem --profile="Win8SP1x86" hivelist

volatility hive list

As we can see in the results, our target hive file has the virtual address: 0x602473e0. The virtual address is important, as this is required by the printkey module to select the hive against which we want our command to process.

printkey

Now that we have the virtual address offset for our NTUSER.DAT file, we can print our targeted key using the following method:

volatility -f REM\ Workstation-f0660040.vmem --profile="Win8SP1x86" printkey -o 0xa8c383e0 -K "software\microsoft\windows\currentversion\explorer\runmru"

In our command above, we use the following arguments:
-o: The virtual address of our target hive, NTUSER.DAT, obtained from the output of hivelist
-K: The key location for our target key (simply change this to print any other keys from this hive)

volatility printkey results

Oh look! We have the same data that we obtained from a live machine by reviewing the registry via regedit and/or reviewing regripper details! WIN!

I am not aware of a script that allows you to basically run regripper modules and/or common tasks directly via volatility. If you know of one, please leave a comment or ping us on Twitter! If none exist, this sure would make an awesome project.


That’s all folks. This stuff isn’t new, but I wanted to provide an example key and provide methods for live and non-live systems. I hope this helps!

I look forward to any and all feedback, so please do not hesitate to drop a comment!

Fer Shizzle.

– 8bits0fbr@in8bits0fbr@in


Leave a Reply

Your email address will not be published. Required fields are marked *



Today is Saturday
2017/06/24