Advent of Cyber 2025 - Day 16
Registry Forensics: Investigating the TBFC Dispatch Server Compromise
Introduction
TBFC recently identified suspicious activity across several internal systems. With their lead defender unavailable, the security team initiated a structured incident response to prevent disruption during the upcoming SOCMAS event.
One of the most critical systems under investigation was dispatch-srv01, a Windows server responsible for coordinating drone-based delivery operations. Initial indicators suggested unauthorized modifications, prompting a Windows Registry Forensics investigation to identify persistence mechanisms and attacker activity.
This write-up focuses on analyzing offline registry hives to reconstruct what happened on the compromised system.
Learning Objectives
By completing this investigation, we aim to:
- Understand the purpose of the Windows Registry
- Identify key Registry Hives and Root Keys
- Analyze registry data using Windows Registry Editor
- Perform offline registry forensics using Registry Explorer
- Identify attacker persistence and execution artifacts
Understanding the Windows Registry
The Windows Registry is a centralized configuration database that stores:
- System and hardware settings
- Installed software information
- User preferences and profiles
- Startup and persistence entries
- Security and policy configurations
Rather than existing as a single file, registry data is distributed across multiple registry hives, each serving a specific purpose.
Registry Hives Overview
| Hive Name | Data Stored | File Location |
|---|---|---|
| SYSTEM | Boot config, services, drivers | C:\Windows\System32\config\SYSTEM |
| SECURITY | Local security policies | C:\Windows\System32\config\SECURITY |
| SOFTWARE | Installed software, autoruns | C:\Windows\System32\config\SOFTWARE |
| SAM | User and group information | C:\Windows\System32\config\SAM |
| NTUSER.DAT | User preferences | C:\Users\<username>\NTUSER.DAT |
| USRCLASS.DAT | Shellbags, UI artifacts | C:\Users\<username>\AppData\Local\Microsoft\Windows\USRCLASS.DAT |
These files are binary and must be analyzed using specialized tools.
Registry Root Keys Explained
Windows maps registry hives into logical containers called Root Keys:
| Hive File | Registry Path |
|---|---|
| SYSTEM | HKLM\SYSTEM |
| SECURITY | HKLM\SECURITY |
| SOFTWARE | HKLM\SOFTWARE |
| SAM | HKLM\SAM |
| NTUSER.DAT | HKCU or HKU\<SID> |
| USRCLASS.DAT | HKU\<SID>\Software\Classes |
Why Registry Forensics Is Important
The registry contains long-term forensic artifacts that persist even after files are deleted.
Commonly investigated keys include:
| Registry Key | Evidence Provided |
|---|---|
| UserAssist | Recently executed GUI programs |
| TypedPaths | Explorer address bar history |
| Run / RunOnce | Startup persistence |
| RecentDocs | Recently accessed files |
| Uninstall | Installed applications |
| ComputerName | System hostname |
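As an added example (not from the original write-up and not Registry Explorer's own code), the Python below decodes a single UserAssist value of the kind listed in the table: the ROT13-obfuscated value name and the 72-byte data block that carries the run count and last-execution FILETIME. The value name and bytes are constructed here for illustration, not taken from the dispatch-srv01 hives.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone
from typing import Optional

# FILETIME counts 100-nanosecond ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ticks: int) -> Optional[datetime]:
    """Convert a 64-bit FILETIME to an aware UTC datetime (None if unset)."""
    if ticks == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime; used here only to build sample data."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10

def decode_userassist_entry(value_name: str, data: bytes) -> dict:
    """Decode one UserAssist value (Windows 7 and later layout).

    Value names are ROT13-obfuscated. The 72-byte data is little-endian:
    uint32 run count at offset 4, uint32 focus count at offset 8,
    uint32 focus time (ms) at offset 12, FILETIME last run (UTC) at offset 60.
    """
    if len(data) != 72:
        raise ValueError(f"unexpected UserAssist value length: {len(data)}")
    run_count, focus_count, focus_ms = struct.unpack_from("<III", data, 4)
    (last_ticks,) = struct.unpack_from("<Q", data, 60)
    return {
        "program": codecs.decode(value_name, "rot13"),
        "run_count": run_count,
        "focus_count": focus_count,
        "focus_time_ms": focus_ms,
        "last_run": filetime_to_datetime(last_ticks),
    }

# Constructed sample, not taken from the dispatch-srv01 hives. The GUID is the
# System32 known-folder id that UserAssist substitutes for the literal path.
SAMPLE_PROGRAM = r"{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\notepad.exe"
SAMPLE_NAME = codecs.encode(SAMPLE_PROGRAM, "rot13")
SAMPLE_LAST_RUN = datetime(2025, 12, 16, 10, 30, tzinfo=timezone.utc)
SAMPLE_DATA = (
    struct.pack("<IIII", 0, 7, 3, 120_000)   # session id, runs, focus, ms
    + b"\x00" * 44                             # ten floats plus padding
    + struct.pack("<Q", datetime_to_filetime(SAMPLE_LAST_RUN))
    + b"\x00" * 4
)
```

Calling `decode_userassist_entry(SAMPLE_NAME, SAMPLE_DATA)` returns the de-obfuscated program path, a run count of 7 and the last-run timestamp as a UTC datetime, which is the same information Registry Explorer presents in its UserAssist view.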
To preserve evidence integrity, analysts extract and analyze registry hives offline.
Tool Used: Registry Explorer
Registry Explorer is a forensic analysis tool that allows investigators to:
- Load offline registry hives
- Parse transaction logs
- View registry artifacts safely
- Avoid altering original evidence
Practical Investigation: dispatch-srv01
Step 1: Launch Registry Explorer
Open the tool from the forensic workstation.
Step 2: Load Registry Hives
Navigate to:
Select File → Load Hive.
Step 3: Handle Dirty Hives
For each hive:
- Hold SHIFT
- Click Open
A hive whose transaction logs have not yet been written back is "dirty"; loading it this way makes Registry Explorer replay those logs, so the data you analyze reflects the most recent committed state.
Key Finding: System Hostname
Registry Path:
Hostname Identified:
DISPATCH-SRV01
Forensic Findings
Installed Application Prior to Suspicious Activity
- DroneManager Updater
Application Execution Source
Persistence Mechanism Identified
Startup entry added:
This registry-based autorun ensured the application launched on every system startup.
Conclusion
This investigation demonstrates how Windows Registry Forensics can uncover attacker activity that may not be visible through logs alone.
By analyzing offline registry hives, we successfully identified:
- The suspicious application involved
- Its execution origin
- A registry-based persistence mechanism
Registry artifacts played a crucial role in reconstructing the attack timeline and understanding how persistence was maintained on the system.
Key Takeaway
Even when files are removed, the Windows Registry often retains the evidence.
Proper registry analysis is essential for effective incident response and threat hunting.