Exploring Internet Explorer with RegRipper


In the last case...

I felt that some Internet Explorer artifacts were missing, so I decided to take a look at the RegRipper plugins that parse the user registry hive (NTUSER.DAT) to see if they could help me. Honestly, I did not have a clear idea of where to look for a sign, since I usually get this information from the IE cache files and not from the registry.

RegRipper IE plugins mini-survey


Currently there are four Internet Explorer plugins:
  • ie_main: (NTUSER) despite the description in the source file header ("the plugin Checks keys/values set by new version of Trojan.Clampi"), the plugin parses (details later) the "Software\Microsoft\Internet Explorer\Main" key. It was written by Harlan Carvey on 19/09/2009.
  • ie_settings: (NTUSER) reports the User Agent string used by IE when visiting sites and the ZonesSecurityUpgrade value inside the "Software\Microsoft\Windows\CurrentVersion\Internet Settings" key. Written by Harlan Carvey on 16/10/2009.
  • ie_version: (SOFTWARE) gets the IE software version from the "Microsoft\Internet Explorer" key; again written by Harlan, on 16/10/2009.
  • iexplore: (NTUSER) written by E. Rye on 08/03/2010, it simply outputs all values inside the "Software\Microsoft\Internet Explorer\Main" key.

So there are two plugins aimed at answering a specific question and two that could be called reporting plugins. Just to see them at work, here are their outputs on a bunch of hives that Marco provided to me (thanks Marco...). Note: the hives come from a Windows 7 x64 OS.



"#!&%##!ùù^?***@#!"
"Why are you complaining about showing them? Should I have asked for a signed permission??! Ok, I will make coffee for a week... sigh"



Launching ie_main v.20091019
ie_main v.20091019
(NTUSER.DAT) Gets values beneath user's Internet Explorer\Main key

Software\Microsoft\Internet Explorer\Main
LastWrite Time Thu Sep  1 18:09:10 2011 (UTC)

IE8TourShownTime                     Thu Jul 28 16:04:54 2011 UTC
IE8RunOnceLastShown_TIMESTAMP        Thu Jul 28 16:04:31 2011 UTC
Enable Browser Extensions            yes                
Start Page Redirect Cache AcceptLangs  it                 
AutoHide                             yes                
Play_Animations                      yes                
XMLHTTP                              1                  
IE9TourShown                         1                  
Start Page Redirect Cache            http://it.msn.com/?ocid=iehp
Search Page                          http://go.microsoft.com/fwlink/?LinkId=54896
IE8TourShown                         1                  
Display Inline Images                yes                
DownloadWindowPlacement              ,ร‚‚รฟรฟƒรฟรฟรฟรฟรฟรฟรฟรฟรฟรฟ¹รถ9ร–
FullScreen                           no                 
Show_StatusBar                       yes                
CompatibilityFlags                   0                  
Check_Associations                   no                 
DisableScriptDebuggerIE              yes                
IE9RunOncePerInstallCompleted        1                  
Disable Script Debugger              yes                
NoUpdateCheck                        1                  
UseClearType                         no                 
NotifyDownloadComplete               yes                
Local Page                           C:\Windows\system32\blank.htm
IE8RunOncePerInstallCompleted        1                  
IE9TourShownTime                     รขรพ¸NรŒ           
Do404Search                          1                  
IE9RunOnceCompletionTime             รฝ¸NรŒ           
Show_ToolBar                         yes                
Start Page Redirect Cache_TIMESTAMP  ²รฅ รถ?MรŒ           
Save_Session_History_On_Exit         no                 
Show_FullURL                         no                 
Cache_Update_Frequency               Once_Per_Session   
Show_URLinStatusBar                  yes                
IE8RunOnceLastShown                  1                  
Show_URLToolBar                      yes                
IE8RunOnceCompletionTime             H @MรŒ           
Use FormSuggest                      yes                
Anchor Underline                     yes                
IconCache                            08aku2z            
Use_DlgBox_Colors                    yes                
Start Page                           http://www.google.it/
Play_Background_Sounds               yes                

As you can see, there is a little garbage in the previous output (the unreadable data), but the most notable fact is that the plugin does not answer the question about Trojan.Clampi: its output shows (almost) all values inside the "Software\Microsoft\Internet Explorer\Main" key. In such cases (when you expect something you do not get, or you get something you do not expect) it is advisable to take a look inside the plugin: there is a lot of information inside a RegRipper plugin, and it should always be read, whether or not you are a Perl coding guru. As we can see, it is easy to understand:


#-----------------------------------------------------------
# ie_main.pl
#   Checks keys/values set by new version of Trojan.Clampi
#
# Change history
#   20091019 [hca] % created
#   20110830 [fpi] + banner, no change to the version number
#
# References
#   http://support.microsoft.com/kb/895339
#   http://support.microsoft.com/kb/176497
#
# copyright 2009 H. Carvey
#-----------------------------------------------------------
package ie_main;
use strict;

my %config = (hive          => "NTUSER\.DAT",
              hasShortDescr => 1,
              hasDescr      => 0,
              hasRefs       => 0,
              osmask        => 22,
              version       => 20091019);

sub getConfig{return %config}
sub getShortDescr {
    return "Gets values beneath user's Internet Explorer\\Main key";   
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}

my $VERSION = getVersion();

sub pluginmain {
    my $class = shift;
    my $ntuser = shift;
    ::logMsg("Launching ie_main v.".$VERSION);
    ::rptMsg("ie_main v.".$VERSION); # 20110830 [fpi] + banner
    ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # 20110830 [fpi] + banner
    my $reg = Parse::Win32Registry->new($ntuser);
    my $root_key = $reg->get_root_key;
   
    my $key_path = 'Software\\Microsoft\\Internet Explorer\\Main';
    my $key;
    if ($key = $root_key->get_subkey($key_path)) {
        ::rptMsg($key_path);
        ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
        ::rptMsg("");
       
        my %main;
       
        my @vals = $key->get_list_of_values();
       
        if (scalar(@vals) > 0) {
            foreach my $v (@vals) {
                my $name = $v->get_name();
                my $data = $v->get_data();
                # Window_Placement is a binary blob: skipped entirely
                next if ($name eq "Window_Placement");
               
                # Do404Search is a 4-byte value: read as a little-endian unsigned long
                $data = unpack("V",$data) if ($name eq "Do404Search");
               
                # these two are FILETIMEs: two 32-bit halves, converted by rip.pl's getTime
                if ($name eq "IE8RunOnceLastShown_TIMESTAMP" || $name eq "IE8TourShownTime") {
                    my ($t0,$t1) = unpack("VV",$data);
                    $data = gmtime(::getTime($t0,$t1))." UTC";
                }
                $main{$name} = $data;
            }
       
            foreach my $n (keys %main) {
                my $str = sprintf "%-35s  %-20s",$n,$main{$n};
                ::rptMsg($str);
            }
        }
        else {
            ::rptMsg($key_path." has no values.");
        }
    }
    else {
        ::rptMsg($key_path." not found.");
    }
}
1;


The description in the header comment (2nd line) is wrong, probably because the header was cut-and-pasted from another plugin (I usually forget something during that process...): the getShortDescr function shows the correct description (I will fix the header), which matches the References in the source file header. Note: the references usually make up the knowledge base used by the author; they should be checked at least once to understand the plugin well.

By inspecting the source code, other interesting things come out: not all values are treated in the same way. Window_Placement is skipped; Do404Search is unpacked as an unsigned long in little-endian order (for non-Perl coders, check the unpack cheat-sheet: it is really important to understand this "data interpreter", and it is easy to do); IE8RunOnceLastShown_TIMESTAMP and IE8TourShownTime are FILETIMEs. Finally, the garbage: some values hold data that is not handled correctly at the syntactic level, since it is binary and cannot be printed as ASCII/UTF-8, unlike what is done for values like IE8TourShownTime. The reason is quite obvious: when the author wrote the plugin, those special values were the only ones available, so the "new ones" are not considered special by the plugin and come out as garbage when reported as ASCII/UTF-8. This fact could lead to a statement like the following:


"When plugins get old, you will leak the FForce: always train with them!"

"I will do!"

Basically, RR users should test their favorite plugins by running them whenever the target software (Internet Explorer in this case) gets updated, or at least when a new Windows version is released.

The following is the output of the iexplore plugin on the same hive:



Launching iexplore v.20100308
iexplore v.20100308
(NTUSER.DAT) Get Main Key contents from HKCU\Software\Microsoft\Internet Explorer

Software\Microsoft\Internet Explorer\Main

LastWrite Time Thu Sep  1 18:09:10 2011 (UTC)
        IE8RunOnceLastShown_TIMESTAMP -> l├▓☼   @M├รฎ☺
        IE8TourShownTime -> ┬รณs"↨@M├รฎ☺

        Enable Browser Extensions -> yes
        Start Page Redirect Cache AcceptLangs -> it
        Play_Animations -> yes
        AutoHide -> yes
        XMLHTTP -> 1
        IE9TourShown -> 1
        Start Page Redirect Cache -> http://it.msn.com/?ocid=iehp
        Search Page -> http://go.microsoft.com/fwlink/?LinkId=54896
        IE8TourShown -> 1
        Display Inline Images -> yes
        DownloadWindowPlacement -> ,         ├รฉ┬รฉ├┐├┐ ┬รข├┐├┐├┐├┐├┐├┐├┐├┐├┐├┐
        FullScreen -> no
        Show_StatusBar -> yes
        CompatibilityFlags -> 0
        Check_Associations -> no
        DisableScriptDebuggerIE -> yes
        IE9RunOncePerInstallCompleted -> 1
        Disable Script Debugger -> yes
        NoUpdateCheck -> 1
        UseClearType -> no
        Window_Placement -> ,   ☻   ♥   ├รฉ┬รฉ├┐├┐ ┬รข├┐├┐├┐├┐├┐├┐├┐├┐├┐├┐┬ร† 
        NotifyDownloadComplete -> yes
        Local Page -> C:\Windows\system32\blank.htm
        IE8RunOncePerInstallCompleted -> 1
        IE9TourShownTime -> ├รณ┬รผ├¥┬©▬N├รฎ☺
        Do404Search -> ☺

        IE9RunOnceCompletionTime ->  ┬ร˜├¢┬©▬N├รฎ☺
        Show_ToolBar -> yes
        Start Page Redirect Cache_TIMESTAMP -> ┬▓├ร‘ ├ร‚?M├รฎ☺
        Save_Session_History_On_Exit -> no
        Show_FullURL -> no
        Cache_Update_Frequency -> Once_Per_Session
        IE8RunOnceLastShown -> 1
        Show_URLinStatusBar -> yes
        IE8RunOnceCompletionTime -> H◄ ↨@M├รฎ☺
        Show_URLToolBar -> yes
        Use FormSuggest -> yes
        Anchor Underline -> yes
        IconCache -> 08aku2z
        Use_DlgBox_Colors -> yes
        Start Page -> http://www.google.it/
        Play_Background_Sounds -> yes

Software\Microsoft\Internet Explorer\Main\Default Feeds
LastWrite Time Thu Jul 28 15:58:53 2011 (UTC)

Software\Microsoft\Internet Explorer\Main\WindowsSearch
LastWrite Time Thu Sep  1 07:49:17 2011 (UTC)
        UpgradeTime -> |├╗├ร€┬ยช{h├รฎ☺
        LastCrawl -> ├┤+a┬╗┬ร˜a├รฎ☺

        ConfiguredScopes -> 5
        Version -> 6.1.7601.17514
        User Favorites Path -> file:///C:\Users\Marco\Favorites\
 


As you can see, there is more garbage than with the previous plugin: the reason is in the code shown below. But more subkeys are parsed: "Default Feeds" and "WindowsSearch", which could be somewhat useful (with garbage, again). Let's look inside the source code:


#-----------------------------------------------------------
# iexplore.pl
#
# Change history
#   20110830 [fpi] + banner, no change to the version number
#
# References
#
# copyright 2010 E. Rye esten@ryezone.net
#-----------------------------------------------------------
package iexplore;
use strict;

my %config = (hive => "NTUSER\.DAT",
              osmask => 22,
              hasShortDescr => 1,
              hasDescr => 0,
              hasRefs => 0,
              version => 20100308);
             
sub getConfig{return %config}
sub getShortDescr {
    return "Get Main Key contents from HKCU\\Software\\Microsoft\\Internet Explorer";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}

my $VERSION = getVersion();

sub pluginmain {
    my $class = shift;
    my $hive = shift;
    ::logMsg("Launching iexplore v.".$VERSION);
    ::rptMsg("iexplore v.".$VERSION); # 20110830 [fpi] + banner
    ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # 20110830 [fpi] + banner
   
    my $reg = Parse::Win32Registry->new($hive);
    my $root_key = $reg->get_root_key;
    my $key_path = "Software\\Microsoft\\Internet Explorer\\Main";
    my $key;
   
    if ($key = $root_key->get_subkey($key_path)) {
        ::rptMsg($key_path);
        ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
        my %vals = getKeyValues($key);
        if (scalar(keys %vals) > 0) {
            foreach my $v (keys %vals) {
                ::rptMsg("\t".$v." -> ".$vals{$v});
            }
        }
        else {
            ::rptMsg($key_path." has no values.");
        }

        my @sk = $key->get_list_of_subkeys();
        if (scalar(@sk) > 0) {
            foreach my $s (@sk) {
                ::rptMsg("");
                ::rptMsg($key_path."\\".$s->get_name());
                ::rptMsg("LastWrite Time ".gmtime($s->get_timestamp())." (UTC)");
                my %vals = getKeyValues($s);
                foreach my $v (keys %vals) {
                    ::rptMsg("\t".$v." -> ".$vals{$v});
                }
            }
        }
        else {
            ::rptMsg("");
            ::rptMsg($key_path." has no subkeys.");
        }
    }
    else {
        ::rptMsg($key_path." not found.");
        ::logMsg($key_path." not found.");
    }
}

sub getKeyValues {
    my $key = shift;
    my %vals;
    my @vk = $key->get_list_of_values();
    if (scalar(@vk) > 0) {
        foreach my $v (@vk) {
            next if ($v->get_name() eq "" && $v->get_data() eq "");
            $vals{$v->get_name()} = $v->get_data();
        }
    }
    else {
    }
    return %vals;
}
1;

As shown, this is the most basic form of a plugin, with one level of subkey recursion: it simply reports all values inside the Main key and all values inside each of Main's subkeys. The reporting is done with the rptMsg facility provided by rip.pl, and that is why it shows garbage: not all data values are ASCII/UTF-8 strings or numbers, and there is no logic to handle special data.


"This is the first FForce exercise, try it!"

"I can move the rock...!"



Regarding the last two IE plugins, here is their output (as expected, they do their job). Just one note regarding ie_settings: there are very many values and subkeys inside "Software\Microsoft\Windows\CurrentVersion\Internet Settings", and the plugin's name could be a little misleading; I am thinking about renaming it...


Launching ie_version v.20091016
ie_version v.20091016
(Software) Get IE version and build

Microsoft\Internet Explorer
LastWrite Time Wed Aug 17 01:27:51 2011 (UTC)

IE Build   = 98112
IE Version = 9.0.8112.16421





Launching ie_settings v.20091016
ie_settings v.20091016
(NTUSER.DAT) Gets IE settings

Software\Microsoft\Windows\CurrentVersion\Internet Settings
User Agent = Mozilla/4.0 (compatible; MSIE 8.0; Win32)
ZonesSecurityUpgrade = Fri Jul 29 12:40:52 2011 (UTC)



So now?


I took a look at the hives and saw that there are a lot of subkeys and values used by Internet Explorer: check the fantastic work by Geoff Chappell here and particularly here. Honestly, I was overwhelmed when looking at them, but I tried to face the problem using a drive-by-ignorance approach.

"By Ignorance?
Are you interested in the Dark side of FForce?"

"Hum hem... no... (I should study more)"


What I mean is that I did not start my exploration to answer a specific question: I simply opened the hives I had and explored how many keys/values they contained. The mission was to identify interesting values and parse them correctly (at the syntactic level), so as to create a reporting plugin with almost no garbage, and to add some keys/values.


NTUSER \Software\Microsoft\Internet Explorer



I began from "HKCU\Software\Microsoft\Internet Explorer"; here are the results of my observations on 4 NTUSER hives. There are many more subkeys beyond "Main", which may be present depending on the IE version and usage, and possibly on the OS version:


#   Registries coming from (and tested on):
#       (A) Windows7 Professional 32bit - IE 9.0.8112.16421
#       (B) Windows7 Ultimate 64bit     - IE 9.0.8112.16421
#       (C) Windows XP Home 32bit       - IE 8.0.6001.18702
#       (D) Windows Vista 64bit         - IE 7.0.6002.18005

#
#   (P) means parsed, (*) means not parsed but interesting (a TODO), nothing
#   means not parsed.
#
#   HKCU\Software\Microsoft\Internet Explorer subkeys list:
#
#   Activities                  (*)         [ A            ]
#   ApprovedExtensions          (*)         [     B        ]
#   ApproveExtensionsMigration  (*)         [  A  B        ]
#   AutoComplete                (P)         [  A           ]
#   BrowserEmulation                        [  A  B  C     ]
#   CaretBrowsing                           [  A           ]
#   CommandBar                              [  A  B  C  D  ]
#   Default HTML Editor                     [        C  D  ]
#   Default MHTML Editor                    [           D  ]
#   Desktop                                 [  A  B  C  D  ]
#   Document Windows                        [  A  B  C  D  ]
#   DOMStorage                  (P)         [  A  B  C     ]
#   Download                    (*)         [  A  B  C  D  ]
#   DxTrans                                 [  A           ]
#   Expiration                              [  A           ]
#   Explorer Bars                           [  A           ]
#   Extensions                  (*)         [  A  B  C  D  ]
#   Feed Discovery                          [  A           ]
#   Feeds                                   [  A        D  ]
#   Geolocation                 (*)         [  A           ]
#   GPActivities                            [  A           ]
#   GPU                                     [  A  B        ]
#   Help_Menu_URLs                          [  A  B  C  D  ]
#   IEDevTools                  (*)         [  A  B        ]
#   IETld                       (P)         [  A  B  C     ]
#   InformationBar                          [        C  D  ]
#   IntelliForms                (*)         [  A  B  C  D  ]
#   International               (*)         [  A  B  C  D  ]
#   InternetRegistry                        [  A  B  C  D  ]
#   LinksBar                                [  A  B  C     ]
#   LinksExplorer                           [  A     C  D  ]
#   LowRights                               [     B     D  ]
#   LowRegistry                             [  A  B  C  D  ]
#   Main                        (P)         [  A  B  C  D  ]
#   MAO Settings                            [  A  B  C     ]
#   Media                                   [  A     C  D  ]
#   MenuExt                     (*)         [  A  B  C  D  ]
#   MINIE                                   [  A  B        ]
#   New Windows                             [  A  B  C  D  ]
#   PageSetup                               [  A  B  C  D  ]
#   PhishingFilter              (*)         [  A  B  C  D  ]
#   Privacy                     (P)         [  A     C     ] (user settings ndr)
#   ProtocolExecute                         [  A           ]
#   Recovery                    (P)         [  A  B  C     ]
#   Safety                                  [  A           ]
#   SearchScopes                (*)         [  A  B  C  D  ]
#   SearchUrl                               [  A  B  C  D  ]
#   Security                    (*)         [  A  B  C  D  ]
#   Services                                [  A  B  C  D  ] (empty? ndr)
#   Settings                                [  A  B  C  D  ]
#   Setup                                   [  A  B     D  ]
#   SiteMode                                [  A  B  C  D  ]
#   SQM                         (*)         [  A  B  C     ]
#   Styles                                  [  A           ]
#   Suggested Sites             (P)         [  A  B  C     ]
#   TabbedBrowsing                          [  A  B  C  D  ]
#   TaskbarPreview                          [  A           ]
#   Text Scaling                            [  A           ]
#   Toolbar                                 [  A  B  C  D  ]
#   TypedURLs                               [     B  C     ] (hum?! ndr)
#   UpgradeIEAd                             [  A           ]
#   URLSearchHooks              (*)         [  A  B  C  D  ]
#   User Preferences            (*)         [  A  B  C     ]
#   View Source Editor                      [  A           ]
#   Zoom                                    [  A  B  C  D  ]






As you may have guessed, the previous box is taken from a new RegRipper plugin I wrote, in which I tried to parse some keys and their values correctly (at the syntactic level). Here is its output on the usual hive:



Launching ToBeNamed v.20120513
ToBeNamed v.20120513
(NTUSER.DAT) Get HKCU information on Internet Explorer

Software\Microsoft\Internet Explorer
LastWrite Time Thu Aug 25 15:30:43 2011 (UTC)
  Download Directory = 'C:\Users\Marco\Downloads'

Software\Microsoft\Internet Explorer\AutoComplete not found.

Software\Microsoft\Internet Explorer\DOMStorage
LastWrite Time Tue Aug 23 14:04:06 2011 (UTC)
Subkeys:
  live.com             ---  Tue Aug 23 14:04:30 2011 UTC
  mediaset.it          ---  Mon Aug 22 09:16:43 2011 UTC
  Total                ---  Tue Aug 23 14:04:30 2011 UTC

Software\Microsoft\Internet Explorer\IETld
LastWrite Time Wed Aug 17 08:25:32 2011 (UTC)
  Internet Explorer version = 9.0.8112.16434

Software\Microsoft\Internet Explorer\Main
LastWrite Time Thu Sep  1 18:09:10 2011 (UTC)
  Anchor Underline                         = yes
  AutoHide                                 = yes
  Cache_Update_Frequency                   = Once_Per_Session
  Check_Associations                       = no
  CompatibilityFlags                       = 0 [0x00000000]
  Disable Script Debugger                  = yes
  DisableScriptDebuggerIE                  = yes
  Display Inline Images                    = yes
  Do404Search                              = 1 [0x01000000]
  DownloadWindowPlacement                  = <skipped>
  Enable Browser Extensions                = yes
  FullScreen                               = no
  IconCache                                = 08aku2z
  IE8RunOnceCompletionTime                 = Thu Jul 28 16:04:54 2011 UTC
  IE8RunOnceLastShown                      = true  [1]
  IE8RunOnceLastShown_TIMESTAMP            = Thu Jul 28 16:04:31 2011 UTC
  IE8RunOncePerInstallCompleted            = true  [1]
  IE8TourShown                             = true  [1]
  IE8TourShownTime                         = Thu Jul 28 16:04:54 2011 UTC
  IE9RunOnceCompletionTime                 = Fri Jul 29 17:41:18 2011 UTC
  IE9RunOncePerInstallCompleted            = true  [1]
  IE9TourShown                             = true  [1]
  IE9TourShownTime                         = Fri Jul 29 17:41:18 2011 UTC
  Local Page                               = C:\Windows\system32\blank.htm
  NotifyDownloadComplete                   = yes
  NoUpdateCheck                            = true  [1]
  Play_Animations                          = yes
  Play_Background_Sounds                   = yes
  Save_Session_History_On_Exit             = no
  Search Page                              = http://go.microsoft.com/fwlink/?LinkId=54896
  Show_FullURL                             = no
  Show_StatusBar                           = yes
  Show_ToolBar                             = yes
  Show_URLinStatusBar                      = yes
  Show_URLToolBar                          = yes
  Start Page                               = http://www.google.it/
  Start Page Redirect Cache                = http://it.msn.com/?ocid=iehp
  Start Page Redirect Cache AcceptLangs    = it
  Start Page Redirect Cache_TIMESTAMP      = Thu Jul 28 16:03:59 2011 UTC
  Use FormSuggest                          = yes
  Use_DlgBox_Colors                        = yes
  UseClearType                             = no
  Window_Placement                         = <skipped>
  XMLHTTP                                  = true  [1]

  Software\Microsoft\Internet Explorer\Main\WindowsSearch
  LastWrite Time Thu Sep  1 07:49:17 2011 (UTC)
    ConfiguredScopes          = 5 [0x00000005]
    LastCrawl                 = Tue Aug 23 14:05:36 2011 UTC
    UpgradeTime               = Thu Sep  1 07:49:17 2011 UTC
    User Favorites Path       = file:///C:\Users\Marco\Favorites\
    Version                   = 6.1.7601.17514

Software\Microsoft\Internet Explorer\Privacy not found
(IE should use the default Privacy settings)

Software\Microsoft\Internet Explorer\Recovery
LastWrite Time Fri Jul 29 09:53:55 2011 (UTC)

  Software\Microsoft\Internet Explorer\Recovery\Active
  LastWrite Time Thu Jul 28 17:03:54 2011 (UTC)

  Software\Microsoft\Internet Explorer\Recovery\AdminActive
  LastWrite Time Thu Sep  1 18:09:17 2011 (UTC)

  Software\Microsoft\Internet Explorer\Recovery\PendingDelete not found.

Software\Microsoft\Internet Explorer\Suggested Sites
LastWrite Time Fri Jul 29 17:41:18 2011 (UTC)
  Enabled                        = 0
  MigrationTime                  = Fri Jul 29 17:41:18 2011 UTC
  ObjectsCreated                 = false [0]
  ObjectsCreated_TIMESTAMP       = Thu Jul 28 16:04:54 2011 UTC
  SlicePath                      = C:\Users\Marco\Favorites\Links\Siti suggeriti.url


I will not post the source code here since it is quite large, but let's dig a little inside it. First, you can see output like "NoUpdateCheck = true  [1]": here I guessed that the value is boolean, since other values like "yes/no" were present and since I found that the data is always "0" or "1". But assumptions are the "mother of errors", so I printed the original numeric data inside "[]": if you get values different from "0|1", then my guess is wrong. The plugin will issue a warning in that case, so don't worry too much. Output like "Window_Placement = <skipped>" means that the plugin (cough cough...) is not interested in the data, but I think I will change this behavior so that it prints the binary blob in hexadecimal format. Finally, when you see a value inside "[]", it is redundant and is used to validate the translators (more on them later).


Another interesting, and more specific, thing is the subkey "Software\Microsoft\Internet Explorer\Privacy", which is related to the user's Privacy settings. What I found is that if the user changes these settings from the defaults to some custom values, the "Privacy" subkey appears and contains values. That is why, when it is missing, the plugin writes "(IE should use the default Privacy settings)". On another hive, this is the result:

[...]

Software\Microsoft\Internet Explorer\Privacy
LastWrite Time Fri Sep 23 22:34:00 2011 (UTC)
  CleanDownloadHistory           = true  [1]
  CleanPassword                  = true  [1]
  CleanTrackingProtection        = true  [1]
  ClearBrowsingHistoryOnExit     = true  [1]
  UseAllowList                   = false [0]



Quite interesting, isn't it? (By the way, this was the real reason for starting this post... sigh, one minute to understand and a lot of time to write plugins and the post... but that's sharing...). Could it be anti-forensics, or better counter-forensics (more from Harlan)?

Finally, you may have spotted that the IE version reported in the SOFTWARE hive is a little different from the one reported in the NTUSER hive: the first is "9.0.8112.16421", the second is "9.0.8112.16434". Homework...

Regarding the mentioned translators: I use lookup tables (Perl hashes) to associate values with their data interpretations, which I (unfortunately) called translator(s). A snippet of the code:


[...] 

my %IE_MAIN_WINSEARCH_TRANSLATE = (
    "AutoCompleteGroups"                    =>  \&trNumHex,
    "Cleared"                               =>  \&trBool,
    "Cleared_TIMESTAMP"                     =>  \&trFileTime,
    "ConfiguredScopes"                      =>  \&trNumHex,
    "Disabled"                              =>  \&trBool,
    "EnabledScopes"                         =>  \&trNumHex,
    "LastCrawl"                             =>  \&trFileTime,
    "UpgradeTime"                           =>  \&trFileTime
); 


[...]

When the plugin encounters a value that is in the list, its data is parsed using the specified translator (a sort of callback function). If new values come out, it is easy to add them to the list when a special translator is needed (or not add them); otherwise the regular rptMsg facility is used.
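To make the translator table concrete, together with the boolean guess, the redundant "[]" data and the hex fallback for binary blobs described above, here is an added Perl example: it is not the author's plugin nor RegRipper code, it reads no hive, and trHex, trString, as_dword, translate and the sample values are my own assumptions (the FILETIME bytes are constructed to decode to Thu Jul 28 16:04:54 2011 UTC).

```perl
#!/usr/bin/perl
# Added example (not the author's plugin, not RegRipper code): a stand-alone
# sketch of the "translator" approach. Value data is modelled as raw
# little-endian bytes plus a registry type, since no hive is read here.
use strict;
use warnings;

# Registry value type ids as used by the Windows API.
use constant { REG_SZ => 1, REG_BINARY => 3, REG_DWORD => 4 };
# Seconds between the FILETIME epoch (1601-01-01) and the Unix epoch.
use constant EPOCH_DIFF => 11644473600;

# --- translators: raw data in, printable string out ---------------------------
# Two little-endian 32-bit halves of a FILETIME (100 ns ticks) -> epoch seconds,
# the job rip.pl's ::getTime does; a double on 32-bit Perl is still fine here.
sub filetime_to_epoch {
    my ($lo, $hi) = @_;
    return int(($hi * 4294967296 + $lo) / 10_000_000) - EPOCH_DIFF;
}

sub trFileTime {
    my ($data) = @_;
    return "<not a FILETIME> " . trHex($data) unless length($data) == 8;
    my ($lo, $hi) = unpack("VV", $data);
    return scalar(gmtime(filetime_to_epoch($lo, $hi))) . " UTC";
}

# A DWORD may arrive as REG_DWORD or as a 4-byte REG_BINARY (Do404Search does).
sub as_dword {
    my ($data) = @_;
    return length($data) == 4 ? unpack("V", $data) : undef;
}

# Decimal plus hex, redundant on purpose so a reader can validate the translation.
sub trNumHex {
    my ($data) = @_;
    my $n = as_dword($data);
    return defined $n ? sprintf("%u [0x%08X]", $n, $n) : trHex($data);
}

# Boolean guess with the raw number in []; anything but 0|1 means the guess is wrong.
sub trBool {
    my ($data) = @_;
    my $n = as_dword($data);
    return trHex($data) unless defined $n;
    return sprintf("%-5s [%u]", ($n ? "true" : "false"), $n) if $n <= 1;
    return sprintf("%u [0x%08X] WARNING: not 0|1, boolean guess is wrong", $n, $n);
}

# Fallback for binary blobs: a hex dump instead of <skipped> or garbage.
sub trHex {
    my ($data) = @_;
    return join(" ", map { sprintf("%02X", $_) } unpack("C*", $data));
}

# REG_SZ data: drop the trailing NUL the registry stores with the string.
sub trString { my ($data) = @_; $data =~ s/\0+\z//; return $data; }

# --- per-key translator table, like the page's %IE_MAIN_WINSEARCH_TRANSLATE ---
my %IE_MAIN_TRANSLATE = (
    "CompatibilityFlags" => \&trNumHex,
    "Do404Search"        => \&trNumHex,
    "IE8TourShown"       => \&trBool,
    "IE8TourShownTime"   => \&trFileTime,
    "NoUpdateCheck"      => \&trBool,
);

# Explicit translator first; otherwise fall back on the registry type.
sub translate {
    my ($table, $name, $type, $data) = @_;
    my $tr = $table->{$name};
    $tr ||= ($type == REG_SZ)    ? \&trString
          : ($type == REG_DWORD) ? \&trNumHex
          :                        \&trHex;
    return $tr->($data);
}

# Constructed sample values [name, type, raw bytes] shaped like the Main key.
# The FILETIME bytes are 0x01CC4D4016A41700, i.e. Thu Jul 28 16:04:54 2011 UTC.
my @SAMPLE = (
    ["Start Page",         REG_SZ,     "http://www.google.it/\0"],
    ["Do404Search",        REG_BINARY, pack("V", 1)],
    ["IE8TourShown",       REG_DWORD,  pack("V", 1)],
    ["IE8TourShownTime",   REG_BINARY, pack("C*", 0x00, 0x17, 0xA4, 0x16, 0x40, 0x4D, 0xCC, 0x01)],
    ["CompatibilityFlags", REG_DWORD,  pack("V", 0)],
    ["NoUpdateCheck",      REG_DWORD,  pack("V", 2)],   # not 0|1: triggers the warning
    ["Window_Placement",   REG_BINARY, pack("C*", 0x2C, 0x00, 0x00, 0x00, 0x02, 0x00)],
);

# One report line per value, in the "name = translated data" style of the page.
sub report {
    return map {
        my ($name, $type, $data) = @$_;
        sprintf("  %-22s = %s", $name, translate(\%IE_MAIN_TRANSLATE, $name, $type, $data));
    } @SAMPLE;
}

print "$_\n" for report();
```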


"I can feel your FForce..."


"(I should take a shower)"



NTUSER Software\Microsoft\Windows\CurrentVersion\Internet Settings


Another huge source of information (with many subkeys and values)... another RR plugin! (hurrah)

Since the post is becoming too long I will omit some details: depending on feedback, I could write a specific post on the plugin. It tries to parse at least the following keys: "5.0", "CACHE", "P3P", "Url History", "Wpad", "ZoneMap"; references here: "Internet Explorer 6.0 Registry Settings", "WinInet Registry Settings", "Web Proxy Autodiscovery Protocol", "How the Windows Update client determines which proxy server to use to connect to the Windows Update Web site", "Automatic Discovery for Firewall and Web Proxy Clients", etc. Since the plugin is a reporting one, I felt the need to add a few lines about the subkeys that are not parsed, to give analysts something to delve into. Let's see its output on "our" hive:


Launching internet_settings v.20120515
internet_settings v.20120515
(NTUSER.DAT) Get HKCU information on Internet Settings

Software\Microsoft\Windows\CurrentVersion\Internet Settings
LastWrite Time Wed Aug 31 14:08:37 2011 (UTC)
  AutoConfigProxy                = wininet.dll
  CertificateRevocation          = true  [1]
  DisableCachingOfSSLPages       = false [0]
  EmailName                      = User@
  EnableHttp1_1                  = true  [1]
  EnableNegotiate                = true  [1]
  IE5_UA_Backup_Flag             = 5.0
  MigrateProxy                   = true  [1]
  MimeExclusionListForCache      = multipart/mixed multipart/x-mixed-replace multipart/x-byteranges
  PrivacyAdvanced                = false [0]
  PrivDiscUiShown                = true  [1]
  ProxyEnable                    = false [0]
  SecureProtocols                = 160 [0x000000A0]
  UrlEncoding                    = false [0]
  User Agent                     = Mozilla/4.0 (compatible; MSIE 8.0; Win32)
  UseSchannelDirectly            = 0x01000000
  WarnOnIntranet                 = false [0]
  WarnOnPost                     = 0x01000000
  WarnonZoneCrossing             = false [0]
  ZonesSecurityUpgrade           = Fri Jul 29 12:40:52 2011 UTC



  Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0
  LastWrite Time Thu Jul 28 15:58:52 2011 (UTC)

  Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache
  LastWrite Time Thu Jul 28 15:58:52 2011 (UTC)
    Signature                 = Client UrlCache MMF Ver 5.2

  Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
  LastWrite Time Fri Jul 29 12:40:58 2011 (UTC)
    CacheLimit                = 256000 KB
    CachePrefix               =

  Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
  LastWrite Time Thu Jul 28 15:58:52 2011 (UTC)
    CacheLimit                = 8192 KB
    CachePrefix               = Cookie:

  Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
  LastWrite Time Thu Jul 28 15:58:52 2011 (UTC)
    CacheLimit                = 8192 KB
    CachePrefix               = Visited:

  Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache
  LastWrite Time Fri Sep  2 06:55:10 2011 (UTC)

  Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\DOMStore
  LastWrite Time Thu Aug  4 15:55:12 2011 (UTC)
    CacheLimit                = 1000 KB
    CacheOptions              = 0x8
    CachePath                 = %USERPROFILE%\AppData\Local\Microsoft\Internet Explorer\DOMStore
    CachePrefix               = DOMStore
    CacheRepair               = 0x0

  Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\feedplat
  LastWrite Time Thu Jul 28 15:58:52 2011 (UTC)
    CacheLimit                = 8192 KB
    CacheOptions              = 0x0
    CachePath                 = %USERPROFILE%\AppData\Local\Microsoft\Feeds Cache
    CachePrefix               = feedplat:
    CacheRepair               = 0x0

  Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\iecompat
  LastWrite Time Fri Jul 29 09:53:57 2011 (UTC)
    CacheLimit                = 8192 KB
    CacheOptions              = 0x9
    CachePath                 = %APPDATA%\Microsoft\Windows\IECompatCache
    CachePrefix               = iecompat:
    CacheRepair               = 0x0

  Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\iedownload
  LastWrite Time Fri Jul 29 17:41:15 2011 (UTC)
    CacheLimit                = 8192 KB
    CacheOptions              = 0x9
    CachePath                 = %APPDATA%\Microsoft\Windows\IEDownloadHistory
    CachePrefix               = iedownload:
    CacheRepair               = 0x0

  Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\ietld
  LastWrite Time Thu Jul 28 15:58:52 2011 (UTC)
    CacheLimit                = 8192 KB
    CacheOptions              = 0x9
    CachePath                 = %APPDATA%\Microsoft\Windows\IETldCache
    CachePrefix               = ietld:
    CacheRepair               = 0x0

  Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012011080820110815
  LastWrite Time Wed Aug 17 08:21:29 2011 (UTC)
    CacheLimit                = 8192 KB
    CacheOptions              = 0xB
    CachePath                 = %USERPROFILE%\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012011080820110815
    CachePrefix               = :2011080820110815:
    CacheRepair               = 0x0

  Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012011081520110822
  LastWrite Time Mon Aug 22 07:57:07 2011 (UTC)
    CacheLimit                = 8192 KB
    CacheOptions              = 0xB
    CachePath                 = %USERPROFILE%\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012011081520110822
    CachePrefix               = :2011081520110822:
    CacheRepair               = 0x0

  Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012011082220110829
  LastWrite Time Mon Aug 29 08:00:42 2011 (UTC)
    CacheLimit                = 8192 KB
    CacheOptions              = 0xB
    CachePath                 = %USERPROFILE%\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012011082220110829
    CachePrefix               = :2011082220110829:
    CacheRepair               = 0x0

  Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012011082920110830
  LastWrite Time Mon Aug 29 08:00:42 2011 (UTC)
    CacheLimit                = 8192 KB
    CacheOptions              = 0xB
    CachePath                 = %USERPROFILE%\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012011082920110830
    CachePrefix               = :2011082920110830:
    CacheRepair               = 0x0

  Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012011083020110831
  LastWrite Time Tue Aug 30 07:52:35 2011 (UTC)
    CacheLimit                = 8192 KB
    CacheOptions              = 0xB
    CachePath                 = %USERPROFILE%\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012011083020110831
    CachePrefix               = :2011083020110831:
    CacheRepair               = 0x0

  Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012011083120110901
  LastWrite Time Wed Aug 31 08:41:58 2011 (UTC)
    CacheLimit                = 8192 KB
    CacheOptions              = 0xB
    CachePath                 = %USERPROFILE%\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012011083120110901
    CachePrefix               = :2011083120110901:
    CacheRepair               = 0x0

  Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012011090120110902
  LastWrite Time Thu Sep  1 04:22:06 2011 (UTC)
    CacheLimit                = 8192 KB
    CacheOptions              = 0xB
    CachePath                 = %USERPROFILE%\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012011090120110902
    CachePrefix               = :2011090120110902:
    CacheRepair               = 0x0

  Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012011090220110903
  LastWrite Time Fri Sep  2 06:55:10 2011 (UTC)
    CacheLimit                = 8192 KB
    CacheOptions              = 0xB
    CachePath                 = %USERPROFILE%\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012011090220110903
    CachePrefix               = :2011090220110903:
    CacheRepair               = 0x0

  Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\PrivacIE:
  LastWrite Time Fri Jul 29 09:53:58 2011 (UTC)
    CacheLimit                = 1024 KB
    CacheOptions              = 0x9
    CachePath                 = %APPDATA%\Microsoft\Windows\PrivacIE
    CachePrefix               = PrivacIE:
    CacheRepair               = 0x0

  Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\UserData
  LastWrite Time Fri Jul 29 17:41:17 2011 (UTC)
    CacheLimit                = 1000 KB
    CacheOptions              = 0x8
    CachePath                 = %APPDATA%\Microsoft\Internet Explorer\UserData
    CachePrefix               = UserData
    CacheRepair               = 0x0


  Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache
  LastWrite Time Thu Jul 28 16:03:49 2011 (UTC)
    Signature                 = Client UrlCache MMF Ver 5.2

  Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache\Content
  LastWrite Time Mon Aug  1 13:11:07 2011 (UTC)
    CacheLimit                = 256000 KB
    CachePrefix               =

  Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache\Cookies
  LastWrite Time Thu Jul 28 16:03:48 2011 (UTC)
    CacheLimit                = 8192 KB
    CachePrefix               = Cookie:

  Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache\History
  LastWrite Time Thu Jul 28 16:03:48 2011 (UTC)
    CacheLimit                = 8192 KB
    CachePrefix               = Visited:


  Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache\Extensible Cache
  LastWrite Time Thu Jul 28 16:05:04 2011 (UTC)

  Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache\Extensible Cache\DOMStore
  LastWrite Time Thu Jul 28 16:04:05 2011 (UTC)
    CacheLimit                = 1000 KB
    CacheOptions              = 0x8
    CachePath                 = %USERPROFILE%\AppData\LocalLow\Microsoft\Internet Explorer\DOMStore
    CachePrefix               = DOMStore
    CacheRepair               = 0x0

  Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache\Extensible Cache\iecompat
  LastWrite Time Thu Jul 28 16:04:55 2011 (UTC)
    CacheLimit                = 8192 KB
    CacheOptions              = 0x9
    CachePath                 = %APPDATA%\Microsoft\Windows\IECompatCache\Low
    CachePrefix               = iecompat:
    CacheRepair               = 0x0

  Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache\Extensible Cache\ietld
  LastWrite Time Thu Jul 28 16:03:49 2011 (UTC)
    CacheLimit                = 8192 KB
    CacheOptions              = 0x9
    CachePath                 = %APPDATA%\Microsoft\Windows\IETldCache\Low
    CachePrefix               = ietld:
    CacheRepair               = 0x0

  Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache\Extensible Cache\MSHist012011072820110729
  LastWrite Time Thu Jul 28 16:04:30 2011 (UTC)
    CacheLimit                = 8192 KB
    CacheOptions              = 0xB
    CachePath                 = %USERPROFILE%\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012011072820110729
    CachePrefix               = :2011072820110729:
    CacheRepair               = 0x0

  Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache\Extensible Cache\PrivacIE:
  LastWrite Time Thu Jul 28 16:04:01 2011 (UTC)
    CacheLimit                = 1024 KB
    CacheOptions              = 0x9
    CachePath                 = %APPDATA%\Microsoft\Windows\PrivacIE\Low
    CachePrefix               = PrivacIE:
    CacheRepair               = 0x0

  Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache\Extensible Cache\UserData
  LastWrite Time Thu Jul 28 16:05:04 2011 (UTC)
    CacheLimit                = 1000 KB
    CacheOptions              = 0x8
    CachePath                 = %APPDATA%\Microsoft\Internet Explorer\UserData\Low
    CachePrefix               = UserData
    CacheRepair               = 0x0


 *Software\Microsoft\Windows\CurrentVersion\Internet Settings\CACHE
  LastWrite Time Thu Jul 28 15:58:39 2011 (UTC)
    Persistent                = 1


 *Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P
  LastWrite Time Thu Jul 28 15:58:28 2011 (UTC)

  Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History
  LastWrite Time Thu Jul 28 15:58:28 2011 (UTC)
  ANALYST NOTE:
    No per-domain cookie decisions subkeys are present


 *Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
  LastWrite Time Thu Sep  1 11:48:06 2011 (UTC)

    NETWORK SUBKEY: {248FCCF6-AA10-4609-ACFB-9CB9849B58E8}_{64E2FC55-36A5-4BEE-813F-0AF28B619F1A}

    LastWrite Time Wed Aug 31 14:24:17 2011 (UTC)
      WpadDecision              = 0
      WpadDecisionReason        = 1
      WpadDecisionTime          = Wed Aug 31 14:24:17 2011 UTC
      WpadNetworkName           = Rete non identificata
      -- MAC SUBKEYS --         *no* MAC subkeys (unidentified network)

    NETWORK SUBKEY: {248FCCF6-AA10-4609-ACFB-9CB9849B58E8}
    LastWrite Time Thu Aug 25 13:45:54 2011 (UTC)
      WpadDecision              = 0
      WpadDecisionReason        = 1
      WpadDecisionTime          = Wed Aug  3 07:11:41 2011 UTC
      WpadNetworkName           = Rete  2
      -- MAC SUBKEYS --
      00-09-0f-e4-37-47         LastWritten Thu Aug 25 13:45:54 2011 UTC

    NETWORK SUBKEY: {248FCCF6-AA10-4609-ACFB-9CB9849B58E8}_{67358AD6-9D44-4D73-A12C-9490D94ED958}

    LastWrite Time Wed Aug 31 13:43:47 2011 (UTC)
      WpadDecision              = 0
      WpadDecisionReason        = 1
      WpadDecisionTime          = Wed Aug 31 13:43:47 2011 UTC
      WpadNetworkName           = Rete non identificata
      -- MAC SUBKEYS --         *no* MAC subkeys (unidentified network)

    NETWORK SUBKEY: {B5D922E7-8B67-44FD-926F-B616962C7248}
    LastWrite Time Thu Jul 28 16:04:31 2011 (UTC)
      WpadDecision              = 0
      WpadDecisionReason        = 1
      WpadDecisionTime          = Thu Jul 28 16:04:31 2011 UTC
      WpadNetworkName           = Rete
      -- MAC SUBKEYS --
      00-09-11-8d-14-5f         LastWritten Thu Jul 28 16:03:58 2011 UTC

    NETWORK SUBKEY: {ED4D141B-8DF1-4779-A7AA-8FD1D3123048}
    LastWrite Time Thu Aug 25 13:45:54 2011 (UTC)
      WpadDecision              = 3
      WpadDecisionReason        = 1
      WpadDecisionTime          = Thu Aug 25 13:22:20 2011 UTC
      WpadNetworkName           = Rete non identificata
      -- MAC SUBKEYS --         *no* MAC subkeys (unidentified network)

    MACs SUBKEY: 00-09-11-8d-14-5f
    LastWrite Time Thu Jul 28 16:04:31 2011 (UTC)
      WpadDecision              = 0
      WpadDecisionReason        = 1
      WpadDecisionTime          = Thu Jul 28 16:04:31 2011 UTC

    MACs SUBKEY: 00-09-0f-e4-37-47
    LastWrite Time Thu Aug 25 13:45:54 2011 (UTC)
      WpadDecision              = 0
      WpadDecisionReason        = 1
      WpadDecisionTime          = Wed Aug  3 07:11:41 2011 UTC

 *Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
  LastWrite Time Fri Jul 29 12:41:00 2011 (UTC)
    (default)                 =
    AutoDetect                = 1
    UNCAsIntranet             = 0
    -- 'ZoneMap' subkeys -- not parsed:
      Domains                   Thu Jul 28 15:58:39 2011 UTC
      EscDomains                Thu Jul 28 15:58:38 2011 UTC
      ProtocolDefaults          Thu Jul 28 15:58:39 2011 UTC
      Ranges                    Thu Jul 28 15:58:39 2011 UTC


Subkeys not parsed in 'Software\Microsoft\Windows\CurrentVersion\Internet Settings'

    Activities           ---  Thu Jul 28 16:04:54 2011 UTC
    Connections          ---  Fri Sep  2 09:28:45 2011 UTC
    Http Filters         ---  Thu Jul 28 15:58:28 2011 UTC
    Lockdown_Zones       ---  Thu Jul 28 15:58:39 2011 UTC
    Passport             ---  Fri Jul 29 07:03:48 2011 UTC
    TemplatePolicies     ---  Fri Jul 29 07:03:48 2011 UTC
    Zones                ---  Thu Jul 28 16:03:47 2011 UTC



I must admit it is a long report, and it could be cut, especially regarding the cache settings. First, all values inside "Software\Microsoft\Windows\CurrentVersion\Internet Settings" are parsed and reported (so ie_settings is included). Then there are the cache and lowcache settings (in green and purple), useful when correlated with the cache files residing on the disk. The P3P (Platform for Privacy Preferences, some info here) parsing simply reports how many configured sites exist ("No per-domain cookie decisions subkeys are present" means none). It could be interesting to analyze the Wpad settings and history, like those reported above (details omitted for brevity). Last observation: the plugin reports the subkeys that are not parsed (last lines, in blue), since they could be of great importance in some cases.
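As an added example (not the plugin's own code and not from the original post), a small Python parser for the internet_settings report format above: it reads the key blocks with their LastWrite times and values, decodes the SecureProtocols bitmask, and recovers the date range encoded in each MSHist01 history container name so that the CachePath entries can be correlated with the files on disk. SAMPLE is a constructed two-block excerpt of the report; the SecureProtocols bit values are WinInet's documented ones, not something the plugin outputs.

```python
import re
from datetime import datetime

ROOT = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings"
# Constructed excerpt of the internet_settings report shown above (two blocks only).
SAMPLE = r"""
Software\Microsoft\Windows\CurrentVersion\Internet Settings
LastWrite Time Wed Aug 31 14:08:37 2011 (UTC)
  ProxyEnable                    = false [0]
  SecureProtocols                = 160 [0x000000A0]

  Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012011080820110815
  LastWrite Time Wed Aug 17 08:21:29 2011 (UTC)
    CacheLimit                = 8192 KB
    CachePath                 = %USERPROFILE%\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012011080820110815
    CachePrefix               = :2011080820110815:
"""

KEY_RE = re.compile(r"^\s*\*?(" + re.escape(ROOT) + r"(?:\\\S.*?)?)\s*$")
LASTWRITE_RE = re.compile(r"^\s*LastWrite Time (.+?) \(UTC\)\s*$")
VALUE_RE = re.compile(r"^\s*(\S.*?)\s+=\s*(.*?)\s*$")
MSHIST_RE = re.compile(r"MSHist01(\d{8})(\d{8})$")
# WinInet SecureProtocols bitmask: bit -> protocol it enables.
SECURE_PROTOCOLS = {0x08: "SSL 2.0", 0x20: "SSL 3.0", 0x80: "TLS 1.0",
                    0x200: "TLS 1.1", 0x800: "TLS 1.2"}

def parse_output(text):
    """Map every reported key path to its LastWrite time and its name/value pairs."""
    keys, current = {}, None
    for line in text.splitlines():
        if m := KEY_RE.match(line):
            current = keys.setdefault(m.group(1), {"lastwrite": None, "values": {}})
        elif current is None:
            continue
        elif m := LASTWRITE_RE.match(line):
            current["lastwrite"] = datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y")
        elif m := VALUE_RE.match(line):
            current["values"][m.group(1)] = m.group(2)
    return keys

def decode_secure_protocols(value):
    """Turn a '160 [0x000000A0]' SecureProtocols value into the enabled protocol names."""
    mask = int(value.split()[0])
    return [name for bit, name in sorted(SECURE_PROTOCOLS.items()) if mask & bit]

def mshist_range(subkey):
    """Start/end dates encoded in a MSHist01<start><end> container name, else None."""
    m = MSHIST_RE.search(subkey)
    return tuple(datetime.strptime(g, "%Y%m%d").date() for g in m.groups()) if m else None

def cache_containers(keys):
    """(container, CachePath, history range) for each subkey that declares a CachePath."""
    return [(path.rsplit("\\", 1)[1], k["values"]["CachePath"], mshist_range(path))
            for path, k in keys.items() if "CachePath" in k["values"]]
```

Feed parse_output() a saved plugin report and cache_containers() lists the on-disk locations (with the history week for each MSHist01 container) to check against the image.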


Finally the end...



Feel free to try the plugins and to report errors, preferably on the win4n6 mailing list and/or on the RegRipperPlugins Google Code site: they were released with the RegRipperPlugins package 20120528. Try them and give feedback to help understand what causes those values to change, how they change and when (the semantic level): it would be of great importance to have some real-life cases, I mean hives and your considerations. Let's improve the FForce (forensic force)!



"frrrbzzzzzzzz bzzz bzzzzzzzzzz"
"I don't fear your encryption!"

" ... (just breathing, dumb!)"


