Privacy and Security of the Windows Registry

Amoruso, Edward L

01 January 2024

The Windows registry serves as a valuable resource for both digital forensics experts and security researchers. This information is invaluable for reconstructing a user's activity timeline, aiding forensic investigations, and revealing other sensitive information. Furthermore, this data abundance in the Windows registry can be effortlessly tapped into and compiled to form a comprehensive digital profile of the user. Within this dissertation, we've developed specialized applications to streamline the retrieval and presentation of user activities, culminating in the creation of their digital profile. The first application, named "SeeShells," using the Windows registry shellbags, offers investigators an accessible tool for scrutinizing and generating event timelines based on specific criteria like file access patterns and system navigations. It boasts analytical features that can identify potentially suspicious events through a heat mapping system. In the context of our research, we've also crafted another application designed to collect and deduce a user's extensive activities by solely accessing the Windows registry. This program effectively sidesteps security software by utilizing native Windows application programming interface (API) to interact with the registry, granting unrestricted access to valuable information. This trove of data, often referred to as the user's digital footprint, holds the potential to either investigate or compromise both the user's privacy and security. Finally, we propose a custom-developed application that utilizes both software-based encryption and advanced hooking techniques to protect users' personal data within the registry. Our program is designed to create a more secure and discreet environment for users, effectively fortifying it against privacy and security threats while maintaining accessibility to legitimate users and applications.

Digital forensic investigation

event timelines

Windows registry

user digital footprint

privacy risk

data protection

One key to rule them all : Sårbarheter och spårbara artefakter i säkerhetsnycklar / One key to rule them all : Vulnerabilities and traceable artefacts in security keys

Gunnarsson, Philip, Isenstierna, Emmi

January 2023

Att skydda sin data idag kommer med flera utmaningar då lösenord som enda autentiseringsmetod är otillräcklig. Lösenord är ofta användarvänliga, enkla att hålla koll på och är utan kostnad för användaren. Det går alltid att göra lösenord säkrare men det upplevs ofta som svårhanterligt. I stället för detta kan man även använda ytterligare autentiseringsmetod. Många sidor och tjänster använder idag så kallad två- eller flerfaktorsautentisering genom t.ex. BankID eller säkerhetsnycklar. Med all ny teknik följer nya säkerhetsaspekter att ta hänsyn till, speciellt om denna teknik lämnar efter sig spår som kan utnyttjas av t.ex. hackare. Arbetets syfte är att undersöka spårbara artefakter som är kopplade till de fysiska säkerhetsnycklarna Solo 1 och YubiKey 5 NFC i Windows Registret i Windows 10 Pro N, samt utvärdera om tidigare kända sårbarheter kan bidra till insikter om säkerhetsnycklars säkerhet. Detta genomförs med hjälp av två kvalitativa metoder, dels genom en kartläggning av sårbarheter, dels genom ett experiment. Baserat på de funna sårbarheterna som har hittats så går det inte att säga huruvida de säkerhetsnycklarna skiljer sig i säkerhetsnivå, men det är tydligt att det främst är i firmware och mjukvara där sårbarheterna finns. Huruvida den ena säkerhetsnyckeln är säkrare än den andra går inte att fastställa, samt om en öppen källkod har någon betydelse vad gäller säkerhet. Dessutom går det att konstatera att spårbara artefakter från en säkerhetsnyckel kan hittas i ett Windows operativsystem. Baserat på de funna sårbarheterna som har hittats så går det inte att säga huruvida de säkerhetnycklarna skiljer sig i säkerhetsnivå, men det är tydligt att det främst är i firmware och mjukvara där sårbarheterna finns. Huruvida den ena säkerhets-nyckeln är säkrare än den andra går inte att fastställa, samt om öppen källkod har någon betydelse vad gäller säkerhet. Dessutom går det att konstatera att spår-bara artefakter från en säkerhetsnyckel kan hittas i ett Windows operativsystem. / Protecting your data today comes with several challenges since a password as the only authentication method is insufficient. Passwords are often user-friendly, easy to keep track of, and at no cost for the user. Passwords can always be made more secure, but this task is often perceived as tedious. Instead, additional authentication methods may be used. Many sites and services today use so-called two- or multifactor authentication, e.g. BankID (a type of eID) or security keys. all new technology comes with unique security aspects to consider, especially if this technology leaves behind traces that can be exploited by, e.g., hackers. This study aims to investigate traceable artifacts associated with the physical security key Solo 1 and YubiKey 5 NFC in the Windows Registry in Windows 10 Pro N and to evaluate whether previously known vulnerabilities can contribute to insights into security key security. The study uses two qualitative methods, one mapping out the vulnerabilities and another through an experiment. Based on the vulnerabilities that was found, it is not possible to conclude whether the security keys differ in security level. Still, it is mainly in the firmware and software where the vulnerabilities exist. Whether one security key is more secure than the other is inconclusive, and whether open-source code has any implications regarding security. In addition, it is ascertained that traceable artifacts from a security key can be found in a Windows operating system.

Vulnerabilities

physical security key

SoloKeys

YubiKey

Windows Registry

Registry Editor

Sårbarheter

fysisk säkerhetsnyckel

SoloKeys

YubiKey

Windows Registret

Registereditorn

Övrig annan teknik

Analýza registrů Microsoft Windows / Microsoft Windows Registry Analysis

Hula, Miroslav

January 2011

Understanding and working with Microsoft Windows registry is an important ability from the perspective of security. This ability is used by malicious software as well as by software, which repaires the damage caused by activity of malicious software. However, applications accessing and working with the registry are platform dependent, which may not always be convenient and it can lead to other problems if the platform is not secure. Therefore, the aim of this work is to create a platform independent application for accessing and working with registry, which makes possible to analyse the effect of malware on registry.