Tip: Using a backing file to record file and registry changes, part 3

In the first part I showed you that you can use libguestfs directly on QEMU snapshots and backing files, and this can be used to forensically look at changes made to virtual machines, eg. by installing new software. In the second part yesterday I showed you how to look for files that have changed.

Today we’ll look at differences in the Windows registry.

Although the Windows registry is stored in hive files, because these files are complex binary structures it makes sense to examine them at a higher level using a library like hivex, or the high level tool I wrote virt-win-reg.

Using virt-win-reg we can examine each hive that virt-win-reg supports separately, and use “diff” to list differences:

$ virt-win-reg backing.qcow2 'HKLM\SYSTEM' > system.without-chrome
$ virt-win-reg win7.qcow2 'HKLM\SYSTEM' > system.with-chrome
$ virt-win-reg backing.qcow2 'HKLM\SOFTWARE' > software.without-chrome
$ virt-win-reg win7.qcow2 'HKLM\SOFTWARE' > software.with-chrome

There were no significant changes to the HKEY_LOCAL_MACHINE\SYSTEM hive, but Chrome made many additions to the SOFTWARE hive, for example:

+[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChromeHTML]
+@=str(1):"Chrome HTML Document"
+"URL Protocol"=str(1):""
+
+[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChromeHTML\DefaultIcon]
+@=str(1):"C:\Users\rjones\AppData\Local\Google\Chrome\Application\chrome.exe,0"
+
+[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChromeHTML\shell]
+
+[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChromeHTML\shell\open]
+
+[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChromeHTML\shell\open\command]
+@=str(1):"\"C:\Users\rjones\AppData\Local\Google\Chrome\Application\chrome.exe\" -- \"%1\""

Note that you can make the output more readable by using the --unsafe-printable-strings option (but note that it’s called “unsafe” for a reason).

Chrome appears to have modified the list of CA certificates — should I be worried?

There is an addendum to this coming tomorrow morning.

2 Comments

Filed under Uncategorized

2 responses to “Tip: Using a backing file to record file and registry changes, part 3

  1. Shouldn’t the backslashes inside the strings also be doubled?

    • rich

      Kevin do you mean the output of virt-win-reg, like the second backslash in "\"C:\Users? You could well be correct. However there is no proper definition of the regedit format, so I’d have to go back to Windows and test what the “regedit” program itself accepts.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s