Mastering Windows Network Forensics - Assignment Example

Introduction The Windows registry and NTFS permissions are some of the vital aspects of the Windows Operating System. The NTFS permissions manage the access groups and users have to files and folders hosted on NTFS formatted storage medium, while the registry essentially stores configuration options and settings of the system. This study explores the purpose of the registry, its structure, and specific instances of how it use used as well as practically investigates the inheritance of the NTFS permissions. Part 1: The Windows Registry The Windows Registry is “a hierarchical database”, which contains the configuration options and settings of the Microsoft Windows operating system (OS), including those of the users and program under the operating system “(Anson & Bunting, 2007). Therefore, it includes the settings for some components of the OS as well as programs or applications such as kernel, services, device drivers, the user interface, Security Accounts Manager (SAM), and third party programs. The main purpose of the registry, therefore, is not only the storage of the configuration information for the Component Object Model (COM)-based Windows components, but also to reorganize the excess INI files that were necessary in storing configuration settings for every program stored on the Windows OS (Honeycutt, 2002; Surhone, Timpledon & Marseken, 2009). The structure of the Windows registry is characterised by keys and values, hives, and aliases. The keys and values are actually the basic components of the registry (Hipson, 2002; Honeycutt, 2002). A registry keys resembles a normal folder, and contains values as well as subkeys; these subkeys may also contain other subkeys, and so on. The syntax that is used with the path names in Windows OS is same one used to reference the registry keys and subkeys. For instance, the subkey Console in HKEY_CURRENT_USER would be referenced as My Computer\ HKEY_CURRENT_USER\Console. Six root keys comprise a Windows registry. These include the following: HKEY_CLASSES_ROOT HKEY_CURRENT_USER HKEY_LOCAL_MACHINE HKEY_USERS HKEY_CURRENT_CONFIG HKEY_DYN_DATA Figure 1: The six registry root keys Figure 2: Subkeys of the HKEY_CLASSES_ROOT The registry values are basically pairs of name and data contained in the keys and subkeys. They resemble as “associative array” (Kimmel, 2001). There are several types of registry values. These include the following: Multi-String Value - REG_MULTI_SZ Expandable String Value - REG_EXPAND_SZ Binary Value - DWORD Value - REG_DWORD Multi-String Value - REG_MULTI_SZ Binary Value - REG_RESOURCE_REQUIREMENTS_LIST, REG_BINARY, REG_RESOURCE_LIST, and REG_FULL_RESOURCE_DESCRIPTOR. None - REG_NONE Link - REG_LINK QWORD Value - REG_QWORD The Windows registry aliases are simply pseudonames of various keys and subkeys. For instance in Windows 9x, the HKEY_CLASSES_ROOT is an alias for the HKEY_LOCAL_MACHINE\Software\Classes. Hives The registry hives are the logical segments of the registry. In other words, a hive is a logical suite of keys, subkeys and values within the registry that is characterised by a series of supporting files comprising backups of its information. The following are the standard registry hives and supporting files respectively (Microsoft 2007): HKEY_CURRENT_CONFIG - System, System.log, System.alt, System.sav. HKEY_CURRENT_USER - Ntuser.dat.log, Ntuser.dat. HKEY_LOCAL_MACHINE\SAM - Sam, Sam.sav, Sam.log HKEY_LOCAL_MACHINE\Security - Security, Security.sav, Security.log HKEY_LOCAL_MACHINE\Software - Software, Software.sav, Software.log HKEY_LOCAL_MACHINE\System - System, System.log, System.alt, System.sav HKEY_USERS\.DEFAULT - Default, Default.sav, Default.log Specific instances registry functioning Every time a fresh user logs on to the Windows operating system, a fresh hive for that particular user is generated with a discrete file for that user’s profile (Microsoft 2007). Thus, this is the user profile hive (Microsoft 2007). . Part 2: Practical investigation: Local NTFS file system security 1. NTFS Permissions Inheritance With NTFS file systems, it is possible for directories and files to inherit permissions for their root directories. In windows XP, for instance, creating a new file or subfolder in a root directory will be characterised by inheritance of the root directory’s NTFS permissions by the new file or subfolder; this is by default settings. Therefore, depending on the permission inheritance settings for a particular object, parent folder’s permissions are also applicable to files and subfolders in this parent folder. That is, when a folder is assigned NTFS permissions to allow access to it, it means that all the existing sub-directories and files in it, including new sub-directories and files created in that folder are assigned the same permissions. However, it is possible to prevent NTFS permissions of the parent directory from being inherited by the files and subfolders contained in the directory by specifying the inheritance option for a specific object. Thus, the NTFS permission of the parent directory will not be inherited by the files and sub-folders in that directory. This act of preventing inheritance of the NTFS permission results in the directory that one prevents its permissions from being inherited becoming a top parent directory. The NTFS permissions assigned to it are nonetheless inherited by the files and subfolders contained in it. The NTFS inheritance can be used to advantage in establishing NTFS file systems on multiuser platforms like Windows XP. The NTFS inheritance is useful in controlling specific users on Windows XP by assigning them specific permissions. It also makes it easy to set the permissions and attributes of multiple subfolders and files, which can be tasking if an administrator had to set one folder or file at a time. 2. Options available below the security tab The options available below the security tab are the same for folders and files, except that for folders there is an extra permission. The permission options for files and folders are shown below: Figure 1: Permissions for user 30071344 The NTFS file permissions: Full Control: This allows user to alter attributes of files, including permissions as well as create, delete, compress, execute, and add data to a file. The user can also view the files attributes and permissions. , Modify: It allows a user to alter a file’s properties, create and delete files, write on files, and view files attributes. Read and Execute: This allows a user to execute files in the directory as well as view files attributes. Read: This option allows a user to view files as well as their attributes. Write: This permission allows a user to create files, alter file’s attributes, write on and overwrite files, and view file’s permission and ownership. The NTFS folder permissions: Full Control: This allows user to alter permissions, attributes, and ownership of folder as well as create, delete, modify, and navigate folders. It also allows a user to execute executable files, and compress files in the folder. Modify: It allows a user to alter a folder’s properties, create and delete folders. Read and Execute: This allows a user to execute files in a folder, navigate folders, and view attributes and list contents of a folder. Read: This option allows a user to view a folder as well as files and subfolders in the folder. Write: This permission allows a user to create folders, files and subfolders in the folder. It also allows a user to alter attributes of the folder. List Folder Contents: This permission enables a user to list a folder’s contents, to view a folder attributes, and to navigate directories. a) The effect of the “Advanced” options “Inherit from parent .......” and its associated “Copy” and “Remove” options The “Advanced” permission settings includes an option known as “Inherit from parent the permission entries that apply to child objects. Include these with entries explicitly defined here.” When the check box for this option is checked, then the NTFS permissions settings of the parent folder are inherited by the child folder or file as it is by default together with the special permissions or explicit settings defined through the Advanced Security Settings. The explicit permission settings take precedence over the inherited permissions. When the check box is cleared, permission entries that were previously inherited from the parent folder are removed from the child object if the associated “Remove” option is selected although the special permission explicitly defined on Advanced Security Settings window are retained; however, if the associated “Copy” option is selected, the permission entries previously inherited from the parent are retained in the highlighted object. Figure 2: Advanced Security Setting for folder 30071344 showing associated options b) The reason some permissions are grayed out in the security tab dialog There is a reason some permissions are grayed out in the security tab dialog. This prevents the manipulation of the specific grayed permission, and thus preventing a user from altering the permissions of the highlighted object. c) The effect of the 5 default ACL assignments and their associated permissions. The five default ACL assignments are Allow ‘System’ and ‘Administrator’ groups Full Control permissions, and allow ‘Everyone’, ‘Power Users’, and ‘Users’ Read & Execute permissions. These default assignments allow the specified users and groups to have the specific controls defined by two permission categories on folders and files. Figure 3: permission for the c: drive (root directory) 3. Comparing permissions inherited to directories with those inherited to files. There are differences in the inheritance of permissions to directories and files. Only folders and not files inherit the “List Folder Contents” permission of the root folder (Microsoft, 2007). This permission is only visible if folder permissions as opposed to viewing files permissions. Additionally, “Read and Execute”, and “Read” permissions are inherited by both folders and files in all the default groups and user and are visible when you view either folder or file permissions (Microsoft, 2007). Elsewhere, for ‘users’, ‘Everyone’ and ‘Power Users’ groups the ‘write’ permission of the parent folder is not inherited by files although it is inherited by subfolders. Figure 4: inherited permissions for a folder and a file Investigating limited user NTFS permissions (Screenshots) i. Documents & Settings\30071344\ Figure 5: Permissions for 30071344 ii. Documents & Settings\All Users\ Figure 6: Permissions for All users iii. Documents & Settings\30071344 \Desktop Figure 7: Permissions for Desktop iv. Program Files Figure 8: Permissions for programs folder References Anson, S. & Bunting, S. (2007). Mastering Windows Network Forensics and Investigation.John Wiley and Sons, New York. Hipson, P. D. (2002). Mastering Windows XP Registry. Sybex, Honeycutt, J (2002). Microsoft Windows XP registry guide. Microsoft Press, United States. Kimmel, P. (2001). Sams Teach Yourself Microsoft Access 2002 Programming in 24 Hours. Sams Publishing, New York. Microsoft (2007). Registry Hives. Retrieved on 24 May 2010 from http://msdn.microsoft.com/en-us/library/ms724877.aspx Microsoft, 2007. How to set, view, change, or remove special permissions for files and folders in Windows XP. retrieved on 23 May 2010 from 5http://support.microsoft.com/kb/308419. Surhone, L. M., Timpledon, M. T. & Marseken, S. F. (2009). Windows Registry: Directory, Operating System, Microsoft Windows, Hardware, Windows 3. 1x, INI File, Registry Cleaner. Betascript Publishers, Read More