The 4N6 Post


Registry Section of TypedPath: Understanding Its Importance in Digital Forensics

The registry is an important part of a computer's operating system: it stores information about configuration, settings, and installed software. In digital forensics, the registry can provide valuable information to investigators because it can reveal data about software execution and system changes. The registry section of TypedPath is a digital forensics tool that can be used to extract information from the registry of a computer.

In this blog post, we will discuss the normal use case and malicious use case of the registry section of TypedPath and what a digital forensic investigator would want to find in this section.


Finding the TypedPath Registry

TypedPath is a powerful tool in digital forensics, helping investigators quickly and easily access the Windows registry and retrieve data that can assist in their investigations. The registry section of TypedPath is of particular interest to digital forensic investigators because it provides critical information about the configuration, settings, and activities of a computer system. In this post we examine the registry section of TypedPath, covering both normal and malicious use cases, and explain what a digital forensic investigator would want to find there. The entries could relate to websites, but are more likely local or network paths typed into the Explorer address bar, such as file shares.


HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths
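The values under that key are named url1, url2, and so on, with url1 being the most recently typed entry. The script below is an added example written for this post (it is not code from the blog or from any tool called TypedPath): it parses a .reg export of the key, such as one produced with reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths" typedpaths.reg, restores the .reg escaping, orders the entries numerically so url10 is not sorted before url2, and classifies each path as a UNC file share, local drive path, shell: namespace entry or URL. The sample export embedded in the script is constructed; a real export is UTF-16LE with a BOM and should be read with encoding="utf-16". The hostname extraction and the hidden-share check (share names ending in $) are this example's own triage helpers, not part of the key's format.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Registry key discussed in the post; its values are named url1, url2, ...
TYPED_PATHS_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths"

# Constructed sample of what `reg export` of the key produces.
# A real export file is UTF-16LE; open it with encoding="utf-16" before parsing.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths]
"url1"="\\\\fileserver01\\finance\\Q3"
"url2"="\\\\10.0.0.25\\C$"
"url3"="C:\\Users\\alice\\Downloads"
"url4"="shell:AppsFolder"
"url10"="D:\\"
'''


@dataclass
class TypedPath:
    slot: int            # N from urlN; url1 is the most recently typed entry
    path: str            # value with .reg escaping removed
    kind: str            # "unc", "local", "shell", "url" or "other"
    host: Optional[str]  # server name or IP for UNC paths, else None


_VALUE_RE = re.compile(r'^"(url(\d+))"="(.*)"$')


def _unescape(value: str) -> str:
    # .reg files escape backslash and double quote with a leading backslash
    return re.sub(r'\\(.)', r'\1', value)


def classify(path: str) -> Tuple[str, Optional[str]]:
    """Classify a typed path and pull the server name out of UNC paths."""
    if path.startswith("\\\\"):
        return "unc", path[2:].split("\\", 1)[0]
    if re.match(r"^[A-Za-z]:\\", path):
        return "local", None
    if path.lower().startswith("shell:"):
        return "shell", None
    if re.match(r"^[A-Za-z][A-Za-z0-9+.-]*://", path):
        return "url", None
    return "other", None


def parse_typed_paths(reg_text: str, key: str = TYPED_PATHS_KEY) -> List[TypedPath]:
    """Return the urlN values under `key` from a .reg export, ordered by slot number."""
    entries: List[TypedPath] = []
    in_key = False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):                       # section header: [KEY]
            in_key = line[1:-1].lower() == key.lower()
            continue
        if not in_key:
            continue
        m = _VALUE_RE.match(line)
        if not m:
            continue
        path = _unescape(m.group(3))
        kind, host = classify(path)
        entries.append(TypedPath(int(m.group(2)), path, kind, host))
    entries.sort(key=lambda e: e.slot)  # numeric sort so url10 follows url4
    return entries


def remote_hosts(entries: List[TypedPath]) -> List[str]:
    """Unique servers the user browsed to via UNC paths."""
    return sorted({e.host for e in entries if e.kind == "unc" and e.host})


def hidden_share_slots(entries: List[TypedPath]) -> List[int]:
    """Slots whose UNC share name ends in '$' (hidden/administrative shares), worth a closer look."""
    hits = []
    for e in entries:
        if e.kind != "unc":
            continue
        parts = e.path[2:].split("\\")
        if len(parts) > 1 and parts[1].endswith("$"):
            hits.append(e.slot)
    return hits


if __name__ == "__main__":
    found = parse_typed_paths(SAMPLE_REG)
    for e in found:
        print(f"url{e.slot:<3} {e.kind:<6} {e.host or '-':<14} {e.path}")
    print("remote hosts:", remote_hosts(found))
    print("hidden-share slots:", hidden_share_slots(found))
```

Because the key lives in the user hive, run the parser per user (one export per NTUSER.DAT); the slot order is the only recency information the key carries, so pair it with other artifacts such as ShellBags or LNK files when a timeline is needed.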



Normal Use Case

The registry section of TypedPath is a useful tool for digital forensic investigators to retrieve important information about a computer system. It includes information about software installations, network settings, and user activity. Some of the key data that can be found in the registry section include:


  • Software installations: The registry section of TypedPath can reveal information about software installations on a computer system, including the names of the programs installed, their version numbers, and the dates they were installed. This information can be valuable in tracking the use of specific software programs and can provide insight into what a user was doing on their computer.

  • Network settings: The registry section of TypedPath can also reveal information about network settings on a computer system. This information includes the names of network adapters, the IP addresses assigned to those adapters, and the names of the DNS servers being used. This information can be useful in tracking network activity and can assist in determining if a system has been used to engage in malicious activity.

  • User activity: The registry section of TypedPath can also provide information about user activity on a computer system. This information includes data about logon and logoff times, as well as the names of the users who have logged into the system. This information can be useful in tracking user activity and can help determine whether a user was using their computer for malicious purposes, as well as which file paths on shared drives were connected to.


Malicious Use Case

The registry section of TypedPath can also be used to uncover evidence of malicious activity on a computer system. Some of the key data that can be found in the registry section in the case of malicious activity include:


  • Malware installations: The registry section of TypedPath can reveal information about malware installations on a computer system. This information includes the names of the malware programs, their version numbers, and the dates they were installed. This information can be valuable in tracking the spread of malware and can assist in determining the extent of the damage caused by the malware.


  • Command and control (C2) servers: The registry section of TypedPath can reveal information about command and control (C2) servers that are being used by malware. This information includes the IP addresses of the C2 servers, the ports they are using, and the names of the malware programs that are communicating with those servers. This information can be useful in tracking the spread of malware and can assist in determining the extent of the damage caused by the malware.


  • Persistence mechanisms: The registry section of TypedPath can reveal information about persistence mechanisms used by malware. This information includes the names of the registry keys that the malware is using to persist on the system, the values of those keys, and the data stored in those keys. This information can be useful in tracking the spread of malware and can assist in determining the extent of the damage caused by the malware.


What a Digital Forensic Investigator Would Want to Find

A digital forensic investigator would want to find several key pieces of information in the registry section of TypedPath. Firstly, they would want information about the configuration and settings of the system, such as the operating system version and the type of user account; this provides insight into the state of the system at the time of interest. Secondly, they would want information about installed software, including the name, version, and installation date; this can be used to determine whether specific software was installed or used on the system during the time of interest. Lastly, they would want information about malicious activity, such as the creation or modification of registry keys or values used by malware to persist on the system; this provides insight into the tactics and techniques used by attackers to compromise the system.



https://www.sans.org/posters/windows-forensic-analysis/
