Wednesday, May 19, 2010

EnScript to find and parse "vk" registry keys

Earlier today I posted an EnScript that parses the 'nk' registry records from any selected files in EnCase. You can read about that EnScript in the original post here.

This EnScript essentially does the same basic function, except it searches for 'vk' records, which are the records that hold data values. The registry hive holds different types of data in different records. A 'vk' record can have the data value "resident" inside the 'vk' record itself, or it can be "non-resident" and have its own record elsewhere in the registry hive.

Therefore, when searching for 'vk' records, it is common to find the record, but it either has no data value name and/or data value inside that specific record.  Using the same example I used in the previous post about 'nk' records, here is an example:


The "MountedDevices" folder (key) is a 'nk' record that we covered in the previous post. The data values are on the right side of the window. The data value names are things like "\DosDevices\C:", "\DosDevices\D:", etc. The data value itself is the value thats stored inside that specific data name entry. For instance the data name  "\DosDevices\C:" would commonly have a value similar to what you see here:



The value data inside the data value name is the hex values you see above.

This EnScript attempts to find 'vk' records and then parses them as best as possible. As mentioned, it is common for the actual data value to be stored elsewhere and therefore cannot be parsed. If the data value is smaller than 4 bytes, then it is stored within the 'vk' record along with the value name. Here is an example of the output of the EnScript:



In the screenshot above, I searched the pagefile. The value names can bee see in the comment field on the right. After the value name, the data value itself is displayed if it was resident to that 'vk' record.  You can see several bookmarks that have a value name, but no value itself. This is because the value was not resident to that record and is stored elsewhere.  Some value names are blank and therefore you will see the name "default" (as you would typically see in regedit or other registry viewer).

This EnScript only bookmarks the data.

Download Here

Posted by Lance Mueller at Wednesday, May 19, 2010
ShareThis

3 comments:

H. Carvey Friday, 21 May, 2010  

nk = keys
vk = values

Lance Mueller Friday, 21 May, 2010  

Harlan,

While I understand what you put in your comment, I disagree with using that simplistic definition because it can lead to confusion. Using 'vk' = values is misleading.

'vk' is the value record, but does not necessarily mean it contains the actual item value. A person who is new to reading the registry would assume just by the use of your term that 'vk' signifies where the registry value is stored, and that is commonly not the case. This is why I tried to explain it in the original post and not call it just "'vk' = value.

The data in a 'vk' structure is technically called a value record. It contains the name field of the value AND the item value itself *ONLY* if it is a certain length, otherwise it contains an offset to where the item value is stored.

The value name field is always present in the 'vk' record, although it could be blank, which is why you see the "default" name sometimes.

H. Carvey Sunday, 23 May, 2010  

Lance,

Thanks, you made my point for me!

Post a Comment

Post a Comment

Subscribe to: Post Comments (Atom)

Computer Forensics, Malware Analysis & Digital Investigations

Loading...

Random Articles