Sunday, 12 November 2006

Registry MRU Keys / Forensic

I have not found much information, nor any list of Windows registry keys where the most important MRUs can be found, the ones that should be checked in any self-respecting forensic investigation.

By doing a bit of reversing on MRU-Blaster and looking through several registries, I have been able to put together a reasonably acceptable list.

I will try to organize this information in an Excel spreadsheet that we will leave posted on the 514.es website.

This information can be queried with Perl over a .reg file (easily exported from regedit itself, or with tools such as MiTeC's WRR), or with system commands if the machine is powered on:

C:\> reg query "HKCU\Software\Microsoft\Office\11.0\Excel\Resiliency\DocumentRecovery" /s

Or write a script that walks through a file and tries every possible option ("delims=" is needed because the key paths contain spaces; with the default delimiters %i would stop at the first space):
C:\> for /F "delims=" %i in (forensic_mru.txt) do reg query "%i" /s

A quick way to look for these keys and extend the list could be:

C:\>reg query HKCU\ /s | find "Opened" | find "HKEY"
C:\>reg query HKCU\ /s | find "MRU" | find "HKEY"
C:\>reg query HKCU\ /s | find "Recent File List" | find "HKEY"
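The two ideas above (reading an exported .reg file offline and checking it against the list, and sweeping key names for MRU-like words to grow the list) as an added example that is not code from the original post. It is written in Python rather than the Perl the post mentions. SAMPLE_REG and every path in it are constructed; MRU_KEYS holds a few entries taken from the list below, and the Software\Example\Editor key is invented so the heuristic has something not on the list to find.

```python
"""Pull MRU values out of a regedit .reg export (added example, not from the post;
SAMPLE_REG and every path in it are constructed, MRU_KEYS are entries from the list)."""
import re

# Hive abbreviations used in the list -> names regedit writes in .reg files
HIVES = {"HKCU": "HKEY_CURRENT_USER", "HKLM": "HKEY_LOCAL_MACHINE", "HKU": "HKEY_USERS"}

MRU_KEYS = [  # in practice: load the whole forensic_mru.txt
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\Wordpad\Recent File List",
    r"HKCU\Software\Microsoft\Internet Explorer\TypedURLs",
    r"HKCU\Software\ahead\Nero - Burning Rom\Settings\WorkingDir",
]
# Same idea as `reg query HKCU\ /s | find "MRU" | find "HKEY"`, but case-insensitive
HEURISTIC_WORDS = ("MRU", "Opened", "Recent File List")

# Constructed export. A real one is UTF-16LE with BOM: open(path, encoding="utf-16").
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Wordpad\Recent File List]
"File1"="C:\\Documents and Settings\\alice\\My Documents\\notes.rtf"
"File2"="D:\\usb\\plan.rtf"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs]
"url1"="http://intranet.example/portal"

[HKEY_CURRENT_USER\Software\ahead\Nero - Burning Rom\Settings]
"WorkingDir"=hex(2):25,00,54,00,45,00,4d,00,50,00,25,00,5c,00,6e,00,65,00,\
  72,00,6f,00,00,00

[HKEY_CURRENT_USER\Software\Example\Editor\Last Opened]
"LastFile"="D:\\usb\\secret.doc"
"""


def _unescape(s):
    return s.replace("\\\\", "\\").replace('\\"', '"')


def _decode_value(raw):
    """Decode the right-hand side of a "name"=... line."""
    if raw.startswith('"') and raw.endswith('"'):        # REG_SZ
        return _unescape(raw[1:-1])
    if raw.startswith("dword:"):                          # REG_DWORD
        return int(raw[6:], 16)
    m = re.match(r"hex(?:\((\d+)\))?:(.*)$", raw)         # hex=BINARY, hex(2)=EXPAND_SZ, hex(7)=MULTI_SZ
    if not m:
        return raw
    kind = int(m.group(1) or 3)
    data = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
    if kind not in (2, 7):
        return data
    text = data.decode("utf-16-le")
    return [t for t in text.split("\x00") if t] if kind == 7 else text.rstrip("\x00")


def parse_reg(text):
    """Return {key path: {value name: value}} for a version-5 .reg export."""
    keys, current, lines, i = {}, None, text.splitlines(), 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        while line.endswith("\\") and i < len(lines):    # hex data wrapped over lines
            line = line[:-1] + lines[i].strip()
            i += 1
        m = re.match(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$', line)
        if m and current is not None:
            name = "(Default)" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
            keys[current][name] = _decode_value(m.group(2))
    return keys


def expand_hive(path):
    hive, _, rest = path.partition("\\")
    return HIVES.get(hive.upper(), hive) + "\\" + rest


def extract_mru(keys, mru_list):
    """Values for each list entry. The list mixes keys (Recent File List) with
    value names (WorkingDir), so try each entry as a key, then as parent\\value."""
    lower = {k.lower(): k for k in keys}
    found = {}
    for entry in mru_list:
        full = expand_hive(entry)
        if full.lower() in lower:
            found[entry] = dict(keys[lower[full.lower()]])
            continue
        parent, _, name = full.rpartition("\\")
        for vname, v in keys.get(lower.get(parent.lower(), ""), {}).items():
            if vname.lower() == name.lower():
                found[entry] = {vname: v}
    return found


def heuristic_keys(keys, words=HEURISTIC_WORDS):
    """Key paths containing one of the words: candidates to add to the list."""
    return sorted(k for k in keys if any(w.lower() in k.lower() for w in words))


if __name__ == "__main__":
    parsed = parse_reg(SAMPLE_REG)
    for entry, vals in extract_mru(parsed, MRU_KEYS).items():
        print(entry, vals)
    known = {expand_hive(e).lower() for e in MRU_KEYS}
    print("candidates:", [k for k in heuristic_keys(parsed) if k.lower() not in known])
```

Two things worth knowing before running this on a real export: regedit writes .reg files as UTF-16LE with a BOM, so read them with open(path, encoding="utf-16") and hand the text to parse_reg; and the list below mixes real keys with value names (WorkingDir, OpenDir, LastFolder and similar are values under their parent key), which is why extract_mru tries each entry both ways.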


And here is the list....

HKCU\Software\Microsoft\Office\9.0\Common\Open Find\Microsoft Word\Settings\Save As\File Name MRU
HKCU\Software\Microsoft\Office\9.0\Common\Open Find\Microsoft Word\Settings\Open\File Name MRU
HKCU\Software\Microsoft\Office\9.0\Common\Open Find\Microsoft Word\Settings\Create custom dictionary\File Name MRU
HKCU\Software\Microsoft\Office\9.0\Common\Open Find\Microsoft Word\Settings\Add Custom Dictionary\File Name MRU
HKCU\Software\Microsoft\Office\9.0\Common\Open Find\Microsoft PowerPoint\Settings\Insert Picture\File Name MRU
HKCU\Software\Microsoft\Office\9.0\Common\Open Find\Microsoft PowerPoint\Settings\Save As\File Name MRU
HKCU\Software\Microsoft\Office\10.0\Common\Open Find\Microsoft Word\Settings\Save As\File Name MRU
HKCU\Software\Microsoft\Office\10.0\Common\Open Find\Microsoft Word\Settings\Open\File Name MRU
HKCU\Software\Microsoft\Office\10.0\Common\Open Find\Microsoft Word\Settings\Create custom dictionary\File Name MRU
HKCU\Software\Microsoft\Office\10.0\Common\Open Find\Microsoft Word\Settings\Add Custom Dictionary\File Name MRU
HKCU\Software\Microsoft\Office\10.0\Common\Open Find\Microsoft Word\Settings\Insert Picture\File Name MRU
HKCU\Software\Microsoft\Office\10.0\Common\Open Find\Microsoft Word\Settings\New from Existing Document\File Name MRU
HKCU\Software\Microsoft\Office\10.0\Common\Open Find\Microsoft PowerPoint\Settings\Insert Picture\File Name MRU
HKCU\Software\Microsoft\Office\10.0\Common\Open Find\Microsoft PowerPoint\Settings\Save As\File Name MRU
HKCU\Software\Microsoft\Office\10.0\Common\Open Find\Microsoft Document Imaging\Settings\Save As\File Name MRU
HKCU\Software\Microsoft\Office\10.0\Common\Open Find\Microsoft Document Imaging\Settings\Open\File Name MRU
HKCU\Software\Microsoft\Office\8.0\Common\Open Find\Microsoft Word\Settings\Save As\File Name MRU
HKCU\Software\Microsoft\Office\8.0\Common\Open Find\Microsoft Word\Settings\Open\File Name MRU
HKCU\Software\Microsoft\Office\8.0\Common\Open Find\Microsoft Word\Settings\Select File to Merge Into Current Document\File Name MRU
HKCU\Software\Microsoft\Office\8.0\Common\Open Find\Office\Settings\Open Office Document\File Name MRU
HKCU\Software\Microsoft\Office\8.0\Common\Open Find\Office\Settings\Open Office Document\Any Text MRU
HKCU\Software\Microsoft\Office\8.0\Common\Open Find\Microsoft PowerPoint\Settings\Save\File Name MRU
HKCU\Software\Microsoft\Office\8.0\Excel\Recent File List
HKCU\Software\Microsoft\Office\9.0\Excel\Recent Files
HKCU\Software\Microsoft\Office\10.0\PowerPoint\Recent File List
HKU\.DEFAULT\Software\Microsoft\Office\10.0\Excel\Recent Files
HKCU\Software\Microsoft\Office\10.0\Excel\Recent Files
HKCU\Software\Microsoft\Office\11.0\Excel\Resiliency\DocumentRecovery
HKCU\Software\Microsoft\Office\10.0\Excel\Recent Templates
HKCU\Software\Microsoft\Office\10.0\PowerPoint\Recent Templates
HKCU\Software\Microsoft\Office\10.0\Word\Recent Templates
HKCU\Software\Microsoft\FrontPage\Explorer\FrontPage Explorer\Recent File List
HKCU\Software\Microsoft\FrontPage\Explorer\FrontPage Explorer\Recent Page List
HKCU\Software\Gabest\Media Player Classic\Recent Dub List
HKU\.DEFAULT\Software\Microsoft\MSPaper\Persist File Name
HKCU\Software\Microsoft\MSPaper\Persist File Name
HKCU\Software\Microsoft\MSPaper\Recent File List
HKCU\Software\Foxit Software\Foxit Reader\Recent File List
HKU\.DEFAULT\Software\Microsoft\MSE\10.0\FileMRUList
HKU\.DEFAULT\Software\Microsoft\MSE\10.0\ProjectMRUList
HKU\.DEFAULT\Software\Microsoft\MSE\10.0\SolutionMRUList
HKCU\Software\Microsoft\MSE\10.0\FileMRUList
HKCU\Software\Microsoft\MSE\10.0\ProjectMRUList
HKCU\Software\Microsoft\MSE\10.0\SolutionMRUList
HKCU\Software\Corel\User Assistant\9\Recent Work\WordPerfect\Last Opened
HKCU\Software\Corel\User Assistant\10\Recent Work\WordPerfect\Last Opened
HKCU\Software\Corel\User Assistant\9\Recent Work\QuattroPro\Last Opened
HKCU\Software\Corel\User Assistant\10\Recent Work\QuattroPro\Last Opened
HKCU\Software\Corel\User Assistant\9\Recent Work\Corel Presentations\Last Opened
HKCU\Software\Corel\User Assistant\10\Recent Work\Corel Presentations\Last Opened
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
HKCU\Software\Microsoft\Internet Explorer\TypedURLs
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\TypedURLs
HKCU\Software\Microsoft\MediaPlayer\Player\RecentFileList
HKCU\Software\Microsoft\MediaPlayer\Player\Settings\OpenDir
HKU\.DEFAULT\Software\Microsoft\MediaPlayer\Player\RecentFileList
HKCU\Software\Microsoft\MediaPlayer\Player\Settings\SaveAsDir
HKCU\Software\Microsoft\MediaPlayer\Preferences\CDRecordPath
HKCU\Software\Microsoft\MediaPlayer\Preferences\LastPlaylist
HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\Paint\Recent File List
HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\Wordpad\Recent File List
HKCU\Software\Google\NavClient\1.1\History
HKU\.DEFAULT\Software\7-ZIP\FM
HKCU\Software\7-ZIP\FM
HKCU\Software\ahead\Nero - Burning Rom\Settings\BrowserDir
HKCU\Software\ahead\Nero - Burning Rom\Settings\ImageDir
HKCU\Software\ahead\Nero - Burning Rom\Settings\NeroCompilation
HKCU\Software\ahead\Nero - Burning Rom\Settings\WorkingDir
HKU\.DEFAULT\Software\Macromedia\Flash 6\Open Document
HKCU\Software\Macromedia\Flash 6\Open Document
HKCU\Software\RealNetworks\RealPlayer\6.0\Preferences\LastLoginTime
HKCU\Software\RealNetworks\RealPlayer\6.0\Preferences\LastOpenFileDir
HKCU\Software\SmartFTP\Queue
HKCU\Software\SmartFTP\LocalView
HKCU\Software\WinRAR\General\LastFolder
HKCU\Software\Nico Mak Computing\WinZip\directories
HKCU\Software\Adobe\Acrobat Reader\5.0\AVGeneral\cRecentFiles
HKU\.DEFAULT\Software\Adobe\Acrobat Reader\5.0\AVGeneral\cRecentFiles
HKU\.DEFAULT\Software\Adobe\Acrobat Reader\6.0\AVGeneral\cRecentFiles
HKCU\Software\Adobe\Acrobat Reader\6.0\AVGeneral\cRecentFiles
HKU\.DEFAULT\Software\Adobe\Adobe Acrobat\6.0\AVGeneral\cRecentFiles
HKCU\Software\Adobe\Adobe Acrobat\6.0\AVGeneral\cRecentFiles\c1
HKCU\Software\MGI\VideoWave\Recent File List
HKCU\Software\Sierra Imaging\Image Expert 2000\Recent Album List
HKCU\Software\ahead\Nero - Burning Rom\Recent File List
HKU\.Default\Software\ahead\Nero - Burning Rom\Recent File List
HKCU\Software\ahead\nero wave editor\Recent File List
HKU\.Default\Software\ahead\nero wave editor\Recent File List
HKCU\Software\ahead\Cover Designer\Recent File List
HKU\.Default\Software\ahead\Cover Designer\Recent File List
HKCU\Software\BVRP Software\Annuaire\Recent File List
HKCU\Software\Microsoft\HTML Help Workshop\Recent File List
HKCU\Software\Microsoft\HTML Help Workshop\Project Files
HKCU\Software\Microsoft\HTML Help Workshop\Html Titles
HKCU\Software\Microsoft\HTML Help Workshop\Compressed HTML
HKCU\Software\Microsoft\Picture It! Publishing\5.0\Recent File List
HKCU\Software\Software602\602Tab\Recent File List
HKCU\Software\Software602\WinMgr\1.0\602Tab\Recent Files
HKCU\Software\Software602\602Text\2000\Settings
HKCU\Software\TMT Development\TMT Pascal Lite 3
HKCU\Software\HeadLight\GetRight\TypedURLs
HKU\.Default\Software\HeadLight\GetRight\TypedURLs
HKCU\Software\Jasc\Paint Shop Pro 6\Recent File List
HKCU\Software\Jasc\Paint Shop Pro 7\Recent File List
HKCU\Software\Jasc\Paint Shop Pro 8\Recent File List
HKCU\Software\Greatis\Regrun2\RegAdviser\LocateHistory
HKCU\Software\Ontrack\PowerDesk\CurrentVersion\PDFind\FileNames
HKCU\Software\SpeedBit\Download Accelerator\HistoryCombo
HKCU\Software\Microsoft\Office\10.0\Clip Organizer\Search\Last Query
HKU\.Default\Software\Microsoft\Office\10.0\Clip Organizer\Search\Last Query
HKCU\Software\Microsoft\ClipArt Gallery\2.0\MRUDescription
HKU\.DEFAULT\Software\JetCar\JetCar\Recent File List
HKU\.DEFAULT\Software\JetCar\JetCar\DownDir
HKCU\Software\JetCar\JetCar\Recent File List
HKCU\Software\JetCar\JetCar\DownDir
HKU\.DEFAULT\Software\VB and VBA Program Settings\Microsoft Visual Basic AddIns\VisData6
HKCU\Software\VB and VBA Program Settings\Microsoft Visual Basic AddIns\VisData6
HKU\.DEFAULT\Software\CursorArts\MRU Items
HKCU\Software\CursorArts\MRU Items
HKU\.DEFAULT\Software\Spidersoft\WebZIP\Settings
HKCU\Software\Spidersoft\WebZIP\Settings
HKU\.DEFAULT\Software\Advanced Grapher\RecentFiles
HKCU\Software\Advanced Grapher\RecentFiles
HKU\.DEFAULT\Software\MeeSoft\ImageAnalyzer
HKCU\Software\MeeSoft\ImageAnalyzer
HKU\.DEFAULT\Software\InstallShield\Express\4.0\Recent File List
HKCU\Software\InstallShield\Express\4.0\Recent File List
HKU\.DEFAULT\Software\Impact\Microangelo\Animator\MRU List
HKU\.DEFAULT\Software\Impact\Microangelo\Librarian\MRU List
HKU\.DEFAULT\Software\Impact\Microangelo\Studio\MRU List
HKCU\Software\Impact\Microangelo\Animator\MRU List
HKCU\Software\Impact\Microangelo\Librarian\MRU List
HKCU\Software\Impact\Microangelo\Studio\MRU List
HKU\.DEFAULT\Software\FerretSoft\NetFerret\CurrentVersion\Web
HKCU\Software\FerretSoft\NetFerret\CurrentVersion\Web
HKU\.DEFAULT\Software\ORL\VNCviewer\MRU
HKCU\Software\ORL\VNCviewer\MRU
HKU\.DEFAULT\Software\PowerArchiver\Files
HKCU\Software\PowerArchiver\Files
HKU\.DEFAULT\Software\Microsoft\DevStudio\6.0\Recent File List
HKCU\Software\Microsoft\DevStudio\6.0\Recent File List
HKU\.DEFAULT\Software\e-merge\WinAce\2.0\MRU Items
HKCU\Software\e-merge\WinAce\2.0\MRU Items
HKU\.DEFAULT\Software\JGsoft\EditPadLite\Search
HKCU\Software\JGsoft\EditPadLite\Reopen
HKU\.DEFAULT\Software\VB and VBA Program Settings\3D Canvas\Application
HKCU\Software\VB and VBA Program Settings\3D Canvas\Application
HKU\.DEFAULT\Software\Vallen-Systeme GmbH\Vallen JPegger\MRU-Files-BMP&PCX
HKU\.DEFAULT\Software\Vallen-Systeme GmbH\Vallen JPegger\MRU-Folders-IMG
HKU\.DEFAULT\Software\Vallen-Systeme GmbH\Vallen JPegger\MRU-Folders-MP3
HKCU\Software\Vallen-Systeme GmbH\Vallen Zipper\MRU-Files-ZIP
HKU\.DEFAULT\Software\M.Dev Software\ZG5\MRU Items
HKCU\Software\M.Dev Software\ZG5\MRU Items
HKCU\Software\WinRAR\ArcHistory
HKCU\Software\Trident Software\PowerZip\Recent File List
HKCU\Software\Trident Software\PowerZip\Doc
HKCU\Software\WinRAR\DialogEditHistory\ExtrPath
HKCU\Software\Nico Mak Computing\WinZip\extract
HKCU\Software\Gnucleus\Searches
HKCU\Software\Kazaa\Search
HKU\.Default\Software\Kazaa\Search
HKCU\Software\Jasc\Animation Shop 2\Recent File List
HKCU\Software\Jasc\Animation Shop 3\Recent File List
HKCU\Software\Jasc\Jasc Media Center Plus\Recent File List
HKCU\Software\Jasc\Jasc WebDraw 1\Recent File List
HKCU\Software\Macromedia\Flash 5\Recent File List
HKCU\Software\Macromedia\Flash 6\Recent File List
HKCU\Software\Macromedia\Firework 6\Recent File List
HKCU\Software\Macromedia\Dreamweaver 4\Recent File List
HKCU\Software\Macromedia\Dreamweaver 6\Recent File List
HKLM\SOFTWARE\Microsoft\Direct3D\MostRecentApplication
HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication
HKCU\SOFTWARE\Microsoft\DirectInput\MostRecentApplication
HKCU\Software\Ulead Systems\Ulead PhotoImpact\7.0\Recent File List
HKCU\Software\Microsoft\Photo Editor\3.0\Microsoft Photo Editor
HKU\.DEFAULT\Software\Microsoft\Photo Editor\3.0\Microsoft Photo Editor
HKCU\Software\Creative Tecg\Creative Wavestudio\Settings
HKCU\Software\Freeware\VirtualDub\MRU List
HKCU\Software\Microsoft\Journal Viewer\MRU
HKCU\Software\Ying3\DLExpert\MAIN
HKCU\Software\Microsoft\Search Assistant\ACMru\5001
HKCU\InstallLocationsMRU
HKU\.Default\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}\FilesNamedMRU
HKCU\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}\ContainingTextMRU
HKU\.Default\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}\ContainingTextMRU
HKCU\Software\ORL\VNCviewer\MRU
HKCU\Software\RealVNC\VNCViewer4\MRU
HKCU\Software\Ahead\Cover Designer\Recent File List
HKCU\Software\Ahead\Nero - Burning Rom\Recent File List
HKCU\Software\Ahead\Nero WaveEditor\Recent File List
HKCU\Software\DVD Shrink\DVD Shrink 3.2\Recent File List
HKCU\Software\DVDAuthor2\DVD-lab\Recent File List
HKCU\Software\JetCar\JetCar\Recent File List
HKCU\Software\Macromedia\Dreamweaver 8\Recent File List
HKCU\Software\Macromedia\Fireworks\8\ini\Recent File List
HKCU\Software\Macromedia\Flash 8\Recent File List
HKCU\Software\Microsoft\Consola de administración de Microsoft\Recent File List
HKCU\Software\SoulSeek\SoulSeek\Recent File List
HKCU\Software\WinHTTrack Website Copier\WinHTTrack Website Copier\Recent File List