INTERNATIONAL JOURNAL OF INFORMATION SECURITY SCIENCE

K.D. Cook et al., Vol.7, No.2

Using PowerShell to Capture and Compare

Windows Registry and Live Memory Artifacts
with Online Databases to Identify Suspect Files
Kenneth Dale Cook*, Narasimha Shashidhar*§
* Department of Computer Science, Sam Houston State University,
Huntsville, TX 77341, USA.
{kdc057, karpoor}@shsu.edu

Abstract - System administrators and forensic investigators alike face a multitude of challenges
when seeking to identify sources of pertinent data while in the course of their work. The
inconsistent identification and acquisition of significant registry keys is frustrating, second only to
the common practice of overlooking unique data stored in system memory. Also challenging, is the
practice of identifying suspect file signatures from the resulting data. Many tools are available for
scanning and identifying suspect files, and as such it makes sense to utilize them where possible. In
this paper, we present a PowerShell tool and the accompanying method to acquire, parse, and
display not only significant registry data, but also perform live memory acquisition of the
application compatibility cache where key registry attributes are stored before being later written to
the registry. These keys, stored in memory, are of particular interest since they can be an indicator
of executed processes that are not yet recorded in the registry, and therefore potentially helpful to
system administrators and investigators. This tool identifies the contents of the Application
Compatibility Cache stored in volatile memory, and compares them to the same dataset recorded to
disk in the Windows Registry. The items that exist in memory, but are absent from the registry on
disk, are hashed and submitted to the VirusTotal.com database where the results are returned and
presented in the form of a report. This paper contains not only positive VirusTotal.com results, but
also other significant data from the registry that may be of interest to the administrator and
investigator.
Keywords – Registry; Memory; PowerShell; Appcompatcache; ShimCache.

preferences, the registry and volatile memory

1. Introduction offer both a recorded history of what has
happened on the system, as well as a road map
The windows registry, together with the to what will happen in the future.
system’s volatile memory, contains In order to add to the existing toolsets that
information that is not only critical to the are available, this project expands on prior
functioning of the system, but also of research and work involving the registry,
irreplaceable benefit to the systems volatile memory, and a handful of unique
administrator performing troubleshooting and applications that enable analysis with the
diagnostic work, or the investigator searching PowerShell scripting environment,
for clues/artifacts. From critical system consolidating all of these aspects into a single
settings, executed and accessed files, to user tool. Prior research shows that certain registry
78
INTERNATIONAL JOURNAL OF INFORMATION SECURITY SCIENCE
K.D. Cook et al., Vol.7, No.2

attributes stored in memory have been found to A. Windows registry

be unique in that they may not be written to the
registry hives on disk until a successful The Windows Registry is a central
shutdown has been initiated. This project is a repository in the form of a hierarchical
PowerShell tool that, with the integration of database of configuration data for the
existing tools specific to accessing elements in Windows operating system and many of its
volatile memory, seeks to address the programs [1]. First introduced into the
following topics: Windows operating system with the release of
1) Create a consolidated report of Windows 95, it continues this role as a
significant registry keys. configuration database in Microsoft’s latest
2) Retrieve the Application Compatibility releases. It has consolidated and organized the
Cache entries in both the registry and memory. tasks of installing software device drivers,
3) Submit the hashes of uncommitted defining environment variables, and running
Application Compatibility Cache entries from startup programs. In addition, previously
Volatile memory to an online malware important files such as config.sys, autoexec.bat,
scanning database in order to check for suspect win.ini and system.ini, previously used to store
files and report results. user settings and system parameters, have been
This paper is organized as follows. In consolidated into the registry [2].
Section 2, we provide a background review of The Windows registry is an important
the Windows Registry, Volatile Memory, and resource to the forensic investigator and
PowerShell, as well as the additional resources system administrator due to its role within the
and executables. Their importance, role, and operating system. For the investigator familiar
method of utilization will also be discussed. In with the type of information available and its
Section 3, the methodology and further details location, a virtual treasure trove of valuable
of the script’s functional areas are described. artifacts can be unearthed. As an investigative
Section 4 is devoted to the final report and resource and troubleshooting tool, the registry
exported files as compiled by the tool, while may provide information on users, groups,
Section 5 will provide a conclusion and briefly hardware, software, networking, recently
discuss future work. installed peripherals, and other areas such as
programs executed and files accessed. This
2. Background collection of information, taken in part or as a
whole, may provide irreplaceable information
Whereas the focus of this project is to capture and history concerning an incident.
and present data present in the Windows Traditionally, the Windows Registry is
Registry and Volatile Memory (RAM), accessed via a standard graphical user interface
followed by presenting a subset of this data to (GUI) that has largely remained unchanged
an online database for identification of suspect across multiple versions of the parent
files, some background is necessary to describe operating system. The registry editor is
the Windows Registry, Volatile Memory, and accessed by referencing “regedit.exe” from the
the primary tool – the PowerShell scripting command line. It is a no-frills interface for
environment. Additionally, there are external casual browsing and even editing of the
executables utilized for their specialization and database that many refer to as the “brain” or
those are described here as well. “heart” of the operating system. While it does

79
INTERNATIONAL JOURNAL OF INFORMATION SECURITY SCIENCE
K.D. Cook et al., Vol.7, No.2

permit backup and restore of the data within, it while the device is powered on, which in
lacks in areas of automation, bulk commands, common usage, refers to the RAM (Random
and especially the inability to view encrypted Access Memory) in personal computers and
or binary data. It is in these areas where our servers. This is in contrast to non-volatile
tool excels, as discussed later in this paper. storage such as hard disks, solid state drives,
Organizationally, the registry is divided magnetic tape, and other similar media types
into sections titled hives, containing a logical that do not rely on constant power to retain
group of keys, sub keys, and values. information.
Reviewing the work previously conducted by The Windows Operating System utilizes
Farmer [2], and cross-referencing with the volatile memory (RAM) to store the operating
MSDN.Microsoft.com [3] documentation for system’s code and data needed by the CPU.
the registry, we can define the primary hives This process provides faster read and write
along with their keys and values. Of particular access to the data by the CPU than traditional
note is that the first two hives are in fact hard disks are able to provide. The information
aliases of other physical hives. is stored and accessed, while also swapped in
and out of Virtual memory, paging, and
HKEY_CLASSES_ROOT (HKCR) – Contains hibernation files as the need and settings
file-name extension associations and COM require. For the purposes of our research
class registrations, in order to define which project, we will focus on live memory
application is executed when a file is opened. acquisition and the data that is actively stored
Also contains drag-and-drop rules, shortcuts, in volatile memory
and user interface information. An Alias for: The forensic values of the RAM contents
HKEY_LOCAL_MACHINE\SOFTWARE\Cl are an important reason to focus on the data
asses. that resides within, as well as the methods
used to obtain it. Through acquisition and
HKEY_CURRENT_USER (HKCU) - Defines analysis, we are able to see a history of
preferences for the currently logged-on user, executed commands, network connections,
including folder, display, and control panel processes, and other items that only exist in
settings. An alias for the current user’s branch memory. Disk encryption keys, application
in: HKEY_USERS\User SID shims (injected code), chat messages, internet
history, and others exist for the investigator to
HKEY_USERS (HKU) – Defines default and obtain through diligence and proper execution
new user configuration including application of memory imaging tools [6]. In addition to the
configurations and visual settings. aforementioned sensitive information, data
such as usernames and passwords may be
HKEY_CURRENT_CONFIG (HKCC) - unintentionally exposed in the system memory
Contains information about the current during use and subsequent analysis.
hardware profile or system configuration. In “Comparative Analysis of Volatile
Memory Forensics, Live Response vs.
B. Volatile Memory Memory Imaging” Aljaedi et al., prominently
state the significance of volatile memory
Volatile memory describes computer analysis in digital investigations due to certain
storage that maintains its digital contents only data residing only in physical memory (RAM),

80
INTERNATIONAL JOURNAL OF INFORMATION SECURITY SCIENCE
K.D. Cook et al., Vol.7, No.2

and not existing in any state on the physical of Verb-Nouns, such as Get-File hash (the
media. Examples such as Code Red, Witty, cmdlet for obtaining the file hash of a file,
and the SQL Slammer worms function in which we will use later in our project). The
memory without writing themselves to disk, self-descriptive nature of the name persists
and therefore support the importance of throughout the shell, providing searchable help.
acquiring volatile data as one of the beginning The results are output not at text, but rather as
steps in incident handling [7]. Additionally, objects that persist through the pipeline [11].
these points are further supported in well- The PowerShell pipeline supports the piping
known incident handling guides [8]. of output from one cmdlet to another, whereas
The structure of physical RAM requires the either all the object properties or selected
use of external tools in order to easily extract properties may be piped and thereby used as
the contents for analysis. Our project will input in subsequent tasks. PowerShell provides
utilize multiple tools in order to simplify methods to format data, and thus
access to the information held in RAM. This customization of the output objects is possible.
will involve creating an image of the memory Additionally, external executables are also
contents as they exist at a point in time, and supported, whereby PowerShell receives a
utilizing separate tools to parse the resulting text-stream of the output from the executable
image file for the data contents. These in order to make the output available to the
methods will be explained in detail later. PowerShell system [12, 13].
From a forensic viewpoint, PowerShell can
C. PowerShell perform an important role in gathering data. Its
ability to configure and manage Windows
Windows PowerShell is the native scripting system changes both locally and remotely may
environment for Windows environments, be leveraged to also query those same systems
consisting of a command line shell built on and system settings. The resulting data sets can
the .NET framework, enabling it to interface be used for investigations, auditing and
with .Net objects. The ability to accept and reporting. Of particular note is PowerShell’s
return .Net objects while most scripting shells ability to natively read the Windows Registry
accept and return text provides for a significant and parse the data as a normal file system. The
change in the way administrators are able to ability to use the common Get-Item and Get-
configure and manage Windows environments ChildItem PowerShell cmdlets simplify the
[9]. task of querying the Windows registry and
PowerShell version 2.0 was released in 2009 compiling reports. This is in contrast to
and included in Windows 7 and Windows previous methods involving manually looking
Server 2008 R2. Versions for XP, Vista, and at regedit.exe or other scripting tools.
Server 2003 were subsequently released and Additionally, where other tools are necessary
PowerShell has been included in all versions or preferred, the ability to work with the
of workstation and server operating systems external tool’s returned data stream within a
since 2009. The latest version (x86 or x64) single PowerShell script ensures that a single
may be downloaded and installed from tool can be used and greatly reduces the
Microsoft’s website [10]. multiple steps that would otherwise be
The base command in PowerShell is necessary. The next section will describe
comprised of a cmdlet, which is in the format

81
INTERNATIONAL JOURNAL OF INFORMATION SECURITY SCIENCE
K.D. Cook et al., Vol.7, No.2

external tools that we will use with PowerShell The Volatility framework is one of the
to acquire the information. most widely used memory analysis and
forensic toolsets available, as represented by
D. WinPMem Version 1.6.2 years of published academic research. Based
on Python, it is a cross-platform, modular, and
This stand-alone tool, which enables us to extensible platform that enables collaboration,
acquire the system memory, while creating a innovation, and accessibility to knowledge and
single image file, is part of the Rekall Forensic tools within the forensic and offensive
and incident response framework, which bills software/security communities. Used
itself as the most advanced open source extensively by commercial investigators,
memory analysis framework available [14, 15]. academia, military, and law enforcement
Like many forensic tools, the platform requires organizations, its reputation is widely known
Python [16] to be installed. However, we have and prior success with it has resulted in its use
chosen to use a version of WinPMem that has within this project [18]. This stand-alone
been compiled into a windows executable in executable, like the previously mentioned
order bypass the requirement for python to be WinPMem.exe, allows us to take advantage of
installed on the target system. The particular this tool without installing the prerequisite
version on WinPMem used here, Version 1.6.2, Python distribution. Additionally, it retains the
is a prior version that natively supports the ability to fully support the vast catalog of plug-
RAW image file creation, which is more ins available to extend the native feature set.
broadly supported by our other chosen tools. Our process leverages the plugins available for
During prior research, we discovered that the Volatility such as dumpregistry, and
latest version, Winpmem, 2.1.post4.exe, shimcachemem to not only extract the cached
supports a native format of AFF4. While it is registry files from the image file we created,
possible to convert memory dumps from AFF4 but to also extract and decipher the
to RAW format, we find this step to be Application Compatibility Cache information
unnecessary while adding unnecessary that is stored within RAM. Their use will be
complexity to the process. In addition, it further explained later in this paper.
appears that Winpmem 1.6.2 uses less memory
when running than subsequent versions. This F. Registry Ripper V1.0
is an important distinction since our
acquisition tools should have the smallest Harlan Carvey is a name synonymous with
footprint possible; especially if our practitioners of Digital Forensics, as not only
investigations include processes which seek to an author of popular books on the subject, but
examine unallocated structures. In those cases, also as principal author of the tool commonly
the extra memory usage will overwrite referred to as RegRipper. An open source tool
unallocated space in the memory, potentially written in Perl, it serves as a registry data
destroying valuable information [17]. extraction and analysis tool. Offered in two
versions, a GUI and a Command line tool, its
E. Volatility Version 2.6 Windows Standalone strength lies in the exhaustive plugin library
Executable that enables the user to extract keys, sub keys,
and their data [19].

82
INTERNATIONAL JOURNAL OF INFORMATION SECURITY SCIENCE
K.D. Cook et al., Vol.7, No.2

From a forensics standpoint, RegRipper’s tools such as URL and domain blacklisting
significance is unquestionable. It has long been services to analyze submitted executables and
a staple in many investigator’s toolbox, and its record the data. The website provides a
reputation and ease of use in other projects method for uploading files for analysis, or the
lends itself to this project without challenges. user may upload the hash of a file and Virus
The ability for RegRipper to utilize its plugins Total will check their database to see if they
and extract targeted data from the extracted have a record for that file with that hash value.
hive could not have as easily be obtained This service is one of many providing
otherwise. In this project we utilize plugins cloud-based malware scanning to the Internet
such as comdlg32, recentdocs, mp2, community. While the web interface allows for
userassist_tln, and usbsotr2 in order to access uploading one file at a time, the HTTP-
the data from the extracted registry hives. accessible API provides a platform for a more
automated and scriptable solution (such as our
G. AppCompatCacheParser V9.8.0 project) to be developed, whereby multiple
items can be scanned from one instance. A free
The AppCompatCacheParser.exe by Eric API key, necessary to use the API, is available
Zimmerman is a standalone Windows to anyone that registers, although it has limited
executable for Windows 7, 8, and 10. It is used usage and restricts the number of inquiries to
to dump shimcache entries directly from the four submissions per minute. Additional calls
registry stored on disk [20]. Contrary to the may be made with an alternate, paid account.
feature set of the aforementioned tools, the Since the other tools we are using are open
AppCompatCacheParser.exe has a single goal source with no cost, this project will utilize the
with limited options. When executed, it free API and limit the requests to no more than
extracts the binary data in the four per minute [21]. While prior work has
AppCompatCache Key in the registry and been completed by others with each of these
exports it to a readable tab separated value tools, this project extends the individual
(.tsv) file which can be viewed in a text editor functionality by leveraging each application’s
or imported into a spreadsheet viewer. Each strengths and combines their functionality into
record in the resulting *.tsv file contains the a new tool.
following fields: ControlSet,
CacheEntryPosition, LastModifiedTimeUTC 3. Tool Description
Path, and Executed. This data is significant to
the project as we will compare it to the same In simplest terms, the tool utilizes existing
entries stored in volatile memory (RAM) in cmdlets within PowerShell as a basis for data
order to isolate any AppCompatCache entries acquisition while leveraging mature projects
that are in memory, but which have not yet described in the prior section such as
been committed to the registry stored on disk. Winpmem and the Volatility framework to
create and analyze volatile memory from a
H. VirusTotal.com API Windows machine. In the following tool
description, we will discuss the methodology
The final external tool that this project used, followed by a description of the actual
utilizes is the virustotal.com API. Virus Total tool script in detail. The major processes are
utilizes over 70 antivirus scanners and other divided into the actionable areas as follows.

83
INTERNATIONAL JOURNAL OF INFORMATION SECURITY SCIENCE
K.D. Cook et al., Vol.7, No.2

currently exist on the system’s hard drive. The

A. Methodology different sections, containing different
functions, are necessary due to the different
1) Integrate Winpmem with PowerShell to structure of the hives, keys, and sub keys,
obtain the Memory dump and store for analysis. along with the data they contain. The data
2) Utilize standard PowerShell cmdlets to targeted in these sections pertained to the RUN,
access the Registry on disk and record data for RUNONCE, EXTENSION ASSOCIATION,
later use. COMMAND PROCESSOR, APPINIT_DLLS,
3) Integrate PowerShell and the Volatility and DEBUGGER options and settings within
framework in order to obtain the registry from the registry. Additionally, The SERVICES sub
the memory dump and store for analysis. keys are returned. Together, these datasets
4) Use multiple tools to obtain the provide a detailed look at what has executed,
Application Compatibility Cache data from as well as what will execute in the future in
both the committed registry and uncommitted certain specific circumstances.
data in volatile memory.
5) Submit unique AppCompatCache entries 2) Pending completion of the above Sections
from memory that do not exist in the registry 1-7, a function comprised of the Volatility
to an online malware database (say, stand-alone executable and assorted registry
virustotal.com) for identification of suspect ripper plugins, are invoked in order to access
files. the previously obtained image file, extract the
6) Record data to an easy to read HTML file. registry hives to disk, and then parse those
hives for specific data. The registry ripper
plugins used are COMDLG32,
B. Tool Script RECENTDOCS, MP2, USERASSIST_TLN,
and USBSTORE. Multiple variables store the
The tool itself is divided into 18 data for each of the plugins and are used in the
commented sections where specific actions following sections.
occur in each. A brief summary of these areas
is presented here to better understand the 3) Sections 8-13 of the tool use the data
subsequent report in section 4, which is the collected in the prior paragraph. This data,
output of the tool. Throughout the script, a representing Registry keys as stored in the
common output goal is repeated, and that is volatile memory, contain information on
obtain the data, create a hash of the system LAST FILE/FOLDER VISISTED, RECENT
library or executable referenced when possible, DOCUMENT LISTS, MOUNTED
create output for HTML report, and finally, DRIVES/NETWORK ACCESSES,
export data to CSV file(s). The CSV files ACCESSED OBJECTS, and USB DEVICES
typically obtain the root RegKey, ValueName, as accessed recently by the host. These
ValueData, and generated hash. sections are unique in that while the prior
sections used native PowerShell cmdlets to
1) Sections 1-7 of the script use the access the data, thereby resulting in similar and
PowerShell Get-ItemProperty to access consistently formatted results, this is not the
different keys and Sub keys in the HKLM, case with the Volatility command and its
HKCR, and HKCU Registry hives as they plugins. Each of the plugins resulted in a

84
INTERNATIONAL JOURNAL OF INFORMATION SECURITY SCIENCE
K.D. Cook et al., Vol.7, No.2

unique report of the data, and while on its own result. Negative results are discarded, and
would serve as a helpful report, in our use, it positive result sets are collected with their
needs to be parsed and the data extracted to be dataset converted to HTML for the final report.
utilized in a consistent and similarly formatted
report. Thus, in each of the sections (8-13),
unique functions and REGEX syntax are used 4. Report
to isolate the desired data and further conform
to our reporting style. As with prior data, this The final report is presented as an HTML-
information is written to both a CSV file and formatted output of the script’s results.
an HTML report to be discussed later in this Generally, the results are presented with the
paper (Section 4). following Headers: REGISTRY KEY,
VALUE NAME, and VALUE DATA. Also
4) Sections 14-16 focus on the Application obtained, but not always displayed in the
Compatibility Cache areas of the registry, both report for space reasons, is the SHA256 HASH
as stored on disk and the uncommitted registry of the executable named in the VALUE DATA
information that is stored in volatile memory field. In addition, there are several CSV files
until the next shutdown sequence is completed, that catalogue the output and the working data
at which time the registry on disk is updated that are made available for further examination
with those entries in RAM. The method used if desired.
in these three sections, begins by obtaining the
APPCOMPATCACHE entries from Disk A. HTML report
using the AppCompatCacheParser.exe, which
exports its data to a *.tsv file. The subsequent The HTML report is the final output of this
step seeks to obtain the tool. The report serves as an example of how
APPCOMPATCACHE entries from volatile the tool’s data may be viewed to provide a
memory using the volatility executable with dashboard into a host’s registry settings, as
the shimcachemem plugin and output that data well as any VirusTotal alerts pointing to
to a *.csv file. Finally, in Section 16, these two possible suspicious files. The report contains a
datasets are compared and newer, clickable table of contents with descriptions of
uncommitted entries that only exist in memory each section. The table of contents contains the
are extracted and saved to their own *.csv file. following areas, and figures are provided to
This resultant dataset is used exclusively in the demonstrate the formatting of the data as
next and last working section of the tool, collected and presented by the tool.
namely section 17.
TABLE OF CONTENTS
5) Section 17 is the last working section of
the tool. The function in this section takes each 1. ALERTS
entry from the prior section, which represents Figure 1 displays the first section of the report,
uncommitted appcompatcache data in volatile the VirusTotal.com results, assuming that
memory, and submits the hash of the positive results were returned. If no positive
executable to the API provided by results are present, this section states this fact
VirusTotal.com. The results are returned to the in the report. In the example, ORDER is the
script in the form of a positive or negative position of record in the appcompatcache in

85
INTERNATIONAL JOURNAL OF INFORMATION SECURITY SCIENCE
K.D. Cook et al., Vol.7, No.2

volatile memory, the LAST MODIFIED entry

is the last time the executable itself was The next section of the Table of Contents:
modified, the EXEC flag indicates whether or
not the file was executed on the system or 3. REGISTRY KETS FROM LIVE REGISTRY
merely accessed, The FILE PATH is self- 3.1 AutoStart / AutoRun
explanatory, the HASH is the SHA256 hash of 3.2 Application Initialization and Default
the File, the HITS are the number of positive Executable
results from VirusTotal.com, and the LINK 3.3 Services
TO RESULTS field contains a hyperlink to the Figure 3 displays an example of the type of
details page on VirusTotal.com where the data available in this area of the HTML report.
detailed returns and comments for this In these datasets, certain attributes are not
particular hash are recorded. In the example available, such as ORDER or EXEC.
provided in Figure 1, three of the engines used
by VirusTotal flagged ACCParser.exe as a
suspicious file. The hyperlink, if followed, will
display the details to include which three Fig 3. HTML Report, Section 3 example.
engines, and more. The next section of the Table of Contents:

4. REGISTRY KEYS FROM VOLATILE

MEMORY
4.1 Most Recently Used Keys
4.2 Network Drive / Mount Point
4.3 User Assist
Fig 1. VirusTotal.com result example. 4.4 USBStor

The next section of the Table of Contents: This is the final section of the Table of
Contents. The data contained is formatted
2. APPLICATION COMPATIBILTY CACHE similarly to the prior section as displayed in
2.1 Live Registry… Figure 3. The exception is section 4.2 and 4.4.
2.2 Volatile Memory… When data is available, the source tool
2.3 AppCompatCache keys in memory… presents it differently, and therefore those
datasets are presented in one field as displayed
Figure 2 displays the fields available in the in Figure 4. In the example, we see that the
HTML report for Section 2, of ORDER, LAST prior mount points for the operating system
MODIFIED, EXEC, and FILEPATH. These include several local SMB shares and volumes.
fields contain the same type of data as those In spite of the formatting, the same three fields
described in Figure 1. of REGISTRY KEY, VALUE NAME, and
VALUE DATA are represented to maintain
consistency.

Fig 2. HTML Report, section 2 example.

86
INTERNATIONAL JOURNAL OF INFORMATION SECURITY SCIENCE
K.D. Cook et al., Vol.7, No.2

application and the shimcachemem plugin in

section 15.
5) ShimCacheMem.csv – Contains the raw
output of the Volatility application and the
shimcachemem plugin in section 15.
6) <%VariableName%>_AppCompatCache.tsv –
Where the first part of this file name represents
the profile used in Volatility, combined with
the Host computer name, this is a tab-
separated file created by the Application
“AppCompatCacheParser”.
7) Final-HTML-Report.html - This is the
Final report as created by the tool to display
the results as collected.
While the exported files are not part of the
Figure 4. HTML Report, Section 4 example. final report, they are left available in the event
that the investigator might wish to parse them
Depending on the age of the operating system, differently or otherwise benefit from their
or time since last reload, as well as how the contents.
system is used, the size of the registry and
therefore the HTML report can vary widely. It 5. Conclusion
was not uncommon during testing to see
printed reports over 100 pages in length. This project discussed the significance of
the registry and how certain aspects of it can
B. Exported Files not only be useful in investigations, but also
how certain contents can vary depending on if
The files that result from executing the script they are stored in the memory or on disk, as
are saved for reference, in the event that the items may exist in memory that have not yet
investigator would like to look at additional been committed to disk. Exploring these
information left out of the report, such as differences and developing a tool for reporting
additional hashes, or to run their own queries the findings was the primary focus and result
against the CSV file for sorting and comparing. of this project. While developing the tool, the
three primary goals were met; these being:
1) Collected-data.csv – This csv file Creating a consolidated report of significant
contains the output from the majority of the registry keys, retrieving the Application
script, sections 1-13. Compatibility Cache entries from both the
2) Out-Cache.csv – Contains data from the registry and memory, and lastly, submitting the
live Registry Application Compatibility Cache hashes of uncommitted Application
data from sections 14-16. Compatibility Cache entries from Volatile
3) RegCompatCache.csv – Contains results memory to an online malware scanning
of the AppCompatCacheParser application in database in order to check for suspect files and
section 14. report results.
4) RamShimCache.csv – Contains the
sorted and ordered results of the Volatility
87
INTERNATIONAL JOURNAL OF INFORMATION SECURITY SCIENCE
K.D. Cook et al., Vol.7, No.2

The main challenges incurred during this of Computer Science and Information
project resulted from developing the tool in Technologies (IJCSIT), 3(3), 4427-33, 2012.
PowerShell, which proved to be a challenging [2] D.J. Farmer. A forensic analysis of the
task due to the integration of many distinct Windows registry. Champlain College
tools involved in our research project. Once Burlington, Vermont, 2007.
captured, parsing and manipulating the data [3] https://msdn. microsoft.com/en-
from different sources into a common format us/library/windows/desktop/ms724877(v=vs.8
sometimes proved difficult, but was almost 5).aspx, MSDN. Microsoft.Com. “Structure of
universally accomplished. the Registry”. Latest Access Time for the
This project, while serving as an example, website is 2 July 2018.
or Version 1.0 of a tool, provides many [4] https://technet.microsoft.com/en-
opportunities for enhancement and us/library/ee176771.aspx, Microsoft, “Registry
modification to benefit others. Some areas or Overview”. Latest Access Time for the
ideas to improve upon in the future are: website is March 25, 2018.
1) Obtain an enhanced API key from [5] S. Zhang, L. Wang, R. Zhang, and Q. Guo,
VirusTotal.com. The key in use in this version “Exploratory study on memory analysis of
of the tool utilizes the free key and has limits windows 7 operating system”, In Advanced
on how many inquiries can be made per Computer Theory and Engineering (ICACTE),
minute. This can be a significant issue in an 3rd International Conference on (Vol. 6, pp.
OS with many records. V6-373). IEEE, August 2010.
2) Provide a function that may allow for [6] M. H. Ligh, A. Case, J. Levy, and A. Walters.
remote execution and capturing of the image to The art of memory forensics: detecting
a remote host, thereby not writing anything to malware and threats in windows, linux, and
the target host. Mac memory. John Wiley & Sons, 2010.
3) Provide an interactive option to [7] A. Aljaedi, D. Lindskog, P. Zavarsky, R. Ruhl,
eliminate duplicate executables from the report. and F. Almari, "Comparative analysis of
4) Provide for Operating System detection volatile memory forensics: live response vs.
and therefore automatic profile setting with the memory imaging", Privacy, Security, Risk and
volatility binary. Trust (PASSAT) and 2011 IEEE Third
5) Provide for Windows Hiberfil.sys and International Conference on Social Computing
Windows Crash dump file support. (SocialCom), 2011 IEEE Third International
It is possible that given the amount of work Conference on. IEEE, 2011.
that has been completed with this version, and [8] http://nvlpubs.nist.gov/nistpubs/SpecialPublic
the opportunities for future development and ations/NIST.SP.800-61r2.pdf, NIST Special
benefit, that this project may be viewed as a Publication 800-86, Guide to Integrating
beneficial contribution in the areas of registry Forensic Techniques into Incident Response,
and memory acquisition and analysis from Latest Access Time is July 2, 2018.
within the PowerShell environment. [9] https://docs.microsoft.com/en-
us/powershell/scripting/getting-started/getting-
References started-with-windows-
powershell?view=powershell-6, Microsoft,
[1] T. Roy and A. Jain, “Windows registry
“Getting Started with Windows PowerShell”.
forensics: an imperative step in tracking data
theft via USB devices”, International Journal

88
INTERNATIONAL JOURNAL OF INFORMATION SECURITY SCIENCE
K.D. Cook et al., Vol.7, No.2

Latest Access Time for the report is July 2, “AppCompatCacheParser”. Eric Zimmerman.
2018. Latest Access Time is July 2, 2018.
[10] https://www.microsoft.com/en- [21] https://support.virustotal.com/hc/en-
us/download/details.aspx?id=50395, us/articles/115002126889-How-it-works.
“Windows PowerShell”. Latest Access Time “VirusTotal API”, VirusTotal.com. Latest
for the website is July 2, 2018. Access Time for the website is July 2, 2018.
[11] https://msdn.microsoft.com/en- [22] https://technet.microsoft.com/en-
us/library/ms714395%28v=vs.85%29.aspx, us/library/cc978714.aspx?f=255&MSPPError
“Cmdlet Overview”, Latest Access Time for =-2147217396, “Command Processor,” Latest
the website is July 2, 2018. Access Time for the website is July 2, 2018.
[12] https://docs.microsoft.com/en- [23] https://technet.microsoft.com/en-
us/powershell/module/microsoft.powershell.co us/library/cc939696.aspx, “AppInit_DLLs,”
re/about/about_pipelines?view=powershell-6, Latest Access Time is July 2, 2018.
“About Pipelines”, Latest Access Time for the [24] https://blogs.msdn.microsoft.com/mithuns/
website is July 2, 2018. 2010/03/24/image-file-execution-options-ifeo/,
[13] https://docs.microsoft.com/en- “Image File Execution Options (IFEO),”
us/powershell/module/, “About Objects”, Latest Access Time is July 2, 2018.
Latest Access Time for the website is July 2, [25] https://docs.microsoft.com/en-us/windows-
2018. hardware/drivers/install/hklm-system-
[14] microsoft.powershell.core/about/about_obj currentcontrolset-services-registry-tree,
ects?view=powershell-6, “About Objects”, Microsoft Corp., “HKLM\SYSTEM\
Latest Access Time for the website is July 2, CurrentControlSet\Services Registry Tree,”
2018. Latest Access Time for the website is July 2,
[15] https://github.com/google/rekall, “Rekall 2018.
Framework”, Latest Access Time for the [26] https://docs.microsoft.com/en-
website is July 2, 2018. us/dotnet/framework/winforms/controls/know
[16] Python. Python.org. 2016. n-folder-guids-for-file-dialog-custom-places,
[17] J. Williams, and B. McCrillis, Memory “Known Folder GUIDs for File Dialog
Forensiscs; Always Test Your Forensics Tools. Custom Places,” Latest Access Time for the
White Paper, Available: website is July 2, 2018.
https://www.renditioninfosec.com/whitepapers
/ Rendition%20InfoSec%20-
%20Memory%20Forensics %20Tool
%20Testing.pdf. 2018.
[18] http://www.volatilityfoundation.org/26.
2016, “Volatility Framework”, Latest Access
Time for the website is July 2, 2018.
[19] https://github.com/keydet89/RegRipper2.8.
2017. “Registry Ripper”, Latest Access Time
for the website is July 2, 2018.
[20] https://binaryforay.blogspot.com/2015/05/i
ntroducing-appcompatcacheparser.html,

89