Wednesday, August 2, 2017

Visual Studio registry artifacts – part 1 – find & replace #dfir

When you use Visual Studio it leaves a lot behind that is valuable to an investigator. A valuable trove of information may exist. We are going to review briefly the “Find and Replace” history that gets left behind.

Find and Replace

 

Registry location

“…\Software\Microsoft\VisualStudio\<version #>\Find”

Below you can my see Find history.

 

 

 

 

 

 

 

 

Why is it there? When you open the “ctrl+f” find window you can see text you searched for and it’s likely just pulling from the list of key’s in the registry. Notice above “listBoxControl1” shows up in the registry and the drop-down in Visual Studio 2015.

 

 

 

 

 

 

 

Where to find the “Find & Replace” history

I have not found any differences to the the way the history was stored in 2017 vs 2015 other than it is outside the standard user hive in Visual Studio 2017. See below that 2017 keeps it’s own registry hive!

Visual Studio 2015 and prior

The history for “Find & Replace” is kept in “C:\Users\<username>\NTUSER.DAT”

 

Visual Studio 2017

In Visual Studio 2017 Micros*ft moved the registry entries off into a separate regf (hive) called “privateregistry.bin”. I’m guessing this change is for cross platform compatibility?

The hive path in my configuration is “C:\Users\<username>\AppData\Local\Microsoft\VisualStudio\15.0_3baffadb\privateregistry.bin”

 

 

*My configuration for testing is Visual Studio 2017 on Windows 10 Pro.

Wrapping up

When reconstructing user activity it’s important to think through all the possible sources of useful information. A lot of people write code these days and Visual Studio is a popular tool due to it’s great IDE and it is free to use. The possible scenario’s for why a user was using Visual Studio are numerous, from writing malicious software to source code re-use. Hopefully this helps in the quest to answer “what were they up to” next time you are looking.

*For registry analysis I recommend RegistryExplorer.

Enjoy!

Dave


by Dave via EasyMetaData

No comments:

Post a Comment