Thursday, February 17, 2011

Dumpy Goodness

OK...I know the title sounds a bit wonky, but I really think a lot of you are going to find this post interesting and useful.

So...in my quest to be ever more efficient in my volatile data acquisition I stumbled upon (thanks to Harlan and Troy) a tool that is resident to Windows systems that has proved to be extremely helpful. It's called reg.exe, and it's pretty freaking sweet.

Normally, when extracting volatile data from a Windows system, I would dump RAM, run my volatile collection script, then fire up FTK Imager (usually together with F-Response when working against a live system) and manually extract the registry hives and ntuser.dat files. I thought this was pretty efficient, but it always bothered me that I could not script the process. I mean, how quick and easy would it be if my data collection script dumped RAM, gathered volatile data, extracted the registry hives and ntuser.dat files, AND...for good measure...ripped them for me with RegRipper!

That would not only save me time, but it'd be freaking sweet...so I set my mind to figuring this problem out. After a couple of days of poking around and trial and error, I got it to work! So, here's how...

reg.exe is present on every Windows release I have in my lab (2000, XP, 7, Vista, Server 2003, and Server 2008), but just to be safe, I copied it from my lab XP system into the directory that holds the rest of my tools. Scripted into my batch file, it looks like this...

@REM Save the four HKLM hives as raw hive files and hash each one as it lands
@ECHO Dumping Registry Hives
@ECHO Dumping SAM Hive
@reg save HKLM\SAM %DST%\%NAME%\vol\%NAME%_SAM_Hive
@md5deep.exe -b %DST%\%NAME%\vol\%NAME%_SAM_Hive > %DST%\%NAME%\vol\%NAME%_SAM_Hive.md5

@ECHO Dumping SYSTEM Hive
@reg save HKLM\SYSTEM %DST%\%NAME%\vol\%NAME%_SYSTEM_Hive
@md5deep.exe -b %DST%\%NAME%\vol\%NAME%_SYSTEM_Hive > %DST%\%NAME%\vol\%NAME%_SYSTEM_Hive.md5

@ECHO Dumping SECURITY Hive
@reg save HKLM\SECURITY %DST%\%NAME%\vol\%NAME%_SECURITY_Hive
@md5deep.exe -b %DST%\%NAME%\vol\%NAME%_SECURITY_Hive > %DST%\%NAME%\vol\%NAME%_SECURITY_Hive.md5

@ECHO Dumping SOFTWARE Hive
@reg save HKLM\SOFTWARE %DST%\%NAME%\vol\%NAME%_SOFTWARE_Hive
@md5deep.exe -b %DST%\%NAME%\vol\%NAME%_SOFTWARE_Hive > %DST%\%NAME%\vol\%NAME%_SOFTWARE_Hive.md5

@DELAY.EXE %DELAY%

@REM Parse each saved hive with RegRipper; -f selects the plugins file that matches the hive
@ECHO Ripping SAM Hive
@rip.exe -r %DST%\%NAME%\vol\%NAME%_SAM_Hive -f sam > %DST%\%NAME%\vol\%NAME%_SAM_Hive_ripped.txt

@ECHO Ripping SYSTEM Hive
@rip.exe -r %DST%\%NAME%\vol\%NAME%_SYSTEM_Hive -f system > %DST%\%NAME%\vol\%NAME%_SYSTEM_Hive_ripped.txt

@ECHO Ripping SOFTWARE Hive
@rip.exe -r %DST%\%NAME%\vol\%NAME%_SOFTWARE_Hive -f software > %DST%\%NAME%\vol\%NAME%_SOFTWARE_Hive_ripped.txt

@ECHO Ripping SECURITY Hive
@rip.exe -r %DST%\%NAME%\vol\%NAME%_SECURITY_Hive -f security > %DST%\%NAME%\vol\%NAME%_SECURITY_Hive_ripped.txt

Nice huh! So now, you can add this little snippet to your own volatile collection script. For more on reg.exe, you can also just run "reg /?"...

C:\tools>reg /?

Console Registry Tool for Windows - version 3.0
Copyright (C) Microsoft Corp. 1981-2001. All rights reserved


REG Operation [Parameter List]

Operation [ QUERY | ADD | DELETE | COPY |
SAVE | LOAD | UNLOAD | RESTORE |
COMPARE | EXPORT | IMPORT ]

Return Code: (Except of REG COMPARE)

0 - Succussful
1 - Failed

For help on a specific operation type:

REG Operation /?

Examples:

REG QUERY /?
REG ADD /?
REG DELETE /?
REG COPY /?
REG SAVE /?
REG RESTORE /?
REG LOAD /?
REG UNLOAD /?
REG COMPARE /?
REG EXPORT /?
REG IMPORT /?

As you can see from my script, I used reg save...

C:\tools>reg save /?

Console Registry Tool for Windows - version 3.0
Copyright (C) Microsoft Corp. 1981-2001. All rights reserved


REG SAVE KeyName FileName

KeyName ROOTKEY\SubKey
ROOTKEY [ HKLM | HKCU | HKCR | HKU | HKCC ]
SubKey The full name of a registry key under the selected ROOTKEY
FileName The name of the disk file to save. If no path is specified, the
file is created in the current folder of the calling process

Examples:

REG SAVE HKLM\Software\MyCo\MyApp AppBkUp.hiv
Saves the hive MyApp to the file AppBkUp.hiv in the current folder

***Remember...I am running this against a LIVE system! As far as I know, without either using reg.exe or something like FTK Imager, you cannot access the registry hives from a live system.***
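One thing worth adding to the script once the hives are on disk is a check that each saved file really is a complete hive before rip.exe is pointed at it. The following is an added example, not code from the post or from RegRipper: it reads the regf base block that reg save writes and verifies the signature, that the primary and secondary sequence numbers agree, that the header checksum (the XOR of the 127 DWORDs that precede it) matches, and that the file actually contains the hive bins the header promises; it also compares the hive against the .md5 sidecar that md5deep wrote. make_sample_hive builds a constructed, minimal image so the script runs without a Windows box; the field offsets are the documented regf layout.

```python
import hashlib
import struct

BASE_BLOCK = 0x1000        # the regf base block occupies one 4 KiB page
CHECKSUM_OFF = 0x1FC       # checksum covers the 127 DWORDs before this field


def regf_checksum(base_block: bytes) -> int:
    """XOR of the 127 little-endian DWORDs that precede the checksum field.
    The kernel remaps the two reserved results, so mirror that here."""
    acc = 0
    for (dword,) in struct.iter_unpack("<I", base_block[:CHECKSUM_OFF]):
        acc ^= dword
    if acc == 0xFFFFFFFF:
        return 0xFFFFFFFE
    if acc == 0:
        return 1
    return acc


def check_hive(data: bytes) -> dict:
    """Sanity-check a file produced by 'reg save'. Returns the interesting
    header fields plus a list of problems; an empty list means the file
    looks like a clean, complete primary hive."""
    problems = []
    if len(data) < BASE_BLOCK:
        return {"name": "", "problems": ["shorter than the 4096-byte base block"]}
    seq1, seq2 = struct.unpack_from("<II", data, 0x04)
    major, minor, ftype, fmt = struct.unpack_from("<IIII", data, 0x14)
    hbins_size = struct.unpack_from("<I", data, 0x28)[0]
    stored = struct.unpack_from("<I", data, CHECKSUM_OFF)[0]
    # the name field holds the tail of the hive's on-disk path, UTF-16LE
    name = data[0x30:0x70].decode("utf-16-le", "replace").rstrip("\x00")
    if data[:4] != b"regf":
        problems.append("missing 'regf' signature (not a hive file)")
    if seq1 != seq2:
        problems.append(f"sequence numbers differ ({seq1} != {seq2}): hive not cleanly written")
    if major != 1:
        problems.append(f"unexpected major version {major}")
    if ftype != 0:
        problems.append(f"file type {ftype} is not a primary hive (0)")
    if stored != regf_checksum(data):
        problems.append("base block checksum mismatch (header corrupted or truncated)")
    if len(data) < BASE_BLOCK + hbins_size:
        problems.append(f"truncated: header promises {hbins_size} hbin bytes, "
                        f"file holds {len(data) - BASE_BLOCK}")
    elif hbins_size >= 4 and data[BASE_BLOCK:BASE_BLOCK + 4] != b"hbin":
        problems.append("first hbin signature missing")
    return {"name": name, "version": f"{major}.{minor}",
            "hbins_size": hbins_size, "problems": problems}


def verify_md5_sidecar(hive_bytes: bytes, sidecar_text: str) -> bool:
    """Compare a hive against the 'hash  filename' line md5deep wrote next to it."""
    expected = sidecar_text.split()[0].lower()
    return hashlib.md5(hive_bytes).hexdigest() == expected


def make_sample_hive(name: str = "SYSTEM") -> bytes:
    """Constructed test image: a valid base block followed by one empty hbin.
    It only exercises the checks above; it is not a real hive."""
    hdr = bytearray(BASE_BLOCK)
    hdr[0:4] = b"regf"
    struct.pack_into("<II", hdr, 0x04, 7, 7)              # primary == secondary sequence
    struct.pack_into("<IIII", hdr, 0x14, 1, 5, 0, 1)      # major 1, minor 5, primary, format 1
    struct.pack_into("<III", hdr, 0x24, 0x20, 0x1000, 1)  # root cell, hbins size, clustering
    hdr[0x30:0x70] = name.encode("utf-16-le").ljust(0x40, b"\x00")
    struct.pack_into("<I", hdr, CHECKSUM_OFF, regf_checksum(bytes(hdr)))
    hbin = bytearray(0x1000)
    hbin[0:4] = b"hbin"
    struct.pack_into("<II", hbin, 0x04, 0, 0x1000)        # offset from first hbin, size
    return bytes(hdr + hbin)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                      # real use: check_hive.py HOST_SAM_Hive
        data = open(sys.argv[1], "rb").read()
    else:                                      # demo on the constructed image
        data = make_sample_hive("SAM")
    print(check_hive(data))
    damaged = bytearray(data)
    damaged[0x100] ^= 0xFF                     # one flipped byte breaks the checksum
    print(check_hive(bytes(damaged))["problems"])
```

Run it against each *_Hive file before the rip step; a non-empty problems list (or a failed sidecar comparison) is the cue to re-run reg save rather than trust a partial dump.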

Now, you would pretty much repeat the same process for ntuser.dat files, only instead of HKLM and the hive name you would use HKU followed by a backslash and the SID of the specific user. Here is what the syntax looks like for the admin account on my XP box...

c:\tools>reg save hku\S-1-5-21-746137067-1547161642-839522115-500 outputfile.dat
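Rather than hard-coding one SID, a collection script can enumerate whatever HKU currently holds. The following is an added example, not from the post: it parses the output of "reg query HKU" (a constructed sample is embedded, built from the admin SID in the post plus a made-up second user with RID 1004), keeps only S-1-5-21 account SIDs, skips the service SIDs, .DEFAULT and the <SID>_Classes keys, and builds the matching reg save commands in the same <DST>\<NAME>\vol layout as the batch file. The caveat that makes this worth automating: HKU only contains the hives of profiles that are currently loaded, so accounts that are not logged on are not there, and their NTUSER.DAT files still have to be pulled the way the post describes, with FTK Imager/F-Response against the profile directory.

```python
import re
import subprocess

# Constructed sample of what 'reg query HKU' prints on a live XP box: the
# author's admin SID from the post plus a made-up second user (RID 1004).
SAMPLE_REG_QUERY_HKU = """
HKEY_USERS\\.DEFAULT
HKEY_USERS\\S-1-5-19
HKEY_USERS\\S-1-5-20
HKEY_USERS\\S-1-5-21-746137067-1547161642-839522115-500
HKEY_USERS\\S-1-5-21-746137067-1547161642-839522115-500_Classes
HKEY_USERS\\S-1-5-21-746137067-1547161642-839522115-1004
HKEY_USERS\\S-1-5-18
"""

# Local/domain account SIDs look like S-1-5-21-<three sub-authorities>-<RID>.
# Service SIDs (S-1-5-18/19/20), .DEFAULT and the <SID>_Classes keys are not
# NTUSER.DAT hives, so the anchored pattern leaves them out.
USER_SID = re.compile(r"^HKEY_USERS\\(S-1-5-21(?:-\d+){4})$")


def user_sids(reg_query_output: str) -> list:
    """Pull the per-user SIDs out of 'reg query HKU' output, in listing order."""
    sids = []
    for line in reg_query_output.splitlines():
        m = USER_SID.match(line.strip())
        if m:
            sids.append(m.group(1))
    return sids


def save_commands(sids, dst: str, name: str) -> list:
    """Build one 'reg save' argv per loaded user hive, using the same
    <DST>\\<NAME>\\vol\\<NAME>_... layout as the collection script."""
    cmds = []
    for sid in sids:
        out = f"{dst}\\{name}\\vol\\{name}_{sid}_ntuser.dat"
        cmds.append(["reg", "save", f"HKU\\{sid}", out])
    return cmds


def dump_loaded_user_hives(dst: str, name: str, listing=None, execute=False) -> list:
    """Enumerate HKU and save every loaded user hive. 'listing' lets a caller
    pass captured output (or the sample above) for offline review; when it is
    None the live 'reg query HKU' is run. Nothing is saved unless execute=True,
    so the argv lists can be logged before anything touches the target."""
    if listing is None:
        listing = subprocess.run(["reg", "query", "HKU"], capture_output=True,
                                 text=True, check=True).stdout
    cmds = save_commands(user_sids(listing), dst, name)
    if execute:
        for argv in cmds:
            subprocess.run(argv, check=True)
    return cmds


if __name__ == "__main__":
    # dry run on the constructed listing; on a live box call with listing=None, execute=True
    for argv in dump_loaded_user_hives("E:\\cases", "HOST1", listing=SAMPLE_REG_QUERY_HKU):
        print(" ".join(argv))
```

Each saved file can then be handed to rip.exe with -f ntuser exactly like the HKLM hives, and the same md5deep line from the batch file applies.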

Now, this may be "old news" to some of you, but I will tell you that for me...and I have been doing this for about seven years now...I had not heard of or used reg.exe until this week. AND, I have never seen it scripted before as part of a volatile collection script. That's not to say that it hasn't been done already, just that I have not seen it.

So...now, you can easily write a batch file that will dump RAM, grab volatile data, copy the registry hives and parse them, and copy ntuser.dat files and parse them. Total time saver!

Enjoy!

Happy Hunting!

1 comment:

  1. Wow! I've been looking for this information all day. I'm going to test this out and get back to you. I can't believe you don't have any more comments about this because if it works it's exactly what I'm looking for. I'll get back to you after my trials.
