Wednesday, February 23, 2011

Named Top 25 Blog!

I was just informed that TheDigitalStandard was named one of the top 25 Forensics blogs! Nice!

This distinction comes from http://www.criminaljusticedegreeschools.com/top-forensics-blogs/.

Thank you! Notice a couple of other names in the computer forensics world? Namely Harlan and Grayson...great work fellas!


Monday, February 21, 2011

Thursday, February 17, 2011

Dumpy Goodness

OK...I know the title sounds a bit wonky, but I really think a lot of you are going to find this post interesting and useful.

So...in my quest to be ever more efficient in my volatile data acquisition I stumbled upon (thanks to Harlan and Troy) a tool that is resident to Windows systems that has proved to be extremely helpful. It's called reg.exe, and it's pretty freaking sweet.

Normally, when extracting volatile data from a Windows system, I would dump RAM, run my volatile collection script, then fire up FTK Imager (usually in conjunction with F-Response if against a live system) and manually extract the registry hives and ntuser.dat files. I thought this was pretty efficient, but it always bothered me that I could not script the process. I mean, how quick and easy would it be if my data collection script dumped RAM, gathered volatile data, extracted the registry hives and ntuser.dat files, AND...for good measure...ripped them for me with RegRipper!

That would not only save me time, but it'd be freaking sweet...so I set my mind to figuring this problem out. After a couple of days of poking around and trial and error, I got it to work! So, here's how...

reg.exe is resident to all Windows releases that I have in my lab (2000, XP, 7, Vista, Server 2003, and Server 2008), but just to be safe, I copied it from my lab XP system to the same directory as all of my tools. Then, when I scripted it into my batch file, it looks like this...

@REM %DST%, %NAME% and %DELAY% are set earlier in the collection script.
@REM Each hive is saved with reg save, hashed with md5deep, then parsed with RegRipper (rip.exe).
@ECHO Dumping Registry Hives
@ECHO Dumping SAM Hive
@reg save HKLM\SAM %DST%\%NAME%\vol\%NAME%_SAM_Hive
@md5deep.exe -b %DST%\%NAME%\vol\%NAME%_SAM_Hive > %DST%\%NAME%\vol\%NAME%_SAM_Hive.md5

@ECHO Dumping SYSTEM Hive
@reg save HKLM\SYSTEM %DST%\%NAME%\vol\%NAME%_SYSTEM_Hive
@md5deep.exe -b %DST%\%NAME%\vol\%NAME%_SYSTEM_Hive > %DST%\%NAME%\vol\%NAME%_SYSTEM_Hive.md5

@ECHO Dumping SECURITY Hive
@reg save HKLM\SECURITY %DST%\%NAME%\vol\%NAME%_SECURITY_Hive
@md5deep.exe -b %DST%\%NAME%\vol\%NAME%_SECURITY_Hive > %DST%\%NAME%\vol\%NAME%_SECURITY_Hive.md5

@ECHO Dumping SOFTWARE Hive
@reg save HKLM\SOFTWARE %DST%\%NAME%\vol\%NAME%_SOFTWARE_Hive
@md5deep.exe -b %DST%\%NAME%\vol\%NAME%_SOFTWARE_Hive > %DST%\%NAME%\vol\%NAME%_SOFTWARE_Hive.md5

@DELAY.EXE %DELAY%

@REM The -f switch selects the RegRipper plugin file matching the hive type.
@ECHO Ripping SAM Hive
@rip.exe -r %DST%\%NAME%\vol\%NAME%_SAM_Hive -f sam > %DST%\%NAME%\vol\%NAME%_SAM_Hive_ripped.txt

@ECHO Ripping SYSTEM Hive
@rip.exe -r %DST%\%NAME%\vol\%NAME%_SYSTEM_Hive -f system > %DST%\%NAME%\vol\%NAME%_SYSTEM_Hive_ripped.txt

@ECHO Ripping SOFTWARE Hive
@rip.exe -r %DST%\%NAME%\vol\%NAME%_SOFTWARE_Hive -f software > %DST%\%NAME%\vol\%NAME%_SOFTWARE_Hive_ripped.txt

@ECHO Ripping SECURITY Hive
@rip.exe -r %DST%\%NAME%\vol\%NAME%_SECURITY_Hive -f security > %DST%\%NAME%\vol\%NAME%_SECURITY_Hive_ripped.txt

Nice, huh? So now you can add this little snippet to your own volatile collection script. For more on reg.exe, you can also just run "reg /?"...

C:\tools>reg /?

Console Registry Tool for Windows - version 3.0
Copyright (C) Microsoft Corp. 1981-2001. All rights reserved


REG Operation [Parameter List]

  Operation  [ QUERY | ADD | DELETE | COPY |
               SAVE | LOAD | UNLOAD | RESTORE |
               COMPARE | EXPORT | IMPORT ]

Return Code: (Except of REG COMPARE)

0 - Succussful
1 - Failed

For help on a specific operation type:

REG Operation /?

Examples:

REG QUERY /?
REG ADD /?
REG DELETE /?
REG COPY /?
REG SAVE /?
REG RESTORE /?
REG LOAD /?
REG UNLOAD /?
REG COMPARE /?
REG EXPORT /?
REG IMPORT /?

As you can see from my script, I used reg save...

C:\tools>reg save /?

Console Registry Tool for Windows - version 3.0
Copyright (C) Microsoft Corp. 1981-2001. All rights reserved


REG SAVE KeyName FileName

  KeyName    ROOTKEY\SubKey
    ROOTKEY  [ HKLM | HKCU | HKCR | HKU | HKCC ]
    SubKey   The full name of a registry key under the selected ROOTKEY
  FileName   The name of the disk file to save. If no path is specified, the
             file is created in the current folder of the calling process

Examples:

REG SAVE HKLM\Software\MyCo\MyApp AppBkUp.hiv
Saves the hive MyApp to the file AppBkUp.hiv in the current folder

***Remember...I am running this against a LIVE system! As far as I know, without either using reg.exe or something like FTK Imager, you cannot access the registry hives from a live system.***

Now, you would pretty much repeat the same process for ntuser.dat files, only instead of entering the hive information, you would use HKU (instead of HKLM) followed by a backslash and the SID of the specific user. Here is what the syntax looks like for the admin account on my XP box...

c:\tools>reg save hku\S-1-5-21-746137067-1547161642-839522115-500 outputfile.dat
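As an added example (not from the original post), the batch fragment below generalizes the single-SID command above: it enumerates every per-user SID currently loaded under HKU and saves, hashes and rips each NTUSER hive using the %DST% and %NAME% variables and the reg.exe, md5deep.exe and rip.exe tools from the post's script. Note that only loaded profiles appear under HKU, so the ntuser.dat of a user who is not logged on at collection time still has to be pulled from disk.

```batch
@ECHO OFF
REM Added example, not from the original post: dump every NTUSER hive
REM currently loaded under HKU, one reg save per user SID.
REM Assumes %DST% and %NAME% are set earlier in the collection script and
REM that reg.exe, md5deep.exe and rip.exe sit in the tools directory.
REM Only loaded profiles are listed under HKU; users who are not logged on
REM at collection time will not show up here.

REM reg query HKU prints one line per loaded hive, for example:
REM   HKEY_USERS\S-1-5-21-746137067-1547161642-839522115-500
REM Keep only S-1-5-21-* user SIDs (drops .DEFAULT and the S-1-5-18/19/20
REM service accounts) and skip the matching *_Classes hives.
REM "delims=\" splits each line on the backslash, so token 2 is the bare SID.
FOR /F "tokens=2 delims=\" %%S IN ('reg query HKU ^| findstr /B /C:"HKEY_USERS\S-1-5-21-" ^| findstr /V /C:"_Classes"') DO (
    ECHO Dumping NTUSER hive for SID %%S
    reg save HKU\%%S %DST%\%NAME%\vol\%NAME%_%%S_NTUSER.dat
    md5deep.exe -b %DST%\%NAME%\vol\%NAME%_%%S_NTUSER.dat > %DST%\%NAME%\vol\%NAME%_%%S_NTUSER.dat.md5

    ECHO Ripping NTUSER hive for SID %%S
    rip.exe -r %DST%\%NAME%\vol\%NAME%_%%S_NTUSER.dat -f ntuser > %DST%\%NAME%\vol\%NAME%_%%S_NTUSER_ripped.txt
)
```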

Now, this may be "old news" to some of you, but I will tell you that for me...and I have been doing this for about seven years now...I had not heard of or used reg.exe until this week. AND, I have never seen it scripted before as part of a volatile collection script. It's not to say that it hasn't been done already, just that I have not seen it.

So...now, you can easily write a batch file that will dump RAM, grab volatile data, copy the registry hives and parse them, and copy ntuser.dat files and parse them. Total time saver!

Enjoy!

Happy Hunting!

Monday, February 14, 2011

Windows Registry Forensics Released!

I received my copy of Harlan Carvey's, "Windows Registry Forensics" over the weekend and I am really excited to start reading it!

The registry is a GOLD MINE of forensic artifacts that can really put some teeth in your investigations. If you do not have this book yet, BUY IT!!! Harlan has not disappointed yet with any of his published works, and I don't expect this will be any different.

Look for a book review from me in the coming weeks. But seriously, if you are doing forensic investigations on Windows systems, and you don't yet have a copy of this book, you are really missing something. You have NO IDEA how useful this information can be!

Friday, January 21, 2011

Sniper Forensics Part 2 Posted

I have posted part two of Sniper Forensics to the SpiderLabs Anterior blog.

Check it out! Great stuff! (or at least I think so)

Wednesday, January 19, 2011

SpiderLabs Anterior - Sniper Forensics

Sniper Forensics: Part 1

I have recently blogged about the Sniper Forensics methodology at the SpiderLabs Anterior blog...which is THE official blog of the Trustwave SpiderLabs. Check it out!

Tuesday, November 16, 2010

Sniper Forensics Videos!

The kind folks at SecTor just posted the videos from SecTor 2010! ALSO, there is a link there for the videos from 2009.

If you have not had a chance to see either of the Sniper Forensics talks, now is your chance to download the videos or the slide decks!