Friday, January 19, 2007

SAMParse

Not too long ago, I blogged about using the Parse::Win32Registry module to parse raw Registry files, specifically the SAM file.

Since then, I've added to the code a bit, so that it retrieves not only user information but group membership information as well. In this way, it's similar to the ProDiscover ProScript I use to do the same thing, only SAMParse works on the raw Registry file, so it can be run against a SAM file exported from your image. It also works on the SAM files located in the Windows XP System Restore Points. It's a useful tool that still needs some additional testing, but for the most part it provides me with a view into a Windows system that I wouldn't otherwise have.

As a side note, I've also written a tool that parses the audit policy from the Security file, returning information similar to what you can view on a live system using auditpol.exe. When combined with other information from the Registry, this lets me know what I should expect to see in the Event Logs.

Both of these scripts, and others, are provided on the DVD that comes with my upcoming book, "Windows Forensic Analysis", due out from Syngress/Elsevier this spring. The scripts will be provided as Perl code, as well as standalone executables 'compiled' using Perl2Exe.
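To show the kind of extraction SAMParse performs, here is an added Python example that is not the author's Perl code: it decodes a constructed SAM user F value (account times, RID, ACB flags, login counts) and the username from the matching V value. The F/V offsets and the 0xCC string base assumed here follow the publicly documented SAM layout, and the sample bytes are constructed for the example, not taken from a real system.

```python
import struct
from datetime import datetime, timedelta, timezone

# Assumed layouts (publicly documented SAM format, not the author's SAMParse code):
# F: FILETIMEs at 8 (last login), 24 (pwd reset), 32 (expiry), 40 (last bad pwd);
#    RID u32 at 48, ACB flags u16 at 56, failed/total login counts u16 at 64/66.
# V: (offset, length) u32 pairs at 0x0c/0x10 name, 0x18/0x1c full name, 0x24/0x28
#    comment; offsets are relative to 0xCC and the strings are UTF-16LE.
ACB_FLAGS = {0x0001: "Account Disabled", 0x0004: "Password not required",
             0x0010: "Normal user account", 0x0200: "Password does not expire",
             0x0400: "Account auto locked"}
WINDOWS_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_utc(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) to datetime; 0 means 'never'."""
    return None if ft == 0 else WINDOWS_EPOCH + timedelta(microseconds=ft // 10)

def parse_f_value(f):
    """Return the account metadata held in a SAM user F value."""
    if len(f) < 68:
        raise ValueError("F value too short: %d bytes" % len(f))
    acb = struct.unpack_from("<H", f, 56)[0]
    return {
        "last_login": filetime_to_utc(struct.unpack_from("<Q", f, 8)[0]),
        "pwd_reset": filetime_to_utc(struct.unpack_from("<Q", f, 24)[0]),
        "acct_expires": filetime_to_utc(struct.unpack_from("<Q", f, 32)[0]),
        "last_bad_pwd": filetime_to_utc(struct.unpack_from("<Q", f, 40)[0]),
        "rid": struct.unpack_from("<I", f, 48)[0],
        "acb_flags": [n for b, n in sorted(ACB_FLAGS.items()) if acb & b],
        "failed_logins": struct.unpack_from("<H", f, 64)[0],
        "login_count": struct.unpack_from("<H", f, 66)[0],
    }

def parse_v_value(v):
    """Return the name strings held in a SAM user V value (empty if absent)."""
    out = {}
    for key, pos in (("name", 0x0c), ("fullname", 0x18), ("comment", 0x24)):
        off, ln = struct.unpack_from("<II", v, pos)
        out[key] = v[0xCC + off:0xCC + off + ln].decode("utf-16-le") if ln else ""
    return out

def sample_user():
    """Constructed F/V pair (not from a real system): RID 1000, disabled account."""
    f = bytearray(80)
    struct.pack_into("<Q", f, 8, 128136384000000000)  # last login 2007-01-19 00:00 UTC
    struct.pack_into("<I", f, 48, 1000)                # RID
    struct.pack_into("<H", f, 56, 0x0211)              # Disabled | Normal | Pwd never expires
    struct.pack_into("<HH", f, 64, 3, 42)              # 3 failed logins, 42 logins
    name = "jdoe".encode("utf-16-le")
    v = bytearray(0xCC) + name                         # header, then string area at 0xCC
    struct.pack_into("<II", v, 0x0c, 0, len(name))     # name at string offset 0
    return bytes(f), bytes(v)
```

Run against real data, the two functions are fed the F and V values read from SAM\Domains\Account\Users\<RID> with a Registry parser; the zeroed FILETIMEs in the sample show how "never" is reported.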

6 comments:

Bill Ethridge said...

H

I have the original parse module from CPAN. Is the code you added available?

Forgive me if I missed the link somewhere.

And is the audit policy tool out there?

Bill

H. Carvey said...

Bill,

Per the link at the beginning of this blog entry, I've taken a new approach to parsing the raw Registry files. Where the Offline Registry Parser (available on the SourceForge site) is still extremely useful in that it parses through the file and dumps the contents, the newer files (such as SAMParse) target specific values. This is not only meant as a data reduction technique, but to also specifically treat some of the data. None of what SAMParse outputs is in ASCII format in the raw Registry file...it's all binary and needs to be parsed into human-readable form. The same holds true with parsing the Security file for the audit policy.

And is the audit policy tool out there?

Not yet. Right now, most of my spare time is spent working on the book.

I will say, however, that one of the frustrating things about providing tools such as this is not getting an acknowledgement of receipt, a simple "thank you", or any feedback on the use of the tool.

Bill Ethridge said...

You must not have teenagers Harlan, or you'd be used to that feeling.

Err... Thanks for the response. Heck, I'm still experimenting with FSP and the tools that come with your first book, much less ready to get the second one. So many utilities to test, accept and be able to PROVE what they do in court, so little time.

B

H. Carvey said...

You must not have teenagers...

Actually, I do. But cops aren't teenagers. And my teenager does say "thank you".

...so many utilities to test , accept and be able to PROVE what they do in court...

Oh, this is the easy part. The data is right there in the raw Registry file, in binary format. The Perl modules and scripts simply extract it into human-readable form, based on data available from the MS site and others.

Bill Ethridge said...

"The data is right there in the raw Registry file, in binary format. The Perl modules and scripts simply extract it into human-readable form, based on data available from the MS site and others."

Hence the need, and I feel the wisdom, of tools you write yourself or at least understand the code behind, rather than canned utilities where you have no idea what is going on behind the scenes.

"cops aren't teenagers"

No; and no one in ANY profession should be above common and professional manners, but alas...


"my teenager does say "thank you""

So do mine, most of the time. But I can't say that's a prevalent attitude among their peers. I conduct special courses at county high schools where the kids get to build their own computer, and keep it after the class is done. The experience has made me glad I'm not a full-time teacher. Even the grad students I have in an online CF course ask tons of questions and want to use a lot of time on advice and direction, and hardly ever acknowledge any of it.

Unknown said...

Oooooo, an upcoming book! I now know what to spend my Barnes & Noble gift cards on! =)