Monday, October 06, 2008

New Registry Analysis Tools

As I mentioned earlier, James Macfarlane has released an update to his Parse::Win32Registry Perl module. In order to install the module, I simply downloaded the .tar.gz file, extracted everything, and copied the contents of the lib directory in the tarball to my C:\Perl\site\lib directory. Yep, that's it.

James have been nice enough to include a number of useful utilities to demonstrate the new capabilities of his modules...some of those new utilities are:

- regstats.pl - gives you statistics about a file, such as the number of keys and values, with an option to show the number of different value types
- regtimeline.pl - prints a timeline of all Registry key LastWrite times
- regexport.pl - exports the Registry hive file (or part of it) as a .reg file

One of the most interesting tools James included with his updates is regscan.pl, which parses through a Registry hive file, identifying different cells. However, instead of following the various links between cells, regscan.pl simply parses through the binary hive file one cell at a time. Running the script produces some interesting output:

0x38cd48 1 nk $$$PROTO.HIV\ControlSet003\Control\Nls\MUILanguage\RCV2\
umaxu40.dll [2004-08-23T21:24:25Z]
0x38cda8 1 vk 0 (REG_BINARY) = 00 00 28 0a 01 00 05 00
0x38cdc8 1 ..
0x38cdd8 1 vk 1 (REG_BINARY) = ab c4 e9 4c d8 fd a5 7c de 59 ff 05 93 9e 87 ba 02
0a e6 17 27 02 f9 a3 42 27 95 a0 61 0e 66 fd

Pretty cool, eh? Probably not...doesn't look very useful, does it? Well, see that "1" following the offset? That tells you whether the key or value is "in use"; that is, is it in allocated or unallocated space within the hive file? Sound interesting? Check it out...running the following command:

C:\Perl>regscan.pl d:\cases\system | find "0 nk"

...showed me a list of all of the Registry keys found to NOT be in use in the hive file! Basically, what this script and command line are showing me are a list of deleted keys in the hive file. Here's an excerpt of the output:

0x1ef020 0 nk (Invalid Parent Key)\04 [2004-08-18T00:39:36Z]
0x1f0020 0 nk (Invalid Parent Key)\Security [2004-08-18T00:32:16Z]
0x1f2020 0 nk $$$PROTO.HIV\ControlSet001\Enum\Root\LEGACY_DCOMLAUNCH
\0000\Services\SCardDrv [2004-08-23T21:34:10Z]

Notice that the first two keys don't have their full paths traced all the way back to the root key, but the last one does.

Pretty neat stuff, eh? I'm considering including the use of regscan.pl in my SANS Forensic Summit presentation demos, but I'm not sure if the usefulness of this type of information will really be apparent...what do you think?

No comments: