Wednesday, November 12, 2008

More Deleted Keys Goodness!

I was performing some analysis recently, and ran across some real analysis goodness.

First off, I was using my usual tools to parse and analyze Windows Event Logs, and was getting a warning that some of the logs were corrupted. First, the auditpol RegRipper plugin made it clear what was being audited and logged on the system I was analyzing, and then the evtrpt tool was providing me with statistics about the total number of event records, frequency of event IDs and sources, and the date range of all event records. All of this information can give an analyst considerable insight into the content of the Event Logs before I even open them. At that point, I used a modified version of evt2xls to parse the Event Logs into Excel spreadsheet format, and then performed my analysis. Note: is an excellent resource to have handy when doing this sort of analysis, and well worth the annual subscription fee.

So, in the Security Event Log on one system, I saw that a user account had been used to create, modify (i.e., add that account to the Local Adminstrators group), and then delete that user account. Of course, the account had been deleted, but I found no other indications that the account had even existed (user profile, etc.), not even in the SAM Registry hive file. So I pulled out JT's code and ran it against the hive file, and presto! There was the deleted key, extracted from unallocated space within the hive file, and I two source of time data with which I could correlate the events.

In another Security Event Log, from another system, I could see where a user account was accessing the Service Control Manager on a system repeatedly, starting and stopping the PSExeSVC service. However, the System hive file from that host showed no indications of the service...until I ran JT's code on it! Again, I had timestamped data from the Event Log that I could then correlate with the LastWrite time from the deleted Registry key.

I have to say that JT did a great job with her code, which she put together as part of her master's thesis from the University of Liverpool. At her request, I will be posting her code to, and including it in and along with the second edition of Windows Forensic Analysis.

While we're on the subject of the Registry, a good friend of mine contacted me last week with an issue. Apparently, he was working on an examination in which a key factor of the case was determining if and when the user had uninstalled Firefox. According to him, "...install and uninstall dates of programs are of great interest. This will also show destruction of evidence and add additional charges to cases. It also increases sentences sometime by 2x." To help him out, I wrote a plugin that would parse the default browser information from the Registry, but then I compiled the (as-yet-unreleased, still-private, not-even-in-beta) ripxp code, which he used, said that it worked like a champ!

All in all, this is very cool, truly awesome stuff! While this sort of thing doesn't solve every problem, it does add an entirely new capability to the analyst's toolkit, providing answers to new (and in some cases, as yet unasked) questions!

No comments: