Wednesday, April 01, 2009

Extending Your Reach

As a consultant, one of the things I have always struggled with is an enterprise capability. Often, I'll go on-site for an organization, and the systems that are in-scope for the incident may potentially be the entire infrastructure, ranging from several hundred systems in a data center to several thousand systems across a city, state, or country.

In such instances, tools such as F-Response EE are lifesavers!

However, a full forensic capability isn't always what's necessary. Take the Command Line Kung Fu blog for example...episode 16 has the infamous Ed Skoudis showing us an excellent example of how to use tools inherent to Windows systems to check whether the patch for MS08-067 has been installed. Ed's WMIC command line is:

C:\>wmic qfe where hotfixid="KB958644" list full

Run that on your own system and see what you get. WMIC makes use of the WMI classes, in this case, the QuickFixEngineering class.

As a side note, if you're a Perl freak (like me), or if you just want to add some error checking or nice formatting to the output you get from the WMI class query, be sure to look at the MS Script Center repository of sample Perl code. This is a great place to start...for the most part, getting the code working is simply a matter of cut-and-paste. Also, there's a good deal of code on the Windows Forensic Analysis DVD that uses WMI, so you've got another resource available.
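As an added example (not from this post or the MS Script Center), here is a small Perl script that wraps the same Win32_QuickFixEngineering query Ed's WMIC line uses, adds error checking, and runs it against a list of hosts; the KB id and host names are command-line arguments, and it assumes Win32::OLE is installed and the account running it has WMI access to the target hosts.

```perl
#!/usr/bin/perl
# Added example: check one or more hosts for a given hotfix via WMI.
# Not code from the original post; assumes Win32::OLE and WMI access.
use strict;
use warnings;
use Win32::OLE qw(in);

# Usage: qfe_check.pl KB958644 host1 host2 ...   ('.' = local machine)
my $kb    = shift @ARGV || 'KB958644';
my @hosts = @ARGV ? @ARGV : ('.');

# The KB id is interpolated into WQL, so only accept the expected shape
die "KB id must look like KB123456\n" unless $kb =~ /^KB\d+$/i;

# Returns (status, detail): status is 'installed', 'missing' or 'error'
sub check_patch {
    my ($host, $hotfix) = @_;
    my $wmi = Win32::OLE->GetObject(
        "winmgmts:{impersonationLevel=impersonate}!\\\\$host\\root\\cimv2");
    unless (defined $wmi) {
        return ('error', 'WMI connect failed: ' . Win32::OLE->LastError());
    }
    # Same filter as "wmic qfe where hotfixid=..." written as WQL
    my $set = $wmi->ExecQuery(
        "SELECT HotFixID,Description,InstalledOn FROM Win32_QuickFixEngineering "
      . "WHERE HotFixID='$hotfix'");
    unless (defined $set) {
        return ('error', 'query failed: ' . Win32::OLE->LastError());
    }
    my @hits = in($set);
    return ('missing', 'no QFE record for ' . $hotfix) unless @hits;
    my $h = $hits[0];
    return ('installed',
        sprintf('%s %s', $h->{Description} || '-', $h->{InstalledOn} || '-'));
}

printf "%-20s %-10s %s\n", 'Host', 'Status', 'Detail';
for my $host (@hosts) {
    my ($status, $detail) = check_patch($host, $kb);
    printf "%-20s %-10s %s\n", $host, $status, $detail;
}
```

A host reported as 'error' (unreachable, RPC blocked, access denied) is not the same as 'missing', so keep both columns when you roll the results up for a domain-wide sweep.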

I ran a search for the KB958644 patch on my XP system via RegEdit and found it referenced in several locations, including:

HKLM\SOFTWARE\Microsoft\Updates\Windows XP\SP4\KB958644
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\KB958644
...and...
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\

Another very cool thing is that RegRipper includes a plugin for the Uninstall key...which means that not only can you check for the patch while examining an acquired image, but you can also check live systems via F-Response EE and RegRipper!

Okay...but so what? Well, these approaches (WMIC, Perl, F-Response, RegRipper) give you (as a consultant or as an admin) an enterprise reach, and at a fraction of the cost (in dollars) of some of the big commercial products. Sometimes you don't need a commercial product to reach out and, say, check critical systems in your domain to see if they've been infected with Conficker...

3 comments:

David Cowen said...

Thanks for the link to the MS Perl script site; had no idea it existed

Dale Rogers said...

Harlan, This single post gave me enough forensic references to keep me busy for a long time.

Thanks.

H. Carvey said...

Dale,

How so?

Thanks,

h