Friday, May 14, 2010

Linkity linkity
Brett updated recently...take a look. I received some emails recently regarding "404 Not Found" messages for some stuff linked at the original site, and then received a couple of messages from Brett.

Brett's done a great job of maintaining the site, but for the site to really be of value, it takes more than folks in the community coming by to grab RegRipper and that's it. It takes contributions...thoughts, ideas, communication, etc. One particular project that's benefited from a very active community is Volatility.

Here's an interesting post from the Binary Intelligence blog, explaining how Matt went about modifying the current RegRipper to meet his own needs! Great job, Matt!

64-bit Software hives
Speaking of the Registry, does anyone have Software hives from well-used 64-bit systems that they're willing to share, for research purposes?

Chris Brown recently released v6.5 of ProDiscover. Chris very graciously provided me with a license back when PD was at version 3, and I've used the framework ever since. Chris added Perl as the scripting language for PD, in the form of ProScripting, a while back and that proved to be very beneficial. Most times my case notes will start with something like, "Created a case project in ProDiscover v6.0, added the image, and populated the Registry and Internet History Views." This is a great way to get an initial view of things, particularly if you suspect malware has infected the system. One of the things I look for first is the Default User with a web browsing history.

When conducting IR or analyzing live IR data, I tend to lean toward a little Least Frequency of Occurrence (LFO) analysis as an approach to malware detection on systems. Most times, what I do is grab the output of handle.exe and run it through a Perl script (, posted to the Files section of the Win4n6 Yahoo group) to get a list of the mutants/mutexes that are unique or appear least frequently on the system.

When it comes to LFO analysis, some folks seem to think that means just running a tool, like handle.exe, or just running a script that locates all of those mutexes that are unique and appear only once in the output of handle. But that's not analysis...that's just running a tool and getting data. Due to the way malware authors use mutexes, you have to look for something odd and out of place, so comparing the names with each other is one way to conduct LFO analysis. Another way to address this if you're looking at multiple systems is to compare your findings between systems. Let's say that you have some systems you know to not be infected, and others that you suspect may be infected...conducting LFO analysis on each system and comparing the output across all systems may provide some interesting findings.

My point is that running a tool and dumping the output into a report is NOT analysis, folks.
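As an added illustration of the LFO approach described above (this is not the Perl script from the Win4n6 Files section, nor any code from the original post), here is a small Python script that parses handle.exe-style output, counts how many processes hold each mutant, and then compares a suspect host against a known-clean baseline. The process names, PIDs and mutant names in the sample text are constructed, and the line layout only approximates the "handle.exe -a" format.

```python
# Added example: Least Frequency of Occurrence (LFO) triage of mutants.
# Sample text is constructed to resemble "handle.exe -a" output; none of the
# process or mutant names below are real indicators.
import re
from collections import Counter, defaultdict

PROC_RE = re.compile(r"^(\S+) pid: (\d+)")            # e.g. "explorer.exe pid: 1740 ..."
MUTANT_RE = re.compile(r"^\s*[0-9A-Fa-f]+:\s+Mutant\s+(.+?)\s*$")  # "  5C: Mutant  \Base..."

def parse_mutants(handle_output):
    """Map each mutant name to the set of 'process:pid' owners holding it."""
    owners = defaultdict(set)
    current = None
    for line in handle_output.splitlines():
        m = PROC_RE.match(line)
        if m:                       # new process block
            current = f"{m.group(1)}:{m.group(2)}"
            continue
        m = MUTANT_RE.match(line)
        if m and current:
            owners[m.group(1)].add(current)
    return owners

def least_frequent(owners, max_count=1):
    """LFO: mutants held by at most max_count processes, rarest first."""
    counts = Counter({name: len(p) for name, p in owners.items()})
    return sorted((n for n, c in counts.items() if c <= max_count),
                  key=lambda n: (counts[n], n))

def unique_to_suspect(suspect, baselines):
    """Mutants on the suspect host that appear on none of the known-clean hosts."""
    seen = set().union(*[set(b) for b in baselines])
    return sorted(set(suspect) - seen)

# Constructed sample: a clean host, and a suspect host with one extra process.
CLEAN_HOST = r"""
svchost.exe pid: 820 NT AUTHORITY\SYSTEM
   3C: Mutant        \BaseNamedObjects\ShimCacheMutex
explorer.exe pid: 1740 WORKSTATION\alice
   5C: Mutant        \BaseNamedObjects\ShimCacheMutex
  1A0: Mutant        \Sessions\1\BaseNamedObjects\_SHuassist.mtx
"""
SUSPECT_HOST = CLEAN_HOST + r"""
notepad.exe pid: 3012 WORKSTATION\alice
   44: Mutant        \BaseNamedObjects\ShimCacheMutex
   48: Mutant        \BaseNamedObjects\xk3b_sync_7f
"""

if __name__ == "__main__":
    suspect = parse_mutants(SUSPECT_HOST)
    print("rare on suspect host:", least_frequent(suspect))
    print("absent from baseline:", unique_to_suspect(suspect, [parse_mutants(CLEAN_HOST)]))
```

Note that a single-host "appears once" list still contains legitimate per-session mutants; the cross-host comparison is what narrows the list to something worth tying back to a process.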

In addition to handle.exe, I ran across this post on Jamie Blasco's blog today that listed two tools, one of which would be of use during IR...enumeratemutex.exe. While this would enumerate the mutexes for you and allow you to do a really quick LFO analysis, it wouldn't necessarily allow you to tie the mutex to a specific process. However, it can be a good check.

TSK Open Source Conference
June 9th is the date for Brian Carrier's first TSK and Open Source Forensics Conference, right in my own backyard (well, almost...that would be kind of cool though...).

I'll be giving a presentation on using open source tools to create timelines for analysis.

Cory's apparently doing a presentation entitled Commando it wrong of me to want to go see Cory talk about doing forensics commando? I have to admit that there's a certain horrifying fascination there...but is it really so wrong? ;-)

The venue isn't far from a Dogfish Head Ale House, and Vintage 51 is close, as well. Look to one of those venues for the conference pre-party (I'm kind of proactive and not into after-parties...) the evening before.

SANS Forensic Summit
The SANS What Works in Forensics and Incident Response summit is coming up this summer in Washington, DC.

The agenda looks like another good one this year. Jesse will be talking about fuzzy hashing, Troy will be talking about Windows 7, and Richard will be presenting on the CIRT-level response to APT. Between the presentations and panels, this looks like it will be another great opportunity.

I'll be giving a workshop on adding pertinent Registry data to a timeline (can you see a trend developing here, with my presentation at the TSK conference?), and how doing so can really help develop context to and confidence in the data you're looking at.

Looks like I'm on a panel again this time around...those are always a good time. Troy Larson will be there...everyone should come on by and check out his Sharky lazer pointer. No, that's not a euphemism for anything.



Anonymous said...

I was almost willing to share my registry with you, but then I read the header: "my book, "Windows Forensic Analysis"... which will be available in June 2009." Sorry, can't trust you if you can't update your site on a yearly basis. *phbbt!*

Keydet89 said...

...and people wonder why I don't keep posting all of the new and updated plugins that I mention in my blog. Sheesh.

Brett Shavers said...

The 'old' website had constant issues with the forum and site (I mistakenly chose substandard providers...). But now, both the new site and forum should be much better.

I've been receiving some RegRipper user input files to add to the site. RegRipper has been downloaded over 5,000 times now (I stopped keeping track after 5,000), so there should be plenty of feedback available to submit via the website/forum. The more the merrier!

Sharky said...

I will return the favor my friend. Moreover, I found Brett. He is one of mine.