Thursday, June 10, 2010

Linkz

Analysis
This post from the Digital Detective site discusses how to manually identify the time zone of a system from a disk image. This information is maintained in the Registry (the TimeZoneInformation key beneath the Control key of the SYSTEM hive), and RegRipper has a plugin for it as part of the default distro.
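To show what the plugin has to do with the raw data, here is an added example (mine, not the RegRipper plugin or the Digital Detective post's method) that decodes the TimeZoneInformation values a hive parser would hand back and applies them to a UTC timestamp. The point a practitioner trips over is the sign convention: Windows stores Bias as UTC minus local time, so Eastern Standard Time is +300 minutes. The value bytes below are constructed to look like a US Eastern host; the function and value names are my own.

```python
"""Decode TimeZoneInformation values from an offline SYSTEM hive.

Added example, not RegRipper code. SAMPLE_VALUES is constructed to look
like what a registry parser returns for
SYSTEM\\ControlSet00x\\Control\\TimeZoneInformation on a US Eastern host.
"""
import struct
from datetime import datetime, timedelta, timezone

# Windows stores Bias as "UTC minus local time" in minutes, so a positive
# bias means the host sits WEST of UTC: Eastern Standard Time is 300.
# ActiveTimeBias is the bias in force when the value was last written,
# i.e. it already includes daylight saving if DST was active then.


def decode_bias(raw: bytes) -> int:
    """A bias value is a REG_DWORD holding a signed 32-bit LE minute count."""
    if len(raw) != 4:
        raise ValueError("bias values are 4-byte REG_DWORDs")
    return struct.unpack("<i", raw)[0]


def decode_sz(raw: bytes) -> str:
    """REG_SZ data is UTF-16LE and normally NUL-terminated."""
    return raw.decode("utf-16-le").split("\x00", 1)[0]


def bias_to_offset(bias_minutes: int) -> str:
    """Render a Windows bias as the UTC offset an analyst expects, e.g. UTC-05:00."""
    offset = -bias_minutes  # flip the sign: offset = local - UTC
    sign = "+" if offset >= 0 else "-"
    hours, minutes = divmod(abs(offset), 60)
    return f"UTC{sign}{hours:02d}:{minutes:02d}"


def decode_time_zone_information(values: dict) -> dict:
    """Summarise the values an analyst needs; absent values are reported as None."""
    bias = decode_bias(values["Bias"]) if "Bias" in values else None
    active = decode_bias(values["ActiveTimeBias"]) if "ActiveTimeBias" in values else None
    return {
        "StandardName": decode_sz(values["StandardName"]) if "StandardName" in values else None,
        "DaylightName": decode_sz(values["DaylightName"]) if "DaylightName" in values else None,
        "Bias": bias,
        "ActiveTimeBias": active,
        "standard_offset": bias_to_offset(bias) if bias is not None else None,
        "active_offset": bias_to_offset(active) if active is not None else None,
    }


def utc_to_local(utc_dt: datetime, active_time_bias: int) -> datetime:
    """Convert a UTC timestamp (MFT, event log, ...) to the host's local time."""
    return utc_dt.astimezone(timezone(timedelta(minutes=-active_time_bias)))


# Constructed sample: US Eastern host, DST active when the values were last written.
SAMPLE_VALUES = {
    "Bias": struct.pack("<i", 300),            # UTC-05:00 in standard time
    "ActiveTimeBias": struct.pack("<i", 240),  # UTC-04:00 because DST was on
    "StandardName": "Eastern Standard Time\x00".encode("utf-16-le"),
    "DaylightName": "Eastern Daylight Time\x00".encode("utf-16-le"),
}


def sample_event_local() -> datetime:
    """A constructed 14:00 UTC event on 10 June 2010, rendered in host local time."""
    return utc_to_local(datetime(2010, 6, 10, 14, 0, tzinfo=timezone.utc), 240)


if __name__ == "__main__":
    for name, value in decode_time_zone_information(SAMPLE_VALUES).items():
        print(f"{name:16} {value}")
    print("14:00 UTC is", sample_event_local().isoformat(), "on this host")
```

Note that a bias east of UTC is negative (Central European Time stores -60, which appears as 0xFFFFFFC4 in a hex dump), so a parser that reads the DWORD as unsigned will report nonsense for half the world; unpacking it as a signed integer is the whole trick.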

Plugins
I saw this post recently on the SANS ISC blog, which deals with software restriction policies on a system. I thought...hey, that's pretty cool, AND there's a Registry key listed (HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers). From there it was a simple matter to research the MS site and see what other information I could find, and I began to see the possible value to an analyst of the data derived from the DefaultLevel value (called a "key" in the blog post). In a matter of minutes, I had a functioning RegRipper plugin.

Interestingly enough, the more I research this, the more I see the CodeIdentifiers key as being of some importance, not only to forensic analysts but also to system administrators. After all, if it weren't, why would so many bits of malware be modifying or deleting entries beneath this key?
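As an added illustration of what such a plugin reports (this is my own example, not the RegRipper plugin written for the post), the following decodes the DefaultLevel, TransparentEnabled and PolicyScope values under CodeIdentifiers. The level names are the documented SAFER_LEVELID_* constants from the Windows SDK; the TransparentEnabled and PolicyScope meanings follow the options in the SRP "Enforcement" dialog. It also makes the caveat explicit that 0x40000 (Unrestricted) is the out-of-the-box setting and so is not a finding by itself, while an absent value is worth noting given the malware behaviour mentioned above. The three sample hosts are constructed.

```python
"""Interpret Software Restriction Policy settings from the CodeIdentifiers key.

Added example, not the RegRipper plugin the post describes. Level names are
the SAFER_LEVELID_* constants; TransparentEnabled and PolicyScope follow the
SRP "Enforcement" dialog. The sample value bytes are constructed.
"""
import struct

CODE_IDENTIFIERS = r"SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers"

# DefaultLevel holds one of the SAFER security level identifiers.
SAFER_LEVELS = {
    0x00000: "Disallowed",
    0x01000: "Untrusted",
    0x10000: "Constrained",
    0x20000: "Basic User",
    0x40000: "Unrestricted",
}
# 0x40000 is what a system ships with, so on its own it proves nothing.
OUT_OF_THE_BOX_LEVEL = 0x40000

TRANSPARENT_ENABLED = {
    1: "all software files except libraries (DLLs)",
    2: "all software files, including libraries",
}
POLICY_SCOPE = {
    0: "all users",
    1: "all users except local administrators",
}


def dword(raw: bytes) -> int:
    """REG_DWORD: unsigned 32-bit little-endian."""
    if len(raw) != 4:
        raise ValueError("expected a 4-byte REG_DWORD")
    return struct.unpack("<I", raw)[0]


def interpret_code_identifiers(values: dict) -> dict:
    """Turn the raw values under CodeIdentifiers into analyst-readable findings."""
    report = {"DefaultLevel": None, "TransparentEnabled": None,
              "PolicyScope": None, "notes": []}

    if "DefaultLevel" not in values:
        report["notes"].append(
            "DefaultLevel value absent: SRP never configured, or the key was removed")
    else:
        level = dword(values["DefaultLevel"])
        report["DefaultLevel"] = SAFER_LEVELS.get(level, f"unknown level 0x{level:x}")
        if level == OUT_OF_THE_BOX_LEVEL:
            report["notes"].append(
                "DefaultLevel is Unrestricted (0x40000), the out-of-the-box setting")
        elif level not in SAFER_LEVELS:
            report["notes"].append(
                "DefaultLevel is not a documented SAFER level; worth a closer look")

    if "TransparentEnabled" in values:
        mode = dword(values["TransparentEnabled"])
        report["TransparentEnabled"] = TRANSPARENT_ENABLED.get(
            mode, f"unrecognised value {mode}")
    if "PolicyScope" in values:
        scope = dword(values["PolicyScope"])
        report["PolicyScope"] = POLICY_SCOPE.get(scope, f"unrecognised value {scope}")
    return report


# Constructed samples: a stock host, an admin-hardened host, and a host
# where the values have been stripped.
DEFAULT_HOST = {"DefaultLevel": struct.pack("<I", 0x40000)}
LOCKED_DOWN_HOST = {
    "DefaultLevel": struct.pack("<I", 0x0),
    "TransparentEnabled": struct.pack("<I", 2),
    "PolicyScope": struct.pack("<I", 1),
}
KEY_DELETED = {}

if __name__ == "__main__":
    for name, values in (("stock", DEFAULT_HOST),
                         ("locked down", LOCKED_DOWN_HOST),
                         ("stripped", KEY_DELETED)):
        print(name, interpret_code_identifiers(values))
```

The "notes" list is where a plugin earns its keep: reporting the raw DWORD is easy, but telling the analyst that 0x40000 is the default, that 0 means a default-deny policy an administrator deliberately set, and that a missing value may mean something removed it is what turns the data into a lead.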

5 comments:

Stefan said...

Harlan,

thanks for sharing this information. The CodeIdentifiers key seems to be quite interesting indeed. A search on threatexpert.com and the like reveals a number of malware samples that delete the key or create sub-keys.

Wrt the DefaultLevel value, however, it is important to recognize that on many Windows systems DWORD:40000 seems to be its default setting. So this fact on its own doesn't hint towards malware.

Cheers,
Stefan.

H. Carvey said...

Stefan,

True, but that's why more research is needed.

Anonymous said...

Harlan, I found a book on Amazon that looks like it has a lot of potential. http://www.amazon.com/Digital-Forensics-Open-Source-Tools/dp/1597495867 Can you give any more details on it?

H. Carvey said...

Anonymous...

Don't know how I'd be able to...

H. Carvey said...

What I mean to say is that the book hasn't been written yet, and since I don't know what details you're looking for, I could literally write for an hour and never answer your question.