Monday, September 05, 2011

Stuff...and whatnot

Speaking Engagements
I received notification last week that my submission for the 2012 DoD CyberCrime Conference was accepted.  I'll be giving a presentation on timeline analysis at this conference, and I hope to have some new material ready and available to share well before the presentation.

I will also be speaking at PFIC 2011 this year; I actually have two presentations, with a total of three sessions on the podium (according to the schedule).  I'll be presenting on "Scanning for Low-Hanging Fruit in an Investigation", as well as "Intro to Windows Forensics".  Once I've completed WFA 3/e and everything's been submitted, I plan to focus on some of the material for the first presentation, in particular the scanning framework.  This presentation will be a follow-on to my OSDFC presentation from this past June.

The closest alligator to the boat, however, would be presentations I'll be giving at ETCSS in Oct. I'll be giving two presentations on 12 Oct..."What's new in Windows 7: An Analyst's Perspective", and "Incident Preparedness".

The eEvidence What's New page has been updated...I always find a lot of great reading material there.  This time around, there are a number of excellent presentations linked from the page...all of which are well worth taking a look at.

NoVA Forensics Meetup
Our next meetup is this Wednesday, 7 Sept.  Mitch Harris will be presenting on botnets.

Please take a look at the "NoVA Forensics Meetup" page linked on the right-hand panel of this blog, under "Pages", if you have any questions regarding location, times, fees, attendance requirements, etc.  Thanks.

If you still feel the need to ask about attendance requirements and fees, you will have to pay eleventy-three dollars at the door as a cover charge, and you have to come dressed as a clown. 

RegRipper Plugins
An archive of new RegRipper plugins was recently released and is available for download at this Google Code site.  I didn't write these plugins, but I will say that it is really cool to see folks taking the time to take full advantage of an open source tool such as RegRipper, and create what they need to get the job done.

I did modify some code for one of the plugins. -- contact the author --

Now, I've seen a couple of comments and received an email or two recently regarding adding these new plugins to RegRipper.  First, download the archive and copy the plugins into the plugins directory...however, from there, there seems to be some confusion regarding how to get RegRipper to use these new plugins.

The RegRipper plugins folder generally contains two types of files: the ones that end with the ".pl" extension should be plugins (Perl scripts), and those that have no extension should be profiles, or lists of plugins that you'd like to run against a particular hive.  The profiles don't have to have a specific name...the ones that were originally shipped with RegRipper (software, system, sam, ntuser, etc.) are just examples, nothing more.  You can name one of these files "steve" if you like; it doesn't matter.  As long as the file does not have an extension, it will appear in the dropdown list in the RegRipper GUI.

So, when you get a new plugin and add it to the plugin folder, yes, you do sort of have to figure out what you want to do with it.  I designed it this way to give analysts the flexibility to run their exams the way they want, to give them choices (hopefully based on knowledge, education, and experience).  In order to facilitate determining which hive a plugin is intended for, I added some functionality to (or rip.exe, whichever version you're using); for example, if you run with the "-l" switch, you will see a listing of plugins with information about each one output to STDOUT.  If you add the "-c" switch, the output will be in .csv format, which is great for redirecting to a file, which you can then open in Excel.  From there, it's pretty easy to create or modify a profile via Notepad.
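As an added illustration (my own example here, not code from the original post or from RegRipper itself), the snippet below turns the "-l -c" listing into a profile for one hive and checks an existing profile against the plugins actually present in the folder. It assumes the CSV columns are plugin,version,hive,description, and that a profile is simply one plugin name per line; confirm both against your own RegRipper output before relying on it.

```python
# Constructed sample of a "rip -l -c" listing (assumed column order:
# plugin,version,hive,description). These rows are made up for the example.
SAMPLE_LISTING = """\
userassist,20110101,NTUSER.DAT,Displays contents of UserAssist subkeys
userassist2,20100101,NTUSER.DAT,Displays contents of UserAssist subkeys (TLN format)
winver,20081231,Software,Get Windows version
fw_config,20080510,System,Gets XP firewall config
samparse,20080927,SAM,Parse SAM file for user/group membership info
"""

def parse_plugin_listing(text):
    """Parse the CSV listing into dicts; the description may contain commas,
    so split at most three times and keep the remainder as the description."""
    rows = []
    for line in text.splitlines():
        parts = line.strip().split(",", 3)
        if len(parts) == 4:
            rows.append(dict(zip(("plugin", "version", "hive", "descr"), parts)))
    return rows

def plugins_for_hive(listing, hive):
    """Names of plugins that declare the given hive (case-insensitive)."""
    return [p["plugin"] for p in listing if p["hive"].lower() == hive.lower()]

def profile_text(plugin_names):
    """A profile is a plain, extensionless file: one plugin name per line.
    Pick deliberately; e.g. only one of the UserAssist plugins is usually needed."""
    return "\n".join(plugin_names) + "\n"

def write_profile(path, plugin_names):
    """Write the profile; the file name must have no extension to appear in the GUI."""
    with open(path, "w") as fh:
        fh.write(profile_text(plugin_names))

def check_profile(profile_body, listing):
    """Return profile entries that do not match any plugin in the listing,
    i.e. typos or plugins that were never copied into the plugins folder."""
    known = {p["plugin"] for p in listing}
    entries = [ln.strip() for ln in profile_body.splitlines() if ln.strip()]
    return [e for e in entries if e not in known]

if __name__ == "__main__":
    listing = parse_plugin_listing(SAMPLE_LISTING)
    print(plugins_for_hive(listing, "ntuser.dat"))
    print(check_profile("winver\nfw_confg\n", listing))  # typo is reported
```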

I also created the Plugin Browser, which was released along with the code/programs for Windows Registry Forensics (  This tool provides a graphical method for an analyst to browse through the plugins (hence the name) and even create a profile.

When I sat down and came up with this tool, I wanted the user/analyst to have the ability to decide which plugins to run.  After all, there isn't always a need to run all of the available plugins against a hive file; this may simply be too much information to dig through.  Some plugins may be redundant, parsing the same information, but just displaying it a different manner (yes, I was once contacted by someone who had run all three plugins that parse UserAssist subkey data and present it in different formats...they asked me what the difference was between them...).  There may also be instances in which a plugin may be used in different profiles; for example, I would include the plugin that parses the XP firewall settings in a profile that gets general information about the system, as well as one specifically used to determine if there are any indications of malware on the system.

What this ultimately means is that the analyst is going to have to do something.  I'm really sorry about that...but as an analyst using RegRipper, you're going to have to make some decisions and take some actions.

Note:  Something I wanted to mention is that tools such as RegRipper (and rip) are only as powerful as the analyst using them.  If you sit down and expect RegRipper to extract some particular information from the Registry for you, without understanding what the tool is doing, or whether there is even a plugin that gets that information, you may be disappointed.

What do I do if it don't work?
If something doesn't appear to be right about the tool you're using, it's usually most helpful if you go directly to the author, and provide information beyond, "it don't work".  The response may be simply an update, particularly if it's a known issue. Or you may be using the tool incorrectly...those pesky readme files are such a PITA, aren't they?  Or it could be an unanticipated condition...such as when I was working on the Jump List parser and found out what a Jump List "looks like" when it hasn't yet been closed by the operating system (the Jump List was extracted from an image file produced during a live acquisition).

What if a plugin I need isn't in RegRipper?
If there's a particular plugin that you need and can't seem to find, contacting me with a clear description of what you're looking for, as well as providing a sample hive, will usually result in a new or updated plugin in fairly short order.  And no, I don't make a habit of sharing the fact that you asked, or sharing the contents of the hive, or sharing the plugin.  I tend to securely delete the hive file once I'm done, and I leave it up to you to share the plugin...unless it's really cool, but then, I'll ask you first.  So if you have any trepidation about asking for help, I hope what I've said here will quell those concerns or fears.

I've posted on using RegRipper to the blog before; there's a link here, and one here.  There is also a great deal of information about using RegRipper available in chapter 2 of Windows Registry Forensics.

Books (Again)
I had a section in my last post regarding the use of books I've written or co-authored being used in courses to teach computer forensics.  I received an email from Joshua Bartolomie, Adjunct Lecturer at Utica College, and have provided the entirety of his statement, quoted below, with his permission:

To expand a bit on some detail – my associate and I just finished one of our 8 week classes (Computer Forensic Investigations I) in the Cyber Security Master Program at Utica College where we utilized your Windows Forensic Analysis 2ED book as the primary ‘text’ book, with supplemental/ancillary reading via online texts and reports as needed for core concepts and research. We walked through the book and leveraged your examples and case studies in a lot of our discussions and hands-on lab concepts – for the most part the hands-on labs were specifically set to look for, preliminarily evaluate, and compare/contrast available technologies within the vein of the topic at hand. The students responded well to this type of instruction and even those that have done forensic analysis before are keeping your book handy as a practical reference.

We also just started the follow-on class (Computer Forensic Investigations II) and are leveraging the Open Source Digital Forensics book you co-authored as our primary textbook – with the same caveat as above regarding supplemental/ancillary reading via online texts and reports as needed for core concepts and research. The plan that we've outlined in this class is to walk the book front to back and evaluate/compare/use the 'forensic workstations' that are being built. We are building both a Linux and Windows VM concurrently to compare/contrast the environments, their applicable usages, and pros and cons. We are also utilizing these VMs for analysis and examination hands-on labs as we progress; leveraging standard and/or available forensic test images such as those offered by NIST, Honeynet project, etc. At the end of the class - all of our students should have two fully functional, usable, and relatively cheap/free forensic environments to continue their learning and expansion in this field.

The goal of our classes and overall program is to take a different approach to the traditional theory based Graduate programs, and instead provide our students with viable, practical, and production/operations grade hands-on instruction and usage. The two courses I mentioned above are being taught between myself, with a corporate security focus/background, and one of my associates at Utica College that is also the lead computer forensic investigator for a local police department, with an obvious law enforcement focus/background. We both instruct portions of each of our classes and by tag-teaming them we are able to highlight concepts, protocol/procedures, and issues from our respective areas of expertise. By executing the classes in this manner, we are able to provide them with insight from two generally different operational approaches/angles, and integrating your book(s) provides a solid foundation for hands-on real-world applicability.

This is a great endorsement for all of the books mentioned!  When I develop training materials myself, my focus (time permitting) is usually to give those I'm engaged with something that they can use immediately, right there in the course (or as soon as they leave)...that "practical...operations-grade hands-on instruction".  I do that because that's what I look for in training courses, as well, regardless of whether it's a 60 minute presentation or a half day of instruction.  I tend to look for something I can put my hands on and use.  Oddly enough, it turns out that others look for the same thing.  So, again...endorsements like this are great, and they're much better than a "review" that simply reiterates the table of contents of the book.

I'm sure that by now, many of us have heard of this guy, who got 6 yrs for "hacking" users' systems and taking over their webcams and mics, and using information (pictures, video, stuff he listened in to) to extort his victims.

Something else to be aware of, folks, is how this sort of information is presented in the media...notice that the first sentence of the third paragraph mentions "undetectable malware", but later the article actually names some of the malware used (i.e., Poison Ivy).

If you're into digital forensics analysis of Windows systems, particularly those formatted NTFS, then you should consider taking a look at a couple of tools.

First off, Willi Ballenthin released a Python script for parsing INDX files; Willi's also done an excellent job of providing background information about the tool, as well as why you'd want to use it, so take a look.

Then there's the Windows NTFS journal change log parser from TZWorks, LLC.  Tim Mugherini provides a great example of how "jp" was used during a case.

I haven't used either of these tools yet, but I can see where they would be very useful during an examination.  I've found indications of files in directories via the INDX files (which appear as "$I30" in FTK Imager) when malware or an intruder's tool kit was deleted after use.


Jimmy_Weg said...

If I haven't said so before, the Plugin Browser is a great adjunct to RegRipper. I used it recently to browse and select plugins to create a custom plugin file for a particular case. The Plugin Browser also can serve as a very good way to learn more about RegRipper, as you can see what each plugin does and experiment with plugin files.

Keydet89 said...

Thanks, I'm glad that you've found the tool useful. I received a series of emails from a senior analyst who didn't seem to understand how RegRipper was used, or that the Plugin Browser (or even just " -l -c") was available...