Monday, March 25, 2013


New HECFBlog book is out!
David Cowen posted that his new book is out!  The book is titled, Computer Forensics InfoSec Pro Guide (Beginner's Guide).  David's also got a new web site to go along with the  There isn't a great deal of information available about this book or its contents yet, but Dave has always been a fount of great things for DFIR, so keep your eyes on the site.  David did state on his blog that he's working on some "links, documents, and forensic images", so look for good things to come.

If you're going to get David's book, I would recommend that you also consider Brett Shaver's book, Putting the Suspect Behind the Keyboard, which provides an investigator's perspective and insight into determining who was sitting at the keyboard.

CyberThreat Detection
Lesley Carhart posted this article over on the Motorola Solutions Community site, mentioning the need for log monitoring, particularly in the face of Mandiant's APT1 report.  A lot of what Lesley says in the post has been mentioned before, but I tend to think that it's important to keep the same message consistent and repeated...just look around and see all of the organizations that get hit and don't have any of what she mentions implemented.

One statement made in the article that caught my attention was:

Attackers frequently spread laterally, system to system, using legitimate accounts and services. Would your organization detect this?

The reason this caught my attention was that, as far back as I can remember, even going back to the 2012 DoD CyberCrime Conference, one of the primary complaints about the mention of "lateral movement" has been that there is a dearth of information regarding what it actually looks like. How would an organization be able to detect this sort of activity if the folks who know what it looks like aren't sharing the information?  This was the case at DC3 2012...I heard a couple of attendees lamenting the fact that, for all of the presentations that included "APT" in the title, none of them actually provided actionable information.  I can only say that I attended three of those presentations, and not one of the authors actually listed what that lateral movement within the infrastructure looks like to an analyst.

Using RegRipper
Ken posted the Work Smarter, Not Harder article to his blog this weekend, which, in part, raises awareness of how to make the most effective use of RegRipper.  In his post, Ken discusses using some basic functionality of RegRipper...creating custom profiles...and ties that to another recent blog post.  I greatly appreciate the time that Ken took to not only use the tool, but to write about his experience and use of the tool...I think that this really validates how easy-to-use these tools can be, and how effective their use can be in pursuing an examination.  It's one thing for me to write about how to use the tool; it's something else entirely for someone like Ken to share a real-world example of how he used the tool to complete analysis.

One thing that Ken says in the post is:

Running rip.exe -r ntuser.dat -f ntuser-all, for example, will run every ntuser.dat specific plugin against the ntuser.dat file.

A bit of clarification is required here...the command will run every "ntuser.dat-specific plugin listed in the ntuser-all profile against the ntuser.dat file".  My point is that analysts should not assume that every plugin intended to be run against the NTUSER.DAT file is listed in the ntuser-all profile.  This file is a flat text file, with no extension (which simply means that it does not end in ".txt" or ".dat", or...anything) that contains a list of plugins that you'd like to run, in the order that you'd like to run them.  It's always good to check and ensure that the plugins you want to be included in the profile are actually listed.  If not, they're very easy to add, as Ken described in his post.

My own custom RegRipper profile for retrieving program execution artifacts from the NTUSER.DAT hive includes the following plugins:


As many folks are aware, I teach a couple of courses.  During the courses, I invariably meet people who "use" RegRipper on a regular basis...what this most often amounts to is downloading RegRipper v2.5 (if you watched the SANS webcast from January 2013 closely, you could see that Mandiant is still on v2.02...) and simply running the UI version of RegRipper.  But there's so much more available through the tool, as Ken described in his post.

For example, I get asked, "Is there a list of available plugins?" on a regular basis.  This is why I provided a very simple facility through rip.exe to output a list of plugins (described in this blog post), including an option for CSV output.  An example of a command line that I discuss in the courses, for providing just a list of plugins that retrieve information from the NTUSER.DAT hive, is:

C:\tools>rip -l -c | find ",NTUSER.DAT," /i > ntuser.csv

Run this command, and then open the resulting .csv file in Excel for easy review.  An alternative would be to simply drop the "find" portion of the command, open the resulting .csv file in Excel, and then sort on the third column to list the plugins by the hive file they apply to.

You can also take this same approach to create specific profiles for USB device tracking within various hives, as well.
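As an added example (not code from the post or from RegRipper itself), a small Python script that parses the CSV produced by rip -l -c and performs the check recommended above: it reports which plugins for a given hive a profile omits, flags profile entries rip does not know about or that target another hive, and can emit a starting-point profile for one hive. The plugin list and profile below are constructed samples, and treating lines beginning with '#' as comments is an assumption about rip's profile parser.

```python
import csv
import io

# Constructed sample of `rip -l -c` output (plugin,version,hive,description).
# Plugin names are real RegRipper plugins; versions and descriptions are made up.
RIP_LIST_CSV = """\
userassist,20130101,NTUSER.DAT,Constructed sample: UserAssist subkeys
muicache,20130101,NTUSER.DAT,Constructed sample: MUICache values
runmru,20130101,NTUSER.DAT,Constructed sample: RunMRU values
appcompatcache,20130101,System,Constructed sample: AppCompatCache entries
"""

# Constructed profile: flat text, one plugin per line, run in this order.
# Treating '#' lines as comments is an assumption about rip's profile parser.
NTUSER_EXEC_PROFILE = """\
# program execution artifacts from NTUSER.DAT (constructed example)
userassist
muicache
"""

def parse_plugin_list(csv_text):
    """Map plugin name -> hive it targets, from rip -l -c CSV output."""
    plugins = {}
    for row in csv.reader(io.StringIO(csv_text)):
        if len(row) >= 3:
            plugins[row[0].strip()] = row[2].strip()
    return plugins

def parse_profile(text):
    """Ordered plugin names from a profile, skipping blanks and '#' comments."""
    lines = (ln.strip() for ln in text.splitlines())
    return [ln for ln in lines if ln and not ln.startswith("#")]

def plugins_for_hive(plugins, hive):
    """Plugin names whose hive column matches, case-insensitively (like find /i)."""
    return sorted(n for n, h in plugins.items() if h.lower() == hive.lower())

def check_profile(csv_text, profile_text, hive):
    """Return (missing, unknown, wrong_hive) for a profile against one hive's plugins."""
    plugins = parse_plugin_list(csv_text)
    listed = parse_profile(profile_text)
    missing = [n for n in plugins_for_hive(plugins, hive) if n not in listed]
    unknown = [n for n in listed if n not in plugins]
    wrong_hive = [n for n in listed if n in plugins and plugins[n].lower() != hive.lower()]
    return missing, unknown, wrong_hive

def build_profile(csv_text, hive):
    """Starting-point profile text: every plugin for the hive, one per line."""
    return "\n".join(plugins_for_hive(parse_plugin_list(csv_text), hive)) + "\n"
```

Against the constructed data, check_profile(RIP_LIST_CSV, NTUSER_EXEC_PROFILE, "NTUSER.DAT") reports runmru as missing, which is exactly the kind of gap an "all" profile can hide.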

Side Note: One question I regularly ask users of RegRipper is: what would make RegRipper a 'better' tool? More/better documentation?  Some additional functionality?  If there's a specific plugin that you'd like to see created, you can take a look at Adam's 3RPG site (he blogged about creating four RR plugins in 15 min.), or you can contact me and request the plugin - all I'll need is a concise description of what you're looking for, and some sample data.  If you provide this information, I'm able to get plugins turned around rather quickly.  There is a LOT of information out there embedded in Registry hive files, and relying on a small group of people to create the plugins, when we're not seeing this information, amounts to a significant loss for the community.

"Cyber" Insurance
Something I've been watching with a bit of fascination is the spread of "cyber" insurance.  Looking back over the response and analysis engagements that I've performed or been involved with over the years, including PCI forensic audits, this is a very interesting development.  You'd need to review the annual reports from companies such as Mandiant, Trustwave and Verizon to see the effect that compliance regulations have had on organizations getting compromised...based on previous years' reports, one might think that there hasn't been much of an effect.

What's clear is that the issue of organizations getting "hacked" is getting even more attention.

CyberGuardians post
I did not attend the SANS Cyber Threat Intelligence Summit 2013, but I did get to read about it at the CyberGuardians blog.  Having been engaged in DFIR work for some time, I thought that both the presentations and the reviews of them were very insightful, and that the focus of DFIR work was moving in the right direction.  So many times as an emergency responder, I would show up and find that the on-site IR team was completely hamstrung, with no ability to get any sort of meaningful information during an incident.  In many cases, even the most basic information needed to simply assess systems had to be requested from network or systems ops folks...this was true not only at commercial and private sector sites, but also within the federal government.

What I really took away from the post is the realization that a mainstream organization such as SANS is now espousing the need for organizations to not only effectively consume (i.e., make use of) threat intelligence, but to also produce and share threat intelligence, as well. A number of consulting organizations offer this as a service, but some of them focus solely on one area of the IR spectrum (i.e., network sources, without bringing memory- or host-based artifacts into the equation).  Part of the problem with this is that, while these are excellent services, many of the potential consumers of this intelligence are simply neither prepared nor equipped to make effective use of this information.

A new version of the ImDisk Toolkit is available, which works on Windows up to Win8 (32- and 64-bit).

There are still seats available for the 9-10 April offering of Timeline Analysis at our Reston location, as well as for the Windows Forensic and Registry Analysis course combo to be held at the Santa Cruz PD training facility.  If you're interested in any of these courses, but cannot make it to the Reston location, contact us about sponsoring the training at your location.


Dedric B said...

Mr. Carvey,

Just a simple suggestion.

Your blog seems to really push your training. Could you separate your content posts from your sales posts? I get that you should post on your blog about your training, but do you have to mention it in every post? Perhaps one per week might work best?

Anyway... just a thought from a fan. Your posts are good and informative. I realize I might be blocked on twitter now for a suggestion for you, but if that is your reaction, I really shouldn't be following you anyway.

Keydet89 said...

Your blog seems to really push your training.

Yes, it does. I have only been posting to my blog about once a week, so that fits in pretty well with what you've requested, I would think.

I include the notification because I do hear time and again from folks who had no idea that I offered training, as well as those who seem to feel that the one time I mentioned the training was the only time that it was offered.

I hope that helps...

I realize I might be blocked on twitter now for a suggestion for you, but if that is your reaction, I really shouldn't be following you anyway.

What's up with that comment?

Ken Pryor said...

Hi Harlan,

Thanks for the mention and link to my blog. Also, thanks for clarifying what I meant regarding the use of "all" plugin profiles. I read back over my post and I wasn't all that clear about it.

Looking forward to getting both David and Brett's books. I'm sure both will be very good.

Keydet89 said...


I thought that the clarification was important...I recently spoke to analysts who were running the "all" profile against the NTUSER.DAT, thinking that it ran "all" of the plugins for the NTUSER.DAT against the hive file. I was somewhat shocked to see this, particularly since they told me that they used RegRipper "a lot".

I guess that also goes toward answering the question of how I have time to blog, write books, etc...

Brett Shavers said...

Harlan, thanks for the book plug.

I appreciate blog posts from my usual blog suspects (IR and forensics favorites) with links to something I haven't seen somewhere else, including training, software, and books. I'm not sure how else I can keep up without following the lead of others that are also trying to keep up and sharing information on what they found.

A note on my book, the goal of the book is to help every reader successfully close at least one case they would not have been able, or save hours/days/weeks of time in at least one case. That's what I personally try to gain in everything I read; just the one benefit that makes it worthwhile.