Monday, April 08, 2013

Plugin: *_tln

If you've downloaded the new RegRipper plugins archive, you may have noticed several plugins whose names end in "".  These plugins specifically output their collected information in the five-field timeline (TLN) events file format that I use for creating timelines.

Many folks using the RegRipper tools may not be aware that you can use rip.exe to determine information about the plugins that you have currently have available.  For example, the following command will allow you to see all the plugins that you have, listed in a tabular format:

rip -l

This next command will allow you to see all of the plugins you have, listed in CSV format:

rip -l -c

This command will let you see all of the plugins that end in "*_tln", in CSV format:

rip -l -c | find "_tln"

Now that we have a list of the plugins that provide TLN output, we can easily include the output of the plugin in our timeline events file by using the following command:

rip -r path -p plugin  -u user -s server >> events.txt

An example of how this can be useful is in adding the UserAssist data for a specific user to the timeline events can do that using the following command:

rip -r path -p userassist_tln -u user -s server >> events.txt

Very easy, very straightforward, and the use of these plugins can provide us with a good deal of granularity in our timeline.

Something that's very important to understand about the TLN plugins is that, in most cases, they will not display the same information as their accompanying plugin without "_tln" in the name.  In many cases, the information maintained in the keys and values extracted via the plugins is stored in a "most recently used" or "MRU" format, and as such, the LastWrite time of the key is associated with the most recent entry.  An example of this is the plugin...running this one side-by-side with the plugin won't provide you with the same information, nor the same number of lines in the output.  However, this is by design...shellbag data is one of those "MRU" sources within the Registry.  One exception to this is the output of the plugin; the time stamp data extracted by this plugin is stored in the binary content of the value data.

Typing the command to list the *_tln plugins will illustrate that most of the plugins appear to be oriented toward the NTUSER.DAT and Software hives.  The plugin was written to run against the USRCLASS.DAT hive, and lists its output based on the key LastWrite time or "MRU Time"; it does not list information in TLN format based on the created, last accessed or last modified times extracted from the shell items.  The plugin will list information in TLN format based on various time stamps associated with each user account.  Also, with this plugin, you don't need to add the "-u" switch, as the user information is embedded within the hive file itself.

No comments: