Wednesday, February 03, 2016

Updated samparse.pl plugin

I received an email from randomaccess last night, and got a look at it this morning.  In the email, he pointed out that there had been some changes to the SAM Registry hive as of Windows 8/8.1, apparently due to the ability to log into the system using an MSDN Live account.  Several new values seem to have been added to the user RID key, specifically GivenName, SurName, and InternetUserName.  He provided a sample SAM hive and an explanation of what he was looking for, and I was able to update the samparse.pl plugin, send him a copy, and update the GitHub repository, all in pretty short order.

This is a great example of what I've said time and again since I released RegRipper; if you need a plugin and don't feel that you can create or update one yourself, all you need to do is provide a concise description of what you're looking for, and some sample data.  It's that easy, and I've always been able to turn a new or updated plugin around pretty quickly.

Now, I know some folks are hesitant to share data/hive files with me, for fear of exposure.  I know people are afraid to share information for fear it will end up in my blog, and I have actually had someone tell me recently that they were hesitant to share something with me because they thought I would take the information and write a new book around it.  Folks, if you take a close look at the blog and books, I don't expose data in either one.  I've received hive files from two members of law enforcement, one of whom shared hive files from a Windows phone.  That's right...law enforcement.  And I haven't exposed, nor have I shared any of that data.  Just sayin'...

Interestingly enough, randomaccess also asked in his email if I'd "updated the samparse plugin for the latest book", which was kind of an interesting question.  The short answer is "no", I don't generally update plugins only when I'm releasing a new book.  If you've followed this blog, you're aware that plugins get created or updated all the time, without a new book being released.  The more extensive response is that I simply haven't seen a SAM hive myself that contains the information in question, nor has anyone provided a hive that I could use to update and test the plugin, until now.

And yes, the second edition of Windows Registry Forensics is due to hit the shelves in April, 2016.

11 comments:

Anonymous said...

"And I haven't exposed, nor have I shared any of that data."

It's sad you have to even say this. Thanks for everything you post for our community, your books, and your tool contributions.

Harlan Carvey said...

@Anonymous,

It's sad you have to even say this.

Perhaps, but based on my experience, however limited it may be, I felt that it was important to point this out.

As I said in the post, I was very recently told by someone that they were afraid to share information because they feared that I might create a new book based on the information. Never mind that they could not point to an instance where I'd actually done this.

ERZ said...

Looking forward to the new release Harlan!!

randomaccess said...

I've done a little bit more research into this and found a paper confirming a number of things that I have found (or vice versa, since it was written before I started looking into it)

http://www.marshall.edu/forensics/files/Matts-Paper.pdf

It's unfortunate the author didn't pass on this information to tool developers

Harlan Carvey said...

It's unfortunate the author didn't pass on this information to tool developers

Well, looking at the paper, it doesn't appear to be complete. There's no date, and the references page has "1.", and that's it. It may be a draft.

Also, I've found that many academic papers aren't aware of what FOSS tool authors are up to. For example, when I see papers, I don't often see that there's been an extensive literature search done. I guess it doesn't help when the instructors/professors themselves are out of date...I've been contacted by students at one particular school, asking me about updated information for RegRipper. Apparently, their professor was pointing them to a web site that was changed over two years ago. ;-(

mustu said...

I couldn't make any possible sense of why one shouldn't compile the findings in the form of a book/blog? Isn't that how we learn from each other? What's wrong in writing a new book based on new experiences?

randomaccess said...

Yeah I'll see if I can find the complete paper. The author finished their degree a couple years ago so they probably didn't add too much on top of this.

Harlan Carvey said...

mustu...

I couldn't make any possible sense of why one shouldn't compile the findings in the form of a book/blog?

Apparently, this particular individual seems to think that no other organization has ever been breached, so saying something like, "...I was analyzing a system infected with PlugX..." would expose the breached company somehow...honestly, I don't know.

Isn't that how we learn from each other?

Good question...I honestly don't know. A very few folks in this industry talk about what they see or do, so I do not know. ;-)

Bill O'Sullivan said...

I really enjoy your writing and looking forward to this book. Thank you and Semper Fi!

Harlan Carvey said...

Thanks, Bill...and Semper Fi!

Yogesh said...

Harlan, Good to know that it's been updated to include that information. You should also add this other bit: if it is an MS account, then the last logon date is not populated in the F value, and the tool output is therefore "Last Logon:Never" even when there have been logons. If it's an MS account, then "Never" should not be printed; instead it can say "not available".
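As an added example (not the samparse.pl plugin's code, and not from the post or the comments above), here is a small Python parser for the user RID key values the post and Yogesh's comment discuss: it decodes the GivenName, SurName and InternetUserName values, reads the last-logon FILETIME out of the F value, and reports "not available" instead of "Never" when an InternetUserName is present. The F value offset, the UTF-16LE encoding of the name values, and the sample data are assumptions constructed here, not taken from the page.

```python
import struct
from datetime import datetime, timedelta, timezone

# Offset of the last-logon FILETIME inside a user RID key's F value
# (assumed layout, not stated in the post).
F_LAST_LOGON_OFFSET = 8
WIN_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME (100ns ticks since 1601-01-01 UTC) -> aware datetime; 0 means unset."""
    if ft == 0:
        return None
    return WIN_EPOCH + timedelta(microseconds=ft // 10)


def decode_utf16_value(raw):
    """Decode a registry value assumed to hold a NUL-terminated UTF-16LE string."""
    return raw.decode("utf-16-le").rstrip("\x00")


def parse_user_key(values):
    """values: dict of value name -> raw bytes for one user RID key.
    Returns the fields a plugin would report, with the MS-account caveat applied."""
    last_logon = filetime_to_datetime(
        struct.unpack_from("<Q", values["F"], F_LAST_LOGON_OFFSET)[0])
    info = {name: decode_utf16_value(values[name]) if name in values else None
            for name in ("InternetUserName", "GivenName", "SurName")}
    if last_logon is not None:
        info["LastLogon"] = last_logon.strftime("%Y-%m-%d %H:%M:%SZ")
    elif info["InternetUserName"] is not None:
        # MS account: the F value carries no last-logon time, so "Never" would mislead.
        info["LastLogon"] = "not available"
    else:
        info["LastLogon"] = "Never"
    return info


def _filetime(dt):
    return int((dt - WIN_EPOCH).total_seconds()) * 10_000_000


# Constructed sample keys: a local account with one logon, and an MS account.
SAMPLE_LOCAL = {"F": bytearray(80)}
struct.pack_into("<Q", SAMPLE_LOCAL["F"], F_LAST_LOGON_OFFSET,
                 _filetime(datetime(2016, 2, 3, 12, 30, tzinfo=timezone.utc)))
SAMPLE_MS = {
    "F": bytes(80),  # last-logon field left at zero
    "GivenName": "Random".encode("utf-16-le"),
    "SurName": "Access".encode("utf-16-le"),
    "InternetUserName": "user@example.com".encode("utf-16-le"),
}
```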