Wednesday, August 22, 2018


Not all RegRipper plugins come from external sources; in fact, a good number of the plugins I've written start as something I've run across on the Internet, from various sources (most often Twitter).  Sometimes it's a blog post, other times it's a malware write-up, or it could be the result of working a forensic challenge.

Based on Adam's post, I created a plugin (named that outputs the values of the Settings key, and includes an Analysis Tip that references the Remote value.

I also updated the plugin to look for the TreatAs value. On a sample hive that I have from a Win7 SP1 system, I ran the following command:

rip -r d:\cases\test\software -p clsid | find "TreatAs"

I got a total of 9 hits, 7 of which were all for the same GUID (i.e., {F20DA720-C02F-11CE-927B-0800095AE340}), which appears to refer to packager.dll.

I also created a TLN output version of (named so that this information can be used to create a timeline (in and of itself), or can be added to a timeline that incorporates other data sources.  I know from initial testing that under "normal" circumstances, the LastWrite times for the keys may be lumped together around the same time, but what we're looking for here are outliers: timeline entries that correspond with other suspicious activity, forming an artifact cluster.
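The check described above, as an added example that is not RegRipper's clsid plugin (which is written in Perl) and not code from the original post. A TreatAs value under a CLSID subkey tells COM to instantiate the named target class in place of the one requested, so a TreatAs entry that was written long after the rest of the CLSID key, or that points at a class nobody recognizes, is the entry to pivot on. The script below models the plugin's TreatAs sweep against a small in-memory stand-in for the Software\Classes\CLSID key (parsing the hive itself is left to RegRipper or a library such as python-registry), emits RegRipper-style TLN lines (epoch|source|host|user|description), flags LastWrite outliers against the median LastWrite of the TreatAs keys, and then pulls the events from other sources that fall within an hour of an outlier, i.e., the artifact cluster. Everything in the sample data is constructed except the packager.dll CLSID named in the post; the host name, user name, other-source TLN lines, and the 30-day outlier window are assumptions chosen for illustration.

```python
import statistics
from datetime import datetime, timezone

# The one real identifier in this example: the Package (packager.dll) CLSID named in the post.
PACKAGER_CLSID = "{F20DA720-C02F-11CE-927B-0800095AE340}"


def to_epoch(ts):
    """'YYYY-MM-DD HH:MM:SS' (UTC) -> Unix epoch seconds, the time field used in TLN output."""
    return int(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc).timestamp())


# Constructed stand-in for the parsed CLSID key:
# GUID -> {"treatas": target CLSID or None, "lastwrite": key LastWrite as epoch}.
# All GUIDs except PACKAGER_CLSID are made up for this example.
SAMPLE_CLSID_KEYS = {
    "{11111111-0000-0000-0000-000000000001}": {"treatas": PACKAGER_CLSID, "lastwrite": to_epoch("2009-07-14 02:41:10")},
    "{11111111-0000-0000-0000-000000000002}": {"treatas": PACKAGER_CLSID, "lastwrite": to_epoch("2009-07-14 02:41:10")},
    "{11111111-0000-0000-0000-000000000003}": {"treatas": PACKAGER_CLSID, "lastwrite": to_epoch("2009-07-14 02:41:11")},
    "{11111111-0000-0000-0000-000000000004}": {"treatas": None,           "lastwrite": to_epoch("2009-07-14 02:41:12")},
    # A CLSID redirected to an unknown class years after the others were written: the entry to pivot on.
    "{22222222-0000-0000-0000-000000000001}": {"treatas": "{DEADBEEF-0000-0000-0000-000000000001}",
                                                "lastwrite": to_epoch("2018-08-17 13:05:42")},
}


def find_treatas(clsid_keys):
    """Every CLSID subkey carrying a TreatAs value, as (guid, target, lastwrite), ordered by LastWrite."""
    return sorted(((g, v["treatas"], v["lastwrite"]) for g, v in clsid_keys.items() if v["treatas"]),
                  key=lambda h: h[2])


def tln_lines(clsid_keys, host="", user=""):
    """One TLN line (epoch|source|host|user|description) per TreatAs hit."""
    return [f"{lw}|REG|{host}|{user}|CLSID\\{g} TreatAs -> {t}" for g, t, lw in find_treatas(clsid_keys)]


def parse_tln(line):
    """Split a TLN line into (epoch, source, host, user, description); the description may contain '|'."""
    epoch, source, host, user, desc = line.split("|", 4)
    return int(epoch), source, host, user, desc


def lastwrite_outliers(clsid_keys, window_days=30):
    """TreatAs keys whose LastWrite lies more than window_days from the median LastWrite of all TreatAs keys.

    Keys populated at install time share one LastWrite cluster; a key modified well outside that
    cluster is the one worth correlating with other data sources. The 30-day window is an assumption."""
    hits = find_treatas(clsid_keys)
    if not hits:
        return []
    median = statistics.median(lw for _, _, lw in hits)
    window = window_days * 86400
    return [g for g, _, lw in hits if abs(lw - median) > window]


def artifact_cluster(tln_text_lines, anchor_epoch, window_seconds=3600):
    """Events from any TLN source within +/- window_seconds of anchor_epoch, sorted by time."""
    events = [parse_tln(line) for line in tln_text_lines if line.strip()]
    return sorted(e for e in events if abs(e[0] - anchor_epoch) <= window_seconds)


# Constructed TLN lines from other data sources, as they would sit in a merged events file.
OTHER_SOURCE_TLN = [
    f"{to_epoch('2018-08-17 13:04:30')}|PREFETCH|WIN7-PC||RUNDLL32.EXE-00000001.pf last run",
    f"{to_epoch('2018-08-17 13:05:40')}|EVTX|WIN7-PC|jdoe|Security/4688 New process: rundll32.exe",
    f"{to_epoch('2018-08-20 09:00:00')}|EVTX|WIN7-PC|jdoe|Security/4624 Logon",
]


def investigate(clsid_keys=SAMPLE_CLSID_KEYS, other_lines=OTHER_SOURCE_TLN):
    """Run the TreatAs sweep, flag LastWrite outliers, and build the cluster around each outlier."""
    outliers = lastwrite_outliers(clsid_keys)
    merged = tln_lines(clsid_keys, host="WIN7-PC") + list(other_lines)
    clusters = {g: artifact_cluster(merged, clsid_keys[g]["lastwrite"]) for g in outliers}
    return outliers, clusters


if __name__ == "__main__":
    outliers, clusters = investigate()
    print("TreatAs hits:", len(find_treatas(SAMPLE_CLSID_KEYS)), "outliers:", outliers)
    for g, events in clusters.items():
        print(f"\nartifact cluster around CLSID\\{g}:")
        for ts, src, host, user, desc in events:
            print(f"  {datetime.fromtimestamp(ts, timezone.utc):%Y-%m-%d %H:%M:%S}Z {src:9} {desc}")
```

Run against the sample data, the three packager.dll redirections share the 2009 cluster and drop out, while the 2018 entry is flagged and lands next to the constructed Prefetch and 4688 events from the same two minutes; that grouping across sources, not the TreatAs value on its own, is what makes the entry worth a closer look.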

I received an email from my publisher on 20 Aug 2018 telling me that Investigating Windows Systems had officially been published, and is available here through the publisher!  I'm not sure what that means with respect to the book actually being available or shipped (if you pre-ordered it) from Amazon; for me, it's a milestone, something I can mark off my list. That's #9 down (as in, nine books that I've authored), and I'm currently working on Practical Windows Investigations, which is due out next year.

IWS is a bit of a departure from my previous books; instead of listing various artifacts that you could use in an investigation, and leaving it to the reader to figure out how to string them together, I used images available online to illustrate what an investigation might look like.  Using the images, I provide analysis goals that are more in line with what one might expect to see during a real-world IR investigation.  I then walk through the analysis of the image (based on the stated goals), providing decision pivot points along the way.  However, these investigations are naturally somewhat limited; they aren't enterprise-level and don't involve things like lateral movement.  As such, those things aren't addressed, but I did try to cover as much as I could with what was available.

I have a GitHub repo for the book - it doesn't contain a great deal at the moment, just links to the images used, and in the folder for chapter 4, code that I wrote for that particular chapter.  I'm sure I'll be adding material over time, either based on requests or based on interesting things from my notes and folders for the book.

Practical Windows Investigations is going to swing the pendulum back a bit, so to speak, in that rather than just looking at artifacts, I'm focusing on different aspects of investigations and addressing what can be achieved when pursuing those avenues.  The book is currently spec'd at 12 chapters, and the list is not too different from what was listed in this post from March.

The current chapters are:

Core Concepts
How to analyze Windows Event Logs
How to get the most out of RegRipper
Malware Detection
How to determine data exfiltration
File (LNK, DOCX/DOC, PDF) Analysis
How to investigate lateral movement
How to investigate program execution
How to investigate user activity
How to correlate/associate a device with a user (USB, Bluetooth)
How to detect/analyze the use of anti-forensics
Making use of VSCs

As with my previous books, the tools used for analysis will be free and open-source tools; this is because I simply do not have access to commercial tools.  This is a topic that is continually brought up during prospectus reviews, and one the reviewers simply do not seem to understand.
