Comments on Windows Incident Response: Browser Stuff
(11 comments, shown oldest first; times are UTC-05:00)

Ken Pryor, 2010-01-04 21:18:

Very interesting and helpful post, Harlan. Thanks for the post!
KP

H. Carvey, 2010-01-04 21:20:

I hope you find it helpful...

Jimmy_Weg, 2010-01-04 22:53:

> Many times during an examination, we'll take a look at the user's browser activity. That might include starting by getting the contents of the TypedURLs Registry key...

I think that you mentioned this key as an example to drive a point home, but, since you did, I'll point out that TypedURLs is a questionable indicator of intent. I review it, but rarely, if ever, cite it in a report as evidence. The problem is that the key can be populated by actions other than typing and pasting. I'll anticipate your question, so I'll say that there was some research cited on this key on the Digital Detective Forum, and I validated the findings at the time, but can't recall the more esoteric events that can populate this key. I can try to go back and find that thread.

It would be wise to check for artifacts of every browser, default or otherwise. That point seems implicit in your message.

> ...so we found clear artifacts of the use in the Default User's Internet history.

This is a very interesting and useful pointer. I'd be interested to see the index records that documented this finding. In most of our cases, I'd say that the index records that reflect web site visits and file accesses are records of activity that were effected with MSIE. Perhaps something else could mimic that behavior? Any index record attributed to the "Default" user should be explored further.

Darren, 2010-01-04 23:09:

Extracting the Registry files is the first thing I do; then, whilst other processes are running, I use AccessData Registry Viewer, and some custom summary reports I've created, to extract keys of interest. It really helps to start building a picture, and gives you an oversight of what you are dealing with, and very quickly too. I also use RegRipper to confirm findings.

There are lots of keys with really good information, too many to start listing. One good one is the "number of days to keep browser history". If it's only one day, don't expect to see too much, but if it's 90 days, there should be lots to look through.

My biggest gripe would be having to process each file separately. It would be so much easier to point RegRipper to a folder with all the Registry files in it, and have it produce reports based on the keys I choose. I know it can be done with individual files. Perhaps rather than focussing on getting RegRipper to work on mounted images, you could get it to process all Registry files in a folder. Shouldn't be too hard, probably easier than the mounted image scenario.

Or perhaps I should start reading the RegRipper code to see if I can create this functionality...

Mark Woan (http://www.woanware.co.uk), 2010-01-05 02:49:

For Google Chrome: http://www.woanware.co.uk/chromeforensics/, includes the ability to extract thumbnails etc.

H. Carvey, 2010-01-05 07:02:

Thanks all, for your comments...

> ...I'll point out that TypedURLs is a questionable indicator of intent.

Agreed. However, when I've reviewed what others have done, or said that they've done, this is one of the first things I see mentioned.

> It would be wise to check for artifacts of every browser, default or otherwise.

Particularly if I'm seeing a reference to other browsers in, say, the MUICache key, and that the user launched the Add/Remove Programs Control Panel applet (seen via the UserAssist key entries)...

> My biggest gripe would be having to process each file separately.

At the moment, you can do this quite easily with rip.pl/.exe, in a batch file. This is what Paul Stutz has done: https://docs.google.com/fileview?id=0B3oC9uB5ETAbMDY2NGNlNTAtYWNiNy00NDkxLWE1OTEtZGY0YmNhNDAxN2Ji&hl=en. I am adding this capability to the next version of RegRipper, as well.

Jimmy_Weg, 2010-01-06 18:34:

Harlan, is it possible to show us a sample of the Default account's index records that display the activity that you noted? Sorry for asking again, but this interests me. Thanks.

H. Carvey, 2010-01-06 18:53:

Jimmy,

I don't have an actual sample available, as this is something I've been repeating for a while now, based on Robert "Van" Hensing's assistance on an old case. If you look at Robert's post, it's dated 2006. Sorry.

hogfly, 2010-01-07 11:46:

I had an older blog post on this showing the activity: http://forensicir.blogspot.com/search?q=analyzing+an+intrusion

Here's a very recent example. Default User cache below. This is from a compromise where the system was remotely exploited and code execution was done under SYSTEM privs using the "Default User" profile. I see this more often than I'd care to admit...

Produced with IECacheView.

E001[6].exe ftp://into.imzone.in/E001.exe 12/29/2009 4:16:28 PM N/A N/A 172 0 2ZE1UPGJ F:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\2ZE1UPGJ\E001[6].exe Yes
A028[31].exe ftp://into.imzone.in/A028.exe 12/29/2009 4:16:24 PM N/A N/A 197 0 2ZE1UPGJ F:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\2ZE1UPGJ\A028[31].exe Yes
M001[2].exe ftp://into.imzone.in/M001.exe 12/29/2009 4:15:40 PM N/A N/A 16 0 2ZE1UPGJ F:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\2ZE1UPGJ\M001[2].exe Yes
J002[2].exe ftp://into.imzone.in/J002.exe 12/29/2009 4:15:37 PM N/A N/A 19 0 2ZE1UPGJ F:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\2ZE1UPGJ\J002[2].exe Yes
J001[2].exe ftp://into.imzone.in/J001.exe 12/29/2009 4:15:34 PM N/A N/A 20 0 2ZE1UPGJ F:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\2ZE1UPGJ\J001[2].exe Yes
H001[2].exe ftp://into.imzone.in/H001.exe 12/29/2009 4:15:30 PM N/A N/A 29 0 2ZE1UPGJ F:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\2ZE1UPGJ\H001[2].exe Yes
Q[1].exe ftp://into.imzone.in/Q.exe 12/29/2009 4:09:44 PM N/A N/A 4 0 2ZE1UPGJ F:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\2ZE1UPGJ\Q[1].exe No
P001[1].exe ftp://into.imzone.in/P001.exe 12/29/2009 4:09:40 PM N/A N/A 6 0 I9U5K1A7 F:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\I9U5K1A7\P001[1].exe Yes

Unknown, 2010-01-25 16:59:

Harlan,

I'm new to RegRipper and am just starting to get acquainted with it. You indicate above that there's a plugin that helps determine the default browser. It's not clear to me which plugin applies. Can you please clarify that point? (Forgive me if I'm missing something; I've looked through the documentation and the plugin list, and the required plugin is eluding me).

Thanks.

H. Carvey, 2010-01-26 06:51:

Gregory,

It's a plugin I've written for myself.

RegRipper is freely available, and anyone can write plugins for it. In fact, someone a while back wrote a plugin generator that, for a very limited subset of plugins, would allow you to select a key or value and automatically generate a plugin to retrieve data.

Also, I have stated time and time again that if someone needs a plugin that's not yet available, send me a concise request and a sample plugin, and I can turn one around (generally) pretty quickly. I've actually had some folks send me a request, and state in the email that they were not sending me a sample hive.

I tried to access your profile in order to get an email address to send you the plugin, but I couldn't.
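Darren's gripe about processing hives one at a time, and Harlan's reply that a batch file around rip.pl/.exe already does it, describe a small driver; here is one as an added example in Python (a verifier-friendly stand-in for the batch file; not RegRipper's own code and not Paul Stutz's script). It assumes rip.pl is on PATH and accepts `-r <hive> -f <plugin file>`, and that plugin files named ntuser, software, system, sam and security exist in your copy (check `rip.pl -l`); the usrclass entry in HIVE_PROFILES is an assumed name. It walks an extracted file tree, maps each hive to a plugin file by its file name, and writes one report per hive, named after the hive's location so the Default User NTUSER.DAT that the thread cares about gets its own report rather than colliding with a logged-on user's.

```python
"""Drive RegRipper's rip.pl over every Registry hive found under a folder.

Added example, not RegRipper's own code and not Paul Stutz's batch file.
Assumptions: rip.pl (or rip.exe) is on PATH and takes `-r <hive> -f <plugin
file>`; plugin files ntuser/software/system/sam/security exist (run `rip.pl -l`
to confirm); the "usrclass" entry below is an assumed plugin file name.
"""
import os
import subprocess
from typing import Dict, List, Optional, Tuple

# Hive file name (lower case) -> RegRipper plugin file to run against it.
HIVE_PROFILES: Dict[str, str] = {
    "ntuser.dat": "ntuser",
    "usrclass.dat": "usrclass",   # assumption: a plugin file of this name exists
    "software": "software",
    "system": "system",
    "sam": "sam",
    "security": "security",
}

Job = Tuple[List[str], str]   # (command line, report path)


def classify_hive(path: str) -> Optional[str]:
    """Map a hive file to its plugin file by name; None for anything else
    (transaction logs such as software.LOG, unrelated files)."""
    return HIVE_PROFILES.get(os.path.basename(path).lower())


def find_hives(root: str) -> List[str]:
    """Walk an extracted tree (or mounted image) and collect every hive,
    which deliberately includes Default User, service-account and RegBack copies."""
    hives = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            if classify_hive(full) is not None:
                hives.append(full)
    return sorted(hives)


def report_name(hive: str, root: str) -> str:
    """One report per hive, named after its location relative to root so that
    'Default User/NTUSER.DAT' and 'jsmith/NTUSER.DAT' cannot collide."""
    rel = os.path.relpath(hive, root)
    safe = rel.replace(os.sep, "_").replace("/", "_").replace(" ", "_")
    return safe + ".txt"


def plan(hives: List[str], root: str, outdir: str, rip: str = "rip.pl") -> List[Job]:
    """Build the rip command line and report path for each recognised hive."""
    jobs: List[Job] = []
    for hive in hives:
        profile = classify_hive(hive)
        if profile is None:
            continue
        cmd = [rip, "-r", hive, "-f", profile]
        jobs.append((cmd, os.path.join(outdir, report_name(hive, root))))
    return jobs


def run(jobs: List[Job]) -> Dict[str, int]:
    """Run each job, writing rip's stdout to its report. Exit codes are returned
    so a hive that rip could not parse shows up as a failure, not an empty file."""
    codes: Dict[str, int] = {}
    for cmd, report in jobs:
        report_dir = os.path.dirname(report)
        if report_dir:
            os.makedirs(report_dir, exist_ok=True)
        with open(report, "w") as out:
            proc = subprocess.run(cmd, stdout=out, stderr=subprocess.PIPE, text=True)
        if proc.returncode != 0:
            print(f"{cmd[2]}: rip exited {proc.returncode}: {proc.stderr.strip()}")
        codes[report] = proc.returncode
    return codes


if __name__ == "__main__":
    import sys
    image_root, out_dir = sys.argv[1], sys.argv[2]
    run(plan(find_hives(image_root), image_root, out_dir))
```

Run it as `python riprun.py <extracted-tree> <report-dir>`. Because the report name carries the hive's path, a hive under Default User, under a service profile, or in RegBack is immediately distinguishable from the interactive user's copy, and a non-zero exit code for one hive does not stop the others.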
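hogfly's listing shows the pattern Jimmy Weg asked about: IE cache entries, all executables pulled over FTP, sitting under the Default User profile where no interactive user browses. The following is an added example (mine, not hogfly's, Harlan's or IECacheView's code) of turning that observation into a triage pass over such a listing. It assumes a tab-delimited export whose fields appear in the same order as the rows above; the names in COLUMNS are my own labels for those positions, not the tool's, and the sample rows are constructed (one modelled on the listing above, three invented, including a Vista-style path and a SYSTEM profile path) rather than taken from a case.

```python
"""Triage an IE cache listing for entries an interactive user could not have made.

Added example, not code from the original post or from any commenter.
Assumptions: a tab-delimited listing with fields in the order of the rows in
the thread; COLUMNS are my labels for those positions; SAMPLE is constructed.
"""
from datetime import datetime
import re
from typing import Dict, List

COLUMNS = ["filename", "url", "accessed", "modified", "expires",
           "hits", "size", "subfolder", "path", "missing"]

# Profile folders that should never carry interactive browsing. Cache entries
# here typically come from code running as SYSTEM or a service account that
# fetched files through WinInet (the Default User case in the thread).
NON_INTERACTIVE_PROFILES = {"default user", "default", "localservice",
                            "networkservice", "systemprofile"}

# Assumption: the owning profile is the path component after one of these
# parents (XP, Vista and later, and the SYSTEM profile under System32\config).
PROFILE_RE = re.compile(
    r"\\(?:Documents and Settings|Users|config)\\([^\\]+)\\", re.IGNORECASE)
EXEC_EXT = re.compile(r"\.(?:exe|dll|scr|com|bat|cmd|pif)$", re.IGNORECASE)
TIME_FMT = "%m/%d/%Y %I:%M:%S %p"


def _row(*fields: str) -> str:
    return "\t".join(fields)


# Constructed sample: first row modelled on the listing in the thread, the
# rest invented to exercise a normal user, a Vista-style path and systemprofile.
SAMPLE = "\n".join([
    _row("E001[6].exe", "ftp://into.imzone.in/E001.exe", "12/29/2009 4:16:28 PM",
         "N/A", "N/A", "172", "0", "2ZE1UPGJ",
         r"F:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\2ZE1UPGJ\E001[6].exe",
         "Yes"),
    _row("logo[1].gif", "http://www.example.com/logo.gif", "12/29/2009 9:02:11 AM",
         "N/A", "N/A", "3", "812", "A1B2C3D4",
         r"F:\Documents and Settings\jsmith\Local Settings\Temporary Internet Files\Content.IE5\A1B2C3D4\logo[1].gif",
         "No"),
    _row("update[1].exe", "http://www.example.com/update.exe", "12/30/2009 1:10:00 PM",
         "N/A", "N/A", "1", "40960", "Q9W8E7R6",
         r"C:\Users\jsmith\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Q9W8E7R6\update[1].exe",
         "No"),
    _row("svc[1].exe", "http://www.example.com/svc.exe", "12/30/2009 2:00:00 PM",
         "N/A", "N/A", "1", "1024", "Z1X2C3V4",
         r"C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Z1X2C3V4\svc[1].exe",
         "No"),
])


def profile_of(path: str) -> str:
    """Return the profile folder that owns a cached file ('' if not recognised)."""
    m = PROFILE_RE.search(path)
    return m.group(1) if m else ""


def parse_records(text: str) -> List[Dict[str, str]]:
    """Parse the tab-delimited listing; a row with the wrong field count is an
    error rather than a silently misaligned record."""
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != len(COLUMNS):
            raise ValueError(f"line {lineno}: expected {len(COLUMNS)} fields, got {len(fields)}")
        records.append(dict(zip(COLUMNS, fields)))
    return records


def triage(records: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Flag entries under non-interactive profiles and fetched executables,
    ordered by access time so the result reads as a timeline."""
    findings: List[Dict[str, object]] = []
    for r in records:
        profile = profile_of(r["path"])
        reasons = []
        if profile.lower() in NON_INTERACTIVE_PROFILES:
            reasons.append(f"cache under non-interactive profile '{profile}'")
        if EXEC_EXT.search(r["url"].split("?", 1)[0]):
            reasons.append("executable fetched over " + r["url"].split(":", 1)[0])
        if reasons:
            findings.append({
                "accessed": datetime.strptime(r["accessed"], TIME_FMT),
                "profile": profile,
                "url": r["url"],
                "missing": r["missing"] == "Yes",   # cached copy no longer on disk
                "reasons": reasons,
            })
    findings.sort(key=lambda f: f["accessed"])
    return findings


if __name__ == "__main__":
    for f in triage(parse_records(SAMPLE)):
        print(f["accessed"], f["profile"], f["url"], "; ".join(f["reasons"]))
```

This is a filter, not a conclusion: as Jimmy Weg says above, anything attributed to the Default (or another non-interactive) profile still needs the underlying index.dat records and the surrounding timeline examined before it goes in a report, and the "missing" flag on the sample's Default User row is exactly the case where the cached binary itself is gone and only the cache record remains.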