Hogfly emailed me last night to let me know that he'd posted a video on how to use F-Response and RegRipper together in live response. There's no audio to the video, but it's cool nonetheless...Hogfly does a great job of putting in cues, and focusing in so that the viewer can see what's going on up-close.
One thing that I wanted to address, though, is something that Hogfly stated in his blogpost:
Harlan has said this tool is not designed for live response...
For the record, I never said that. What I did say is:
RegRipper is NOT intended to be run on live Registry hive files.
There's a difference. RegRipper was NOT intended to be run against C:\Documents and Settings\hcarvey\NTUSER.DAT while I'm logged into my system...the hive file is live and locked by the system (it is what populates the HKEY_CURRENT_USER hive you see in RegEdit). However, what Hogfly did was completely different...he used the excellent tool F-Response to access the remote drives as read-only physical disks, and then used FTK Imager to extract the hive files. You can do this on your own system as well...fire up FTK Imager, add your physical disk as an evidence item, and extract your hive files into another location in the file system. At that point, when you fire up RegRipper against those copies, you're no longer really doing "live response".
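The hive-file distinction above is easier to see by looking at the file itself. What follows is an added example, not RegRipper's code and not from the original post: a small Python parser for the REGF base block, the first 512 bytes of a hive such as NTUSER.DAT or SYSTEM. It checks the "regf" signature and the header checksum, and compares the primary and secondary sequence numbers, which Windows increments before and after each write to the hive. When the two differ, the copy was taken while the hive was mid-write, which is the caveat to keep in mind when pulling hive files off a live system through a physical-disk view rather than from an image of a shut-down box. The sample header bytes and the path embedded in them are constructed for the example; `build_sample_header` and `parse_regf_header` are this example's own names.

```python
import struct
from datetime import datetime, timedelta

# Size of the REGF base block at the start of every registry hive file.
HEADER_SIZE = 512


def regf_checksum(header: bytes) -> int:
    """XOR of the 127 DWORDs at offsets 0..507, with the two reserved results
    remapped the way Windows does (0 -> 1, 0xFFFFFFFF -> 0xFFFFFFFE)."""
    acc = 0
    for (dword,) in struct.iter_unpack("<I", header[:508]):
        acc ^= dword
    if acc == 0:
        return 1
    if acc == 0xFFFFFFFF:
        return 0xFFFFFFFE
    return acc


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME is 100ns ticks since 1601-01-01 UTC."""
    return datetime(1601, 1, 1) + timedelta(microseconds=ft // 10)


def parse_regf_header(data: bytes) -> dict:
    """Parse the base block of a hive file and report the checks an analyst
    wants before handing the file to a hive parser such as RegRipper."""
    if len(data) < HEADER_SIZE:
        raise ValueError("file shorter than a REGF base block")
    hdr = data[:HEADER_SIZE]
    if hdr[:4] != b"regf":
        raise ValueError("not a registry hive: missing 'regf' signature")
    # Fixed fields following the signature: primary seq, secondary seq,
    # last-written FILETIME, major, minor, file type, file format,
    # root cell offset (relative to the first hbin at 0x1000), hbin data size.
    (seq1, seq2, ft, major, minor, ftype, fformat,
     root_off, bins_size) = struct.unpack_from("<IIQIIIIII", hdr, 4)
    # Offset 48: up to 64 bytes of UTF-16LE holding the tail of the hive's path.
    name = hdr[48:112].decode("utf-16-le", errors="replace").rstrip("\x00")
    stored_checksum = struct.unpack_from("<I", hdr, 508)[0]
    return {
        "primary_seq": seq1,
        "secondary_seq": seq2,
        "last_written": filetime_to_datetime(ft),
        "version": f"{major}.{minor}",
        "file_type": ftype,            # 0 = primary hive file
        "file_format": fformat,        # 1 = direct memory load
        "root_cell_offset": root_off,
        "hbin_data_size": bins_size,
        "embedded_path": name,
        "checksum_ok": stored_checksum == regf_checksum(hdr),
        # Sequence numbers diverge while a write is in flight; a copy taken
        # from a live disk can land in that window.
        "dirty": seq1 != seq2,
    }


def build_sample_header(primary_seq: int, secondary_seq: int,
                        path: str = "\\??\\C:\\Users\\analyst\\NTUSER.DAT") -> bytes:
    """Construct a synthetic base block (sample data, not a real hive)."""
    hdr = bytearray(HEADER_SIZE)
    hdr[0:4] = b"regf"
    constructed_filetime = 132_000_000_000_000_000  # some time in 2019
    struct.pack_into("<IIQIIIIII", hdr, 4, primary_seq, secondary_seq,
                     constructed_filetime, 1, 5, 0, 1, 0x20, 0x1000)
    encoded = path.encode("utf-16-le")[:64]
    hdr[48:48 + len(encoded)] = encoded
    struct.pack_into("<I", hdr, 508, regf_checksum(bytes(hdr)))
    return bytes(hdr)


if __name__ == "__main__":
    # A clean copy, as you would get from an image of a powered-off system.
    print(parse_regf_header(build_sample_header(5, 5)))
    # A copy grabbed while the OS was between the two sequence-number updates.
    print(parse_regf_header(build_sample_header(6, 5)))
```

Running the block prints the parsed fields for both headers; the second reports `dirty: True`, which is the signal to go back for the hive's transaction logs or re-acquire before trusting what the parser reports.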
Thanks, Hogfly...great video! And a mighty THANKS goes out to Matt Shannon for coming up with F-Response...for recognizing and filling a very important need. With what's coming down the road with F-Response, as well as with other tools, the face of incident response and computer forensic analysis is now changing, in a very positive direction!
Thanks again for the clarification Harlan. I've made the edits in my post. For future reference would audio be useful?
Harlan,
FYI - RegRipper works against a LIVE registry hive over an F-Response tunnel. Physical disk access bypasses logical restrictions to the file. New video forthcoming.
Very cool! Great use for the tools!
FYI, in Imager, to get the reg files you don't even need to add the physical drive. Just use the "Obtain Protected Files" feature and select the "Password recovery and all registry files" option. This will give you the reg files and user.dat files (as well as other files used in PRTK for cracking logins, etc.).
Harlan,
Just spotted this new (beta) tool.
Evidence Collector Beta released
"Evidence Collector is a free forensics program used to manage other utilities to collect useful information you may need to investigate on some IT Incidents."
Reading the description left me a bit skeptical. Sounds like they just rounded up a bunch of existing third-party tools and assembled them in a zip file.
But upon download and initial playing...it looks pretty clever. Run a single "exe" and a bunch of log-files are generated on key system areas.
It seems to have a few "weaknesses" and I'm not sure I would call it a true "forensics" level tool in the purest sense of the word. However, from a system-administrator perspective, it certainly would be useful in system documentation. Certainly when paired up with RegRipper.
In the read-me file, the developer makes the following comment (I thought was pretty nice):
Quote "Evidence Collector is a little program used to manage other utilities in order to collect some data and information you may need
to investigate on some IT Incidents. Actually, it deals with Windows environment.
IT incidents, you mean Forensics ?
Call it what you want. But, this helps me out to debug and track some incidents occurred
on some computers." End-quote
I'll try to play with it more and will do an "IT Incident" usage point-of-view review on my blog, maybe this weekend.
I'm curious as to your "professional" take on it as I deeply respect your skills and "wide-view" perspectives.
I was impressed by the quick log-report generation. Really saves some time...but as you have said...it isn't really just enough to be fast; you have to know what you are getting, why you need to get what you need, and finally, how to correctly interpret what you got.
--Cheers
Claus,
I hit the site, read up on the tool and downloaded it...the utilities directory contains a standard list of utilities, albeit not necessarily all of which I would consider using. The overall package has its pluses and minuses, but for the most part, it's another example of what's possible.
Thanks for pointing that one out...