Wednesday, December 02, 2009


Timeline Stuff
Don has put together something very interesting with respect to timeline creation called System Combo Timeline; it looks like he's added quite a degree of automation (following artifact extraction) to the whole process of creating timelines (in TLN format) on Windows systems.

Download syscombotln and smell what Don's been cookin'!

Speaking of Don, he and I were chatting the other day, and during the course of our discussion, we covered an analysis technique. Now, I have no doubt that this technique is NOT new, and I am sure that there are folks out there who've used it in one form or another...however, I wanted to present it here in the hopes that someone would see it and use it, or add to it. So, starting with an acquired image from a Windows system, do the following:

1. Extract unstructured data (i.e., pagefile, unallocated space via blkls, etc.).

2. Parse the output with strings (the version from MS includes a -o switch that outputs the offset of each string within the file).

3. Search the output of strings for specific items; indications of commands being run (wget, etc.) and/or other Windows artifacts. This can be run on Windows using a keyword list in a file, via findstr (see the /G switch).

4a. Using your scripting language of choice, read in the output of strings and when you find a "hit of interest", access the original data at the offset provided by strings, and extract either X bytes on either side of the hit, or X bytes from the hit going forward; now, you've got something of a search hit preview capability (a la EnCase).

4b. Using your scripting language of choice, process any discovered Windows artifacts based on their structure; I've seen hits such as nk and hbin (Registry keys and hives, respectively), as well as LfLe (event records). We know how to process the structures, so this is pretty straightforward.

5. You can also carve the unstructured data for files (via PhotoRec, scalpel, or foremost) as well as indications of Internet activity (i.e., Internet Evidence Finder).

Like I said...this is nothing new, I'm sure. I just wanted to put it out there so that others could see it, and perhaps provide their own take, or even add to it. I've run this technique on a test image, and found entire pages of source code, as well as some nifty artifacts.

Document Metadata
Something cool from the SANS Forensic blog was the ability to pull VB script macros from Office documents, using OfficeMalScanner. This looks like an excellent means by which you can investigate an intrusion, particularly if you find Office documents in web browser download or email attachment directories.

Other useful tools for examining Office document metadata include OffVis (pre-Office 2007) and from Kristinn. Note that Windows 7 uses the OLE format for a number of file types, including Sticky Notes, so OffVis will be very useful.

It seems RegRipper has gained popularity around the world! Pedro from Spain found RegRipper interesting enough to post about...thanks, Pedro! Gracias!

Speaking of RegRipper, Mike Tarnawsky sent me a plugin he'd written to extract the Internet Server Cache from the Office Registry keys in the user's hive. This plugin ( is posted in the forum, as well as in the Win4n6 Yahoo Group Files section. Mike did a great job putting it together and even provided references in the header of the plugin that help the analyst to understand why the data is being extracted, and how it can be important to an investigation. Thanks, Mike!

No comments: