Wednesday, November 03, 2010


Writing Books...and whatnot...
As I've mentioned, Windows Registry Forensics is nearing completion (I'm reviewing the proofs now...) and according to Syngress, will be available in January. When something like this is coming out, as with WFA 2/e, the biggest question I tend to get is, "Did you cover the differences/changes in Windows versions?"

Most times, I'm taken aback by this question. I was at the CSI 2010 conference recently, and went by the Syngress table. I talked to someone who was looking at a copy of WFA 2/e, and once he realized that I was the author, he asked me that question. In order to get a better idea how to answer that question, I turned it around and asked him, " what?" To that, I got a blank stare in response.

I think...and please, correct me if I'm wrong here...but the real, underlying question is, what are the new sources and locations of potentially valuable data?

In many ways, this is something of a loaded question...because, yes, there are some things that are different between versions of Windows, and in particular between the venerable Windows XP and the shiny new Windows 7. But I could sit here for the better part of the day talking about the differences and never, not once, hit on anything of value to you or to your examinations. Some file paths and Registry locations have changed...while some haven't. Some file formats have changed, while new ones have been added. Some of the new file types in Windows 7...for example, sticky notes...are a bit questionable when it comes to their potential value as evidence.

My suggestion to the community is that if you want to see this kind of thing, start talking. What good does it do to stand there asking "...did you cover all of the changes?" AFTER the book has been written and published, and you're holding it in your hands (with your thumb on the table of contents)? Seriously. If you've got a concern, ask someone. I think you'll be surprised...if nothing else, that you're not the only person with that question. Sometimes, that's all it takes...

Registry Analysis
Speaking of working on the book (the proofs, really), one of the things that really intrigues me about Registry analysis is...well...Registry analysis.

One of the most valuable uses for Registry analysis that I've found is that you can go into the Registry and see historical access to a range of resources...USB removable storage devices (thumb drives, digital cameras, etc.), network shares, remote systems (via RDP or VNC), files that no longer exist on the system, etc. In many cases, you can tie a good deal of this activity to a user, as well as to a specific time frame. You can see what a user searched for on the system.

I've performed examinations of systems where there was a question regarding digital images...we'll just leave it at that (most of us know where I'm going with this...). Someone had claimed that the images had been put on the system by malware, and yet the Registry clearly showed not only access to the files in question, but also showed an association with a specific viewing application, and time stamps indicating when the files had been accessed. These time stamps from the Registry corresponded to file system metadata, as well as metadata from Prefetch files associated with the viewing application(s) (think multiple data sources for timelines). The Registry also indicated access to files no longer on the system, as well as files that were on other media.
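
The corroboration described above, as an added example that is not code from the original post: Registry, Prefetch and file-system timestamps are normalised to UTC, merged into one timeline, and each Registry event about the file in question is checked for independent sources that agree within a short window. All events, key names and paths are constructed sample data, not values from a real image.

```python
"""
Added example (not from the original post): merging Registry, Prefetch and
file-system timestamps into one timeline and checking that the sources
corroborate each other. All events below are constructed sample data; the
key names and file paths are illustrative, not taken from a real image.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Event:
    when: datetime      # always UTC
    source: str         # "registry", "prefetch", "filesystem", ...
    subject: str        # file, key or application the event concerns
    detail: str         # what happened


def to_utc(stamp: str) -> datetime:
    """Parse an ISO-8601 timestamp; naive values are treated as UTC.

    Registry LastWrite and NTFS $STANDARD_INFORMATION times are stored as
    UTC FILETIME values, so normalising every source to UTC before sorting
    avoids off-by-timezone errors when the sources are compared.
    """
    dt = datetime.fromisoformat(stamp)
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc)


# Constructed sample data: the shape of what a parser for each artefact returns.
REGISTRY_EVENTS = [
    ("2010-10-29T14:02:11", r"C:\Users\bob\Pictures\img_0042.jpg",
     "HKCU MRU entry (constructed key) shows file opened with viewer.exe"),
    ("2010-10-29T14:02:12", r"HKCU\Software\Classes\.jpg (constructed)",
     "LastWrite updated: .jpg associated with viewer.exe"),
]
PREFETCH_EVENTS = [
    ("2010-10-29T14:02:09", "VIEWER.EXE", "Prefetch last-run time (constructed)"),
]
FILESYSTEM_EVENTS = [
    ("2010-10-29T14:02:10", r"C:\Users\bob\Pictures\img_0042.jpg",
     "$STANDARD_INFORMATION last-accessed time (constructed)"),
    ("2010-10-28T09:15:00", r"C:\Users\bob\Pictures\img_0042.jpg",
     "$STANDARD_INFORMATION created time (constructed)"),
]


def build_timeline() -> list[Event]:
    """Normalise every source into Event objects and sort chronologically."""
    events = []
    for stamp, subject, detail in REGISTRY_EVENTS:
        events.append(Event(to_utc(stamp), "registry", subject, detail))
    for stamp, subject, detail in PREFETCH_EVENTS:
        events.append(Event(to_utc(stamp), "prefetch", subject, detail))
    for stamp, subject, detail in FILESYSTEM_EVENTS:
        events.append(Event(to_utc(stamp), "filesystem", subject, detail))
    return sorted(events, key=lambda e: e.when)


def corroborate(timeline: list[Event], anchor: Event, window: timedelta) -> set[str]:
    """Return the distinct *other* sources with an event inside the window
    around `anchor`. Two or more independent sources agreeing on the same
    few seconds is what makes a "malware put it there" claim hard to
    sustain; a lone Registry entry is much weaker."""
    lo, hi = anchor.when - window, anchor.when + window
    return {e.source for e in timeline
            if e is not anchor and e.source != anchor.source and lo <= e.when <= hi}


def registry_anchors(timeline: list[Event], subject_fragment: str) -> list[Event]:
    """Registry events whose subject mentions the file under question."""
    return [e for e in timeline
            if e.source == "registry" and subject_fragment.lower() in e.subject.lower()]


if __name__ == "__main__":
    tl = build_timeline()
    for e in tl:
        print(f"{e.when:%Y-%m-%d %H:%M:%S} {e.source:<10} {e.subject}  {e.detail}")
    for anchor in registry_anchors(tl, "img_0042.jpg"):
        print("corroborated by:", sorted(corroborate(tl, anchor, timedelta(minutes=5))))
```

The window is deliberately a parameter: a five-minute window catches the Prefetch and file-system entries that sit a few seconds either side of the Registry write, while a one-second window drops the Prefetch entry, which is the kind of sensitivity worth reporting alongside the finding.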

I'm really looking forward to the book coming out for two reasons. One is to see it and hold it. The other is to see what folks think, in hopes that the content will spur discussion (what else is needed) as well as a greater move toward recognizing the Registry as a valuable forensic resource.

I recently attended a portion of a FIRST technical colloquium put on by IBM. Thanks to Richard Bejtlich for sponsoring me so I could attend.

I saw David Bianco (I'd swear that David is Cory Altheide's fraternal twin...) from Richard's team at GE talk about what they were doing, and the biggest take-away for me was the fact that they collect what's practical, as opposed to everything that's possible. They've got a phased approach to their network monitoring coverage, which has been prioritized; much like the Great Wall, they don't so much look at what's coming in as what's trying to go out of their infrastructure in the first phase of their rollout. This clearly demonstrates considerable thought having been put into their approach, taking into account what needs to be covered, staffing levels, etc., and coordinating all of these resources.

In part, this is something of a breath of fresh air when applied to the IR/DF communities. Too often, I think, we tend to take an "I need EVERYTHING possible" approach, and end up losing sight of our goals. I really liked what David said about getting everything practical, as I can really see how it applies to the IR/DF field. Have you ever seen someone who will arrive on-site as a responder and state their strategy is to image everything? By the time you're done imaging, the customer is no longer interested in your findings, as they're likely fined or out of business.

Another thing that came out of the discussion surrounding the presentation was that they have a tiered approach for their analysts, with a progressive career path, so that analysts coming in at a particular level have goals that they can strive for in order to progress to the next level. This is a different view than what I had seen when I got into the security industry in 1997, and I think that it's an excellent approach.

Again, thanks, Richard. I was saddened to not see Eoghan Casey at the colloquium.


Rob said...

Not to simplify this at all... but the generic question "Did you cover the differences/changes in Windows versions?" probably should have been worded "What differences are there between the Windows Registry in the different versions of the OS?".
I know that being a "Production Line" forensics guy who relies on the Registry quick find chart from Access Data and the Registry Viewer from AD to get my work done, I am just concerned with any changes that would benefit me in my investigations..or hurt me..
Nothing more or less.

Dave Hull said...

First, I'm jealous that you got to go to the FIRST technical colloquium, that sounds awesome.

I think it's more important to show folks how to analyze the artifacts themselves, show them the processes and techniques that are used to figure out what the differences are between different OS versions. Those techniques and methods are going to be valuable longer than static information about what the differences were at the time the book went to press. As they say, build a man a fire, he'll be warm for a night, light a man on fire, he'll be warm for the rest of his life... or something.

I'm looking forward to seeing the book out.

David Bianco said...

Glad you enjoyed my presentation. I think it's always interesting when someone gets up there and shows you how they do things, even if it's the same thing you're already doing. I love to compare and contrast the different approaches.

I'm a big fan of collecting what's "practical". Otherwise, you end up spending a lot of time trying (and probably failing) to collect everything, when you could have been doing useful work with the data you already have.

Keydet89 said...

@Rob...I think that based on talking to folks, the question really is more general. By that, I mean that with apparent changes in the UI, there are inferred changes in where evidence would be found. For example, with Vista, tracking of searches was moved out of the Registry, then back into it with Windows 7.

Specific to the Registry, however, I do spend an entire chapter talking about tools used to analyze the Registry, and find those "new" locations. I do that because there's no way that every possible, conceivable location can be listed in a book. I think what some folks don't realize about writing books (particularly when they don't provide anything up front) is that there's a schedule and at some point, you need to stop writing and send the material to the printer. In the time between when a chapter is written and when it actually comes out in the book, there will have been a number of new applications, as well as updates to the current applications and OS.

@David...agreed, but only with the general idea...I'm not sure that lighting a man on fire is such a good idea! ;-)

To that point, I'm a big proponent for process, but talking to several analysts, there seems to be a propensity toward static point analysis. I think that in many ways, this is really brought on and promulgated by commercial applications. It's much easier to sell the applications, as well as their support and training, that way.

Keydet89 said...

I totally agree with both points.

Too many times, I've been told by analysts that they "need everything"...but why would I parse the index.dat from every user profile, or dump the LastWrite times from every Registry key in every hive from a system, when I don't even know if I need those things? I've been able to do some extremely thorough analysis of, for example, SQL injection using just the file system metadata and the SQLi entries from the web server logs.

Like you, I'm a fan of a targeted, "sniper" (shoutz to Chris) approach. Rather than collecting everything and parsing through the noise to find the signal, I'd much rather build up that timeline using what I know is needed, based on my analysis process.

It was also good to know that I'm not the only one that feels that way...very validating! ;-)

Finally, don't take this the wrong way, but you do have a lot of mannerisms in common with Cory. Seriously. You two could have been separated at birth... ;-)
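
The targeted approach in the comment above, as an added example that is not code from the original post or its commenters: rather than parsing every artefact on the box, pull only the SQL-injection entries out of the web server log, decode them, and stamp them with UTC times so they drop straight onto a timeline next to file-system metadata. The log excerpt is constructed; the IIS W3C field layout is real, but the hosts, paths and request strings are made up for the example.

```python
"""
Added example (not from the original post): screening a web server log for
SQL-injection requests and returning them as timestamped timeline entries.
The log lines are constructed; the IIS W3C field layout is the real default
("date time c-ip cs-method cs-uri-stem cs-uri-query sc-status"), but the
hosts, paths and request strings are made up for this example.
"""
import re
from datetime import datetime, timezone
from urllib.parse import unquote_plus

# Constructed W3C-format log excerpt (IIS-style, times in UTC).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2010-10-29 14:01:55 203.0.113.5 GET /catalog.asp id=17 200
2010-10-29 14:01:58 203.0.113.5 GET /catalog.asp id=17%27+or+1%3D1-- 200
2010-10-29 14:02:03 203.0.113.5 GET /catalog.asp id=17;declare+@s+varchar(4000) 500
2010-10-29 14:02:20 198.51.100.9 GET /images/logo.gif - 304
2010-10-29 14:02:31 203.0.113.5 GET /catalog.asp id=1+union+select+name+from+sysobjects-- 200
"""

# Indicators a responder would screen for. Queries are URL-decoded before
# matching so percent-encoding does not hide them; matching is case-insensitive.
SQLI_PATTERNS = [
    re.compile(r"\bunion\b.*\bselect\b", re.I),
    re.compile(r"'\s*or\s+\S+\s*=\s*\S+", re.I),      # quote followed by a tautology
    re.compile(r"\bdeclare\s+@", re.I),                # T-SQL variable declaration
    re.compile(r"\bxp_cmdshell\b", re.I),
    re.compile(r"--\s*$"),                             # trailing SQL comment
]


def decode_query(raw: str) -> str:
    """Decode URL encoding ('%27' -> "'", '+' -> ' '); IIS logs '-' for empty."""
    return "" if raw == "-" else unquote_plus(raw)


def parse_w3c(text: str) -> list[dict]:
    """Parse a W3C extended log, naming the columns from the #Fields header."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if fields is None or len(parts) != len(fields):
            continue   # skip malformed lines rather than abort the whole run
        rows.append(dict(zip(fields, parts)))
    return rows


def find_sqli(text: str) -> list[dict]:
    """Return the rows whose decoded query matches any indicator, each with a
    UTC datetime so it slots into a timeline beside file-system timestamps."""
    hits = []
    for row in parse_w3c(text):
        query = decode_query(row["cs-uri-query"])
        matched = [p.pattern for p in SQLI_PATTERNS if p.search(query)]
        if matched:
            when = datetime.strptime(f"{row['date']} {row['time']}", "%Y-%m-%d %H:%M:%S")
            hits.append({
                "when": when.replace(tzinfo=timezone.utc),
                "src_ip": row["c-ip"],
                "uri": row["cs-uri-stem"],
                "query": query,
                "status": row["sc-status"],
                "indicators": matched,
            })
    return hits


if __name__ == "__main__":
    for h in find_sqli(SAMPLE_LOG):
        print(f"{h['when']:%Y-%m-%d %H:%M:%S} {h['src_ip']} {h['uri']}?{h['query']} "
              f"[{h['status']}] <- {len(h['indicators'])} indicator(s)")
```

The first benign request for `id=17` is not flagged, which is the point of decoding before matching: the indicator list stays short and specific, and the three hits that remain, all from one source address inside a half-minute window, are exactly the entries worth lining up against the file-system times from the same period.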

Troy said...

I have to respectfully disagree with your statement, “But I could sit here for the better part of the day talking about the differences and never, not once, hit on anything of value to you or to your examinations.” Well, you could, but it would take a lot of work to miss everything that would be valuable. From what I have been able to tell from customer and law enforcement questions, there are enough differences between versions to trap experienced investigators continually. Sure, there are common artifacts across the versions, but there are also enough differences between them to make an uninformed investigation defective.*

It would be very correct, however, to explain that it takes quite a long time between the release of a new version of an OS and the discovery and documentation of the differences between it and the prior versions. You could, for example, point out that the latest version of Windows Internals only covers up to Vista and Windows 2008. The public Microsoft documentation of Windows 7 and 2008 R2 is nowhere near as extensive as that for the previous versions. Documenting a new OS well is so much work, in other words, that it takes Microsoft considerable time to do. Considered in this light, the fact that you have much coverage for Windows 7 at all is quite an accomplishment.

From my review of your drafts, I can say that there is plenty in your newest book that covers Windows 7, as well as much that should be useful to even experienced investigators. I also have to point out that, at least to me, you are not exhaustively covering all possible forensic artifacts so much as you are demonstrating HOW to examine important artifacts. Your latest book, then, is just as applicable to Windows 7 as any other prior version of Windows, and, as I am sure to soon discover, just as applicable to Windows 8.

*Here would be a short, non-exhaustive list of changes impacting forensics:
XP to Vista:
-Location of boot sector.
-Event Logging.
-Profile folders.
-Virtual folders and registries.
-Volume Shadow copies.
-Hard links.
-Change Journal.
-Recycle Bin.
-Prefetch files.
-New hive files.
-EFS Pagefile.
-Thumbnail cache.

Vista to Windows 7:
-Volume control.
-Integrated VM.
-Native VHD.
-XP Mode.
-Virtualized applications.
-Features drop for solid state drive.
-Jump Lists.
-Service/Device Triggers.
-Volume Shadow Copies.
-More hive files.
-Whole disk wiping.
-Thumbnail Cache.
-Thin (virtualized) Clients.
-Direct Access.
-Windows Search.
-InPrivate Browsing.
-Tab and Session Recovery.
-Windows applications.

(Strictly speaking, some of these have changed between feature updates (e.g., IE and Search) rather than OS versions. Note: I didn’t mention Sticky Notes, since it has become almost a straw man.)