So, let's say that you have something specific that you want to look for, such as all Registry keys that were created or modified between two specific dates. You'd want to start by either extracting the appropriate hives from the acquired image via FTK Imager, or using FTK Imager to mount the acquired image as a volume on your analysis system.
For the next steps, go here and download the tln_tools.zip archive...do NOT download regtime.zip for this exercise. From the tln_tools.zip archive, we will be working specifically with the regtime.pl and parse.pl tools (note that regtime also ships with a standalone EXE...you must have the p2x588.dll file in the same directory along with the EXE).
The first thing you'll need to do is create your events file of the Registry key LastWrite times. One thing you'll need is the name of the system you're analyzing. This can be something that's already in your case documentation; however, if you don't have that information, you can either enter a designator, or leave it blank...for what we're doing, it isn't critical. If you have RegRipper installed, this is very easy to get, using the following command:
C:\rr>rip -r H:\Windows\system32\config\system -p compname
We can then use the returned information in your mini-timeline instead of the "SERVER" value in the below commands.
Next, we'll parse the Software and System hives (assume that the image is mounted as H:\):
C:\tools>regtime -r H:\Windows\system32\config\system -m HKLM/System -s SERVER > D:\case\key_events.txt
C:\tools>regtime -r H:\Windows\system32\config\software -m HKLM/Software -s SERVER >> D:\case\key_events.txt
Now that we have the events file, we can use parse.pl to generate our timeline. If you type just "parse.pl" at the command prompt (or "parse.pl -h"), you'll see that the script has a couple of options, one of which is to specify a date range. Let's say that you want all events from your events file, between 3 March and 4 April 2011, inclusive. You would use the following command:
C:\tools>parse.pl -f D:\case\key_events.txt -r 03/03/2011-04/04/2011 > D:\case\key_tln.txt
This command provides an ASCII output format that I've always found very easy to view and understand. If you would like .csv output, which Excel is much happier with, type the following command (note the "-c" switch):
C:\tools>parse.pl -f D:\case\key_events.txt -r 03/03/2011-04/04/2011 -c > D:\case\key_tln.csv
There you go...that's it. You can also add other hives to your events file, even NTUSER.DAT hives (adding the username after the "-u" switch can help you tell different user's apart).
This blog post has been brought to you by the open source tool, "regtime.pl", and the redirection operator ">".
4 comments:
Nice post, didn't know this ability existed. Adding this to reg decoder seems well worth it as currently you can only filter last write time during searches.
Will add this on the issue tracker.
Andrew,
I like to use evtrpt.pl (for XP/2003) to preview the Event Logs and see what sources are being logged, and the date range of the records in the log. This lets me know quite a bit about the Event Logs.
Having the ability to parse out some information first, before adding it to a full timeline, can be very useful.
Harlan, a great little post. I found this post very useful because it was short, to the point, had clear instructions, and most importantly I learned something that I can also implement immediately.
For me this was kind of like a mini “how to”, for my own personal standards of making sure I learn at least 3 things new a day, and can document them and repeat them in my own work. 1 down, 2 to go.
Nice going mate. Any chance you do this type of quick hit post a couple of times a month if possible.
Regards, Brian.
Brian,
Any chance you do this type of quick hit post a couple of times a month if possible.
I might be able to do a couple, but I'd likely run out of topics pretty quickly. This post came out of an exchange that occurred on Twitter last night, over a 5 hr period. I just sort of thought that was too long to keep going back and forth on something that shouldn't even take 15 minutes.
I'll see what I can do, although I don't think I'll have enough content, just on my own, to do this a couple of times a month.
Post a Comment