The Sploited blog has part 3 of the Forensic Timeline for Beginners series of posts up, and there are a couple of interesting and useful things mentioned in the post that I wanted to point out.
First, the posts make use of Lance's first practical to illustrate developing a timeline. Why is this interesting? Well, even though Lance has closed his blog, he has left the content up. So, while it's sad to see Lance go, I'm grateful that he's left the information and images up on the 'net. This first practical has some very interesting artifacts
The post includes the statement:
"For some reason RegRipper said this registry entry was not found. I'm
not sure why this was at this point and decided to move on and try the
Okay, we can see from the graphic that follows that statement that the key in question does not appear to exist in the System hive within the image. Creating a ProDiscover project is a great way to troubleshoot the issue; "hey, this tool says that this artifact isn't available, I'd better check it out." I've heard from a couple of folks who use RegRipper and have told me that it has reduced the Registry analysis portion of their exams from days or hours to just minutes; if that's the case, and it's only taking you a few minutes to do something that normally takes hours, why not take a minute to troubleshoot or verify your findings? It's pretty quick and easy to do...
Overall, this has been a very interesting set of blog posts for me to follow along and read, as this mirrors much of what I see when I conduct training courses on Timeline Analysis, as well as other Windows Forensic Analysis topics.
Here is an excellent article that addresses information regarding the SQLite Write Ahead Log (-wal file). While SQLite databases are found in a number of locations on Windows systems (Firefox places.sqlite and Chrome History file, as well as in iTunes iPhone backups, etc.), they aren't only found on Windows systems. As such this information can be very important to analysts who encounter a number of different target platforms.
This post to the ShadowServer blog provides some excellent insight into the world of cyber espionage, and specifically strategic web compromises. Some of what's discussed in the post takes me back to what I mentioned previously in this blog regarding defense driven by intelligence, not FUD.
According to Grady Summers over at the Mandiant blog:
"...the very systems that hold the data targeted by an attacker are probably the least likely to have malware installed on them."
I think that's a very interesting distinction to make, and one that goes right along with Peter Silberman's comment a while back about LFO, or "least frequency of occurrence".
The e-Evidence "what's new" page was updated just a bit ago...this site is always an excellent resource for information that you may not have known was out there and available.
Thanks again for reviewing my post Harlan. I've much respect for you and what you've taught me so far.
In addition to my comment on the RegRipper plugin I've since attempted this command on a second machine and had success. So more troubleshooting on the tutorial image will be required to see where I went wrong in that case.
I also mentioned in my post that receiving the output, i.e timeline, is the easy part however understanding that output is far more challenging. As you say Regripper is a great tool to increase the speed of investigation but its important for analysts to understand why the tool does what it does and how it does it so that not only can we troubleshoot issues like above but also trust the output and understand any impacts on our investigation. This is something you highlight, in my brief read of WFAT2e, when you speak about understanding tools and in particular rootkit analysis where an analyst running Rootkit revealer and the confusion it can cause.
Your dedicated book on the registry will be a big help in this area I believe and thankfully your tools are open source so with time I believe I'll gain a solid understanding of all of the above.
Post a Comment