Menu > Articles de la revue de presse : - l'ensemble [tous | francophone] - par mots clé [tous] - par site [tous] - le tagwall [voir] - Top bi-hebdo de la revue de presse [Voir]

---

S'abonner au fil RSS global de la revue de presse

---

Présentation : PrerequisitesBinaries require no external dependencies working from asource checkout requires Python 2.6.x or 2.7.x and additional third-party appsand libraries. Merry Christmas Christmas is not a time nor aseason, but a state of mind. To cherish peace and goodwill, to be plenteous inmercy, is to have the real spirit of Christmas. -Calvin Coolidge IntroductionReaders of the SANS Computer Forensics Blog orHarlan Carvey s Windows Incident Response bloghave likely caught wind of Registry Decoder. Harlaneven went so far as to say sounds like development is really ripping along nopun intended . If you do any analysis of Windows systems and you haven't lookedat this tool as a resource, what's wrong with you When Registry Decoder was firstreleased in September 2011, I spotted it via Team Cymru s Dragon News Bytesmailing list and filed it away for future use. Then, in most fortuitousfashion, Andrew Case, one of the Volatility developers I d reached out to forSeptember s Volatility column, contacted me regarding Registry Decoder in earlyNovember. Andrew co-develops Registry Decoder with Lodovico Marziale as part ofDigital Forensic Solutions and kindly provided me with content for theremaining entirety of this introduction. Registry Decoder is open source GPL and writtencompletely in Python and is downloadable via Google Code projects. It wasinitially funded by the National Institute of Justice and now is funded byDigital Forensics Solutions.Registry Decoder was devised to automate the acquisition,analysis, and reporting of registry contents. To accomplish this, there areactually two projects. The first is RegistryDecoder Live which allows for the safe acquisition of registry files from alive machine by forcing a system restore point, thus putting the currentlyactive registry files into a read-only state in backup. It then reads thesefiles from backup either in System Restore Points for XP or from the VolumeShadow Service on Windows Vista Windows 7. As Registry Decoder Live acquiresfiles, it creates a database that can then be imported into the second tool, Registry Decoder. Registry Decoder can analyze registry files from a numberof sources and then provide a number of GUI-driven analysis capabilities. Thecurrent version of the tool 1.1 as this is written can import individualregistry files, raw dd disk images, raw dd split images, Encase E01 images, and databases from the live tool. Once evidence is imported andpre-processed, the investigator then has a number of analysis tools availableand new evidence can be added to a case at any time. Registry Decoder s analysis capabilities include Browsing Hives similar to Access Data sRegistry Viewer Hive Searching more on this below Plugin System similar to regripper Hive Differencing Timelining based on last write time Path Based Analysis Automated reporting of all of the aboveRegistry Decoder automates all of this functionality forany number of registry hives and the reporting can handle exporting resultsfrom multiple hives and analysis types into one report. Andrew s favorite Registry Decoder use case is USBSTORanalysis. Almost every case involving investigating a specific employee requiresdetermining which if any USB drives were in use. To do this with Registry Decoder, all aninvestigator has to do is create a case with the disk images or hives acquired,run the USBSTOR plugin, and thenexport the results. After pre-processing is done, it takes mere minutes to havea report created with the device name, serial number, etc. of any devicesconnected. Also, since Registry Decoder pulls historical files from livemachines and disk images System Restore Volume Shadow Service , thisanalysis can be run across hives going back months or years.Similarly, while investigating data exfiltration betweenmultiple employees of a company, Andrew needed to know if they shared USBdrives. To make the determination he took the SYSTEM files from each machine,loaded them into Registry Decoder and then used the plugin differencing abilityon the USBSTOR plugin. Itimmediately revealed what drives were shared between computers, including theirserial number. Another common use of thedifferencing feature is with the Servicesplugin as this quickly identifies malware if you difference your known gooddisk image vs. a disk image of a machine suspected to be infected. Registry Decoder s search feature is one of its strongestfeatures. It allows you to search across any number of hives and filter bykeys values names, last write time range, wildcard searching, and bulksearching with keyword files. For a recent case, Andrew had to determine if a personwas accessing files they shouldn t have been looking at. They had a desktop anda laptop, both running XP and both with many System Restore Points. In lessthan 30 minutes with Registry Decoder, Andrew needed only load the disk imagesfrom the two machines into Registry Decoder, make a text file with all thesearch terms, and then search all the terms across all the hives in the case including historical ones . This returned results that he then exported intoone report and was finished. Another usefulsearch is noted when viewing the search results tab, right click on any result,and immediately jump into the Browseview positioned at that key. Another good use case includes path-based analysis whichallows you to determine if a registry path exists in any number of files. For whicheverfiles it is present in, one can then export the path and optionally itskey value pairs. This is extremely useful in two situations 1. Determiningif certain software is installed P2P, cracked software, etc. , as you can simplysearch any of the paths that the program creates and then export its key valuesinclusive of when and where the software was installed. 2. Duringmalware analysis as most malware writes to the registry. Searching across numeroussuspect systems for the malware s path allows investigators to immediately determinethe extent of infection. Registry Decoder s roadmap includes more analysis pluginsand added support for memory analysis integrate with Volatility s existingin-memory registry functionality .The developers also want to add support for analyzingpreviously deleted keys and name value pairs within hives. The library utilizedfor enumerating hives, reglookup,already supports this functionality so it is just a matter of integration.Running theRegistry Decoder online acquisition component I ran regdecoderlive32 on a 32bit Windows XP SP3 virtualmachine infected with Lurid and regdecoderlive64 on a Windows 7 SP1 64bitmachine.One note for regdecoderlive32 on Windows XP systems with drivesformatted with NTFS. Even when running regdecoderlive32 with administratorprivileges the hidden System Volume Information directory is protected withunique ACLs. To circumvent this issue, issue cacls C System Volume Information E G F from acommand prompt at the root of C this assumes the OS is installed on C .As seen in Figure 1, running regdecoderlive is as simpleas executing and defining a few parameters including description, outputdirectory must be empty and check boxes for acquisition of current and backupfiles. Figure1 Registry Decoder Live Once acquisition is complete, the results directory willbe populated with registryfiles acquire_files.dband related files. This results directory can should be written to portablestorage mounted on the target system or a network share, which can then beconsumed by Registry Decoder for offline analysis. Running theRegistry Decoder offline analysis component Registry Decoder can consume individual registry files,raw dd disk images, and Encase E01 images, including split images. Buildinga case is as easy as adding a case name and number, investigator, comments, andcase directory. Adding evidence to a case after initial processing is createdis quite simple you ll be prompted to add new evidence after choosing Start Case and opening an existingcase. I only tested RegistryDecoder with the acquisition database acquired from a Lurid-infected Windows XPVM via Registry Decoder Live.Initial processing can takesome time depending on the number of restore points or volume shadows.Once initial processing iscomplete however, Registry Decoder is nimble and effective.I mimicked some of Andrew suse cases in this analysis of a Lurid victim. From runtime analysis of the Lurid sample I had md5 84d24967cb5cbacf4052a3001692dd54 I knew a few key attributes to test Registry Decoder with. Services andregistry keys created include WmdmPmSp.As the search functionality is a strong suit, I selected CORE from the currentsnapshot acquired and searched WmdmPmSp. Right-click search results andselect Switch to File View thennavigate to the Browser tab forkey values, etc. as seen in Figure 2. Figure 2 Registry Decoder search results I made use of the timelinefunctionality and was amply rewarded. Imagine a scenario where have a ballparktime window for a malware compromise or unauthorized access. You can filter thetimeline window accordingly and produce output that is compliant to theSleuthKit s mactime format. It s not human readable currently next release soread it in with Autopsy or TSK. Timeline gathering and results are combined inFigure 3. It clearly identified exactly when Lurid wrote to HKLM SYSTEM CONTROLSET001 SERVICES WmdmPmSp. Figure 3 Registry Decoder timeline results I also tested USBSTOR unrelated to Lurid on both acquisitions Windows 7 and Windows XP and the results were accurate and immediate in bothcases as seen Figure 4. Figure 4 Registry Decoder USBSTOR results Explore the Plugins optionsincluded with Registry Decoder, the possibilities are endless. SYSTEM willprovide you a nice summary overview as you begin, IE Typed URLs is great forinappropriate browser use, Services with Perform Diff enabled is excellent formalware hunting, System Runs will give you instant gratification regardingwhat s configured to run on startup, ACMRU queries the registry keys that havebeen typed into the Windows Search dialog box, and on and on and on. JBrilliant In Conclusion I m extremely excited about this tool and imagining itsuse at scale to be of incredible use for enterprise incident responders andforensic examiners. I ve been chatting with Andrew at length while writing thisand he continuously mentions pending features including some visualizationoptions and the aforementioned Volatility interaction. I can t wait check outRegistry Decoder out for yourself ASAP.Merry Christmas Ping me via email if you have questions russ atholisticinfosec dot org .Cheers until next month. Acknowledgements Andrew Case, Registry Decoderdeveloper and project lead






Les derniers articles du site "HolisticInfoSec.org" :

- toolsmith ZeroAccess analysis with OSForensics
- toolsmith Registry Decoder
- Tool review NetworkMiner Professional 1.2
- toolsmith OWASP ZAP - Zed Attack Proxy
- Presenting OWASP Top 10 Tools Tactics at ISSA International
- toolsmith Log Analysis with Highlighter
- toolsmith Memory Analysis with DumpIt and Volatility
- Phorum Phixes Phast
- toolsmith PacketFence - Open Source NAC
- Mark Russinovich presenting at ISSA Puget Sound

---

S'abonner au fil RSS global de la revue de presse

---