Monday, September 26, 2011

CyberSpeak Interview about Registry Decoder

We are making a quick blog post to say that Registry Decoder co-developer Andrew Case (@attrc) was interviewed about the project this week on Ovie Carroll's (@ovie) CyberSpeak podcast. The recording can be downloaded here:

http://traffic.libsyn.com/cyberspeak/Cyberspeak-Show-141-2011-09-25.mp3

The interview gives some background on the project, explains the functionality it gives investigators, and discusses ongoing development.

We hope that you can take a few minutes and listen, and please provide feedback in the comments section.

Friday, September 16, 2011

Recovering and Analyzing Deleted Registry Files

I have been working on a case recently where we were asked to investigate possible data exfiltration from inside a corporate network. While investigating this type of scenario is not uncommon and has a number of investigative methods that can be used (see our previous post here), this scenario had a unique characteristic - namely that both computers we were asked to investigate had been reformatted/reinstalled since the investigated employee left.

This obviously was going to make the case more difficult and required some creative thinking in order to recover the necessary data to analyze. When attempting to document the process taken to perform a component of the analysis, what was meant to be a couple-paragraph blog post turned into a multiple-page write-up. For that reason, I chose to simply convert the write-up to PDF and release it as a mini-whitepaper that can be found here:

http://www.digitalforensicssolutions.com/papers/recovering-and-analyzing-deleted-registry-hives.pdf

I hope you take a few minutes (should be 10-15 at most) to read the paper and hopefully learn something from it. From the feedback I got from other investigators who have seen the paper (@kdpryor, @wyattroersma, @littlemac042), they all liked it and found it interesting, and I believe you will too.

Please either comment on the blog or write me directly if you have any questions.

Andrew Case - @attrc

Wednesday, September 14, 2011

DFS Upcoming Speaking Events: DOD Cybercrime, SANS, BSidesDFW, and more!

We wanted to give an update on a number of accepted presentations and other speaking events that we have upcoming in the next few months.

First, Golden Richard (@nolaforensix) will be presenting at the Colloquium on IT Security, Cyber Forensics and Combating Cybercrime on Recent Advances in Live Forensics.

At BSidesDFW, Lodovico Marziale will be presenting on Registry Decoder and Andrew Case (@attrc) will be presenting on ways to investigate data exfiltration cases.

Then at the SANS Security East event in January, Lodovico and Andrew will be giving a Registry Decoder hands-on workshop, and the next day Andrew will be giving a workshop on using Volatility to analyze Linux memory captures.

And finally, Andrew will be presenting ways to incorporate Registry Decoder into the forensics process and how to leverage it for forensics research at the DOD Cybercrime Conf in January.

We hope that many of our blog readers will be able to attend some of these events. Be sure to drop us an email or Twitter message if you will be there!

Tuesday, September 6, 2011

Announcing Registry Decoder

Digital Forensics Solutions is pleased to announce Registry Decoder, an open source tool that automates the acquisition, analysis, and reporting of Microsoft Windows registry contents. The tool was initially funded by the National Institute of Justice (NIJ) and is now ready for public release. Please see our History Page for information about the project.

Registry Decoder consists of two components, the first of which is a tool for online acquisition of registry files from a running machine. The page for this project can be found here. To safely acquire files from a running machine, we ‘freeze’ a copy of the current registry files using the System Restore Facility. This places the files into a read-only location and ensures that the operating system will not have the files opened (which would prevent them from being copied to external storage).

Beyond the current set of registry files, the acquisition component can also acquire historical files from the running system. These historical files are acquired from XP machines through the System Restore Point facility and through the Volume Shadow Service on Vista and Windows 7 machines.

The second component of Registry Decoder performs offline analysis (on an investigator’s lab machine) of acquired registry files. This project can be found here. The current version of this tool can process raw disk images, partition images, individual registry files, and the database of hives acquired by the online component. When given a disk image, the Sleuthkit libraries are used to parse the image and read each registry hive. This includes the ability to acquire historical files from System Restore Points as well as the RegBack folder of Vista and 7 images. Individual registry hives are processed using libraries from the RegLookup project.

After being provided with all registry-oriented evidence for a particular case, which can be any combination of registry files, disk images, and acquired databases, Registry Decoder performs a one-time pre-processing of the evidence. During this process, it creates a number of databases and metadata files that contain all information needed to analyze the files.

The analysis section of the offline component contains a number of powerful features. The first feature is Search, which allows for powerful searching across registry hives. The searching abilities include:

  • Filtering by hive keys, name, and data
  • Filtering by the last write time of keys
  • Searching individual terms or with a newline-delimited search term file
  • Exact or wildcard-based search
  • Viewing of search results
  • Automated reporting of search contents to HTML, PDF, or XLS

Another important feature of Registry Decoder is its plug-in system. This facility is similar to the plugins provided by RegRipper, in that individual plugins provide very specific analysis of a subset of data contained within the registry. Output of the plugins can be automatically exported into reports, in the same manner as for registry searches.

A third feature provided by Registry Decoder is differencing of registry hives. This feature utilizes the search and plugin subsystems to illustrate differences and similarities between two registry hives. This allows for viewing of changes across time from the same computer or comparing results of searches or plugins against files from multiple computers.
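To make the search filters (key/name/data matching, exact or wildcard, last-write-time filtering) and the hive differencing described above concrete, here is an added Python example. It is not Registry Decoder's own code and does not parse real hive files: the two snapshots, their paths, values and timestamps are constructed sample data standing in for a current hive and an older copy recovered from a System Restore Point.

```python
from datetime import datetime
from fnmatch import fnmatchcase

# Constructed time at which the older (restore point) copy was taken.
RESTORE_POINT_TIME = datetime(2011, 8, 15)

# Constructed hive snapshots: key path -> (last write time, {value name: data}).
OLD_HIVE = {
    r"Software\Microsoft\Windows\CurrentVersion\Run": (
        datetime(2011, 8, 1, 9, 0), {"Updater": r"C:\Program Files\Vendor\upd.exe"}),
    r"System\CurrentControlSet\Enum\USBSTOR": (datetime(2011, 7, 20, 8, 30), {}),
}
NEW_HIVE = {
    r"Software\Microsoft\Windows\CurrentVersion\Run": (
        datetime(2011, 9, 2, 17, 45),
        {"Updater": r"C:\Program Files\Vendor\upd.exe",
         "SyncTool": r"C:\Users\Public\sync.exe"}),
    r"System\CurrentControlSet\Enum\USBSTOR\Disk&Ven_SanDisk": (
        datetime(2011, 9, 2, 17, 40), {"FriendlyName": "SanDisk Cruzer"}),
    r"System\CurrentControlSet\Enum\USBSTOR": (datetime(2011, 9, 2, 17, 40), {}),
}

def search(hive, term, wildcard=False, since=None):
    """Return (key, value name) hits where the key path, a value name or its
    data matches term; value name is None for a key-path hit. wildcard=True
    uses shell-style patterns; since keeps only keys written at/after it."""
    def match(text):
        text, pat = text.lower(), term.lower()
        return fnmatchcase(text, pat) if wildcard else text == pat
    hits = []
    for key, (written, values) in hive.items():
        if since is not None and written < since:
            continue
        if match(key):
            hits.append((key, None))
        for name, data in values.items():
            if match(name) or match(str(data)):
                hits.append((key, name))
    return hits

def diff_hives(old, new):
    """Differences between two snapshots of one hive: keys added/removed,
    values added/removed/changed under shared keys (old -> new), and shared
    keys whose last write time moved without any value change ("touched")."""
    shared = set(old) & set(new)
    changed = {}
    for key in shared:
        o_vals, n_vals = old[key][1], new[key][1]
        delta = {n: (o_vals.get(n), n_vals.get(n))
                 for n in set(o_vals) | set(n_vals) if o_vals.get(n) != n_vals.get(n)}
        if delta:
            changed[key] = delta
    touched = sorted(k for k in shared if k not in changed and old[k][0] != new[k][0])
    return {"added": sorted(set(new) - set(old)), "removed": sorted(set(old) - set(new)),
            "changed": changed, "touched": touched}
```

Running diff_hives(OLD_HIVE, NEW_HIVE) reports the new USB device subkey, the new Run value, and the USBSTOR parent key whose timestamp moved when the subkey was created, which is the kind of change-over-time view the differencing feature is meant to give.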

Finally, Registry Decoder supports browsing of registry hives through the file view. This is very similar to AccessData’s Registry Viewer and provides the ability to browse hives, view data, and acquire the last write time of relevant registry keys.

We hope that Registry Decoder interests you and that you will try it out in cases that you are working on. We believe that Registry Decoder significantly reduces the time, effort, and skills needed to perform complex registry analysis. By being open source and well documented, we also think that Registry Decoder provides a strong platform for future research and development within the registry forensics field. If you decide to use Registry Decoder, we would love to hear your feedback either through the comments section of the blog or you can email directly to: registrydecoder@digdeeply.com.