Timeline Analysis - XP Restore Points
So, MS says that XP's going to be supported at least through 2014...nice. So this means great things for examiners and analysts...great things because there's no reason to give up the tools and research you've done on XP!
One of the unique things about XP is its use of System Restore Points. For users, these take up drive space and allow you to recover from issues, but for an analyst, Restore Points are a veritable treasure trove of historical data!
So, one of the challenges (albeit minor) presented to analysts is how to extract information about (and from) Restore Points from an acquired image. Well, this is actually pretty easy. A while back, I wrote a ProScript for ProDiscover that would run through an image and extract data about Restore Points to include when and why they had been created. This ProScript is called SysRestore.pl and is located on the DVD that accompanies the Windows Forensic Analysis book (both the currently available edition, as well as the second edition, due out in early June 2009).
As an alternative, I came up with another method for extracting the same data, one that does not require a commercial forensic analysis application. So, the first thing you do is mount the acquired image via SmartMount or ImDisk, as a read-only drive letter (in this case, G:\).
Next, get a copy of PSExec and put it on your analysis system. Go to the directory where you saved it and type:
D:\tools>psexec -s cmd
This will open the command prompt to your C:\Windows\system32 directory with the prompt now running with System privileges. Now, cd to the G:\ drive, and type the following commands:
G:\>cd syst*
G:\System Volume Information>cd _resto*
G:\System Volume Information\_restore{GUID}>
At this point, you should be "in" the directory that contains the restore point directories (ie, RP0, RP1, etc.). Select the directory path in the command prompt, right-click to save it to the clipboard, and then cd to the directory where you have your tools.
Note: By default, ACLs on the system only allow access to the System Volume Information directory to System, which is why we use PSExec.
The acquired image I'm using (see the above SmartMount graphic) is one of Lance Mueller's practicals. So at this point, I type in the following command:
C:\tools>rp.pl -d "G:\System Volume Information\_restore{}"
The path to the RP directory has to be in quotes due to the spaces; the output appears as follows:
RP1 Thu Jan 31 04:33:11 2008 Z System Checkpoint
RP2 Thu Jan 31 04:43:38 2008 Z Installed VMware Tools
RP3 Wed Jan 30 14:09:49 2008 Z Installed WinZip 11.1
Pretty neat! Now, we know when the RP was created, and why. If I want to have output that i can add to an event file for my timeline analysis, I add the '-t' switch and I get:
1201753991|RP|||Restore Point created - System Checkpoint
1201754618|RP|||Restore Point created - Installed VMware Tools
1201702189|RP|||Restore Point created - Installed WinZip 11.1
Once again, for timeline analysis, we see our familiar five field format. Note that the system/host and user name fields are blank. Rp.pl does have '-s' and '-u' switches for adding that information (respectively), although only the system name really applies, as Restore Points aren't specific to a user. Use of the '-s' switch will automatically populate the third field with whatever system name you enter.
This code was pretty easy for me to work up last night because I simply extracted it from ripXP, the tool I demo'd at the first SANS Forensic Summit. I'll be demonstrating that same tool again at the next Summit, in July of this year.
One of the unique things about XP is its use of System Restore Points. For users, these take up drive space and allow you to recover from issues, but for an analyst, Restore Points are a veritable treasure trove of historical data!
So, one of the challenges (albeit minor) presented to analysts is how to extract information about (and from) Restore Points from an acquired image. Well, this is actually pretty easy. A while back, I wrote a ProScript for ProDiscover that would run through an image and extract data about Restore Points to include when and why they had been created. This ProScript is called SysRestore.pl and is located on the DVD that accompanies the Windows Forensic Analysis book (both the currently available edition, as well as the second edition, due out in early June 2009).
As an alternative, I came up with another method for extracting the same data, one that does not require a commercial forensic analysis application. So, the first thing you do is mount the acquired image via SmartMount or ImDisk, as a read-only drive letter (in this case, G:\).
Next, get a copy of PSExec and put it on your analysis system. Go to the directory where you saved it and type:
D:\tools>psexec -s cmd
This will open the command prompt to your C:\Windows\system32 directory with the prompt now running with System privileges. Now, cd to the G:\ drive, and type the following commands:
G:\>cd syst*
G:\System Volume Information>cd _resto*
G:\System Volume Information\_restore{GUID}>
At this point, you should be "in" the directory that contains the restore point directories (ie, RP0, RP1, etc.). Select the directory path in the command prompt, right-click to save it to the clipboard, and then cd to the directory where you have your tools.
Note: By default, ACLs on the system only allow access to the System Volume Information directory to System, which is why we use PSExec.
The acquired image I'm using (see the above SmartMount graphic) is one of Lance Mueller's practicals. So at this point, I type in the following command:
C:\tools>rp.pl -d "G:\System Volume Information\_restore{
The path to the RP directory has to be in quotes due to the spaces; the output appears as follows:
RP1 Thu Jan 31 04:33:11 2008 Z System Checkpoint
RP2 Thu Jan 31 04:43:38 2008 Z Installed VMware Tools
RP3 Wed Jan 30 14:09:49 2008 Z Installed WinZip 11.1
Pretty neat! Now, we know when the RP was created, and why. If I want to have output that i can add to an event file for my timeline analysis, I add the '-t' switch and I get:
1201753991|RP|||Restore Point created - System Checkpoint
1201754618|RP|||Restore Point created - Installed VMware Tools
1201702189|RP|||Restore Point created - Installed WinZip 11.1
Once again, for timeline analysis, we see our familiar five field format. Note that the system/host and user name fields are blank. Rp.pl does have '-s' and '-u' switches for adding that information (respectively), although only the system name really applies, as Restore Points aren't specific to a user. Use of the '-s' switch will automatically populate the third field with whatever system name you enter.
This code was pretty easy for me to work up last night because I simply extracted it from ripXP, the tool I demo'd at the first SANS Forensic Summit. I'll be demonstrating that same tool again at the next Summit, in July of this year.