Stuff
Using RegRipper
Russ McRee recently let me know that the folks at Passmark have posted a tutorial on how to use their OSForensics tool with RegRipper.
Speaking of RegRipper, I was contacted not long ago about setting up a German mirror for RegRipper...while it doesn't appear to be active yet, the domain has been set aside, and I'm told that the guys organizing it are going to use it not only as a mirror, but also as a site for some of the plugins they'll be getting in that are specific to what they've been doing.
If you're into Gentoo Linux, there's also this site from Stefan Reimer, which contains a RegRipper ebuild for that platform.
Updated tool: Stefan over on the Win4n6 Yahoo group tried out the Jump List parser code and found that, once again, I'd reversed two of the time stamps embedded in the LNK file parsing code. I updated the code and reposted the archive. Thanks!
Meetups
With respect to the NoVA Forensics Meetups, I posted here asking what folks thought about moving them to the DFIROnline meetups, and I tweeted something similar. Thus far, I have yet to receive a response to the blog post, and of the responses I've seen on Twitter, the vast majority (2 or 3...I've only seen about 4 responses...) indicate that moving to the online format is just fine. I did receive one response from someone who seems to prefer the IRL format...although that person also admitted that they haven't actually been to a meetup yet.
So...it looks like for 2012, we'll be moving to the online format. Looking at the lineup thus far, we already seem to be getting some good presentations coming along in the near future.
Speaking of which, offering to either give a presentation or asking for some specific content to be presented on is a great way to contribute to the community. Just something to keep in mind...if you're going to say, "...I'd like to hear about this topic", be prepared to engage in a discussion. This isn't to say that someone's going to come after you and try to belittle your idea...not at all. Instead, someone willing to present on the topic may need more information about your perspective, what you've tried (if anything), any research that you've already done, etc. So...please be willing to share ideas of what you'd like to see presented, but keep in mind that "...what do you mean by that?" is NOT a slam.
New Tools
File this one under "oh, cr*p..."...
Seems setmace.exe has been released...if you haven't seen this yet, it apparently overcomes some of the issues with timestomp.exe; in particular, it is reportedly capable of modifying the time stamps in both the $STANDARD_INFORMATION and the $FILE_NAME attributes within the MFT. However, it does so by creating a randomly-named subdirectory within the same volume, copying the file into the new directory, and then copying it back (Note: the description on the web page uses "copy" and "move" interchangeably).
Okay, so what does this mean to a forensic analyst, if something like this is used maliciously? I'm going to leave that one to the community...
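One partial answer to that question, as an added example that is not part of the original post and not setmace's or timestomp's code: the two checks an analyst typically runs over parsed $MFT records. The first compares $STANDARD_INFORMATION to $FILE_NAME (which catches a tool that only rewrites $SI); the second looks for $SI values that land on exact second boundaries. A tool that, as described above, copies the file out to a new directory and back again gets a brand-new MFT record, so the third check looks for entry numbers that are out of step with the $FN creation time of directory siblings. The record dictionaries, field names and sample values are constructed for the example; they stand in for whatever your MFT parser emits.

```python
from datetime import datetime, timedelta, timezone

# NTFS timestamps are FILETIME values: 100-ns ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000
SI_FIELDS = ("created", "modified", "mft_modified", "accessed")


def filetime_to_datetime(ft: int) -> datetime:
    """Convert a FILETIME tick count to a UTC datetime (microsecond resolution)."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def to_filetime(dt: datetime, extra_ticks: int = 0) -> int:
    """Inverse helper, used here only to build the constructed sample records."""
    return int((dt - FILETIME_EPOCH).total_seconds()) * TICKS_PER_SECOND + extra_ticks


def check_record(rec: dict) -> list:
    """Per-record heuristics comparing $STANDARD_INFORMATION ($SI) to $FILE_NAME ($FN)."""
    findings = []
    si, fn = rec["si"], rec["fn"]
    # $FN is maintained by the kernel; a tool that only rewrites $SI (the classic
    # timestomp behaviour) leaves $SI creation earlier than $FN creation.
    if si["created"] < fn["created"]:
        findings.append("si_created_before_fn_created")
    # Timestamps typed in by a person land on whole seconds; genuine file
    # activity almost always carries sub-second ticks.
    if all(si[k] % TICKS_PER_SECOND == 0 for k in SI_FIELDS):
        findings.append("si_whole_second_timestamps")
    return findings


def check_sequence(records: list, slack: timedelta = timedelta(days=1)) -> dict:
    """Flag records whose MFT entry number is out of step with their $FN creation time.

    MFT entries are handed out roughly in creation order. A file copied out and
    back in gets a new entry, so it sits far above directory siblings whose $FN
    creation is later than its own, even when $SI and $FN now agree. Entry
    reuse makes this a lead to confirm, not proof on its own.
    """
    flagged = {}
    for rec in records:
        mine = filetime_to_datetime(rec["fn"]["created"])
        for other in records:
            if other is rec or other["parent"] != rec["parent"]:
                continue
            theirs = filetime_to_datetime(other["fn"]["created"])
            if other["entry"] < rec["entry"] and theirs > mine + slack:
                flagged[rec["entry"]] = "mft_entry_out_of_order"
                break
    return flagged


def analyze(records: list) -> dict:
    """Map each MFT entry number to the list of heuristics that fired."""
    seq = check_sequence(records)
    result = {}
    for rec in records:
        findings = check_record(rec)
        if rec["entry"] in seq:
            findings.append(seq[rec["entry"]])
        result[rec["entry"]] = findings
    return result


def _stamp(dt_str: str, ticks: int) -> int:
    return to_filetime(datetime.fromisoformat(dt_str).replace(tzinfo=timezone.utc), ticks)


def _same(dt_str: str, ticks: int) -> dict:
    return {k: _stamp(dt_str, ticks) for k in SI_FIELDS}


# Constructed sample records (not from any real image): the kind of values you
# get after parsing $MFT with your tool of choice. "parent" is the directory's entry.
SAMPLE_RECORDS = [
    # Untouched file: $SI and $FN agree, sub-second ticks present.
    {"entry": 200, "parent": 5, "name": "report.docx",
     "si": _same("2011-11-20T10:15:32", 1234567), "fn": _same("2011-11-20T10:15:32", 1234567)},
    # $SI back-dated to a round value; $FN still shows the real creation.
    {"entry": 201, "parent": 5, "name": "notes.txt",
     "si": _same("2009-01-01T00:00:00", 0), "fn": _same("2011-11-21T09:00:05", 5551111)},
    # $SI and $FN agree and look plausible, but the entry number is far newer
    # than siblings created months later.
    {"entry": 5800, "parent": 5, "name": "budget.xls",
     "si": _same("2011-06-03T08:00:00", 777), "fn": _same("2011-06-03T08:00:00", 777)},
]

if __name__ == "__main__":
    for entry, findings in analyze(SAMPLE_RECORDS).items():
        print(entry, findings or "clean")
```

The point of the third check is that once both attributes have been rewritten, the timestamps themselves stop being the evidence; what remains are the side effects the page describes (a fresh MFT record, the randomly-named directory that was created for the copy), so those are what the analyst has to go looking for.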
The folks at SimpleCarver have released a new tool to extract contents from the CurrentDatabase_327.wmdb file, a database associated with the Windows 7 Windows Media Player. If you're working an exam that involves the use of WMP (i.e., you've seen the use of the application via the Registry and/or Jump Lists...), then you may want to consider taking a look at this tool.
You might also want to check out some of their other free tools.
Melissa posted to her blog regarding a couple of interesting tools for pulling information from memory dumps; specifically, pdgmail and Skypeex. Both tools apparently require that you run strings first, but that shouldn't be a problem...the cost-benefit analysis seems to indicate that it's well worth running another command line tool. An alternative to running these tools against a memory dump would be using Volatility or the MoonSols Windows Memory Toolkit to convert a hibernation file to a raw dump format, and then run these tools.
Speaking of tools, Mike posted a list of non-forensics tools that he uses on Windows systems to his WriteBlocked blog. This is a very good list, with a lot of useful tools on it (including several I've used). I recently used Wireshark to validate some network traffic...another tool that you might consider using alongside Wireshark is NetworkMiner...it's described as an NFAT tool, so I can see why it's not on Mike's list. I use VirtualBox...I have a copy of the developer's build of Windows 8 running in it.
Wiping Utilities
Claus is back, and this time has a nice list of wiping utilities. As forensic analysts, many times we have to sanitize the media that we're using, so having access to these tools is a very good thing. I've always enjoyed Claus's posts, as well, and hope to see him posting more and more often in 2012.
Can anyone provide a technical reason why wiping with 7 passes (or more) is "better" than wiping with just 1 pass?
File Formats
I was reading over Yogesh Khatri's posts over at SwiftForensics.com, and found this post on IE RecoveryStore files. Most analysts who have done any work with browser forensics are aware of the value of files that allow the browser to recover previous sessions...these resources can hold a good deal of potentially valuable data.
About halfway down the post, Yogesh states:
All files are in the Microsoft OLE structured storage container format.
That's awesome...he's identified the format, which means that we can now parse these files. Yogesh mentions free tools, and one of the ones I like to use to view the contents of OLE files is MiTeC's SSV, as it not only allows me to view the file format and streams, but I can also extract streams for further analysis.
Another reason I think that this is cool is that I recently released the code I wrote to parse Windows 7 Jump Lists (I previously released code to parse Win7 Sticky Notes), and the RecoveryStore files follow a similar basic format. Also, Yogesh mentions that there are GUIDs within the file that include 60-bit UUID v1 time stamps...cool. The Jump List parser code package includes LNK.pm, which includes some Perl code that I put together to parse these artifacts!
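For readers who want to see what "60-bit UUID v1 time stamps" inside a GUID actually means, here is an added example in Python; it is not the LNK.pm code from the Jump List parser package, and the sample GUID it decodes is constructed for the example rather than taken from a RecoveryStore file. A version 1 UUID packs a count of 100-nanosecond ticks since 1582-10-15 UTC into its first three fields, plus a clock sequence and a 48-bit node (normally the generating machine's MAC address). The block also checks the OLE structured storage signature mentioned in the quote above, since that is the first thing to confirm before trying to walk the streams.

```python
import uuid
from datetime import datetime, timedelta, timezone

# Version 1 UUIDs count 100-ns intervals from 1582-10-15 00:00:00 UTC (RFC 4122, 4.1.4).
UUID_EPOCH = datetime(1582, 10, 15, tzinfo=timezone.utc)

# Signature at offset 0 of every OLE structured storage (compound) file.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def is_ole_container(data: bytes) -> bool:
    """True if the buffer starts with the OLE compound-file signature."""
    return data[:8] == OLE_MAGIC


def guid_from_disk(raw: bytes) -> uuid.UUID:
    """Build a UUID from the 16-byte GUID layout used in Windows file formats.

    On disk Data1, Data2 and Data3 are little-endian and the last eight bytes
    are stored as-is; uuid.UUID(bytes_le=...) handles exactly that layout.
    """
    if len(raw) != 16:
        raise ValueError("a GUID is exactly 16 bytes")
    return uuid.UUID(bytes_le=raw)


def v1_timestamp(u: uuid.UUID):
    """Return the embedded 60-bit timestamp as a UTC datetime, or None if the
    UUID is not version 1 (only v1 carries a timestamp)."""
    if u.version != 1:
        return None
    # u.time is the 60-bit tick count; datetime resolves microseconds, so drop
    # the last decimal digit of the 100-ns count.
    return UUID_EPOCH + timedelta(microseconds=u.time // 10)


def describe_guid(raw: bytes) -> dict:
    """Everything an analyst usually wants from a v1 GUID found in a file."""
    u = guid_from_disk(raw)
    ts = v1_timestamp(u)
    is_v1 = u.version == 1
    return {
        "uuid": str(u),
        "version": u.version,
        "timestamp": ts.isoformat() if ts else None,
        "clock_seq": u.clock_seq if is_v1 else None,
        # 48-bit node field, normally the MAC of the NIC that generated the UUID.
        "node": "%012x" % u.node if is_v1 else None,
    }


def build_v1_guid(ticks: int, clock_seq: int, node: int) -> bytes:
    """Construct an on-disk v1 GUID; used here only to make sample input."""
    u = uuid.UUID(fields=(
        ticks & 0xFFFFFFFF,                    # time_low
        (ticks >> 32) & 0xFFFF,                # time_mid
        ((ticks >> 48) & 0x0FFF) | (1 << 12),  # time_hi_and_version, version 1
        0x80 | ((clock_seq >> 8) & 0x3F),      # clock_seq_hi_and_reserved (RFC 4122 variant)
        clock_seq & 0xFF,                      # clock_seq_low
        node,
    ))
    return u.bytes_le


# Ticks between the UUID epoch and 1970-01-01T00:00:00Z (the same offset
# Python's own uuid1() adds to a Unix timestamp).
UNIX_EPOCH_TICKS = 0x01B21DD213814000

if __name__ == "__main__":
    # Constructed sample: a GUID stamped at exactly the Unix epoch, with a made-up node.
    sample = build_v1_guid(UNIX_EPOCH_TICKS, 0x1234, 0x0016C7ABCDEF)
    print(describe_guid(sample))
    print(is_ole_container(OLE_MAGIC + b"\x00" * 504))
```

Two details matter in practice: the GUID must be read with the mixed-endian on-disk layout (`bytes_le`), or the timestamp field comes out scrambled, and the version nibble has to be checked first, because v3/v4/v5 GUIDs carry no time at all and will "decode" to nonsense.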
I don't currently have access to any RecoveryStore files to work with (with respect to writing a parser)...however, over time, I'm sure that the value of these artifacts will reach a point such that someone writes, or someone contributes to writing, a parser for these files.