SecureArtisan

My Road to Digital Forensics Excellence

Archive for April, 2009

Pleasant Surprise – Registry Parsing of all hives

Posted by Paul Bobby on April 27, 2009

I had been frustrated with the Registry EnScript libraries – while fast (they could natively parse hives without having to mount them), they were restricted to the hives in system32\config only… who knows why. I had posted two threads concerning this on the Guidance Forums, and even when including IsSelected()-type code in my EnScripts, it still would only parse the live hives.

Roll on v6.13 (and maybe a tad earlier, who knows), and it looks like my dream has come true.

The script below will parse out the ShutdownTime value from _whatever_ SYSTEM hive you have selected, for example all of the SYSTEM hives in the restore points. The output is displayed to the console and to bookmarks.

I am so excited; tons of new possibilities for EnScript functionality!

/*
  Registry File key comparison tool
    1. Select the registry files to review
    2. Hard code the registry key (for now)

  Created by Paul Bobby, 2008 - paul.bobby@lmco.com
*/

include "GSI_LogLib"

class MainClass {

  LogClass CLog;  // Make CLog global so that it can be used throughout the script

  void Main(CaseClass c) {
    // Start of Case startup code
    // 1. Check if a case is open with evidence added
    // 2. Clear the console and focus it
    // 3. Script start time
    SystemClass::ClearConsole(1);
    CLog = new LogClass("RegKeyCompare", LogClass::DEBUG, Console);
    if (!c) {
      CLog.Fatal("You must have an open case");
    }
    if (!c.EntryRoot().FirstChild()) {
      CLog.Fatal("Please add some evidence to your case");
    }
    /*
    String usageText = "This script will blah blah blah\n"
      "Be sure you select the following files\n\n"
      "Are you ready to proceed, or do you need to cancel to set up the script properly?\n";
    int mbResponse = SystemClass::Message(SystemClass::MBOKCANCEL, "Template Script", usageText);
    if (mbResponse == SystemClass::CANCEL) {
      return;
    }
    */
    DateClass now;
    now.Now();
    uint start = now.GetUnix();
    CLog.Info("Script Started");
    // End of Case startup code

    //
    // Script specific variables
    BookmarkFolderClass topFolder(c.BookmarkRoot(), "Registry Key Compare");
    // One read-value command: HKLM\System\ControlSet001\Control\Windows\ShutdownTime
    RegCommandClass cmds();
    new RegCommandClass(cmds, "Shutdown Time", RegCommandClass::READVALUE, RegCommandClass::HKEY_LOCAL_MACHINE,
      "System\\ControlSet001\\Control\\Windows", "ShutdownTime", 0, 0);

    //
    // Script specific code start
    // Every selected entry is treated as a SYSTEM hive and parsed in place
    forall (EntryClass e in c.EntryRoot()) {
      if (e.IsSelected()) {
        if (!(e.Description().Contains("invalid"))) {
          RegistryClass reg(e);
          reg.Name() = "Hello";
          RegValueClass values();
          if (reg.Run(cmds, values)) {
            RegValueClass v = values.Find("Shutdown Time");
            if (v) {
              // ShutdownTime is an 8-byte Windows FILETIME; read it back as a date
              MemoryFileClass mf();
              if (mf.Open(8, FileClass::WRITE)) {
                if (v.GetData(mf)) {
                  DateClass d();
                  mf.Seek(0);
                  if (mf.ReadWinDate(d)) {
                    CLog.Debug("Shutdown Time: " + d.GetString());
                  }
                }
              }
            }
            topFolder.AddDatamark("Shutdown Time", values);
          }
        }
      }
    }
    // Script specific code ends
    //

    // Case closedown code
    now.Now();
    CLog.Info("Script Completed in " + (now.GetUnix() - start) + " seconds");
  }
}
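As an added example in Python (not part of the original EnScript or of EnCase), here is the same ShutdownTime decode applied across several SYSTEM hives at once, live plus restore point copies, with the FILETIME conversion that the EnScript delegates to ReadWinDate() done by hand; the hive labels and values are constructed for the demonstration.

```python
import struct
from datetime import datetime, timedelta, timezone

# A FILETIME is a little-endian count of 100-nanosecond ticks since 1601-01-01 UTC
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(raw):
    """Decode the 8-byte REG_BINARY FILETIME held in ShutdownTime.
    Equivalent to the EnScript's MemoryFileClass.ReadWinDate() step, but it
    rejects malformed values instead of silently skipping them."""
    if len(raw) != 8:
        raise ValueError("ShutdownTime must be 8 bytes, got %d" % len(raw))
    (ticks,) = struct.unpack("<Q", raw)
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def datetime_to_filetime(dt):
    """Inverse conversion; used here only to build the constructed sample."""
    micros = (dt.astimezone(timezone.utc) - FILETIME_EPOCH) // timedelta(microseconds=1)
    return struct.pack("<Q", micros * 10)

def shutdown_timeline(hives):
    """hives maps a label to the raw ShutdownTime bytes of one SYSTEM hive (the live
    hive plus each restore point copy). Returns (label, datetime) pairs sorted oldest
    first, and the labels whose value could not be decoded."""
    decoded, bad = [], []
    for label, raw in hives.items():
        try:
            decoded.append((label, filetime_to_datetime(raw)))
        except (ValueError, OverflowError):   # wrong length / absurd tick count
            bad.append(label)
    decoded.sort(key=lambda item: item[1])
    return decoded, bad

# Constructed sample, not from a real image: the live hive, one restore point copy,
# and one restore point whose value is truncated.
SAMPLE_HIVES = {
    "system32/config/system (live)": datetime_to_filetime(
        datetime(2009, 4, 27, 18, 5, tzinfo=timezone.utc)),
    "RP12/snapshot/_REGISTRY_MACHINE_SYSTEM": datetime_to_filetime(
        datetime(2009, 4, 20, 7, 30, tzinfo=timezone.utc)),
    "RP15/snapshot/_REGISTRY_MACHINE_SYSTEM": b"\x00\x01",
}

if __name__ == "__main__":
    found, failed = shutdown_timeline(SAMPLE_HIVES)
    for label, when in found:
        print(when.isoformat(), label)
    print("undecodable:", failed)
```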
Posted in EnCase

CDROM Burning

Posted by Paul Bobby on April 1, 2009

The blog, Hacking Exposed Computer Forensics Blog, has been publishing a series of articles entitled “What did they take when they left?”. Part 1 discusses CDROM burning – a common method for exfiltrating data from the corporation – and a commonly asked question of Ethics/HR.

To build on what was posted in Part 1, I performed a test using my own IBM T42 laptop.

The following three System Event log entries are created each time a particular ‘burning’ event happens:

  • 7035 – The IMAPI CDROM service has started
  • 7036 – The IMAPI CDROM service is running
  • 7036 – The IMAPI CDROM service has stopped

The entire sequence lasts 10-15 seconds or so.

I conducted the following test:

  1. Open the CD tray
  2. Insert a blank CD
  3. Close the tray
  4. This action generated the above three System Event logs
  5. Start up IBM RecordNow!
  6. This action generated the above three System Event logs
  7. Add a series of files to the burning program
  8. Click BURN
  9. This action generated the above three System Event logs
  10. The burn completed 10 minutes later
  11. No event logs were generated
  12. The CD Tray was opened by IBM RecordNow!
  13. No event logs were generated

Inserting the blank CD, firing up the CD burning tool, and clicking the burn button all generated System Event logs. Unfortunately, no other IMAPI CDROM events were recorded when the burn completed.

However, a series of repeated 7035, 7036, 7036 IMAPI System Event logs may be enough to indicate disc burning activity. To be sure, of course, the investigator would have to test the exact system configuration and the installed disc burning software. One of the advantages of corporate investigations is that system builds are often standardized enough that these determinations can be tested ahead of time.
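As an added detection example (not from the original post, and run over constructed log records rather than the laptop's real event log), the 7035/7036/7036 triplet above can be matched in a parsed System event log and clustered into sessions; the 20-second span per sequence and the 10-minute gap between sessions are assumed thresholds chosen from the 10-15 second observation.

```python
from datetime import datetime, timedelta

# Constructed System event log records (not a real capture), as "time|id|source|message",
# mimicking the IMAPI sequence seen on insert, tool launch and BURN; the last pair is incomplete.
SAMPLE_LOG = """\
2009-04-01 10:00:01|7035|Service Control Manager|The IMAPI CDROM service has started
2009-04-01 10:00:02|7036|Service Control Manager|The IMAPI CDROM service is running
2009-04-01 10:00:14|7036|Service Control Manager|The IMAPI CDROM service has stopped
2009-04-01 10:01:30|7035|Service Control Manager|The IMAPI CDROM service has started
2009-04-01 10:01:31|7036|Service Control Manager|The IMAPI CDROM service is running
2009-04-01 10:01:42|7036|Service Control Manager|The IMAPI CDROM service has stopped
2009-04-01 10:03:05|7035|Service Control Manager|The IMAPI CDROM service has started
2009-04-01 10:03:06|7036|Service Control Manager|The IMAPI CDROM service is running
2009-04-01 10:03:19|7036|Service Control Manager|The IMAPI CDROM service has stopped
2009-04-01 15:20:00|7035|Service Control Manager|The IMAPI CDROM service has started
2009-04-01 15:20:01|7036|Service Control Manager|The IMAPI CDROM service is running
"""

def parse_log(text):
    """Parse the sample format into (time, event_id, source, message), oldest first."""
    events = []
    for line in text.splitlines():
        ts, eid, src, msg = line.split("|", 3)
        events.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), int(eid), src, msg))
    return sorted(events, key=lambda e: e[0])

def imapi_cycles(events, max_span=timedelta(seconds=20)):
    """Start times of complete started -> running -> stopped IMAPI sequences.
    max_span is an assumed upper bound, a little above the 10-15 s observed."""
    imapi = [e for e in events if "IMAPI" in e[3]]
    cycles, i = [], 0
    while i + 2 < len(imapi):
        a, b, c = imapi[i], imapi[i + 1], imapi[i + 2]
        if (a[1] == 7035 and b[1] == 7036 and "running" in b[3]
                and c[1] == 7036 and "stopped" in c[3] and c[0] - a[0] <= max_span):
            cycles.append(a[0])
            i += 3
        else:
            i += 1   # incomplete or out-of-order sequence: slide forward one event
    return cycles

def burn_sessions(cycles, gap=timedelta(minutes=10)):
    """Group cycle start times closer than `gap` (assumed); several cycles in one
    session match the insert / launch / burn pattern from the test above."""
    sessions = []
    for t in cycles:
        if sessions and t - sessions[-1][-1] <= gap:
            sessions[-1].append(t)
        else:
            sessions.append([t])
    return sessions
```

A session with several cycles is only an indicator; as the post says, the exact build and burning software still need to be tested before reading it as a burn.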

Posted in Forensics