SecureArtisan

My Road to Digital Forensics Excellence

Pleasant Surprise – Registry Parsing of all hives

Posted by Paul Bobby on April 27, 2009

I had been frustrated with the Registry Enscript libraries – while fast (they could natively parse hives without having to mount them), they were restricted to the hives in system32\config only…. who knows why. I had posted two threads concerning this on the Guidance Forums, and even when including IsSelected()? type code in my enscripts, it still would only parse the live hives.

Roll on v6.13 (and maybe a tad earlier, who knows), and it looks like my dream has come true.

The below script will parse out the Shutdown time from _whatever_ SYSTEM hive you have selected, for example all SYSTEM hives in the restore points. The output is displayed to console and to bookmarks.

I am so excited  tons of new possibilities for enscript functionality!

/*
  Registry File key comparison tool
    1. Select the registry files to review
    2. Hard code the registry key (for now)

  Created by Paul Bobby, 2008 - paul.bobby@lmco.com
*/

include "GSI_LogLib"

class MainClass {

  LogClass CLog;  // Make CLog global so that it can be used throughout the script

  void Main(CaseClass c) {
    // Start of Case startup code
    // 1. Check if a case is open with evidence added
    // 2. Clear the console and focus it
    // 3. Script start time
       SystemClass::ClearConsole(1);
       CLog = new LogClass("RegKeyCompare", LogClass::DEBUG, Console);
       if(!c){
         CLog.Fatal("You must have an open case");
       }
       if (!c.EntryRoot().FirstChild()) {
         CLog.Fatal("Please add some evidence to your case");
       }
/*
       String usageText = "This script will blah blah blah\n"
         "Be sure you select the following files\n\n"
         "Are you ready to proceed, or do you need to cancel to set up the script properly?\n";
       int mbResponse = SystemClass::Message(SystemClass::MBOKCANCEL, "Template Script",usageText);
       if (mbResponse == SystemClass::CANCEL) {
         return;
       }
*/
       DateClass now;
       now.Now();
       uint start = now.GetUnix();
       CLog.Info("Script Started");
    // End of Case startup code

    //
    // Script specific variables
    BookmarkFolderClass topFolder(c.BookmarkRoot(), "Registry Key Compare");
    RegCommandClass cmds();
    new RegCommandClass(cmds,"Shutdown Time",RegCommandClass::READVALUE, RegCommandClass::HKEY_LOCAL_MACHINE,
      "System\\ControlSet001\\Control\\Windows","ShutdownTime",0,0);

    //
    // Script specific code start
    forall (EntryClass e in c.EntryRoot()) {
      if (e.IsSelected()) {
        if (!(e.Description().Contains("invalid"))) {
          RegistryClass reg(e);
          reg.Name() = "Hello";
          RegValueClass values();
          if (reg.Run(cmds, values)) {
            RegValueClass v = values.Find("Shutdown Time");
            if (v) {
              MemoryFileClass mf();
              if (mf.Open(8, FileClass::WRITE)) {
                if (v.GetData(mf)) {
                  DateClass d();
                  mf.Seek(0);
                  if (mf.ReadWinDate(d)) {
                    CLog.Debug("Shutdown Time: "+d.GetString());
                  }
                }
              }
            }
            topFolder.AddDatamark("Shutdown Time", values);
          }
        }
      }
    }
    // Script specific code ends
    //

    // Case closedown code
       now.Now();
       CLog.Info("Script Completed in " + (now.GetUnix() - start) + " seconds");
  }
}
Advertisements

3 Responses to “Pleasant Surprise – Registry Parsing of all hives”

  1. H. Carvey said

    This functionality has been part of RegRipper since its inception…

  2. Paul Bobby said

    To be accurate, you have not released your system restore point regripper capability to the public, and the actual registry parsing is based off of someone elses Perl registry libraries.

  3. H. Carvey said

    Paul, I’m not sure that I see your point. The above EnScript is, well, based off of GSI’s EnScripting functionality; how is that any different from RegRipper being based off of a free library?

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

 
%d bloggers like this: