Registry Forensic Analysis DC3 302 2011 Challenge

Friday, 13. April 2012

I told you I would be back in no time with another dig from the archive on a file server; it took me like 20 minutes to get to on my own network. It's a long story, but let's say my virtual XTMv WatchGuard firewall and I are not getting along. I set up a new ESXi box on my HP xw8400 workstation with the new RAID card and transferred over my AD while my XTMv box got angry.

Back to forensics: I'm actually going up the list only one step from last night, to the 302 challenge from DC3 2011. This is the Shadow Volume Win7 Registry Analysis, which was actually one of my favorites. Since the case is a registry case, I used Harlan Carvey's RegRipper v2.02 (plugin set: regripperplugins_20110830.zip) against the provided hive files, because it parses registry hive files offline, plugin by plugin, and writes its findings out as easy-to-read plain-text reports.

The challenge called for the following information, as specified by the Department of Defense Cyber Crime Center (DC3).

I would later go on to do it with one of my favorite programs of 2011, Registry Decoder, but I will save that for another post down the road because I plan to go into much more detail.

"Description: Examiners must develop and document a methodology used to determine, from the provided Windows registry files obtained from a subject's computer (used to create the 400 – Shadow Volumes Analysis Challenge), a method for detecting items of interest in the system Registry files. Items of interest are any items that would be non-standard or not normally found on a majority of computers; or those items that indicate activity or awareness of the user that may be of interest to the investigation.

Report the exact registry key path for each item of interest listed below with any additional entry information. Include a detailed explanation of your processes (software or technique) used to examine and detect the information, and the reason for your selections.

Examiners must also be concerned with recording a detailed methodology of the steps and recording the tools used to accomplish the task as part of their grade."

Methodology

Notes:

Commands are highlighted in bold font.

Selections are highlighted in italic text.

Hive files were placed in the directory 302-Shadow-Volume-Win7-Registry-Analysis\Files\Hives\

Spaces were edited out of directory and file names to avoid command-line errors (well, I'm lazy and like to avoid the pain of quoting " ").

I opened the command prompt (cmd.exe) with administrative privileges and ran the following commands. Each run points rip at one hive (-r) and at the profile matching that hive type (-f); the profile selects which plugins are run, and the output is redirected into a per-hive report file.

cd C:\Regripper

rip -r C:\302-Shadow-Volume-Win7-Registry-Analysis\Files\Hives\NTUSER.dat -f ntuser >> C:\302-Shadow-Volume-Win7-Registry-Analysis\Registry-Ripper-Report-NTUSER-dat.txt

rip -r C:\302-Shadow-Volume-Win7-Registry-Analysis\Files\Hives\System -f system >> C:\302-Shadow-Volume-Win7-Registry-Analysis\Registry-Ripper-Report-System.txt

rip -r C:\302-Shadow-Volume-Win7-Registry-Analysis\Files\Hives\software -f software >> C:\302-Shadow-Volume-Win7-Registry-Analysis\Registry-Ripper-Report-Software.txt

rip -r C:\302-Shadow-Volume-Win7-Registry-Analysis\Files\Hives\sam -f sam >> C:\302-Shadow-Volume-Win7-Registry-Analysis\Registry-Ripper-Report-Sam.txt

rip -r C:\302-Shadow-Volume-Win7-Registry-Analysis\Files\Hives\security -f security >> C:\302-Shadow-Volume-Win7-Registry-Analysis\Registry-Ripper-Report-Security.txt
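The five rip invocations above are the same command with the hive name and profile swapped, so they lend themselves to a script. The script below is an added example, not part of the original post, and is written for a POSIX shell rather than cmd.exe (rip.pl runs under Perl on Linux or macOS as well; rip.exe on Windows takes the same -r/-f switches). It picks the profile from the hive's file name, quotes every path so directory names with spaces need no renaming, writes each report with `>` instead of `>>` (the append form silently stacks a second copy of the output onto an existing report if a command is re-run), and records a SHA-256 of each hive before and after the run so the methodology write-up can cite exactly which evidence file produced which report. The `RIP` location and the `/opt/regripper` path are assumptions; set `RIP` to wherever rip.pl lives.

```shell
#!/bin/sh
# Added example, not from the original post: batch the RegRipper runs shown
# above. Assumptions: RIP names the RegRipper 2.x command-line front end
# (rip.pl under Perl, or rip.exe on Windows); the hive directory holds the
# five hives the post used; sha256sum or shasum is on the PATH.

# RIP is expanded unquoted so it may carry an interpreter, e.g. "perl rip.pl".
RIP="${RIP:-perl /opt/regripper/rip.pl}"

# Map a hive file name (any letter case) to the RegRipper profile (-f) that
# fits it. Prints the profile name; returns 1 for a file that is not one of
# the five hives, so stray files in the directory are skipped, not mis-parsed.
profile_for_hive() {
    case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
        ntuser.dat) echo ntuser ;;
        system)     echo system ;;
        software)   echo software ;;
        sam)        echo sam ;;
        security)   echo security ;;
        *)          return 1 ;;
    esac
}

# Report file name for a hive, following the post's naming: the dot in
# NTUSER.dat becomes a dash so the report name stays a single token.
report_name() {
    printf 'Registry-Ripper-Report-%s.txt\n' "$(printf '%s' "$1" | tr '.' '-')"
}

# SHA-256 of a file, using whichever hashing tool the host provides.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Run RegRipper over every recognised hive in $1 and write reports to $2.
# Every path is quoted, so directories with spaces need no renaming.
# Output goes through '>' rather than '>>': a second run overwrites the
# report instead of appending a duplicate copy to it.
# One manifest line per hive (name, profile, hash, status) is appended to
# hive-manifest.tsv so the methodology write-up can cite the exact input.
rip_all() {
    hives_dir=$1
    out_dir=$2
    mkdir -p "$out_dir"
    for hive in "$hives_dir"/*; do
        [ -f "$hive" ] || continue
        name=$(basename "$hive")
        profile=$(profile_for_hive "$name") || {
            echo "skip: $name is not a hive this script knows" >&2
            continue
        }
        report="$out_dir/$(report_name "$name")"
        before=$(hash_file "$hive")
        $RIP -r "$hive" -f "$profile" >"$report" 2>"$report.err" && rc=0 || rc=$?
        after=$(hash_file "$hive")
        status="rip-exit-$rc"
        # The hive is evidence: its hash must be identical after the run.
        [ "$before" = "$after" ] || status="$status HIVE-CHANGED"
        printf '%s\t%s\t%s\t%s\n' "$name" "$profile" "$before" "$status" \
            >>"$out_dir/hive-manifest.tsv"
    done
}

# Usage (paths are illustrative):
#   rip_all "/cases/302-Shadow Volume Win7 Registry Analysis/Files/Hives" /cases/302/reports
```

The manifest is the part worth keeping for the write-up: the challenge grades the documented methodology, and a hash-per-hive table beside the reports answers "which file, which plugins, did the tool touch the evidence" without relying on memory. Anything rip prints to stderr (a plugin that does not apply to a hive, for instance) lands in the matching `.err` file instead of being lost.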

Alright, to reduce the massive amount of information I blast into these posts, I will provide simple short links if you want to get into the nuts and bolts of my results. Please feel free to use some of my commands in your own investigation or practice. I will warn that there are far more powerful features, but in this case it wasn't really required to go after any special registry keys that the great DFIR community hasn't already covered for newbs like me to be able to use.

Key Files of Interest: Files of Interest 302

Registry-Ripper-Report-NTUSER-dat

Registry-Ripper-Report-Sam

Registry-Ripper-Report-Security

Registry-Ripper-Report-Software

Registry-Ripper-Report-System

Alright, I tried to keep the post a little shorter for browser-friendly kindness. If anyone has suggestions, please feel free to contact me on Twitter, G+, or email me at wyattroersma@gmail.com. I would recommend leaving comments and feedback if you have something you want to see, or possibly see something I could be doing better. I love feedback because I can't fix what's broken if I'm blind to the problem.

Want more registry forensics information? Go buy the latest version of Windows Registry Forensics, the book by the RegRipper creator himself: http://www.amazon.com/Windows-Registry-Forensics-Advanced-Forensic/dp/1597495808.

If you're too lazy and not convinced, then go check out the start of it: http://www.forensicfocus.com/downloads/forensic-analysis-windows-registry.pdf. I mean, if you enjoyed my mini low-level post at all, then this will be the perfect bunny hole to chase down to feed the information monster inside.

In the coming days I will be posting some more Digital Forensics Challenge madness from my long, endless nights of trying to figure this crap out. So please stay tuned, as I will be going into Registry Decoder (Andrew Case doesn't know it yet, but I'm pretty sure I can get some comments from him about how it all came to be from the beginning). It will be a good dive into Registry Decoder, which recently got nominated for Digital Forensics Software of the Year; it will be a close race with Log2Timeline. I mean, the log will probably take it with the amount of power it offers.

Alright, I'm finally off to do something along the lines of learning from this web thing. Turns out it can really take the time out of your life.

A final Note:

Follow @keydet89 for the registry goodies.