SANS Digital Forensics and Incident Response Blog: Category - Evidence Analysis

Digital Forensics Case Leads: Spies, Social Networking Experiments, Live CDs & More

This "007" edition of Case Leads (20100708) features Russian spies, a mini-write blocker that would make Q proud, an experiment in social networking, Live CDs for Windows and Linux and an online journal on small digital device forensics.

If you have an interesting item you think should be included in the Digital Forensics Case Leads posts, you can send it to caseleads@sans.org.

News:


Autoruns and Dead Computer Forensics

Autoruns from Sysinternals is one of my favorite (free) tools. It has a myriad of uses, from optimizing the boot process to rooting out persistence mechanisms commonly used by malware. It is essentially a targeted registry dump, peering into at least a hundred different Windows Registry keys that the boot and logon processes rely upon. It very quickly shows what executables are set to run during boot or login, as well as enumerating many other interesting locations like Explorer shell extensions, browser helper objects, and toolbars. Over the years it has added some very useful features, including digital signature checks and the ability to ignore signed (and verified) Microsoft executables.

Until recently Autoruns had one big limitation: it had to be run on a live system. This is perfectly fine in a live response scenario when you are primarily working with systems that are up and running. However, in a dead computer forensics environment, its usefulness was hampered

... Continue reading Autoruns and Dead Computer Forensics


Turning RegRipper into WindowsRipper

Harlan Carvey has given us a great tool inRegRipper andit's undeniable that many examiners have found it to be a useful addition to their toolbox. RegRipper has a very specific purpose - parse the Windows registry. With some modification, we can turn RegRipper into WindowsRipper, an extremely powerful Windows triage tool. Using WindowsRipper we can parse much more than just the registry.

Adam James, a coworker who did the coding for this project, and I took a look at RegRipper and decided it could be morphed nicely into an amazing triage tool. The first thing Adam did wasmodify RegRipper to work against a mounted drive. You can read his explanation in the previous post or simply know that his code allows RegRipper to look at a mounted drive, find the Windows

...


Digital Forensics Case Leads: New RegRipper Feature, An Open Letter to Judges, the DFRWS Challenge and How Not to Seize Smart Phones

This week's installment of Digital Forensics Case Leads features a couple of tools useful for reviewing Window's systems. There is an announcement about a new feature of RegRipper and we have an open letter to the court on the use of neutral digital forensic examiners. The 2010 DFRWS Challenge is underway and law enforcement experiences the remote wiping feature of smart phones.

Keep those suggestions and topics for Digital Forensics Case Leads coming to caseleads at sans.org!

Tools:

  • Miss Identify is a cross-platform tool developed by Jesse Kornblum that identifies mislabeled Window's executables. A mislabeled executable is any executable without an executable extension of exe, dll, com, sys, cpl, hxs, hxi, olb, rll, or tlb.
  • If you've ever lost a software application key, (or need to audit installed software) the

Timestamped Registry & NTFS Artifacts from Unallocated Space

Frequently, while following up a Windows investigation, I will add certain filenames or other string values to my case wordlist and subsequently find these strings embedded in binary data of one type or another in unallocated space. Close examination of the surrounding data structures has shown that these are often old MFT entries, INDX structures, or registry keys or values. The thing that makes these things very interesting from a forensic perspective is that all of them but registry values incorporate Windows timestamps. (All timestamps referenced in this article are 64bit Windows filetime values.) Even registry values often follow closely after their parent keys in the registry, which do have associated timestamps. Once I'd noticed these key facts, it occurred to me that it would be useful to use the timestamp values to work backward to other associated data, and hence the genesis of this

...