SANS Digital Forensics and Incident Response Blog: Category - Registry Analysis

Computer Forensics How-To: Microsoft Log Parser

As any incident responder will agree, you can never have too many logs. That is, of course, until you have to analyze them! I was recently on an engagement where our team had to review hundreds of gigabytes of logs looking for evidence of hacking activity. I was quickly reminded of how much I love … Continue reading Computer Forensics How-To: Microsoft Log Parser

Digital Forensics: Detecting time stamp manipulation

At approximately 22:50 CDT on 20101029 I responded to an event involving a user who had received an email from a friend with a link to some kid's games. The user said he tried to play the games, but that nothing happened. A few minutes later, the user saw a strange pop up message asking to send an error report about regwin.exe to Microsoft.

I opened a command prompt on the system, ran netstat and saw an established connection to a host on a different network on port 443. The process id belonged to a process named kids_games.exe.

I grabbed a copy of Mandiant's Memoryze and collected a memory image from the system and copied it to my laptop for offline analysis using Audit Viewer.

Audit Viewer gave the kids_games.exe process a very high Malware Rating Index (see Figure 1), so I decided there was probably more


Digital Forensics: Persistence Registry keys

Some have called us log monkeys and claim our work is boring. Others recognize that what we do is a form of hunting. Computer Incident Response Team members watch security information event monitors (SIEMs) for indicators of compromise (IOCs). IOCs are like lycanthropes, they may be IDS/IPS alerts or blocks, or a system trying to connect to a resource it shouldn't be connecting to, or a user complaining of odd system behavior, or heaven forbid, a call from the Feds in the middle of the night.

Incident handlers may look for secondary IOCs to confirm an incident has occurred so they don't unnecessarily cause alarm or disrupt the organization. In the case of unsophisticated malware these secondary indicators can often be found by taking a quick look at the Windows Registry's run key. In many environments, this can be done remotely via:

reg query \\\\suspect.system.ip.address\\HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run

What comes back

... Continue reading Digital Forensics: Persistence Registry keys

Autoruns and Dead Computer Forensics

Autoruns from Sysinternals is one of my favorite (free) tools. It has a myriad of uses, from optimizing the boot process to rooting out persistence mechanisms commonly used by malware. It is essentially a targeted registry dump, peering into at least a hundred different Windows Registry keys that the boot and logon processes rely upon. It very quickly shows what executables are set to run during boot or login, as well as enumerating many other interesting locations like Explorer shell extensions, browser helper objects, and toolbars. Over the years it has added some very useful features, including digital signature checks and the ability to ignore signed (and verified) Microsoft executables.

Until recently Autoruns had one big limitation: it had to be run on a live system. This is perfectly fine in a live response scenario when you are primarily working with systems that are up and running. However, in a dead computer forensics environment, its usefulness was hampered

... Continue reading Autoruns and Dead Computer Forensics

Turning RegRipper into WindowsRipper

Harlan Carvey has given us a great tool inRegRipper andit's undeniable that many examiners have found it to be a useful addition to their toolbox. RegRipper has a very specific purpose - parse the Windows registry. With some modification, we can turn RegRipper into WindowsRipper, an extremely powerful Windows triage tool. Using WindowsRipper we can parse much more than just the registry.

Adam James, a coworker who did the coding for this project, and I took a look at RegRipper and decided it could be morphed nicely into an amazing triage tool. The first thing Adam did wasmodify RegRipper to work against a mounted drive. You can read his explanation in the previous post or simply know that his code allows RegRipper to look at a mounted drive, find the Windows