Sunday, December 18, 2011

Monday, November 28, 2011

Extending Reg Ripper, again.

A few months ago I posted how to automate the process of reporting all date/time instances a USB connection was made (including from Restore Points), using a combination of Mount Image Pro, SubInACL.exe, Reg Ripper, and some batch script Kung Foo. For one engagement, the scope was 50+ hard drives. Exercising this process reduced analysis time from hours to minutes per hard drive and translated into significant time and cost savings for the client.

Recently, I received 50+ SYSTEM registry hives from various host systems. Note, due to special circumstances only the SYSTEM hives were provided -- fyi -- there are other artifacts that log USB connections. All hives were preserved in Logical Evidence File (L01) format. Using Encase I took a look at the L01 files. Based on the full path information of the SYSTEM registry hives collected, it appeared they were from both active and Restore Point locations.

For this engagement I needed to report all date/time instances a USB connection was made based on the SYSTEM registry hives provided...

Since I was dealing with hives from various hosts within the L01s, the only thing segregating them was the directory structure (full path information) they were preserved in. It would be key to preserve this same full path information for each hive in whatever output/report was created, so that a hive could be tied back to a specific host later on.

Therefore, it was time to put my thinking cap on. Below is the list of options I came up with:
  1. Manually parse out the Hives.
  2. Run the Encase Advanced Enscript USB parser, but that outputs into a messy log file that is not delimited. Experience also tells me it can be hit or miss.
  3. Export the Hives and run Reg Ripper on each of them one by one, manually building a report as I go.
  4. Build a Reg Ripper batch script, but this would not preserve the file name and full path source of the hive in the output.
  5. Script that sh!@t!!
I like being challenged, so scripting that sh!@t using Python sounded trivial. Note, as I stated in my post about using Python to automate the process of creating folder structures, my coding skillz are script kiddie at best so please no LuLzing.

The requirements of the tool needed to be:
  • Recursively walk through a directory structure (using Encase I exported all L01's preserving folder paths to a case folder).
  • Identify any "SYSTEM" or "_REGISTRY_MACHINE_SYSTEM" registry hives.
  • For each Hive it finds:
    • Append File name to processing audit log
    • Run Reg Ripper against it with a specific plugin (USBSTOR3, to show me all USB connections)
    • Import Reg Ripper output into Python memory based list/db
    • For each line imported, append the full path of the original hive parsed (for audit purposes -- this will allow me to tie a hive back to its original source later).
  • Export CSV report for all hive files found.
Below is the pretty Python code I compiled. For fun I’m going to try to add some error handling, convert to OO, and port into an Executable. For now, all I can say is it works and saved me a ton of manual effort/time.

import os, fnmatch, csv, subprocess

RIP_EXE = 'C:\\Program Files (x86)\\RegRipper032911\\rip.exe'
TEMP_OUT = 'c:\\final.csv'   # scratch file that holds one rip.exe run at a time
a = []                        # every RegRipper output line, tagged with the hive it came from

def find_files(directory, pattern): #Recursively walk directory path for files
    print 'Recursively search directory for SYSTEM hives..'
    for root, dirs, files in os.walk(directory):
        for basename in files:
            if fnmatch.fnmatch(basename, pattern):
                yield os.path.join(root, basename)

log = open('c:\\log.txt', 'a') #Append each processed file to the audit log
for filename in find_files('C:\\directory_structure_to_search', '*SYSTEM'):  #Define dir path and hive type to look for ('*SYSTEM' matches SYSTEM and _REGISTRY_MACHINE_SYSTEM)
    print 'Found Hive:', filename
    print 'Ripping...'
    #subprocess avoids the cmd.exe quoting headaches of os.system; rip.exe output is redirected to the scratch file
    with open(TEMP_OUT, 'w') as out:
        subprocess.call([RIP_EXE, '-r', filename, '-p', 'usbstor3'], stdout=out)
    print 'Done Ripping.'
    print 'Processing Output...'

    with open(TEMP_OUT, 'r') as f: #Import RegRipper output into list
        for row in csv.reader(f):
            if row:
                a.append(row + [filename]) #Tag each line with the full path of the hive it came from
    log.write(filename + '\n')
log.close()

output = open('c:\\output.csv', 'wb') #Write the combined CSV report
wr = csv.writer(output)
for i in a:
    wr.writerow(i)
output.close()
print 'Done'
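One refinement a practitioner wants on top of the script above is to turn the preserved full path into something directly usable in the report: which host the hive belongs to and whether it is the active hive or a Restore Point snapshot. The Python 3 code below is an added example, not part of the original post; it assumes an export layout of case root, then one folder per host, then the hive's original path, and the sample rip.exe output lines are made up.

```python
import csv
import io
import re
from pathlib import PureWindowsPath

# Restore Point hives sit under System Volume Information\_restore{GUID}\RPnn\snapshot\
RP_RE = re.compile(r'_restore\{[0-9a-f-]+\}[\\/](RP\d+)', re.IGNORECASE)

def classify_hive(hive_path, case_root):
    """Return (host, source, restore_point) for one exported hive.

    Assumes (an assumption of this example, not the post's) that the L01s were
    exported as case_root / host / original path, so the first folder below
    the case root names the host the hive came from."""
    rel = PureWindowsPath(hive_path).relative_to(case_root)
    host = rel.parts[0] if len(rel.parts) > 1 else 'unknown'
    m = RP_RE.search(str(rel))
    if m:
        return host, 'restore_point', m.group(1).upper()
    if rel.name.upper() == 'SYSTEM':
        return host, 'active', ''
    return host, 'unknown', ''

def tag_rows(rip_output, hive_path, case_root):
    """One row per non-blank line of rip.exe output, prefixed with its provenance."""
    host, source, rp = classify_hive(hive_path, case_root)
    return [[host, source, rp, hive_path, line.rstrip()]
            for line in rip_output.splitlines() if line.strip()]

def build_report(runs, case_root):
    """runs: list of (hive_path, rip_output_text). Returns the combined CSV text."""
    buf = io.StringIO()
    w = csv.writer(buf, lineterminator='\n')
    w.writerow(['host', 'source', 'restore_point', 'hive_path', 'rip_output'])
    for hive_path, out in runs:
        w.writerows(tag_rows(out, hive_path, case_root))
    return buf.getvalue()

# Constructed sample: active hive + RP12 snapshot from HOST-A, an empty run from HOST-B.
CASE = r'C:\case'
SAMPLE_RUNS = [
    (CASE + r'\HOST-A\WINDOWS\system32\config\SYSTEM', 'Disk&Ven_X&Prod_Y\n  S/N: 1234\n'),
    (CASE + r'\HOST-A\System Volume Information'
          + r'\_restore{00000000-0000-0000-0000-000000000001}\RP12\snapshot\_REGISTRY_MACHINE_SYSTEM',
     'Disk&Ven_X&Prod_Y\n'),
    (CASE + r'\HOST-B\WINDOWS\system32\config\SYSTEM', ''),
]

if __name__ == '__main__':
    print(build_report(SAMPLE_RUNS, CASE))
```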

Dav Nads

Sunday, November 13, 2011

Intellectual Property (IP) Theft and Technology 1o1o1o1

I'm working on a paper on High Tech Intellectual Property Theft so I thought I would share some food for thought!

According to Wikipedia (whatev that's worth), Intellectual Property (IP) is a term referring to a number of distinct types of creations of the mind for which a set of exclusive rights are recognized, and the corresponding fields of law; theft is the illegal taking of another person's property without that person's freely-given consent.

Do the math, IP + Theft is an equation for stealing s$% you shouldn't!! If you add technology as a variable into this equation, stealing $#% can get super geeky. For instance, an employee can copy the text from a document containing the recipe for Coke onto a website called . This is a website where you can freely copy and paste text, making it accessible to the world with just a few clicks. It is a convenient and "virtually untraceable" platform for people to share large amounts of text. The website has traditionally been used by programmers to store source code, but more recently it has also been used by HaX0r groups like Anonymous, 4chan, and LulzSec to post their pirated caches and booties.

Methods of IP theft are becoming more advanced and correspondingly difficult to detect. Traditional methods of detection (i.e. USB connection analysis, print spool files, e-mail, etc.) are not going to CUT it in some cases. I used one example of an insider COPYING and PASTING IP out of a network, but there are many other advanced methods, from transferring data from a laptop to a mobile device in someone's pocket via ad-hoc networking, to installing mobile malware/spyware software on a VIP's device.

However, traditional methods of IP theft may not be as advanced, but they are just as difficult (if not more difficult) to detect. For instance, taking pictures of IP with a camera phone or calling a partner and communicating IP over the phone. In these cases it's more important to be aware of these methods and put governance and policies in place to prevent them, so you're NOT responding to the "perfect crime".

Let's also not forget about how the most simple digital crime can become ah so difficult. For instance, a terminated user transferred documents from a computer to a USB storage device a week before they resigned. During that week, a Windows Update was also run and all USB last connection date/time information in the active registry was unfortunately updated. Now you, as a forensic examiner, are challenged to think outside of the box and look elsewhere ;-)

Below is a collaborative (thank you, unnamed co-worker) brain dump of potential methods of IP theft. Note, some of these methods may leave little to NO forensic residue - the emphasis of the paper I'm writing is identification and detection from a Computer Forensic perspective. The purpose of this list is to promote awareness and hopefully assist with your due diligence or your next IP Theft investigation.
  1. Personal e-mail account usage (i.e. user logs into personal e-mail account via web mail and attaches documents or copies text to e-mail message).
  2. Instant Messaging software such as AIM, MSN, Yahoo, Gtalk, or ICQ (i.e. transfer text or an attachment over an instant messaging conversation).
  3. Internet activity to online storage tools, file sharing services, social media platforms, and public/private forums (i.e. upload documents to online storage service or copy text to website such as
  4. Access to network resources such as file servers (i.e. copy documents from file server directly to USB device) without subsequently accessing it.
  5. Network connectivity to private networks via Bluetooth, wifi, or remote access to transfer data (i.e. computer transfers documents to another computer via Bluetooth network).
  6. Removable storage device (i.e. user copies data to a thumb drive or external hard drive). Keep in mind removable storage devices do not always get tracked comprehensively (i.e. an O/S update occurs that updates all USB last connection date/time information in the registry).
  7. Screen capture applications run from removable devices to minimize forensic residue (i.e. run screen recording tool from USB drive).
  8. Use of non-standard applications/protocols such as VPN, FTP, SFTP, P2P, SSH (i.e. use an FTP application to transfer data to a remote server).
  9. Copy data to a device that can be configured as a USB storage device, such as a mobile phone or music player (i.e. copy data via USB to an iPhone or iPod).
  10. Bypassing the operating system by booting the system from a bootable disk to copy data to an external drive (i.e. anti-forensic or forensic software such as Helix or Knoppix).
  11. Traditional forensic and IT methods of cloning hard drives (i.e. extract hard drive from system and use forensic software/hardware to copy/clone data).
  12. Host and Mobile device based Spyware/Malware
  13. Other "low tech" methods of exfiltrating data include:
    1. Taking hard copy documents or electronic devices,
    2. Photography or video,
    3. printing,
    4. scanning,
    5. use of unknown devices,
    6. making a phone call and communicating the IP. 

Stay tuned.. I will be posting some more forensication soon.

-Dav Nads

Monday, November 7, 2011

Reminiscing about my CEIC 2010 video competition entry

In 2010, Guidance Software hosted a video competition for 2 free passes to their CEIC conference. We did not win because apparently it was not appropriate. I still went anyway, but I'm reminiscing about our great video!

Wednesday, August 24, 2011

Debian GNU/Linux Postfix Server Incident - p'owned?

Reason to believe a server was compromised, and it's a physical Debian GNU/Linux mail server in a production environment? ..Sounds like fun!

Below is a short list of items to consider when responding to an incident. This is from a technical perspective and by no means a work plan for a comprehensive investigation.

If you haven't already, try to get a physical or logical image of the device. If the server can't be turned off to acquire physically, consider acquiring the logical partitions live:

1.    Attach USB
2.    mkdir /m1
3.    mount /dev/sdb1 /m1 # Substitute /dev/sdb1 for your USB device's partition, fdisk -l helps
4.    dd if=/dev/sda1 of=/m1/my_image.img # this cmd is very basic and will dd the partition to the USB disk. If it uses logical volume manager, copy the logical partition, as reconstructing the raid/lvm later could be an issue.

Identify all logs that could contain potential evidence related to the intrusion. Logs are going to be one of the key points of analysis in Linux based investigations. To that point, don't forget to inquire about log retention policies and procedures during your scoping. For instance, are logs from the target server collected using a SIM, backed up to tape, or maybe logging is not even enabled? A good analogy is, make sure to account for ("or eat") all the crumbs that may be surrounding the cookie.

Here is a short list:

1.    /var/log/secure
2.    /var/log/secure.*
3.    /var/log/messages
4.    /var/log/messages.*
5.    /var/log/wtmp
6.    /var/log/wtmp.*
7.    /var/log/btmp
8.    /var/log/btmp.*
9.    /var/log/mail.log
10.    /var/log/mail.log.*
11.    /var/log/apache
12.    /var/log/auth.log
13.    /var/spool/
14.    Check syslog configuration (/etc/syslog.conf typically) and see if additional log files are stored
15.    If the machine is behind a firewall, check the firewall (machine/appliance) logs.
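To account for "all the crumbs", the first thing to do with the list above is to collect and hash whatever actually exists on the box (or in the mounted image), including rotated copies and any extra files the syslog configuration writes to (item 14). The Python 3 code below is an added example, not from the original post; the syslog.conf fragment is constructed, and the manifest function takes a root prefix so it can run against a mount point such as /m1 rather than the live filesystem.

```python
import glob
import hashlib
import os

# Log locations from the list above; a trailing '*' also picks up rotated
# copies (secure.1, mail.log.2.gz ...) and /var/spool is walked as a directory.
KNOWN_LOGS = ['/var/log/secure*', '/var/log/messages*', '/var/log/wtmp*',
              '/var/log/btmp*', '/var/log/mail.log*', '/var/log/apache*',
              '/var/log/auth.log*', '/var/spool']

def logs_from_syslog_conf(conf_text):
    """Return the file paths a syslog.conf rule set writes to.

    Each rule is '<selector> <action>'. A leading '-' on the action only means
    an unsynced write; actions like '*', '@loghost' or '|/path' go to users, a
    remote host or a pipe, not a local file, and are skipped."""
    paths = []
    for line in conf_text.splitlines():
        parts = line.split('#', 1)[0].split()   # drop comments and blanks
        if len(parts) < 2:
            continue
        action = parts[-1].lstrip('-')
        if action.startswith('/') and action not in paths:
            paths.append(action)
    return paths

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, 'rb') as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b''):
            h.update(chunk)
    return h.hexdigest()

def collect_manifest(root, patterns):
    """Glob each pattern under root ('' for the live server, '/m1' for the
    mounted image) and record (size, sha256) per regular file found.
    Logs that are missing are simply absent from the result: a finding in itself."""
    manifest = {}
    for pat in patterns:
        for hit in sorted(glob.glob(root + pat)):
            if os.path.isfile(hit):
                files = [hit]
            else:
                files = [os.path.join(d, f) for d, _, fs in os.walk(hit) for f in fs]
            for path in files:
                manifest[path] = (os.path.getsize(path), sha256_of(path))
    return manifest

# Constructed /etc/syslog.conf fragment in the traditional sysklogd format.
SAMPLE_CONF = """# constructed sample
auth,authpriv.*\t\t\t/var/log/auth.log
*.*;auth,authpriv.none\t\t-/var/log/syslog
mail.*\t\t\t\t-/var/log/mail.log
mail.err\t\t\t/var/log/mail.err
*.emerg\t\t\t\t*
*.*\t\t\t\t@loghost
"""
```

On the target, `collect_manifest('/m1', KNOWN_LOGS + logs_from_syslog_conf(open('/m1/etc/syslog.conf').read()))` gives the hashed inventory to keep with the acquisition notes.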

Wednesday, July 6, 2011

Dear Dav Nads, help me make some folders

yoGirl: Davnads, you put the "sic" in forensic bc you got skillz.
Davnads: dat rite
yoGirl: I'm trying to stage some data on my network for an eDiscovery engagement that I need to process using the Cloud. I don't have time to manually create 500 staging folders with sub directories.
Davnads: Yo chair yo' Problem
yoGirl: :-(
Davnads:  Damn sad faces, they always get 2 me. Okay I will help!

In response to my fan mail, I created an ugly (I don't program for a paycheck) Python script that will assist the process of creating directory structures en masse. This script uses the os module. "As is" the script will read a comma delimited file, containing a parent folder name followed by 3 sub folder names, line by line.

David Nides,HDD SN XX,Mobile Phone,Network Share
Danny Nides,HDD SN XX,SharePoint Data,Network Share

For each line, it will create a directory structure consisting of a parent folder named after the first field, and sub directories named after the second, third, and fourth fields. For example:

  >David Nides
   >>HDD SN XX
   >>Mobile Phone
   >>Network Share

  >Danny Nides
   >>HDD SN XX
   >>SharePoint Data
   >>Network Share

The code is listed below. Note it is currently set to write the folder structure out to the "D:\" drive but this can be easily changed. Let me know if you have any questions. 


#Created by David Nides, 6/29/11
#This python script will input a CSV file (refer to the input.txt template)
#Parse each row and create a directory.
import os
import csv
root = 'D:\\'  # drive/folder the structure is written to; change as needed
file = csv.reader(open('folder_names.csv'), delimiter=',')
for row in file:
    if not row:  # skip blank lines
        continue
    parent = os.path.join(root, row[0])  # first field is the parent folder
    print "creating ", parent
    if not os.path.isdir(parent):
        os.makedirs(parent)
    for sub in row[1:]:  # remaining fields become sub directories
        path = os.path.join(parent, sub)
        print "creating ", path
        if not os.path.isdir(path):
            os.makedirs(path)

Tuesday, June 21, 2011

Basic Groundwork for cmd line Scripting Computer Forensic Tasks + VIDEO BONUS

Watch the video tutorial that I created for our internal team to see this in action and how it works:

Task: 50 hard drives, Windows XP, report all date/time instances a USB drive connection was made.

Proposed Solution: Open Encase, Mount Image using the Physical Disk Emulator module, Manually change Windows security permissions/ownership of the System Volume Information directory OR export the Restore Point directory, Open up a CMD prompt, Execute RegRipper against %/Windows/System32/config/SYSTEM and the Restore Point, slice and dice output, and misc.

~ 1 hour per hard drive.

Alternative Solution: Batch script that shit!

~ 2 hours of development resulting in ~5 mins per hard drive.

This is the groundwork and a start to scripting computer forensic tasks via the command line. It’s simple, yet very powerful stuff that anyone can do.

Also, a special thank you to David Kovar who was so kind to give me a few pointers along the way. He has volunteered to take this initiative and port it over to Python. More to come from David and me as we work together on expanding this.


1. Windows XP Examiner Machine
2. Image with Windows XP
3. Mount Image Pro (fully functional 30 day demo available)
4. SubInACL.exe
5. RegRipper

About the Batch:

• Will prompt for disk image Full Path Location (.ad1, .e01, .dd, .vmdk, etc…)

• Automatically mount disk image using Mount Image Pro CLI

• List disk mounting information (drive letters mounted, volume name, file system, etc...)

• Prompt for the drive letter where %/SYSTEM VOLUME INFORMATION/% is located. This is where Restore Points are saved. By default this directory is protected and not accessible by the system. This can be automated later on

• Prompt for local Administrator account name

• Automatically Change ownership and grant full access to the %/SYSTEM VOLUME INFORMATION/% directory using SysInternal’s Subinacl.exe.

• List %/SYSTEM VOLUME INFORMATION/% information

• Prompt for Restore Point Directory Name you would like to parse

• Then do work...

• Currently set to execute RegRipper (RipXP.exe) using the USBSTOR3 plugin. This will parse the local SYSTEM hive and every Restore Point System Hive subsequently outputting a nice CSV file showing every USB drive (and corresponding date/time) EVER plugged into the system.

• Anything that is cmd line accessible can be set to be executed after the drive is mounted.

Get Started:

Copy the code below into notepad, save as XXX.bat, and execute via the command line. Make sure you have the three dependencies installed and your paths are defined to the three executables.

Let me know if you have any questions or suggestions… It is just a rough draft but gets the job done for me! A lot more to come... stay tuned


::Date: 6/15/2010
::Created by: David Nides

::This batch script will mount image using Mount Image Pro (MIP4.exe), use Microsoft's SubInACL (SubInACL.exe) command to take ownership and grant full access to System Volume Information, and then do work such as execute RipXP.exe.

:: This requires that you have installed Mount Image Pro (Demo is available for free),
:: SubInACL (
:: Any other tools you want to run

::Set full path of where all your .exe's are located below
set MIP_PATH="C:\Program Files\GetData\Mount Image Pro v4\MIP4"
set RR_PATH="C:\Program Files\Reg Ripper\RegRipper032911\ripxp"
set SUBINACL_PATH="C:\Program Files\Windows Resource Kits\Tools\subinacl"

:input for Mount Image Pro CMD Line
set /P IMAGELOC="Enter Image full path (e.g d:\image.dd): "

echo Your input was: %IMAGELOC%
echo ----------------------------------------------
echo Please wait while drive is being mounted.....
echo ----------------------------------------------


echo ----------------------------------------------
echo Please wait while mounted device details are populated.....
echo ----------------------------------------------

:input to locate SYSTEM VOLUME INFORMATION - this can be automated later
set /P MOUNTED_DRIVE_LETTER="Look at the above List of Mounted Devices and input drive letter where SYSTEM VOLUME INFORMATION directory is located (e.g. H): "
echo Your input was: %MOUNTED_DRIVE_LETTER%

echo ----------------------------------------------
:input collect username to setowner and grant access to
set /P USER="Enter Administrative user account name to setowner and grant access to SYSTEM VOLUME INFORMATION (e.g. Administrator): "
echo Your input was: %USER%

%SUBINACL_PATH% /subdirectories "%MOUNTED_DRIVE_LETTER%:\System Volume Information" /setowner="%USER%" /grant="%USER%"=F

echo ----------------------------------------------
dir /ah "%MOUNTED_DRIVE_LETTER%:\System Volume Information\"
set /P RP_FOLDER_NAME="Enter Restore Point Folder you would like to parse in /System Volume Information/ (e.g. _restore{46DE8921-1D39-44D2-A9E9-64119261F211}): "
echo ----------------------------------------------
echo Let's do work......
echo ----------------------------------------------

::The below can be set for user config later. In the meantime this is the "tell RegRipper to do X" section.
::set /P HIVE_to_PARSE="Enter Registry Hive to Parse (e.g. SYSTEM, SAM, NTUSER, SECURITY, SOFTWARE): "
::set /P RR_PLUGIN="RR Plugin to Parse with (e.g. USBSTOR3) "

%RR_PATH% -r "%MOUNTED_DRIVE_LETTER%:\WINDOWS\system32\config\SYSTEM" -d "%MOUNTED_DRIVE_LETTER%:\System Volume Information\%RP_FOLDER_NAME%" -p usbstor3>> c:\output.csv

If you are interested in reading more about expanding RegRipper and similar projects, I suggest reading Corey Harrell's blog post, Triaging my way.

Monday, March 28, 2011

cHECK oUT Microsoft’s Audit Object Access Policy for Forensic Evidence!

Let's say client XYZ maintains sensitive budget information within a select folder on one particular Windows fileserver. When originally created, the folder was restricted to specific AD users. At some point, everyone was granted access to the folder. Is there any available trail of activity in Windows to tell who accessed what and when?!?!

YES (if it's turned on)... !!!!!

I learned today that Microsoft’s audit object access policy handles auditing access to all objects outside AD. It is disabled by default, but IF enabled you can audit access to almost any kind of Windows object including files, folders, registry keys, printers, and services.

Pretty cool. I see this as a useful source of information for many investigations so I thought I would share.

If it's not turned on, I believe enabling Audit Object Access either within GPO or the local server policy should do the trick. Please note that depending on how many files/folders you have this auditing enabled on, disk space may be an issue. You really need a SIEM to go alongside this to parse and alert on anomalies if you want to use this as a true real-time investigative tool.
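Once the policy is in place, the "who accessed what and when" question is answered from the Security log. The Python 3 code below is an added example, not from the original post: it reads an XML export of the Security log, keeps only event ID 4663 ("An attempt was made to access an object", the file/folder access event on Vista/2008 and later), and builds the access trail for one folder; the sample events are constructed.

```python
import xml.etree.ElementTree as ET

# Exported Security-log XML puts this default namespace on every <Event>
NS = {'e': 'http://schemas.microsoft.com/win/2004/08/events/event'}
# A few AccessMask bits for file objects, enough to label read vs. write vs. delete
ACCESS_BITS = {0x1: 'ReadData', 0x2: 'WriteData', 0x4: 'AppendData', 0x10000: 'Delete'}

def decode_mask(mask_hex):
    mask = int(mask_hex, 16)
    names = [name for bit, name in sorted(ACCESS_BITS.items()) if mask & bit]
    return '|'.join(names) or mask_hex

def parse_4663(xml_text):
    """Yield one dict per event ID 4663; every other event ID in the export is skipped.
    Note: 4663 only appears if the audit policy is on AND the folder carries a SACL."""
    for ev in ET.fromstring(xml_text).findall('e:Event', NS):
        if ev.findtext('e:System/e:EventID', namespaces=NS) != '4663':
            continue
        data = {d.get('Name'): (d.text or '') for d in ev.findall('e:EventData/e:Data', NS)}
        yield {
            'time': ev.find('e:System/e:TimeCreated', NS).get('SystemTime'),
            'user': data.get('SubjectDomainName', '') + '\\' + data.get('SubjectUserName', ''),
            'object': data.get('ObjectName', ''),
            'access': decode_mask(data.get('AccessMask', '0x0')),
            'process': data.get('ProcessName', ''),
        }

def access_trail(xml_text, folder):
    """Who accessed what under `folder`, oldest first."""
    prefix = folder.rstrip('\\').lower() + '\\'
    hits = [e for e in parse_4663(xml_text) if e['object'].lower().startswith(prefix)]
    return sorted(hits, key=lambda e: e['time'])

# Constructed export: two accesses inside the budget folder (out of time order),
# one outside it, and a logon event (4624) that must be ignored.
SAMPLE = r"""<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4663</EventID>
<TimeCreated SystemTime="2011-03-28T14:05:00Z"/></System><EventData>
<Data Name="SubjectUserName">jsmith</Data><Data Name="SubjectDomainName">XYZ</Data>
<Data Name="ObjectName">D:\Finance\Budget\FY11.xlsx</Data><Data Name="AccessMask">0x2</Data>
<Data Name="ProcessName">C:\Program Files\Microsoft Office\EXCEL.EXE</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4663</EventID>
<TimeCreated SystemTime="2011-03-28T14:01:30Z"/></System><EventData>
<Data Name="SubjectUserName">jsmith</Data><Data Name="SubjectDomainName">XYZ</Data>
<Data Name="ObjectName">D:\Finance\Budget\FY11.xlsx</Data><Data Name="AccessMask">0x1</Data>
<Data Name="ProcessName">C:\Program Files\Microsoft Office\EXCEL.EXE</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4663</EventID>
<TimeCreated SystemTime="2011-03-28T14:02:00Z"/></System><EventData>
<Data Name="SubjectUserName">bjones</Data><Data Name="SubjectDomainName">XYZ</Data>
<Data Name="ObjectName">D:\Public\notes.txt</Data><Data Name="AccessMask">0x1</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4624</EventID>
<TimeCreated SystemTime="2011-03-28T14:00:00Z"/></System><EventData/></Event>
</Events>"""
```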