Tuesday, June 21, 2011

Basic Groundwork for cmd line Scripting Computer Forensic Tasks + VIDEO BONUS

Watch the video tutorial that I created for our internal team to see this in action and how it works:

Task: 50 hard drives, all Windows XP; report every date/time at which a USB drive was connected.

Proposed Solution: Open EnCase, mount the image using the Physical Disk Emulator module, manually change the Windows security permissions/ownership of the System Volume Information directory (or export the Restore Point directory), open a CMD prompt, run RegRipper against \Windows\System32\config\SYSTEM and the Restore Point hives, slice and dice the output, and so on.

~ 1 hour per hard drive.

Alternative Solution: Batch script that shit!

~ 2 hours of development resulting in ~5 mins per hard drive.

This is the groundwork and a start to scripting computer forensic tasks via the command line. It’s simple, yet very powerful stuff that anyone can do.

Also, a special thank you to David Kovar, who was so kind to give me a few pointers along the way. He has volunteered to take this initiative and port it over to Python. More to come from David and me as we work together on expanding this.


What You Need:

1. Windows XP examiner machine
2. Disk image of a Windows XP system
3. Mount Image Pro (fully functional 30-day demo available)
4. SubInACL.exe (from the Microsoft Windows Resource Kit tools)
5. RegRipper (RipXP.exe)

About the Batch:

• Will prompt for disk image Full Path Location (.ad1, .e01, .dd, .vmdk, etc…)

• Automatically mount disk image using Mount Image Pro CLI

• List disk mounting information (drive letters mounted, volume name, file system, etc...)

• Prompt for the drive letter where %/SYSTEM VOLUME INFORMATION/% is located. This is where Restore Points are saved. By default the directory's ACL grants access only to the SYSTEM account, so even a local administrator cannot list it until ownership is taken and permissions are changed. This step can be automated later on.

• Prompt for local Administrator account name

• Automatically change ownership of and grant full access to the %/SYSTEM VOLUME INFORMATION/% directory using Microsoft's SubInACL.exe (Windows Resource Kit tool). Note that this is a write to the mounted volume, so the image must be mounted with writes allowed (use a write cache so the evidence file itself stays unchanged).

• List %/SYSTEM VOLUME INFORMATION/% information

• Prompt for the Restore Point directory name (the _restore{GUID} directory) you would like to parse

• Then do work...

• Currently set to execute RegRipper's RipXP.exe with the usbstor3 plugin. This parses the live SYSTEM hive and every Restore Point copy of the SYSTEM hive (RPnn\snapshot\_REGISTRY_MACHINE_SYSTEM) under the chosen _restore{GUID} directory, appending a CSV that lists every USB storage device recorded in any of those hives with its timestamp. The timestamp is the LastWrite time of the device's USBSTOR subkey (commonly read as the last connection time); the older hive copies in the Restore Points push the timeline back and recover devices whose keys have since been deleted from the live hive.

• Anything that is cmd line accessible can be set to be executed after the drive is mounted.

Get Started:

Copy the code below into Notepad, save it as XXX.bat, and execute it from the command line. Make sure you have the three tool dependencies (Mount Image Pro, SubInACL, RegRipper) installed and the paths to the three executables defined at the top of the script.

Let me know if you have any questions or suggestions… It is just a rough draft but gets the job done for me! A lot more to come... stay tuned


::Date: 6/15/2010
::Created by: David Nides

::This batch script will mount an image using Mount Image Pro (MIP4.exe), use Microsoft's SubInACL (SubInACL.exe) to take ownership of and grant full access to System Volume Information, and then do work such as executing RipXP.exe.

:: This requires that you have installed Mount Image Pro (Demo is available for free),
:: SubInACL (http://www.microsoft.com/downloads/en/details.aspx?familyid=e8ba3e56-d8fe-4a91-93cf-ed6985e3927b&displaylang=en)
:: and any other tools you want to run.

@echo off
setlocal

::Set full path of where all your .exe's are located below
set MIP_PATH="C:\Program Files\GetData\Mount Image Pro v4\MIP4.exe"
set RR_PATH="C:\Program Files\Reg Ripper\RegRipper032911\ripxp.exe"
set SUBINACL_PATH="C:\Program Files\Windows Resource Kits\Tools\subinacl.exe"
::All results are appended to this one file (one CSV for all 50 drives)
set OUTPUT=c:\output.csv

::Input for Mount Image Pro command line (note: a single leading colon makes a label, not a comment)
set /P IMAGELOC="Enter Image full path (e.g d:\image.dd): "

echo Your input was: %IMAGELOC%
echo ----------------------------------------------
echo Please wait while drive is being mounted.....
echo ----------------------------------------------

::Mount the image here with the Mount Image Pro CLI, using %MIP_PATH% and "%IMAGELOC%".
::The MIP4 invocation was not preserved in this copy of the script; see the MIP4 command-line help for its syntax.
::The SubInACL step below writes to the mounted volume, so mount with a write cache so the image file itself stays unchanged.

echo ----------------------------------------------
echo Please wait while mounted device details are populated.....
echo ----------------------------------------------
::List the mounted devices here (MIP4 CLI) so the drive letter can be chosen below.

::Input to locate SYSTEM VOLUME INFORMATION - this can be automated later
set /P MOUNTED_DRIVE_LETTER="Look at the above List of Mounted Devices and input drive letter where SYSTEM VOLUME INFORMATION directory is located (e.g. H): "
echo Your input was: %MOUNTED_DRIVE_LETTER%

echo ----------------------------------------------
::Input: collect username to set as owner and grant access to
set /P USER="Enter Administrative user account name to setowner and grant access to SYSTEM VOLUME INFORMATION (e.g. Administrator): "
echo Your input was: %USER%

::Take ownership of the directory tree and grant Full control; the account running this needs SeTakeOwnershipPrivilege (local Administrators have it)
%SUBINACL_PATH% /subdirectories "%MOUNTED_DRIVE_LETTER%:\System Volume Information" /setowner="%USER%" /grant="%USER%"=F

echo ----------------------------------------------
::/a lists every entry regardless of hidden/system attributes (/ah would show only hidden ones)
dir /a "%MOUNTED_DRIVE_LETTER%:\System Volume Information\"
set /P RP_FOLDER_NAME="Enter Restore Point Folder you would like to parse in /System Volume Information/ (e.g. _restore{46DE8921-1D39-44D2-A9E9-64119261F211}): "
echo ----------------------------------------------
echo Lets do work......
echo ----------------------------------------------

::The below can be set for user config later. In the mean time this is the "tell RegRipper to do X" section.
::set /P HIVE_to_PARSE="Enter Registry Hive to Parse (e.g. SYSTEM, SAM, NTUSER, SECURITY, SOFTWARE): "
::set /P RR_PLUGIN="RR Plugin to Parse with (e.g. USBSTOR3) "

::Tag the appended output with the image it came from, then run usbstor3 against the live SYSTEM hive (-r)
::and every RPnn\snapshot\_REGISTRY_MACHINE_SYSTEM under the Restore Point directory (-d).
::Keep a space before >> : cmd reads a digit glued to > (as in "usbstor3>>") as a file-handle redirect,
::which would run the wrong plugin and send stderr to the CSV instead.
echo. >> %OUTPUT%
echo Image: %IMAGELOC% >> %OUTPUT%
%RR_PATH% -r "%MOUNTED_DRIVE_LETTER%:\WINDOWS\system32\config\SYSTEM" -d "%MOUNTED_DRIVE_LETTER%:\System Volume Information\%RP_FOLDER_NAME%" -p usbstor3 >> %OUTPUT%

endlocal
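The "slice and dice output" step after the ripxp run, as an added Python example; this is not the batch script's code and not RipXP or RegRipper output handling. It assumes you have already reduced each hive (the live SYSTEM hive and each RPnn snapshot) to one record per USBSTOR serial subkey with its raw LastWrite FILETIME; that record layout, the device names and the timestamps are constructed for this example and do not reproduce RipXP's real output format. It goes a little beyond the post: it orders RPnn folders numerically (lexicographic sorting puts RP10 before RP2), converts LastWrite FILETIMEs to UTC, and flags devices that survive only in Restore Point copies of the hive.

```python
"""Consolidate USBSTOR records from a live SYSTEM hive and Restore Point hives.

Added example for this post; it is not the batch script, RipXP or RegRipper code.
Input records are ASSUMED to have been extracted already, one per USBSTOR serial
subkey per hive; the layout below is this example's own, not RipXP's output format.
"""
import ntpath
import re
from datetime import datetime, timedelta, timezone

# Windows FILETIME counts 100 ns ticks since 1601-01-01 00:00 UTC. Registry key
# LastWrite times (what the USBSTOR plugins report) are stored as FILETIME.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_utc(ft):
    """Raw 64-bit FILETIME -> timezone-aware UTC datetime (microsecond precision)."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def utc_to_filetime(dt):
    """Inverse of filetime_to_utc; used here only to build the constructed sample."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


RP_DIR = re.compile(r"^RP(\d+)$")


def order_restore_points(names):
    """RPnn folder names in numeric order (RP10 after RP9), skipping anything
    else found in _restore{GUID} (rp.log, drivetable.txt, ...). A plain sort
    would put RP10 before RP2 and scramble the timeline."""
    numbered = [(int(m.group(1)), n) for n in names for m in [RP_DIR.match(n)] if m]
    return [n for _, n in sorted(numbered)]


def snapshot_hive_paths(restore_dir, entries):
    """Windows path of the SYSTEM hive copy inside each restore point, oldest
    first (this is what ripxp -d walks); entries is os.listdir(restore_dir)."""
    return [ntpath.join(restore_dir, rp, "snapshot", "_REGISTRY_MACHINE_SYSTEM")
            for rp in order_restore_points(entries)]


def consolidate(records):
    """Merge per-hive records into one timeline per (device key, serial subkey).

    first_seen/last_seen are the earliest and latest LastWrite values observed
    across all hives; in_current_hive is False for devices whose key was removed
    from the live SYSTEM hive and survives only in Restore Point copies.
    """
    timeline = {}
    for rec in records:
        key = (rec["device"], rec["serial"])
        entry = timeline.setdefault(key, {"first_seen": None, "last_seen": None,
                                          "in_current_hive": False, "sources": []})
        ts = filetime_to_utc(rec["lastwrite"])
        if entry["first_seen"] is None or ts < entry["first_seen"]:
            entry["first_seen"] = ts
        if entry["last_seen"] is None or ts > entry["last_seen"]:
            entry["last_seen"] = ts
        if rec["source"] == "SYSTEM":
            entry["in_current_hive"] = True
        entry["sources"].append((rec["source"], ts))
    for entry in timeline.values():
        entry["sources"].sort(key=lambda s: s[1])
    return timeline


def only_in_restore_points(timeline):
    """Devices absent from the live hive: the evidence the Restore Point pass
    adds over parsing \\system32\\config\\SYSTEM alone."""
    return sorted(k for k, e in timeline.items() if not e["in_current_hive"])


def report_lines(timeline):
    """CSV lines, one per device, in the shape an examiner would paste into a report."""
    lines = ["device,serial,first_seen_utc,last_seen_utc,in_current_hive,seen_in"]
    for (dev, ser), e in sorted(timeline.items()):
        seen = ";".join(src for src, _ in e["sources"])
        lines.append(f"{dev},{ser},{e['first_seen'].isoformat()},"
                     f"{e['last_seen'].isoformat()},{e['in_current_hive']},{seen}")
    return lines


def _ft(y, mo, d, h, mi):
    return utc_to_filetime(datetime(y, mo, d, h, mi, tzinfo=timezone.utc))


# Constructed sample (not real case data): two devices seen across the live hive
# and two restore points; the Kingston key no longer exists in the live hive.
SAMPLE_RECORDS = [
    {"source": "SYSTEM", "device": "Disk&Ven_SanDisk&Prod_Cruzer&Rev_8.02",
     "serial": "0123456789ABCDEF&0", "lastwrite": _ft(2011, 6, 10, 14, 5)},
    {"source": "RP12", "device": "Disk&Ven_SanDisk&Prod_Cruzer&Rev_8.02",
     "serial": "0123456789ABCDEF&0", "lastwrite": _ft(2011, 5, 1, 9, 30)},
    {"source": "RP3", "device": "Disk&Ven_Kingston&Prod_DataTraveler&Rev_1.00",
     "serial": "5B7A12F3C0D1&0", "lastwrite": _ft(2011, 3, 2, 18, 45)},
    {"source": "RP12", "device": "Disk&Ven_Kingston&Prod_DataTraveler&Rev_1.00",
     "serial": "5B7A12F3C0D1&0", "lastwrite": _ft(2011, 4, 20, 8, 15)},
]

if __name__ == "__main__":
    for line in report_lines(consolidate(SAMPLE_RECORDS)):
        print(line)
```

Feed it the records from all 50 images (keeping the image tag from the batch output as an extra field) and the devices that only appear in Restore Points are the ones a live-hive-only pass would have missed; remember that LastWrite is in UTC, so convert to the examiner's or the system's local time only at report time.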

If  you are interested in reading more about expanding RegRipper and similar projects, I suggest reading Corey Harrell's blog post, Triaging my way.