Task: 50 hard drives, Windows XP, report all date/time instances a USB drive connection was made.
Proposed Solution: Open EnCase, mount the image using the Physical Disk Emulator module, manually change Windows' security permissions/ownership of the System Volume Information directory OR export the Restore Point directory, open a CMD prompt, execute RegRipper against %/Windows/System32/config/SYSTEM and the Restore Point, slice and dice the output, and misc.
~ 1 hour per hard drive.
Alternative Solution: Batch script that shit!
~ 2 hours of development resulting in ~5 mins per hard drive.
This is the groundwork and a start to scripting computer forensic tasks via the command line. It’s simple, yet very powerful stuff that anyone can do.
Also, a special thank you to David Kovar, who was kind enough to give me a few pointers along the way. He has volunteered to take this initiative and port it over to Python. More to come from David and me as we work together on expanding this.
Dependencies:
1. Windows XP Examiner Machine
2. Image with Windows XP
3. Mount Image Pro (fully functional 30 day demo available)
About the Batch:
• Will prompt for the disk image's full path (.ad1, .e01, .dd, .vmdk, etc.)
• Automatically mounts the disk image using the Mount Image Pro CLI
• Lists disk mounting information (drive letters mounted, volume name, file system, etc.)
• Prompts for the drive letter on which %/SYSTEM VOLUME INFORMATION/% is located. This is where Restore Points are saved. By default this directory is protected (only the SYSTEM account has access), so it is not accessible to the examiner. This step can be automated later on.
• Prompts for the local Administrator account name
• Automatically changes ownership of the %/SYSTEM VOLUME INFORMATION/% directory and grants full access to it using SysInternal's Subinacl.exe.
• Lists the %/SYSTEM VOLUME INFORMATION/% contents
• Prompts for the name of the Restore Point directory you would like to parse
• Then does the work...
• Currently set to execute RegRipper (RipXP.exe) with the USBSTOR3 plugin. This parses the local SYSTEM hive and then the SYSTEM hive in every Restore Point, outputting a CSV file that shows every USB drive (and its corresponding date/time) EVER plugged into the system.
• Anything that is command-line accessible can be set to execute after the drive is mounted.
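As an added example (not the author's batch script, which is not reproduced here), this is how the ownership and RipXP steps above can be scripted. It assumes the image has already been mounted with Mount Image Pro, that subinacl.exe, ripxp.exe and RegRipper's plugins directory are on the PATH, and that the subinacl and ripxp switches used match each tool's documented usage (confirm them against each tool's own help before running).

```batch
@echo off
REM Added example, not the author's script. Assumes the image is already
REM mounted by Mount Image Pro and that subinacl.exe, ripxp.exe and the
REM RegRipper plugins directory are on %PATH%. Tool switches below are
REM assumed from each tool's documented usage; check "subinacl /help"
REM and run "ripxp" with no arguments to confirm them.
setlocal

set /p DRV=Drive letter where "System Volume Information" lives (e.g. F): 
set /p ADMIN=Local Administrator account name (e.g. Administrator): 
set SVI=%DRV%:\System Volume Information
set HIVE=%DRV%:\Windows\System32\config\SYSTEM

if not exist "%HIVE%" (
    echo SYSTEM hive not found at "%HIVE%" - wrong drive letter?
    goto :end
)

REM Take ownership of the protected directory and everything under it,
REM then grant the examiner's admin account full control
subinacl /file "%SVI%" /setowner=%ADMIN% /grant=%ADMIN%=F
subinacl /subdirectories "%SVI%\*" /setowner=%ADMIN% /grant=%ADMIN%=F

REM Show the restore point directories (_restore{GUID}) so one can be chosen
dir /b /ad "%SVI%"
set /p RESTORE=Restore Point directory name to parse: 

REM RipXP: -r live SYSTEM hive, -d restore point directory, -p plugin.
REM Output goes to stdout, so redirect it to a per-drive CSV next to the script
set OUT=%~dp0usbstor_%DRV%.csv
ripxp -r "%HIVE%" -d "%SVI%\%RESTORE%" -p usbstor3 > "%OUT%"
echo Output written to "%OUT%"

:end
endlocal
```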
Copy the code below into Notepad, save it as XXX.bat, and execute it via the command line. Make sure you have the three dependencies installed and that the paths to the three executables are defined.
Let me know if you have any questions or suggestions... It is just a rough draft, but it gets the job done for me! A lot more to come... stay tuned.