Monday, November 28, 2011

Extending Reg Ripper, again.

A few months ago I posted how to automate the process of reporting all date/time instances a USB connection was made (including from Restore Points), using a combination of Mount Image Pro, SubInACL.exe, Reg Ripper, and some batch script Kung Foo. For one engagement, the scope was 50+ hard drives. Exercising this process reduced analysis time from hours to minutes per hard drive and translated into significant time and cost savings for the client.

Recently, I received 50+ SYSTEM registry hives from various host systems. Note, due to special circumstances only the SYSTEM hives were provided -- fyi -- there are other artifacts that log USB connections. All hives were preserved in Logical Evidence File (L01) format. Using Encase I took a look at the L01 files. Based on the full path information of the SYSTEM registry hives collected, it appeared they were from both active and Restore Point locations.

For this engagement I needed to report all date/time instances a USB connection was made based on the SYSTEM registry hives provided...

Since I was dealing with hives from various hosts within the L01s, the only thing segregating them was the directory structure (full path information) they were preserved in. It would be key to preserve this same full path information for each hive in whatever output/report was created, so that a hive could be tied back to a specific host later on.

Therefore, it was time to put my thinking cap on. Below is the list of options I came up with:
  1. Manually parse out the Hives.
  2. Run the Encase Advanced Enscript USB parser, but that outputs into a messy log file that is not delimited. Experience also tells me it can be hit or miss.
  3. Export the Hives and run Reg Ripper on each of them one by one, manually building a report as I go.
  4. Build a Reg Ripper batch script, but this would not preserve the file name and full path source of the hive in the output.
  5. Script that sh!@t!!
I like being challenged so scripting that sh!@t using Python sounded trivial. Note, as I stated in my post about using Python to automate the process of creating folder structures, my coding skillz are script kiddie at best so please no LuLzing.

The requirements of the tool needed to be:
  • Recursively walk through a directory structure (using Encase I exported all L01s to a case folder, preserving folder paths).
  • Identify any "SYSTEM" or "_REGISTRY_MACHINE_SYSTEM" registry hives.
  • For each Hive it finds:
    • Append File name to processing audit log
    • Run Reg Ripper against it with a specific plug-in (USBSTOR3, to show me all USB connections)
    • Import Reg Ripper output into Python memory based list/db
    • For each line imported, append the full path of the original hive parsed (for audit purposes -- this will allow me to tie a hive back to its original source later).
  • Export CSV report for all hive files found.
Below is the pretty Python code I compiled. For fun I’m going to try to add some error handling, convert to OO, and port into an Executable. For now, all I can say is it works and saved me a ton of manual effort/time.

import os, fnmatch, csv, subprocess

RIP_EXE = r'C:\Program Files (x86)\RegRipper032911\rip.exe'
SEARCH_ROOT = r'C:\directory_structure_to_search'  # Define dir path to search
RIP_OUT = r'c:\final.csv'   # scratch file holding one hive's RegRipper output
LOG_FILE = r'c:\log.txt'    # processing audit log
REPORT = r'c:\output.csv'   # final CSV report

a = []  # one row per RegRipper output line, tagged with the source hive path

def find_files(directory, pattern):  # Recursively walk directory path for files
    print('Recursively search directory for SYSTEM hives..')
    for root, dirs, files in os.walk(directory):
        for basename in files:
            if fnmatch.fnmatch(basename, pattern):
                filename = os.path.join(root, basename)
                yield filename

# '*SYSTEM' matches both the active 'SYSTEM' hive and the Restore Point '_REGISTRY_MACHINE_SYSTEM' hive
for filename in find_files(SEARCH_ROOT, '*SYSTEM'):
    print('Found Hive:', filename)
    print('Ripping...')
    # Run rip.exe with the usbstor3 plug-in and redirect its output to the scratch file
    with open(RIP_OUT, 'w') as rip_out:
        subprocess.call([RIP_EXE, '-r', filename, '-p', 'usbstor3'], stdout=rip_out)
    print('Done Ripping.')
    print('Processing Output...')

    with open(RIP_OUT, 'r') as f:  # Import RegRipper output into list
        for line in f:
            line = line.rstrip('\r\n')
            if line:
                a.append([line, filename])  # append full path of the hive that was parsed

    with open(LOG_FILE, 'a') as log:  # Append each processed file to log output
        log.write(filename + '\n')

print('Writing output CSV')
with open(REPORT, 'w', newline='') as output:
    wr = csv.writer(output)
    wr.writerow(['regripper_output', 'source_hive'])
    wr.writerows(a)
for i in a:
    print(i)
print('Done')
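As an added example (not the post's code), here is how the preserved full path of each hive can be turned into a host label and an active-vs-Restore Point tag for every report row, which is what lets a row be tied back to its source host later. The case-folder layout, host names and GUID are constructed assumptions, not values from the engagement.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample paths (assumption: Encase exported each L01 to
# <case root>\<host name>\..., so the first folder under the case root is
# the host; Restore Point hives sit under _restore{GUID}\RPnn\snapshot).
CASE_ROOT = r'C:\case'
SAMPLE_HIVES = [
    r'C:\case\HOST01\C\WINDOWS\system32\config\SYSTEM',
    r'C:\case\HOST01\C\System Volume Information'
    r'\_restore{1A2B3C4D-5E6F-4A7B-8C9D-0E1F2A3B4C5D}\RP12\snapshot'
    r'\_REGISTRY_MACHINE_SYSTEM',
    r'C:\case\HOST02\C\System Volume Information'
    r'\_restore{1A2B3C4D-5E6F-4A7B-8C9D-0E1F2A3B4C5D}\RP3\snapshot'
    r'\_REGISTRY_MACHINE_SYSTEM',
]

# Matches the Restore Point folder (RPnn) inside a snapshot path
RP_RE = re.compile(r'_restore\{[0-9A-Fa-f-]+\}\\(RP\d+)\\snapshot', re.IGNORECASE)


def classify_hive(hive_path, case_root):
    """Return (host, source, restore_point) for one exported hive path.

    host is the first folder under case_root, source is 'active' or
    'restore_point', and restore_point is the RPnn folder name (or '').
    """
    rel = PureWindowsPath(hive_path).relative_to(PureWindowsPath(case_root))
    host = rel.parts[0]
    m = RP_RE.search(hive_path)
    if m:
        return host, 'restore_point', m.group(1).upper()
    return host, 'active', ''


def tag_rows(rip_lines, hive_path, case_root):
    """Prefix each non-blank RegRipper output line with host, source, RP
    and the full hive path, giving the columns for the CSV report."""
    host, source, rp = classify_hive(hive_path, case_root)
    return [[host, source, rp, hive_path, line.rstrip('\r\n')]
            for line in rip_lines if line.strip()]


if __name__ == '__main__':
    # Constructed stand-in for usbstor3 output lines (not the real format)
    for hive in SAMPLE_HIVES:
        for row in tag_rows(['sample line 1\n', '\n', 'sample line 2\n'], hive, CASE_ROOT):
            print(row)
```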

Dav Nads

Sunday, November 13, 2011

Intellectual Property (IP) Theft and Technology 1o1o1o1

I'm working on a paper on High Tech Intellectual Property Theft so I thought I would share some food for thought!

According to Wikipedia (whatev that's worth), Intellectual Property (IP) is a term referring to a number of distinct types of creations of the mind for which a set of exclusive rights are recognized, and the corresponding fields of law; theft is the illegal taking of another person's property without that person's freely given consent.

Do the math: IP + Theft is an equation for stealing s$% you shouldn't!! If you add technology as a variable to this equation, stealing $#% can get super geeky. For instance, an employee can copy the text from a document containing the recipe for Coke onto a website called This is a website where you can freely copy and paste text, making it accessible to the world with just a few clicks. It is a convenient and "virtually untraceable" platform for people to share large amounts of text. The website has traditionally been used by programmers to store source code, but more recently it has also been used by HaX0r groups like Anonymous, 4chan, and LulzSec to post their pirated caches and booties.

Methods of IP theft are becoming more advanced and correspondingly more difficult to detect. Traditional methods of detection (i.e. USB connection analysis, print spool files, e-mail, etc.) are not going to CUT it in some cases. I used one example of an insider COPYING and PASTING IP out of a network, but there are many other advanced methods, from transferring data from a laptop to a mobile device in someone's pocket via ad-hoc networking, to installing mobile malware/spyware software on a VIP's device.

However, traditional methods of IP theft may not be as advanced, but they are just as difficult (if not more difficult) to detect. For instance, taking pictures of IP with a camera phone, or calling a partner and communicating IP over the phone. In these cases it's more important to be aware of these methods and put governance and policies in place to prevent them, so you're NOT responding to the "perfect crime".

Let's also not forget how the most simple digital crime can become oh so difficult. For instance, a terminated user transferred documents from a computer to a USB storage device a week before they resigned. During that week, a Windows Update was also run and all USB last-connection date/time information in the active registry was unfortunately updated. Now you, as a forensic examiner, are challenged to think outside the box and look elsewhere ;-)

Below is a collaborative (thank you, unnamed co-worker) brain dump of potential methods of IP theft. Note, some of these methods may leave little to NO forensic residue; the emphasis of the paper I'm writing is identification and detection from a computer forensic perspective. The purpose of this list is to promote awareness and hopefully assist with your due diligence or your next IP theft investigation.
  1. Personal e-mail account usage (i.e. user logs into personal e-mail account via web mail and attaches documents or copies text to e-mail message).
  2. Instant Messaging software such as AIM, MSN, Yahoo, Gtalk, or ICQ (i.e. transfer text or attachment over instant messaging conversation)
  3. Internet activity to online storage tools, file sharing services, social media platforms, and public/private forums (i.e. upload documents to online storage service or copy text to website such as
  4. Access to network resources such as file servers (i.e. copy documents from file server directly to USB device) without subsequently accessing it.
  5. Network connectivity to private networks via Bluetooth, wifi, or remote access to transfer data (i.e. computer transfers documents to another computer via Bluetooth network).
  6. Removable storage device (i.e. user copies data to thumb drive or external hard drive). Keep in mind removable storage devices do not always get tracked comprehensively (i.e. an O/S update occurs that updates all USB last-connection date/time information in the registry).
  7. Screen capture applications run from removable devices to minimize forensic residue (i.e. run screen recording tool from USB drive).
  8. Use of non-standard applications/protocols such as VPN, FTP, SFTP, P2P, SSH (i.e. use an FTP application to transfer data to a remote server).
  9. Copy data to a device that can be configured as a USB storage device, such as a mobile phone or music player (i.e. copy data via USB to an iPhone or iPod).
  10. Bypassing the operating system by booting the system into a bootable disk to copy data to an external drive (i.e. anti-forensic or forensic software such as Helix or Knoppix).
  11. Traditional forensic and IT methods of cloning hard drives (i.e. extract hard drive from system and use forensic software/hardware to copy/clone data).
  12. Host- and mobile device-based spyware/malware.
  13. Other "low tech" methods of exfiltrating data include:
    1. Taking hard copy documents or electronic devices,
    2. Photography or video,
    3. printing,
    4. scanning,
    5. use of unknown devices,
    6. making a phone call and communicating the IP. 

Stay tuned.. I will be posting some more forensication soon.

-Dav Nads

Monday, November 7, 2011

Reminiscing about my CEIC 2010 video competition entry

In 2010, Guidance Software hosted a video competition for 2 free passes to their CEIC conference. We did not win because apparently it was not appropriate. I still went anyway, but I'm reminiscing about our great video!