Windows IR
WFA 2/e Status
Written by Keydet89   
Saturday, 17 January 2009 01:53
I wanted to let everyone know that since October, I've been working on the second edition of this book, and I'm almost done with the initial rewrites. I'm finishing up chapter 4, Registry Analysis, now, and this is the last chapter that needs to go to the tech editor. Once this chapter has been sent off, I'll be going back to chapter 1 and addressing the tech editor's comments...the next stop is the publisher!

What's changed...a good deal of the original information is still in the book, but has been added to and in many cases expanded and brought up to date. For example, the binary structure of Registry hives and PE files haven't changed, so there's no reason to take any of that information out of the book...it's still pertinent. However, new tools are available, new techniques have been developed, and I've tried to highlight that in the additional information. In chapter 4, I focus primarily on RegRipper and rip.pl, rather than standalone scripts and tools. The standalone scripts and tools are still there, though...I moved them to another directory on the DVD.

I've also added two new chapters, not based on any specific requests, but rather upon things I've seen over time. Chapter 8 is "Tying It All Together", where I try to illustrate incidents I and others have responded to (in general terms, of course), and show how information from different chapters in the book gets pulled together and correlated to create an overall picture of the incident or examination. Chapter 9 discusses getting a great deal of analysis capability out of freely available (in some cases, low-cost) tools...the vast majority (albeit not all) of the tools discussed in this chapter were not brought up anywhere else in the book.

This time around, I've included more information about Vista, and while the recent release of Windows 7 Beta makes it too soon to really be included in the book, it does open the door for a third edition. ;-) Some other things that will be on the DVD that accompanies the book (besides tools and other items referenced in the chapters) are a number of PDFs I've written up over the past year or so to act as training manuals...each PDF addresses a single topic and is short enough to print out and take on a plane with you, or simply read at your leisure. I'm also including a document that shows, in detail, how to deploy F-Response EE remotely, and what physical memory from the remote system "looks like" to the analysis system.

From what the publisher tells me, this book should be out by May/June of this year, although it is already up on Amazon for pre-order.
 
Windows 7 Beta Registry
Written by Keydet89   
Sunday, 11 January 2009 15:52
I've seen recently how folks have gotten access to the Windows 7 Beta for download from Microsoft, and being interested, I jumped right up on that bandwagon. I mean, from a forensic perspective, this "Jump List" thing is just going to be a gold mine for an analyst, much like RecentDocs and UserAssist keys have been since Windows 2000. Wikipedia has a nice write-up, and I look at all the great usability stuff that's talked about and all I can think of is "artifacts". ;-)

So, I took a look around to see if anyone was trying to install Windows 7 Beta into VMware, and I ran across a Windows 7 Beta VM at TuxDistro. I fired up BitTorrent and downloaded the zipped archive, and then unzipped the VMDK file and opened it in FTK Imager. Now, I saw a "Documents and Settings" directory, and a "Users" directory...so was this REALLY Windows 7?

Well, one question I heard a LOT when Vista came out was "what changed?" Was the Registry different enough that all of our current tools no longer worked? So, there's one way to find out! I dumped the hive files out of the VMDK file from their usual locations, including one called "Components". I wanted to see if my tools worked, so I fired up rip.pl to see what I was working with:

C:\Perl\forensics\rr>rip.pl -r d:\cases\win7\software -p winnt_cv
Plugins Dir = C:\Perl\forensics\rr\plugins/
Launching winnt_cv v.20080609
WinNT_CV
Microsoft\Windows NT\CurrentVersion
LastWrite Time Fri Dec 12 18:26:31 2008 (UTC)

RegisteredOrganization :
CurrentVersion : 6.1
CurrentBuild : 6956
CurrentBuildNumber : 6956
SoftwareType : System
InstallationType : Client
EditionID : Ultimate
SystemRoot : C:\Windows
PathName : C:\Windows
ProductName : Windows 7 Ultimate
CurrentType : Multiprocessor Free
ProductId : 00428-015-8630506-70665
BuildLab : 6956.winmain.081122-1150
InstallDate : Fri Dec 12 20:52:50 2008 (UTC)
BuildLabEx : 6956.0.x86fre.winmain.081122-1150

Very cool! Not only do the tools seem to work just fine, but it looks as if the VMDK is a Windows 7 Beta VM. Very nice. Other plugins, such as samparse, seemed to work just fine, but parsing the UserAssist key in the NTUSER.DAT file was problematic...the "normal" GUID key didn't seem to be in the hive.

So, it would seem that the binary format of the Windows 7 (the Beta, anyway) Registry hive files has not changed. I'm sure that the content has, as keys have changed names and functionality, and values and ways of recording data have changed. However, as with the move from Windows 2000 to XP, there may simply be more opportunities for forensic analysts. I'll be interested to see who writes some of the first RegRipper plugins specific to Windows 7.
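The question the post is really asking ("is this REALLY Windows 7, and does the tooling still work on it?") can be answered mechanically from the winnt_cv output above. The following Python is an added example, not code from the post or from RegRipper: it parses the plugin's text output into a structure and maps the CurrentVersion value to a Windows family so that a batch of rip.pl runs can be triaged without reading each one. The embedded sample is the post's own output with the backslashes restored (the command-prompt line is omitted, since it is input rather than output); the version table and the build-number cutoff for Windows 7 RTM (7600) are my additions, based on Microsoft's published build numbers rather than anything on this page.

```python
import re
from datetime import datetime, timezone

# Constructed sample: the winnt_cv output quoted in the post, backslashes restored.
SAMPLE_OUTPUT = """Plugins Dir = C:\\Perl\\forensics\\rr\\plugins/
Launching winnt_cv v.20080609
WinNT_CV
Microsoft\\Windows NT\\CurrentVersion
LastWrite Time Fri Dec 12 18:26:31 2008 (UTC)

RegisteredOrganization :
CurrentVersion : 6.1
CurrentBuild : 6956
CurrentBuildNumber : 6956
SoftwareType : System
InstallationType : Client
EditionID : Ultimate
SystemRoot : C:\\Windows
PathName : C:\\Windows
ProductName : Windows 7 Ultimate
CurrentType : Multiprocessor Free
ProductId : 00428-015-8630506-70665
BuildLab : 6956.winmain.081122-1150
InstallDate : Fri Dec 12 20:52:50 2008 (UTC)
BuildLabEx : 6956.0.x86fre.winmain.081122-1150
"""

# "Name : value" lines; the value may be empty (RegisteredOrganization above).
KEY_VALUE = re.compile(r"^(\S+)\s*:\s*(.*)$")
LASTWRITE = re.compile(r"^LastWrite Time (.+?) \(UTC\)$")

# CurrentVersion -> Windows family (my table, not from the page). Note that
# Windows 10 and later keep "6.3" here and add CurrentMajorVersionNumber.
VERSION_FAMILIES = {
    "5.0": "Windows 2000",
    "5.1": "Windows XP",
    "5.2": "Windows XP x64 / Server 2003",
    "6.0": "Windows Vista / Server 2008",
    "6.1": "Windows 7 / Server 2008 R2",
    "6.2": "Windows 8 / Server 2012",
    "6.3": "Windows 8.1 / Server 2012 R2 (or Windows 10+)",
}

WIN7_RTM_BUILD = 7600  # assumption documented in the lead-in


def parse_plugin_output(text):
    """Turn one rip.pl plugin's text output into a dict."""
    result = {"plugin": None, "key_path": None, "lastwrite": None, "values": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Plugins Dir"):
            continue
        if line.startswith("Launching "):
            result["plugin"] = line.split()[1]  # "winnt_cv" from "Launching winnt_cv v.2008..."
            continue
        m = LASTWRITE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y")
            result["lastwrite"] = ts.replace(tzinfo=timezone.utc)
            continue
        if "\\" in line and ":" not in line:
            result["key_path"] = line  # the Registry key path the plugin walked
            continue
        m = KEY_VALUE.match(line)
        if m:
            result["values"][m.group(1)] = m.group(2).strip()
    return result


def identify_os(values):
    """Map the CurrentVersion values to a Windows family and flag pre-RTM Win7 builds."""
    cv = values.get("CurrentVersion", "")
    family = VERSION_FAMILIES.get(cv, "unknown (CurrentVersion=%r)" % cv)
    build = int(values.get("CurrentBuildNumber") or values.get("CurrentBuild") or 0)
    return {
        "family": family,
        "build": build,
        "product": values.get("ProductName", ""),
        "prerelease_win7": cv == "6.1" and 0 < build < WIN7_RTM_BUILD,
    }


if __name__ == "__main__":
    parsed = parse_plugin_output(SAMPLE_OUTPUT)
    print(parsed["plugin"], parsed["key_path"], parsed["lastwrite"])
    print(identify_os(parsed["values"]))
```

Run against the sample, this reports the 6.1 family with build 6956 flagged as a pre-RTM Windows 7 build, which is exactly what the post concludes from reading the output by eye; the same parser applies unchanged to other plugins that emit "Name : value" lines, so it is a reasonable base for bulk triage of RegRipper output.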