Using RegRipper inside Encase Enterprise


In the earlier discussion I talked about the registry parser tool “RegRipper”, which uses plugins to parse pre-determined registry paths and pull out relevant information.  In that post I was describing how to use RegRipper against a mounted drive, but doing it that way takes some additional steps that are not necessary.  Normally, to use RegRipper you must locate your registry hives, blue-check them within Encase Enterprise and then copy them out to an export folder.  Then you launch RegRipper, browse to the hive files, run the tool and open the resulting report.  There is another way of using this tool inside of Encase without copying anything out of Encase, and without mounting the image as a drive.  In order to do this you need to use the 3rd party viewer inside of Encase.  I have created a batch file for each current plugin that RegRipper uses and placed those in the RegRipper folder on my hard drive.  I then created a command line inside of Encase telling Encase that I want the command prompt to open in “C:\RegRipper”, execute a particular plugin against the hive file I have highlighted, create a report based upon that plugin and place the report in “C:\Temp\[plugin_name].txt”.

In other words, the application path shows “C:\Windows\System32\cmd.exe” and the command line shows “/S /D /K c:\\regripper\\bat_files\\aim.bat [file]”.

This opens the command prompt and runs the aim plugin.  The corresponding batch file looks like this:

rem change into the RegRipper folder so rip.exe can find its plugins directory
cd c:\regripper\

rem %1 is the hive file Encase passes in; the aim plugin's output is appended to c:\temp\aim.txt
rip.exe -r %1 -p aim >> c:\temp\aim.txt

What this allows an examiner to do is run one particular plugin against a given hive file without copying anything out, and without running all the plugins for that hive file and then digging through a text report for the information you are looking for.  If you feel this is something you would like to try out then please do so and provide some feedback on your thoughts.
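As an added example that is not from the original post, the batch file below replaces the one-file-per-plugin approach with a single generic file that takes the plugin name as its first argument and the hive as its second; the folder names C:\RegRipper and C:\Temp follow the post, and the file name rip_plugin.bat is an assumption.

```batch
@echo off
rem Added example (not from the original post): one generic batch file in place
rem of a batch file per plugin. The Encase viewer command line would then read
rem   /S /D /K c:\regripper\bat_files\rip_plugin.bat aim [file]
rem Assumes rip.exe is in C:\RegRipper and reports go to C:\Temp, as in the post.
setlocal
set "RR_DIR=C:\RegRipper"
set "OUT_DIR=C:\Temp"

if "%~2"=="" goto usage
set "PLUGIN=%~1"
set "HIVE=%~2"

rem Encase may hand over a path with spaces, so the hive path is quoted throughout.
if not exist "%HIVE%" (
    echo Hive file not found: "%HIVE%"
    exit /b 2
)
if not exist "%OUT_DIR%" mkdir "%OUT_DIR%"

rem rip.exe is run from its own folder so it finds the plugins directory.
cd /d "%RR_DIR%"

rem The report is appended as in the original batch files, so each run is
rem stamped with time, plugin and source hive to keep hives apart in one file.
set "REPORT=%OUT_DIR%\%PLUGIN%.txt"
echo ==== %DATE% %TIME% plugin=%PLUGIN% hive="%HIVE%" ====>> "%REPORT%"
rip.exe -r "%HIVE%" -p "%PLUGIN%" >> "%REPORT%" 2>&1
if errorlevel 1 echo rip.exe returned %ERRORLEVEL% for plugin %PLUGIN%, check %REPORT%

rem Open the report straight away instead of browsing to C:\Temp.
start "" notepad.exe "%REPORT%"
endlocal
exit /b 0

:usage
echo usage: %~nx0 ^<plugin^> ^<hive-file^>
exit /b 1
```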

I have uploaded a zip file containing all the batch files and the .ini viewer configuration file from Encase to the Document Library at the CSIRT Forum.  Just unzip the file, place the “bat” directory into your RegRipper folder and the viewer.ini file into “Program Files\Encase\Config\”.  This is set up with the assumption that your RegRipper folder is in the root of your “C:\” drive and that you have a temp directory in the root of your “C:\” drive as well.  If you have those folders someplace else then you will need to update the ini file and the batch file for each plugin.

I am sure there are easier ways of doing this, and maybe the scripting can be better, but either way leave your comments here.  Also remember, if you come up with additional plugins that would be beneficial to the rest of us, please pass them along to everyone.

If you would like the batch files and ini files mentioned you can contact me through my email address: mark.morgan47@gmail.com.  Please put “Evernote” in the SUBJECT so I know where it came from.

Intrusion Discovery Cheat Sheet 2.0 (Windows XP Pro/2003 Server/Vista)


Unusual Processes and Services

Using the GUI, run Task Manager
Using the command prompt:
     c:\ tasklist
     c:\ wmic process list full
Also look for unusual Services.
Using the GUI
Using the Command Prompt:
     c:\ net start
     c:\ sc query
For a list of services associated with each process:
     c:\ tasklist /svc
Unusual Files and Registry Keys

Check the file space usage to look for sudden major decreases in free space, using the GUI (right-click on partition), or type:
     c:\ dir c:\
Look for unusually big files: Start->Search->For Files or Folders…Search Options->Size->at least 10000KB
Look for strange programs referred to in registry keys associated with system start up:
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Runonce
  • HKLM\Software\Microsoft\Windows\CurrentVersion\RunonceEx
Note you should also check the HKCU counterparts (replace HKLM with HKCU above).

Using the GUI:
     c:\ regedit

Using the command prompt:
     c:\ reg query <reg key>

Unusual Network Usage

Look at file shares, and make sure each has a defined business purpose:

     c:\ net view \\127.0.0.1
Look at who has an open session with the machine:
     c:\ net session
Look at which sessions this machine has opened with other systems:
     c:\ net use
Look at NetBIOS over TCP/IP activity:
     c:\ nbtstat -S
Look for unusual listening TCP and UDP ports:
     c:\ netstat -na
For continuously updated and scrolling output of this command every 5 seconds:
     c:\ netstat -na 5
The -o flag shows the owning process id:
     c:\ netstat -nao 5
The -b flag shows the executable name and the DLLs loaded for the network connection:
     c:\ netstat -naob 5
Note the -b flag uses excessive CPU resources.
Again, you need to understand normal port usage for the system and look for deviations.
Also check Windows Firewall configuration:
     c:\ netsh firewall show config

Look for unusual scheduled tasks, especially those that run as a user in the Administrators group, as SYSTEM, or with a blank user name.
Using the GUI, run Task Scheduler:
Start->Programs->Accessories->System Tools->Scheduled Tasks
Using the command prompt:
     c:\ schtasks
Check other autostart items as well for unexpected entries, remembering to check user autostart directories and registry keys.
Using the GUI, run msconfig and look at the Startup tab:
     Start->Run, msconfig.exe
Using the command prompt:
     c:\ wmic startup list full
Unusual Accounts

Look for new, unexpected accounts in the Administrators group:
     c:\ lusrmgr.msc
Click on Groups, Double Click on Administrators, then check members of the group.
This can also be done at the command prompt:
     c:\ net user
     c:\ net localgroup administrators
Unusual Log Entries

Check your logs for suspicious events, such as:
  • “Event log service was stopped.”
  • “Windows File Protection is not active on this system.”
  • “The protected System file [file name] was not restored to its original, valid version because the Windows File Protection ….”
  • “The MS Telnet Service has started successfully.”
To do this using the GUI, run the Windows event viewer:

     c:\ eventvwr.msc

Using the Command Prompt:

     c:\ eventquery.vbs | more

Or, to focus on a particular event log:

     c:\ eventquery.vbs /L security

Other Unusual Items

Look for unusually sluggish performance and a single unusual process hogging the CPU: Task Manager->Process and Performance tabs

Look for unusual system crashes, beyond the normal level for the given system.
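As an added example that is not part of the cheat sheet, the batch script below saves the command-line checks above into a dated folder under C:\Temp and, when an earlier snapshot folder is passed as the baseline, uses fc to show only what changed, which is the "look for deviations" step done mechanically; the script name snapshot.bat and the output location are assumptions.

```batch
@echo off
rem Added example, not part of the cheat sheet: saves the command-line checks
rem above into a dated snapshot folder and, if a baseline folder is given,
rem diffs each file against it with fc so only deviations need review.
rem Usage: snapshot.bat [baseline-dir]   (run from an administrator prompt)
setlocal
set "BASE=%~1"
rem wmic gives a locale-independent timestamp (yyyymmddHHMMSS).
set "STAMP="
for /f "skip=1 tokens=1" %%d in ('wmic os get localdatetime') do if not defined STAMP set "STAMP=%%d"
set "STAMP=%STAMP:~0,14%"
set "OUT=C:\Temp\snapshot_%STAMP%"
mkdir "%OUT%" 2>nul

rem Processes/services, listening ports, shares, sessions, tasks, autostarts, admins, firewall.
tasklist /svc                    > "%OUT%\tasklist_svc.txt" 2>&1
sc query                         > "%OUT%\services.txt" 2>&1
netstat -nao | findstr LISTENING > "%OUT%\listening.txt" 2>&1
net view \\127.0.0.1             > "%OUT%\shares.txt" 2>&1
net session                      > "%OUT%\sessions.txt" 2>&1
schtasks                         > "%OUT%\schtasks.txt" 2>&1
wmic startup list full           > "%OUT%\startup.txt" 2>&1
net localgroup administrators    > "%OUT%\administrators.txt" 2>&1
netsh firewall show config       > "%OUT%\firewall.txt" 2>&1
rem Run keys in the machine hive and their HKCU counterparts.
for %%h in (HKLM HKCU) do for %%k in (Run RunOnce RunOnceEx) do (
    reg query "%%h\Software\Microsoft\Windows\CurrentVersion\%%k" >> "%OUT%\runkeys.txt" 2>&1
)

if "%BASE%"=="" (
    echo Snapshot written to %OUT%. Keep it as the baseline for this system.
    goto :eof
)
rem Compare each file with its baseline copy; fc lists the differing lines.
for %%f in ("%OUT%\*.txt") do (
    if exist "%BASE%\%%~nxf" (
        fc "%BASE%\%%~nxf" "%%f" >nul && echo [same] %%~nxf || (
            echo [DIFF] %%~nxf
            fc "%BASE%\%%~nxf" "%%f"
        )
    ) else echo [new]  %%~nxf has no baseline copy
)
endlocal
```

PIDs in the tasklist and netstat output change between boots, so expect some noise in those two files; the findstr filter keeps only listening sockets so the port list itself stays comparable.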

Additional Supporting Tools

The following tools are not built into the Windows operating system but can be used to analyze security issues in more detail.  Each is available for free download at the listed web site.

Tools for mapping listening TCP/UDP ports to the program listening on those ports:

     Fport – command-line tool at www.foundstone.com
     TCPView – GUI tool at www.microsoft.com/technet/sysinternals
Additional Process Analysis Tools:
The Center for Internet Security has released various Windows security templates and security scoring tools for free at www.cisecurity.org.