CNS 320 COMPUTER FORENSICS & INCIDENT RESPONSE
Week 3 – Lab
Copyright © 2012, John McCash. This work may be copied, modified, displayed and distributed under conditions set forth in the Creative Commons Attribution-Noncommercial License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc/2.0/ or send a letter to Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305, USA.
For convenience, escalate to a root shell:
sudo bash
You should still have both images mounted in your Linux SIFT Kit. If not, refer to last week’s lab for how to mount them back up.
Regripper on the Linux SIFT Kit
For example:
/usr/local/bin/rip.pl -r "/home/sansforensics/Desktop/mount_points/windows_mount/Documents and Settings/Mr. Evil/NTUSER.DAT" -f ntuser
(Quotes are necessary around file or folder paths that include spaces)
reglookup-recover (One of the utilities for extracting deleted registry content)
rip.pl and reglookup-recover on dblake system hive
Note the complementary information in the two outputs.
See the deleted registry service key for mdd?
That’s a physical memory acquisition tool that was run on this host before the disk image was acquired.
It installs and subsequently removes a device driver, which is why its service key survives only as deleted content.
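As an added example (not from the lab or from the Regripper project), a Python wrapper that walks the mounted volume, finds every hive file, and runs both rip.pl and reglookup-recover on each one. The commands are passed as argv lists without a shell, so paths with spaces such as “Documents and Settings/Mr. Evil” need no quoting; the mount point and output directory are assumptions.

```python
import os
import subprocess

# rip.pl profile (-f) to use for each hive file name. Extend this table if
# the image has more hives to process.
PROFILE_BY_HIVE = {"ntuser.dat": "ntuser", "sam": "sam", "system": "system",
                   "software": "software", "security": "security"}


def hive_profile(filename):
    """Map a file name to its rip.pl profile, or None if it is not a hive we handle."""
    return PROFILE_BY_HIVE.get(filename.lower())


def find_hives(mount_root):
    """Walk the mounted Windows volume and yield (hive_path, profile) for every hive."""
    for dirpath, _, files in os.walk(mount_root):
        for name in files:
            profile = hive_profile(name)
            if profile:
                yield os.path.join(dirpath, name), profile


def build_commands(hive_path, profile, out_base):
    """Return [(argv, output_file)] for rip.pl and reglookup-recover on one hive.
    argv lists are executed without a shell, so spaces in paths need no quoting."""
    return [
        (["/usr/local/bin/rip.pl", "-r", hive_path, "-f", profile], out_base + ".rip.txt"),
        (["reglookup-recover", hive_path], out_base + ".recover.txt"),
    ]


def run_all(mount_root, outdir):
    """Run both tools on every hive under mount_root, one output file per tool and hive."""
    os.makedirs(outdir, exist_ok=True)
    for hive, profile in find_hives(mount_root):
        # e.g. "Documents and Settings/Mr. Evil/NTUSER.DAT" -> "Documents and Settings_Mr. Evil_NTUSER.DAT"
        out_base = os.path.join(outdir, os.path.relpath(hive, mount_root).replace(os.sep, "_"))
        for argv, outfile in build_commands(hive, profile, out_base):
            with open(outfile, "w") as fh:
                subprocess.run(argv, stdout=fh, stderr=subprocess.STDOUT)


if __name__ == "__main__":  # mount point from the slides; output directory is an assumption
    run_all("/home/sansforensics/Desktop/mount_points/windows_mount", "/tmp/regripper_out")
```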
Lab #3 Part 1: Registry Hive Extraction
You have the two parts of a Computer Forensics Reference Dataset image in the files ‘4Dell Latitude CPi(1).E01’ and ‘4Dell Latitude CPi(1).E02’ on your lab system. From your Windows SIFT Kit VM, open this disk image in FTK Imager, and extract some of the registry hives.
Examine these files using Regedit, AccessData Registry Viewer, and Regripper.
Run FTK Imager: Add Evidence Item
Image File
Browse to First Image Segment; Hit Finish
First Hive to Export: NTUSER.DAT under account: Mr. Evil
Right-click & select ‘Export Files’
Select destination E:\ ; Hit OK
Select Additional Registry Hives and export the same way
Lab #3 Part 2: Registry Hive Examination with Regedit
Generally more trouble than it’s worth except on a live system. Even then, lack of date visibility is problematic.
Regedit is also not read-only. To examine non-native hive files, you have to mount them, using ‘Load Hive’ under some other key such as HKEY_USERS.
Run Regedit
Load Hive
Select Hive File to Load
Type key name to mount hive as
External System hive now visible under local HKEY_USERS
When finished, select hive mount point, and click ‘Unload Hive’
Lab #3 Part 3: Registry Examination with AccessData Registry Viewer
Run it; Click ‘No’ to run in demo mode; Click Open & Select Hive File
Select Hive File to Examine
System in AccessData Registry Viewer
Lab #3 Part 4: Registry Examination with Yaru
Run Yaru; Select ‘Open Hive’; Browse to Hive File
Yaru deleted key/value recovery example
Current System Name
Current Timezone Information
Last System Shutdown Date/Time
Lab #3 Part 5: Registry Examination with Regripper
Run Regripper; Select Hive to Process; Provide output filename; Select Plugin File (type of registry hive to process); Rip It (Do this for each of the Hive files we exported)
Run Regripper on Exported SAM Hive
Excerpt from SAM Hive Regripper Output (1)
Username        : Mr. Evil [1003]
Full Name       :
User Comment    :
Account Type    : Default Admin User
Account Created : Thu Aug 19 23:03:54 2004 Z
Last Login Date : Fri Aug 27 15:08:23 2004 Z
Pwd Reset Date  : Thu Aug 19 23:03:54 2004 Z
Pwd Fail Date   : Never
Login Count     : 15
  --> Password does not expire
  --> Normal user account
Excerpt from SAM Hive Regripper Output (2)
Username        : Administrator [500]
Full Name       :
User Comment    : Built-in account for administering the computer/domain
Account Type    : Default Admin User
Account Created : Thu Aug 19 16:59:24 2004 Z
Last Login Date : Never
Pwd Reset Date  : Thu Aug 19 17:17:29 2004 Z
Pwd Fail Date   : Never
Login Count     : 0
  --> Password does not expire
  --> Normal user account
Excerpt from SAM Hive Regripper Output (3)
Group Name    : Administrators [2]
LastWrite     : Thu Aug 19 23:03:54 2004 Z
Group Comment : Administrators have complete and unrestricted access to the computer/domain
Users :
  S-1-5-21-2000478354-688789844-1708537768-1003
  S-1-5-21-2000478354-688789844-1708537768-500
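Added example, not part of the lab: a small Python parser for samparse output like the excerpts above. It resolves the Administrators group’s member SIDs back to accounts by RID (the last SID component) and reports which local admins have actually logged in, which is how the excerpts tie Mr. Evil, not the built-in Administrator, to real use of the machine. The sample text is constructed from the excerpts on the slides.

```python
import re

# Constructed sample reproducing the samparse excerpts shown on the slides.
SAMPLE = """\
Username        : Mr. Evil [1003]
Last Login Date : Fri Aug 27 15:08:23 2004 Z
Login Count     : 15
  --> Password does not expire

Username        : Administrator [500]
Last Login Date : Never
Login Count     : 0

Group Name    : Administrators [2]
Users :
  S-1-5-21-2000478354-688789844-1708537768-1003
  S-1-5-21-2000478354-688789844-1708537768-500
"""

HEADER_RE = re.compile(r"^(Username|Group Name)\s*:\s*(.+?) \[(\d+)\]$")
SID_RE = re.compile(r"^S-1-5-21-(?:\d+-){3}(\d+)$")  # last component is the RID


def parse_samparse(text):
    """Return ({rid: user fields}, {group name: [member SIDs]})."""
    users, groups, cur = {}, {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        m = HEADER_RE.match(line)
        if m:  # start of a new user or group block
            kind, name, num = m.groups()
            cur = (users.setdefault(int(num), {"name": name, "flags": []})
                   if kind == "Username" else groups.setdefault(name, []))
        elif cur is None or not line:
            pass  # preamble before the first block, or a blank separator line
        elif isinstance(cur, list):  # inside a group block: collect member SIDs
            if SID_RE.match(line):
                cur.append(line)
        elif line.startswith("-->"):  # account flag lines
            cur["flags"].append(line[3:].strip())
        elif ":" in line:  # "Field : value"; partition keeps the ':' inside timestamps
            key, _, val = line.partition(":")
            cur[key.strip()] = val.strip()
    return users, groups


def active_admins(users, groups, group="Administrators"):
    """Names of group members (resolved by RID) that have a non-zero Login Count."""
    names = []
    for sid in groups.get(group, []):
        user = users.get(int(SID_RE.match(sid).group(1)))
        if user and int(user.get("Login Count", "0")) > 0:
            names.append(user["name"])
    return names
```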
Lab #3 Part 6: Image Registry Autoruns Extraction
Load image using AccessData Imager
Mount image with read/write caching
Run autoruns against mounted image
With Image Loaded in FTK Imager, Select ‘Image Mounting’
Set Parameters
Run Autoruns; Select ‘Analyze Offline System’
Enter Parameters for Windows folder & Mr. Evil Profile
Questions?