Week 3 Lab
Copyright 2012, John McCash. This work may be copied, modified, displayed and distributed under conditions set forth in the Creative Commons Attribution-Noncommercial License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc/2.0/ or send a letter to Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305, USA.
sudo bash
You should still have both images mounted in your Linux SIFT Kit. If not, refer to last week's lab for how to mount them back up.
So for example:
/usr/local/bin/rip.pl -r "/home/sansforensics/Desktop/mount_points/windows_mount/Documents and Settings/Mr. Evil/NTUSER.DAT" -f ntuser
(Quotes are necessary around file or folder paths that include spaces.)
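A scripted way to do the per-hive rip.pl runs this lab asks for, added here as an example; it is not part of the original lab or of RegRipper. It assumes rip.pl is at /usr/local/bin/rip.pl, that the image is mounted at the SIFT path used above, and that the hives sit in the Windows XP locations (Documents and Settings\<user>\NTUSER.DAT and WINDOWS\system32\config\{SAM,SYSTEM,SOFTWARE,SECURITY}); change the constants for a different kit. Because the arguments go to subprocess as a list, paths with spaces need none of the shell quoting noted above.

```python
#!/usr/bin/env python3
"""Run RegRipper (rip.pl) over every hive found under a mounted Windows image.

Example added for this lab; not part of the original slides or of RegRipper.
Assumptions (adjust for your kit): rip.pl is at RIP, the image is mounted
read-only at MOUNT, and hives are in the Windows XP locations.
"""
import shlex
import subprocess
import sys
from pathlib import Path

RIP = "/usr/local/bin/rip.pl"                                        # assumed location
MOUNT = "/home/sansforensics/Desktop/mount_points/windows_mount"    # path from the lab

# hive file name (lower-cased) -> RegRipper plugin profile, i.e. the -f argument
PROFILES = {
    "ntuser.dat": "ntuser",
    "sam": "sam",
    "system": "system",
    "software": "software",
    "security": "security",
}


def profile_for(hive_path):
    """RegRipper profile for a hive path, or None if it is not a hive we rip."""
    return PROFILES.get(Path(hive_path).name.lower())


def rip_argv(hive_path, rip=RIP):
    """Argument vector for one rip.pl run. As a list handed to subprocess,
    'Documents and Settings/Mr. Evil' needs no quoting, unlike on the shell."""
    profile = profile_for(hive_path)
    if profile is None:
        raise ValueError(f"no RegRipper profile for: {hive_path}")
    return [rip, "-r", str(hive_path), "-f", profile]


def find_hives(mount_root):
    """Yield hive files in the standard XP locations under the mounted image."""
    root = Path(mount_root)
    profiles_dir = root / "Documents and Settings"
    if profiles_dir.is_dir():
        for user_dir in sorted(profiles_dir.iterdir()):
            hive = user_dir / "NTUSER.DAT"
            if hive.is_file():
                yield hive
    config = root / "WINDOWS" / "system32" / "config"
    for name in ("SAM", "SYSTEM", "SOFTWARE", "SECURITY"):
        hive = config / name
        if hive.is_file():
            yield hive


def output_name(hive_path, out_dir):
    """One report per hive, prefixed with its parent directory so that the
    per-user NTUSER.DAT reports stay distinguishable: 'Mr. Evil_NTUSER.DAT.txt'."""
    p = Path(hive_path)
    return Path(out_dir) / f"{p.parent.name}_{p.name}.txt"


def rip_all(mount_root, out_dir, run=True):
    """Rip every hive found. Returns the argv lists used; run=False is a dry
    run that only reports what would be executed."""
    Path(out_dir).mkdir(parents=True, exist_ok=True)
    commands = []
    for hive in find_hives(mount_root):
        argv = rip_argv(hive)
        commands.append(argv)
        if run:
            with open(output_name(hive, out_dir), "w") as report:
                subprocess.run(argv, stdout=report, stderr=subprocess.STDOUT, check=False)
    return commands


if __name__ == "__main__":
    dry = "--dry-run" in sys.argv
    args = [a for a in sys.argv[1:] if a != "--dry-run"]
    mount = args[0] if args else MOUNT
    for argv in rip_all(mount, "regripper_out", run=not dry):
        print(shlex.join(argv))   # printed with the quotes a shell would need
```

Run it with --dry-run first to see the five-or-so commands it would issue, then without to write one report per hive into regripper_out/.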
See the deleted registry service key for mdd? That's a physical memory acquisition tool that was run on this host before the disk image was acquired. It installs and subsequently removes a device driver, which is why its service key survives only as a deleted key.
Image File
Regedit is generally more trouble than it's worth except on a live system. Even then, the lack of date visibility (it shows no key LastWrite times) is problematic, and Regedit is not read-only, so only ever load a copy of an exported hive. To examine non-native hive files you have to mount them, using Load Hive under some other key such as HKEY_USERS.
Run Regedit
Load Hive
When finished, select hive mount point, and click Unload Hive
Run it. Click No to run in demo mode. Click Open and select the hive file.
Run RegRipper:
Select Hive to Process
Provide output filename
Select Plugin File (type of registry hive to process)
Rip It
(Do this for each of the hive files we exported.)
Username        : Mr. Evil [1003]
Full Name       :
User Comment    :
Account Type    : Default Admin User
Account Created : Thu Aug 19 23:03:54 2004 Z
Last Login Date : Fri Aug 27 15:08:23 2004 Z
Pwd Reset Date  : Thu Aug 19 23:03:54 2004 Z
Pwd Fail Date   : Never
Login Count     : 15
  --> Password does not expire
  --> Normal user account

Username        : Administrator [500]
Full Name       :
User Comment    : Built-in account for administering the computer/domain
Account Type    : Default Admin User
Account Created : Thu Aug 19 16:59:24 2004 Z
Last Login Date : Never
Pwd Reset Date  : Thu Aug 19 17:17:29 2004 Z
Pwd Fail Date   : Never
Login Count     : 0
  --> Password does not expire
  --> Normal user account

Group Name    : Administrators [2]
LastWrite     : Thu Aug 19 23:03:54 2004 Z
Group Comment : Administrators have complete and unrestricted access to the computer/domain
Users :
  S-1-5-21-2000478354-688789844-1708537768-1003
  S-1-5-21-2000478354-688789844-1708537768-500
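The group listing above gives only SIDs, so the practitioner's next step is to join each member SID to a SAM user record by its RID, the last SID component (500 is the built-in Administrator; 1003 was created on this machine). The following Python script does that join over samparse records in the layout shown above. It is an added example, not from the original lab and not RegRipper's own code; SAMPLE is constructed from the two user records and one group record on this page, and the regular expressions assume RegRipper's "Key : value" and "-->" flag layout.

```python
#!/usr/bin/env python3
"""Cross-reference RegRipper samparse output: who is really in Administrators?

Example added for this lab; not part of the original slides or of RegRipper.
Parses the user and group records samparse prints and resolves each group
member SID to a local account by RID. SAMPLE is constructed from the page.
"""
import re
from datetime import datetime, timezone

SAMPLE = """\
Username        : Mr. Evil [1003]
Full Name       :
User Comment    :
Account Type    : Default Admin User
Account Created : Thu Aug 19 23:03:54 2004 Z
Last Login Date : Fri Aug 27 15:08:23 2004 Z
Pwd Reset Date  : Thu Aug 19 23:03:54 2004 Z
Pwd Fail Date   : Never
Login Count     : 15
  --> Password does not expire
  --> Normal user account

Username        : Administrator [500]
Full Name       :
User Comment    : Built-in account for administering the computer/domain
Account Type    : Default Admin User
Account Created : Thu Aug 19 16:59:24 2004 Z
Last Login Date : Never
Pwd Reset Date  : Thu Aug 19 17:17:29 2004 Z
Pwd Fail Date   : Never
Login Count     : 0
  --> Password does not expire
  --> Normal user account

Group Name    : Administrators [2]
LastWrite     : Thu Aug 19 23:03:54 2004 Z
Group Comment : Administrators have complete and unrestricted access to the computer/domain
Users :
  S-1-5-21-2000478354-688789844-1708537768-1003
  S-1-5-21-2000478354-688789844-1708537768-500
"""

USER_RE = re.compile(r"^Username\s*:\s*(?P<name>.*?)\s*\[(?P<rid>\d+)\]\s*$")
GROUP_RE = re.compile(r"^Group Name\s*:\s*(?P<name>.*?)\s*\[(?P<count>\d+)\]\s*$")
KV_RE = re.compile(r"^(?P<key>[A-Za-z][A-Za-z ]*?)\s*:\s*(?P<val>.*)$")
FLAG_RE = re.compile(r"^\s*-->\s*(?P<flag>.+?)\s*$")


def parse_ts(value):
    """samparse prints UTC as 'Thu Aug 19 23:03:54 2004 Z', or 'Never'."""
    value = value.strip()
    if not value or value == "Never":
        return None
    return datetime.strptime(value.rstrip(" Z"), "%a %b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)


def parse_samparse(text):
    """Return ({rid: user record}, {group name: group record})."""
    users, groups = {}, {}
    cur, in_members = None, False          # record being filled; inside 'Users :' list
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip():                # a blank line ends the record
            cur, in_members = None, False
            continue
        m = USER_RE.match(line)
        if m:
            cur = {"name": m["name"], "rid": int(m["rid"]), "fields": {}, "flags": []}
            users[cur["rid"]] = cur
            continue
        m = GROUP_RE.match(line)
        if m:
            cur = {"name": m["name"], "fields": {}, "members": []}
            groups[cur["name"]] = cur
            continue
        if cur is None:
            continue
        m = FLAG_RE.match(line)
        if m:
            cur.setdefault("flags", []).append(m["flag"])
            continue
        if in_members and line.strip().startswith("S-1-"):   # one member SID per line
            cur["members"].append(line.strip())
            continue
        m = KV_RE.match(line)
        if m:
            key, val = m["key"].strip(), m["val"].strip()
            if key == "Users" and "members" in cur:
                in_members = True
            else:
                cur["fields"][key] = val
    return users, groups


def rid_of(sid):
    """The RID is the last sub-authority of the SID."""
    return int(sid.rsplit("-", 1)[1])


def admin_report(users, groups, group="Administrators"):
    """One row per member SID, joined to the SAM user record by RID. RIDs below
    1000 are built-in (500 = Administrator); anything else was created here."""
    rows = []
    for sid in groups[group]["members"]:
        rid = rid_of(sid)
        user = users.get(rid)
        fields = user["fields"] if user else {}
        rows.append({
            "sid": sid, "rid": rid,
            "user": user["name"] if user else None,   # None: SID not in this SAM
            "builtin": rid < 1000,
            "created": parse_ts(fields.get("Account Created", "")),
            "last_login": parse_ts(fields.get("Last Login Date", "")),
            "login_count": int(fields.get("Login Count", "0") or 0),
        })
    return rows


if __name__ == "__main__":
    users, groups = parse_samparse(SAMPLE)
    print("Administrators LastWrite:", groups["Administrators"]["fields"].get("LastWrite"))
    for r in admin_report(users, groups):
        print(f"{r['rid']:>5} {r['user'] or '?':<14} builtin={r['builtin']!s:<5} "
              f"logins={r['login_count']:<3} last_login={r['last_login']} created={r['created']}")
```

Run it as-is to see the report, or read your own SAM output file into parse_samparse. For this image the join makes the point the raw SIDs hide: the only Administrators member that has ever logged in is the locally created RID 1003 account, and its Account Created time equals the group's LastWrite, consistent with it being added to Administrators at the moment it was created.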
Load the image using AccessData Imager. Mount the image with read/write caching. Run Autoruns against the mounted image.
Set Parameters
Questions?