
CNS 320 COMPUTER FORENSICS & INCIDENT RESPONSE

Week 3 Lab

Copyright 2012, John McCash. This work may be copied, modified, displayed and distributed under conditions set forth in the Creative Commons AttributionNoncommercial License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc/2.0/ or send a letter to Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305, USA.

For convenience, escalate to a root shell

sudo bash

You should still have both images mounted in your Linux SIFT Kit.

If not, refer to last week's lab for how to mount them back up.

Regripper on the Linux SIFT Kit

So for example:

/usr/local/bin/rip.pl -r "/home/sansforensics/Desktop/mount_points/windows_mount/Documents and Settings/Mr. Evil/NTUSER.DAT" -f ntuser

(Quotes are necessary around file or folder paths that include spaces.)

reglookup-recover (one of the utilities for extracting deleted registry content)

rip.pl and reglookup-recover on dblake system hive

Note the complementary information in the output.

See the deleted registry service key for mdd? That's a physical memory acquisition tool that was run on this host before the disk image was acquired. It installs, and subsequently removes, a device driver.

Lab #3 Part 1: Registry Hive Extraction


You have the two parts of a Computer Forensics Reference Dataset image in the files 4Dell Latitude CPi(1).E01 and 4Dell Latitude CPi(1).E01 on your lab system. From your Windows SIFT Kit VM, open this disk image in FTK Imager and extract some of the registry hives. Examine these files using Regedit, AccessData Registry Viewer, and Regripper.

Run FTK Imager. Add Evidence Item.

Image File

Browse to First Image Segment. Hit Finish.

First Hive to Export: NTUSER.DAT under account: Mr. Evil

Right-click & select Export Files

Select destination E:\, then hit OK.

Select Additional Registry Hives and export the same way

Lab #2 Part 2: Registry Hive Examination with Regedit

Generally more trouble than it's worth except on a live system. Even then, lack of date visibility is problematic. Regedit is also not read-only. To examine non-native hive files, you have to mount them using Load Hive under some other key, such as HKEY_USERS.

Run Regedit

Load Hive

Select Hive File to Load

Type key name to mount hive as

External System hive now visible under local HKEY_USERS

When finished, select hive mount point, and click Unload Hive

Lab #2 Part 3: Registry Examination with AccessData Registry Viewer

Run it. Click No to run in demo mode. Click Open & select the hive file.

Select Hive File to Examine

System in AccessData Registry Viewer

Lab #2 Part 4: Registry Examination with Yaru

Run Yaru. Select Open Hive. Browse to the hive file.

Yaru deleted key/value recovery example

Current System Name

Current Timezone Information

Last System Shutdown Date/Time

Lab #2 Part 5: Registry Examination with Regripper

Run Regripper. Select Hive to Process. Provide output filename. Select Plugin File (type of registry hive to process). Rip It. (Do this for each of the hive files we exported.)

Run Regripper on Exported SAM Hive

Excerpt from SAM Hive Regripper Output (1)

Username : Mr. Evil [1003]
Full Name :
User Comment :
Account Type : Default Admin User
Account Created : Thu Aug 19 23:03:54 2004 Z
Last Login Date : Fri Aug 27 15:08:23 2004 Z
Pwd Reset Date : Thu Aug 19 23:03:54 2004 Z
Pwd Fail Date : Never
Login Count : 15
--> Password does not expire
--> Normal user account

Excerpt from SAM Hive Regripper Output (2)

Username : Administrator [500]
Full Name :
User Comment : Built-in account for administering the computer/domain
Account Type : Default Admin User
Account Created : Thu Aug 19 16:59:24 2004 Z
Last Login Date : Never
Pwd Reset Date : Thu Aug 19 17:17:29 2004 Z
Pwd Fail Date : Never
Login Count : 0
--> Password does not expire
--> Normal user account

Excerpt from SAM Hive Regripper Output (3)

Group Name : Administrators [2]
LastWrite : Thu Aug 19 23:03:54 2004 Z
Group Comment : Administrators have complete and unrestricted access to the computer/domain
Users :
S-1-5-21-2000478354-6887898441708537768-1003
S-1-5-21-2000478354-6887898441708537768-500
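As an added example (not part of the lab deck or of RegRipper), a small Python parser for the samparse output excerpted above: it turns the flattened text back into per-RID account records with their flags, and resolves Administrators group membership through the final sub-authority of each member SID, so the entries ending in 1003 and 500 map back to Mr. Evil and Administrator. The sample below is constructed in samparse's one-field-per-line layout with the values from the excerpts; the SID prefixes are placeholders.

```python
import re

# Constructed sample in the layout RegRipper's samparse plugin prints (abridged);
# account values come from the excerpts above, the SID prefixes are placeholders.
SAMPARSE_OUTPUT = """\
Username        : Mr. Evil [1003]
Account Type    : Default Admin User
Last Login Date : Fri Aug 27 15:08:23 2004 Z
Login Count     : 15
  --> Password does not expire

Username        : Administrator [500]
User Comment    : Built-in account for administering the computer/domain
Last Login Date : Never
Login Count     : 0
  --> Password does not expire

Group Name    : Administrators [2]
Users :
  S-1-5-21-1111111111-2222222222-3333333333-1003
  S-1-5-21-1111111111-2222222222-3333333333-500
"""

USER_RE = re.compile(r"^Username\s*:\s*(.+?) \[(\d+)\]$")
GROUP_RE = re.compile(r"^Group Name\s*:\s*(.+?) \[(\d+)\]$")
SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-(\d+)$")   # last sub-authority is the RID

def parse_samparse(text):
    """Return (users keyed by RID, group name -> list of member RIDs)."""
    users, groups, cur = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := USER_RE.match(line):               # start of a user record
            cur = users.setdefault(int(m[2]), {"name": m[1], "flags": []})
        elif m := GROUP_RE.match(line):            # start of a group record
            cur = groups.setdefault(m[1], [])
        elif m := SID_RE.match(line):              # group member, keyed by RID
            cur.append(int(m[1]))
        elif line.startswith("-->") and isinstance(cur, dict):
            cur["flags"].append(line[3:].strip())  # account control flags
        elif ":" in line and isinstance(cur, dict):
            key, _, val = line.partition(":")      # first colon only: times contain ':'
            cur[key.strip()] = val.strip()
    return users, groups

def active_admins(users, groups):
    """Names of local Administrators whose SAM record shows at least one logon."""
    return [users[rid]["name"] for rid in groups.get("Administrators", [])
            if rid in users and users[rid].get("Last Login Date", "Never") != "Never"]
```

Run against the real samparse output of the exported SAM hive, `active_admins` answers the question the three excerpts pose together: which administrator-group members were actually used on this host.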

Lab #2 Part 6: Image Registry Autoruns Extraction

Load image using AccessData Imager. Mount image with read/write caching. Run Autoruns against the mounted image.

With Image Loaded in FTK Imager, Select Image Mounting

Set Parameters

Run Autoruns. Select Analyze Offline System.

Enter Parameters for Windows folder & Mr. Evil Profile


Questions?

