Forensic Investigation: Windows Registry Analysis

In this article, we will learn how to use RegRipper to analyse the Windows registry in a forensic investigation.

Table of Content

Introduction to RegRipper

Saving the Registry Hives

SAM Hive

  • Analyzing Log: SAM
  • Analyzing Report: SAM

System Hive

  • Analyzing Log: System
  • Analyzing Report: System

Software Hive

  • Analyzing Log: Software
  • Analyzing Report: Software

Security Hive

  • Analyzing Log: Security
  • Analyzing Report: Security

Conclusion

Let’s begin the Forensic Investigation!!

Introduction to RegRipper

RegRipper is an open-source tool, written in Perl, for extracting and parsing information (keys, values, data) from the Registry and presenting it for analysis.

Its GUI version lets the analyst select a hive to parse and an output file for the results. It also includes a command-line (CLI) tool called rip.

Rip can be pointed at a hive and run either a profile (a list of plugins) or an individual plugin against that hive, with the results sent to STDOUT.

Plugins are extremely valuable because they can be written to parse data in whatever way is useful to an individual analyst, and a new artifact can be covered by adding a plugin rather than changing the tool.

To learn more about RegRipper click here.

We can download RegRipper for windows from here.

Saving the Registry Hives

A hive is a logical group of keys, subkeys, and values in the registry, backed by a set of supporting files that are loaded into memory when the OS starts or a user logs on.

The first time a new user logs on to a computer, a new hive file is created for that user's profile, separate from the machine hives.

A user's hive contains registry information specific to that user: application settings, desktop, environment, network connections, and printers. User profile hives are loaded under the HKEY_USERS key.

We can learn more about Registry Hives from here.

Use these commands to save a copy of the Registry hives [SAM, System, Software, and Security]. The live hive files under %SystemRoot%\System32\config are locked by the OS while it is running, so they have to be exported rather than copied as ordinary files.

After saving all the hive files, we can launch the RegRipper software.

In the Hive File field, select the location where we saved the hive file. In the Report File field, select the location where we want both the report and the log file saved. Then click the Rip! button to produce the report and log.
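The collection-and-rip workflow above can be scripted so that every hive is ripped the same way and each report is tied to the exact hive bytes it came from. The following Python script is an added example, not part of the original article or of RegRipper itself. It assumes the four hive copies sit in a case folder under their hive names, that rip is invoked as perl rip.pl (or rip.exe on Windows), and that RegRipper profiles named sam, system, software and security exist; adjust those names for the RegRipper version in use. The rip options -r (hive) and -f (profile) are RegRipper's own.

```python
"""Batch RegRipper run with an integrity manifest (added example, not from the article)."""
import hashlib
import json
import os
import subprocess
from datetime import datetime, timezone

# Hive copies expected in the case folder and the RegRipper profile assumed
# to apply to each (assumption: profiles with these names exist in your RegRipper).
HIVE_PROFILES = {
    "SAM": "sam",
    "SYSTEM": "system",
    "SOFTWARE": "software",
    "SECURITY": "security",
}


def sha256_file(path, chunk=1 << 20):
    """SHA-256 of a file, read in chunks so a large hive does not fill memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_rip_command(rip, hive_path, profile):
    """Command line for rip: -r selects the hive, -f the profile to run."""
    return list(rip) + ["-r", hive_path, "-f", profile]


def rip_hives(case_dir, rip=("perl", "rip.pl"), hives=HIVE_PROFILES, run=subprocess.run):
    """Run rip over every hive copy found in case_dir.

    Writes <HIVE>.txt (report, from stdout) and <HIVE>.log (stderr) next to the
    hive and returns a manifest holding the command used and the SHA-256 of
    both the input hive and the resulting report. `run` is injectable so the
    workflow can be exercised without RegRipper installed.
    """
    manifest = {"started": datetime.now(timezone.utc).isoformat(timespec="seconds"),
                "hives": []}
    for name, profile in hives.items():
        hive_path = os.path.join(case_dir, name)
        if not os.path.isfile(hive_path):
            continue                      # hive not collected; note the gap, do not fail
        report = os.path.join(case_dir, name + ".txt")
        log = os.path.join(case_dir, name + ".log")
        cmd = build_rip_command(rip, hive_path, profile)
        proc = run(cmd, capture_output=True, text=True)
        with open(report, "w", encoding="utf-8") as fh:
            fh.write(proc.stdout)
        with open(log, "w", encoding="utf-8") as fh:
            fh.write(proc.stderr)
        manifest["hives"].append({
            "hive": name,
            "profile": profile,
            "command": " ".join(cmd),
            "returncode": proc.returncode,
            "hive_sha256": sha256_file(hive_path),
            "report_sha256": sha256_file(report),
        })
    with open(os.path.join(case_dir, "manifest.json"), "w", encoding="utf-8") as fh:
        json.dump(manifest, fh, indent=2)
    return manifest


if __name__ == "__main__":
    import sys
    # usage: python rip_hives.py C:\case\case01
    print(json.dumps(rip_hives(sys.argv[1]), indent=2))
```

The manifest goes into the case notes: if a report is ever questioned, the hive hash proves which bytes it was produced from, and the recorded command shows exactly which profile ran.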

Now let us look at what each hive tells us.

SAM Hive

SAM stands for Security Account Manager, the database in Windows that stores local user account information. User passwords are stored in hashed form, as an LM hash or an NT hash (commonly called the NTLM hash). The file is found at %SystemRoot%\System32\config\SAM and is mounted at HKLM\SAM.

To improve the security of the SAM database against offline cracking, Microsoft introduced SYSKEY in Windows NT 4.0. When SYSKEY is enabled, the on-disk copy of the SAM is partially encrypted: the password hashes of all local accounts are encrypted with a key derived from the boot key, which is stored in the SYSTEM hive. That is why the SAM and SYSTEM hives are always collected together; without SYSTEM, the hashes in SAM cannot be decrypted.

Now, open RegRipper and select the location of the Hive file and Report file. Then click on the Rip! Button to start the Investigation process.

After some time, it displays a message that the run completed, with zero plugins completed with errors.

It creates two files: one with the log of the run and one with the report.

Analyzing Log: SAM

Now check the log file with this command.

It only records the environment of this run: which hive file was processed and which plugins ran against it.

Analyzing Report: SAM

Second, the report. We can open the file with the following commands.

As we can see in the screenshot below, it reports the SAM version and user information.

The main user account is listed with its major details.

Next, we have group membership information, starting with the Guests group and its details.

Some more group membership information follows for the groups Users, System Managed Accounts Group, and Administrators. Their details reveal the LastWrite time, the group comment, and the group's members.

Lastly, RDP-related data and some analysis tips, which are handy during the investigation.

System Hive

The System hive holds the machine's core configuration: control sets, services, devices, and network settings. Now repeat the same steps in RegRipper: select the location of the hive file and report file, then click the Rip! button to start the investigation process.

After some time, it displays a message that the run completed with zero plugins completed with errors. As mentioned earlier, it creates two files: the log and the report.

Analyzing Log: System

The first file is the log of the run, which records how the hive was processed. After going through it, we move on to the report.

Analyzing Report: System

We open its report with these commands.

The screenshot below lists the installed software with its default directory and path.

After that, we find details of the control sets and their backups on the victim's system, along with temp file details.

Next, the result shows the BAM (Background Activity Moderator) data from HKLM. BAM records, per user SID, the full path of each program executed and the time it was last run, so it is a direct source of execution evidence.

Then it shows some device details, the computer name as recorded in different places, and crash control information.

Next, the network media streaming devices connected to the system; in our case, a Sony Corporation device. We also get some interesting details with its hardware ID, as well as details of USB devices whether or not they are currently connected.

After this, it covers hardware details and the NtfsDisableLastAccessUpdate setting, from keys such as ControlSet001\Control\Session Manager\Environment. If NtfsDisableLastAccessUpdate is set to 1, NTFS does not update last-access timestamps, so file access times from this system cannot be relied on.

After this, IP address and domain name details with hints, analysis tips, and mounted devices.

Finally, in the System hive we get details of the mounted devices, whether or not they are currently mounted.

Software Hive

The Software hive holds the configuration of the software installed on the system, and of Windows itself.

Now, follow the previous steps for RegRipper and select the location of the Hive file and Report file. Then click on the Rip! Button to start the Investigation process.

After some time, it displays a message that the run completed with zero plugins completed with errors.

Analyzing Log: Software

As usual, we open the log file first to see which plugins were run against this hive to produce the report. Run this command to view it.

Analyzing Report: Software

Now we need to view the report file for the Software hive. Run this command to open it.

In this report, the first page shows the AppInit_DLLs value. AppInit_DLLs is a mechanism that loads an arbitrary list of DLLs into every user-mode process that loads user32.dll, which makes it a classic persistence and injection technique (MITRE ATT&CK T1546.010); any non-empty value deserves scrutiny. On Windows 8 and later with Secure Boot enabled, the AppInit_DLLs infrastructure is disabled.

The next page shows the application details and the App Paths subkeys.

After this, it shows the drivers for the input and output devices installed on the victim's system: it shows Bluetooth driver details, and that the system does not have a webcam.

The last page of the report concerns the CLSID key. A CLSID is a globally unique identifier for a COM class object. If your server or container allows linking to its embedded objects, you need to register a CLSID for each supported class of objects.

The CLSID key contains the information used by the default COM handler to return information about a class when it is running. The CLSID is a 128-bit number, written in hex within a pair of curly braces. In an investigation, CLSID entries are worth checking because an attacker who registers a CLSID in the user's hive can have it take precedence over the machine-wide entry (COM hijacking, MITRE ATT&CK T1546.015).

Security Hive

The Security hive holds the local security policy, including the audit policy, the LSA secrets and cached domain logon data, and helps us understand the security measures in place on the victim's system.

Now, follow the previous steps for RegRipper and select the location of the Hive file and Report file. Then click on the Rip! Button to start the Investigation process.

After some time, it displays a message that the run completed with zero plugins completed with errors.

Analyzing Log: Security

Now we check its log file to understand how the investigation report was produced. Run these commands to view the log file in the command prompt.

Analyzing Report: Security

To view the Security hive report, run this command.

This report page is about the audit policy stored in the Security hive. The audit policy defines which categories of security events (logon, account management, object access, policy change, and so on) are written to the Security event log, and whether successes, failures, or both are recorded.

This is worth checking early: if auditing of a category was switched off, the Security event log will hold no evidence for it, and an attacker disabling auditing is itself a finding.

In the report, N means no auditing, S means success, and F means failure; both letters together mean that successes and failures are audited.

Conclusion

The Windows Registry is a hierarchical database that stores low-level settings for the Microsoft Windows operating system and for programs that choose to use it. The kernel, device drivers, services, the SAM, and the user interface all use the registry. In other words, on every version of Microsoft Windows, the registry contains information, settings, options, and other values for the programs and hardware installed.

These details can be extracted with RegRipper to get better results in a forensic investigation.

Author: Shubham Sharma is a Pentester and Cybersecurity Researcher, Contact Linkedin and twitter.

Forensic Investigation: Ghiro for Image Analysis

In this article, we will learn how to use the Ghiro image analysis tool in a forensic investigation. Ghiro is a fully automated, open-source digital image forensics tool.

Table of Content

  • What is Ghiro?
  • Features of Ghiro
  • Setup the Ghiro
  • Working on case with Ghiro

What is Ghiro?

It is developed by Alessandro Tanasi (jekil) and Marco Buoncristiano (burlone). It is a fully automated tool designed to run forensic analysis over a massive number of images through a user-friendly web application.

To learn more about the Ghiro image analysis tool, click here.

Features of Ghiro

All Ghiro features are controlled via the web interface. We can upload an image or a batch of images to get a quick and deep overview of the analysis. We can group images into cases and search any kind of analysis data.

The main features of Ghiro:

  • Metadata Extraction: image metadata is extracted and categorized by the standard it comes from, e.g. EXIF, IPTC, XMP.
  • GPS Localization: image metadata sometimes embeds a geotag, a bit of GPS data giving the longitude and latitude of where the photo was taken; it is read and the position is shown on a map.
  • MIME Information: the MIME type of the image is detected so we know what kind of image we are dealing with, in both compact and extended form.
  • ELA: Error Level Analysis identifies areas within an image that are at different compression levels. The entire picture should be at roughly the same level; if a difference is detected, it likely indicates a digital modification.
  • Thumbnail Extraction: the thumbnails and the data related to them are extracted from the image metadata and stored for review.
  • Thumbnail Consistency: sometimes when a photo is edited, the original image is changed but the embedded thumbnail is not; differences between the thumbnail and the image are detected.
  • Signature Engine: over 120 signatures flag the most critical data, highlighting focal points and common exposures.
  • Hash Matching: suppose we are searching for an image of which we only have the hash; we can provide a list of hashes and all matching images are reported.

Setup the Ghiro

Now we need to set up Ghiro. We recommend the OVA version because it is the fastest way to start using it: a few minutes after downloading, you will have a fully functional Ghiro ready to analyse images.

To download the Ghiro image analysis tool, click here.

After importing the OVA into VirtualBox or VMware and booting it, a screen like this appears.

It shows us the detail we need:

IP address: 192.168.0.7

We use this address to reach the web interface.

Default credentials to log in Ghiro are

Now we open that IP address in the browser to continue the setup.

Straight away we get the login screen; fill in the credentials and click the login button.

Now we can see that Ghiro is set up successfully: the dashboard on the home screen says welcome to Ghiro.

We can also see that it has one user, ghiro, which we used to log in. At this point it shows zero cases and zero analyses, because we have only just set the software up.

Working with Ghiro

To start working with Ghiro for image analysis we click on Cases. It is completely blank; notice the [+] button to add a case.

Now we fill in the details of the forensic case: case name, case description, and the investigating user.

After saving the case details, Ghiro confirms them and asks us to add images for analysis. To add images, click the [+] button.

This leads us to a window where we can add images by clicking the Add file option. Browse to the files you want to analyse, then click the Start upload button.

After uploading, it shows the files and the status of each upload. During this process Ghiro asks us to refresh the screen by clicking the highlighted refresh button; click it to finish the upload.

Once the upload has finished we have two options for analysing an image. The first is to click directly on the image name to view its details.

The second is to click on the Images tab and then click on the image whose details we want to see. Both are the same; it makes no difference to the forensic investigation process.

Click on the image we want to analyse; the dashboard shows the basic details of the image and a summary of all the analysis results: static analysis, EXIF, IPTC, XMP, signature check, etc.

Next we click on the second option offered by the dashboard menu, Signature results, which lists all the matched signatures by severity. In our case, 4 are low, 3 are medium, and none are high.

In the second tab we see Static; its first option is Static info, where we see all the basic information about the image.

We switch to the second option, File type, which says it is a JPEG image in the EXIF standard.

The third option shows the hash values of this file under different algorithms. Looking closely, the MD5 hash is what Ghiro uses as the file name when we open the image for analysis.

The fourth option is Strings. It shows all the printable strings in the image file, which expose some of the metadata of the file.

The final option under Static is the Hex dump. It shows the hexadecimal content of the image file, from which we can pick up small details such as the header and embedded markers.

Now switch to the third tab, EXIF, which has a single option for the EXIF metadata. Here we get some of the major details for our forensic investigation.

Scroll down to see all segments of the image metadata that can be handy in a forensic investigation: GPS, thumbnails, and IOP (interoperability).

Switching one more tab, we find the Thumb tab. It shows all details of the embedded thumbnail: MIME type, extension, and dimensions.

The fifth tab of Ghiro image analysis is ELA. Error Level Analysis (ELA) identifies areas within an image that are at different compression levels. With JPEG images the entire picture should be at roughly the same level; if a section of the image is at a significantly different error level, it likely indicates a digital modification.

If we look closely and turn the brightness up, we can see the error level image of our picture as well.

The final tab shows the signature results for the image, which we discussed above.

Overall, Ghiro is a complete image analysis tool that can be quite beneficial in any forensic investigation.

Author: Shubham Sharma is a Pentester and Cybersecurity Researcher, Contact Linkedin and twitter.

Forensic Investigation: Examining Corrupted File Extension

In this article, we will learn how to examine files whose extensions are missing or wrong by identifying each file from its header, as part of a forensic investigation.

Let's understand this with the following scenario.

In this scenario, a forensic investigator on an engagement finds a suspicious folder in which no file has any extension. What should he do to proceed with the investigation?

Objective: Learn to use various techniques in Forensic Investigation to analyse and examine the various file headers

  • Examining Corrupted File Extension using Windows Platform.
  • Examining Corrupted File Extension using Linux Platform.

Table of Content

Cheatsheet for Hex File Header

Examining Corrupted File Extension using Windows Platform

  • File #1: app
  • File #2: apple
  • File #3: data
  • File #4: Final
  • File #5: lecture
  • File #6: Manual
  • File #7: Notes
  • Recovered all files successfully

Examining Corrupted File Extension using Linux Platform

  • Analyze in Linux with file command
  • Analyze in Linux

Cheatsheet for Hex File Header

A file's type can be identified from its header: the first few bytes (the magic number) of its content, viewed in hex.

We have created our own cheat sheet for examining these values. It lists the common file types with their first 4 to 8 bytes in hex, along with the ASCII translation of those bytes.

Examining Corrupted File Extension using Windows Platform

As per the given scenario, the first thing that comes to mind is to list these files in the command prompt [cmd]. Nevertheless, nothing useful is visible to the investigator.

Now let us examine each file in this folder and try to restore it to its original format.

File #1: app

The first file we have is app. The first thing that comes to mind is to open it in Notepad, which we do only to show that the content is unreadable as text.

Now we examine the hexadecimal values of these files with a hex editor. Any hex editor that can show the raw bytes of a file will do. After opening the file, we examine its starting bytes to learn the file type.

So, I have used Hex Workshop, which you can download from here.

After comparing its starting bytes with our cheat sheet, we know that it is a .exe file: the header is 4D 5A, ASCII MZ. MZ are the initials of Mark Zbikowski, who designed the DOS executable file format. We have successfully identified the first file as a .exe file.

Now, we have two methods to rename that file extension.

Method 1: With the help of the command line.

Follow this command to rename the file extension.

This command selects only the app file, so only its extension changes; the others are yet to be examined.

Method 2: We can simply rename the file directly and give it the extension we identified above.

File #2: apple

Now it is time to examine the second file; all we know about it is its name, apple. We open it straight away in the hex editor and start analysing its bytes.

Matching its first 4 bytes against the cheat sheet, we quickly find it is a .jpg file: FF D8 FF E0, ASCII translation ÿØÿà.

Now rename the file with the help of this command.

This command changes only the apple file into a .jpg file, because the others are yet to be examined.

File #3: data

Time to examine the third file, named data. We open it in the hex editor to examine its hexadecimal values.

Matching its first 4 bytes with the cheat sheet we provided above, we find it is a .zip file: 50 4B 03 04, ASCII translation PK.

Change the file name and give it an extension with the help of the rename command.

As before, it only changes data, into a .zip file.

File #4: Final

Here comes the fourth file, named Final. Open it in the hex editor to analyse its bytes.

Matching its first bytes with the cheat sheet, we find that it matches a .docx file. The header is PK, the same as a zip file, because Office Open XML documents are zip containers; the cheat sheet distinguishes them by the bytes that follow, and unzipping the file to find [Content_Types].xml and a word/ folder confirms the type.

Rename it with a .docx extension with the help of the [rename] command.

File #5: lecture

The fifth file is named lecture; we open it in the hex editor to analyse its bytes and identify the type.

Matching its first bytes, we find it is a .mp3 file: 49 44 33, ASCII translation ID3 (an ID3v2 tag, which precedes the audio frames). Give the file a .mp3 extension with the help of the [rename] command.

File #6: Manual

The second-last file in the folder is named Manual. Open it in the hex editor to examine its bytes.

Matching its first four bytes with the cheat sheet, we learn it is a .pdf file: 25 50 44 46, ASCII translation %PDF. Rename it with a .pdf extension using the rename command.

File #7: Notes

Finally, we reach the last file in the folder, Notes. We open it straight away in the hex editor to examine its bytes.

It contains only printable ASCII text with no binary header, so it is a plain text file, and we give it a .txt extension with the help of the [rename] command.

Recovered all File successfully

Now look at the folder: all the files have been recovered with their proper extensions.

We can also confirm in the command prompt, with the [dir] command, that the files now carry their original extensions.

Examining Corrupted File Extension using Linux Platform

Now suppose your investigation puts you in the same scenario, files with missing extensions, but this time the victim machine runs Linux and you are not allowed to copy the folder to another machine. How would you handle it?

Analysis using the File command

The file command is a Linux utility that tests each argument, against a database of magic numbers among other tests, to classify it. Hence we can carry out the same examination in a Linux environment with the help of the file command, which reads the header rather than trusting the name.

We use the [ls] command to show that these are the same files and the same scenario explained above.

We just need to run [file] with the file name to learn the real type of the file. Pick the first file and run the command: it reports an MS Windows executable.

Let us try the same with the second file, apple. Running [file] on it reports a JPEG image along with its internal details.
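The header comparison done by hand above, and the file command on Linux, both identify a file by its magic number. The following Python script is an added example, not part of the original article; it automates the same procedure for a whole folder on either platform. It matches the first bytes against a small signature table (the cheat-sheet values for exe, jpg, zip, docx, mp3, pdf plus a few more), looks inside zip containers to tell docx/xlsx/pptx from a plain zip, falls back to a printable-text check for plain text, and optionally renames each file without ever overwriting an existing one. Run it without --rename first and compare the result with your own hex inspection.

```python
"""Identify extension-less files by signature and restore the extension (added example)."""
import os
import string
import zipfile

# Magic numbers: (signature bytes, extension). Longest signature is tried first.
SIGNATURES = [
    (b"MZ", "exe"),                    # DOS/PE executable (Mark Zbikowski)
    (b"\xff\xd8\xff", "jpg"),         # JPEG; the 4th byte varies (E0 JFIF, E1 Exif)
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"%PDF", "pdf"),
    (b"ID3", "mp3"),                   # MP3 with an ID3v2 tag in front of the frames
    (b"PK\x03\x04", "zip"),            # ZIP container: also docx/xlsx/pptx/jar
    (b"Rar!\x1a\x07", "rar"),
    (b"7z\xbc\xaf\x27\x1c", "7z"),
    (b"\x7fELF", "elf"),
]

# Office Open XML documents are zips; the top-level folder inside tells the real type.
OOXML_DIRS = {"word/": "docx", "xl/": "xlsx", "ppt/": "pptx"}

TEXT_BYTES = set(bytes(string.printable, "ascii"))


def refine_zip(path):
    """Look inside a ZIP container to distinguish Office documents from plain zips."""
    try:
        with zipfile.ZipFile(path) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return "zip"                   # PK header but damaged archive: still a zip
    if "[Content_Types].xml" in names:
        for prefix, ext in OOXML_DIRS.items():
            if any(n.startswith(prefix) for n in names):
                return ext
    if "META-INF/MANIFEST.MF" in names:
        return "jar"
    return "zip"


def identify(path, sample=512):
    """Return the most likely extension for path, or None if unknown."""
    with open(path, "rb") as fh:
        head = fh.read(sample)
    if not head:
        return None                    # empty file carries no evidence of type
    for sig, ext in sorted(SIGNATURES, key=lambda s: -len(s[0])):
        if head.startswith(sig):
            return refine_zip(path) if ext == "zip" else ext
    # No known signature: call it text only if every sampled byte is printable ASCII.
    if all(b in TEXT_BYTES for b in head):
        return "txt"
    return None


def recover(folder, rename=False):
    """Identify every regular file in folder; optionally rename. Returns {name: ext}."""
    result = {}
    for name in sorted(os.listdir(folder)):
        path = os.path.join(folder, name)
        if not os.path.isfile(path):
            continue
        ext = identify(path)
        result[name] = ext
        if rename and ext and not name.lower().endswith("." + ext):
            target = path + "." + ext
            if not os.path.exists(target):     # never clobber other evidence
                os.rename(path, target)
    return result


if __name__ == "__main__":
    import sys
    # usage: python recover_ext.py <folder> [--rename]
    for name, ext in recover(sys.argv[1], rename="--rename" in sys.argv).items():
        print(f"{name}: {ext or 'unknown'}")
```

The signature table only covers the types this article meets; extend it with the entries from your own cheat sheet. Note that a file is renamed only when its signature is recognised, so anything returned as unknown stays untouched for manual inspection.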

This article helps us establish the true identity of a file during a forensic investigation, in both Windows and Linux environments.

Author: Shubham Sharma is a Pentester and Cybersecurity Researcher, Contact Linkedin and twitter.

Forensic Investigation: Extract Volatile Data (Manually)

In this article, we will run a number of CLI commands that help a forensic investigator gather as much volatile data from the system as possible. The commands used in this post are not the whole list, but they are the most commonly used ones.

As a forensic investigator, create a folder on the desktop named "case", inside it create a subfolder named "case01", and use an empty document "volatile.txt" to save the output you extract.

Here I have saved all the output inside /SKS19/prac/notes.txt, which helps us create the investigation report.

Table of Content

  • What is Volatile Data?
  • System Information
  • Currently available network connections
  • Routing Configuration
  • Date and Time
  • System Variables
  • Task List
  • Task List with Modules
  • Task List with Service
  • Workstation Information
  • MAC Address save in system ARP Cache
  • System User Details
  • DNS configuration
  • System network shares
  • Network configuration

What is Volatile Data?

There are two types of data collected in computer forensics: persistent data and volatile data. Persistent data is stored on a local hard drive and is preserved when the computer is powered off. Volatile data is anything held in memory, which is lost when the computer is powered off or rebooted.

Volatile data resides in RAM and in the system's caches: the process list, open network connections, ARP and DNS caches, logged-on users. Examining it on a running system is called live forensics. Two rules apply: collect in order of volatility (the data that changes fastest first, as RFC 3227 recommends), and record the exact command and time of every collection, since running the commands itself changes the system.

System Information

Windows includes a system profiler that displays diagnostic and troubleshooting information about the operating system, hardware, and software.

We can collect this data from the command line. All we need is to type this command.

It saves the output into the text file. We check that the file has been written with the [dir] command, and compare its size after each command to confirm the output was appended.

Now go to that location to see the results: all the system information about the software and hardware.

Currently Available Network Connections

Active network connections show which remote hosts the system is currently talking to and which local process owns each socket; an established connection to an unknown address is often the first sign of a compromise.

We can list all current network connections from the command line.

We check that the file was updated with the help of the [dir] command; as you can see, the file size has increased.

Now open the text file to see all the active connections on the system right now. It also gives extra details such as state, PID, address, and protocol.

Routing Configuration

The routing table determines which interface and gateway each destination is reached through. An unexpected gateway or a static route to an unknown network is a sign that traffic is being redirected.

To see the routing configuration, follow this command.

We can check the file with the [dir] command.

Open the txt file to evaluate the results: the routing table and its settings.

Date and Time

To record the date and time of the system, follow this command. Note the value against a trusted clock, because every later timestamp in the collection is interpreted relative to the system's own clock. We can again check that the file was updated with the help of the [dir] command.

Open that file to see the data gathered with the command.

System Variables

A system variable is a dynamic named value that can affect the way running processes behave on the computer. They are part of the environment in which processes run. For example, a running process can query the value of the TEMP environment variable to find a suitable location for temporary files; an attacker can abuse the same variables, for instance by altering PATH so that a planted binary is found before the genuine one.

We can list all system variables set in the system with a single command.

We can check whether the file was updated with the [dir] command.

Now open the text file to see the system variables.

Task List

The task list is the set of processes currently running on the system. To get the task list along with each process ID and memory usage, follow this command.

We can also check that the text file was updated with the [dir] command.

Open the text file to evaluate the details: look for unfamiliar process names, misspelled system binaries, and unusual memory usage.

Task List with Modules

Listing each task with its modules shows the DLLs loaded into every process; an unexpected DLL inside a system process is a sign of injection. We get these results with the following command.

We can check that the result file was updated with the help of the [dir] command.

Open the text file to evaluate the command results.

Task List with Services

It shows the services hosted by each process, which matters because many services share a single svchost.exe instance; a service name that does not belong in that host is suspicious. We get these results in our forensic report by using this command.

We check that the text file was updated with the help of the [dir] command.

Open this text file to evaluate the results: the services run by each task.

Workstation Information

Here workstation information means the configuration of the Windows workstation service on the local computer: computer name, logged-on user, logon domain, and software version. Follow these commands to get our workstation details.

To check that the file was updated, use the [dir] command.

Now open the text file to see the investigation results.

MAC Address saved in System ARP Cache

There are two types of ARP entries: static and dynamic. Most of the time we deal with dynamic entries, which the system keeps for a limited period while they are in use.

A static entry is a manually configured mapping between an Ethernet MAC address and an IP address. Because of the management overhead of static entries, dynamic entries are used almost everywhere. The ARP cache tells the investigator which hosts on the local network the system has exchanged traffic with recently, and a changed MAC address for the gateway can reveal ARP spoofing. To get these details, follow this command.

We can check that the text file was updated with the [dir] command.

Now open the text file to see the investigation report.

System User Details

System user details list the local user accounts known to the system. Compare them with the expected accounts and with the SAM analysis: an account that should not exist, or one created recently, is a lead. To get the user details, follow this command.

We can use the [dir] command to check that the file was updated.

Now open the text file to see the investigation report.

DNS Configuration

DNS is the internet system for converting names into numeric IP addresses. When a web address is typed into the browser, DNS servers return the IP address of the web server associated with that name. The local resolver cache lists the names this system resolved recently, including domains contacted by malware, and it is lost at reboot. To capture the DNS cache, follow this command.

We can check that the text report was updated with the [dir] command.

Now open the text file to see the report.

System network shares

Network shares are folders (and printers) that the system exposes to other users and computers on the network, with whatever rights were granted. Hidden administrative shares and shares created by an attacker to stage data both show up here. We can see these details by following this command.

We can also check that the file was updated with the [dir] command.

Now open the text file to see the investigation report.

Network Configuration

Network configuration covers every interface's addresses and settings: IP and MAC addresses, DHCP and DNS servers, and the default gateway. To get the network details, follow these commands.

As usual, we can check that the file was updated with the [dir] command.

Now open the text file to see the investigation report.
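The sections above all follow one pattern: run a command, append its output to the notes file, verify with dir. The following Python script is an added example, not part of the original article; it performs the same collection in one pass, ordered by volatility, stamps each section with the command, the UTC time and the return code, and returns the SHA-256 of the finished notes file for the case record. The Windows command list is my assumption of the standard commands behind each section (systeminfo, netstat -ano, route print, tasklist with /m and /svc, net config workstation, arp -a, net user, ipconfig /displaydns, net share, ipconfig /all); where possible run it from a trusted toolkit rather than with the suspect system's own copies of the tools.

```python
"""Scripted volatile data collection (added example, not from the article)."""
import hashlib
import subprocess
from datetime import datetime, timezone

# Ordered by volatility (RFC 3227): what changes fastest is captured first.
# Assumption: these are the standard Windows commands behind the sections above.
WINDOWS_COMMANDS = [
    ("Date and time", "date /t & time /t"),
    ("Network connections", "netstat -ano"),
    ("ARP cache", "arp -a"),
    ("DNS resolver cache", "ipconfig /displaydns"),
    ("Routing table", "route print"),
    ("Process list", "tasklist"),
    ("Processes with modules", "tasklist /m"),
    ("Processes with services", "tasklist /svc"),
    ("Network shares", "net share"),
    ("Local users", "net user"),
    ("Workstation information", "net config workstation"),
    ("Network configuration", "ipconfig /all"),
    ("Environment variables", "set"),
    ("System information", "systeminfo"),
]


def run_command(command, timeout=120):
    """Run one shell command and return (returncode, combined stdout+stderr)."""
    try:
        proc = subprocess.run(command, shell=True, capture_output=True,
                              text=True, errors="replace", timeout=timeout)
        return proc.returncode, proc.stdout + proc.stderr
    except subprocess.TimeoutExpired:
        return -1, f"timed out after {timeout}s\n"


def collect(commands, outfile):
    """Append every command's output to outfile under a timestamped header.

    Returns the SHA-256 of the finished file so the investigator can record it
    in the case notes; any later change to the notes file then becomes visible.
    """
    with open(outfile, "a", encoding="utf-8") as fh:
        for label, command in commands:
            stamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
            rc, output = run_command(command)
            fh.write(f"\n===== {label} | {command} | {stamp} | rc={rc} =====\n")
            fh.write(output)
            fh.flush()   # each section reaches disk even if the box dies mid-run
    h = hashlib.sha256()
    with open(outfile, "rb") as fh:
        h.update(fh.read())
    return h.hexdigest()


if __name__ == "__main__":
    import sys
    # usage: python collect_volatile.py C:\Users\<you>\Desktop\case\case01\volatile.txt
    target = sys.argv[1] if len(sys.argv) > 1 else "volatile.txt"
    print("sha256:", collect(WINDOWS_COMMANDS, target))
```

Because the file is opened in append mode, the script can be re-run for a second pass without losing the first; the hash printed at the end is the value to write down before the notes leave the machine.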

As we said earlier, these are only a few of the commonly used commands. There are plenty more in the forensic investigator's arsenal.

Author: Shubham Sharma is a Pentester and Cybersecurity Researcher, Contact Linkedin and twitter.