Wednesday, November 20, 2013

Procedure: Parsing Windows 7 Registry Hives with auto_rip

One of my favorite tools, or combination of tools I should say, is RegRipper and auto_rip, created by Harlan Carvey and Corey Harrell respectively. I use these two tools together (among other feeds) to rapidly assess potentially compromised systems in an attempt to understand quickly what nefarious activities I could be faced with. I have integrated these tools as part of my Rapid Assessment and Triage for alerts that I get sent from the SOC.

Even before I consider the need for a full disk image capture, I will use this procedure, "Parsing Windows 7 Registry Hives with auto_rip", to assist in that decision-making process. Quite often it has weeded out false positives and placed the staff back on stand-by.
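As an added example, and not the procedure in the linked document or either author's own tooling, here is a small shell wrapper that runs RegRipper's rip.pl over the standard Windows 7 hive set from a Linux analysis box, writes one report per hive, and hashes each hive before and after the parse so the triage notes can show the evidence was not touched. It assumes rip.pl is on the PATH or named in RIP_PL, that the hives were exported from the host or the image is mounted read-only, and that RegRipper's bundled profiles are named sam, security, software, system, ntuser and usrclass; the report layout, manifest format and function names are this example's own.

```shell
#!/bin/sh
# Added example (not the linked procedure or RegRipper's own scripts).
# Runs rip.pl over every Windows 7 hive found under a directory, one report
# per hive, and records a SHA-256 of each hive before and after the parse.
# Assumptions: rip.pl is on PATH or named in $RIP_PL; RegRipper's bundled
# profiles are called sam, security, software, system, ntuser, usrclass.
set -eu

RIP_PL="${RIP_PL:-rip.pl}"

# Map a hive file name to the RegRipper profile to run against it.
# Prints the profile; returns 1 (prints nothing) for anything else.
hive_profile() {
    case "$(basename "$1" | tr '[:lower:]' '[:upper:]')" in
        SAM)          echo sam ;;
        SECURITY)     echo security ;;
        SOFTWARE)     echo software ;;
        SYSTEM)       echo system ;;
        NTUSER.DAT)   echo ntuser ;;
        USRCLASS.DAT) echo usrclass ;;
        *)            return 1 ;;
    esac
}

# SHA-256 of a file with whichever tool the analysis box has.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# triage_hives HIVE_DIR OUT_DIR
# HIVE_DIR is a read-only mount of the volume (or a folder of exported hives);
# every SAM/SECURITY/SOFTWARE/SYSTEM/NTUSER.DAT/UsrClass.dat under it is parsed,
# so per-user hives under Users\* are picked up along with System32\config.
# OUT_DIR receives <relative-path-with-slashes-as-underscores>.<profile>.txt
# per hive and manifest.txt with: hive, profile, hash before, hash after.
triage_hives() {
    hive_dir="$1"; out_dir="$2"
    mkdir -p "$out_dir"
    manifest="$out_dir/manifest.txt"
    : > "$manifest"
    find "$hive_dir" -type f \( -iname SAM -o -iname SECURITY -o -iname SOFTWARE \
        -o -iname SYSTEM -o -iname NTUSER.DAT -o -iname USRCLASS.DAT \) |
    while IFS= read -r hive; do
        profile="$(hive_profile "$hive")" || continue
        before="$(hash_file "$hive")"
        # Keep the relative path in the report name so several users'
        # NTUSER.DAT reports do not overwrite each other.
        report="$out_dir/$(printf '%s' "${hive#"$hive_dir"/}" | tr '/' '_').$profile.txt"
        "$RIP_PL" -r "$hive" -f "$profile" > "$report" 2>&1 || true
        after="$(hash_file "$hive")"
        printf '%s\t%s\t%s\t%s\n' "$hive" "$profile" "$before" "$after" >> "$manifest"
        [ "$before" = "$after" ] || echo "WARNING: $hive changed during parse" >&2
    done
}

# Usage (assumed paths): triage_hives /mnt/evidence /cases/INC-42/rip
```

Point it at the root of the mounted volume rather than at System32\config alone so the per-user NTUSER.DAT and UsrClass.dat hives are included; auto_rip's value is the category grouping it applies on top of RegRipper, which this wrapper does not reproduce. The before/after hash only proves the parse did not alter the copy you parsed; if the hives were pulled from a live host, record that collection separately.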

Please take a look and comment if you can. I encourage feedback and would really like to see some input/ideas on how other folks may be using these tools.

The procedure can be viewed here via Google Drive.

Until next time, take care.

Mr. Orinoco



Saturday, November 2, 2013

Is a forensic image a corporate record?

The topic of records retention came up today as it relates to evidence image files of corporate hard disk drives (HDDs) and the entire product created as a result of the internal corporate investigation involving such HDDs.

The discussion asked, “Is a forensic image of an employee’s corporate HDD a record?” Do the forensic images fall under the governance of the corporate records retention policy?

At first, at least to a forensic examiner, the answer may seem obvious, a resounding yes I suspect. I’m sure an examiner does not want his forensic images deleted after he is done; seems obvious, right? However, your records retention policy, and the legal folks, will define what a record is. As an example, a record in terms of the business unit creating records (data) sees a record as data that contains customer information from various sources. This can be names, addresses, NPPI, PCI, PII, transaction-history-related data, data that is created as part of doing business. This is not difficult to understand. So, when it comes to forensic images, do they fall under the same corporate records retention policy, or should they be treated differently?

To emphasize the question again: we are just trying to understand if the images are corporate records and fall under the record retention policy; we are not discussing the data within them.

There are investigations that absolutely dictate the images must be retained. For example, employee fraud comes to mind. If every forensic image that is created falls under the policy, then we have some serious long-term storage equipment to purchase, and then we need to manage that environment and all its associated costs.

Here is another example: a machine becomes infected, analysis is performed, it is discovered the machine was the victim of a drive-by from a legitimate website, a report is written up with the RCA, the case is closed and the desktop is re-imaged. Now, do you really need to keep the 150 GB image for this investigation? The report will be archived, but the image? See the dilemma?

You could be collecting needless amounts of data simply because your record retention policy states your work is a record regardless of the investigation type and outcome. Let me know your thoughts on this topic, I will be interested to hear them.

Until next time, take care.

Mr. Orinoco
Wednesday, October 30, 2013

Procedure: Mounting an EnCase E01 Image with FTK Imager

My previous post detailed a template that I use when creating procedures. As promised, in this post I have taken the template and created a procedure using its framework. The procedure itself is quite rudimentary, mounting a forensically created image; however, the focus for the purpose of this post is on the framework, not the content. Using this framework, by providing a consistent format with clear details and instructions, you can start to build a valuable library of procedures that can be referenced and repeated, even by the noobs.

Take a look below and provide any feedback if you wish. As I stated in my first post on this blog, I want feedback, and look forward to peer review. The procedures moving forward from here will be more technical and provide some great examples of different approaches in getting work done.

The procedure can be accessed from this link via Google Drive. 

Enjoy, Mr. Orinoco

Saturday, October 12, 2013

A Procedure Template

In my previous post, I discussed what I believe are the required elements when creating a procedure. Using a set of standard elements in every procedure you create ensures consistency in your approach and final product. If one item above all must be achieved when creating procedures, it is consistency. As I mentioned in an earlier post, the one item I find the most frustrating with procedure documentation is the continued inconsistency of an individual's approach to creating procedures. In short, their lack of standardization.

For example, before I started in DF, I worked in Technology. I recall being incredibly frustrated over the haphazard way in which procedure documents were not only created, but the way they were stored and maintained. Everybody and their mother was creating procedures; they were stored all over the environment and infrequently, if at all, updated to reflect recent changes in IT. In addition, people would leave the company; as a result, the procedures would disappear because they were on the local drive of a desktop that had just been re-imaged!

In this post, I am providing a template (Google Drive link below) that I use for every procedure I create. Not only does it provide standardization for individuals creating the procedure, it also documents a number of other items.

First, there is a Procedure Name, a Category, and if needed, a Sub-Category.

Second, there is a Procedure Number. This number, along with the procedure name is entered into a master database, a spreadsheet that tracks all your procedures.

Third, Procedure Development. Who owns the development of the procedure?

Fourth, Procedure Document. Who owns this document? (This could be the same person who developed the procedure.)

Fifth, my favorite, Version Control. As the procedure changes a new version number is issued and the previous version is archived.

One last item: to ensure auditing of your procedures, the MD5 hash value of the procedure must be entered into the tracking database.

Taking this approach, using a template, completing a standard set of elements, tracking the historical life of a procedure, and finally, storing procedures in a central repository (think SharePoint) ensures that your library will grow effectively in a controlled manner and allow for maintenance.
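As an added example, and not part of the template or the post's own tooling, here is a shell version of the tracking database and hash audit described above: a flat CSV holding procedure number, name, version, owner, path and hashes, one row per registered version, plus an audit that re-hashes every registered document and flags anything missing or modified. The column layout, file names and function names are this example's own; MD5 is recorded because that is what the post specifies, with SHA-256 stored alongside it.

```shell
#!/bin/sh
# Added example, not the template's own tooling: a flat-file "master database"
# for procedures plus the hash audit the post asks for. Assumed CSV layout
# (one row per registered version of a document):
#   number,name,version,owner,path,md5,sha256,registered_utc
# MD5 is what the post specifies; SHA-256 is recorded alongside it.
# Fields must not contain commas (no CSV quoting is implemented).
set -eu

md5_of() {
    if command -v md5sum >/dev/null 2>&1; then md5sum "$1" | awk '{print $1}'
    else md5 -q "$1"; fi
}
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | awk '{print $1}'
    else shasum -a 256 "$1" | awk '{print $1}'; fi
}

# register_procedure DB NUMBER NAME VERSION OWNER FILE
# Appends a row for this version of the document. Earlier versions stay in
# the file, which is the archive trail; re-registering an existing
# number+version is refused so an edited document cannot overwrite its own hash.
register_procedure() {
    db="$1"; num="$2"; name="$3"; ver="$4"; owner="$5"; file="$6"
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
    [ -f "$db" ] || echo 'number,name,version,owner,path,md5,sha256,registered_utc' > "$db"
    if awk -F, -v n="$num" -v v="$ver" 'NR > 1 && $1 == n && $3 == v { f = 1 } END { exit !f }' "$db"; then
        echo "refusing: $num version $ver is already registered" >&2
        return 1
    fi
    printf '%s,%s,%s,%s,%s,%s,%s,%s\n' "$num" "$name" "$ver" "$owner" "$file" \
        "$(md5_of "$file")" "$(sha256_of "$file")" "$(date -u +%Y-%m-%dT%H:%M:%SZ)" >> "$db"
}

# audit_procedures DB
# Re-hashes every registered document and reports MISSING or MODIFIED rows
# on stderr. Returns 0 only if every row still matches both hashes.
audit_procedures() {
    db="$1"; bad=0
    {
        read -r _header
        while IFS=, read -r num _name ver _owner path md5 sha _ts; do
            if [ ! -f "$path" ]; then
                echo "MISSING  $num v$ver: $path" >&2; bad=$((bad + 1)); continue
            fi
            if [ "$(md5_of "$path")" != "$md5" ] || [ "$(sha256_of "$path")" != "$sha" ]; then
                echo "MODIFIED $num v$ver: $path" >&2; bad=$((bad + 1))
            fi
        done
    } < "$db"
    [ "$bad" -eq 0 ]
}

# Usage (assumed paths):
#   register_procedure procedures.csv DF-001 "Mount E01" 1 "Mr. Orinoco" DF-001_v1.docx
#   audit_procedures procedures.csv
```

Run the audit on a schedule from the repository host; a MODIFIED row means the document changed without a new version being registered, which is exactly the situation the version-control and hash fields exist to catch.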

Template Link - The template can be accessed here.



In my next post I will be posting a simple procedure on mounting a forensic image using the above approach. Until then, take care.

Thursday, September 26, 2013

What makes up a good procedure?

I love documentation, so long as it is clear, and most importantly, it gives useful examples on how the procedure can be used immediately without too much effort. I don’t like hard, I like easy; that’s why we document, right! What I don’t like is documentation that causes me to get lost as I start reading it. Once that happens, I get frustrated and move on to seek out better documentation. What causes people to get lost? In my opinion, I believe it is a lack of planning on the part of the individual writing the documentation, coupled with a whole ton of assumptions and not knowing your audience. I hate assumptions when reading procedures.

People who write procedures, in my opinion, must write them as if the reader is a complete newbie. By doing this you level-set all your readers. The more advanced reader can just skip to the juicy bits they are more interested in without reading all the background and prerequisites. Explanations, these I love also. If you’re going to show a command-line command, then explain what it is doing. This way you are giving your reader the opportunity to really understand what is going on with all the switches and options used in the command. On that note, give some actual real-world usage of the procedure, don’t leave the fella hanging.

So, what makes up a good procedure? What makes it so complete and fool-proof? Let’s take a stab.
1. Purpose – Describe the purpose of the procedure.
2. Why? Why are we doing this and what are the benefits.
3. Prerequisites & Environment – Tell the reader what ALL the prerequisites are for this procedure and what your environment looks like so they can replicate it.
4. The Procedure – Here is where we commence the actual procedure, walking the reader through the steps.
5. Explanations – Provide explanations along the way with screen shots (really good screen shots). During the procedure give detailed explanations of what you are doing.
6. References – Provide links to other topic-related web pages. Providing links to additional documentation or other posts discussing the topic gives the reader the opportunity to see how other folks are dealing with it or what they know about the subject.
7. Use Cases – How else can I use this? Give additional example(s) of how this procedure can be used. This gets the reader thinking on how they might use the procedure in their environment.
8. Finally, after all of the above is accomplished, the reader leaves with a sense of empowerment and new knowledge to use and share with his peers.
This, I believe, makes up a good template for creating procedures that are well documented and can be repeated by any analyst. If you fail at this, then apply the Deming cycle to correct it.

In my next post I will post an empty template to illustrate the above. Beyond that, I will start posting procedures that I have created due to a need and use quite often.
Mr. Orinoco

Hello World!

The Purpose of my Blog.
I have wanted to blog for a long time; however, I personally felt there were a number of things that prevented me from blogging, especially on a topic so technical. Digital Forensics is such a wide-reaching field, it covers so many aspects of modern-day computing; it is easy to become overwhelmed just by thinking of the scope of this profession. To then think that you are adequate enough to contribute to this profession, where folks like Mandiant dominate on the IR level, and then throw in the DFIR Gods like Rob Lee, Harlan Carvey, and Corey Harrell, who are front and center every day with their incredible insights and analysis. These guys are my “American Idols”. Nonetheless, I have decided to stick my neck out. The reason? I want to share what I have learned, I want to be commented on (peer review), and ultimately, I want to get on. I want to advance my career in this fascinating field and crush a few bad guys along the way. There is RISK in this blogging thing, I have no idea how it will go, but I have a purpose. As I have stated, I want to share, I want to learn, and I want to move up in this world of DFIR. How do you do that if nobody knows you, and by that extension, they do not know your thoughts, procedures, and capabilities to achieve your results and wins?

My background in PC computing stems from a technology start back in 1996, just as the PC/Internet world was coming to fruition. Heck, I had a Packard Bell 486 DX2 66 with a 2400-baud modem to Prodigy for Win3.1. After a career change and fresh out of IT school I held a few positions, quickly rising in IT responsibilities with each move. I started off on a helpdesk, then to product support, to Desktop OS and application support, then Network Admin on Novell, switching to NT, then some engineering, then into end-point security products, and ultimately to where I have been for the past few years as a DF Examiner. Most DF examiners that have been doing this for the past 5 years or so fall into these positions because someone asked them to assist with something related to info sec, or some other security-related issue. I am no different. Simply because of the group I was in at the time, I was asked if I would like to do disk forensics. “Wow,” I said, “sounds exciting.” I have an IT background but had no idea on forensics. I recall my manager walking me through the use of EnCase 5.x over the phone doing a set include!

Anyway, I plan to publish useful articles on procedures anyone can use. These procedures will have a theme and an end-result goal in mind in what I am trying to accomplish. Additionally, I can use it as my own personal library collection so I can reference them myself. It’s hard to remember all your procedures when you have so many, so why not have them readily available and share them. What I really hope for is for someone to say “hey, you know you can do it this way also, which is easier”. Or, “hey, have you thought about this or that?” As I said, I want to learn and move up in this profession, and I can’t do that unless I put myself out there so people can see what I am doing right!

So, check back soon, I’ll have something up ASAP.


Mr. Orinoco