Wednesday, November 20, 2013

Procedure: Parsing Windows 7 Registry Hives with auto_rip

One of my favorite tools, or combination of tools I should say, is RegRipper and auto_rip, created by Harlan Carvey and Corey Harrell respectively. I use these two tools together (among other feeds) to rapidly assess potentially compromised systems in an attempt to understand quickly what nefarious activities I could be faced with. I have integrated these tools as part of my Rapid Assessment and Triage for alerts that I get sent from the SOC.

Even before I consider the need for a full disk image capture, I will use this procedure, "Parsing Windows 7 Registry Hives with auto_rip", to assist in that decision-making process. Quite often it has weeded out false positives and placed the staff back on stand-by.

Please take a look and comment if you can. I encourage feedback and would really like to see some input/ideas on how other folks may be using these tools.

The procedure can be viewed here via Google Drive.

Until next time, take care.

Mr. Orinoco



Saturday, November 2, 2013

Is a forensic image a corporate record?

The topic of records retention came up today as it relates to evidence image files of corporate hard disk drives (HDDs) and the entire product created as a result of the internal corporate investigation involving such drives.

The discussion asked, "Is a forensic image of an employee's corporate HDD a record?" Do the forensic images fall under the governance of the corporate records retention policy?

At first, at least to a forensic examiner, the answer may seem obvious, a resounding yes I suspect. I'm sure an examiner does not want his forensic images deleted after he is done; seems obvious, right? However, your records retention policy and the legal folks will define what a record is. As an example, a business unit that creates records (data) sees a record as data that contains customer information from various sources. This can be names, addresses, NPPI, PCI, PII, transaction-history-related data, data that is created as part of doing business. This is not difficult to understand. So, when it comes to forensic images, do they fall under the same corporate records retention policy, or should they be treated differently?

To emphasize the question again: we are just trying to understand whether the images themselves are corporate records and fall under the records retention policy; we are not discussing the data within them.

There are investigations that absolutely dictate the images must be retained; employee fraud comes to mind. If every forensic image that is created falls under the policy, then we have some serious long-term storage equipment to purchase, and then we need to manage that environment and all its associated costs.

Here is another example: a machine becomes infected, analysis is performed, it is discovered that the machine was the victim of a drive-by from a legitimate website, a report is written up with the RCA, the case is closed and the desktop is re-imaged. Now, do you really need to keep the 150Gb image for this investigation? The report will be archived, but the image? See the dilemma?

You could be collecting needless amounts of data simply because your records retention policy states your work is a record regardless of the investigation type and outcome. Let me know your thoughts on this topic; I will be interested to hear them.

Until next time, take care.

Mr. Orinoco