How To View Windows Registry On Linux

Introduction

Forensic Registry EDitor (fred) is a cross-platform Microsoft registry hive editor. It is a GUI-based registry editor that runs on Linux and has a built-in hex viewer and data interpreter.

Installation

The best way to install this tool is to follow the instructions of its author, Daniel:

In order to automatically stay up-to-date when new versions are released, I recommend adding my repository to your software sources list. This is done by executing the following commands:

sudo wget -P /etc/apt/sources.list.d/ http://deb.pinguin.lu/pinguin.lu.list
wget -q http://deb.pinguin.lu/debsign_public.key -O- | sudo apt-key add -
sudo apt-get update

Once done, you can install packages by issuing:

sudo apt-get install fred fred-reports


Environment

I used a hard disk image of a Windows system.

# ewfmount myImage.E01 /mnt/ewf/
# mount -o ro,loop,show_sys_files,streams_interface=windows /mnt/ewf/ewf1 /mnt/windows_mount

I mounted my image at /mnt/windows_mount. Since I was using an E01 image, I used a two-step process to mount it. For details on how to mount an E01 image in Linux you can check this post. You don't need to use an E01 image; any image you can mount in Linux, e.g. a raw image, would be fine.


Usage

I will give some examples that show how to use this powerful tool. First let's cover the locations of the hives. If you are already familiar with the Windows Registry you can skip this section and continue with Finding unique device serial number of a USB Key.

In Windows NT 4 (and later) the Registry is stored in the Windows NT Registry File (REGF) format (http://www.forensicswiki.org/wiki/Windows_Registry).

Basically the following Registry hives are stored in the corresponding files:

  • HKEY_USERS: \Documents and Settings\User Profile\NTUSER.DAT
  • HKEY_USERS\DEFAULT: C:\Windows\system32\config\default
  • HKEY_LOCAL_MACHINE\SAM: C:\Windows\system32\config\SAM
  • HKEY_LOCAL_MACHINE\SECURITY: C:\Windows\system32\config\SECURITY
  • HKEY_LOCAL_MACHINE\SOFTWARE: C:\Windows\system32\config\software
  • HKEY_LOCAL_MACHINE\SYSTEM: C:\Windows\system32\config\system
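Before pointing fred (or any parser) at a hive copied off an image, it is worth checking that the file really is a complete, consistent REGF hive. The following is an added example, not code from the post or from fred: it parses the 4096-byte REGF base block described in the format reference above, verifies the XOR-32 checksum stored at offset 508, and flags a "dirty" hive (primary and secondary sequence numbers differ, meaning the last transaction log was not applied and the hive on disk may be behind the live state). The sample base block is constructed inside the script; on a mounted image, read the first 4096 bytes of /mnt/windows_mount/WINDOWS/system32/config/system and pass them to parse_regf_base_block instead.

```python
import struct
from datetime import datetime, timedelta, timezone

# REGF base block layout (byte offsets), from the public REGF format documentation:
#   0  'regf' signature           4  primary sequence number   8  secondary sequence number
#   12 last-written FILETIME      20 major version             24 minor version
#   28 file type                  32 file format               36 root cell offset
#   40 hive bins data size        44 clustering factor         48 file name (64 bytes, UTF-16LE)
#   508 XOR-32 checksum of bytes 0..507
BASE_BLOCK_SIZE = 4096
CHECKSUM_OFFSET = 508


def regf_checksum(base_block: bytes) -> int:
    """XOR of the 127 DWORDs before the checksum field, with the two reserved results remapped."""
    x = 0
    for (dword,) in struct.iter_unpack("<I", base_block[:CHECKSUM_OFFSET]):
        x ^= dword
    if x == 0:
        return 1
    if x == 0xFFFFFFFF:
        return 0xFFFFFFFE
    return x


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME: 100-nanosecond intervals since 1601-01-01 UTC."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)


def parse_regf_base_block(data: bytes) -> dict:
    """Validate the base block and return the fields an investigator wants to see first."""
    if len(data) < BASE_BLOCK_SIZE:
        raise ValueError("file is shorter than a REGF base block")
    bb = data[:BASE_BLOCK_SIZE]
    (sig, primary, secondary, ft, major, minor, file_type, file_format,
     root, hbins_size, _cluster) = struct.unpack_from("<4sIIQIIIIIII", bb, 0)
    if sig != b"regf":
        raise ValueError("not a REGF hive (bad signature)")
    name = bb[48:112].decode("utf-16-le").split("\x00", 1)[0]
    stored = struct.unpack_from("<I", bb, CHECKSUM_OFFSET)[0]
    return {
        "primary_seq": primary,
        "secondary_seq": secondary,
        "dirty": primary != secondary,          # .LOG1/.LOG2 transaction log not yet applied
        "last_written": filetime_to_datetime(ft),
        "version": (major, minor),
        "file_type": file_type,                  # 0 = primary hive file
        "file_format": file_format,
        "root_cell_offset": root,                # relative to the first hive bin at file offset 4096
        "hbins_data_size": hbins_size,
        "file_name": name,
        "checksum_ok": stored == regf_checksum(bb),
    }


def build_sample_base_block(primary_seq: int = 7, secondary_seq: int = 7, file_name: str = "SYSTEM",
                            last_written_ft: int = 132000000000000000,
                            root: int = 0x20, hbins_size: int = 0x1000) -> bytes:
    """Constructed sample: a valid-looking base block to exercise the parser (not a real hive)."""
    bb = bytearray(BASE_BLOCK_SIZE)
    struct.pack_into("<4sIIQIIIIIII", bb, 0, b"regf", primary_seq, secondary_seq,
                     last_written_ft, 1, 5, 0, 1, root, hbins_size, 1)
    bb[48:112] = file_name.encode("utf-16-le").ljust(64, b"\x00")
    struct.pack_into("<I", bb, CHECKSUM_OFFSET, regf_checksum(bytes(bb)))
    return bytes(bb)


if __name__ == "__main__":
    import sys
    # Usage: python regf_check.py /mnt/windows_mount/WINDOWS/system32/config/system
    data = open(sys.argv[1], "rb").read(BASE_BLOCK_SIZE) if len(sys.argv) > 1 else build_sample_base_block()
    for key, value in parse_regf_base_block(data).items():
        print(f"{key:>18}: {value}")
```

A hive that reports dirty or a bad checksum should be treated with care: fred will still open it, but values may be stale or truncated, so note it in the case log and consider replaying the transaction logs first.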

1. Finding unique device serial number of a USB Key

This information is stored at SYSTEM\ControlSet001\Enum\USBSTOR

We know that the SYSTEM hive is stored in C:\Windows\system32\config\system

Let's go to the directory that contains the system file (/WINDOWS/system32/config/system). I mounted the image at /mnt/windows_mount, so I will type

cd /mnt/windows_mount/WINDOWS/system32/config

Then I can type the following to run fred on the system file:

root@siftworkstation:/mnt/windows_mount/WINDOWS/system32/config# fred system

The serial number is the value I circled in red.


[Screenshot: fred1]

2. What was the last time that a user opened a .doc file?

This data is stored in NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs

NTUSER.DAT is in \Documents and Settings\User Profile. First we need to go into that directory and run

fred NTUSER.DAT

[Screenshot: fred2]

It is the value I circled in red.

3. What was the last program a user ran using the Start->Run dialog?

We need to use fred and open NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU

[Screenshot: fred3]

In the right column we see what the user ran using Start->Run.

Conclusion

The Windows registry includes a lot of good information for investigators. fred helps investigators find the data they need in the registry very easily. The best thing about fred is that it is open source and costs you zero dollars…

I would love to hear what you think about fred and registry tools in general.


Forensics Netwars First Day

I had been planning to attend the DFIR Summit for the last two years, and now I am in Austin for it. As part of the DFIR Summit I am attending Forensics NetWars. Forensics NetWars is a fun practice that helps you remember the forensics knowledge you may have forgotten and learn some new tricks. The best thing is that if you screw up, that's okay. You cannot damage anything but your NetWars score…

I remembered the power of the stat command when it comes to MAC times. I also found a new tool called Fred for analyzing the registry. I also remembered that the -iname option ignores case when you use it with the "find" command.

I am planning to write how to install and use Fred this week.


GCIA Exam

Hi all,

It has been such a long time since my last post. I have been very busy. Last week I took the GCIA exam and passed it. I thought I could share my experience. So far I have taken 3 exams from GIAC: GCFA, GCIH and GCIA. GIAC certifications are very valuable and it is always a plus to have them on your resume. Personally I value those certifications in the interviews I conduct.

The GCIA exam was the hardest GIAC exam I have taken so far. If you want to pass this exam, make sure you know the following:

  • Snort (yes, lots of questions about Snort, and they are very detailed.)
  • A very deep understanding of TCP/IP
    • How to calculate the IP header
    • How to calculate the TCP header
    • How to calculate the data in a packet
    • Quickly interpreting hex
  • SIEM tools
  • ICMP, UDP, TCP, IPv6
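The header arithmetic in the list above (IHL and TCP data offset counted in 32-bit words, payload = total length minus both headers, the ones' complement checksum over the IP header and over the TCP pseudo-header plus segment) is exactly what the exam makes you do by hand from a hex dump. As an added example that is not part of the original post, the script below does the same calculation on a constructed IPv4/TCP packet (documentation-range addresses, one MSS option, a short HTTP payload) and re-verifies both checksums, so you can check a hand calculation against it or feed it any hex dump of your own.

```python
import struct

TCP_FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG"]   # bits 0..5 of the TCP flags byte


def ones_complement_checksum(data: bytes) -> int:
    """RFC 1071 checksum. Run over a header that already carries its checksum, a valid one yields 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4_tcp(hex_packet: str) -> dict:
    """Header lengths, payload size, flags and checksum validity straight from the hex."""
    pkt = bytes.fromhex(hex_packet.replace(" ", ""))
    version, ihl = pkt[0] >> 4, pkt[0] & 0x0F
    if version != 4:
        raise ValueError("not IPv4")
    ip_hlen = ihl * 4                       # IHL is in 32-bit words: 5 -> 20 bytes, >5 means options
    total_len = struct.unpack_from("!H", pkt, 2)[0]
    ttl, proto = pkt[8], pkt[9]
    src, dst = pkt[12:16], pkt[16:20]
    if proto != 6:
        raise ValueError("not TCP")
    sport, dport = struct.unpack_from("!HH", pkt, ip_hlen)
    tcp_hlen = (pkt[ip_hlen + 12] >> 4) * 4  # data offset, also in 32-bit words
    flag_byte = pkt[ip_hlen + 13]
    flags = [name for bit, name in enumerate(TCP_FLAG_NAMES) if flag_byte & (1 << bit)]
    payload_len = total_len - ip_hlen - tcp_hlen
    # The TCP checksum covers a pseudo-header (addresses, zero, protocol, TCP length) plus the segment.
    pseudo = src + dst + struct.pack("!BBH", 0, proto, total_len - ip_hlen)
    return {
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)), "ttl": ttl,
        "ip_header_len": ip_hlen, "tcp_header_len": tcp_hlen, "payload_len": payload_len,
        "src_port": sport, "dst_port": dport, "flags": flags,
        "ip_checksum_ok": ones_complement_checksum(pkt[:ip_hlen]) == 0,
        "tcp_checksum_ok": ones_complement_checksum(pseudo + pkt[ip_hlen:total_len]) == 0,
        "payload": pkt[ip_hlen + tcp_hlen:total_len],
    }


def build_sample_packet(payload: bytes = b"GET / HTTP/1.0\r\n") -> str:
    """Constructed IPv4/TCP packet with valid checksums, returned as a hex string (sample data only)."""
    src, dst = bytes([192, 168, 1, 10]), bytes([198, 51, 100, 7])
    tcp_opts = bytes([0x02, 0x04, 0x05, 0xB4])     # MSS = 1460, which makes the TCP header 24 bytes
    tcp_len = 20 + len(tcp_opts) + len(payload)
    # sport, dport, seq, ack, data offset (6 words) << 4, flags PSH|ACK, window, checksum, urgent
    tcp = struct.pack("!HHIIBBHHH", 49152, 80, 1, 0, 6 << 4, 0x18, 65535, 0, 0) + tcp_opts + payload
    pseudo = src + dst + struct.pack("!BBH", 0, 6, tcp_len)
    tcp = tcp[:16] + struct.pack("!H", ones_complement_checksum(pseudo + tcp)) + tcp[18:]
    # ver/IHL, TOS, total length, ID, DF flag, TTL, protocol TCP, checksum placeholder, addresses
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 0x1234, 0x4000, 64, 6, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", ones_complement_checksum(ip)) + ip[12:]
    return (ip + tcp).hex()


if __name__ == "__main__":
    for key, value in parse_ipv4_tcp(build_sample_packet()).items():
        print(f"{key:>16}: {value}")
```

Try changing one byte of the hex (for instance the TTL) and re-running: the IP checksum fails while the TCP checksum still passes, which is a useful reminder of what each checksum does and does not cover.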

I didn't have time to study, but my experience in network forensics helped a lot in answering the questions. Here are some strategic test tips:

  • You can skip 5 questions. If you want to go back and answer those questions you have to answer all 5; you cannot skip any other questions until you answer those. My suggestion: do not use the skip option too quickly. I did, because I didn't know that…
  • Watch your progress every 15 questions. GIAC tells you what percentage of questions you answered correctly every 15 questions. Don't stress out if you score very low; some questions are hard and some are very easy, so you will have chances to increase your score later.
  • If you don't know the answer to a question, try to eliminate the wrong answers among the multiple choices.
  • You have 240 minutes, which is more than enough, so relax… If you think it is not enough for you to solve 150 questions, do not take this test. It is not for you.
  • The test is not easy; study the material, or if you have experience, use that. Some questions are directly related to the GIAC material (testing your memory rather than your knowledge, e.g. some unpopular command line options in Snort), so knowing the study materials will do better than trusting your experience for some questions. In the real world you have Google, Yahoo, Bing or man pages for command line options. I am not good at memorizing and don't really think it is very important. If you know how to get information then you're good in the real world. You don't need to overload your memory with them. However, in the test it is a different story.

What do security researchers need to know about laws?

Disclaimer: First, I am not a lawyer, and this post is not legal advice. Please contact a lawyer for legal advice. This post is just about what I learned through different sources over time. Let's start.

One of the most important laws for security researchers is the Computer Fraud and Abuse Act (CFAA). This act was written in 1984. At that time the main idea of the act was "you are not supposed to gain access to government computers". A few additions over time have made the act confusing and pretty much useless. There are problems with this law, which I discuss below:

  • 18 U.S.C. 1030(a)(2)(C): without authorization or in excess of authorization -> Here we DO NOT know what "without authorization" means…
  • 18 U.S.C. 1030(a)(4): knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any 1-year period; -> Here we DO NOT know what "without authorization" means…
  • 18 U.S.C. 1030(a)(5): (A) knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer; (B) intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage; or (C) intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage and loss. -> Here we DO NOT know what "without authorization" means…

There could be criminal charges or civil penalties. However, the victim has to have at least $5,000 of financial loss for the court to process the claims.

Problems:

  • What is illegal is unclear.
  • Selective enforcement: Law enforcement can interpret the law the way they want since it is so open for interpretation.
  • The penalties are harsh.

Interesting Cases:

  • US v. Nosal (Bonus: watch the trial here)

  • US v. Drew
  • EF Cultural v. Explorica
  • US v. Auernheimer


Detecting Rogue Virtual Machines - My Script

I wrote a post about detecting rogue virtual machines a while ago. Today I am publishing my script for getting the list of MAC addresses and their manufacturers. It is easy to add an if statement to make this script detect virtual machines. This is just a start; if I get some time I will make it smarter.

#!/bin/bash
# Scan the class C subnet (assuming you're in 192.168.1.X) so every live host ends up in the ARP cache
for ((i=0; i<255; i++))
do
    # one echo request with a one-second timeout (Linux flags; on macOS use -t 1 instead of -W 1)
    ping -c 1 -W 1 "192.168.1.$i" >/dev/null 2>&1
done
# Pull the IP and MAC columns out of the ARP cache (only lines containing ':' are resolved entries)
arp -a | awk '/:/' | cut -f 4 -d " " > macAddresses.txt
arp -a | awk '/:/' | cut -f 2 -d " " > ipAddresses.txt
fileName=macAddresses.txt
# Look up each MAC address on the web
while read -r mac
do
    # for each MAC address we send a POST request and format the output
    # -qO- means show the output in the terminal, not save it to a file
    # the POST data fills the "mac" field on the form
    # keep the line containing the Company part and cut out the result
    wget -qO- --post-data="mac=$mac" http://aruljohn.com/mac.pl | awk '/>Company/' | cut -f 5 -d ">" >> companiesTemp.txt
done < "$fileName"

# a little more formatting of companiesTemp.txt is required
cut -f 1 -d "<" companiesTemp.txt > companies.txt
# combine IP, MAC and company in a single file
paste ipAddresses.txt macAddresses.txt companies.txt > finalResult.txt

# print the final result on the screen
echo "The results are saved in local finalResult.txt, and we are kind enough to show them here"
cat ./finalResult.txt

# clean up temp files
rm companies.txt companiesTemp.txt ipAddresses.txt macAddresses.txt
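As an added example that is not the author's script, here is the same idea (ARP cache -> MAC -> vendor) done offline in Python, with the virtual-machine test the post says is easy to add. The OUI table is a small constructed subset of the public IEEE assignments for common hypervisors (for real use, load the full IEEE OUI file rather than querying a web service per MAC), the arp -a lines are constructed sample output in both the macOS and Linux formats, and 52:54:00 is flagged as the default QEMU/KVM prefix even though it is a locally administered address rather than an IEEE OUI.

```python
import re

# Constructed subset of public OUI assignments for common hypervisors; not a complete vendor database.
VIRTUAL_OUIS = {
    "00:05:69": "VMware",
    "00:0c:29": "VMware",
    "00:50:56": "VMware",
    "08:00:27": "VirtualBox (PCS Systemtechnik)",
    "00:15:5d": "Microsoft Hyper-V",
    "00:16:3e": "Xen",
    "52:54:00": "QEMU/KVM default (locally administered)",
}

# Matches both "? (192.168.1.5) at 0:c:29:.. on en0" (macOS) and "host (192.168.1.5) at 00:0c:29:.. [ether] on eth0" (Linux)
ARP_LINE = re.compile(r"\((?P<ip>\d+\.\d+\.\d+\.\d+)\)\s+at\s+(?P<mac>[0-9a-fA-F:]+)")


def normalize_mac(mac: str) -> str:
    """Zero-pad octets so macOS-style '0:c:29:..' and Linux-style '00:0c:29:..' compare equal."""
    return ":".join(octet.zfill(2) for octet in mac.lower().split(":"))


def parse_arp_output(text: str) -> list:
    """Return (ip, mac) pairs from arp -a output, skipping incomplete entries and the broadcast address."""
    hosts = []
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if not m:
            continue                      # header lines and "<incomplete>" entries carry no MAC
        mac = normalize_mac(m.group("mac"))
        if mac == "ff:ff:ff:ff:ff:ff":
            continue
        hosts.append((m.group("ip"), mac))
    return hosts


def virtual_vendor(mac: str):
    """Hypervisor name for a MAC whose OUI (first three octets) is in the table, else None."""
    return VIRTUAL_OUIS.get(normalize_mac(mac)[:8])


def find_virtual_hosts(arp_text: str) -> list:
    """The 'if statement' from the post: every ARP entry whose MAC points at a hypervisor."""
    return [{"ip": ip, "mac": mac, "vendor": vendor}
            for ip, mac in parse_arp_output(arp_text)
            if (vendor := virtual_vendor(mac))]


# Constructed sample of arp -a output (macOS and Linux formats mixed on purpose).
SAMPLE_ARP = """\
? (192.168.1.1) at 3c:22:fb:aa:bb:cc on en0 ifscope [ethernet]
? (192.168.1.23) at 0:c:29:1a:2b:3c on en0 ifscope [ethernet]
fileserver.lan (192.168.1.40) at 08:00:27:11:22:33 [ether] on eth0
? (192.168.1.77) at <incomplete> on eth0
? (192.168.1.255) at ff:ff:ff:ff:ff:ff on en0 ifscope [ethernet]
"""

if __name__ == "__main__":
    import subprocess
    # With no arguments the constructed sample is used; "--live" reads the real ARP cache instead.
    import sys
    text = subprocess.run(["arp", "-a"], capture_output=True, text=True).stdout if "--live" in sys.argv else SAMPLE_ARP
    for host in find_virtual_hosts(text):
        print(f"{host['ip']:<16} {host['mac']}  {host['vendor']}")
```

A hit only means the NIC reports a hypervisor OUI; an inventory of approved VMs is still needed to decide which of them are rogue, and an attacker who sets a custom MAC will not show up here at all, so treat this as a cheap first pass rather than a complete control.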

Effective Security Project Management

After running several projects, I have observed some very interesting things about the management of security projects.

Stakeholders usually have a very limited focus. For example, if there is a project about network security, they don't think about how to reuse some part of the project in, say, an application security project.

Moreover, stakeholders usually lack long-term thinking. You should never spend all of your money to achieve a single thing unless it is critical. In other words you have to be very effective, efficient and smart. If you are doing a project to reduce abuse of your internal computing resources, don't try to save the day. Try to save the weeks, months, and years. This is not hard to do.

When you design your project, assume that you are playing with Lego. With Lego you can build a house, and you can break down the house and build a car with the same pieces. Your projects should be the same. Moreover there will be some "plugins". This means if you want to achieve X, don't just build X. Do this:

Build A, B and C and make them work together to get X as the result of those three plugins.

A+B+C=X

Moreover, the functionality of A, B and C shouldn't be too similar. Make them somewhat diverse, with your only condition being that the total result should be X.

Then next time, when you are working on a different project, say project Y, think about reusing at least one plugin you built here, i.e.

A+D+E=Y

This makes you use your resources in a smart way and gives you long-term thinking.

Always think smart, since this will make your projects better and more powerful…


SQLite Database Browser

There is no doubt that the most popular post I have written so far is How FF store your passwords? Is it secure? I believe the reason is that there was not enough documentation 3 years ago about Firefox's security mechanisms. At that time I couldn't find something simple that could read/edit SQLite databases. Now I am going to write about SQLite Database Browser, a freeware, public domain, open source visual tool used to create, design and edit database files compatible with SQLite.

You can go here and download it. After you download it, go to your Firefox profile directory. How can you find it? Just open a new page and type about:support. You will see the path of the directory next to Profile Folder.

There is very good information stored in the profile folder, such as bookmarks, passwords, search engine data etc…

You can now open SQLite Database Browser, click the directory icon in the upper left and browse to the file you want to open in the profile directory. Now you can have some fun with the Firefox databases and learn more about how Firefox stores information.
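The GUI browser is convenient, but when the profile comes from a machine under investigation you want to be certain you never modify the database while looking at it. As an added example that is not from the post or from SQLite Database Browser, the script below builds a throwaway look-alike of Firefox's places.sqlite (a simplified subset of the moz_places columns; the PRTime timestamp format, microseconds since the Unix epoch, is what Firefox uses, while the rows are constructed), opens it through a read-only URI, converts the timestamps, and shows that a write is refused. Point top_sites() at a copy of a real places.sqlite to use it on a profile.

```python
import os
import sqlite3
import tempfile
from datetime import datetime, timezone

# Constructed rows for a simplified subset of Firefox's moz_places table.
# last_visit_date is PRTime: microseconds since 1970-01-01 UTC.
SAMPLE_ROWS = [
    (1, "https://example.org/", "Example Domain", 12, 1_700_000_000_000_000),
    (2, "https://wiki.example.net/login", "Wiki login", 3, 1_690_000_000_000_000),
    (3, "https://shop.example.com/cart", "Cart", 7, 1_699_000_000_000_000),
]


def create_sample_profile_db(path: str) -> None:
    """Build a throwaway places.sqlite look-alike so the example runs offline."""
    con = sqlite3.connect(path)
    with con:
        con.execute("""CREATE TABLE moz_places (
                           id INTEGER PRIMARY KEY, url TEXT, title TEXT,
                           visit_count INTEGER, last_visit_date INTEGER)""")
        con.executemany("INSERT INTO moz_places VALUES (?, ?, ?, ?, ?)", SAMPLE_ROWS)
    con.close()


def open_readonly(path: str) -> sqlite3.Connection:
    """Open through a URI with mode=ro so the evidence file cannot be changed by this connection."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def prtime_to_datetime(prtime: int) -> datetime:
    return datetime.fromtimestamp(prtime / 1_000_000, tz=timezone.utc)


def top_sites(path: str, limit: int = 2) -> list:
    """Most-visited URLs with their last visit as an ISO timestamp."""
    con = open_readonly(path)
    try:
        rows = con.execute(
            "SELECT url, visit_count, last_visit_date FROM moz_places "
            "ORDER BY visit_count DESC LIMIT ?", (limit,)).fetchall()
    finally:
        con.close()
    return [(url, count, prtime_to_datetime(ts).isoformat()) for url, count, ts in rows]


def write_is_refused(path: str) -> bool:
    """True when the read-only connection rejects a modification, as it should."""
    con = open_readonly(path)
    try:
        con.execute("DELETE FROM moz_places WHERE id = 1")
        con.commit()
        return False
    except sqlite3.OperationalError:      # "attempt to write a readonly database"
        return True
    finally:
        con.close()


def run_demo() -> dict:
    """Create the sample database in a temp directory and run both checks against it."""
    path = os.path.join(tempfile.mkdtemp(), "places.sqlite")
    create_sample_profile_db(path)
    return {"top": top_sites(path), "write_refused": write_is_refused(path)}


if __name__ == "__main__":
    result = run_demo()
    for url, count, last in result["top"]:
        print(f"{count:>3}  {last}  {url}")
    print("write refused on read-only connection:", result["write_refused"])
```

Work from a copy of the profile directory in any case: Firefox holds places.sqlite open with a write-ahead log, and a live profile can change underneath you even when your own connection is read-only.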

How To Protect Yourself From Frauds

The cyber world is a dangerous place. Governments and private industries become more and more aware of this danger every single day. What about citizen Joe and citizen Anna? Are they aware of the cyber threats? Do they know how cyber threats can take all of the hard-earned money they put into their bank accounts? Or that somebody who is thousands of miles away from them can impersonate them and make their friends send money to that person? There is a great variety of frauds in the cyber world. Most of them have been around for more than ten years. Most of them use techniques similar to those old traditional fraudsters use in the physical world.

There are a number of sites that have very good information about the prevention of fraud. One of them is this site. Just watch the videos on the site and you will get an idea of how those frauds can waste people's time and make their lives miserable. Just watch the video below. We will cover frauds in detail later.


There Is No Such Thing As Security

Well, time to be honest with ourselves, dear security community. Even if we have firewalls, IDSs, IPSs, antiviruses, SIEMs etc., our systems are not secure and will not be secure, since there is no such thing as security.

I know some of you have now become angry and are thinking of counterarguments, but seriously think about it. Your workplace, for example. You have all kinds of good stuff to protect it: motion detectors, glass-break detectors, wired windows, doors etc… But what if a crime organization just breaks one of the doors with a truck at night and now they are inside; can you still think you are secure? There is a level of insecurity. You can decrease it with what you have, however when you think about your systems you need to think they are insecure to some level.

One of the things I recently (!) realized is that there is balance in life and most of the time we forget about it. Yes, nothing is secure, but this doesn't mean we need to freak out. This is what risk management is for.

If you have two systems, and one doesn't have sensitive data and the other has data such that if you lose it you will go out of business, then take care of the second system. Don't get so obsessed about the first one that you forget the important one. You need to protect what you need. I know it sounds sad that you will not pay enough attention to the first system in some cases, but that's OK.

Security is a very hot subject and lots of individuals are coming into this area. Most of them are bright, smart people. They want to do their best, but we need to give them the right expectations of security. We need to secure every single asset as much as we can, as hard as we can. However, we should classify those assets and focus on the more important ones. We also should not forget that there is no such thing as security…


UNIX Command History

One of the great things about Mac OS X is that it is based on Unix. One of the greatest things in Unix is its terminal. However, on my new Mac I found that I needed to re-type every command even if I had just typed it before… Usually you expect your commands to be stored in .bash_history, and when you hit the up arrow key you should be able to see the previous commands you typed. That was not the case with this Mac.

I checked the /Users/ismail directory for a .bash_history file. There was none. I created it with the touch command:

touch .bash_history
That did not help… Next I saw that there was no .bash_profile file either. I created that with touch too:
touch .bash_profile

I then edited .bash_profile and added:
HISTFILESIZE=5000
HISTSIZE=5000
HISTFILE=/Users/ismailg/.bash_history

HISTFILESIZE
The maximum number of lines contained in the history file. When this variable is assigned a value, the history file is truncated, if necessary, to contain no more than that number of lines.

HISTSIZE
The number of commands to remember in the command history.

Now you should be able to use the arrow keys to get previous commands. In the next blog post we will discuss how to make Unix systems not record your commands even if you are a regular user on the box, and how to keep attackers from deleting .bash_history.