Chapter 3 CASE STUDIES: the SYSTEM

Chapter 3 CASE STUDIES: the SYSTEM

3 CASE STUDIES: THE SYSTEM INFORMATION IN THIS CHAPTER • Security and SAM Hives • System Hive • Software Hive • BCD Hive Introduction When I sat down to write this book, I was aware that for most folks, providing spreadsheets, tables, and lists of Registry keys and values would not be an entirely effective means of com- municating and sharing information about Registry analysis. In fact, after writing the first edition of Windows Forensic Analysis (Syngress Publishing, published in 2007, a.k.a., WFA), it was pretty clear to me that listing Registry keys and files wasn’t as effective as providing examples of Registry analysis, and of how all of these could be used together. When I began writing the second edition of WFA, I specifically included a chapter on just “case studies,” in hopes of demonstrating how I and others have used various data sources from a Windows system, in incident response and forensic analysis scenarios, to gather information and build an overall picture to solve the challenges we were fac- ing. Talking with others, I can see how this can be an effective approach … leaving someone with stacks of lumber and roof- ing shingles and some tools and nails does not help his or her build a house. However, showing someone how a house can be built, with some of the various places where modifications can be made, is more of a “teach a man to fish” approach, and it can lead to more involvement in Registry analysis, in particular, and Windows forensic analysis as a whole. Windows Registry Forensics. DOI: 10.1016/B978-1-59749-580-6.00003-6 © 2011 Elsevier Inc. All rights reserved. 85 86 Chapter 3 CASE STUDIES: THE SYSTEM In short, this chapter (and the one after it) will not be a comprehensive list of all possible Registry keys and values that would be of interest to an analyst, mapped against vari- ous types of examinations. Rather, we will take a look at some use cases, as well as some scenarios that I and others have run across, and problems that we’ve encountered and solved. My overall goal is to demonstrate how easily data from the Registry can be extracted, and how it can be used to further an examination. Security and SAM Hives The first hives we’ll look at are the Security and SAM hives, in part, because they have perhaps the least amount of data avail- able (“pound for pound,” so to speak) compared with the System and Software hives. These hives contain some useful informa- tion, and there’s no question that what they can provide can be extremely valuable during an examination, but the data in the other two hives, in my experience, is both considerably more expansive and fluid. Data from the Security Hive At the time of this writing, I am aware of little data that might be relevant to an examination that has been discussed publicly; however, there are a few keys and values that are of interest. One such Registry key is “PolAcDms,” which was mentioned in the Wikipedia page on security identifiers [1]. The “Default” value within this key contains the security identifier (SID) for the sys- tem (or “machine”), which is a unique name that identifies an object, and in this case, the system. As we will address later in this chapter, this information can be used to determine which users on a system are local users, and which users are domain users, which is something that can be very useful with respect to a domain-connected (as opposed to standalone) system and, in particular, a system with multiple domain trusts. Parsing the SID from the binary data is not an arduous task, and is included in the RegRipper polacdms.pl plug-in, the output of which (when run against a Security hive extracted from a Vista system) is shown as follows: Launching polacdms v.20100531 PolAcDmS Policy\PolAcDmS LastWrite Time Fri Aug 31 15:14:53 2007 (UTC) Chapter 3 CASE STUDIES: THE SYSTEM 87 Machine SID: S-1-5-21-3831915772-716441274-3601324335 PolPrDmS Policy\PolPrDmS LastWrite Time Thu Nov 2 12:48:01 2006 (UTC) Primary Domain SID: S-1-5- Not only does this plug-in extract and parse the machine SID from the PolAcDmS key, but it also extracts and parses the domain SID (for the domain to which the system was connected) from the PolPrDmS key. In this example, the Security hive was extracted from a standalone system used by a home user. In instances where the system was connected to a domain, the pri- mary domain SID can be parsed from the “Default” value of that key, and it will be visible following “Primary Domain SID:”. Later in this chapter, we’ll discuss local user accounts found in the SAM hive, as well as the ProfileList key from the Software hive, and see how an analyst can use this information. The other key that is of use and interest to analysts from the Security hive is the “PolAdtEv” key. Parsing the binary data retrieved from this value is not a trivial task. However, our under- standing of how this data can be parsed and understood can be helped along with Microsoft (MS) KnowledgeBase (KB) article 246120 [2]. As stated, this article applies to Windows NT 4.0, and there are only seven areas of auditing listed in the article. However, Figure 3.1 Audit Policy through Windows XP has nine areas of auditing, as illustrated in Figure 3.1. Local Security Settings (Windows XP) 88 Chapter 3 CASE STUDIES: THE SYSTEM In order to view the information illustrated in Figure 3.1, all we need to do is open the Administrative Tools Control Panel applet and select the Local Security Policy shortcut. Another way to view this information (one that is useful during live response, as it can be added to a batch file) is to run auditpol.exe; running it on that same live system, the following can be observed: D:\tools>auditpol Running ... (X) Audit Enabled System = No Logon = No Object Access = No Privilege Use = Success and Failure Process Tracking = No Policy Change = No Account Management = No Directory Service Access = No Account Logon = No Okay, so that’s how we can extract the information from a live system, but what about from an acquired image? Using MS KB article 246120 as a basis and toggling various settings on and off, we can see what modifications affect which areas of the data, and develop an extrapolation of the data to our Windows XP system. Or, the RegRipper plug-in auditpol.pl can be used to extract and parse the necessary information, either as part of a plug-ins file or run individually through rip.pl (or rip.exe), as shown below: Launching auditpol v.20080327 auditpol Policy\PolAdtEv LastWrite Time Mon Jul 12 18:09:46 2010 (UTC) Auditing is enabled. Audit System Events = N Audit Logon Events = N Audit Object Access = N Audit Privilege Use = S/F Audit Process Tracking = N Audit Policy Change = N Audit Account Management = N Audit Dir Service Access = N Audit Account Logon Events = N This information can be very valuable as it tells us a lot about the state of auditing on the system at the time that an image was Chapter 3 CASE STUDIES: THE SYSTEM 89 acquired. First, the LastWrite time of the key lets us know when the settings were last modified (the time is listed in Universal Coordinated Time, or UTC). This can be very helpful in under- standing why we see, or don’t see, certain events in the Event Log, as well as provide an indication of when the audit policy was changed. There’ve been a number of examinations where I’ve created a time line and seen clearly when the incident occurred, and seen that as a result of response and remediation actions taken by local IT staff, antivirus scans have been run and the audit policy has been updated, just before an image was acquired from the system. Next, we see whether or not auditing is enabled, and if so, which events are audited. This will also provide us with some indication of what we can expect to see in the Event Log. For example, if auditing of successful logon events isn’t enabled, then we wouldn’t expect to be able to see when someone logged into the system using a user account, either legitimately or as a result of compromised credentials. I have used this informa- tion during examinations quite extensively; during one instance, I used the fact that auditing for both successful logins and failed log-in attempts were both enabled, but there were no indications of remote logins through the Remote Desktop Protocol (RDP), to further illustrate that a particular user account had been accessed locally and used to view illegal images. It is important to note that while this key and value exist on Windows Vista and 7 systems, there has yet to be extensive test- ing on these systems. Figure 3.2 illustrates the audit policy on a Windows 7 Ultimate system. As you can see from Figure 3.2, there are nine areas of audit- ing listed, just as there are with Windows XP. In fact, the audit policies in Figures 3.1 and 3.2 look very similar. However, the “Default” value for the PolAdtEv key on Windows XP contains data that is 44 bytes long, whereas on available Windows Vista and 2008 systems, the data is 136 bytes long, and 138 bytes on available Windows 7 systems.

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    73 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us