SlideShare a Scribd company logo

SANS Forensics 2009 - Memory Forensics and Registry Analysis

M
mooyix

This document summarizes Brendan Dolan-Gavitt's presentation on combining registry analysis and memory forensics. It discusses how the Windows registry contains both stable and volatile data, and how analyzing registry hives extracted from memory images allows accessing both types of data. The document outlines tools like VolReg and VolRip that were created to perform registry analysis on memory, enabling capabilities like extracting password hashes and tracking USB devices. Combining these forensic domains can provide new insights but some challenges remain regarding completeness of data in memory images.

1 of 33
Downloaded 445 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
Most read
19
20
Most read
21
22
23
24
Most read
25
26
27
28
29
30
31
32
33
Registry Analysis and Memory Forensics: Together at Last Brendan Dolan-Gavitt Georgia Institute of Technology
Who I Am • Developer on Volatility project • Grad student and researcher at Georgia Tech • Author of “Push the Red Button” blog
Overview
Overview • Registry Analysis
Overview • Registry Analysis • Memory Forensics +
Overview • Registry Analysis • Memory Forensics + • Combining the fields =
Overview • Registry Analysis • Memory Forensics + • Combining the fields = • Lots of examples throughout
Windows Registry • Centralized, hierarchical configuration database • Structured like a filesystem • Keys = Directories, Values = Files • Rich source of forensic information
Windows Registry (cont.) • Registry appears as unified tree, but is made up of distinct hives • Standard set of systemwide hives, as well as per-user hives • Note: Registry contains some volatile data available only at runtime
Registry Data • Removable media / USB keys • Artifacts from P2P programs • Malware persistence artifacts • Password hashes (encrypted)
Registry Forensics Tools • RegLookup • Fast, robust registry parser • Parse::Win32Registry • Lower level perl module • Good for rolling your own tools • RegRipper • Undisputed king of registry analysis • Produces reports of forensic info
Memory Forensics • Analysis of volatile data based on memory snapshots • Allows extraction of live data, with • Higher integrity (smaller attack surface) • Repeatable results • Ability to ask new questions later
Memory Forensics Tools • Memoryze • HBGary Responder • Volatility • GPL, collaborative development • Supports plugins • My favorite ;)
Data in Memory • Current tools can extract a ton of information from memory images • Processes • Loaded DLLs • Threads • Rootkit behavior • Drivers • Injected code • Open files • Encryption keys
Combining Registry and Memory Analysis • Windows keeps registry data in memory • By figuring out the internals of the Windows Configuration Manager... • We can combine these two fields!
Design Goals • Access stable registry data • Access volatile registry data • Speed up incident response • Apply existing registry analyses
Solution: VolReg • Suite of plugins for Volatility 1.3 • Provides API to access registry data from XPSP2 memory images • Adds new commands for: • Showing keys / values • Dumping registry as CSV • Extracting password hashes
VolReg: Hivescan $ volatility hivescan • Hivescan: finds raw offsets in -f image.dd Offset (hex) memory image of registry hives 42168328 42195808 0x2837008 0x283db60 47598392 0x2d64b38 • Not very useful by itself, but 155764592 155973608 0x948c770 0x94bf7e8 208587616 0xc6ecb60 needed for other plugins 208964448 234838880 0xc748b60 0xdff5b60 243852936 0xe88e688 • Once we have one hive offset, 251418760 252887048 0xefc5888 0xf12c008 256039736 0xf42db38 we can get a nicer list of all hives 269699936 339523208 0x10134b60 0x143cb688 in memory 346659680 377572192 0x14a99b60 0x16814b60
VolReg: Hivelist • Given one of the offsets from hivescan, finds all other hives in memory • Keep this list around! • The addresses in this list are what we will use for the other registry plugins
Hivelist Example $ volatility hivelist -f image.dd -o 0x2837008 Address Name 0xe2610b60 Documents and SettingsS----Local Settings[...]UsrClass.dat 0xe25f0578 Documents and SettingsS----NTUSER.DAT 0xe1d33008 Documents and SettingsLocalServiceLocal Settings[...]UsrClass.dat 0xe1c73888 Documents and SettingsLocalServiceNTUSER.DAT 0xe1c04688 Documents and SettingsNetworkServiceLocal Settings[...]UsrClass.dat 0xe1b70b60 Documents and SettingsNetworkServiceNTUSER.DAT 0xe1658b60 WINDOWSsystem32configsoftware 0xe1a5a7e8 WINDOWSsystem32configdefault 0xe165cb60 WINDOWSsystem32configSAM 0xe1a4f770 WINDOWSsystem32configSECURITY 0xe1559b38 [no name] 0xe1035b60 WINDOWSsystem32configsystem 0xe102e008 [no name]
VolReg: Printkey • Given a hive address and a key, prints the key and its subkeys and values • Shows last modified time, formats values according to type • Includes volatile keys & values as well • Good for just looking around
Printkey Example $ volatility printkey -f image.dd -o 0xe1035b60 Key name: $$$PROTO.HIV (Stable) Last updated: Mon Jul 4 18:16:59 2005 Subkeys: ControlSet001 (Stable) ControlSet002 (Stable) LastKnownGoodRecovery (Stable) SYSTEM hive MountedDevices (Stable) Select (Stable) Setup (Stable) WPA (Stable) Volatile data! CurrentControlSet (Volatile) Values: $ volatility printkey -f image.dd -o 0xe1035b60 CurrentControlSet Key name: CurrentControlSet (Volatile) Last updated: Mon Jul 4 18:16:59 2005 Subkeys: Values: REG_LINK SymbolicLinkValue : RegistryMachineSystemControlSet001 (Volatile)
VolReg: Hashdump • Local account password hashes are stored in the registry (encrypted) • Hashdump module decrypts and prints these hashes • If LanMan hash is in use, rainbow tables can recover password in minutes • Use this power for good :)
Hashdump Example System hive SAM hive $ volatility hashdump -f image.dd -y 0xe1035b60 -s 0xe165cb60 Administrator:500:08f3a52bdd35f179c81667e9d738c5d9:ed88cccbc08d1c18bcded317112555f4::: Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: HelpAssistant:1000:ddd4c9c883a8ecb2078f88d729ba2e67:e78d693bc40f92a534197dc1d3a6d34f::: SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:8bfd47482583168a0ae5ab020e1186a9::: phoenix:1003:07b8418e83fad948aad3b435b51404ee:53905140b80b6d8cbe1ab5953f7c1c51::: ASPNET:1004:2b5f618079400df84f9346ce3e830467:aef73a8bb65a0f01d9470fadc55a411c::: S----:1006:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: Hashes can now be cracked using John the Ripper, rainbow tables, etc.
Others (not shown) • Cachedump: dumps cached domain credentials • Lsadump: dumps LSA protected storage (can contain passwords) • Hivedump: dumps CSV of all keys and (optionally) values
Design Goals • Access stable registry data [✓] • Access volatile registry data [✓] • Speed up incident response [?] • Apply existing registry analyses [X]
Solution: VolRip • Python→Perl interface that makes VolReg look like Parse::Win32Registry • Now we can run RegRipper against memory! • Existing analysis plugins just work
VolRip Setup • Linux only (sorry!) • Requirements: Inline::Python, VolReg • Extract VolRip tarball into Volatility directory • Run rip.pl with the memory image and address of the hive: perl rip.pl -r image.dd@0xe1035b60 -f system
VolRip Example: Tracking USB Keys $ perl rip.pl -r image.dd@0xe1035b60 -p usbstor Launching usbstor v.20080418 USBStor ControlSet001EnumUSBStor Disk&Ven_Generic&Prod_STORAGE_DEVICE&Rev_0.01 [Sun Jun 27 05:58:42 2004] S/N: 6&a344881&0 [Wed Jun 30 00:23:07 2004] FriendlyName : Generic STORAGE DEVICE USB Device ParentIdPrefix: 7&192c45c3&0 Disk&Ven_LEXAR&Prod_JUMPDRIVE_SPORT&Rev_1000 [Sat Jun 25 16:50:48 2005] S/N: 0A4F1011180132130804&0 [Mon Jul 4 18:17:50 2005] FriendlyName : LEXAR JUMPDRIVE SPORT USB Device ParentIdPrefix: 7&2930a404&0 $ perl rip.pl -r image.dd@0xe1035b60 -p usbstor2 SPLATITUDE,Disk&Ven_Generic&Prod_STORAGE_DEVICE&Rev_0.01,6&a344881&0, 1088554987,Generic STORAGE DEVICE USB Device,7&192c45c3&0,DosDevicesE: SPLATITUDE,Disk&Ven_LEXAR&Prod_JUMPDRIVE_SPORT&Rev_1000,0A4F1011180132130804&0, 1120501070,LEXAR JUMPDRIVE SPORT USB Device,7&2930a404&0,DosDevicesD:
Design Goals • Access stable registry data [✓] • Access volatile registry data [✓] • Speed up incident response [✓] • Apply existing registry analyses [✓]
Caveats • Since analysis is done on memory, some things might be missing • Can be especially annoying with hash dumping -- both System and SAM must be in memory • Possible future direction: dump all available registry data, then use fragment recovery
Conclusions • Applying registry analysis to memory can give you powerful new tools! • Some existing registry tools can be coaxed into working with memory • Still need tools to analyze volatile registry data (new RegRipper plugins?)
Thanks! • To you all, for listening • To AAron Walters and the folks in #volatility • To Harlan Carvey, Tim Morgan, and many others for their work and insight on all matters registry-related ? ? ? ? ...any questions? ? ?

More Related Content

PPTX
Abusing Microsoft Kerberos - Sorry you guys don't get it
Benjamin Delpy
 
PDF
Ethereum-Cryptocurrency (All about Ethereum)
عطاءالمنعم اثیل شیخ
 
PDF
Continuous Go Profiling & Observability
ScyllaDB
 
PDF
Carlos García - Pentesting Active Directory [rooted2018]
RootedCON
 
PDF
Finding attacks with these 6 events
Michael Gough
 
PDF
Modern Kernel Pool Exploitation: Attacks and Techniques
Michael Scovetta
 
PDF
SSH
Zach Dennis
 
PPTX
Introduction to filesystems and computer forensics
Mayank Chaudhari
 
Abusing Microsoft Kerberos - Sorry you guys don't get it
Benjamin Delpy
 
Ethereum-Cryptocurrency (All about Ethereum)
عطاءالمنعم اثیل شیخ
 
Continuous Go Profiling & Observability
ScyllaDB
 
Carlos García - Pentesting Active Directory [rooted2018]
RootedCON
 
Finding attacks with these 6 events
Michael Gough
 
Modern Kernel Pool Exploitation: Attacks and Techniques
Michael Scovetta
 
SSH
Zach Dennis
 
Introduction to filesystems and computer forensics
Mayank Chaudhari
 

What's hot (20)

PPT
Stream ciphers presentation
degarden
 
PPT
Keyloggers.ppt
Chetanmalviya8
 
PDF
Scouter Tutorial & Sprint
GunHee Lee
 
PDF
ReCertifying Active Directory
Will Schroeder
 
PPTX
Memory forensics
Sunil Kumar
 
PDF
Secure Your Encryption with HSM
Narudom Roongsiriwong, CISSP
 
PPTX
PSConfEU - Offensive Active Directory (With PowerShell!)
Will Schroeder
 
PDF
MindMap - Forensics Windows Registry Cheat Sheet
Juan F. Padilla
 
PPTX
EVM - The Heart of Ethereum
Truong Nguyen
 
PDF
9
9klas
 
PDF
Fantastic Red Team Attacks and How to Find Them
Ross Wolf
 
PPT
Windowsforensics
Santosh Khadsare
 
PDF
Tracing MariaDB server with bpftrace - MariaDB Server Fest 2021
Valeriy Kravchuk
 
PDF
Blockcerts: The Open Standard for Blockchain Credentials
SSIMeetup
 
TXT
Getweeklyhoursbyuser
hasheemm
 
PDF
KeyLoggers - beating the shit out of keyboard since quite a long time
n|u - The Open Security Community
 
PPTX
You didnt see it’s coming? "Dawn of hardened Windows Kernel"
Peter Hlavaty
 
PDF
Windows logging cheat sheet
Michael Gough
 
PDF
UM2019 Extended BPF: A New Type of Software
Brendan Gregg
 
PDF
Linux fundamental - Chap 15 Job Scheduling
Kenny (netman)
 
Stream ciphers presentation
degarden
 
Keyloggers.ppt
Chetanmalviya8
 
Scouter Tutorial & Sprint
GunHee Lee
 
ReCertifying Active Directory
Will Schroeder
 
Memory forensics
Sunil Kumar
 
Secure Your Encryption with HSM
Narudom Roongsiriwong, CISSP
 
PSConfEU - Offensive Active Directory (With PowerShell!)
Will Schroeder
 
MindMap - Forensics Windows Registry Cheat Sheet
Juan F. Padilla
 
EVM - The Heart of Ethereum
Truong Nguyen
 
9
9klas
 
Fantastic Red Team Attacks and How to Find Them
Ross Wolf
 
Windowsforensics
Santosh Khadsare
 
Tracing MariaDB server with bpftrace - MariaDB Server Fest 2021
Valeriy Kravchuk
 
Blockcerts: The Open Standard for Blockchain Credentials
SSIMeetup
 
Getweeklyhoursbyuser
hasheemm
 
KeyLoggers - beating the shit out of keyboard since quite a long time
n|u - The Open Security Community
 
You didnt see it’s coming? "Dawn of hardened Windows Kernel"
Peter Hlavaty
 
Windows logging cheat sheet
Michael Gough
 
UM2019 Extended BPF: A New Type of Software
Brendan Gregg
 
Linux fundamental - Chap 15 Job Scheduling
Kenny (netman)
 
Ad

Viewers also liked (11)

PPTX
Windows Registry Forensics with Volatility Framework
Kapil Soni
 
PPT
Windows forensic artifacts
n|u - The Open Security Community
 
PPT
Live Memory Forensics on Android devices
Nikos Gkogkos
 
PPT
Mac Memory Analysis with Volatility
Andrew Case
 
PPT
Memory Forensics
Prince Boonlia
 
PPTX
Li-Fi : Future Technology in Wireless Communication
Kapil Soni
 
PDF
CNIT 127 Ch Ch 1: Before you Begin
Sam Bowne
 
PDF
CNIT 128 Ch 6: Mobile services and mobile Web (part 2: SAML to end)
Sam Bowne
 
PDF
Practical Malware Analysis: Ch 15: Anti-Disassembly
Sam Bowne
 
PDF
CNIT 126 9: OllyDbg
Sam Bowne
 
PDF
CNIT 127 Lecture 7: Intro to 64-Bit Assembler (not in book)
Sam Bowne
 
Windows Registry Forensics with Volatility Framework
Kapil Soni
 
Windows forensic artifacts
n|u - The Open Security Community
 
Live Memory Forensics on Android devices
Nikos Gkogkos
 
Mac Memory Analysis with Volatility
Andrew Case
 
Memory Forensics
Prince Boonlia
 
Li-Fi : Future Technology in Wireless Communication
Kapil Soni
 
CNIT 127 Ch Ch 1: Before you Begin
Sam Bowne
 
CNIT 128 Ch 6: Mobile services and mobile Web (part 2: SAML to end)
Sam Bowne
 
Practical Malware Analysis: Ch 15: Anti-Disassembly
Sam Bowne
 
CNIT 126 9: OllyDbg
Sam Bowne
 
CNIT 127 Lecture 7: Intro to 64-Bit Assembler (not in book)
Sam Bowne
 
Ad

Similar to SANS Forensics 2009 - Memory Forensics and Registry Analysis (20)

PDF
You suck at Memory Analysis
Francisco Ribeiro
 
PDF
Registry
messyclick
 
PPT
Registry forensics
Prince Boonlia
 
PDF
Mem forensic
Chong-Kuan Chen
 
PPT
Vista Forensics
CTIN
 
PDF
Defeating Windows memory forensics
lmilkovic
 
PPTX
Windows forensic
MD SAQUIB KHAN
 
PDF
Hunting malware with volatility v2.0
Frank Boldewin
 
PDF
Memory forensics cheat sheet
Martin Cabrera
 
PPTX
Concepts of Malicious Windows Programs
Natraj G
 
PDF
Blackhat USA 2011 - Cesar Cerrudo - Easy and quick vulnerability hunting in W...
Michael Boman
 
PDF
nullcon 2011 - Memory analysis – Looking into the eye of the bits
n|u - The Open Security Community
 
PPTX
Unmasking Careto through Memory Forensics (video in description)
Andrew Case
 
PDF
Marat-Slides
Marat Vyshegorodtsev
 
PDF
3
Marat Vyshegorodtsev
 
PDF
www.indonezia.net Hacking Windows Registry
Chandra Pr. Singh
 
PDF
Hta f42
SelectedPresentations
 
PDF
CNIT 152: 12b Windows Registry
Sam Bowne
 
PPTX
Windows Registry
primeteacher32
 
PDF
Memory Forensic CheatSheet - SANS Institute
Anderson Carvalho Silva
 
You suck at Memory Analysis
Francisco Ribeiro
 
Registry
messyclick
 
Registry forensics
Prince Boonlia
 
Mem forensic
Chong-Kuan Chen
 
Vista Forensics
CTIN
 
Defeating Windows memory forensics
lmilkovic
 
Windows forensic
MD SAQUIB KHAN
 
Hunting malware with volatility v2.0
Frank Boldewin
 
Memory forensics cheat sheet
Martin Cabrera
 
Concepts of Malicious Windows Programs
Natraj G
 
Blackhat USA 2011 - Cesar Cerrudo - Easy and quick vulnerability hunting in W...
Michael Boman
 
nullcon 2011 - Memory analysis – Looking into the eye of the bits
n|u - The Open Security Community
 
Unmasking Careto through Memory Forensics (video in description)
Andrew Case
 
Marat-Slides
Marat Vyshegorodtsev
 
3
Marat Vyshegorodtsev
 
www.indonezia.net Hacking Windows Registry
Chandra Pr. Singh
 
Hta f42
SelectedPresentations
 
CNIT 152: 12b Windows Registry
Sam Bowne
 
Windows Registry
primeteacher32
 
Memory Forensic CheatSheet - SANS Institute
Anderson Carvalho Silva
 

SANS Forensics 2009 - Memory Forensics and Registry Analysis

  • 1. Registry Analysis and Memory Forensics: Together at Last Brendan Dolan-Gavitt Georgia Institute of Technology
  • 2. Who I Am • Developer on Volatility project • Grad student and researcher at Georgia Tech • Author of “Push the Red Button” blog
  • 6. Overview • Registry Analysis • Memory Forensics + • Combining the fields =
  • 7. Overview • Registry Analysis • Memory Forensics + • Combining the fields = • Lots of examples throughout
  • 8. Windows Registry • Centralized, hierarchical configuration database • Structured like a filesystem • Keys = Directories, Values = Files • Rich source of forensic information
  • 9. Windows Registry (cont.) • Registry appears as unified tree, but is made up of distinct hives • Standard set of systemwide hives, as well as per-user hives • Note: Registry contains some volatile data available only at runtime
  • 10. Registry Data • Removable media / USB keys • Artifacts from P2P programs • Malware persistence artifacts • Password hashes (encrypted)
  • 11. Registry Forensics Tools • RegLookup • Fast, robust registry parser • Parse::Win32Registry • Lower level perl module • Good for rolling your own tools • RegRipper • Undisputed king of registry analysis • Produces reports of forensic info
  • 12. Memory Forensics • Analysis of volatile data based on memory snapshots • Allows extraction of live data, with • Higher integrity (smaller attack surface) • Repeatable results • Ability to ask new questions later
  • 13. Memory Forensics Tools • Memoryze • HBGary Responder • Volatility • GPL, collaborative development • Supports plugins • My favorite ;)
  • 14. Data in Memory • Current tools can extract a ton of information from memory images • Processes • Loaded DLLs • Threads • Rootkit behavior • Drivers • Injected code • Open files • Encryption keys
  • 15. Combining Registry and Memory Analysis • Windows keeps registry data in memory • By figuring out the internals of the Windows Configuration Manager... • We can combine these two fields!
  • 16. Design Goals • Access stable registry data • Access volatile registry data • Speed up incident response • Apply existing registry analyses
  • 17. Solution: VolReg • Suite of plugins for Volatility 1.3 • Provides API to access registry data from XPSP2 memory images • Adds new commands for: • Showing keys / values • Dumping registry as CSV • Extracting password hashes
  • 18. VolReg: Hivescan $ volatility hivescan • Hivescan: finds raw offsets in -f image.dd Offset (hex) memory image of registry hives 42168328 42195808 0x2837008 0x283db60 47598392 0x2d64b38 • Not very useful by itself, but 155764592 155973608 0x948c770 0x94bf7e8 208587616 0xc6ecb60 needed for other plugins 208964448 234838880 0xc748b60 0xdff5b60 243852936 0xe88e688 • Once we have one hive offset, 251418760 252887048 0xefc5888 0xf12c008 256039736 0xf42db38 we can get a nicer list of all hives 269699936 339523208 0x10134b60 0x143cb688 in memory 346659680 377572192 0x14a99b60 0x16814b60
  • 19. VolReg: Hivelist • Given one of the offsets from hivescan, finds all other hives in memory • Keep this list around! • The addresses in this list are what we will use for the other registry plugins
  • 20. Hivelist Example $ volatility hivelist -f image.dd -o 0x2837008 Address Name 0xe2610b60 Documents and SettingsS----Local Settings[...]UsrClass.dat 0xe25f0578 Documents and SettingsS----NTUSER.DAT 0xe1d33008 Documents and SettingsLocalServiceLocal Settings[...]UsrClass.dat 0xe1c73888 Documents and SettingsLocalServiceNTUSER.DAT 0xe1c04688 Documents and SettingsNetworkServiceLocal Settings[...]UsrClass.dat 0xe1b70b60 Documents and SettingsNetworkServiceNTUSER.DAT 0xe1658b60 WINDOWSsystem32configsoftware 0xe1a5a7e8 WINDOWSsystem32configdefault 0xe165cb60 WINDOWSsystem32configSAM 0xe1a4f770 WINDOWSsystem32configSECURITY 0xe1559b38 [no name] 0xe1035b60 WINDOWSsystem32configsystem 0xe102e008 [no name]
  • 21. VolReg: Printkey • Given a hive address and a key, prints the key and its subkeys and values • Shows last modified time, formats values according to type • Includes volatile keys & values as well • Good for just looking around
  • 22. Printkey Example $ volatility printkey -f image.dd -o 0xe1035b60 Key name: $$$PROTO.HIV (Stable) Last updated: Mon Jul 4 18:16:59 2005 Subkeys: ControlSet001 (Stable) ControlSet002 (Stable) LastKnownGoodRecovery (Stable) SYSTEM hive MountedDevices (Stable) Select (Stable) Setup (Stable) WPA (Stable) Volatile data! CurrentControlSet (Volatile) Values: $ volatility printkey -f image.dd -o 0xe1035b60 CurrentControlSet Key name: CurrentControlSet (Volatile) Last updated: Mon Jul 4 18:16:59 2005 Subkeys: Values: REG_LINK SymbolicLinkValue : RegistryMachineSystemControlSet001 (Volatile)
  • 23. VolReg: Hashdump • Local account password hashes are stored in the registry (encrypted) • Hashdump module decrypts and prints these hashes • If LanMan hash is in use, rainbow tables can recover password in minutes • Use this power for good :)
  • 24. Hashdump Example System hive SAM hive $ volatility hashdump -f image.dd -y 0xe1035b60 -s 0xe165cb60 Administrator:500:08f3a52bdd35f179c81667e9d738c5d9:ed88cccbc08d1c18bcded317112555f4::: Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: HelpAssistant:1000:ddd4c9c883a8ecb2078f88d729ba2e67:e78d693bc40f92a534197dc1d3a6d34f::: SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:8bfd47482583168a0ae5ab020e1186a9::: phoenix:1003:07b8418e83fad948aad3b435b51404ee:53905140b80b6d8cbe1ab5953f7c1c51::: ASPNET:1004:2b5f618079400df84f9346ce3e830467:aef73a8bb65a0f01d9470fadc55a411c::: S----:1006:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: Hashes can now be cracked using John the Ripper, rainbow tables, etc.
  • 25. Others (not shown) • Cachedump: dumps cached domain credentials • Lsadump: dumps LSA protected storage (can contain passwords) • Hivedump: dumps CSV of all keys and (optionally) values
  • 26. Design Goals • Access stable registry data [✓] • Access volatile registry data [✓] • Speed up incident response [?] • Apply existing registry analyses [X]
  • 27. Solution: VolRip • Python→Perl interface that makes VolReg look like Parse::Win32Registry • Now we can run RegRipper against memory! • Existing analysis plugins just work
  • 28. VolRip Setup • Linux only (sorry!) • Requirements: Inline::Python, VolReg • Extract VolRip tarball into Volatility directory • Run rip.pl with the memory image and address of the hive: perl rip.pl -r image.dd@0xe1035b60 -f system
  • 29. VolRip Example: Tracking USB Keys $ perl rip.pl -r image.dd@0xe1035b60 -p usbstor Launching usbstor v.20080418 USBStor ControlSet001EnumUSBStor Disk&Ven_Generic&Prod_STORAGE_DEVICE&Rev_0.01 [Sun Jun 27 05:58:42 2004] S/N: 6&a344881&0 [Wed Jun 30 00:23:07 2004] FriendlyName : Generic STORAGE DEVICE USB Device ParentIdPrefix: 7&192c45c3&0 Disk&Ven_LEXAR&Prod_JUMPDRIVE_SPORT&Rev_1000 [Sat Jun 25 16:50:48 2005] S/N: 0A4F1011180132130804&0 [Mon Jul 4 18:17:50 2005] FriendlyName : LEXAR JUMPDRIVE SPORT USB Device ParentIdPrefix: 7&2930a404&0 $ perl rip.pl -r image.dd@0xe1035b60 -p usbstor2 SPLATITUDE,Disk&Ven_Generic&Prod_STORAGE_DEVICE&Rev_0.01,6&a344881&0, 1088554987,Generic STORAGE DEVICE USB Device,7&192c45c3&0,DosDevicesE: SPLATITUDE,Disk&Ven_LEXAR&Prod_JUMPDRIVE_SPORT&Rev_1000,0A4F1011180132130804&0, 1120501070,LEXAR JUMPDRIVE SPORT USB Device,7&2930a404&0,DosDevicesD:
  • 30. Design Goals • Access stable registry data [✓] • Access volatile registry data [✓] • Speed up incident response [✓] • Apply existing registry analyses [✓]
  • 31. Caveats • Since analysis is done on memory, some things might be missing • Can be especially annoying with hash dumping -- both System and SAM must be in memory • Possible future direction: dump all available registry data, then use fragment recovery
  • 32. Conclusions • Applying registry analysis to memory can give you powerful new tools! • Some existing registry tools can be coaxed into working with memory • Still need tools to analyze volatile registry data (new RegRipper plugins?)
  • 33. Thanks! • To you all, for listening • To AAron Walters and the folks in #volatility • To Harlan Carvey, Tim Morgan, and many others for their work and insight on all matters registry-related ? ? ? ? ...any questions? ? ?