FYI: there are other artifacts that log USB connections (the setupapi log and the MountPoints2 key in NTUSER.DAT, for example); this post deals only with the SYSTEM hive. All hives were preserved in Logical Evidence File (L01) format. Using EnCase I took a look at the L01 files. Based on the full path information of the SYSTEM registry hives collected, it appeared they came from both the active location (%SystemRoot%\system32\config) and Restore Point locations.
For this engagement I needed to report every date/time at which a USB device was connected, based on the SYSTEM registry hives provided...
Since I was dealing with hives from various hosts within the L01s, the only thing separating them was the directory structure (full path information) they were preserved in. It would be key to preserve that same full path information for each hive in whatever output/report I created, so that a hive could be tied back to a specific host later on.
Therefore, it was time to put my thinking cap on. Below is the list of options I came up with:
- Manually parse out the Hives.
- Run the EnCase Advanced EnScript USB parser, but it outputs a messy log file that is not delimited. Experience also tells me it can be hit or miss.
- Export the hives and run RegRipper on each of them one by one, manually building a report as I go.
- Build a RegRipper batch script, but that would not preserve the file name and full path of the source hive in the output.
- Script that sh!@t!!
The requirements of the tool needed to be:
- Recursively walk a directory structure (using EnCase I exported all L01s to a case folder, preserving folder paths).
- Identify any "SYSTEM" or "_REGISTRY_MACHINE_SYSTEM" registry hives.
- For each hive it finds:
  - Append the file name to a processing audit log.
  - Run RegRipper against it with a specific plugin (usbstor3, to list all USB connections).
  - Import the RegRipper output into an in-memory Python list/db.
  - For each line imported, append the full path of the original hive parsed (for audit purposes; this allows me to tie a hive back to its original source later).
- Export a CSV report covering all hive files found.
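The requirements above, implemented end to end as an added example (this is not the author's script and is not part of the original post). It assumes `rip.pl` is on the PATH (overridable with a `RIP_CMD` environment variable) and that the `usbstor3` plugin is installed; the `SAMPLE_OUTPUT` text and the directory layout built by `demo()` are constructed for illustration and do not reproduce the real layout of usbstor3 output. Each non-blank line the plugin emits becomes one CSV row tagged with the hive's full path and line number, which is what lets a row be traced back to a host.

```python
#!/usr/bin/env python3
"""Walk an exported L01 directory tree, run RegRipper's usbstor3 plugin
against every SYSTEM hive found, and write one CSV in which each output
line carries the full path of the hive it came from.

Added example, not the blog author's script.  Assumes rip.pl is on PATH
(override with RIP_CMD) and that the usbstor3 plugin exists.
SAMPLE_OUTPUT is constructed and is not real plugin output.
"""
import csv
import os
import subprocess
import sys
import tempfile

HIVE_NAMES = {"SYSTEM", "_REGISTRY_MACHINE_SYSTEM"}
RIP_CMD = os.environ.get("RIP_CMD", "rip.pl")
PLUGIN = "usbstor3"
FIELDS = ["hive_path", "line_no", "output"]


def find_hives(root):
    """Recursively walk root and return full paths of SYSTEM hives.
    Both the active-hive name and the Restore Point name are matched,
    case-insensitively; the list is sorted so the report order is stable."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.upper() in HIVE_NAMES:
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def run_ripper(hive_path, plugin=PLUGIN, rip_cmd=RIP_CMD):
    """Run RegRipper with one plugin (rip.pl -r <hive> -p <plugin>) and
    return its stdout.  A non-zero exit raises instead of silently leaving
    an empty section in the report."""
    proc = subprocess.run([rip_cmd, "-r", hive_path, "-p", plugin],
                          capture_output=True, text=True, check=False)
    if proc.returncode != 0:
        raise RuntimeError(f"{rip_cmd} failed on {hive_path}: {proc.stderr.strip()}")
    return proc.stdout


def tag_lines(hive_path, output):
    """Turn plugin output into rows: every non-blank line is kept verbatim
    and tagged with the hive's full path and line number."""
    return [{"hive_path": hive_path, "line_no": i, "output": line.rstrip()}
            for i, line in enumerate(output.splitlines(), 1) if line.strip()]


def process_tree(root, out_csv, audit_log, ripper=run_ripper):
    """Audit-log each hive, rip it, tag its output, write the CSV.
    `ripper` is injectable so everything else can run without rip.pl."""
    rows = []
    with open(audit_log, "a", encoding="utf-8") as log:
        for hive in find_hives(root):
            log.write(hive + "\n")  # processing audit trail
            rows.extend(tag_lines(hive, ripper(hive)))
    with open(out_csv, "w", newline="", encoding="utf-8") as fh:
        writer = csv.DictWriter(fh, fieldnames=FIELDS)
        writer.writeheader()
        writer.writerows(rows)
    return len(rows)


# Constructed stand-in for usbstor3 output; the real plugin's layout differs.
SAMPLE_OUTPUT = """usbstor3 (constructed sample, not real plugin output)

Disk&Ven_Example&Prod_Flash&Rev_1.00 [Mon Jan  4 12:00:00 2010]
  S/N: 0123456789 [Mon Jan  4 12:00:00 2010]
    FriendlyName : Example Flash USB Device
"""


def demo():
    """Build a tiny export tree (one active hive, one Restore Point hive,
    one SOFTWARE hive that must be ignored), run the pipeline with a stub
    in place of rip.pl, and return what landed in the audit log and CSV."""
    with tempfile.TemporaryDirectory() as tmp:
        active = os.path.join(tmp, "HOST1", "WINDOWS", "system32", "config")
        restore = os.path.join(tmp, "HOST2", "System Volume Information",
                               "_restore{placeholder-guid}", "RP12", "snapshot")
        os.makedirs(active)
        os.makedirs(restore)
        for path in (os.path.join(active, "SYSTEM"),
                     os.path.join(active, "SOFTWARE"),
                     os.path.join(restore, "_REGISTRY_MACHINE_SYSTEM")):
            open(path, "wb").close()
        out_csv = os.path.join(tmp, "usb_report.csv")
        audit = os.path.join(tmp, "audit.log")
        n = process_tree(tmp, out_csv, audit, ripper=lambda hive: SAMPLE_OUTPUT)
        with open(out_csv, newline="", encoding="utf-8") as fh:
            rows = list(csv.DictReader(fh))
        with open(audit, encoding="utf-8") as fh:
            audited = fh.read().splitlines()
    return {"rows": n,
            "hive_names": [os.path.basename(p) for p in audited],
            "csv": rows}


if __name__ == "__main__":
    if len(sys.argv) != 4:
        sys.exit(f"usage: {sys.argv[0]} <export_root> <out.csv> <audit.log>")
    print(f"{process_tree(*sys.argv[1:4])} rows written")
```

Run it as `python usb_rip.py <export_root> usb_report.csv audit.log`. Keeping the plugin output verbatim rather than parsing device names or timestamps out of it is deliberate: the raw text is what you would cite in the report, and the hive_path column is the only thing you need to get from a row back to a host.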