Monday, November 28, 2011

Extending Reg Ripper, again.

A few months ago I posted how to automate the process of reporting all date/time instances a USB connection was made (including from Restore Points), using a combination of Mount Image Pro, SubInACL.exe, Reg Ripper, and some batch script Kung Foo. For one engagement, the scope was 50 + hard drives. Exercising this process reduced analysis time from hours to minutes per hard drive and translated into a significant time and cost savings to the client.

Recently, I received 50 + SYSTEM registry hives from various host systems. Note, due to special circumstances only the SYSTEM hives were provided -- fyi -- there are other artifacts that log USB connections. All hives where preserved in Logical Evidence File (L01s) format. Using Encase I took a look at the L01 files. Based on full path information of the SYSTEM registry hives collected, it appeared they were from both active and Restore Point locations.

For this engagement I needed to report all date/time instances a USB connection was made based on the SYSTEM registry hives provided...

Since I was dealing with hives from various hosts within the L01s-- the only thing segregating them was the directory structure  (full path information) they were preserved in. It would be key to preserve this same full path information for each hive in whatever output/report created. This would allow one to tie a Hive back to a specific host later on.

Therefore, it was time to put my thinking cap on. Below is the list of options I came up with:
  1. Manually parse out the Hives.
  2. Run the Encase Advanced Enscript USB parser, but that outputs into a messy log file that is not delimited. Experience also tells me it can be hit or miss.
  3. Export the Hives and run Reg Ripper on each of them one by one, manually building a report as I go.
  4. Build a Reg Ripper batch script, but this would not preserve the file name and full path source of the hive in the output.
  5. Script that sh!@t!!
I like being challenged so scripting that sh!@t using Python sounded trivial. Note, as I stated in my post about using Python to automate the process of creating folder structures, my coding skillz are script kiddie at best so please no LuLzing.

The requirements of the tool needed to be:
  • Recursively walk through a directory structure (using Encase I exported all L01's preserving folder paths to a case folder).
  • Identify any "SYSTEM" or "_REGISTRY_MACHINE_SYSTEM" registry hives.
  • For each Hive it finds:
    • Append File name to processing audit log
    • Run Reg Ripper against it with specific plug in ( USBSTOR3 to show me all USB connections)
    • Import Reg Ripper output into Python memory based list/db
    • For each line imported, append full path of original hive parsed (for audit purposes -- will allow me to tie a hive back to it's original source later).
  • Export CSV report for all hive files found.
Below is the pretty Python code I compiled. For fun I’m going to try to add some error handling, convert to OO, and port into an Executable. For now, all I can say is it works and saved me a ton of manual effort/time.

import os, fnmatch, csv
a = []

def find_files(directory, pattern): #Recursively walk directory path for files
    print 'Recursively search directory for SYSTEM hives..'
    for root, dirs, files in os.walk(directory):
        for basename in files:
            if fnmatch.fnmatch(basename, pattern):
                filename = os.path.join(root, basename)
                yield filename

for filename in find_files('C:\directory_structure_to_search)' , '*SYSTEM'):  #Define dir path and hive type to look for
    print 'Found Hive:', filename
    print 'Ripping...'
    os.system('""C:\\Program Files (x86)\\RegRipper032911\\rip.exe " -r "' + filename + '" -p usbstor3> c:\\final.csv"')
    print 'Done Ripping.'
    print 'Processing Output...'

    with open('c:\\final.csv', 'r+') as f: #Import RegRipper output into list
        writer = csv.writer(f)
        reader = csv.reader(f)
        for row in reader:
    log = open('c:\\log.txt', 'r+') #Append each processed file to log output
    log.writelines(filename + '\n')   

output = open('c:\\output.csv', 'r+') #print 'Writing output CSV'
wr = csv.writer(output)
for i in a:
    print i
print a
print 'Done'

Dav Nads

1 comment: