System Combo Timeline:
The syscombotln tool has been updated to fix several bugs and time/date issues. I have also decided to stop being lazy and updated all of the internal modules and external scripts/tools associated with this tool to properly handle the TLN format as Harlan outlined. This includes the TLN.EnScript which is NOT included in the syscombotln tool.
New functionality includes parsing the Windows XP setupapi.log file. I have included this functionality due to a little analysis trick pointed out to me by Jason Luttgens and Jon Gross of Mandiant. Basically any time a Windows Help (chm) file is executed the information is logged in the user’s HTML Help (hh.dat) file. This information can be used to specify some Initial Infection Vector information. This information, in turn, may be augmented by driver-based information which, in Windows XP, is logged in the setupapi.log file. I cannot provide specifics at this time, but I can tell you that you will know suspicious entries when you see them. (If anybody has specific examples, please provide them in the comments.) Although I have not had time to parse the hh.dat file, I have had time to parse the setupapi.log file. The syscombotln module for this file is very basic but it should handle all files well (please let me know if you experience cases where it does not). An added benefit of parsing this log file is that external USB storage device installation information will also be added to your timelines. And if there are anti-forensic efforts recommending deleting this log, you know we want to review it’s information and add it to our timelines.
Just a quick note. When researching the information in the last post I ran across this great resource by IronGeek. Once again he has posted some amazing content. Take a look at his “Forensically interesting spots in the Windows 7, Vista and XP file system and registry” resource. You might have known about this, but it is new to me, so just in case you missed it as well.
Scripts and Tools:
I have decided to start uploading my scripts and tools when I generate an update. To this end I have created the Scripts and Tools page which includes some Window Registry tools (including some older RegRipper plugins) and a few Enscripts. Check this page often for updates and new scripts/tools. Leave comments with comments, updates, requests. To help with consistency, I have also started using Subversion to help me track development of all my projects. Basically because I have been brow-beating (unsuccessfully) Harlan to do the same with his tools. I have started keeping all my projects on an external USB drive (which I backup often). To keep each project separate I use the following steps.
- Copy folder to Projects directory.
- Type “svnadmin create /media/<usb drive>/Dev/Projects/Repo/<project name>”
- Type “svn import <project name> file:///media/<usb drive>/Dev/Projects/Repo/<project name> -m “Initial Import”
- Move original project directory “mv <project name> <project name>_bk”
- Check out repository “svn checkout file:///media/<usb drive>/Dev/Projects/Repo/<project name> <project name>”
- Double check files are there and work with it a little while.
- Delete _bk
This works across Linux systems and should work on Windows systems using something like tortoisesvn. Hopefully you find that useful for your script and tool development.
Help support my training and travel to security conferences. Get your SANS Training and GIAC Certifications through the Security Ripcord.
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported.