Obtaining Information about the Operating System
Sunday, July 31, 2011
When I approach an analysis I perform the same initial steps to shed light on the system under examination. The first step is to review the master boot record and the second step is to obtain general information about the operating system and its configuration. The impact of the information on a digital forensic analysis can be significant.
Quick note before anyone takes the time to read further. My post doesn’t offer any new information. The registry keys referenced are well documented and the automation of Regripper is not new. I find it helpful to see how other analysts use tools and I thought others may feel the same way. My post demonstrates how Regripper can be automated in a batch file to reveal general information about a system; thereby saving some time when completing the information gathering examination step.
RegRipper is an open source tool for extracting data stored in the registry. When reviewing RegRipper's output I reference a document I created (it outlines various artifacts) so that I can look at the data from the registry keys in a specific order. I never thought twice about reviewing the output like this since I was only getting the initial information about the operating system. A couple of weeks ago I was going through RegRipper reports when it dawned on me that I should automate the process and create one report showing the information from the registry keys in a specific order. I wrote a small batch script to automate the creation of the operating system information report. If you just want the script then use the link at the end of the post. Otherwise, keep reading to see my thought process for how I put the script together before checking out the file. The script organizes information into the following five categories: general operating system information, user information, software information, networking information, and storage locations.
Thought Process behind the Batch File
General Operating System Information
The first category has a significant impact on how the examination is conducted since it contains information about the operating system such as the version, timezone settings, and machine security identifier (SID). The operating system version dictates where certain artifacts are located and which tools can be used. The timezone settings are needed to convert the UTC timestamps stored in the registry and the NTFS file system into the local time the user actually saw. The machine SID comes into play when looking at the user accounts' SIDs: a user SID whose prefix matches the machine SID belongs to a local account, while any other prefix (such as a domain SID) identifies an account from another system or domain. The following is the category's information of interest and the registry keys containing the data:
* Operating system version and product name (HKLM\Software\Microsoft\Windows NT\Currentversion\)
* Registration information for owner and organization entered during installation (HKLM\Software\Microsoft\Windows NT\Currentversion\)
* Machine Security Identifier (SID) (HKLM\Security\Policy\PolAcDms)
* Shutdown information (HKLM\System\Controlset###\Control\Windows)
* Timezone information (HKLM\System\Currentcontrolset\Control\Timezoneinformation)
* Auditing configuration (HKLM\Security\Policy\PolAdtEv)
* Whether NTFS last access time updates are disabled (the NtfsDisableLastAccessUpdate value under HKLM\System\CurrentControlSet\Control\FileSystem; a value of 1 means last access times are not being maintained, which is the default on Vista and later, so treat last access times with care before relying on them)
User Account Information
The next category obtains information about the user accounts associated with the computer. The information includes the configured local user accounts and groups as well as the artifacts of other user accounts (such as Windows domain users) logging onto the system. The category can help focus the examination on the activity of specific user accounts. The following is the category’s information of interest and the registry keys containing the data:
* Configured local user accounts and groups (HKLM\SAM\Domains\Account\)
* User profiles on the machine registered with Windows (HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList)
* Logon username of the specified user account (the Logon User Name value under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer)
* Previous user accounts to log onto the machine (HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultUserName and HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AltDefaultUserName)
Software Information
The software category obtains information about programs installed and executed on the system. Knowing the software on a system can help shed light on the potential data available. For example, if the examination is interested in locating financial files then the software category will reveal the financial programs on the system thereby identifying the relevant file types. The following is the information of interest in the category and the registry keys containing the data:
* Programs shown in the Add/Remove Programs control panel applet (HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall)
* File system paths to various programs (HKLM\Software\Microsoft\Windows\Currentversion\App paths)
* Information about installed products (HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData)
* Default web browser (one area to check is HKLM\Software\Classes\HTTP\shell\open\command)
* User specific software (HKCU\Software)
* User activity via the Windows Explorer shell, which may show programs run (HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist)
* Executables associated with the user account (on XP this is HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache in NTUSER.DAT; on Vista/7 it is HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache, which lives in UsrClass.dat)
Networking Information
The next category obtains information about networking such as the computer’s name, network shares, and firewall settings. The majority of computers are connected to some sort of network and the information in this category helps explain the type of network the system came from. The following is the information of interest in the category and the registry keys containing the data:
* Computer name (HKLM\System\Currentcontrolset\Control\Computername)
* Domain and hostname (HKLM\System\CurrentControlSet\Services\Tcpip\Parameters)
* Configured network shares on the computer (HKLM\System\Currentcontrolset\Services\Lanmanserver\Shares)
* Configured persistent routes (HKLM\System\ControlSet###\Services\Tcpip\Parameters\PersistentRoutes)
* Firewall configuration (HKLM\System\ControlSet###\Services\SharedAccess\Parameters\FirewallPolicy)
* Network adapter and connection information (HKLM\System\ControlSet###\Control\Network)
* Cache of computers seen by Windows Explorer (HKCU\Software\Microsoft\Windows\Currentversion\Explorer\Computerdescriptions)
Storage Location Information
The last category obtains information about the potential storage locations for user data. The category can reveal additional devices or folders that may contain data of interest. For example, the majority of Windows systems I've seen in a corporate environment belong to a Windows domain where the IT department has users store information on servers instead of their own computers (for backup purposes). One method used is to redirect certain folders in the user account's profile, such as My Documents, to a folder on the server. The storage location information category will quickly highlight this type of configuration. The following is the information of interest in the category and the registry keys containing the data:
* Devices and volumes mounted to the computer (HKLM\System\MountedDevices)
* Location of the user account profile folders (HKCU\Software\Microsoft\Windows\Currentversion\Explorer\User shell folders)
* Mapped network drives available to a user (HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU)
* Volumes mounted by a user (HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2)
Putting the Batch File Together
Putting the batch file together was fairly simple since I already outlined the order of the information I wanted presented and Regripper had plug-ins to extract the data from the registry. The batch file repeats the following three lines for each Regripper plugin to create one report about the operating system and how it’s configured.
echo: >> operating_system_information.txt
rip.exe -r "%regpath%\SECURITY" -p polacdms >> operating_system_information.txt
echo .........................................................................................................>> operating_system_information.txt
The two lines starting with echo are for formatting purposes. The echo: inserts a blank line in operating_system_information.txt while the other echo command inserts a line of dots to separate each RegRipper plug-in's output. Rip.exe is the command-line version of RegRipper, and two of its options are used here: -r specifies the registry hive file to parse and -p specifies the plug-in to run against it. The variable %regpath% is populated by a prompt for the folder path containing the registry hives, so the same script works against any mounted image or exported set of hives.
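The post links to the finished batch file rather than printing it, so the following is an added example of my own (not the post's script) that applies the three-line pattern above to every category: a :rip subroutine wraps the echo / rip.exe / echo sequence, set /p supplies %regpath%, and a missing hive is skipped instead of aborting the run. It assumes rip.exe and its plugins folder sit next to the batch file, that the hives carry their standard names (SYSTEM, SOFTWARE, SAM, SECURITY, NTUSER.DAT), and that the plugin names match your RegRipper build; confirm them with rip.exe -l before relying on the report.

```batch
@echo off
rem Added example (not the post's own script): drives rip.exe, the RegRipper
rem command-line front end, through one plugin per registry key listed above
rem and concatenates the output into a single ordered report.
rem Assumptions: rip.exe and its plugins directory sit beside this file, and
rem the plugin names below match your RegRipper build (check with: rip.exe -l).
setlocal

set "REPORT=operating_system_information.txt"

set /p regpath=Folder containing the SYSTEM, SOFTWARE, SAM and SECURITY hives: 
if not exist "%regpath%\SYSTEM" (
    echo SYSTEM hive not found under "%regpath%" - check the path and retry.
    goto :eof
)

rem Start a fresh report each run instead of appending to a stale one.
if exist "%REPORT%" del "%REPORT%"

call :section "General Operating System Information"
call :rip "%regpath%\SOFTWARE" winver
call :rip "%regpath%\SECURITY" polacdms
call :rip "%regpath%\SYSTEM"   shutdown
call :rip "%regpath%\SYSTEM"   timezone
call :rip "%regpath%\SECURITY" auditpol
call :rip "%regpath%\SYSTEM"   disablelastaccess

call :section "User Account Information"
call :rip "%regpath%\SAM"      samparse
call :rip "%regpath%\SOFTWARE" profilelist
call :rip "%regpath%\SOFTWARE" winlogon

call :section "Software Information"
call :rip "%regpath%\SOFTWARE" uninstall
call :rip "%regpath%\SOFTWARE" appaths
call :rip "%regpath%\SOFTWARE" defbrowser

call :section "Networking Information"
call :rip "%regpath%\SYSTEM"   compname
call :rip "%regpath%\SYSTEM"   shares
call :rip "%regpath%\SYSTEM"   routes
call :rip "%regpath%\SYSTEM"   fw_config

call :section "Storage Location Information"
call :rip "%regpath%\SYSTEM"   mountdev

rem The per-user keys live in NTUSER.DAT, so offer to parse one profile too.
set /p parseuser=Parse a user's NTUSER.DAT hive as well? [y/n]: 
if /i not "%parseuser%"=="y" goto :finish
set /p userpath=Folder containing the user's NTUSER.DAT: 

call :section "User-Specific Information (NTUSER.DAT)"
call :rip "%userpath%\NTUSER.DAT" logonusername
call :rip "%userpath%\NTUSER.DAT" userassist
call :rip "%userpath%\NTUSER.DAT" muicache
call :rip "%userpath%\NTUSER.DAT" compdesc
call :rip "%userpath%\NTUSER.DAT" shellfolders
call :rip "%userpath%\NTUSER.DAT" mndmru
call :rip "%userpath%\NTUSER.DAT" mp2

:finish
echo Report written to %REPORT%
endlocal
goto :eof

rem ---- subroutines ----------------------------------------------------------

:section
rem %~1 = category heading. echo: emits the blank line, as in the post's snippet.
echo: >> "%REPORT%"
echo ##### %~1 ##### >> "%REPORT%"
goto :eof

:rip
rem %~1 = hive file, %2 = plugin name. A missing hive (for example no SAM in a
rem partial export) is recorded and skipped so the rest of the report is built.
echo: >> "%REPORT%"
if exist "%~1" (
    rip.exe -r "%~1" -p %2 >> "%REPORT%" 2>&1
) else (
    echo [skipped] hive not found: %~1 ^(plugin %2^) >> "%REPORT%"
)
echo ......................................................................... >> "%REPORT%"
goto :eof
```

Save it with a .bat extension in the RegRipper folder and double-click it, as with the original; the report is written to operating_system_information.txt in that folder. Adding another key to a category is one more call :rip line, and rip.exe's error output is captured into the report (2>&1) so a plugin that fails on an unexpected hive version leaves a visible trace rather than a silent gap.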
The batch file is placed in the RegRipper folder and executed by double-clicking it. The screenshots below show the script run against an image mounted with FTK Imager.
[Screenshot] Prompt for folder containing the registry hives
[Screenshot] Asks to parse user's registry hive then prompts for its folder location
[Screenshot] RegRipper parsing the registry hives and creating the report
[Screenshot] Portion of the report showing the Software and Networking Information categories
The information in the report doesn't include everything I'd want to know over the span of an examination, but it does provide the initial information about the operating system and how it's configured. Automating the process makes me a little more efficient when completing the examination step.
I uploaded the batch file to the jIIr Google site and the file can be downloaded here (to execute the file change the file extension from txt to bat).