SANS SIFT – Using regtime.pl

The following is an overview of how I used the SANS Forensics SIFT Workstation VM image to investigate a laptop that was infected with malware. The goal of the investigation was to determine if possible how the machine got infected, and when it was infected. To this end I used the regtime.pl utility that is supplied with the image.

The regtime.pl utility will process the timestamps in each key of a registry HIVE and produce output that is compliant to the SleuthKit’s mactime format.

After starting the SIFT workstation I mounted the suspect hard drive to a read-only mount point. The regtime.pl utility can be found in the the “/usr/local/src/windows-perl/” directory.

cd /usr/local/src/windows-perl/

Using the command format of “perl regtime.pl -m <HIVENAME> -r <filepath> > /tmp/regtime-<HIVENAME>” the regtime.pl each HIVE on the suspect drive was processed.

The options used were:-

-m

mactime output

<HIVENAME>

HKLM/SAM
HKLM/SECURITY
HKLM/Software
HKLM/SYSTEM
HKLU

<filepath>

/<read-only mount path>/windows/system32/config/SECURITY

/<read-only mount path>/windows/system32/config/system

/<read-only mount path>/windows/system32/config/software

/<read-only mount path>/Document & Settings/<username>/NTUSER.DAT

Once I had the separate output files I then ran “cat” to join them all together. This was done by using the command:

cat <filename> >> /tmp/regtime-body

Then I ran the Sleuthkit mactime program across the mactime body file in 3 ways.

    1. Mactime -b /tmp/regtime-body > /tmp/regtime-mactime
    2. Mactime -b /tmp/regtime-body -d -m > /tmp/regtime-mactime.csv
    3. Mactime -b /tmp/regtime-body -d -m 2009-01-01 > /tmp/regtime-mactime2009.csv
-b format output in mactime body format
-d create a comma delimited file
-m use numeric months and not named (i.e. 01 not Jan)
2009-01-01 print only timestamps after this date

The first one will give a full dump in standard Sleuthkit mactime default output. The second one will output a full mactime file in a comma delimited format where each line has its own timestamp. The last one is the same as the second except I am only outputting any information that changed after the 1st Jan 2009.

From there I copied the processed mactime files from the SIFT virtual workstation onto a machine with Excel2007 on it. You really want to be using Office2007 to get around the row limit in previous versions of excel. The benefit of using Excel is that it can be quick and easy to sort, search and filter information that may be of interest in the mactime output files. For example, loading up the regtime-mactime2009.csv file I can do a find all on common registry keys that malware play with.

image

Attached is a copy of the first item found in the registry and the items around it. When reviewing the timeline there is a 3 minute interval where a number of registry keys are modified, however there is no other activity for hours on either side of this activity. This would be a good indication that we may want to look at exactly what changes were made in the registry (if they still exist) to see if this was malware activity.

In the next blog post, I will use the same process using the Sleuthkit tools.

About these ads
1 comment
  1. PaulK said:

    I am having a syntax problem with regtime.pl.

    There is a single space between -r and /mnt/…..

    sansforensics@SIFT-Workstation:/usr/local/src/windows-perl$ ./regtime.pl –m HKLM-SECURITY –r /mnt/windows_mount/WINDOWS/system32/config/SECURITY >> /home/sansforensics/cases/SU2010-01063/bodyfile
    Unknown option: mnt/windows_mount/windows/system32/config/security
    sansforensics@SIFT-Workstation:/usr/local/src/windows-perl$

    Any ideas what I did wrong? It seems to be only taking the / for the -r flag.

    Thanks

    -PaulK

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Follow

Get every new post delivered to your Inbox.

%d bloggers like this: