SANS SIFT – Using regtime.pl
The following is an overview of how I used the SANS Forensics SIFT Workstation VM image to investigate a laptop that was infected with malware. The goal of the investigation was to determine if possible how the machine got infected, and when it was infected. To this end I used the regtime.pl utility that is supplied with the image.
The regtime.pl utility will process the LastWrite timestamp of each key in a registry hive and produce output in the body format used by The Sleuth Kit's mactime.
After starting the SIFT workstation I mounted the suspect hard drive to a read-only mount point. The regtime.pl utility can be found in the “/usr/local/src/windows-perl/” directory.
cd /usr/local/src/windows-perl/
Using the command format “perl regtime.pl -m <HIVENAME> -r <filepath> > /tmp/regtime-<HIVENAME>”, each hive on the suspect drive was processed with regtime.pl.
The options used were:-
| -m | mactime output |
| <HIVENAME> | HKLM/SAM |
| <filepath> | /<read-only mount path>/windows/system32/config/SECURITY |
| | /<read-only mount path>/windows/system32/config/system |
| | /<read-only mount path>/windows/system32/config/software |
| | /<read-only mount path>/Documents and Settings/<username>/NTUSER.DAT |
Once I had the separate output files I then ran “cat” to join them all together. This was done by using the command:
cat <filename> >> /tmp/regtime-body
Then I ran the Sleuth Kit mactime program across the mactime body file in 3 ways.
- mactime -b /tmp/regtime-body > /tmp/regtime-mactime
- mactime -b /tmp/regtime-body -d -m > /tmp/regtime-mactime.csv
- mactime -b /tmp/regtime-body -d -m 2009-01-01 > /tmp/regtime-mactime2009.csv
| -b | format output in mactime body format |
| -d | create a comma delimited file |
| -m | use numeric months and not named (i.e. 01 not Jan) |
| 2009-01-01 | print only timestamps after this date |
The first one will give a full dump in standard Sleuthkit mactime default output. The second one will output a full mactime file in a comma delimited format where each line has its own timestamp. The last one is the same as the second except I am only outputting any information that changed after the 1st Jan 2009.
From there I copied the processed mactime files from the SIFT virtual workstation onto a machine with Excel 2007 on it. You really want to be using Office 2007 to get around the row limit in previous versions of Excel. The benefit of using Excel is that it is quick and easy to sort, search and filter information of interest in the mactime output files. For example, loading up the regtime-mactime2009.csv file I can do a “find all” on the registry keys that malware commonly modifies.
Attached is a copy of the first item found in the registry and the items around it. When reviewing the timeline there is a 3-minute interval in which a number of registry keys are modified, yet there is no other activity for hours on either side of it. This is a good indication that we should look at exactly what changes were made in the registry (if they still exist) to see whether this was malware activity.
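As an added example (not from the original post), the following Python script does over a regtime.pl body file what the Excel pass above did by eye: it parses each key's LastWrite time, applies the same 2009-01-01 cutoff as the third mactime run, and flags clusters of key writes that fall within a 3-minute window and have hours of no registry activity on both sides. The body-line layout (TSK 3.x format with the LastWrite time in the mtime field) is assumed, and the sample lines are constructed.

```python
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
# Assumed regtime.pl -m line layout (TSK 3.x body format, epoch seconds):
# MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime
MTIME_FIELD = 8

# Constructed sample: routine writes hours apart, four writes within 3 minutes, one 2008 entry.
SAMPLE_BODY = r"""0|[HKLM/SOFTWARE] Microsoft\Windows NT\CurrentVersion|0|0|0|0|0|1212310800|1212310800|1212310800|1212310800
0|[HKLM/SYSTEM] ControlSet001\Services\Tcpip|0|0|0|0|0|1232953200|1232953200|1232953200|1232953200
0|[HKLM/SOFTWARE] Microsoft\Windows\CurrentVersion\Run|0|0|0|0|0|1232971200|1232971200|1232971200|1232971200
0|[HKLM/SYSTEM] ControlSet001\Services\NewService|0|0|0|0|0|1232971270|1232971270|1232971270|1232971270
0|[HKLM/SOFTWARE] Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects|0|0|0|0|0|1232971350|1232971350|1232971350|1232971350
0|[HKCU/NTUSER.DAT] Software\Microsoft\Windows\CurrentVersion\Run|0|0|0|0|0|1232971380|1232971380|1232971380|1232971380
0|[HKLM/SYSTEM] ControlSet001\Control\Session Manager|0|0|0|0|0|1232992800|1232992800|1232992800|1232992800
"""

def parse_body(text):
    """Return (LastWrite time as UTC datetime, key name) per body line, oldest first."""
    entries = []
    for line in text.splitlines():
        fields = line.split("|")
        if len(fields) < 11:
            continue  # blank or malformed line: skip it rather than abort the run
        entries.append((datetime.fromtimestamp(int(fields[MTIME_FIELD]), UTC), fields[1]))
    return sorted(entries)

def find_isolated_bursts(entries, after, window=timedelta(minutes=3),
                         quiet=timedelta(hours=2), min_keys=3):
    """Group writes at most `window` apart; report groups of >= min_keys keys with at least
    `quiet` of no registry activity on both sides. `after` is a YYYY-MM-DD cutoff like mactime's."""
    cutoff = datetime.fromisoformat(after).replace(tzinfo=UTC)
    clusters = []
    for entry in (e for e in entries if e[0] >= cutoff):
        if clusters and entry[0] - clusters[-1][-1][0] <= window:
            clusters[-1].append(entry)
        else:
            clusters.append([entry])
    bursts = []
    for i, c in enumerate(clusters):  # the ends of the timeline count as quiet
        gap_before = c[0][0] - clusters[i - 1][-1][0] if i else quiet
        gap_after = clusters[i + 1][0][0] - c[-1][0] if i + 1 < len(clusters) else quiet
        if len(c) >= min_keys and gap_before >= quiet and gap_after >= quiet:
            bursts.append({"start": c[0][0], "end": c[-1][0], "keys": [k for _, k in c]})
    return bursts

if __name__ == "__main__":
    for b in find_isolated_bursts(parse_body(SAMPLE_BODY), "2009-01-01"):
        print(f"{b['start']:%Y-%m-%d %H:%M:%S} to {b['end']:%H:%M:%S}:", ", ".join(b["keys"]))
```

Point it at /tmp/regtime-body by reading that file instead of SAMPLE_BODY; the `window` and `quiet` arguments tune what counts as a burst and as silence.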
In the next blog post, I will use the same process using the Sleuthkit tools.
I am having a syntax problem with regtime.pl.
There is a single space between -r and /mnt/…..
sansforensics@SIFT-Workstation:/usr/local/src/windows-perl$ ./regtime.pl -m HKLM-SECURITY -r /mnt/windows_mount/WINDOWS/system32/config/SECURITY >> /home/sansforensics/cases/SU2010-01063/bodyfile
Unknown option: mnt/windows_mount/windows/system32/config/security
sansforensics@SIFT-Workstation:/usr/local/src/windows-perl$
Any ideas what I did wrong? It seems to be only taking the / for the -r flag.
Thanks
-PaulK