Yesterday I found myself trying to work out why a remote machine had suddenly had its MRU keys and subkeys deleted. Unfortunately, or fortunately depending on how you want to look at it, there was nothing obvious, so I had the excuse to “play”. When I started to look into the machine I was working off two potential scenarios: I had a malware infection, or an end user who was trying to cover their tracks by using a 4″x2″ to clean the registry (deleting the whole LastVisitedMRU+OpenSaveMRU trees, and not just wiping the values, is a fairly brutal approach).
Because the computer wasn’t giving up its secrets easily, I have ended up spending more time than normal working on the machine, instead of just getting the desktop team to re-image it. Let me just say, this is not a scenario where I needed to be careful to preserve evidence; it’s more a case of using forensic techniques for incident response. Plus, if I polluted the evidence, then it just meant I would send the box off to be rebuilt.
Since the machine was remote, and I didn’t have the bandwidth to undertake a remote image, I went looking for a way to grab the live registry to do some timeline analysis on. I had previously worked out the time window when the changes occurred by comparing System Restore snapshot hives. My googling led me to HD Moore’s blog post on “Exporting the Registry for Fun and Profit”.
When you use the SAVE option with reg.exe it exports the key (and everything under it) in the binary hive (regf) format, the same format as the hive files on disk, rather than the text .reg format you get from reg.exe EXPORT. From what I have seen so far, the export also preserves the LastWrite timestamp details on the keys and values.
So now, if you only want to do basic timeline analysis on particular portions/key areas of a remote registry, you can use reg.exe SAVE to export a small section of it. Plus, it’s much quicker to download key areas of the registry hives when your bandwidth is limited.
Some key areas might be (the key to save comes first, the output hive file second):
reg.exe SAVE HKLM\Software\Microsoft\Windows hklm_software_windows.hiv
reg.exe SAVE HKLM\System\CurrentControlSet\Services hklm_services.hiv
reg.exe SAVE HKCU\Software\Microsoft\Windows hkcu_software_windows.hiv
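To turn one of those exported hive files into a timeline you need to read the LastWrite timestamps back out of the regf cells. The script below is an added example (not from the original post or HD Moore’s): it walks every cell in every hbin of a hive, keeps the ones with an “nk” (key) signature, rebuilds each key’s path by following the parent-cell pointers, and sorts the result by LastWrite. Because it carves cells rather than walking the subkey lists, it also picks up key cells that have been freed (marked “deleted” in the output) if they have not yet been overwritten, which is handy when the thing you are investigating is a deleted MRU tree. The sample hive it runs against when given no argument is constructed inline by build_sample_hive() and is not a real export; pass a path to a real .hiv file to use it for real.

```python
"""Carve nk (key) cells from a regf hive saved with 'reg.exe SAVE' and print
a LastWrite timeline. Added example, not code from the original post.
With no argument it runs against a hive built inline by build_sample_hive()."""
import struct
import sys
from datetime import datetime, timedelta, timezone

HBIN_BASE = 0x1000      # first hbin starts 4 KiB into the file, after the regf header
HBIN_HEADER = 32        # size of the hbin header
NK_FIXED = 76           # fixed part of an nk record, key name follows it
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_dt(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def carve_nk_cells(data):
    """Return {cell offset relative to HBIN_BASE: record} for every cell whose
    signature is 'nk', allocated (negative size) or freed (positive size)."""
    if data[:4] != b"regf":
        raise ValueError("not a regf hive")
    keys = {}
    pos = HBIN_BASE
    while pos + HBIN_HEADER <= len(data) and data[pos:pos + 4] == b"hbin":
        hbin_size = struct.unpack_from("<I", data, pos + 8)[0]
        end = pos + hbin_size
        cell = pos + HBIN_HEADER
        while cell + 4 <= end:
            raw_size = struct.unpack_from("<i", data, cell)[0]
            size = abs(raw_size)
            if size == 0 or cell + size > end:   # zero-filled slack or corrupt cell
                break
            if data[cell + 4:cell + 6] == b"nk":
                # nk record layout (relative to cell+4): flags @2, LastWrite @4,
                # parent cell offset @16, name length @72, name @76
                flags, ft = struct.unpack_from("<HQ", data, cell + 6)
                parent = struct.unpack_from("<I", data, cell + 20)[0]
                name_len = struct.unpack_from("<H", data, cell + 76)[0]
                raw = data[cell + 80:cell + 80 + name_len]
                name = raw.decode("latin-1") if flags & 0x20 else raw.decode("utf-16-le", "replace")
                keys[cell - HBIN_BASE] = {"name": name, "parent": parent,
                                          "lastwrite": filetime_to_dt(ft),
                                          "root": bool(flags & 0x04),
                                          "deleted": raw_size > 0}
            cell += size
        pos += hbin_size
    return keys


def key_path(keys, off):
    """Rebuild the key path by following parent pointers up to the root."""
    parts, seen = [], set()
    while off in keys and off not in seen:
        seen.add(off)
        rec = keys[off]
        parts.append(rec["name"])
        if rec["root"]:
            break
        off = rec["parent"]
    return "\\".join(reversed(parts))


def timeline(data):
    """List of (lastwrite, path, deleted) sorted oldest first."""
    keys = carve_nk_cells(data)
    return sorted((rec["lastwrite"], key_path(keys, off), rec["deleted"])
                  for off, rec in keys.items())


def _filetime(dt):
    delta = dt - EPOCH_1601
    return (delta.days * 86400 + delta.seconds) * 10_000_000


def _nk_cell(name, parent, ft, root=False):
    """Build one allocated nk cell (8-byte aligned, negative size)."""
    flags = 0x20 | (0x04 if root else 0)      # KEY_COMP_NAME, KEY_HIVE_ENTRY
    body = bytearray(NK_FIXED)
    struct.pack_into("<2sHQ", body, 0, b"nk", flags, ft)
    struct.pack_into("<I", body, 16, parent)
    struct.pack_into("<H", body, 72, len(name))
    body += name.encode("ascii")
    size = (4 + len(body) + 7) & ~7
    cell = bytearray(size)
    struct.pack_into("<i", cell, 0, -size)
    cell[4:4 + len(body)] = body
    return bytes(cell)


def build_sample_hive():
    """Constructed sample hive: three keys written on three different days."""
    cursor = HBIN_HEADER
    root = _nk_cell("ROOT", 0xFFFFFFFF, _filetime(datetime(2010, 1, 5, 9, tzinfo=timezone.utc)), root=True)
    root_off, cursor = cursor, cursor + len(root)
    sw = _nk_cell("Software", root_off, _filetime(datetime(2010, 1, 6, 10, tzinfo=timezone.utc)))
    sw_off, cursor = cursor, cursor + len(sw)
    ex = _nk_cell("Explorer", sw_off, _filetime(datetime(2010, 1, 7, 11, tzinfo=timezone.utc)))
    hbin = bytearray(0x1000)
    struct.pack_into("<4sII", hbin, 0, b"hbin", 0, 0x1000)
    hbin[HBIN_HEADER:HBIN_HEADER + len(root + sw + ex)] = root + sw + ex
    header = bytearray(0x1000)
    # regf: signature, seq1, seq2, last written, major, minor, type, format, root cell offset
    struct.pack_into("<4sIIQIIIII", header, 0, b"regf", 1, 1, 0, 1, 3, 0, 1, root_off)
    return bytes(header + hbin)


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_hive()
    for when, path, deleted in timeline(data):
        print(when.isoformat(), path, "(deleted)" if deleted else "")
```

Run it against a file produced by reg.exe SAVE (for example `python hive_timeline.py hkcu_software_windows.hiv`) and then narrow the output to the time window you already worked out from the System Restore snapshots; keys from freed cells still carry the LastWrite value they had when they were live, so a burst of them in that window is the thing to look for.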
Some of the tools and techniques I have used for the first time on this machine were:
analyzeMFT.py (extracts filesystem metadata from the MFT)