Launching ie_main v.20091019
ie_main v.20091019
(NTUSER.DAT) Gets values beneath user's Internet Explorer\Main key
Software\Microsoft\Internet Explorer\Main
LastWrite Time Thu Sep 1 18:09:10 2011 (UTC)
IE8TourShownTime Thu Jul 28 16:04:54 2011 UTC
IE8RunOnceLastShown_TIMESTAMP Thu Jul 28 16:04:31 2011 UTC
Enable Browser Extensions yes
Start Page Redirect Cache AcceptLangs it
AutoHide yes
Play_Animations yes
XMLHTTP 1
IE9TourShown 1
Start Page Redirect Cache http://it.msn.com/?ocid=iehp
Search Page http://go.microsoft.com/fwlink/?LinkId=54896
IE8TourShown 1
Display Inline Images yes
DownloadWindowPlacement ,Âÿÿÿÿÿÿÿÿÿÿÿÿ¹Ã¶9Ö
FullScreen no
Show_StatusBar yes
CompatibilityFlags 0
Check_Associations no
DisableScriptDebuggerIE yes
IE9RunOncePerInstallCompleted 1
Disable Script Debugger yes
NoUpdateCheck 1
UseClearType no
NotifyDownloadComplete yes
Local Page C:\Windows\system32\blank.htm
IE8RunOncePerInstallCompleted 1
IE9TourShownTime âþ¸NÃŒ
Do404Search 1
IE9RunOnceCompletionTime ý¸NÃŒ
Show_ToolBar yes
Start Page Redirect Cache_TIMESTAMP ²Ã¥ ö?MÃŒ
Save_Session_History_On_Exit no
Show_FullURL no
Cache_Update_Frequency Once_Per_Session
Show_URLinStatusBar yes
IE8RunOnceLastShown 1
Show_URLToolBar yes
IE8RunOnceCompletionTime H @MÌ
Use FormSuggest yes
Anchor Underline yes
IconCache 08aku2z
Use_DlgBox_Colors yes
Start Page http://www.google.it/
Play_Background_Sounds yes
As you can see, there is a little garbage in the previous output (the unprintable binary data), but the most notable fact is that the plugin does not answer the question about Trojan.Clampi at all: its output simply shows (almost) all values inside the "Software\Microsoft\Internet Explorer\Main" key. In such cases (when you expect something you do not get, or you get something you do not expect) it is advisable to take a look inside the plugin: there is a lot of information inside a RegRipper plugin, and it should always be read, whether or not you are a Perl coding guru. As we can see, it is easy to understand:
#-----------------------------------------------------------
# ie_main.pl
# Checks keys/values set by new version of Trojan.Clampi
#
# Change history
#   20091019 [hca] % created
#   20110830 [fpi] + banner, no change to the version number
#
# References
#   http://support.microsoft.com/kb/895339
#   http://support.microsoft.com/kb/176497
#
# copyright 2009 H. Carvey
#-----------------------------------------------------------
package ie_main;
use strict;

my %config = (hive          => "NTUSER\.DAT",
              hasShortDescr => 1,
              hasDescr      => 0,
              hasRefs       => 0,
              osmask        => 22,
              version       => 20091019);

sub getConfig{return %config}
sub getShortDescr {
    return "Gets values beneath user's Internet Explorer\\Main key";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}

my $VERSION = getVersion();

sub pluginmain {
    my $class = shift;
    my $ntuser = shift;
    ::logMsg("Launching ie_main v.".$VERSION);
    ::rptMsg("ie_main v.".$VERSION); # 20110830 [fpi] + banner
    ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # 20110830 [fpi] + banner
    my $reg = Parse::Win32Registry->new($ntuser);
    my $root_key = $reg->get_root_key;
    my $key_path = 'Software\\Microsoft\\Internet Explorer\\Main';
    my $key;
    if ($key = $root_key->get_subkey($key_path)) {
        ::rptMsg($key_path);
        ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
        ::rptMsg("");
        my %main;
        my @vals = $key->get_list_of_values();
        if (scalar(@vals) > 0) {
            foreach my $v (@vals) {
                my $name = $v->get_name();
                my $data = $v->get_data();
                # Window_Placement is a binary blob: skipped rather than printed raw
                next if ($name eq "Window_Placement");
                # Do404Search: 4 bytes, unpacked as an unsigned 32-bit little-endian integer
                $data = unpack("V",$data) if ($name eq "Do404Search");
                # these two are 8-byte FILETIMEs: two 32-bit LE words, converted by getTime()
                if ($name eq "IE8RunOnceLastShown_TIMESTAMP" || $name eq "IE8TourShownTime") {
                    my ($t0,$t1) = unpack("VV",$data);
                    $data = gmtime(::getTime($t0,$t1))." UTC";
                }
                # every other value is reported as-is, whatever its type
                $main{$name} = $data;
            }
            foreach my $n (keys %main) {
                my $str = sprintf "%-35s %-20s",$n,$main{$n};
                ::rptMsg($str);
            }
        }
        else {
            ::rptMsg($key_path." has no values.");
        }
    }
    else {
        ::rptMsg($key_path." not found.");
    }
}
1;
The comment description (2nd line of the header) is wrong, probably because the "header" was cut-and-pasted from another plugin (I usually forget something during that process...): the getShortDescr function shows the correct description (I will do a "fix" on that), consistent with the References in the source file header. Note: references usually make up the knowledge base used by the author; they should be checked at least once to properly understand the plugin.
By inspecting the source code, other interesting things come out: not all values are treated in the same way. Window_Placement is skipped; Do404Search is unpacked as an unsigned 32-bit integer in little-endian byte order (Perl's "V" template; for non-Perl coders, check the unpack cheat-sheet: it is really important to understand this "data interpreter", and it is easy to do); IE8RunOnceLastShown_TIMESTAMP and IE8TourShownTime are FILETIMEs, read as two 32-bit little-endian words ("VV") and converted with getTime(). Finally, the garbage: some values have data that is not correctly handled (at the syntactic level), since it cannot be printed as ASCII/UTF-8, unlike properly handled values such as IE8TourShownTime. The reason is quite obvious: at the time the author wrote the plugin, those special values were the only ones available, so the "new ones" (here IE9TourShownTime, IE9RunOnceCompletionTime, IE8RunOnceCompletionTime, Start Page Redirect Cache_TIMESTAMP and DownloadWindowPlacement) are not considered special by the plugin and come out as garbage when reported as ASCII/UTF-8. This fact could lead to a statement like the following:

"When plugins get old, you will leak the FForce: always train with them!"
"I will do!"
Basically, RR users should test their favourite plugins by running them whenever the target software (Internet Explorer, in this case) gets updated, or at least when a new Windows version is released.
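As an added example (Python, written for this page; it is neither part of the original post nor RegRipper code), here is the kind of "training" check the statement above calls for: given a key's values and the set of names a plugin treats specially (ie_main's four, as read from its source), it lists the REG_BINARY values the plugin would print raw, and tries to tell which of them are new FILETIMEs by decoding them and checking for a plausible date. The input is a constructed set of values modelled on the ie_main output shown earlier; the registry type codes, the 1990-2100 plausibility window and the 44-byte placement blobs are assumptions, and nothing is read from a hive.

```python
import string
import struct
from datetime import datetime, timedelta, timezone

REG_SZ, REG_BINARY, REG_DWORD = 1, 3, 4          # Windows registry value type codes

# value names that ie_main v.20091019 decodes or skips; anything else it prints raw
HANDLED = {"Window_Placement", "Do404Search",
           "IE8RunOnceLastShown_TIMESTAMP", "IE8TourShownTime"}

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)     # FILETIME epoch
PLAUSIBLE_LO = datetime(1990, 1, 1, tzinfo=timezone.utc)   # assumed window for a real timestamp
PLAUSIBLE_HI = datetime(2100, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(raw):
    """8-byte little-endian FILETIME: 100 ns ticks since 1601-01-01 UTC.
    Same arithmetic as Perl's unpack("VV") followed by RegRipper's getTime()."""
    (ticks,) = struct.unpack("<Q", raw)
    return EPOCH_1601 + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt):
    """Inverse of the above; used only to build the constructed sample below."""
    ticks = ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10
    return struct.pack("<Q", ticks)


def looks_like_filetime(raw):
    """Heuristic: exactly 8 bytes that decode to a date inside the plausible window."""
    if len(raw) != 8:
        return False
    try:
        return PLAUSIBLE_LO <= filetime_to_datetime(raw) <= PLAUSIBLE_HI
    except OverflowError:        # ticks too large for datetime
        return False


def is_printable_text(raw):
    try:
        return all(c in string.printable for c in raw.decode("ascii"))
    except UnicodeDecodeError:
        return False


def find_unhandled_binary(values, handled=HANDLED):
    """Return [(name, verdict)] for REG_BINARY values the plugin would print as garbage.
    `values` maps name -> (type code, raw bytes)."""
    findings = []
    for name, (vtype, raw) in sorted(values.items()):
        if name in handled or vtype != REG_BINARY or is_printable_text(raw):
            continue
        if looks_like_filetime(raw):
            verdict = "probable FILETIME: " + filetime_to_datetime(raw).strftime("%Y-%m-%d %H:%M:%S UTC")
        else:
            verdict = "binary, %d bytes: %s" % (len(raw), raw.hex())
        findings.append((name, verdict))
    return findings


def sample_main_values():
    """Constructed sample modelled on the ie_main output above; not a real hive dump.
    The FILETIMEs are built from the dates the post reports for those values."""
    def ft(*ymdhms):
        return datetime_to_filetime(datetime(*ymdhms, tzinfo=timezone.utc))
    return {
        "Start Page": (REG_SZ, b"http://www.google.it/"),
        "IE9TourShown": (REG_DWORD, b"\x01\x00\x00\x00"),
        "Do404Search": (REG_BINARY, b"\x01\x00\x00\x00"),
        "Window_Placement": (REG_BINARY, bytes(44)),      # WINDOWPLACEMENT-sized blob (assumed)
        "IE8TourShownTime": (REG_BINARY, ft(2011, 7, 28, 16, 4, 54)),
        "IE8RunOnceLastShown_TIMESTAMP": (REG_BINARY, ft(2011, 7, 28, 16, 4, 31)),
        # values that appeared after the plugin was written (IE8/IE9 updates):
        "IE8RunOnceCompletionTime": (REG_BINARY, ft(2011, 7, 28, 16, 4, 54)),
        "IE9TourShownTime": (REG_BINARY, ft(2011, 7, 29, 17, 41, 18)),
        "IE9RunOnceCompletionTime": (REG_BINARY, ft(2011, 7, 29, 17, 41, 18)),
        "Start Page Redirect Cache_TIMESTAMP": (REG_BINARY, ft(2011, 7, 28, 16, 3, 59)),
        "DownloadWindowPlacement": (REG_BINARY, bytes(44)),
    }


if __name__ == "__main__":
    for name, verdict in find_unhandled_binary(sample_main_values()):
        print("%-40s %s" % (name, verdict))
```

Feed it the values of a fresh NTUSER.DAT after every IE or Windows update (from whatever registry parser you use) and diff the findings against the previous run: a new name in the list is a value the plugin has never seen and is currently printing as garbage.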
The following is the output of the iexplore plugin on the same hive:
Launching iexplore v.20100308
iexplore v.20100308
(NTUSER.DAT) Get Main Key contents from HKCU\Software\Microsoft\Internet Explorer
Software\Microsoft\Internet Explorer\Main
LastWrite Time Thu Sep 1 18:09:10 2011 (UTC)
IE8RunOnceLastShown_TIMESTAMP -> l├▓☼ @M├î☺
IE8TourShownTime -> ┬ós"↨@M├î☺
Enable Browser Extensions -> yes
Start Page Redirect Cache AcceptLangs -> it
Play_Animations -> yes
AutoHide -> yes
XMLHTTP -> 1
IE9TourShown -> 1
Start Page Redirect Cache -> http://it.msn.com/?ocid=iehp
Search Page -> http://go.microsoft.com/fwlink/?LinkId=54896
IE8TourShown -> 1
Display Inline Images -> yes
DownloadWindowPlacement -> , ‚ÿÿ ƒÿÿÿÿÿÿÿÿÿÿ
FullScreen -> no
Show_StatusBar -> yes
CompatibilityFlags -> 0
Check_Associations -> no
DisableScriptDebuggerIE -> yes
IE9RunOncePerInstallCompleted -> 1
Disable Script Debugger -> yes
NoUpdateCheck -> 1
UseClearType -> no
Window_Placement -> , ☻ ♥ ├é┬é├┐├┐ ┬â├┐├┐├┐├┐├┐├┐├┐├┐├┐├┐┬Æ
NotifyDownloadComplete -> yes
Local Page -> C:\Windows\system32\blank.htm
IE8RunOncePerInstallCompleted -> 1
IE9TourShownTime -> ├ó┬ü├¥┬©▬N├î☺
Do404Search -> ☺
IE9RunOnceCompletionTime -> ┬Ø├¢┬©▬N├î☺
Show_ToolBar -> yes
Start Page Redirect Cache_TIMESTAMP -> ┬▓├Ñ ├Â?M├î☺
Save_Session_History_On_Exit -> no
Show_FullURL -> no
Cache_Update_Frequency -> Once_Per_Session
IE8RunOnceLastShown -> 1
Show_URLinStatusBar -> yes
IE8RunOnceCompletionTime -> H◄ ↨@M├î☺
Show_URLToolBar -> yes
Use FormSuggest -> yes
Anchor Underline -> yes
IconCache -> 08aku2z
Use_DlgBox_Colors -> yes
Start Page -> http://www.google.it/
Play_Background_Sounds -> yes
Software\Microsoft\Internet Explorer\Main\Default Feeds
LastWrite Time Thu Jul 28 15:58:53 2011 (UTC)
Software\Microsoft\Internet Explorer\Main\WindowsSearch
LastWrite Time Thu Sep 1 07:49:17 2011 (UTC)
UpgradeTime -> |├╗├À┬ª{h├î☺
LastCrawl -> ├┤+a┬╗┬Øa├î☺
ConfiguredScopes -> 5
Version -> 6.1.7601.17514
User Favorites Path -> file:///C:\Users\Marco\Favorites\
As you can see, there is more garbage than with the previous plugin: the reason is in the code shown below. But more subkeys are parsed, "Default Feeds" and "WindowsSearch", which could be somewhat useful (with garbage again). Let's look inside the source code:
#-----------------------------------------------------------
# iexplore.pl
#
# Change history
#   20110830 [fpi] + banner, no change to the version number
#
# References
#
# copyright 2010 E. Rye esten@ryezone.net
#-----------------------------------------------------------
package iexplore;
use strict;

my %config = (hive          => "NTUSER\.DAT",
              osmask        => 22,
              hasShortDescr => 1,
              hasDescr      => 0,
              hasRefs       => 0,
              version       => 20100308);

sub getConfig{return %config}
sub getShortDescr {
    return "Get Main Key contents from HKCU\\Software\\Microsoft\\Internet Explorer";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}

my $VERSION = getVersion();

sub pluginmain {
    my $class = shift;
    my $hive = shift;
    ::logMsg("Launching iexplore v.".$VERSION);
    ::rptMsg("iexplore v.".$VERSION); # 20110830 [fpi] + banner
    ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # 20110830 [fpi] + banner
    my $reg = Parse::Win32Registry->new($hive);
    my $root_key = $reg->get_root_key;
    my $key_path = "Software\\Microsoft\\Internet Explorer\\Main";
    my $key;
    if ($key = $root_key->get_subkey($key_path)) {
        ::rptMsg($key_path);
        ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
        # values of Main itself, reported raw: no per-value decoding at all
        my %vals = getKeyValues($key);
        if (scalar(keys %vals) > 0) {
            foreach my $v (keys %vals) {
                ::rptMsg("\t".$v." -> ".$vals{$v});
            }
        }
        else {
            ::rptMsg($key_path." has no values.");
        }
        # one level of recursion: every direct subkey of Main, again raw
        my @sk = $key->get_list_of_subkeys();
        if (scalar(@sk) > 0) {
            foreach my $s (@sk) {
                ::rptMsg("");
                ::rptMsg($key_path."\\".$s->get_name());
                ::rptMsg("LastWrite Time ".gmtime($s->get_timestamp())." (UTC)");
                my %vals = getKeyValues($s);
                foreach my $v (keys %vals) {
                    ::rptMsg("\t".$v." -> ".$vals{$v});
                }
            }
        }
        else {
            ::rptMsg("");
            ::rptMsg($key_path." has no subkeys.");
        }
    }
    else {
        ::rptMsg($key_path." not found.");
        ::logMsg($key_path." not found.");
    }
}

# collect name -> data for one key, skipping an empty unnamed (default) value
sub getKeyValues {
    my $key = shift;
    my %vals;
    my @vk = $key->get_list_of_values();
    if (scalar(@vk) > 0) {
        foreach my $v (@vk) {
            next if ($v->get_name() eq "" && $v->get_data() eq "");
            $vals{$v->get_name()} = $v->get_data();
        }
    }
    return %vals;
}
1;
As shown, this is the most basic form of a plugin, with one level of subkey recursion: it simply reports all values inside the Main key and all values inside each of Main's subkeys. The reporting is done through the rptMsg facility provided by rip.pl, and that is why it shows garbage (not all value data are ASCII/UTF-8 strings or numbers): there is no logic at all to handle special data.

"This is the first FForce exercise, try it!"
"I can move the rock...!"
Regarding the last two IE plugins, this is their output (as expected, they do their job). Just one note regarding ie_settings: there are many, many, many values and subkeys inside "Software\Microsoft\Windows\CurrentVersion\Internet Settings", and the plugin's name could be a little misleading; I am thinking about renaming it...
Launching ie_version v.20091016
ie_version v.20091016
(Software) Get IE version and build
Microsoft\Internet Explorer
LastWrite Time Wed Aug 17 01:27:51 2011 (UTC)
IE Build = 98112
IE Version = 9.0.8112.16421
Launching ie_settings v.20091016
ie_settings v.20091016
(NTUSER.DAT) Gets IE settings
Software\Microsoft\Windows\CurrentVersion\Internet Settings
User Agent = Mozilla/4.0 (compatible; MSIE 8.0; Win32)
ZonesSecurityUpgrade = Fri Jul 29 12:40:52 2011 (UTC)
So, now what?
I took a look at the hives and saw that there are a lot of subkeys and values used by Internet Explorer: check the fantastic work by Geoff Chappell here and particularly here. Honestly, I was overwhelmed when looking at them, but I tried to face the problem using a drive-by-ignorance approach.
"By Ignorance? Are you interested in the Dark side of FForce?"
"Hum hem... no... (I should study more)"
What I mean is that I did not start my exploration to answer a specific question: I simply opened the hives I had and explored how many keys/values they contained. The mission was to identify interesting values and to parse them correctly (at the syntactic level), so as to create a reporting plugin with almost no garbage, and to add some keys/values.
NTUSER \Software\Microsoft\Internet Explorer
I began with "HKCU\Software\Microsoft\Internet Explorer"; here are the results of my observations on 4 NTUSER hives. There are many more subkeys beyond "Main", which may be present depending on IE version/usage and possibly on OS version:
# Registries coming from (and tested on):
# (A) Windows7 Professional 32bit - IE 9.0.8112.16421
# (B) Windows7 Ultimate 64bit - IE 9.0.8112.16421
# (C) Windows XP Home 32bit - IE 8.0.6001.18702
# (D) Windows Vista 64bit - IE 7.0.6002.18005
#
# (P) means parsed, (*) means not parsed but interesting (a TODO), nothing
# means not parsed.
#
# HKCU\Software\Microsoft\Internet Explorer subkeys list:
#
# Activities (*) [ A ]
# ApprovedExtensions (*) [ B ]
# ApproveExtensionsMigration (*) [ A B ]
# AutoComplete (P) [ A ]
# BrowserEmulation [ A B C ]
# CaretBrowsing [ A ]
# CommandBar [ A B C D ]
# Default HTML Editor [ C D ]
# Default MHTML Editor [ D ]
# Desktop [ A B C D ]
# Document Windows [ A B C D ]
# DOMStorage (P) [ A B C ]
# Download (*) [ A B C D ]
# DxTrans [ A ]
# Expiration [ A ]
# Explorer Bars [ A ]
# Extensions (*) [ A B C D ]
# Feed Discovery [ A ]
# Feeds [ A D ]
# Geolocation (*) [ A ]
# GPActivities [ A ]
# GPU [ A B ]
# Help_Menu_URLs [ A B C D ]
# IEDevTools (*) [ A B ]
# IETld (P) [ A B C ]
# InformationBar [ C D ]
# IntelliForms (*) [ A B C D ]
# International (*) [ A B C D ]
# InternetRegistry [ A B C D ]
# LinksBar [ A B C ]
# LinksExplorer [ A C D ]
# LowRights [ B D ]
# LowRegistry [ A B C D ]
# Main (P) [ A B C D ]
# MAO Settings [ A B C ]
# Media [ A C D ]
# MenuExt (*) [ A B C D ]
# MINIE [ A B ]
# New Windows [ A B C D ]
# PageSetup [ A B C D ]
# PhishingFilter (*) [ A B C D ]
# Privacy (P) [ A C ] (author's note: user settings)
# ProtocolExecute [ A ]
# Recovery (P) [ A B C ]
# Safety [ A ]
# SearchScopes (*) [ A B C D ]
# SearchUrl [ A B C D ]
# Security (*) [ A B C D ]
# Services [ A B C D ] (author's note: empty?)
# Settings [ A B C D ]
# Setup [ A B D ]
# SiteMode [ A B C D ]
# SQM (*) [ A B C ]
# Styles [ A ]
# Suggested Sites (P) [ A B C ]
# TabbedBrowsing [ A B C D ]
# TaskbarPreview [ A ]
# Text Scaling [ A ]
# Toolbar [ A B C D ]
# TypedURLs [ B C ] (author's note: hmm?!)
# UpgradeIEAd [ A ]
# URLSearchHooks (*) [ A B C D ]
# User Preferences (*) [ A B C ]
# View Source Editor [ A ]
# Zoom [ A B C D ]
As you may have guessed, the previous block is taken from a new RegRipper plugin I wrote, in which I tried to correctly (at the syntactic level) parse some keys and their values. Here is the output on the usual hive:
Launching ToBeNamed v.20120513
ToBeNamed v.20120513
(NTUSER.DAT) Get HKCU information on Internet Explorer
Software\Microsoft\Internet Explorer
LastWrite Time Thu Aug 25 15:30:43 2011 (UTC)
Download Directory = 'C:\Users\Marco\Downloads'
Software\Microsoft\Internet Explorer\AutoComplete not found.
Software\Microsoft\Internet Explorer\DOMStorage
LastWrite Time Tue Aug 23 14:04:06 2011 (UTC)
Subkeys:
live.com --- Tue Aug 23 14:04:30 2011 UTC
mediaset.it --- Mon Aug 22 09:16:43 2011 UTC
Total --- Tue Aug 23 14:04:30 2011 UTC
Software\Microsoft\Internet Explorer\IETld
LastWrite Time Wed Aug 17 08:25:32 2011 (UTC)
Internet Explorer version = 9.0.8112.16434
Software\Microsoft\Internet Explorer\Main
LastWrite Time Thu Sep 1 18:09:10 2011 (UTC)
Anchor Underline = yes
AutoHide = yes
Cache_Update_Frequency = Once_Per_Session
Check_Associations = no
CompatibilityFlags = 0 [0x00000000]
Disable Script Debugger = yes
DisableScriptDebuggerIE = yes
Display Inline Images = yes
Do404Search = 1 [0x01000000]
DownloadWindowPlacement = <skipped>
Enable Browser Extensions = yes
FullScreen = no
IconCache = 08aku2z
IE8RunOnceCompletionTime = Thu Jul 28 16:04:54 2011 UTC
IE8RunOnceLastShown = true [1]
IE8RunOnceLastShown_TIMESTAMP = Thu Jul 28 16:04:31 2011 UTC
IE8RunOncePerInstallCompleted = true [1]
IE8TourShown = true [1]
IE8TourShownTime = Thu Jul 28 16:04:54 2011 UTC
IE9RunOnceCompletionTime = Fri Jul 29 17:41:18 2011 UTC
IE9RunOncePerInstallCompleted = true [1]
IE9TourShown = true [1]
IE9TourShownTime = Fri Jul 29 17:41:18 2011 UTC
Local Page = C:\Windows\system32\blank.htm
NotifyDownloadComplete = yes
NoUpdateCheck = true [1]
Play_Animations = yes
Play_Background_Sounds = yes
Save_Session_History_On_Exit = no
Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
Show_FullURL = no
Show_StatusBar = yes
Show_ToolBar = yes
Show_URLinStatusBar = yes
Show_URLToolBar = yes
Start Page = http://www.google.it/
Start Page Redirect Cache = http://it.msn.com/?ocid=iehp
Start Page Redirect Cache AcceptLangs = it
Start Page Redirect Cache_TIMESTAMP = Thu Jul 28 16:03:59 2011 UTC
Use FormSuggest = yes
Use_DlgBox_Colors = yes
UseClearType = no
Window_Placement = <skipped>
XMLHTTP = true [1]
Software\Microsoft\Internet Explorer\Main\WindowsSearch
LastWrite Time Thu Sep 1 07:49:17 2011 (UTC)
ConfiguredScopes = 5 [0x00000005]
LastCrawl = Tue Aug 23 14:05:36 2011 UTC
UpgradeTime = Thu Sep 1 07:49:17 2011 UTC
User Favorites Path = file:///C:\Users\Marco\Favorites\
Version = 6.1.7601.17514
Software\Microsoft\Internet Explorer\Privacy not found
(IE should use the default Privacy settings)
Software\Microsoft\Internet Explorer\Recovery
LastWrite Time Fri Jul 29 09:53:55 2011 (UTC)
Software\Microsoft\Internet Explorer\Recovery\Active
LastWrite Time Thu Jul 28 17:03:54 2011 (UTC)
Software\Microsoft\Internet Explorer\Recovery\AdminActive
LastWrite Time Thu Sep 1 18:09:17 2011 (UTC)
Software\Microsoft\Internet Explorer\Recovery\PendingDelete not found.
Software\Microsoft\Internet Explorer\Suggested Sites
LastWrite Time Fri Jul 29 17:41:18 2011 (UTC)
Enabled = 0
MigrationTime = Fri Jul 29 17:41:18 2011 UTC
ObjectsCreated = false [0]
ObjectsCreated_TIMESTAMP = Thu Jul 28 16:04:54 2011 UTC
SlicePath = C:\Users\Marco\Favorites\Links\Siti suggeriti.url
I will not post the source code here since it is quite large, but let's dig a little into it. First, you can see output like "NoUpdateCheck = true [1]": here I guessed that the value is boolean, since other values like "yes/no" were present and since I found that the data are always "0" or "1". But assumptions are the "mother of errors", so I printed the original data inside "[]": if you get values different from "0|1", then my guess is wrong. The plugin will issue a warning in that case, so don't worry too much. Output like "Window_Placement = <skipped>" means that the plugin (cough cough...) is not interested in the data, but I think I will change this behaviour and print the binary blob in hexadecimal. Finally, a value inside "[]" is redundant and is used to validate the translators (more on them later).
Another interesting thing, and a specific one, is the subkey "Software\Microsoft\Internet Explorer\Privacy", which is related to the user's Privacy settings. What I found is that if the user changes these settings from the defaults to some custom values, the "Privacy" subkey appears and contains values. That is why, when it is missing, the plugin writes "(IE should use the default Privacy settings)". On another hive, this is the result:
[...]
Software\Microsoft\Internet Explorer\Privacy
LastWrite Time Fri Sep 23 22:34:00 2011 (UTC)
CleanDownloadHistory = true [1]
CleanPassword = true [1]
CleanTrackingProtection = true [1]
ClearBrowsingHistoryOnExit = true [1]
UseAllowList = false [0]
Quite interesting, isn't it? (By the way, this was the real starting reason for my post... sigh, one minute to understand and a lot of time to write plugins and the post... but that's sharing...). Could it be anti-forensics, or better, counter-forensics (more from Harlan)?
Finally, you may have spotted that the IE version reported in the SOFTWARE hive is a little different from the one reported in the NTUSER hive: the first is "9.0.8112.16421", the second is "9.0.8112.16434".
Homework...
Regarding the mentioned translators: I use lookup tables (Perl hashes) to associate value names with their data interpretations, which I (unfortunately) called translator(s). A snippet of the code:
[...]
my %IE_MAIN_WINSEARCH_TRANSLATE = (
"AutoCompleteGroups" => \&trNumHex,
"Cleared" => \&trBool,
"Cleared_TIMESTAMP" => \&trFileTime,
"ConfiguredScopes" => \&trNumHex,
"Disabled" => \&trBool,
"EnabledScopes" => \&trNumHex,
"LastCrawl" => \&trFileTime,
"UpgradeTime" => \&trFileTime
);
[...]
When the plugin encounters a value that is in the list, its data is parsed using the specified translator (which is a sort of callback function): if new values come out, it is easy to add them to the list (or not) when a special translator is needed; otherwise the regular rptMsg facility is used.
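The translator table above, together with the validation warning described earlier, as an added example in Python (written for this page, not the post's plugin, which is Perl): each translator receives the raw value bytes and returns the rendered text plus the raw form in "[]", trBool complains when the data is not exactly 0 or 1, and a name missing from the table falls through to a default that prints text when it is printable ASCII and hex otherwise. The input values are constructed to match the WindowsSearch output shown above, with two deliberately malformed entries to exercise the warnings; treating every value as raw bytes is an assumption (Parse::Win32Registry already hands back DWORDs as numbers), and nothing is read from a hive.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
DAYS = ("Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun")
MONTHS = ("Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec")

# Every translator takes the raw value bytes and returns (rendered text, warning or None).

def _u32(raw):
    """Perl unpack("V"): unsigned 32-bit, little-endian (1 to 4 bytes accepted)."""
    if not 1 <= len(raw) <= 4:
        raise ValueError("expected 1-4 bytes, got %d" % len(raw))
    return int.from_bytes(raw, "little")


def trNumHex(raw):
    n = _u32(raw)
    return "%d [0x%08X]" % (n, n), None


def trBool(raw):
    n = _u32(raw)
    if n not in (0, 1):                      # the guess "this is a boolean" was wrong
        return "%d [0x%08X]" % (n, n), "not a boolean (expected 0|1)"
    return "%s [%d]" % ("true" if n else "false", n), None


def trFileTime(raw):
    if len(raw) != 8:
        return "0x" + raw.hex(), "expected 8-byte FILETIME, got %d bytes" % len(raw)
    (ticks,) = struct.unpack("<Q", raw)                 # 100 ns ticks since 1601-01-01 UTC
    dt = EPOCH_1601 + timedelta(microseconds=ticks // 10)
    # same layout as Perl's scalar gmtime(): "Thu Sep  1 07:49:17 2011"
    return "%s %s %2d %02d:%02d:%02d %d UTC" % (DAYS[dt.weekday()], MONTHS[dt.month - 1],
                                               dt.day, dt.hour, dt.minute, dt.second, dt.year), None


def trDefault(raw):
    """Fallback for names not in the table: text if printable ASCII, else hex
    (instead of the "<skipped>" the post's plugin currently prints)."""
    try:
        text = raw.decode("ascii")
        if text.isprintable():
            return text, None
    except UnicodeDecodeError:
        pass
    return "0x" + raw.hex(), None


IE_MAIN_WINSEARCH_TRANSLATE = {
    "AutoCompleteGroups": trNumHex,
    "Cleared": trBool,
    "Cleared_TIMESTAMP": trFileTime,
    "ConfiguredScopes": trNumHex,
    "Disabled": trBool,
    "EnabledScopes": trNumHex,
    "LastCrawl": trFileTime,
    "UpgradeTime": trFileTime,
}


def render_key(values, table):
    """Render name -> raw bytes with `table` (name -> translator). Returns (lines, warnings)."""
    lines, warnings = [], []
    for name in sorted(values):
        text, warn = table.get(name, trDefault)(values[name])
        lines.append("%s = %s" % (name, text))
        if warn:
            warnings.append("%s: %s" % (name, warn))
    return lines, warnings


def sample_winsearch_values():
    """Constructed from the WindowsSearch output above; the last two entries are
    deliberately malformed to exercise the warnings. Not read from a hive."""
    return {
        "ConfiguredScopes": (5).to_bytes(4, "little"),
        "Version": b"6.1.7601.17514",
        "User Favorites Path": b"file:///C:\\Users\\Marco\\Favorites\\",
        "UpgradeTime": (129593369570000000).to_bytes(8, "little"),  # Thu Sep  1 07:49:17 2011 UTC
        "Disabled": b"\x02\x00\x00\x00",          # not 0|1
        "Cleared_TIMESTAMP": b"\x01\x02\x03",     # wrong length for a FILETIME
    }


if __name__ == "__main__":
    lines, warnings = render_key(sample_winsearch_values(), IE_MAIN_WINSEARCH_TRANSLATE)
    print("\n".join(lines))
    for w in warnings:
        print("WARNING:", w)
```

The point of keeping the raw form beside the interpretation is exactly the one made above: a translator encodes a guess about the data, and the "[...]" plus the warning list is what tells you when a newer IE build has broken that guess.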

"I can feel your FForce..."
"(I should take a shower)"
NTUSER Software\Microsoft\Windows\CurrentVersion\Internet Settings
Another huge source of information (with many subkeys and values)... another RR plugin! (hurrah)
Since the post is becoming too long, I will omit some details: depending on feedback, I could write a specific post on the plugin. I try to parse at least the following keys: "5.0", "CACHE", "P3P", "Url History", "Wpad", "ZoneMap"; references here: "Internet Explorer 6.0 Registry Settings", "WinInet Registry Settings", "Web Proxy Autodiscovery Protocol", "How the Windows Update client determines which proxy server to use to connect to the Windows Update Web site", "Automatic Discovery for Firewall and Web Proxy Clients", etc. Since the plugin is a reporting one, I felt the need to add a few lines about the subkeys not parsed, to give analysts something they could delve into. Let's see its output on "our" hive:
Launching internet_settings v.20120515
internet_settings v.20120515
(NTUSER.DAT) Get HKCU information on Internet Settings
Software\Microsoft\Windows\CurrentVersion\Internet Settings
LastWrite Time Wed Aug 31 14:08:37 2011 (UTC)
AutoConfigProxy = wininet.dll
CertificateRevocation = true [1]
DisableCachingOfSSLPages = false [0]
EmailName = User@
EnableHttp1_1 = true [1]
EnableNegotiate = true [1]
IE5_UA_Backup_Flag = 5.0
MigrateProxy = true [1]
MimeExclusionListForCache = multipart/mixed multipart/x-mixed-replace multipart/x-byteranges
PrivacyAdvanced = false [0]
PrivDiscUiShown = true [1]
ProxyEnable = false [0]
SecureProtocols = 160 [0x000000A0]
UrlEncoding = false [0]
User Agent = Mozilla/4.0 (compatible; MSIE 8.0; Win32)
UseSchannelDirectly = 0x01000000
WarnOnIntranet = false [0]
WarnOnPost = 0x01000000
WarnonZoneCrossing = false [0]
ZonesSecurityUpgrade = Fri Jul 29 12:40:52 2011 UTC
*Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0
LastWrite Time Thu Jul 28 15:58:52 2011 (UTC)
Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache
LastWrite Time Thu Jul 28 15:58:52 2011 (UTC)
Signature = Client UrlCache MMF Ver 5.2
Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
LastWrite Time Fri Jul 29 12:40:58 2011 (UTC)
CacheLimit = 256000 KB
CachePrefix =
Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
LastWrite Time Thu Jul 28 15:58:52 2011 (UTC)
CacheLimit = 8192 KB
CachePrefix = Cookie:
Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
LastWrite Time Thu Jul 28 15:58:52 2011 (UTC)
CacheLimit = 8192 KB
CachePrefix = Visited:
Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache
LastWrite Time Fri Sep 2 06:55:10 2011 (UTC)
Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\DOMStore
LastWrite Time Thu Aug 4 15:55:12 2011 (UTC)
CacheLimit = 1000 KB
CacheOptions = 0x8
CachePath = %USERPROFILE%\AppData\Local\Microsoft\Internet Explorer\DOMStore
CachePrefix = DOMStore
CacheRepair = 0x0
Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\feedplat
LastWrite Time Thu Jul 28 15:58:52 2011 (UTC)
CacheLimit = 8192 KB
CacheOptions = 0x0
CachePath = %USERPROFILE%\AppData\Local\Microsoft\Feeds Cache
CachePrefix = feedplat:
CacheRepair = 0x0
Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\iecompat
LastWrite Time Fri Jul 29 09:53:57 2011 (UTC)
CacheLimit = 8192 KB
CacheOptions = 0x9
CachePath = %APPDATA%\Microsoft\Windows\IECompatCache
CachePrefix = iecompat:
CacheRepair = 0x0
Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\iedownload
LastWrite Time Fri Jul 29 17:41:15 2011 (UTC)
CacheLimit = 8192 KB
CacheOptions = 0x9
CachePath = %APPDATA%\Microsoft\Windows\IEDownloadHistory
CachePrefix = iedownload:
CacheRepair = 0x0
Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\ietld
LastWrite Time Thu Jul 28 15:58:52 2011 (UTC)
CacheLimit = 8192 KB
CacheOptions = 0x9
CachePath = %APPDATA%\Microsoft\Windows\IETldCache
CachePrefix = ietld:
CacheRepair = 0x0
Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012011080820110815
LastWrite Time Wed Aug 17 08:21:29 2011 (UTC)
CacheLimit = 8192 KB
CacheOptions = 0xB
CachePath = %USERPROFILE%\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012011080820110815
CachePrefix = :2011080820110815:
CacheRepair = 0x0
Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012011081520110822
LastWrite Time Mon Aug 22 07:57:07 2011 (UTC)
CacheLimit = 8192 KB
CacheOptions = 0xB
CachePath = %USERPROFILE%\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012011081520110822
CachePrefix = :2011081520110822:
CacheRepair = 0x0
Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012011082220110829
LastWrite Time Mon Aug 29 08:00:42 2011 (UTC)
CacheLimit = 8192 KB
CacheOptions = 0xB
CachePath = %USERPROFILE%\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012011082220110829
CachePrefix = :2011082220110829:
CacheRepair = 0x0
Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012011082920110830
LastWrite Time Mon Aug 29 08:00:42 2011 (UTC)
CacheLimit = 8192 KB
CacheOptions = 0xB
CachePath = %USERPROFILE%\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012011082920110830
CachePrefix = :2011082920110830:
CacheRepair = 0x0
Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012011083020110831
LastWrite Time Tue Aug 30 07:52:35 2011 (UTC)
CacheLimit = 8192 KB
CacheOptions = 0xB
CachePath = %USERPROFILE%\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012011083020110831
CachePrefix = :2011083020110831:
CacheRepair = 0x0
Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012011083120110901
LastWrite Time Wed Aug 31 08:41:58 2011 (UTC)
CacheLimit = 8192 KB
CacheOptions = 0xB
CachePath = %USERPROFILE%\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012011083120110901
CachePrefix = :2011083120110901:
CacheRepair = 0x0
Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012011090120110902
LastWrite Time Thu Sep 1 04:22:06 2011 (UTC)
CacheLimit = 8192 KB
CacheOptions = 0xB
CachePath = %USERPROFILE%\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012011090120110902
CachePrefix = :2011090120110902:
CacheRepair = 0x0
Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012011090220110903
LastWrite Time Fri Sep 2 06:55:10 2011 (UTC)
CacheLimit = 8192 KB
CacheOptions = 0xB
CachePath = %USERPROFILE%\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012011090220110903
CachePrefix = :2011090220110903:
CacheRepair = 0x0
Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\PrivacIE:
LastWrite Time Fri Jul 29 09:53:58 2011 (UTC)
CacheLimit = 1024 KB
CacheOptions = 0x9
CachePath = %APPDATA%\Microsoft\Windows\PrivacIE
CachePrefix = PrivacIE:
CacheRepair = 0x0
Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\UserData
LastWrite Time Fri Jul 29 17:41:17 2011 (UTC)
CacheLimit = 1000 KB
CacheOptions = 0x8
CachePath = %APPDATA%\Microsoft\Internet Explorer\UserData
CachePrefix = UserData
CacheRepair = 0x0
Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache
LastWrite Time Thu Jul 28 16:03:49 2011 (UTC)
Signature = Client UrlCache MMF Ver 5.2
Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache\Content
LastWrite Time Mon Aug 1 13:11:07 2011 (UTC)
CacheLimit = 256000 KB
CachePrefix =
Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache\Cookies
LastWrite Time Thu Jul 28 16:03:48 2011 (UTC)
CacheLimit = 8192 KB
CachePrefix = Cookie:
Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache\History
LastWrite Time Thu Jul 28 16:03:48 2011 (UTC)
CacheLimit = 8192 KB
CachePrefix = Visited:
Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache\Extensible Cache
LastWrite Time Thu Jul 28 16:05:04 2011 (UTC)
Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache\Extensible Cache\DOMStore
LastWrite Time Thu Jul 28 16:04:05 2011 (UTC)
CacheLimit = 1000 KB
CacheOptions = 0x8
CachePath = %USERPROFILE%\AppData\LocalLow\Microsoft\Internet Explorer\DOMStore
CachePrefix = DOMStore
CacheRepair = 0x0
Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache\Extensible Cache\iecompat
LastWrite Time Thu Jul 28 16:04:55 2011 (UTC)
CacheLimit = 8192 KB
CacheOptions = 0x9
CachePath = %APPDATA%\Microsoft\Windows\IECompatCache\Low
CachePrefix = iecompat:
CacheRepair = 0x0
Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache\Extensible Cache\ietld
LastWrite Time Thu Jul 28 16:03:49 2011 (UTC)
CacheLimit = 8192 KB
CacheOptions = 0x9
CachePath = %APPDATA%\Microsoft\Windows\IETldCache\Low
CachePrefix = ietld:
CacheRepair = 0x0
Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache\Extensible Cache\MSHist012011072820110729
LastWrite Time Thu Jul 28 16:04:30 2011 (UTC)
CacheLimit = 8192 KB
CacheOptions = 0xB
CachePath = %USERPROFILE%\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012011072820110729
CachePrefix = :2011072820110729:
CacheRepair = 0x0
Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache\Extensible Cache\PrivacIE:
LastWrite Time Thu Jul 28 16:04:01 2011 (UTC)
CacheLimit = 1024 KB
CacheOptions = 0x9
CachePath = %APPDATA%\Microsoft\Windows\PrivacIE\Low
CachePrefix = PrivacIE:
CacheRepair = 0x0
Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache\Extensible Cache\UserData
LastWrite Time Thu Jul 28 16:05:04 2011 (UTC)
CacheLimit = 1000 KB
CacheOptions = 0x8
CachePath = %APPDATA%\Microsoft\Internet Explorer\UserData\Low
CachePrefix = UserData
CacheRepair = 0x0
*Software\Microsoft\Windows\CurrentVersion\Internet Settings\CACHE
LastWrite Time Thu Jul 28 15:58:39 2011 (UTC)
Persistent = 1
*Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P
LastWrite Time Thu Jul 28 15:58:28 2011 (UTC)
Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History
LastWrite Time Thu Jul 28 15:58:28 2011 (UTC)
ANALYST NOTE:
No per-domain cookie decisions subkeys are present
*Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
LastWrite Time Thu Sep 1 11:48:06 2011 (UTC)
NETWORK SUBKEY: {248FCCF6-AA10-4609-ACFB-9CB9849B58E8}_{64E2FC55-36A5-4BEE-813F-0AF28B619F1A}
LastWrite Time Wed Aug 31 14:24:17 2011 (UTC)
WpadDecision = 0
WpadDecisionReason = 1
WpadDecisionTime = Wed Aug 31 14:24:17 2011 UTC
WpadNetworkName = Rete non identificata
-- MAC SUBKEYS -- *no* MAC subkeys (unidentified network)
NETWORK SUBKEY: {248FCCF6-AA10-4609-ACFB-9CB9849B58E8}
LastWrite Time Thu Aug 25 13:45:54 2011 (UTC)
WpadDecision = 0
WpadDecisionReason = 1
WpadDecisionTime = Wed Aug 3 07:11:41 2011 UTC
WpadNetworkName = Rete 2
-- MAC SUBKEYS --
00-09-0f-e4-37-47 LastWritten Thu Aug 25 13:45:54 2011 UTC
NETWORK SUBKEY: {248FCCF6-AA10-4609-ACFB-9CB9849B58E8}_{67358AD6-9D44-4D73-A12C-9490D94ED958}
LastWrite Time Wed Aug 31 13:43:47 2011 (UTC)
WpadDecision = 0
WpadDecisionReason = 1
WpadDecisionTime = Wed Aug 31 13:43:47 2011 UTC
WpadNetworkName = Rete non identificata
-- MAC SUBKEYS -- *no* MAC subkeys (unidentified network)
NETWORK SUBKEY: {B5D922E7-8B67-44FD-926F-B616962C7248}
LastWrite Time Thu Jul 28 16:04:31 2011 (UTC)
WpadDecision = 0
WpadDecisionReason = 1
WpadDecisionTime = Thu Jul 28 16:04:31 2011 UTC
WpadNetworkName = Rete
-- MAC SUBKEYS --
00-09-11-8d-14-5f LastWritten Thu Jul 28 16:03:58 2011 UTC
NETWORK SUBKEY: {ED4D141B-8DF1-4779-A7AA-8FD1D3123048}
LastWrite Time Thu Aug 25 13:45:54 2011 (UTC)
WpadDecision = 3
WpadDecisionReason = 1
WpadDecisionTime = Thu Aug 25 13:22:20 2011 UTC
WpadNetworkName = Rete non identificata
-- MAC SUBKEYS -- *no* MAC subkeys (unidentified network)
MACs SUBKEY: 00-09-11-8d-14-5f
LastWrite Time Thu Jul 28 16:04:31 2011 (UTC)
WpadDecision = 0
WpadDecisionReason = 1
WpadDecisionTime = Thu Jul 28 16:04:31 2011 UTC
MACs SUBKEY: 00-09-0f-e4-37-47
LastWrite Time Thu Aug 25 13:45:54 2011 (UTC)
WpadDecision = 0
WpadDecisionReason = 1
WpadDecisionTime = Wed Aug 3 07:11:41 2011 UTC
*Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
LastWrite Time Fri Jul 29 12:41:00 2011 (UTC)
(default) =
AutoDetect = 1
UNCAsIntranet = 0
-- 'ZoneMap' subkeys -- not parsed:
Domains Thu Jul 28 15:58:39 2011 UTC
EscDomains Thu Jul 28 15:58:38 2011 UTC
ProtocolDefaults Thu Jul 28 15:58:39 2011 UTC
Ranges Thu Jul 28 15:58:39 2011 UTC
Subkeys not parsed in 'Software\Microsoft\Windows\CurrentVersion\Internet Settings'
Activities --- Thu Jul 28 16:04:54 2011 UTC
Connections --- Fri Sep 2 09:28:45 2011 UTC
Http Filters --- Thu Jul 28 15:58:28 2011 UTC
Lockdown_Zones --- Thu Jul 28 15:58:39 2011 UTC
Passport --- Fri Jul 29 07:03:48 2011 UTC
TemplatePolicies --- Fri Jul 29 07:03:48 2011 UTC
Zones --- Thu Jul 28 16:03:47 2011 UTC
Try them and give feedback: it would be of great importance to have some real-life cases, I mean hives and your considerations. Let's improve the