Showing posts from 2012

wtmp timeline efforts

In DFIR activities, timelines are often decisive in understanding what happened (lots of refs here). Luckily Kristinn Gudjonsson provided the community with the great log2timeline tool (here, from now on l2t) that, along with Brian Carrier's invaluable SleuthKit, gives a (temporal) order to chaos. But l2t does not currently consider the valuable artifacts found in the wtmp / btmp files on Linux systems.

wtmp (utmp? btmp!)

For a quick introduction to those files, let's see what Wikipedia says about them: "utmp, wtmp, btmp and variants such as utmpx, wtmpx and btmpx are files on Unix-like systems that keep track of all logins and logouts to the system. The utmp file keeps track of the current login state of each user. The wtmp file records all logins and logouts history. The btmp file records failed login attempts. The utmp, wtmp and btmp files were never a part of any official Unix standard, such as Single UNIX Specificat
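Since l2t does not parse these files yet, here is an added example (not code from the post, nor from log2timeline or SleuthKit) of what such a parser has to do: read the raw binary records, turn them into timestamped events, merge wtmp and btmp into one ordered timeline, and pair logins with logouts the way last(1) does. It assumes the glibc struct utmp layout used on Linux x86-64 and i386 (384-byte little-endian records with 32-bit ut_tv fields); other libcs and architectures lay the struct out differently. The records it parses are constructed inline and are not a real capture.

```python
import socket
import struct
from datetime import datetime, timezone

# glibc struct utmp (bits/utmp.h) as laid out on Linux x86-64 and i386, little-endian:
#   short ut_type; <2 pad>; pid_t ut_pid; char ut_line[32]; char ut_id[4];
#   char ut_user[32]; char ut_host[256]; struct exit_status ut_exit (2 x short);
#   int32 ut_session; int32 tv_sec; int32 tv_usec; int32 ut_addr_v6[4];
#   char __unused[20]                                   -> 384 bytes per record
# Assumption: the image comes from such a system; other libcs/arches differ.
UTMP_FMT = "<hxxi32s4s32s256shhiii16s20s"
UTMP_SIZE = struct.calcsize(UTMP_FMT)   # 384

UT_TYPES = {0: "EMPTY", 1: "RUN_LVL", 2: "BOOT_TIME", 3: "NEW_TIME", 4: "OLD_TIME",
            5: "INIT_PROCESS", 6: "LOGIN_PROCESS", 7: "USER_PROCESS",
            8: "DEAD_PROCESS", 9: "ACCOUNTING"}

def _cstr(raw):
    """Decode a NUL-padded fixed-width C string field."""
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")

def _addr(raw):
    """ut_addr_v6: an IPv4 address sits in the first word with the rest zero."""
    if raw == b"\0" * 16:
        return ""
    if raw[4:] == b"\0" * 12:
        return socket.inet_ntoa(raw[:4])
    return socket.inet_ntop(socket.AF_INET6, raw)

def parse_utmp(data):
    """Return (records, trailing_bytes). A length that is not a multiple of 384
    means a truncated or edited file; the leftover is reported, not dropped."""
    records = []
    whole = len(data) - len(data) % UTMP_SIZE
    for off in range(0, whole, UTMP_SIZE):
        (ut_type, pid, line, ut_id, user, host, _term, _exit, _sess,
         sec, usec, addr, _unused) = struct.unpack_from(UTMP_FMT, data, off)
        records.append({
            "offset": off, "type": UT_TYPES.get(ut_type, "UNKNOWN(%d)" % ut_type),
            "pid": pid, "line": _cstr(line), "id": _cstr(ut_id),
            "user": _cstr(user), "host": _cstr(host), "ip": _addr(addr),
            "ts": datetime.fromtimestamp(sec + usec / 1e6, tz=timezone.utc),
        })
    return records, len(data) - whole

def timeline(wtmp_records, btmp_records=()):
    """Merge wtmp and btmp records into l2t-style rows sorted by time."""
    events = {"BOOT_TIME": "boot", "RUN_LVL": "runlevel change",
              "LOGIN_PROCESS": "login prompt", "USER_PROCESS": "login",
              "DEAD_PROCESS": "logout"}
    rows = []
    for r in wtmp_records:
        rows.append((r["ts"], "wtmp", events.get(r["type"], r["type"].lower()),
                     r["user"], r["line"], r["host"] or r["ip"]))
    for r in btmp_records:
        # whichever ut_type the writer used, a btmp entry is a failed attempt
        rows.append((r["ts"], "btmp", "failed login",
                     r["user"], r["line"], r["host"] or r["ip"]))
    return sorted(rows)

def sessions(wtmp_records):
    """Pair each USER_PROCESS with the next DEAD_PROCESS on the same ut_line, as
    last(1) does. An unmatched login is still open, or its logout was never
    written (crash) or was wiped."""
    open_by_line, out = {}, []
    for r in wtmp_records:
        if r["type"] == "USER_PROCESS":
            open_by_line[r["line"]] = r
        elif r["type"] == "DEAD_PROCESS" and r["line"] in open_by_line:
            login = open_by_line.pop(r["line"])
            out.append((login["user"], login["line"], login["ts"], r["ts"]))
    for login in open_by_line.values():
        out.append((login["user"], login["line"], login["ts"], None))
    return out

def make_record(ut_type, pid, line, ut_id, user, host, sec, ip=""):
    """Pack one record; used only to build the constructed sample below."""
    addr = socket.inet_aton(ip) + b"\0" * 12 if ip else b"\0" * 16
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), ut_id.encode(),
                       user.encode(), host.encode(), 0, 0, 0, sec, 0, addr, b"")

# Constructed sample data (not a real capture): a boot, two logins, one logout,
# plus 100 bytes of junk standing in for a truncated final record.
T0 = int(datetime(2012, 3, 1, 8, 0, tzinfo=timezone.utc).timestamp())
WTMP_SAMPLE = b"".join([
    make_record(2, 0, "~", "~~", "reboot", "3.2.0-18-generic", T0),
    make_record(7, 4242, "pts/0", "ts/0", "alice", "10.0.0.5", T0 + 600, "10.0.0.5"),
    make_record(7, 4300, "tty1", "tty1", "bob", "", T0 + 900),
    make_record(8, 4242, "pts/0", "ts/0", "", "", T0 + 1800),
]) + b"\xff" * 100
BTMP_SAMPLE = make_record(6, 5000, "ssh:notty", "", "root", "203.0.113.7",
                          T0 + 1200, "203.0.113.7")

if __name__ == "__main__":
    wtmp, trailing = parse_utmp(WTMP_SAMPLE)
    btmp, _ = parse_utmp(BTMP_SAMPLE)
    for ts, src, event, user, line, host in timeline(wtmp, btmp):
        print(ts.isoformat(), src, event, user, line, host, sep="\t")
    for user, line, start, end in sessions(wtmp):
        print("session", user, line, start, end or "still logged in")
    if trailing:
        print("warning: %d trailing bytes, truncated or edited file?" % trailing)
```

On a real image, feed parse_utmp the bytes of /var/log/wtmp, /var/log/btmp and any rotated copies (wtmp.1 and friends), then cross-check the rows against `last -f` / `lastb -f` and `utmpdump`. Keep in mind that these are plain binary files with no integrity protection: entries can be zeroed or rewritten (utmpdump -r writes an edited text dump back into the binary file), so a login with no matching logout, a trailing partial record, or timestamps out of sequence is itself a finding rather than noise.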

Exploring Internet Explorer with RegRipper

In the last case... I was feeling that some Internet Explorer artifacts were missing, so I decided to take a look at the RegRipper plugins that parse the user registry hive NTUSER.DAT to see if they could help me. Honestly, I don't have a clear idea of where to search for a sign, since I usually get information from the IE cache files and not from the registry.

RegRipper IE plugins mini-survey

There are actually four Internet Explorer plugins:

ie_main (NTUSER): despite the description in the source file header ("the plugin Checks keys/values set by new version of Trojan.Clampi"), the plugin parses (details later) the "Software\Microsoft\Internet Explorer\Main" key; it was written by Harlan Carvey on 19/09/2009.

ie_settings (NTUSER): the plugin reports the User Agent string used by IE when visiting sites and the ZoneSecurityUpgrade value inside the "Software\Microsoft\Windows\CurrentVersion\Inter