Monday, March 30, 2015

Registry Reporter - Beta Release

Almost an hour and a half after the official end of the day, but the Beta 0.1 of Registry Reporter has been officially released for testing. Please remember this is a beta, and therefore should not be used for production level work.

The beta release has been posted to the following URL:


If you find issues please send me an email to: erik@erikmiyake.us

  1. Describe the steps you took to cause the error.
  2. What hive and what key you were reading from.

In addition to errata, I would appreciate feedback on features and design.

Thanks,
Erik



Wednesday, March 25, 2015

Registry Reporter - Last post before beta release

If you did not see my prior post, I've renamed what I was calling "Registry Explorer" to be "Registry Reporter".  It's been a long road to this point. Many distractions slowed down the beta release timeline, including the addition of new features and behaviors into the "Registry Reporter" application.

I've been suffering from the Engineer's Dilemma: of when to release, when is it ready? To avoid further slippage on the beta release, I've drawn a line in the sand for myself of the end of this week.

So expect a post with download link by end of day .. March 29th, 2015 PST. There it has been said, and soon as this post is published it must be a reality.

Clarification: As I was writing, I realized that I was switching between being lazy and using abbreviations and spelling out the whole terms. Since the terms also appear in the application itself, I thought I would explain:

  • NK - Named Registry Key (visually represented as a folder icon in the application)
  • VK - Value Registry Key (visually represented as a file document icon in the application)

Here the are new features:

Main Interface
The main interface layout has remained basically the same, with the only alteration being the addition of the "Bookmarks" (upper left) and "VK Data Hex" (lower left) tabs. Most  of the additional features are available through drop down menus.

Table displays VK and NK.
The data table (picture aboce) which displays the registry keys, for the Named Key selected in the tree on the left hand side, now displays both the Value Key and Named Key. Previous it only displayed the Value Keys for the selected Name Key. This table allows you to drill down in the registry structure by double clicking on a Named Key in the table.

Bookmark
You can now bookmark the selected key in the data table. This allows you to identify keys of interest for reporting purposes and bookmarking them for later reference.

Bookmarks
 The bookmarked registry key can be found under the "Bookmarks" tab. Selecting the bookmark will cause the data table to display key or keys children.


Modified Within
You can now select a key of interest (NK or VK) and populate the Timestamp tab with entries within 1Hr or 24Hrs of the selected NK key or selected VK key's parent.

Hex of Value
You can now view and interact with the hex data for the Value Keys raw data through a hex control (pictured above) under the "VK Data Hex" tab. This allows you to copy values, hash data selections, and much more. This hexcontrol only displays the data for the selected Value key.


Raw Hive - View
You can also view the selected key in situ within the hive itself (pictured above). This is launched through a drop down menu from the data table and the hexcontrol is displayed in a dialog window. The selected key is broken out into it's separate parts so you can see the internal structure. Placing the mouse cursor over a colored break out region causes a tool tip to display the selection name i.e. Slack (in the picture above).

Raw Hive - View
A limited data probe feature has been implemented. Manually selecting bytes will cause the data to be interpreted if the selection size matches the type i.e. a 2 byte selection populates the rows: Char. UInt16, and Int16. Clicking on a break out region causes that region to automatically be selected and the value displayed in the probe table. In the picture above, the cell size was clicked on and the value of the cellsize (-88) can be see in the Int32 row.


The following features are in the pipeline to be completed:

  1. Indicator of Compromise (IOC) 
    • Registry IOCs based on Mandiant OpenIOC format.
    • Online support for sharing registry IOC definitions.
    • Creation of IOCs based on the select key, or selected data.
    • IOC report generation.
    • Note: if anyone has examples of  RegistryIOCs that they currently use or have created. I would appreciate seeing them. 
  2. Timestamp Helper
    • Adding value keys with timestamps within the keys data to the timestamp filtering.
    • This feature allows items like UserAssist entries which can have an embedded timestamp to be used for timeline based activity tracking.
    • Users can define a custom helper for keys which have a fixed offset for the timestamp and where the key can be identified through a direct full path or regex full path match.
    • Registry value keys which have a variable offset will be support and developed as time allows and user interest warrants. 
  3. Saving Bookmarks  
    • saving bookmarks.
  4. Recovery Of Keys 
    • Key recovery has been written, but I've not taken the time to complete my due dilligence, to my satisfaction, so it will not be part of the initial beta release.


Wednesday, March 11, 2015

Forensic Framework - Teaser 3

Just finished posting the video for the third teaser. The feature updates below had eaten up time that was supposed to be allocated to the Registry Reporter (new name for what I was calling Registry Explorer). I'm getting back to the Registry Reporter this week, so expect a beta soon.

Below is the teaser 3:


Feature Updates:

Overlay Toolbox
- Treble Layout
- Editable Favorites
- Drag and Drop to the Hex Control
- Selectable palette
Hex Tools
- Dropper Select
- Paint Brush Select
- XRAY vision
-Selected color auto cycling
Data Probes
- GUI Rearrangement
Data Visualization
- Control overhaul
- Scrolling and paging updates.
- Zoom level buttons
- Display of selections in hex control
Hex Control
- added SeekUntil overlay feature
- modified to support tool behavior changes


Image: XRAY feature

User can enable the XRAY tool and select an overlay type to have the hex control highlight items which match the overlay type. Some overlay types are more discriminating than others, and are therefore more effective to identify data of interest i.e. "Windows 64 LE Timestamp" vs UInt64.

Image: Favorites toolbox editor

A user can customize a favorites toolbox with only the overlay types that they wish to work with at the time. These custom toolboxes can be saved and loaded later.

Image: Data probes

Data probes allow a user to selected an offset within the hex control and have it evaluated against different data types. The data probes are broken into three categories: Binary(Numeric), Timestamp, and Text Encoding.


Image: Binary probe

Image: Timestamp probe

The display formatting, timezone, and valid date ranges can be modified for the timestamp probe. The data range allows the timestamp probe control to only display decoded data time values which fall within the range of interest. This helps eliminate dates such as  3 AD, January 1rst  ...( I think that is a Monday)...  which probably doesn't have any relevance to your data.   
 
Image: Encoding probe

The visualization control has been overhauled to provide more intuitive controls, magnification, and paging/scrolling. 

Image: Visualization - gradient

Image: Visualization - High low

Image: Visualization - Unicode - English