NIST Forensic Challenge

A RegistryRipper Walk through...

This article illustrates how to use Harlan Carvey's powerful RegistryRipper tool set to answer the questions in the NIST sample Hacking Case (Ref. http://www.cfreds.nist.gov/Hacking_Case.html). Being a long time Linux user and now a Mac user I thought that this would be a great learning exercise to introduce some basic command line foo and forensic investigation by answering the questions presented by this challenge. These are my notes... I hope you can learn something from them.

Getting Started

Acquire the images and perform hashing/check sum on each as well as the assembled image. To download the images, I ran a FOR loop which took several hours to complete:

$ for i in {1..8}; do curl http://www.cfreds.nist.gov/images/hacking-dd/SCHARDT.00$i -o SCHARDT.00$i; done

Append the image parts into one large image for analysis:

$ for i in `ls SCHARDT.00*`; do cat $i >> SCHARDT.img; done

Generate MD5 check sums of all disk images:

$ for i in `ls SCHARDT.*`; do md5 $i >> $i.md5; done

At this point I have a working copy of the forensic image. To get started with RegistryRipper on OS X there are a few tweaks that I have implemented to make life easier.

Tweaks and Prerequisites

In the next series of steps a few prerequisite changes are made and then I describe the steps that I used to use rip.pl in a batch mode to process all the registry hives with their respective plugins. The output from each "rip" is then appended to a single report from which most of the questions in this challenge can be answered. Change the Perl interpreter path on the first line of rip.pl to /usr/bin/perl (being that this was developed on windows Mr. Carvey preference is Windows centric) Install the required Win32Registry module from CPAN

cpan> install Parse::Win32Registry

Generate a CSV of all the available plugins - take a few minutes to browse these and become familiar with their descriptions:

rip.pl -l -c > plugins.csv

Then generate a list of plugins by type, e.g. SECURITY, SYSTEM, SOFTWARE

awk -F, '{print $3, $1}' < plugins.csv | sort

Generate a distinct list of plugin Hive Types

awk '{print $1}' < plugins.sorted.txt | uniq
All
NTUSER.DAT
SAM
Security
Software
System

Generate a listing of plugins by type so that one can automate/script rip.pl plugins by hive type:

for i in `cat list`; do grep ^$i plugins.sorted.txt | awk '{print $2}' >> hive.plugin.$i; done

This results in the following files being created:

$ wc -l hive.plugin.*
1 hive.plugin.All
40 hive.plugin.NTUSER.DAT
1 hive.plugin.SAM
1 hive.plugin.Security
30 hive.plugin.Software
31 hive.plugin.System

Registry Parsing

On my mbp I review and then mount the image with the hdiutil command which places the volume under "/Volumes/Untitled\ 1":

hdiutil imageinfo SCHARDT.img
hdiutil attach -readonly SCHARDT.img

Copy all the registry hives from the image to the current working directory:

$ cp /Volumes/Untitled\ 1/WINDOWS/system32/config/software .
$ cp /Volumes/Untitled\ 1/WINDOWS/system32/config/SECURITY .
$ cp /Volumes/Untitled\ 1/WINDOWS/system32/config/SAM .
$ cp /Volumes/Untitled\ 1/WINDOWS/system32/config/system .
$ cp /Volumes/Untitled\ 1/Documents\ and\ Settings/Mr.\ Evil/NTUSER.DAT .

Generate a massive report by concatenating rip.pl output for each hive. Here I have generated a wrapper script to call each 'for' loop for the respective plugin groups:

$ cat run.rip.sh
 
#!/bin/bash
for i in `cat hive.plugin.Software`; do echo plugin $i >> report.regripper.txt; rip.pl -r evidence/registry/software -p $i>> report.regripper.txt;done

for i in `cat hive.plugin.Security`; do echo plugin $i >> report.regripper.txt; rip.pl -r evidence/registry/SECURITY -p $i>> report.regripper.txt;done

for i in `cat hive.plugin.System`; do echo plugin $i >> report.regripper.txt; rip.pl -r evidence/registry/system -p $i>> report.regripper.txt;done

for i in `cat hive.plugin.NTUSER.DAT`; do echo plugin $i >> report.regripper.txt; rip.pl -r evidence/registry/NTUSER.DAT -p $i>> report.regripper.txt;done

The result of the above is a file with over 3800 lines of rip.pl plugin output.

Questions and Answers

1. What is the image hash? Does the acquisition and verification hash match?

All the parts concatenated together result in one image with hashes

MD5 (SCHARDT.img) = aee4fcd9301c03b3b054623ca261959a

2. What operating system was used on the computer?

By visual inspection of the file system it appears to be Windows XP, but what version? RegRipper helps out here:

$ ./rip.pl -r /Volumes/Untitled/WINDOWS/system32/config/software -p winver
  Launching winver v.20081210
  ProductName = Microsoft Windows XP
  InstallDate = Thu Aug 19 22:48:27 2004

3. When was the install date?

Searching the report generated by the run.rip.sh script for keyword "install" or if you knew from experience that this can be found in the plugin winnt_cv then you would find the install date:

InstallDate = Thu Aug 19 22:48:27 2004

In EDT that would be Thu Aug 19 17:48:27 2004

4. What is the timezone settings?

$ ./rip.pl -r /Volumes/Untitled/WINDOWS/system32/config/system -p timezone
   Launching timezone v.20080324
   TimeZoneInformation key
   ControlSet001\Control\TimeZoneInformation
   LastWrite Time Thu Aug 19 17:20:02 2004 (UTC)
     DaylightName   -> Central Daylight Time
     StandardName   -> Central Standard Time
     Bias           -> 300 (6 hours)
     ActiveTimeBias -> 360 (5 hours)

5. Who is the registered owner?

The registry keys are:

HKLM\Software\Microsoft\WindowsNT\CurrentVersion\RegisteredOrganization
HKLM\Software\Microsoft\WindowsNT\CurrentVersion\RegisteredOwner

The output from winnt_cv shows that a name "Greg Schardt" is registered as the owner

6. What is the computer account name?

Output from plugin compname reveals this:

ComputerName = N-1A9ODN6ZXK4LQ

7. What is the primary domain name?

Note, the answer I found differs from the answer published by NIST.

DefaultDomainName = N-1A9ODN6ZXK4LQ

8. When was the last recorded computer shutdown date/time?

ShutdownTime = Fri Aug 27 15:46:33 2004 (UTC), Fri Aug 27 10:46:33 (CST)

9. How many accounts are recorded (total number)?

$ rip.pl -r evidence/registry/SAM -p samparse | grep Username
   Launching samparse v.20080415
   Username        : Administrator [500]
   Username        : Guest [501]
   Username        : HelpAssistant [1000]
   Username        : SUPPORT_388945a0 [1002]
   Username        : Mr. Evil [1003]

So that would be 5 total.

10. What is the account name of the user who mostly uses the computer?

Mr. Evil

11. Who was the last user to logon to the computer?

Path      : %SystemDrive%\Documents and Settings\Mr. Evil
SID       : S-1-5-21-2000478354-688789844-1708537768-1003
LastWrite : Fri Aug 27 15:46:23 2004 (UTC)
LoadTime  : Fri Aug 27 15:08:24 2004 (UTC)

12. A search for the name of “Greg Schardt” reveals multiple hits. One of these proves that Greg Schardt is Mr. Evil and is also the administrator of this computer. What file is it? What software program does this file relate to?

Looking at the mounted file system simply grepping for the name yields some results:

$ grep -ir "Greg Schardt" *
Program Files/Look@LAN/irunin.ini:%REGOWNER%=Greg Schardt
Program Files/Look@LAN/irunin.ini:%USERNAME%=Greg Schardt
WINDOWS/Look@LAN Setup Log.txt:Value data = Greg Schardt

Grep for "Greg Schardt" shows that the file irunin.ini matches twice and shows that the name "Greg Schardt" was entered as the Registered Owner and Username when installing the Look@LAN software

13. List the network cards used by this computer

plugin networkcards
NetworkCards
Microsoft\Windows NT\CurrentVersion\NetworkCards
 
Xircom CardBus Ethernet 100 + Modem 56 (Ethernet Interface)  [Thu Aug 19 17:07:19 2004]
Compaq WL110 Wireless LAN PC Card  [Fri Aug 27 15:31:44 2004]

14. This same file reports the IP address and MAC address of the computer. What are they?

%LANIP%=192.168.1.111 
%LANNIC%=0010a4933e09

15. An internet search for vendor name/model of NIC cards by MAC address can be used to find out which network interface was used. In the above answer, the first 3 hex characters of the MAC address report the vendor of the card. Which NIC card was used during the installation and set-up for LOOK@LAN?

http://www.wireshark.org/tools/oui-lookup.html shows that 0010a4 is registered to 00:10:A4 Xircom.

16. Find 6 installed programs that may be used for hacking.

Looking at the contents of "Program Files" provides some insight:
1. Look@LAN
2. Cain
3. Network Stumbler
4. mIRC
5. Ethereal/Wireshark
6. 123WASP

17. What is the SMTP email address for Mr. Evil?

/Volumes/Untitled 1/Program Files/Agent/Data/AGENT.INI:SMTPUserName="whoknowsme@sbcglobal.net"

18. What are the NNTP (news server) settings for Mr. Evil?

NewsServer="news.dallas.sbcglobal.net"

Found using grep:

$ grep --color=auto -ir "News.dallas.sbcglobal.net" *
  
Binary file Documents and Settings/Mr. Evil/Local Settings/Application Data/Identities/{EF086998-1115-4ECD-9B13-9ADC067B4929}/Microsoft/Outlook Express/Folders.dbx matches
   Program Files/Agent/Data/AGENT.INI:NewsServer="news.dallas.sbcglobal.net"

19. What two installed programs show this information?

Forte Agent 1.9 Release
Outlook Express

20. List 5 newsgroups that Mr. Evil has subscribed to?

In the OE data folder for Mr. Evil we find:

/Volumes/Untitled/Documents and Settings/Mr. Evil/Local Settings/Application Data/Identities/{EF086998-1115-4ECD-9B13-9ADC067B4929}/Microsoft/Outlook Express

$ ls -al *.dbx | awk '{print $NF}'
Items.dbx
Folders.dbx
Inbox.dbx
Offline.dbx
Outbox.dbx
alt.2600.cardz.dbx
alt.2600.codez.dbx
alt.2600.crackz.dbx
alt.2600.dbx
alt.2600.hackerz.dbx
alt.2600.moderated.dbx
alt.2600.phreakz.dbx
alt.2600.programz.dbx
alt.binaries.hacking.beginner.dbx
alt.binaries.hacking.computers.dbx
alt.binaries.hacking.utilities.dbx
alt.binaries.hacking.websites.dbx
alt.dss.hack.dbx
alt.hacking.dbx
alt.nl.binaries.hack.dbx
alt.stupidity.hackers.malicious.dbx
free.binaries.hackers.malicious.dbx
free.binaries.hacking.beginner.dbx
free.binaries.hacking.computers.dbx
free.binaries.hacking.talentless.troll-haven.dbx
free.binaries.hacking.talentless.troll_haven.dbx
free.binaries.hacking.utilities.dbx
free.binaries.hacking.websites.dbx

Gives us a concise list of dbx files, obviously Items, Folders, Inbox, Offline, and Outbox are not valid News Group files. The remaining *.dbx files are plainly recognizable as News groups.

21. A popular IRC (Internet Relay Chat) program called MIRC was installed. What are the user settings that was shown when the user was online and in a chat channel?

mirc.ini section labeled [mirc] shows the following descriptive information that is created when mIRC is installed (line numbers added for reference):

166 [mirc]
167 user=Mini Me
168 email=none@of.ya
169 nick=Mr
170 anick=mrevilrulez
171 host=Undernet: US, CA, LosAngelesSERVER:losangeles.ca.us.undernet.org:6660GROUP:Undernet

22. This IRC program has the capability to log chat sessions. List 3 IRC channels that the user of this computer accessed.

IRC chat logs are stored under directory 'logs' by default, the log files found on this image are:

#Chataholics.UnderNet.log
#CyberCafe.UnderNet.log
#Elite.Hackers.UnderNet.log
#ISO-WAREZ.EFnet.log
#LuxShell.UnderNet.log
#evilfork.EFnet.log
#funny.UnderNet.log
#houston.UnderNet.log
#mp3xserv.UnderNet.log
#thedarktower.AfterNET.log
#ushells.UnderNet.log
m5tar.UnderNet.log

23. Ethereal, a popular “sniffing” program that can be used to intercept wired and wireless internet packets was also found to be installed. When TCP packets are collected and re-assembled, the default save directory is that users \My Documents directory. What is the name of the file that contains the intercepted data?

Location: /Volumes/Untitled 1/Documents and Settings/Mr. Evil
File: interception: tcpdump capture file (little-endian) - version 2.4 (Ethernet, capture length 65535)

24. Viewing the file in a text format reveals much information about who and what was intercepted. What type of wireless computer was the victim (person who had his internet surfing recorded) using?

From the command line tshark shows the following:

$ tshark -R http.user_agent -Tfields -e http.user_agent -r evidence/interception

Mozilla/4.0 (compatible; MSIE 4.01; Windows CE; PPC; 240x320)
...(truncated list)...

Viewing the HTTP headers in Wireshark shows the version number of Pocket PC:

UA-OS: Windows CE (Pocket PC) - Version 4.20

25. What websites was the victim accessing?

The following produces a sorted/unique list of sites visited in the pcap:

$ tshark -R http.host -Tfields -e http.host -r interception | sort -u

login.passport.com
login.passport.net
mobile.msn.com
www.passportimages.com

26. Search for the main users web based email address. What is it? The following reads the pcap and pipes the ASCII output to egrep looking for a pattern matching an email address:

$ tcpdump -r evidence/interception -A | egrep --color=auto "\w+([._-]\w)*@\w+([._-]\w)*\.\w{2,4}"

findme69@hotmail.com

However this turns out to be the incorrect answer when compared to the official solutions... searching the file system in a similar manner yields the correct answer:

$ egrep -rohI "\w+([._-]\w)*@\w+([._-]\w)*\.\w{2,4}" * >>  email.found.txt

wc -l email.found.txt
  81 email.found.txt

Create a distinct/sorted list of email addresses list.txt

$ cat email.found.txt | sort -u >> list.txt

Loop through the distinct list of email addresses and count the matches in the email.found.txt file. The resulting contains a line with the email address and the number of times it was found in the email.found.txt file.

$ for i in `cat list.txt`; do echo -n $i: >> email.counts.txt;  grep -ic $i email.found.txt >> email.counts.txt; done

Sort the email.counts.txt file in reverse order, by general numeric, use the ":" character to delimit fields, finally sort on the second field which is the address count. This will produce output of all the email address counts sorted in descending order.

$ cat email.counts.txt | sort -r -g -t: -k2
mrevilrulez@yahoo.com:12
info@mosnews.com:6
jim@mcmahon.cc:4
webmaster@2600.com:3
fred@wardriving.com:3
PASSCODE@HOTMAIL.COM:3
PASSADMINBOT@HOTMAIL.COM:3
HERE@HOTMAIL.COM:3
suckme@oyea.lick:2
slim532@hotmail.com:2
drudge@drudgereport.com:2
a30aac9@posting.goog:2
Rating@Mail.ru:2
DRUDGE@DRUDGEREPORT.COM:2
tmt3i0tnq18gm819ecv27r73vm6hnoddcn@4ax.com:1
teandson@aol.com:1
seabach@shaw.ca:1
president@whitehouse.gov:1
nightwolf@confine.com:1
mauddib@dune.com:1
mailbot@yahoo.com:1
logaritmo50@yahoo.com:1
logaritmo50@hotmail.com:1
jfoster3@ec.rr:1
img4i0lqhsh6n7hlqth96lfd5jd1acjrh9@4ax.com:1
hp01@mailadded.com:1
heyjude18@hotmail.com:1
hacked@2600.com:1
frisco@blackant.net:1
dqbug010mo29ufsbo4dq491vvihucqfh69@4ax.com:1
corenode01a@yahoo.remo:1
chris@splitinfinity.com:1
chillen@hoo.com:1
cathomas@msn.com:1
beatnik@mail.gr:1
T50admin@usa.net:1
LmT@marijuana.com:1
9a64i0p9vk73bpmnq4s40iq6asem5k80er@4ax.com:1
5_@_Warez.com_:1
123@123.com:1
10237466@twister.sout:1

mrevilrulez@yahoo.com appears 12 times... more than any of the other addresses found.

27. Yahoo mail, a popular web based email service, saves copies of the email under what file name?

launch[1].htm

28. How many executable files are in the recycle bin?

Dc1.exe:     PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Dc2.exe:     PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Dc3.exe:     PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Dc4.exe:     PE32 executable for MS Windows (GUI) Intel 80386 32-bit

29. Are these files really deleted?

No.

30. How many files are actually reported to be deleted by the file system?

$ ./recbin.pl /Volumes/Untitled\ 1/RECYCLER/S-1-5-21-2000478354-688789844-1708537768-1003/INFO2
   1    Wed Aug 25 16:18:25 2004     C:\Documents and Settings\Mr. Evil\Desktop\lalsetup250.exe
   2    Fri Aug 27 15:12:30 2004     C:\Documents and Settings\Mr. Evil\Desktop\netstumblerinstaller_0_4_0.exe
   3    Fri Aug 27 15:15:26 2004     C:\Documents and Settings\Mr. Evil\Desktop\WinPcap_3_01_a.exe
   4    Fri Aug 27 15:29:58 2004     C:\Documents and Settings\Mr. Evil\Desktop\ethereal-setup-0.10.6.exe

31. Perform a Anti-Virus check. Are there any viruses on the computer? I cheated and ran the mounted file system on another Windows VM running ClamAV (before I discovered http://www.clamxav.com/). Several nasty items found!

ClamAV reports:

   Scan Started Thu Oct 01 18:21:05 2009
   -------------------------------------------------------------------------------


   Y:\My Documents\COMMANDS\enum.exe: Hacktool.EnumPlus FOUND
   Y:\My Documents\COMMANDS\snitch.exe: Trojan.PSW.Snitch.11 FOUND
   Y:\My Documents\ENUMERATION\NT\enum\enum.tar.gz: Hacktool.EnumPlus FOUND
   Y:\My Documents\ENUMERATION\NT\enum\files\enum.exe: Hacktool.EnumPlus FOUND
   Y:\My Documents\ENUMERATION\NT\ntreskit.zip: W32.Nemo FOUND
   Y:\My Documents\EXPLOITATION\NT\Brutus\BrutusA2.exe: Virtool.Brutus FOUND
   Y:\My Documents\EXPLOITATION\NT\brutus.zip: Virtool.Brutus FOUND
   Y:\My Documents\EXPLOITATION\NT\Get Admin\GetAdmin.exe: Exploit.WinNT.GetAdmin.B FOUND
   Y:\My Documents\EXPLOITATION\NT\netbus\NetBus170.zip: Trojan.Netbus.KeyHook170 FOUND
   Y:\My Documents\EXPLOITATION\NT\sechole\SECHOLE.EXE: Trojan.W32.Sehole.A FOUND
   Y:\My Documents\EXPLOITATION\NT\sechole\sechole3.zip: Trojan.W32.Sehole.A FOUND
   ----------- SCAN SUMMARY -----------
   Known viruses: 625565
   Engine version: 0.95.2
   Scanned directories: 766
   Scanned files: 10879
   Infected files: 11

   Data scanned: 2240.21 MB
   Data read: 1710.52 MB (ratio 1.31:1)
   Time: 778.843 sec (12 m 58 s)
   --------------------------------------
   Completed
   --------------------------------------

Conclusion

What started out as an exercise in RegistryRipper (rip.pl) turns out to be a mixture of BASH command line foo and host/network forensics. The RegistryRipper tools and related plugins are very powerful utilities which enable the analyst to assess a registry hive on almost any platform. I hope this tutorial/how-to has been of some use... please feel free to contact me with any corrections or suggestions.