Friday, November 30, 2007

Registery Repository Project....

Well now that I am back from Holiday and waded through all the e-mails and voice mails I can finally try and get something out here.

For anyone who has not followed the comments on Harlans blog for Pimp my Registry I have volunteered to create a database for a registry repository. I have created an initial ERD diagram and was wondering if all you readers out there would take a look at it and see if there is any information that I have missed. I tried to keep the names informative so that is why they seem long. The pdf can be found here. A description of the fields can be found here

The group_app table will define what type of investigation you may want to do, ie: CP, Fraud, IR, etc.. The category_table will define the type of categories the apps are, ie: P2P, Internet, Security, ETC.. I also tried to think ahead and added the tables to be used for Parameter files (INI and config files) and any notable files that might be used within an application. I have also added a user table because I think it is important that who ever submits entries to be added should be able to be contacted to ask questions about them. This will also provide some ownership to the data as well.

I have also thought of a few other things to add but I would like the public's opinion. Do the following fields add value to the Registry_Info table?

Key_created_on_Install - was the key created on installation of the app or created later

Format of data - Unicode, ROT13, etc..


Are there any other additions anyone thinks should be added?

The main goal of this project will be to collect this information into 1 source and then from that source export the information into usable files (parameter files, xml, html, csv, etc..) that can be used with other programs as well as the programs that I have written to read/parse the registry into a database and report on it.

Hopefully this will all makes sense to you.

As always Questions/Comments/Thoughts/Modifications?

Friday, November 2, 2007

Vista Recycle Bin Names in X-ways.....

For all you X-Ways forensics users out there here is a script/executable that you can define to x-ways that will copy to the clipboard the actual name of the $R file based on the $I file. You can then add the file name to the comments section in the directory browser.

To use in define the file to x-ways as in callable executable program. In the Recycle.Bin directory right click on the $I file and call the executable program and it will copy the actual file name to the clipboard for you so you can just paste it in your directory browser.

Questions/Comments/Suggestions/Improvements????

Dumpster Diving with Ovie.....

On the Oct 15 Cyberspeak Podcast Ovie Carroll talked about Vista Recycle bin forensics. Based on Ovie's chat I have created a program that will read the $I files and create a simple report. The report consists of the $I file name, the actual filename with directory, the date/time the file was deleted and the file size. I have also added the functionality to copy the $R (actual data file that was deleted) to the actual name into a directory specified by you.

So what does the prorgam do? Once you fire up the gui you need to provide a filename for the database that is created that will store the data that is read. Provide a direcotry where the $I files are, if you want to copy the $R files to there original names then they need to be in the same directory. Optionally you need to provide an output directory where you want to write out the deleted files to with there actual names. Once that is done then press the buttons and watch it go to work. When you are ready to run the report you can either sort the data in ascending or descending order based on the deletion date and show the report in either excel or your favorite web browser.

If you want to see the gory details the code is provided. As always this script can be run on OS's other then Windows (the report piece will have to be modified some).

The programs can be found here. As always Questions/Comments/Improvements let me know.