EnScript - Registry - EnCase 7

11 Posts
4 Users
0 Reactions
3,586 Views
(@kwilley)
Active Member
Joined: 14 years ago
Posts: 7
Topic starter  

Hi All,

I am really rather new to this whole EnScript work and have been looking to move from EnCase v6 to v7. Using the EnScript SDK that was provided I have been able to create a script that reads data values from select files - using UserAssist keys for this.

Now I have moved on to using the SDK example for reading from the registry directly and am having issues: running this against an open evidence case I get the error "Cannot open registry", both when the item has not been selected and when it has.

I have also tried changing the registry class to read from HKEY HIVES instead and then get an error reading the key. I am simply looking for a way to get this code functioning for a Windows 7 image.

class MainClass {

    // Reads a key from the registry of entry e and bookmarks whatever comes back.
    void RunRegistry(CaseClass c, EntryClass e) {
        RegistryClass reg(e);
        RegCommandClass cmds();                 // root node holding the read commands
        new RegCommandClass(cmds, "Command Two", RegCommandClass::READKEY,
                            RegCommandClass::HKEY_CURRENT_USER, "", "", 0, 2);
        RegValueClass values();                 // receives the key/value tree
        if (reg.Run(cmds, values)) {
            BookmarkClass folder(c.BookmarkRoot(), "Reg", NodeClass::FOLDER);
            BookmarkDataClass newData(folder);
            newData.SetRoot(values);
        }
    }

    void Main(CaseClass c) {
        if (c) {
            // Find the entry named "C" (the volume) and run against it.
            for (ItemIteratorClass iter(c); EntryClass e = iter.GetNextEntry();) {
                if (e.Name() == "C") {
                    Console.WriteLine("Registry On " + e.Name());
                    RunRegistry(c, e);
                    break;
                }
            }
        }
        else
            Console.WriteLine("Need An Open Case");
    }
}

I am really rather stumped on how this is supposed to work, and an explanation as to how to alter it would be ideal.

Kindest Regards,
K-


   
Chris_Ed
(@chris_ed)
Reputable Member
Joined: 16 years ago
Posts: 314
 

Just a quick question, which might be obvious; are there definitely registry hives on the volume labelled "C"? Because that is what your script is assuming.

Also, in its current state it doesn't check whether the hive is selected or not - in fact is .IsSelected() even an option in EnCase 7? I thought they preferred tags or something.


   
(@kwilley)
Active Member
Joined: 14 years ago
Posts: 7
Topic starter  

The evidence file I am using for testing is a standard build of Windows 7, with the operating system drive flagged as C.

What I used previously to detect if a file was selected for EnCase 7 is

    ItemIteratorClass i(c, 0, ItemIteratorClass::CURRENTVIEW_SELECTED);

which works provided I have the file selected and it is in the on-screen view when running the script.


   
(@lance)
Active Member
Joined: 20 years ago
Posts: 9
 

K-

I have never seen the RegClass used this way on a 'static' evidence file. The common use of that class is against a 'live' remote node, not an evidence file.

You can certainly mount the registry hives with the entry.MountVolume() method and query whatever values you want, but I don't think you can use that class against an image file in the way you are trying.

Lance


   
 WMIF
(@wmif)
Active Member
Joined: 14 years ago
Posts: 7
 

Hi Kwilley,
First comment: doing a direct comparison with string data has been problematic in some cases for me in the past. There is a better method which does a text-based comparison instead. It also allows for case sensitive or not.

    if (e.Name() == "C") {

use this instead

    if (e.Name().Compare("C") == 0) {

Next comment: I am not sure if this is intended or not, but I have not been able to get that HKEY_CURRENT_USER mode to work on a static evidence file. I suspect that it is because there really is no "current" user on a dead box. Here is what I use to target user registry on a dead box, and this also works on a live box should you want to move in that direction. I use HKEY_HIVE mode and pass in the ntuser.dat file directly. It is a little bit more work, but it also gives you more control over which user your parser will target.


class MainClass {

    // Reads a key directly from the hive file e (HKEY_HIVE mode) and bookmarks the result.
    void RunRegistry(CaseClass c, EntryClass e) {
        RegistryClass reg(e);
        RegCommandClass cmds();                 // root node holding the read commands
        new RegCommandClass(cmds, "Command Two", RegCommandClass::READKEY,
                            RegCommandClass::HKEY_HIVE, "", "", 0, 2);
        RegValueClass values();                 // receives the key/value tree
        if (reg.Run(cmds, values)) {
            BookmarkClass folder(c.BookmarkRoot(), "Reg", NodeClass::FOLDER);
            BookmarkDataClass newData(folder);
            newData.SetRoot(values);
        }
    }

    void Main(CaseClass c) {
        if (c) {
            // Find the first ntuser.dat in the case and hand the hive file itself to RunRegistry.
            for (ItemIteratorClass iter(c); EntryClass e = iter.GetNextEntry();) {
                if (e.Name().Compare("ntuser.dat") == 0) {
                    Console.WriteLine("Registry On " + e.ItemPath());
                    RunRegistry(c, e);
                    break;
                }
            }
        }
        else
            Console.WriteLine("Need An Open Case");
    }
}

If you wanted to target only a single user, you could modify the if statement like this

if (e.Name().Compare("ntuser.dat") == 0 && e.Parent().Name().Compare("user123") == 0) {

Also, since you are not looking inside of compound files to find these registry hives, and you are not working with hashing or signatures of individual files, there are a couple of options you can supply to the ItemIteratorClass to speed up the process a bit.

    for (ItemIteratorClass iter(c, ItemIteratorClass::NORECURSE | ItemIteratorClass::NOPROXY); EntryClass e = iter.GetNextEntry();) {

NORECURSE will tell the iterator to *not* hand you files from inside of already mounted compound files. You are looking for a file (which happens to be a compound file) directly in the volume, and then work with it through the RegistryClass interface. You do not need to do anything with it as a compound file.
NOPROXY is an interface that we get by default from the ItemIteratorClass which will proxy certain properties (hashes, signature, entropy). If the case has not already calculated any of these properties, this proxy will determine that they need to be calculated and do it for you before passing the value back through the iterator. The value is also then saved in the case.

James


   
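Pulling James's points together (HKEY_HIVE on the ntuser.dat entry, Compare instead of ==, NORECURSE|NOPROXY) with the CURRENTVIEW_SELECTED mode from Kwilley's reply, as an added example that is not code from this thread or from the EnScript SDK sample: it reads the UserAssist key Kwilley mentioned from every blue-checked ntuser.dat and bookmarks each hive under a folder named for its profile directory. ReadUserKey, the true second argument to Compare (taken to mean case-insensitive) and String::FormatInt are assumptions, not things shown in the thread.

```enscript
class MainClass {

  // Hypothetical helper (not from the SDK sample): read one key from a single
  // ntuser.dat hive in HKEY_HIVE mode and bookmark the result under a folder
  // named after the profile directory that holds the hive.
  bool ReadUserKey(CaseClass c, EntryClass e, const String &keyPath) {
    RegistryClass reg(e);                       // e is the hive file, not a volume
    RegCommandClass cmds();                     // root node holding the read commands
    new RegCommandClass(cmds, "UserAssist", RegCommandClass::READKEY,
                        RegCommandClass::HKEY_HIVE, keyPath, "", 0, 2);
    RegValueClass values();
    if (!reg.Run(cmds, values))
      return false;                             // hive unreadable or key not present

    String profile = "unknown";
    if (e.Parent())
      profile = e.Parent().Name();              // e.g. the user's profile folder
    BookmarkClass folder(c.BookmarkRoot(), "UserAssist - " + profile, NodeClass::FOLDER);
    BookmarkDataClass newData(folder);
    newData.SetRoot(values);

    // Count leaf values returned below the key (forall walks the whole subtree).
    uint count = 0;
    forall (RegValueClass v in values)
      if (!v.IsFolder())
        count++;
    // String::FormatInt is assumed here for the int-to-string conversion.
    Console.WriteLine(profile + ": " + String::FormatInt(count) + " value(s) under " + keyPath);
    return true;
  }

  void Main(CaseClass c) {
    if (!c) {
      Console.WriteLine("Need An Open Case");
      return;
    }
    String keyPath = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist";
    uint hives = 0;
    // Blue-checked entries only; skip compound-file contents and the hash/signature proxy.
    for (ItemIteratorClass iter(c,
           ItemIteratorClass::NORECURSE | ItemIteratorClass::NOPROXY,
           ItemIteratorClass::CURRENTVIEW_SELECTED);
         EntryClass e = iter.GetNextEntry();)
    {
      // Second argument true is assumed to request a case-insensitive compare,
      // so NTUSER.DAT and ntuser.dat both match.
      if (e.Name().Compare("ntuser.dat", true) == 0 && ReadUserKey(c, e, keyPath))
        hives++;
    }
    Console.WriteLine("Parsed " + String::FormatInt(hives) + " user hive(s)");
  }
}
```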
 WMIF
(@wmif)
Active Member
Joined: 14 years ago
Posts: 7
 

Also, in its current state it doesn't check whether the hive is selected or not - in fact is .IsSelected() even an option in EnCase 7? I thought they preferred tags or something.

Hi Chris_Ed,
Good eye on catching that, but as Kwilley explained it is handled by the ItemIteratorClass object now in EnCase v7. The IsSelected property is still a valid property in v7, but confusingly it doesn't give you a true value even when you use the mentioned CURRENTVIEW_SELECTED mode of the iterator. When using that mode, you do not have to check whether an item was selected or not, since the iterator will only return items that match the mode that was selected.

This also helped to fix a problem in v6 that existed when operating against selected files. Those blue checks were very volatile, so if you started an EnScript with a lengthy process but then unchecked those files, your EnScript would suddenly finish instantly because there were no more blue checked files in your case. This isn't an issue in v7.

The IsSelected property is actually implemented in NodeClass which is inherited by pretty much every other class in the EnScript API. It is there for a lot of operations outside of the iterator. For instance, when you do a raw keyword search, you are allowed to hold many keywords in that window, but only the blue checked keywords will be used during that current search.

James


   
 WMIF
(@wmif)
Active Member
Joined: 14 years ago
Posts: 7
 

K-

I have never seen the RegClass used this way on a 'static' evidence file. The common use of that class is against a 'live' remote node, not an evidence file.

You can certainly mount the registry hives with the entry.MountVolume() method and query whatever values you want, but I don't think you can use that class against an image file in the way you are trying.

Lance

Hi Lance,
This is actually one of the beauties of the RegistryClass interface. It abstracts a live machine from a dead machine. It also abstracts a Windows XP with a "$$$Proto.hiv" root object from a Windows Vista and on with a "CMI-CreateHive{12345…}" root object. If you manually mount these registry files, you have to know how to handle all of this in your code.

The other benefit of using RegistryClass over direct mounting is that direct mounting takes a long time. It causes EnCase to parse every record of every sub-key and every value below all of those. With the RegistryClass interface, EnCase is able to parse a couple root objects to find its way into the specific sub-keys that you have described in the RegCommandClass instructions. It doesn't need to parse the entire file to find its way to a handful of keys. The process is tons quicker.

Now, RegistryClass may not be the answer to all registry key parsing, but it works for the majority of the tasks. Most specifically, deleted items will not be presented through RegistryClass.

James


   
Chris_Ed
(@chris_ed)
Reputable Member
Joined: 16 years ago
Posts: 314
 

James,

Super helpful posts, as always. Thank you! )


   
(@kwilley)
Active Member
Joined: 14 years ago
Posts: 7
Topic starter  


Hi James,

I just wanted to say thank you ever so much for the in-depth post you made about this script; it really did help me overcome the problems I was having. It's been a weird transition into EnScript v7 and I really valued the guidance.

Thanks
Kieran


   
Chris_Ed
(@chris_ed)
Reputable Member
Joined: 16 years ago
Posts: 314
 

..I really valued the guidance.

I see what you did there.


   
Page 1 / 2