My two cents:
People create tools with their knowledge; tools don't create people.
If you don't know what you are looking for, tools won't do the job for you.
Forensic investigation is a science, but the difference between a "good" investigator and a tool is the human factors (deduction, research, imagination, etc.). We have to find the right balance…
Wow, that's deep, dd85! On a practical level, understanding the workings of a tool is vital for the investigator; however, caseload dictates that my time to test new tools is limited.
Have I ever 'really' sat down and tested EnCase? No. I've verified findings sometimes in other tools, but I've never had the time and inclination to get under the hood of such a complex tool. However, Helix, for example, I have spent quite a bit of time testing to see what it does and how it does it, what reg keys are changed when using the Windows part, etc.
I would dearly love to rigorously test all the tools I use, but I would never complete my cases, and that's what pays the bills.
Nick
I've never had the time and inclination to get under the hood of such a complex tool.
I agree with your point about thoroughly testing and validating tools. However, I think the ‘under the hood knowledge’ in this case refers to having a detailed knowledge of the underlying file system, operating system etc, for the purposes of discovering what the tool does not, rather than does do.
When I was referring to "under the hood" knowledge, I was referring to knowing how things are done… for example, when you click on a button or choose a function in EnCase (or any other tool), do you know what it does? How is file signature analysis performed? What are the differences between EnCase's proprietary evidence file format and dd?
These are all rhetorical questions, but this is what I'm referring to. I'm also referring to things that fatrabbit pointed out…sure you can find a Registry entry, but do you know what caused it to be created or modified? What is the significance of the Last Write time, and how does that entry relate to other artifacts located in the Registry, file system, etc?
nickfx, you said that you looked at Helix to see "what reg keys are changed when using the Windows part etc."… what did you find?
H. Carvey
"Windows Forensics and Incident Recovery"
http://windowsir.blogspot.com
Hi Harlan
You asked me to post my findings on changes made when Helix is booted into the Windows side.
Following is the raw data, which details the changes to the system when the Helix Windows side boots into the welcome screen, 'I agree' is selected, and when the main menu appears Helix is closed via the 'file-exit' command. (Helix 1.7 used)
(No other programs are running except the core system drivers, e.g. no firewall, anti-virus etc)
I've been planning to work on this core data to publish the results with explanatory notes to the community.
When different functions/programs within Helix are used, more reg keys are changed/added etc., but that is a lot more work which I haven't had time to get around to.
Sorry it's such a long list!
Keys added: 14
————–
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{6BDD1FC6-810F-11D0-BEC7-08002BE2092F}\
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{6BDD1FC6-810F-11D0-BEC7-08002BE2092F}\
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{7EBEFBC0-3200-11D2-B4C2-00A0C9697D07}\
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{C06FF265-AE09-48F0-812C-16753D7CBA83}\
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\DeviceClasses\{6994ad05-93ef-11d0-a3cc-00a0c9223196}\#{2f412ab5-ed3a-4590-ab24-b0ce2aa77d3c}&{9B365890-165F-11D0-A195-0020AFD156E4}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\DeviceClasses\{6994ad05-93ef-11d0-a3cc-00a0c9223196}\#{2f412ab5-ed3a-4590-ab24-b0ce2aa77d3c}&{9B365890-165F-11D0-A195-0020AFD156E4}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\DeviceClasses\{a5dcbf10-6530-11d2-901f-00c04fb951ed}\##?#Root#SYSTEM#0000#{9ea331fa-b91b-45f8-9285-bd2bc77afcde}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\DeviceClasses\{fb6c428a-0353-11d1-905f-0000c0cc16ba}\##?#USB#ROOT_HUB#4&467fdfe&1#{f18a0e88-c30c-11d0-8815-00a0c906beP
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\MediaResources\msvideo\
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\MediaResources\msvideo\
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\StillImage\Events\STIProxyEvent\
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\StillImage\Events\STIProxyEvent\
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\STORAGE\v_YA
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\HTTP\Parameters\S
Keys deleted: 28
—————-
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{6BDD1FC6-810F-11D0-BEC7-08002BE2092F}\I
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{6BDD1FC6-810F-11D0-BEC7-08002BE2092F}\I
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{7EBEFBC0-3200-11D2-B4C2-00A0C9697D07}\v
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{C06FF265-AE09-48F0-812C-16753D7CBA83}\c
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\DeviceClasses\{6994ad05-93ef-11d0-a3cc-00a0c9223196}\\
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\DeviceClasses\{6994ad05-93ef-11d0-a3cc-00a0c9223196}\\\##?#USB#Vid_0573&Pid_4d22#5&39e0bbf6&0&1#{6994ad05-93ef-11d0-a3cc-00a0c9223196}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\DeviceClasses\{6994ad05-93ef-11d0-a3cc-00a0c9223196}\\\##?#USB#Vid_0573&Pid_4d22#5&39e0bbf6&0&1#{6994ad05-93ef-11d0-a3cc-00a0c9223196}\#GLOBAL
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\DeviceClasses\{6994ad05-93ef-11d0-a3cc-00a0c9223196}\\\##?#USB#Vid_0573&Pid_4d22#5&39e0bbf6&0&1#{6994ad05-93ef-11d0-a3cc-00a0c9223196}\#GLOBAL\Device Parameters
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\DeviceClasses\{6994ad05-93ef-11d0-a3cc-00a0c9223196}\\\##?#USB#Vid_0573&Pid_4d22#5&39e0bbf6&0&1#{6994ad05-93ef-11d0-a3cc-00a0c9223196}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\DeviceClasses\{6994ad05-93ef-11d0-a3cc-00a0c9223196}\\\##?#USB#Vid_0573&Pid_4d22#5&39e0bbf6&0&1#{6994ad05-93ef-11d0-a3cc-00a0c9223196}\#GLOBAL
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\DeviceClasses\{6994ad05-93ef-11d0-a3cc-00a0c9223196}\\\##?#USB#Vid_0573&Pid_4d22#5&39e0bbf6&0&1#{6994ad05-93ef-11d0-a3cc-00a0c9223196}\#GLOBAL\Device Parameters
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\DeviceClasses\{6994ad05-93ef-11d0-a3cc-00a0c9223196}\\\##?#USB#Vid_0573&Pid_4d22#5&39e0bbf6&0&1#{6994ad05-93ef-11d0-a3cc-00a0c9223196}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\DeviceClasses\{6994ad05-93ef-11d0-a3cc-00a0c9223196}\\\##?#USB#Vid_0573&Pid_4d22#5&39e0bbf6&0&1#{6994ad05-93ef-11d0-a3cc-00a0c9223196}\#GLOBAL
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\DeviceClasses\{6994ad05-93ef-11d0-a3cc-00a0c9223196}\\\##?#USB#Vid_0573&Pid_4d22#5&39e0bbf6&0&1#{6994ad05-93ef-11d0-a3cc-00a0c9223196}\#GLOBAL\Device Parameters
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\DeviceClasses\{6994ad05-93ef-11d0-a3cc-00a0c9223196}\\
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\DeviceClasses\{6994ad05-93ef-11d0-a3cc-00a0c9223196}\\\##?#USB#Vid_0573&Pid_4d22#5&39e0bbf6&0&1#{6994ad05-93ef-11d0-a3cc-00a0c9223196}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\DeviceClasses\{6994ad05-93ef-11d0-a3cc-00a0c9223196}\\\##?#USB#Vid_0573&Pid_4d22#5&39e0bbf6&0&1#{6994ad05-93ef-11d0-a3cc-00a0c9223196}\#GLOBAL
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\DeviceClasses\{6994ad05-93ef-11d0-a3cc-00a0c9223196}\\\##?#USB#Vid_0573&Pid_4d22#5&39e0bbf6&0&1#{6994ad05-93ef-11d0-a3cc-00a0c9223196}\#GLOBAL\Device Parameters
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\DeviceClasses\{6994ad05-93ef-11d0-a3cc-00a0c9223196}\\\Vid_0573&Pid_4d22#5&39e0bbf6&0&1#{6994ad05-93ef-11d0-a3cc-00a0c9223196}\GLOBAL
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\DeviceClasses\{6994ad05-93ef-11d0-a3cc-00a0c9223196}\\\Vid_0573&Pid_4d22#5&39e0bbf6&0&1#{6994ad05-93ef-11d0-a3cc-00a0c9223196}\GLOBAL
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\DeviceClasses\{a5dcbf10-6530-11d2-901f-00c04fb951ed}\-
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\DeviceClasses\{fb6c428a-0353-11d1-905f-0000c0cc16ba}\#
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\MediaResources\msvideo\D
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\MediaResources\msvideo\D
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\StillImage\Events\STIProxyEvent\N
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\StillImage\Events\STIProxyEvent\N
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\STORAGE\M
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\HTTP\Parameters\e
Values deleted: 12
——————
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\DeviceClasses\{6994ad05-93ef-11d0-a3cc-00a0c9223196}\\\##?#USB#Vid_0573&Pid_4d22#5&39e0bbf6&0&1#{6994ad05-93ef-11d0-a3cc-00a0c9223196} "DeviceInstance"
Type REG_SZ
Data USB\Vid_0573&Pid_4d22\5&39e0bbf6&0&1
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\DeviceClasses\{6994ad05-93ef-11d0-a3cc-00a0c9223196}\\\##?#USB#Vid_0573&Pid_4d22#5&39e0bbf6&0&1#{6994ad05-93ef-11d0-a3cc-00a0c9223196}\#GLOBAL "SymbolicLink"
Type REG_SZ
Data \\?\USB#Vid_0573&Pid_4d22#5&39e0bbf6&0&1#{6994ad05-93ef-11d0-a3cc-00a0c9223196}\GLOBAL
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\DeviceClasses\{6994ad05-93ef-11d0-a3cc-00a0c9223196}\\\##?#USB#Vid_0573&Pid_4d22#5&39e0bbf6&0&1#{6994ad05-93ef-11d0-a3cc-00a0c9223196}\#GLOBAL\Device Parameters "FriendlyName"
Type REG_SZ
Data Hauppauge WinTV USB Pro (PAL I) t ????????????t ??????t ????????????t ????????t ????????????????@ ??? ????? ?
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\DeviceClasses\{6994ad05-93ef-11d0-a3cc-00a0c9223196}\\\##?#USB#Vid_0573&Pid_4d22#5&39e0bbf6&0&1#{6994ad05-93ef-11d0-a3cc-00a0c9223196} "DeviceInstance"
Type REG_SZ
Data USB\Vid_0573&Pid_4d22\5&39e0bbf6&0&1
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\DeviceClasses\{6994ad05-93ef-11d0-a3cc-00a0c9223196}\\\##?#USB#Vid_0573&Pid_4d22#5&39e0bbf6&0&1#{6994ad05-93ef-11d0-a3cc-00a0c9223196}\#GLOBAL "SymbolicLink"
Type REG_SZ
Data \\?\USB#Vid_0573&Pid_4d22#5&39e0bbf6&0&1#{6994ad05-93ef-11d0-a3cc-00a0c9223196}\GLOBAL
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\DeviceClasses\{6994ad05-93ef-11d0-a3cc-00a0c9223196}\\\##?#USB#Vid_0573&Pid_4d22#5&39e0bbf6&0&1#{6994ad05-93ef-11d0-a3cc-00a0c9223196}\#GLOBAL\Device Parameters "FriendlyName"
Type REG_SZ
Data Hauppauge WinTV USB Pro (PAL I) t ????????????t ??????t ????????????t ????????t ????????????????@ ??? ????? ?
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\DeviceClasses\{6994ad05-93ef-11d0-a3cc-00a0c9223196}\\\##?#USB#Vid_0573&Pid_4d22#5&39e0bbf6&0&1#{6994ad05-93ef-11d0-a3cc-00a0c9223196} "DeviceInstance"
Type REG_SZ
Data USB\Vid_0573&Pid_4d22\5&39e0bbf6&0&1
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\DeviceClasses\{6994ad05-93ef-11d0-a3cc-00a0c9223196}\\\##?#USB#Vid_0573&Pid_4d22#5&39e0bbf6&0&1#{6994ad05-93ef-11d0-a3cc-00a0c9223196}\#GLOBAL "SymbolicLink"
Type REG_SZ
Data \\?\USB#Vid_0573&Pid_4d22#5&39e0bbf6&0&1#{6994ad05-93ef-11d0-a3cc-00a0c9223196}\GLOBAL
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\DeviceClasses\{6994ad05-93ef-11d0-a3cc-00a0c9223196}\\\##?#USB#Vid_0573&Pid_4d22#5&39e0bbf6&0&1#{6994ad05-93ef-11d0-a3cc-00a0c9223196}\#GLOBAL\Device Parameters "FriendlyName"
Type REG_SZ
Data Hauppauge WinTV USB Pro (PAL I) t ????????????t ??????t ????????????t ????????t ????????????????@ ??? ????? ?
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\DeviceClasses\{6994ad05-93ef-11d0-a3cc-00a0c9223196}\\\##?#USB#Vid_0573&Pid_4d22#5&39e0bbf6&0&1#{6994ad05-93ef-11d0-a3cc-00a0c9223196} "DeviceInstance"
Type REG_SZ
Data USB\Vid_0573&Pid_4d22\5&39e0bbf6&0&1
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\DeviceClasses\{6994ad05-93ef-11d0-a3cc-00a0c9223196}\\\##?#USB#Vid_0573&Pid_4d22#5&39e0bbf6&0&1#{6994ad05-93ef-11d0-a3cc-00a0c9223196}\#GLOBAL "SymbolicLink"
Type REG_SZ
Data \\?\USB#Vid_0573&Pid_4d22#5&39e0bbf6&0&1#{6994ad05-93ef-11d0-a3cc-00a0c9223196}\GLOBAL
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\DeviceClasses\{6994ad05-93ef-11d0-a3cc-00a0c9223196}\\\##?#USB#Vid_0573&Pid_4d22#5&39e0bbf6&0&1#{6994ad05-93ef-11d0-a3cc-00a0c9223196}\#GLOBAL\Device Parameters "FriendlyName"
Type REG_SZ
Data Hauppauge WinTV USB Pro (PAL I) t ????????????t ??????t ????????????t ????????t ????????????????@ ??? ????? ?
Values changed: 1
—————–
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\RNG "Seed"
Old type REG_BINARY
New type REG_BINARY
Old data 54, 8F, 94, CE, 1E, 15, E0, EE, 2B, BC, DB, 1D, 05, F1, 1A, E2, B2, DD, B2, D3, 35, 66, 43, 9B, 01, C9, 4D, 0D, 6B, F8, 8B, 2E, 11, 14, 28, 6A, 7B, C5, 14, 93, 29, 3B, 51, 1A, 64, 95, B2, 02, 26, FA, 58, 9B, 9E, 3C, 3D, 46, F2, 41, 9F, 11, 17, 56, B3, D8, 56, 83, AC, 10, 58, 90, FE, 7C, 25, F7, 62, 86, 8C, 92, 78, 53
New data 81, 93, EF, AA, 07, BE, B6, 12, 4D, A0, 11, DA, DD, F8, E1, 1D, 91, 98, 70, B3, E0, 47, 8E, D4, F6, 8C, 8B, 5C, 86, 3A, 74, F6, 81, 86, D8, A0, 13, 09, 71, 7F, 4B, 50, 81, 3A, 78, 12, F6, F8, 3F, EC, CE, C3, C6, 44, D8, B8, 16, B0, 64, 0B, 75, 82, 32, 00, 90, 82, AE, 64, 2F, F7, 5E, ED, 5F, B9, 6C, BD, 62, 91, 48, 1D
Files changed: 8
—————-
c:\WINDOWS\Prefetch\HELIX.EXE-2AC0706C.pf
Old date 1/23/2006 9:23 PM
New date 1/23/2006 9:27 PM
Old size 65,744 bytes
New size 65,816 bytes
c:\WINDOWS\system32\config\software.LOG
Old date 1/23/2006 9:23 PM
New date 1/23/2006 9:27 PM
Old size 1,024 bytes
New size 1,024 bytes
c:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR
Old date 1/23/2006 9:26 PM
New date 1/23/2006 9:27 PM
Old size 1,392,640 bytes
New size 1,392,640 bytes
c:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP
Old date 1/23/2006 9:26 PM
New date 1/23/2006 9:27 PM
Old size 728 bytes
New size 728 bytes
c:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER
Old date 1/23/2006 9:26 PM
New date 1/23/2006 9:27 PM
Old size 4 bytes
New size 4 bytes
c:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP
Old date 1/23/2006 9:25 PM
New date 1/23/2006 9:27 PM
Old size 3,568 bytes
New size 3,568 bytes
c:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA
Old date 1/23/2006 9:26 PM
New date 1/23/2006 9:27 PM
Old size 5,718,016 bytes
New size 5,718,016 bytes
c:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP
Old date 1/23/2006 9:26 PM
New date 1/23/2006 9:27 PM
Old size 2,840 bytes
New size 2,840 bytes
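The before/after comparison behind the list above, written out as an added Python example (not Nick's tool, nor anything from the Helix project): two snapshots of registry values and file metadata are diffed into the same sections the post uses (keys added, keys deleted, values deleted, values changed, files changed). The snapshots are constructed from a few of the entries above with shortened paths and data. The `noise_values` parameter is my own addition: a set of value names that change with ordinary system activity, which a clean-baseline run (no tool at all) would identify, so the tool's own footprint can be separated from system churn. Treating the CryptoAPI RNG seed as such noise is an assumption for this example.

```python
"""Differential snapshot diff: compare registry values and file metadata
captured before and after running a tool, and report changes by category.
Added example; the snapshot data below is constructed, not real capture output."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Tuple

# Registry snapshot: key path -> {value name: (type, data)}.
# An empty inner dict means the key exists but holds no values.
RegSnapshot = Dict[str, Dict[str, Tuple[str, str]]]
# File snapshot: path -> (last-modified timestamp, size in bytes).
FileSnapshot = Dict[str, Tuple[str, int]]


@dataclass
class DiffReport:
    keys_added: List[str] = field(default_factory=list)
    keys_deleted: List[str] = field(default_factory=list)
    values_added: List[str] = field(default_factory=list)
    values_deleted: List[str] = field(default_factory=list)
    values_changed: List[str] = field(default_factory=list)
    files_changed: List[str] = field(default_factory=list)
    # Value changes matched against the caller's baseline-noise list
    # (assumed to come from runs with no tool at all), kept apart so the
    # tool's own footprint is not buried in ordinary system churn.
    noise: List[str] = field(default_factory=list)

    def counts(self) -> Dict[str, int]:
        return {n: len(getattr(self, n)) for n in (
            "keys_added", "keys_deleted", "values_added",
            "values_deleted", "values_changed", "files_changed", "noise")}

    def render(self) -> str:
        """Sectioned text in the style of the list above, e.g. 'Keys added: 14'."""
        out: List[str] = []
        for title in ("Keys added", "Keys deleted", "Values added", "Values deleted",
                      "Values changed", "Files changed", "Noise"):
            items = getattr(self, title.lower().replace(" ", "_"))
            out += [f"{title}: {len(items)}", "-" * (len(title) + 4)] + items
        return "\n".join(out)


def diff_snapshots(reg_before: RegSnapshot, reg_after: RegSnapshot,
                   files_before: FileSnapshot, files_after: FileSnapshot,
                   noise_values: FrozenSet[str] = frozenset()) -> DiffReport:
    rep = DiffReport()
    rep.keys_added = sorted(set(reg_after) - set(reg_before))
    rep.keys_deleted = sorted(set(reg_before) - set(reg_after))
    # Values under a deleted key are listed as deleted values too, which is
    # how a few deleted keys can produce a long "Values deleted" section.
    for key in rep.keys_deleted:
        rep.values_deleted += [f'{key} "{n}"' for n in sorted(reg_before[key])]
    for key in rep.keys_added:
        rep.values_added += [f'{key} "{n}"' for n in sorted(reg_after[key])]
    for key in sorted(set(reg_before) & set(reg_after)):
        before, after = reg_before[key], reg_after[key]
        for name in sorted(set(before) | set(after)):
            label = f'{key} "{name}"'
            if name not in after:
                rep.values_deleted.append(label)
            elif name not in before:
                rep.values_added.append(label)
            elif before[name] != after[name]:
                (rep.noise if label in noise_values else rep.values_changed).append(label)
    # A file is "changed" when its timestamp or size differs, or when it
    # appears or disappears between the two snapshots.
    for path in sorted(set(files_before) | set(files_after)):
        if files_before.get(path) != files_after.get(path):
            rep.files_changed.append(path)
    return rep


# Constructed snapshots, abbreviated from the entries above: the binary seed
# data is truncated and the USB device-class key path is shortened.
RNG_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\RNG"
USB_KEY = (r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\DeviceClasses"
           r"\{6994ad05-93ef-11d0-a3cc-00a0c9223196}\##?#USB#Vid_0573&Pid_4d22")
MSVIDEO_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\MediaResources\msvideo"
PREFETCH = r"c:\WINDOWS\Prefetch\HELIX.EXE-2AC0706C.pf"
SOFTWARE_LOG = r"c:\WINDOWS\system32\config\software.LOG"

REG_BEFORE: RegSnapshot = {
    RNG_KEY: {"Seed": ("REG_BINARY", "54, 8F, 94, CE")},
    USB_KEY: {"DeviceInstance": ("REG_SZ", r"USB\Vid_0573&Pid_4d22\5&39e0bbf6&0&1")},
}
REG_AFTER: RegSnapshot = {
    RNG_KEY: {"Seed": ("REG_BINARY", "81, 93, EF, AA")},
    MSVIDEO_KEY: {},
}
FILES_BEFORE: FileSnapshot = {PREFETCH: ("1/23/2006 9:23 PM", 65744),
                              SOFTWARE_LOG: ("1/23/2006 9:23 PM", 1024)}
FILES_AFTER: FileSnapshot = {PREFETCH: ("1/23/2006 9:27 PM", 65816),
                             SOFTWARE_LOG: ("1/23/2006 9:27 PM", 1024)}


def example_report() -> DiffReport:
    # Assumption for this example: the RNG seed changes whenever the system
    # draws CryptoAPI randomness, tool or no tool, so it is treated as noise.
    return diff_snapshots(REG_BEFORE, REG_AFTER, FILES_BEFORE, FILES_AFTER,
                          noise_values=frozenset({f'{RNG_KEY} "Seed"'}))


if __name__ == "__main__":
    print(example_report().render())
```

Running the block prints the sectioned report: one key added (msvideo), one key deleted (the USB device-class key) with its `DeviceInstance` value listed under values deleted, both files changed, and the RNG seed change filed under noise rather than as a tool-caused change. Run the same diff on a machine with no tool executed to populate the noise list before reading anything into a tool's footprint.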
nick,
Interesting. I'd expect to see the update to c:\WINDOWS\Prefetch\HELIX.EXE-2AC0706C.pf as well as some of the other file changes, but I find the deletion of the "..DeviceClasses\{6994ad05-93ef-11d0-…" key information to be… odd.
I'll have to try using Helix myself.
Harlan
Harlan,
I completely agree and almost didn't post it, as I don't have explanations yet, but it happened on the 3 occasions I tested it, so something is going on there. I need to test it on a clean Virtual Machine really, as some keys specific to my system, such as those referring to a USB TV box, are being adjusted.
The Cyberspeak podcast had an interview with the Helix chap Drew Fahey on the 7th Jan I think it was, and they mentioned an email from a guy who was testing it and mentioned about 35 keys changed.
My plan is to test each aspect of the distro with all the effects each of the embedded tools makes to the system but I think my work is cut out just figuring out what happens at boot and close!
If you or anyone else has any time to take a look, many hands…
I wonder if this should be a specific thread?
Cheers
Nick
nick,
This does need to be its own thread… burying something like this in another thread is probably a very bad thing.
Harlan
Harlan,
There is a Helix thread running under the Open Source Topic, I'll repost the data there and we can carry on where we left off.
Cheers
Nick