
Turning RegRipper into WindowsRipper


Harlan Carvey has given us a great tool in RegRipper and it’s undeniable that many examiners have found it to be a useful addition to their toolbox. RegRipper has a very specific purpose – parse the Windows registry. With some modification, we can turn RegRipper into WindowsRipper, an extremely powerful Windows triage tool. Using WindowsRipper we can parse much more than just the registry. Read on and watch the video to see just what WindowsRipper could become.

Adam James, a coworker who did the coding for this project, and I took a look at RegRipper and decided it could be morphed nicely into an amazing triage tool. The first thing Adam did was modify RegRipper to work against a mounted drive. You can read his explanation in the previous post, or simply know that his code allows RegRipper to look at a mounted drive, find the Windows installation folder, and walk through all of the user profiles found on the drive, parsing each NTUSER.dat file. The code was recently posted on the RegRipper.net site.

Using this updated version of RegRipper, we can now ask it to parse other items within the Windows OS. As a proof of concept, we have RegRipper calling Harlan’s script for LNK file parsing, launching an external GUI program, and executing a plugin that calls a command-line function. This last item lets us launch any other program that has a CLI simply by running a RegRipper plugin.

RegRipper’s current architecture is laid out nicely for becoming a triage tool. When you run RegRipper, you choose a “plugin” for each specific registry hive. Each plugin consists of numerous modules, which can also be run on their own using rip.exe. (RegRipper itself calls the list a plugins file and each entry in it a plugin; this post uses “plugin” for the list and “module” for its entries.) For instance, looking inside the NTUSER.dat plugin, we see that it runs the following modules.

# List of plugins for the Registry Ripper
#-------------------------------------
# NTUSER.DAT
logonusername
acmru
adoberdr
aim
applets
fileexts
comdlg32
compdesc
# The controlpanel plugin is intended for Vista systems only
# User hives from systems prior to Vista will show ‘not found’
controlpanel
#listsoft
#logon_xp_run
mmc
mndmru
mp2
mpmru
mspaper
officedocs
recentdocs
realplayer6
runmru
tsclient
typedurls
muicache
userassist
user_run
vncviewer
winzip
user_win
winrar
wallpaper
vista_bitbucket

Using this architecture, we can build a plugin that consists of modules for a specific purpose. For instance, in addition to incident response work we also receive HR cases that often involve inappropriate use (typically porn). We could build a plugin called “Inappropriate Internet Use” that calls modules to parse parts of the registry, internet history and recent internet searches, and to create thumbnail pages of the internet cache. Many of these report items would be created by calling outside executables, bypassing the need to code a custom module. The plugin would look something like this:

# List of plugins for WindowsRipper
#-------------------------------------
# INAPPROPRIATE INTERNET USE
logonusername
recentdocs
typedurls
recentsearches (calling Nirsoft’s MyLastSearch)
internethistory (calling Pasco)
cachedthumbnails (calling Easy Thumbnails)
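
As an added example for this page (not code from the proof of concept or from RegRipper itself), here is how a module that wraps an external command-line tool can be run against the mounted drive and folded into the report. The two modules in DEMO_PLUGIN stand in for the Pasco and Easy Thumbnails calls above: the first invokes the Python interpreter so the example runs offline, the second uses a hypothetical, deliberately missing tool path to show how a broken module is reported. The switches of the real programs are not reproduced.

```python
"""Run WindowsRipper-style modules that wrap external command-line tools.

Added example for this page; it is not the proof-of-concept code or RegRipper's own.
"""
import subprocess
import sys
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class ExternalModule:
    """One report section produced by invoking a CLI tool against the mounted drive.

    argv_template is an argument list, never a shell string: "{mount}" in any element
    is replaced by the drive root, so a path containing spaces, quotes or '&' taken
    from the evidence drive is passed to the tool verbatim and never parsed by a shell.
    """
    name: str
    argv_template: List[str]
    timeout_s: int = 300

    def run(self, mount_root: str) -> Dict[str, object]:
        argv = [arg.replace("{mount}", mount_root) for arg in self.argv_template]
        try:
            proc = subprocess.run(argv, capture_output=True, text=True,
                                  timeout=self.timeout_s, shell=False, check=False)
        except FileNotFoundError:
            return self._section(False, "", f"tool not found: {argv[0]}")
        except subprocess.TimeoutExpired:
            return self._section(False, "", f"timed out after {self.timeout_s}s")
        return self._section(proc.returncode == 0, proc.stdout, proc.stderr.strip())

    def _section(self, ok: bool, output: str, error: str) -> Dict[str, object]:
        return {"module": self.name, "ok": ok, "output": output, "error": error}


def run_plugin(modules: List[ExternalModule], mount_root: str) -> List[Dict[str, object]]:
    """Run every module of a plugin in order; one failing tool does not stop the rest."""
    return [module.run(mount_root) for module in modules]


def render_report(sections: List[Dict[str, object]]) -> str:
    """One heading per module, as in a rip report, with failures recorded in place."""
    lines = []
    for section in sections:
        lines.append(f"---- {section['module']} ----")
        if section["ok"]:
            lines.append(str(section["output"]).rstrip())
        else:
            lines.append(f"[module failed: {section['error']}]")
    return "\n".join(lines) + "\n"


# Constructed demo plugin. The first "tool" is the Python interpreter standing in
# for Pasco, so the example runs offline; the second is a deliberately missing
# (hypothetical) tool path to show how a broken module is reported.
DEMO_PLUGIN = [
    ExternalModule("internethistory",
                   [sys.executable, "-c", "import sys; print('history for', sys.argv[1])", "{mount}"]),
    ExternalModule("cachedthumbnails", ["C:\\tools\\no-such-tool.exe", "{mount}"]),
]

if __name__ == "__main__":
    print(render_report(run_plugin(DEMO_PLUGIN, "E:\\")))
```

The tool is started with an argument list and shell=False, so a profile folder such as E:\Users\O'Brien & Sons cannot be turned into extra shell commands, and a tool that is missing, exits non-zero or hangs produces a failed section instead of aborting the whole plugin. Because the external tools are not under RegRipper's control, the drive they are pointed at should be mounted read-only or sit behind a write blocker.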

Hopefully this example shows the potential that this type of a tool has. We’re even working on a timeline plugin.

With a strong community effort, WindowsRipper could grow based on a large library of custom modules. Users could create their own plugins based on these modules. Some modules could include PhotoRec for file carving, MD5Sum for hashing, many of the Nirsoft.net tools and a host of others. We can launch all of these against a mounted drive and compete with other triage programs such as Drive Prophet.

We recorded a short video of our WindowsRipper proof of concept in action. This video shows RegRipper parsing items other than registry and launching external programs from both the main executable and a custom plugin. View the video here.

What we have done is a rough mockup put together in just a few hours. The plugins and code we have written aren’t clean enough to be released yet, but they could be. Please let us know your thoughts on turning RegRipper into WindowsRipper. Good idea? Bad idea?

New Website


In the past I have been blogging over at Binary Intelligence, a joint blog shared with co-worker Jim O’Gorman. Both Jim and I have been busy with work and other projects and have somewhat outgrown the site. I wanted a place where it would be easier to post content that included videos, custom scripts and code, and other downloadable items that didn’t work out so well on a site hosted by Blogger.

I’ve imported most of the content from Binary Intelligence over to here, but because of the way the import works every post lists me as the author. Keep in mind that anything written prior to this post (May 23rd) may have been written by Jim. Binary Intelligence will most likely be dormant, but may see a post every now and then.

Hopefully this new format works out as well as I would like it to.

What Can Happen With Just an IP Address


After the Facebook post last week, much of the backlash consisted of, “Who cares if someone has my IP address? That information is almost always out there.” Well, here is a great example of what someone can do with an IP address.

Here’s something to really think about: I was able to obtain all of the information in this post for 16 cents, using just an email and IP address from a piece of spam.

Family members, ages, schools, anniversary dates, marriage lengths, hobbies, interests, phone numbers, addresses, property records, property taxes, pictures of their house, pictures of them, pictures of their children and grandchildren, deeds on their house, bankruptcies, employment history, previous addresses, previous creditors, and bits of social security numbers.

I’m pretty sure I’d be able to fake my way through one of those password reset forms, you know, where you set up a “secret question” asking what your dog’s name was, or where you went to school.

Beyond that, I’m fairly confident that at this point, if I were to call his bank and pretend to be him, I could easily pass when they asked me personal questions.

Run RegRipper Against a Mounted Drive


This post was written by guest blogger Adam James. Please feel free to post any questions or comments for him on this blog.

————————————————-

Modifying RegRipper to automatically run against a selected mounted drive.

When using RegRipper I began running into user-to-computer interface problems. Namely, for some reason I would select a hive file to process but forget to tell RegRipper which plugin file to use against it. After doing this several dozen times and having to rerun the reports once I realized what I had done, I started thinking about ways to modify RegRipper to alleviate my obvious “stupid user” issues. I figured that since I can’t remember to select the plugin types I want, why can’t the program just throw all of the available plugins against the hive and determine which ones should work against it? Then that got me thinking: for that matter, why am “I” having to know where all of these registry hives are? I have to extract them from an image, remember where I took them from, and then run RegRipper against each one. That is way too much work. I wish RegRipper would just do all of that for me so I can do what I really care about: looking at the great output from the program.

To accomplish this there were a couple of problems that needed to be solved. The rest of this post describes how my proof of concept solved them.

Problems:

1. RegRipper is intended to run plugins only against a single, specified type of registry hive. The plugins can be run against any single hive; it is just unlikely that any of the key/value pairs will be found if the hive is not of the correct type.

2. RegRipper expects the user to know the location of each registry hive that needs to be processed.

Potential Solutions:

1. Modify RegRipper to allow the user to select one or more registry hives. Have RegRipper attempt to determine each hive’s type and then run only the plugins that are intended for that hive against it.

This is pretty easy… right? All we need to do is (a) come up with some code to determine a hive file’s type, (b) programmatically determine what hive type a plugin is supposed to run against, (c) allow the user to select multiple hives, and then (d) iterate through all of the hives. That doesn’t seem too bad.

a. To determine the hive type, Harlan has already provided code in rip.pl that tries to guess the hive type, so that part is done; we just need to add it to RegRipper. For my proof of concept I came up with a similar approach that uses different keys. (starts at line 563 of the code)

b. To determine the hive each plugin should be run against, RegRipper’s basic design could be used: in each plugin the developer specifies which hive type the plugin is meant for, so you could just pull the hive value from the plugin’s %config hash and use that. When reviewing the plugins I noticed that some could potentially be run against multiple hive types. To stay closer to the current user experience, I thought it better to still allow users to create their own plugin files, so I came up with my own format: instead of putting just the plugin name in the plugin file, place the hive type you want it run against in front of it, e.g. “system:usbstor”. I had to modify the main RegRipper code to parse the new plugin file format while keeping it backward compatible with the current format. (starts at line 434 of the code)

c. To allow the user to select multiple hive files, an additional Perl module is required. I used OpenDialog from Win32::FileOp, which allows the user to select multiple files. (line 251 of the code)

d. Since selecting multiple files with OpenDialog returns an array of file names, looping through them is easy to implement. (line 267 of the code)

So the first problem has been solved and I no longer have to remember to change the plugin file each time I run RegRipper against a new hive. As a side benefit, I can run RegRipper against all of my exported hive files at once if I want to. Now on to the next problem.
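
As an added example for this page (Python written to illustrate the explanation, not the guest post’s Perl), the following parses a plugin file in the hive-prefixed format and selects the modules to run once a hive’s type has been determined. The post leaves open how unprefixed legacy lines are treated once several hives are processed in one run; the example assigns them to the hive the old-format file was written for, which is an assumption of the example, and the sample plugin file is constructed.

```python
"""Parse hive-prefixed plugin files ("system:usbstor") while staying compatible with
the original one-name-per-line RegRipper format.

Added example for this page; not the guest post's Perl code.
"""
from typing import List, NamedTuple, Optional


class PluginEntry(NamedTuple):
    hive: Optional[str]  # None for a legacy line that names no hive
    module: str


# Hive types a prefix may name (lower-cased on parse). The set is an assumption of
# this example, following the hive names RegRipper plugins declare in %config.
KNOWN_HIVES = {"ntuser", "usrclass", "system", "software", "sam", "security"}


def parse_plugin_file(text: str) -> List[PluginEntry]:
    """Return the entries of a plugin file, in order.

    '#' starts a comment (so '#listsoft' disables a module exactly as it does now),
    blank lines are ignored, and 'hive:module' ties a module to one hive type.
    """
    entries: List[PluginEntry] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if ":" in line:
            hive, module = (part.strip().lower() for part in line.split(":", 1))
            if hive not in KNOWN_HIVES or not module:
                raise ValueError(f"line {lineno}: bad entry {raw.strip()!r}")
            entries.append(PluginEntry(hive, module))
        else:
            entries.append(PluginEntry(None, line.lower()))
    return entries


def modules_for_hive(entries: List[PluginEntry], hive_type: str,
                     legacy_hive: Optional[str] = None) -> List[str]:
    """Select the modules to run against one hive of a known type.

    Prefixed entries run only when the prefix matches. Unprefixed legacy entries are
    attributed to legacy_hive, the hive the old-format file was written for (an
    assumption of this example); passing None runs them against every hive, which
    reproduces the 'not found' noise the post is trying to avoid.
    """
    hive_type = hive_type.lower()
    legacy_hive = legacy_hive.lower() if legacy_hive else None
    selected = []
    for entry in entries:
        if entry.hive == hive_type:
            selected.append(entry.module)
        elif entry.hive is None and legacy_hive in (None, hive_type):
            selected.append(entry.module)
    return selected


# Constructed sample mixing the new format with one legacy line.
SAMPLE_PLUGIN_FILE = """\
# List of plugins for WindowsRipper
#-----------------------------------
system:usbstor
system:compname
software:profilelist
ntuser:userassist
#ntuser:listsoft
recentdocs          # legacy line: no hive named
"""

if __name__ == "__main__":
    parsed = parse_plugin_file(SAMPLE_PLUGIN_FILE)
    for hive in ("system", "software", "ntuser", "sam"):
        print(hive, "->", modules_for_hive(parsed, hive, legacy_hive="ntuser"))
```

Rejecting an unknown prefix at parse time (rather than silently skipping the line) matters for the same reason the post gives for the original bug: a misspelled hive name would otherwise drop a module from every report without any indication.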

2. Modify RegRipper to allow it to be run against a mounted drive. Have the program find all of the relevant hive files on the system and process them in a systematic manner.

Now this one looks a little more difficult… maybe? OK, so we need to (a) allow the user to select a drive letter to run against, (b) grab the basic hive files from windows\system32\config, (c) parse the SOFTWARE hive for a list of profiles and grab the NTUSER.DAT file for each profile, and (d) iterate through all of the identified registry files. Shouldn’t be too tough, I guess.

a. To allow the user to run RegRipper against a mounted drive I added a checkbox to the GUI. When this box is checked, BrowseForFolder from the Win32::FileOp Perl module is used. (line 605 of the code)

b. Grabbing the basic hives from the mounted drive is a little more difficult than it first looks. Sure, the standard location is C:\Windows\System32\config. I tried this first, but ran into issues when running it on actual cases. It seems some of our corporate clients have, for some reason, created their own golden images that put %systemroot% somewhere other than C:\Windows, such as C:\Win.

This creates a bit of an issue, as it messes up what should have been an easy step. On Windows XP, %systemroot% can be determined from the boot.ini file in a fairly straightforward manner. (starts at line 639 of the code) On Vista and later it is a little more difficult: the boot configuration is now stored in a registry hive called the BCD, so you have to parse the GUID and element key/value pairs to get the value that specifies %systemroot%. (starts at line 614 of the code) If you want to replicate what is in the code, the links at the end of this post provide the relevant information about the BCD.

Lastly, I tossed in some extra code so that if neither boot.ini nor the BCD hive can be found, it defaults to windows\system32\config, because it never hurts to try if nothing else was found.

c. To determine the profiles on the system, Harlan has already provided the code in the profilelist plugin. I used a modification of that code to grab all of the NTUSER.DAT files. (starts at line 690 of the code)

d. The issue of iterating through multiple hive files was solved under the first problem. For this I just had to make sure each hive file found was placed in the array to be processed. (line 267 of the code, again)
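
As an added example for this page, not the guest post’s code, the following finds the hive files on a mounted volume along the lines of steps (b) and (c): %systemroot% is read from boot.ini (XP) with the same fallback to Windows the post describes, and ProfileImagePath values of the kind stored under ProfileList in the SOFTWARE hive are mapped onto the mount point. The Vista-and-later BCD lookup needs a registry hive parser and is not reproduced here; the boot.ini text and the ProfileImagePath values are constructed sample input.

```python
"""Locate registry hives on a mounted Windows volume without assuming that
%systemroot% is C:\\Windows.

Added example for this page, not the guest post's code. The BCD lookup used for
Vista and later is not reproduced (it needs a registry hive parser); when boot.ini
yields nothing the code falls back to \\Windows, as the post does.
"""
import ntpath
import re
from typing import List, Optional

DEFAULT_SYSTEMROOT = "Windows"
SYSTEM_HIVES = ("SAM", "SECURITY", "SOFTWARE", "SYSTEM")


def systemroot_from_boot_ini(boot_ini: str) -> Optional[str]:
    """Return the system folder named by default= in [boot loader], or None.

    The value is an ARC path such as multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS;
    its last backslash-separated component is the %systemroot% folder name.
    """
    in_boot_loader = False
    for raw in boot_ini.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_boot_loader = line.lower() == "[boot loader]"
        elif in_boot_loader and line.lower().startswith("default="):
            folder = line.split("=", 1)[1].strip().rsplit("\\", 1)[-1]
            return folder or None  # "default=C:\" style entries name no folder
    return None


def config_dir(mount_root: str, boot_ini: Optional[str]) -> str:
    """<mount>\\<systemroot>\\System32\\config, with the fallback from the post."""
    found = systemroot_from_boot_ini(boot_ini) if boot_ini else None
    return ntpath.join(mount_root, found or DEFAULT_SYSTEMROOT, "System32", "config")


def system_hive_paths(mount_root: str, boot_ini: Optional[str]) -> List[str]:
    cfg = config_dir(mount_root, boot_ini)
    return [ntpath.join(cfg, hive) for hive in SYSTEM_HIVES]


def ntuser_paths(mount_root: str, profile_image_paths: List[str],
                 systemroot: str = DEFAULT_SYSTEMROOT) -> List[str]:
    """Map ProfileList\\<SID>\\ProfileImagePath values to NTUSER.DAT files on the mount.

    Values look like %SystemDrive%\\Documents and Settings\\bob (XP) or
    %SystemDrive%\\Users\\bob (Vista+); an absolute C:\\... form and
    %systemroot%\\... service-account profiles also occur. The imaged system's drive
    letter must be replaced by the mount point, never used as-is, or the examiner's
    own C: drive would be parsed instead of the evidence.
    """
    paths = []
    for value in profile_image_paths:
        expanded = re.sub(r"^%systemroot%", lambda _m: systemroot, value, flags=re.IGNORECASE)
        rel = re.sub(r"^(%systemdrive%|[A-Za-z]:)", "", expanded, flags=re.IGNORECASE).lstrip("\\")
        paths.append(ntpath.join(mount_root, rel, "NTUSER.DAT"))
    return paths


# Constructed sample input: a boot.ini from a golden image using C:\WIN, and three
# ProfileImagePath values of the shapes seen under ProfileList.
SAMPLE_BOOT_INI = """\
[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\\WIN
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\\WIN="Microsoft Windows XP Professional" /fastdetect
"""
SAMPLE_PROFILE_IMAGE_PATHS = [
    "%SystemDrive%\\Documents and Settings\\bob",
    "C:\\Users\\alice",
    "%systemroot%\\system32\\config\\systemprofile",
]

if __name__ == "__main__":
    root = systemroot_from_boot_ini(SAMPLE_BOOT_INI) or DEFAULT_SYSTEMROOT
    for path in system_hive_paths("E:\\", SAMPLE_BOOT_INI):
        print(path)
    for path in ntuser_paths("E:\\", SAMPLE_PROFILE_IMAGE_PATHS, systemroot=root):
        print(path)
```

The functions only compute paths; the caller should test each one with os.path.isfile before handing it to a plugin, since a profile listed in ProfileList may have been deleted from disk while its key remained.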

For me the proof of concept works. It is definitely a rough cut, but the source is all there and this post explains the process if anyone wants to make improvements. I am not totally sure I like the output file that this proof of concept produces, but it is a start. Drastically changing RegRipper’s output options is probably a more difficult undertaking than making it run against a mounted drive, so it may not be worth it.

Links

http://regripper.net/?page_id=150 (download the code)

http://search.cpan.org/~jenda/Win32-FileOp-0.14.1/FileOp.pm

http://ezinearticles.com/?Windows-Vista-Boot-Process-Overview&id=794745

http://www.geoffchappell.com/viewer.htm?doc=notes/windows/boot/bcd/index.htm&tx=5

Facebook Leaks IP Addresses


Update: It looks like Facebook fixed the default behavior of the sent emails. Your IP Address is no longer included in the notification emails. I will give Facebook credit that they solved this in less than 24 hours. Now, if they can just shore up some of the other issues…

Original Post:

Facebook has nice email notifications whenever a friend comments on your status, sends you a message, or a variety of other reasons. The emails have subjects similar to “John Doe commented on your wall post.” The unfortunate thing is that this email also appears to contain John Doe’s (or your other friend’s) IP address.

The email headers contain a line similar to:

X-Facebook: from zuckmail ([MTAuMzAuNDcuMjAw])

Copy this line out and feed it to this page:

http://www.myiptest.com/staticpages/index.php/trace-email-sender

You will get the IP address of your friend, and clicking on it will show a geolocation-based map. This will also show whether your friend posted from their cell phone and which service provider they use.
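
As an added example for this page (not from the original post), here is the same decoding done locally instead of by pasting the header into a third-party website. The bracketed token in the X-Facebook header is the poster’s IP address, base64-encoded; the message below is constructed, with only the header value taken from the post.

```python
"""Decode the IP address embedded in Facebook's X-Facebook notification header.

Added example for this page. The bracketed token is the sender's IP address,
base64-encoded; decoding it locally avoids handing a friend's header to a
third-party site.
"""
import base64
import binascii
import email
import ipaddress
import re
from typing import Optional

_TOKEN = re.compile(r"\[([A-Za-z0-9+/=]+)\]")


def decode_x_facebook(header_value: str) -> Optional[str]:
    """Return the IP address encoded in an X-Facebook header value, or None."""
    match = _TOKEN.search(header_value)
    if not match:
        return None
    token = match.group(1)
    token += "=" * (-len(token) % 4)  # tolerate stripped base64 padding
    try:
        text = base64.b64decode(token, validate=True).decode("ascii")
        return str(ipaddress.ip_address(text))  # rejects anything that is not an address
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def sender_ip_from_message(raw_message: str) -> Optional[dict]:
    """Parse a raw message and report the decoded address and whether it could geolocate.

    An RFC 1918 / loopback / link-local address (private=True) belongs to an internal
    network and will never map to a real location.
    """
    msg = email.message_from_string(raw_message)
    value = msg.get("X-Facebook")
    if value is None:
        return None
    ip = decode_x_facebook(value)
    if ip is None:
        return None
    addr = ipaddress.ip_address(ip)
    return {"ip": ip, "private": addr.is_private, "version": addr.version}


# Constructed sample message; only the X-Facebook value is taken from the post.
SAMPLE_MESSAGE = """\
From: Facebook <notification+example@facebookmail.com>
To: someone@example.com
Subject: John Doe commented on your wall post.
X-Facebook: from zuckmail ([MTAuMzAuNDcuMjAw])

John Doe commented on your wall post.
"""

if __name__ == "__main__":
    print(sender_ip_from_message(SAMPLE_MESSAGE))
```

The value quoted in the post decodes to 10.30.47.200, an RFC 1918 private address, so that particular example would never geolocate; the private flag in the result catches this. A public address identifies the network the friend posted from (home ISP, office, or mobile carrier), which is what the trace pages map.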

This information is great when a fugitive is taunting law enforcement through their Facebook page, but not when a wife is trying to hide from an abusive husband and assumes Facebook is the best form of communication.

This isn’t the end of the world compared to some of Facebook’s other privacy problems, however, there is simply no need for Facebook to include these IP addresses and it should be quickly fixed.

Guide to Changing Your Facebook Privacy Options


Facebook is rolling out the new Privacy options today. There are a couple good things and a couple bad things. I suggest reading this article by the EFF for a good breakdown on the new changes. Sadly, your friends still have some bearing over how your information is used. In my opinion, Applications still get way too much leeway on what personal information they are able to see, collect, and use.

To maximize your privacy, I suggest the following changes. This guide should walk you through each screen and make sure you don’t miss anything important.

The basic Privacy Settings screen looks like this:
Start with the first group, Profile Information. There are several settings to update and every choice within this group should be set to “Friends Only”. You’ll have to click the Edit Settings button for Photo Albums and set each album to “Friends Only” as well.

The next group is Contact Information. This is how my settings look, but you may want to adjust for your own tastes.


The next group is Applications and Websites. The options here are:
For “What you share”, click on Learn More and you’ll see an info screen. Click the link in the very last sentence or just go here.

Click on “Edit Settings” for each application. Change the options to “Friends Only”. You might want to look at the “Additional Permissions” to see if the application can post to your stream.

Also, on the top right of this screen there is the drop down box labeled “Show”. Make sure you go through all of those screens so that you don’t miss any applications.

A quick note about Applications… make sure you delete any Applications you aren’t using. Every application has access to your personal information and this really isn’t a good thing. Take it straight from the creator of Mafia Wars.

The next group within Applications and Websites is “What Your Friends Can Share About You”. Uncheck everything and then click Save Changes.

The last two sections, “Blocked Applications” and “Ignore Application Invites” probably don’t need to be edited.

The fourth main section is Search. In this section you will need to Uncheck “Allow Indexing” and set “Appear in Search Results” to “Friends of Friends” or “Friends Only”. This section will help restrict the general public from finding your profile. Again, the point of this article and the settings presented is to protect your privacy.

The last main section is Block List and probably doesn’t need to be edited at this time.

Now we’ve walked through the main sections to protect your privacy. This is a great first step, but as the EFF article points out

Looking even closer at the new Facebook privacy changes, things get downright ugly when it comes to controlling who gets to see personal information such as your list of friends. Under the new regime, Facebook treats that information — along with your name, profile picture, current city, gender, networks, and the pages that you are a “fan” of — as “publicly available information” or “PAI.”

To help minimize what you’re sharing with the public, you’ll have to change some of this info as well.

To begin, click on “Edit My Profile” underneath your profile picture. Uncheck “Show my sex in my profile” and make sure the dropdown box underneath your birthday is set to “Don’t show my birthday in my profile”.

Next find the box on the lefthand pane that shows your friends. Click on the pencil and uncheck the box that says “Show my friends on my profile”.

Your profile picture is displayed publicly despite your Photo Album settings. If you’re not comfortable showing your picture to the world, change it to something else.

The final pieces of information will have to be removed entirely if you don’t want them publicly displayed. Current City, Networks, Recent Activity, and Fan Pages are all publicly available. I deleted everything (although I really didn’t have much to begin with).

To see how your new Profile looks to the public, click on Privacy Settings, Profile Information, and then Preview Profile. If there is any information displayed that you don’t want, go back through the settings and remove it. Again, some things must be manually deleted.

After following these steps, the only information I have publicly displayed is my name, my fake profile picture, and one Fan Page.


Good luck changing your settings. If there was something I missed, please let me know in the comments. If you have trouble changing a setting, let me know that as well and I’ll try to help you out.

News Story


Here is a news story that Jim and I participated in on Facebook and securing your private information.

http://www.wowt.com/home/headlines/67332677.html

Facebook Security – Relying on Friends


Another article came along regarding Facebook security and hijacked applications. What I found most interesting was this quote:

On top of all these security issues, in August many Facebook users were surprised to discover the vast amounts of personal information they were revealing by their use of Facebook quizzes. Even if you limit access to your profile through privacy settings, Facebook quiz applications can see everything on your profile page when you take a quiz…or even when your friend takes one. To make matters worse, Facebook does not screen developers for trustworthiness nor do they require developers to comply with a privacy policy.

“…or even when your friend takes one.” I’ve always thought that it’s kind of shady that quizzes and applications can access my friends’ personal data. I shy away from the apps and quizzes for this specific reason. But are my friends providing me the same courtesy? By being on Facebook, am I putting my personal information security in my friends’ hands? Facebook has done better with increased privacy settings, and hopefully users have changed those settings to be more restrictive.

If I was a malicious user, I would absolutely create as many quizzes as I could that would take advantage of the automatic data mining capabilities of Facebook.

It seems like a recurring theme on this blog lately, but be careful of what you post online.

"Bad" Social Networking Links


Wow. We all know that social networking can be “bad”. Here are a few recent articles.

Interview and Interrogation – Balloon Boy


Stan B. Walters is well known as “The Lie Guy”. He gets a fair amount of press and I’ve attended his Kinesic Interview and Interrogation course. Stan often uses current events to illustrate his techniques and talking points. In his most recent blog post, he takes on the “Balloon Boy” family.

We now know that the balloon stunt was a hoax. Stan mentions that “it all came down to the verbal and nonverbal cues of deception generated by the Heenes.” Unfortunately, he doesn’t go into any detail on what he thinks those cues were. However, there are a few listed in the CNN article linked above.

Stan talks about narrative based interviews as a way of gathering information. You can learn a lot from just listening to someone talk and watching their body language. He also mentions that the interviewer needs to be aware of what signals they are giving back to the interviewee. These are a lot of the same points I tried to make in the Social Engineering Podcast and Stan’s post is a good read.