Friday 9 March 2012

Inspecting Registry key differences on SIFT with "regdump.pl" and Meld

Recently, I read some favourable reviews (on the Ubuntu forum) about a open source diff program called meld. Commonly used in programming, diff programs are used to compare 2 separate files.
There is an existing Unix command line diff program called "diff" however, I think a GUI diff editor makes it much easier/quicker to visualise lots of little differences.

Note: This post isn't going to be anything special but it might introduce you to handy tool which you can add to your SIFT kit.

So, lets take meld for a spin on SIFT V2.12 shall we?

To install meld, at a command line terminal type:
"sudo apt-get install meld"

Already installed on the SIFT VM is the "regdump.pl" Perl script.
All you have to do is give it the Registry hive (eg "NTUSER.DAT") and the key (eg "Software\\Microsoft\\winmine" which is the Minesweeper Registry entries) plus some arguments (-r for recursively listing and v to print the values). Note: When listing the key, ensure you use "\\" to separate subkey names.

I have used FTK Imager to grab 2 copies of my "NTUSER.DAT" files. One with my impressive Minesweeper records ("NTUSER.DAT")and the second one taken after I reset those records (NTUSER-2.DAT). Oh, the sacrifices this Minesweeping Monkey makes!

We start our exploration by typing:

"regdump.pl /cases/NTUSER.DAT -rv Software\\Microsoft\\winmine > ntuser1-winmine.txt"

and

"regdump.pl /cases/NTUSER-2.DAT -rv Software\\Microsoft\\winmine > ntuser2-winmine.txt"

Note: These commands store the outputs of "regdump.pl" in the "ntuser1-winmine.txt" and "ntuser2-winmine.txt" files in the current directory ("/home/sansforensics/").

So now that we have our Registry listings, let's compare them.

First, let's use the existing Unix command line "diff" with the "-y" argument to list the 2 files side by side:

"diff -y ntuser1-winmine.txt ntuser2-winmine.txt"

which outputs something like:

$$$PROTO.HIV\Software\Microsoft\winmine [2011-08-02T09:52:57Z |    $$$PROTO.HIV\Software\Microsoft\winmine [2012-03-09T06:32:01Z
Difficulty (REG_DWORD) = 0x00000002 (2)                Difficulty (REG_DWORD) = 0x00000002 (2)
Height (REG_DWORD) = 0x00000010 (16)                Height (REG_DWORD) = 0x00000010 (16)
Width (REG_DWORD) = 0x0000001e (30)                Width (REG_DWORD) = 0x0000001e (30)
Mines (REG_DWORD) = 0x00000063 (99)                Mines (REG_DWORD) = 0x00000063 (99)
Mark (REG_DWORD) = 0x00000001 (1)                Mark (REG_DWORD) = 0x00000001 (1)
AlreadyPlayed (REG_DWORD) = 0x00000001 (1)            AlreadyPlayed (REG_DWORD) = 0x00000001 (1)
Color (REG_DWORD) = 0x00000001 (1)                Color (REG_DWORD) = 0x00000001 (1)
Sound (REG_DWORD) = 0x00000000 (0)                Sound (REG_DWORD) = 0x00000000 (0)
Xpos (REG_DWORD) = 0x000002a8 (680)                Xpos (REG_DWORD) = 0x000002a8 (680)
Ypos (REG_DWORD) = 0x0000016c (364)                Ypos (REG_DWORD) = 0x0000016c (364)
Time1 (REG_DWORD) = 0x00000010 (16)                  |    Time1 (REG_DWORD) = 0x000003e7 (999)
Time2 (REG_DWORD) = 0x00000065 (101)                  |    Time2 (REG_DWORD) = 0x000003e7 (999)
Time3 (REG_DWORD) = 0x000003e7 (999)                Time3 (REG_DWORD) = 0x000003e7 (999)
Name1 (REG_SZ) = A                          |    Name1 (REG_SZ) = Anonymous
Name2 (REG_SZ) = A                          |    Name2 (REG_SZ) = Anonymous
Name3 (REG_SZ) = Anonymous                    Name3 (REG_SZ) = Anonymous

sansforensics@SIFT-Workstation:~$


You can also call "diff" without the side-by-side formatting and so it only shows the differences (leaving out the common lines):

"diff ntuser1-winmine.txt ntuser2-winmine.txt"

which outputs something like:

1c1
< $$$PROTO.HIV\Software\Microsoft\winmine [2011-08-02T09:52:57Z]
---
> $$$PROTO.HIV\Software\Microsoft\winmine [2012-03-09T06:32:01Z]
12,13c12,13
< Time1 (REG_DWORD) = 0x00000010 (16)
< Time2 (REG_DWORD) = 0x00000065 (101)
---
> Time1 (REG_DWORD) = 0x000003e7 (999)
> Time2 (REG_DWORD) = 0x000003e7 (999)
15,16c15,16
< Name1 (REG_SZ) = A
< Name2 (REG_SZ) = A
---
> Name1 (REG_SZ) = Anonymous
> Name2 (REG_SZ) = Anonymous
sansforensics@SIFT-Workstation:~$


Now lets compare "diff" with the meld GUI.

To launch meld:
Go to the Ubuntu menu at the top of the screen and select:
Applications ... Programming .... Meld Diff Viewer

Or at the command line terminal type:
"meld &"

Go to File ... New and then in the resultant pop up (under the "File Comparison" tab), we "Browse" the "Original" dropbox to "/home/sansforensics/ntuser1-winmine.txt". Similarly, we set the "Mine" dropbox to "/home/sansforensics/ntuser2-winmine.txt" and then press "OK".

Here's what you should now see:


Whats the Diff?

As you can see, for our purposes a GUI diff makes it a LOT easier to see what has changed.
We can easily see that not only have my glorious record times/names been changed, but the so has the last access time for the key.

I don't recommend using meld over more than one key eg don't "regdump.pl" the top level "Software" key and then try to compare everything - it's too confusing.
For example, if the 2 hives have different programs installed, the "regdump.pl" output line numbers won't match up and meld will mark whole blocks as different.

One interesting feature of meld is the ability to do a three-way (Oh Grow Up!) compare . Interesting, but I'm not sure how useful it would be in a real investigation.

Thus ends our brief test drive. If you know of any other good (Unix/Windows) "diff" tools/hints, please leave a comment!

UPDATE:
I have since discovered SIFT's "regcompare.pl" GUI (located in "/usr/local/bin"). This program uses the Parse::Win32Registry Perl module (same as RegRipper) to graphically compare 2 Registry hives. You can see below that any changed values are also displayed. Users can also search for changes and bookmark Registry entries. It can be launched from the command line (in the background) by typing:
"regcompare.pl &"

Using "regcompare.pl" to compare MineSweeper Registry Entries


Other SIFT GUI Registry Viewers (located in "/usr/local/bin") ...
The "regview.pl" GUI is also based on the Parse::Win32Registry Perl module. It lets users (read-only) browse a Registry hive. Users can also search for and bookmark Registry entries. It can be launched from the command line (in the background) by typing:
"regview.pl &"

There is another Registry editor called "yaru" (which funnily stands for "yet another registry viewer"). This viewer can:
- display allocated Registry data
- display unallocated Registry data,
- search for data,
- save a copy of the hive to another file and
- display a Report on certain Registry entries.

Users can launch "yaru" via the Applications ... Forensics ... "YARU Registry Editor" SIFT menu or via the command line by typing:
"yaru &"