Home > incident response > EnCase + RegRipper + dtSearch + … for incident response

EnCase + RegRipper + dtSearch + … for incident response

So there I was, working an IR case …. The forensics version of “It was a dark and stormy night.” For all the typical reasons, I cannot share the details, but I can share some “what worked” tips that may be helpful to others. Please bear in mind that these are just small pieces of a much larger IR response plan, toolkit, and process.

1) Keep a running log of everything you do. This is SOP for forensics, IR, etc for well known reasons. One additional reason that isn’t often mentioned is that it serves as a governor on your pace. If you’re taking the time to collect your thoughts into a log, more of your thoughts have a chance to catch up with you, make it onto the page, and join in building the overall picture of the event. Without this governor, a lot of information is never documented, possible leads aren’t explored, and you will feel less like you’re in control of your response.

2) Dump the registry hives as early as you reasonably can and set up a process for running them through RegRipper. I used a combination of tools to simplify this:

  • A batch file to create the default folder structure.
  • An EnScript to locate and extract all the registry hives
  • A Python script to walk through all the files in a given directory, run the appropriate RegRipper plug in on it, and write the output to a dedicated output directory.

This combination of tools allowed me to quickly process a system in a repeatable fashion while minimizing the chances of human error creeping in.

3) With all the RegRipper output organized by system, I pointed dtSearch at the folder containing all the output and indexed it. This allowed me to quickly search the RegRipper output from all of the systems for new information came in.

4) malware often stomps on the MAC times but may leave the information in the File Name attributes alone. There are a lot of ways of getting at this information, but I dumped the $MFT out, ran my analyzeMFT tool against it, and created a spreadsheet I could use to do further analysis. This is a very rough form of timeline analysis but, no matter how you do it, timelines are crucial and should be developed. Further, they should be developed with the most accurate data possible.

5) If you’ve got malware and don’t know anything about how it behaves, I suggest you take a look at Lenny Zeltser’s site and in particular  at his material on reverse engineering malware. He teaches a superb SANS course on the topic, but he also has a one hour video and a PDF of his slides on the site that will really help you get started.

As I said, this is hardly a definitive list of what to do when working an IR case, but it might give you some ideas to include in your response toolkit.

Categories: incident response
  1. Jim
    June 7, 2010 at 2:03 am

    That would be Lenny Zeltser. 🙂

  2. keith
    July 23, 2010 at 12:00 pm


    Is it possible to share batch file, enscript,phython script and your analyzeMFT tool with me?

    I would appreciate verry much thx


  3. Elizabeth
    August 2, 2010 at 12:39 pm

    For your enscript, are you able to create directories on the host? I wrote a similar enscript, but wanted to put all of the NTUser.dats in a separate directory. And also pull all of the Registries from Snapshots (for RipXP whichr requires a certain directory structure), but EnCase doesn’t make it easy…

  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: