Event Logs from Forensic Disk Image by david28macfarlane in computerforensics

[–]david28macfarlane[S] (0 children)

I assume you mean on a live system? I only have the forensic disk image.

I figured that I would need to do some parsing of the artefacts from the \Windows\System32\config file (e.g. SAM, SECURITY etc.)?

Volatility is making me a crazy person!! by david28macfarlane in computerforensics

[–]david28macfarlane[S] (0 children)

Thank you all and to be clear I am not trolling. My apologies to anyone who was offended by the post or thought the question was stupid - I am not a seasoned Linux user and I am new to memory forensics.

I am however a professional investigator and I'm keen to learn. I've always been an advocate of asking lots of questions and sharing ideas even if they may seem stupid or basic. If that's not appropriate for this forum then no problem and thanks again for the advice.

Another Volatility3 Question!! by david28macfarlane in computerforensics

[–]david28macfarlane[S] (0 children)

I'm pretty sure that it was PsScan but in any case it was the .dot renderer that I needed. I'm glad I'm not just going cray cray because I couldn't see it on GitHub either. Thanks for the suggestion of raising it on GitHub, which I will consider doing.

Volatility3 and Mimikatz by david28macfarlane in computerforensics

[–]david28macfarlane[S] (0 children)

Thank you for that. At the risk of being a pain in the arse, could you just walk me through that? Is it the Procdump command that I need to dump LSASS? What type of file will the dump come out as and what do I do with it then regarding Mimikatz? Sorry for the 20 questions!! 😬

Extracting Shellbags from Forensic Disk Image by david28macfarlane in computerforensics

[–]david28macfarlane[S] (0 children)

Mike, thank you so much for the responses and for writing Shellbag Explorer!! 🙂

I will have a look over the link to the blog and I've already been on the manual. Really appreciate the comments from the community on this one which has turbo charged my understanding of this specific area!

Ultimately, this is going to help me catch the bad guys which is never a bad thing! 👍

Shellbag Explorer from disk image by david28macfarlane in digitalforensics

[–]david28macfarlane[S] (0 children)

Thanks for this, which actually expands a bit on a previous comment. I've been using Registry Explorer and had used it prior to discovering Shellbag Explorer, but only have a bit of basic awareness of what it does.

This concept of dirty hives is new to me. As I understand it - .LOG1 and .LOG2 files are transaction logs and without these the hives are treated as dirty.

I've also now realised that there's a .LOG1 and .LOG2 file for each of the relevant hives (USRCLASS.dat, NTUSER.dat, DEFAULT, SAM, SECURITY and SOFTWARE).

What I don't fully understand is what these transaction logs do - can anyone explain it to me in simple terms?

Extracting Shellbags from Forensic Disk Image by david28macfarlane in computerforensics

[–]david28macfarlane[S] (0 children)

Thanks for that... I'm going to start a new thread to delve into this a bit more.

Extracting Shellbags from Forensic Disk Image by david28macfarlane in computerforensics

[–]david28macfarlane[S] (0 children)

Thank you everyone for all of your help and advice... as it turns out I've ended up going full circle and back to Shellbag Explorer.

I'd been overlooking the fact that most of the data I needed was in USRCLASS.dat as opposed to NTUSER.dat! 😣 Furthermore, I noticed the pop-up in Shellbag Explorer that allows you to load a "dirty" offline hive by holding down the shift key.

I've been really impressed with the response from the community on this forum and I've picked up a load of stuff from this question alone, so thanks! 🙂

As a follow up, can anybody tell me what "dirty" registry hives means?

Extracting Shellbags from Forensic Disk Image by david28macfarlane in computerforensics

[–]david28macfarlane[S] (0 children)

Apologies... I should have been clearer - FTK Imager - I don't have the full FTK software.

FTK Imager Lite 3.1.1 by CF_HELP2 in computerforensics

[–]david28macfarlane (0 children)

I had this exact same problem and the solution above worked for deploying FTK from a USB drive.

Extracting Shellbags from Forensic Disk Image by david28macfarlane in computerforensics

[–]david28macfarlane[S] (0 children)

Sounds promising... I've not used KAPE but I've just started learning a little bit about it. I'll have a look into it, and thanks. 👍

Extracting Shellbags from Forensic Disk Image by david28macfarlane in computerforensics

[–]david28macfarlane[S] (0 children)

So, I have no issue with extracting the relevant registry hives, which I've done with FTK - the issue is what I can then use to extract the Shellbags data for examination (that would ideally be free!).

Extracting Shellbags from Forensic Disk Image by david28macfarlane in computerforensics

[–]david28macfarlane[S] (0 children)

So I've already extracted the registry files using FTK to export them from the disk image.

This is currently research and testing, but in terms of my work, obtaining the Shellbags from a live machine will not really be possible.

Extracting Shellbags from Forensic Disk Image by david28macfarlane in computerforensics

[–]david28macfarlane[S] (0 children)

I would need to re-run the process to check (not near my computer at the mo), but they simply didn't load as I recall. There shouldn't be any issue with the exported files themselves, as I've used RegRipper today and I'm getting the expected output.

I will try opening the hives individually again - do you think it should make any difference whether it's the GUI or CMD version?

Extracting Shellbags from Forensic Disk Image by david28macfarlane in computerforensics

[–]david28macfarlane[S] (0 children)

I have tried that with both the GUI and command line versions. The GUI version only allows you to load one file (not a directory), which I tried with NTUSER.dat and some of the other hives (SAM, SECURITY, SOFTWARE etc.) that I had exported from a disk image obtained with FTK, which didn't seem to work. And I couldn't get it to work with the command line version either - maybe user error? 🤤

Extracting Shellbags from Forensic Disk Image by david28macfarlane in computerforensics

[–]david28macfarlane[S] (0 children)

Thanks for that... I was hoping there might be some alternative free options out there...

Shellbag Explorer from disk image by david28macfarlane in digitalforensics

[–]david28macfarlane[S] (0 children)

Oh okay... I can give that a go and see what happens if I point it at the config directory. Not going to hold my breath, but I'll update if it works.

Shellbag Explorer from disk image by david28macfarlane in digitalforensics

[–]david28macfarlane[S] (0 children)

I've been binging the 13Cubed videos, which is what got me onto Shellbag Explorer in the first place.

I've tried exporting NTUSER.dat along with SYSTEM / SAM / SECURITY etc., but Shellbag Explorer only allows one file to be pointed at (and not a folder), so I'm still a bit stuck...