Wednesday, September 21, 2011

Windows Forensics: Registry Analysis

Two months ago I released a document (109 pages) on Memory Forensics, both on the Techbiz Forense blog and on the SSegurança blog.

Since the feedback was very positive, I decided to also publish here the material I prepared on Windows Registry Forensics (83 pages).

Books:

I - Windows Forensic Analysis, 2nd Edition, Harlan Carvey
Chapter 3 – Windows Memory Analysis; Chapter 4 – Registry Analysis

II - EnCE – The Official EnCase Certified Examiner Study Guide, 2nd Edition, Steve Bunting
Chapters 3 – First Response; 9 – Windows Operating System Artifacts; 10 – Advanced Windows Registry

III - Malware Forensics – Investigating and Analyzing Malicious Code, James Aquilina, Eoghan Casey, Cameron Malin
Chapters 3 – Memory Forensics: Analyzing Physical and Process Memory Dumps; 9 – Analysis of a Suspect Program

IV – Microsoft Windows Registry Guide, 2nd Edition

Papers / Documentation:

“Inside the Registry” Windows NT Magazine – Mark Russinovich

Windows 7 UserAssist Registry Keys - Didier Stevens: Into The Box Magazine.

Guide To Profiling USB Device Thumbdrives and Drive Enclosures on Win7, Vista, and XP: http://blogs.sans.org/computer-forensics/files/2009/09/USBKEY-Guide.pdf

RegRipper Documentation: http://regripper.net/RR/Documents/Documents.zip
Registry Reference; Deleted Apps; ACMRU; Windows Forensic Analysis; RegRipper version 2.02 Cheat Sheet

AccessData Registry Viewer Documentation: http://www.accessdata.com/supplemental.html
Registry Quick Find Chart; Registry Offset; UserAssist Registry Key

Forensic Analysis of the Windows Registry in Memory - Brendan Dolan-Gavitt: http://www.dfrws.org/2008/proceedings/p26-dolan-gavitt.pdf

Recovering Deleted Data From the Windows Registry - Timothy Morgan: http://www.dfrws.org/2008/proceedings/p33-morgan.pdf

Forensic Analysis of Unallocated Space in Windows Registry Hive Files – Jolanta Thomassen (University of Liverpool)

Tools:

1) Virtual machines:

1.0) VMware Workstation, Server or Player: http://www.vmware.com

2) Free/GPL tools:

2.4 – RegRipper (+ RegSlack, + RegScan, + RipXP): http://regripper.net/?page_id=150
2.5 – Registry Viewer – AccessData: http://www.accessdata.com/downloads.html#ForensicProducts
2.6 – Registry Summary Report Files – AccessData: http://www.accessdata.com/downloads/rsrfiles/AllRSRFiles.zip
2.7 – RegExtract (GUI/CLI) – WoanWare: http://www.woanware.co.uk/downloads/
2.11 – USBDeviceForensics: http://www.woanware.co.uk/usbdeviceforensics/
2.14 – MiTec Windows Registry Recovery: http://www.mitec.cz/wrr.html

3) Commercial tools:

3.1 – AccessData FTK 3.1 + Registry Viewer: http://www.accessdata.com
3.2 – EnCase Forensic 6.17: http://www.guidancesoftware.com
UserAssist Decoder V3.3 EnScript: https://support.guidancesoftware.com/forum/downloads.php?do=file&id=832 (requires access to Guidance support)
Registry Examiner EnPack: https://support.guidancesoftware.com/forum/downloads.php?do=file&id=752 (requires access to Guidance support)

3 comments:

  1. Is your presentation perhaps available in English?

  2. Unfortunately no, but all the books, papers and tools listed above are written in English.

    Best Regards,

    SS

  3. Hi Sandro, would you have this material as a PDF, for reading on a tablet? Thank you.

    pro.marcelo.conterato@hotmail.com
