
Using PowerShell to Capture and Compare Windows Registry and Live Memory Artifacts with Online Databases to Identify Suspect Files.

Year 2018, Volume: 7 Issue: 2, 78 - 89, 01.06.2018

Abstract

System administrators and forensic investigators alike face a multitude of challenges when seeking to identify sources of pertinent data in the course of their work. The inconsistent identification and acquisition of significant registry keys is a frustration second only to the common practice of overlooking unique data stored in system memory. Identifying suspect file signatures in the resulting data is a further challenge. Many tools are available for scanning and identifying suspect files, so it makes sense to use them where possible. In this paper, we present a PowerShell tool, and the accompanying method, to acquire, parse, and display not only significant registry data but also to perform live memory acquisition of the Application Compatibility Cache, where key registry attributes are held before being written to the registry. These keys, held in memory, are of particular interest because they can indicate executed processes that are not yet recorded in the registry, and are therefore potentially helpful to system administrators and investigators. The tool identifies the contents of the Application Compatibility Cache held in volatile memory and compares them with the same dataset recorded to disk in the Windows Registry. Items that exist in memory but are absent from the on-disk registry are hashed and submitted to the VirusTotal.com database; the results are returned and presented in the form of a report. This paper presents not only positive VirusTotal.com results but also other significant registry data that may be of interest to the administrator and investigator.
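The pipeline the abstract describes, as an added PowerShell example that is not the paper's tool: parse the Application Compatibility Cache (AppCompatCache, "Shimcache") binary blob, take the set difference between a memory-side snapshot and the registry copy, hash the files behind the memory-only entries, and optionally look the hashes up on VirusTotal. Assumptions not stated on this page: the Windows 10 "10ts" entry layout (DWORD header size, then per entry a 4-byte signature, 4 unknown bytes, a 4-byte entry data size, a 2-byte path length, the UTF-16LE path, an 8-byte FILETIME and a 4-byte data size), a little-endian host, and VirusTotal API v3 with the `x-apikey` header. The memory-side blob is constructed here, because pulling it from kernel memory needs a memory-analysis framework that this example does not include; the function names and the sample paths are invented for the demo.

```powershell
# Added example, not the paper's tool. Assumes the Windows 10 "10ts" AppCompatCache
# layout, a little-endian host, and VirusTotal API v3 (none stated on the page).

function ConvertFrom-AppCompatCache {
    # Walk the blob: DWORD header size, then consecutive "10ts" entries.
    param([Parameter(Mandatory)][byte[]]$Bytes)
    $entries = New-Object System.Collections.Generic.List[object]
    $pos = [int][BitConverter]::ToUInt32($Bytes, 0)                  # 0x30, or 0x34 on some builds
    while ($pos + 14 -le $Bytes.Length) {
        if ([Text.Encoding]::ASCII.GetString($Bytes, $pos, 4) -ne '10ts') { break }
        $entrySize = [int][BitConverter]::ToUInt32($Bytes, $pos + 8)  # bytes that follow this field
        $pathLen   = [int][BitConverter]::ToUInt16($Bytes, $pos + 12)
        if ($pos + 14 + $pathLen + 8 -gt $Bytes.Length) { break }     # truncated entry: stop, do not guess
        $path = [Text.Encoding]::Unicode.GetString($Bytes, $pos + 14, $pathLen)
        $ft   = [BitConverter]::ToInt64($Bytes, $pos + 14 + $pathLen) # FILETIME: last modification of the file
        $modified = if ($ft -gt 0) { [DateTime]::FromFileTimeUtc($ft) } else { $null }
        $entries.Add([pscustomobject]@{ Path = $path; LastModifiedUtc = $modified })
        $pos += 12 + $entrySize
    }
    return $entries.ToArray()
}

function New-ConstructedCacheBlob {
    # Constructed test data in the same layout. A real blob comes from the registry
    # value or from memory; this builder exists only so the demo runs offline.
    param([string[]]$Paths)
    $out = New-Object System.Collections.Generic.List[byte]
    $header = New-Object byte[] 0x30
    [BitConverter]::GetBytes([uint32]0x30).CopyTo($header, 0)
    $out.AddRange($header)
    $ft = [DateTime]::UtcNow.ToFileTimeUtc()
    foreach ($p in $Paths) {
        $pathBytes = [Text.Encoding]::Unicode.GetBytes($p)
        $entrySize = 2 + $pathBytes.Length + 8 + 4                   # path size + path + FILETIME + data size
        $out.AddRange([Text.Encoding]::ASCII.GetBytes('10ts'))
        $out.AddRange([BitConverter]::GetBytes([uint32]0))           # unknown field
        $out.AddRange([BitConverter]::GetBytes([uint32]$entrySize))
        $out.AddRange([BitConverter]::GetBytes([uint16]$pathBytes.Length))
        $out.AddRange($pathBytes)
        $out.AddRange([BitConverter]::GetBytes([int64]$ft))
        $out.AddRange([BitConverter]::GetBytes([uint32]0))           # no trailing data
    }
    return $out.ToArray()
}

function Compare-AppCompatCache {
    # Entries present in the memory snapshot but absent from the registry copy.
    param([Parameter(Mandatory)][byte[]]$MemoryBlob,
          [Parameter(Mandatory)][byte[]]$RegistryBlob)
    $onDisk = @(ConvertFrom-AppCompatCache -Bytes $RegistryBlob | ForEach-Object { $_.Path.ToLowerInvariant() })
    ConvertFrom-AppCompatCache -Bytes $MemoryBlob | Where-Object { $onDisk -notcontains $_.Path.ToLowerInvariant() }
}

function Get-SuspectFileHash {
    # Hash the files behind memory-only entries. A path that no longer exists on
    # disk cannot be hashed; it is still reported, since a vanished binary is itself a finding.
    param([AllowNull()][object[]]$Entries)
    foreach ($e in $Entries) {
        $sha256 = $null
        if (Test-Path -LiteralPath $e.Path -PathType Leaf) {
            $sha256 = (Get-FileHash -LiteralPath $e.Path -Algorithm SHA256).Hash
        }
        [pscustomobject]@{ Path = $e.Path; LastModifiedUtc = $e.LastModifiedUtc; Sha256 = $sha256 }
    }
}

function Get-VirusTotalReport {
    # Hash lookup against VirusTotal API v3 (assumed). A 404 means the hash is unknown to VirusTotal.
    param([Parameter(Mandatory)][string]$Sha256, [Parameter(Mandatory)][string]$ApiKey)
    try {
        $r = Invoke-RestMethod -Uri "https://www.virustotal.com/api/v3/files/$Sha256" -Headers @{ 'x-apikey' = $ApiKey }
        $s = $r.data.attributes.last_analysis_stats
        [pscustomobject]@{ Sha256 = $Sha256; Known = $true;  Malicious = $s.malicious; Undetected = $s.undetected }
    } catch {
        [pscustomobject]@{ Sha256 = $Sha256; Known = $false; Malicious = $null;        Undetected = $null }
    }
}

# --- Demo on constructed data: no network and no elevated rights needed ---
# On a live host the registry side would instead be read with:
#   (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache' -Name AppCompatCache).AppCompatCache
# and the memory side would come from a memory-analysis framework.
$registryBlob = New-ConstructedCacheBlob -Paths 'C:\Windows\System32\notepad.exe', 'C:\Windows\System32\calc.exe'
$memoryBlob   = New-ConstructedCacheBlob -Paths 'C:\Windows\System32\notepad.exe', 'C:\Windows\System32\calc.exe', 'C:\Users\Public\unknown.exe'

$onlyInMemory = @(Compare-AppCompatCache -MemoryBlob $memoryBlob -RegistryBlob $registryBlob)
$report = Get-SuspectFileHash -Entries $onlyInMemory
$report | Format-Table -AutoSize
# With a key set in $env:VT_API_KEY, look up every entry that could be hashed:
#   $report | Where-Object Sha256 | ForEach-Object { Get-VirusTotalReport -Sha256 $_.Sha256 -ApiKey $env:VT_API_KEY }
```

Three caveats a practitioner should carry into the real run. The parser stops at the first entry whose signature is not `10ts`, so a Windows 7 or Windows 8 cache (different header sizes and entry layouts) yields nothing rather than garbage; check the header size before trusting an empty result. Windows 10 cache entries carry no execution flag, so a memory-only entry shows that the shim engine saw the file, not that it ran; the abstract's "indicator of executed processes" should be read with that in mind. Finally, the registry copy is written back at shutdown, so on a running host the memory set is expected to be a superset; the difference is the interesting part, and submitting hashes rather than files to VirusTotal limits what the host discloses to a third party.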


Details

Primary Language English
Journal Section Research Article
Authors

Narasimha Karpoor Shashidhar

Publication Date June 1, 2018
Published in Issue Year 2018 Volume: 7 Issue: 2

Cite

IEEE N. K. Shashidhar, “Using PowerShell to Capture and Compare Windows Registry and Live Memory Artifacts with Online Databases to Identify Suspect Files,” IJISS, vol. 7, no. 2, pp. 78–89, 2018.