FTK Windows Server 2008 SYSTEM Filter

I recently found it necessary to quickly grab a large number of SYSTEM registry files to determine the current control set and time zone information. FTK displays this information when you click the SYSTEM registry file. However, when you have a bunch of disk images loaded, it is a pain to navigate to all of them. Below is my filter to grab the SYSTEM file from /Windows/System32/config/. This should work on other OS versions too, but I have not tested that yet. It has been working for me on Windows Server 2008 R2 64-bit.

<?xml version="1.0" encoding="UTF-8"?>
<exportedFilter xmlns="http://www.accessdata.com/ftk2/filters"><filter name="W2K8 System Hive" matchCriterion="all" id="f_1000005" read_only="false" description=""><rule position="0" enabled="true" id="a_9148" operator="is_member"><one_int value="850"/></rule><rule position="1" enabled="true" id="a_9171" operator="contains"><one_string value="/Windows/System32/config/SYSTEM"/></rule></filter><attribute id="a_9148" type="set"><table>ftk_CustomCategories</table><column>CustomCategoryID</column></attribute><attribute id="a_9171" type="string"><table>cmn_ObjectFiles</table><column>Path</column></attribute></exportedFilter>

More FTK Filters

In my last post, I mentioned two useful FTK filters for quickly finding files of interest. Below are two more that may be helpful to a digital investigator examining a Microsoft Windows Server 2008 R2 server (they may work on other versions, but I have not tried).

Remote Desktop Logs (there are other log files, but I found this filter to be very useful):

<?xml version="1.0" encoding="UTF-8"?>
<exportedFilter xmlns="http://www.accessdata.com/ftk2/filters"><filter name="W2K8 RDP Logs" matchCriterion="all" id="f_1000006" read_only="false" description="Windows Server 2008 RDP Logs"><rule position="0" enabled="true" id="a_9001" operator="starts_with_caseignore"><one_string value="Microsoft-Windows-TerminalServices"/></rule><rule position="1" enabled="true" id="a_9001" operator="contains_caseignore"><one_string value="%4Operational"/></rule><rule position="2" enabled="true" id="a_9001" operator="contains_caseignore"><one_string value="Manager"/></rule><rule position="3" enabled="true" id="a_9185" operator="is"><one_string value="evtx"/></rule></filter><attribute id="a_9001" type="string"><table>cmn_Objects</table><column>ObjectName</column></attribute><attribute id="a_9185" type="string"><table>cmn_ObjectFiles</table><column>Extension</column></attribute></exportedFilter>

Windows Firewall logs:

<?xml version="1.0" encoding="UTF-8"?>
<exportedFilter xmlns="http://www.accessdata.com/ftk2/filters"><filter name="W2K8 Windows Firewall Logs" matchCriterion="all" id="f_1000009" read_only="false" description="Microsoft-Windows-Windows Firewall With Advanced Security"><rule position="0" enabled="true" id="a_9001" operator="contains_caseignore"><one_string value="Microsoft-Windows-Windows Firewall With Advanced Security"/></rule></filter><attribute id="a_9001" type="string"><table>cmn_Objects</table><column>ObjectName</column></attribute></exportedFilter>
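Both filter posts have the same structure: a filter is an ordered list of rules, each rule points (through its id) at an <attribute> element that names the database table and column it is evaluated against, and matchCriterion="all" requires every enabled rule to hold. The following Python example is added here and is not AccessData's code or the author's; it parses an exported filter and applies it to constructed file records so a filter can be sanity-checked before it is imported into a case. The operator semantics are assumed from the operator names, the record shape (a dict keyed by column name, with a set of integers for CustomCategoryID) is an assumption, and the sample file names and category number 850 membership are constructed. It covers the SYSTEM hive filter from the previous post as well as the RDP-log filter above.

```python
"""Parse an FTK exported filter and apply it to file records offline.

Added example; not AccessData code and not part of the post. Operator
semantics (is, contains, contains_caseignore, starts_with_caseignore,
is_member) are assumed from their names; the records are constructed.
"""
import xml.etree.ElementTree as ET

NS = {"f": "http://www.accessdata.com/ftk2/filters"}

# The "W2K8 RDP Logs" filter exactly as exported in the post.
RDP_FILTER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<exportedFilter xmlns="http://www.accessdata.com/ftk2/filters"><filter name="W2K8 RDP Logs" matchCriterion="all" id="f_1000006" read_only="false" description="Windows Server 2008 RDP Logs"><rule position="0" enabled="true" id="a_9001" operator="starts_with_caseignore"><one_string value="Microsoft-Windows-TerminalServices"/></rule><rule position="1" enabled="true" id="a_9001" operator="contains_caseignore"><one_string value="%4Operational"/></rule><rule position="2" enabled="true" id="a_9001" operator="contains_caseignore"><one_string value="Manager"/></rule><rule position="3" enabled="true" id="a_9185" operator="is"><one_string value="evtx"/></rule></filter><attribute id="a_9001" type="string"><table>cmn_Objects</table><column>ObjectName</column></attribute><attribute id="a_9185" type="string"><table>cmn_ObjectFiles</table><column>Extension</column></attribute></exportedFilter>"""

# The "W2K8 System Hive" filter from the earlier post (set-typed is_member rule).
SYSTEM_FILTER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<exportedFilter xmlns="http://www.accessdata.com/ftk2/filters"><filter name="W2K8 System Hive" matchCriterion="all" id="f_1000005" read_only="false" description=""><rule position="0" enabled="true" id="a_9148" operator="is_member"><one_int value="850"/></rule><rule position="1" enabled="true" id="a_9171" operator="contains"><one_string value="/Windows/System32/config/SYSTEM"/></rule></filter><attribute id="a_9148" type="set"><table>ftk_CustomCategories</table><column>CustomCategoryID</column></attribute><attribute id="a_9171" type="string"><table>cmn_ObjectFiles</table><column>Path</column></attribute></exportedFilter>"""


def parse_filter(xml_text):
    """Return {'name', 'match', 'rules': [{'table', 'column', 'operator', 'value'}]}.

    Each <rule id="a_..."> refers to the <attribute id="a_..."> that names the
    table/column the rule is evaluated against.
    """
    root = ET.fromstring(xml_text)
    columns = {}
    for attr in root.findall("f:attribute", NS):
        columns[attr.get("id")] = (attr.find("f:table", NS).text,
                                   attr.find("f:column", NS).text)
    flt = root.find("f:filter", NS)
    rules = []
    for rule in sorted(flt.findall("f:rule", NS), key=lambda r: int(r.get("position"))):
        if rule.get("enabled") != "true":
            continue  # disabled rules stay in the export but are not evaluated
        operand = rule.find("f:one_string", NS)
        if operand is None:
            operand = rule.find("f:one_int", NS)
        table, column = columns[rule.get("id")]
        rules.append({"table": table, "column": column,
                      "operator": rule.get("operator"), "value": operand.get("value")})
    return {"name": flt.get("name"), "match": flt.get("matchCriterion"), "rules": rules}


def _rule_matches(rule, record):
    """Evaluate one rule against a record keyed by column name (assumed semantics)."""
    actual = record.get(rule["column"])
    if actual is None:
        return False
    op, expected = rule["operator"], rule["value"]
    if op == "is":
        return actual == expected
    if op == "contains":
        return expected in actual
    if op == "contains_caseignore":
        return expected.lower() in actual.lower()
    if op == "starts_with_caseignore":
        return actual.lower().startswith(expected.lower())
    if op == "is_member":  # set-typed column such as CustomCategoryID
        return int(expected) in actual
    raise ValueError(f"unsupported operator {op!r}")


def record_matches(flt, record):
    """'all' means every enabled rule must hold; anything else is treated as 'any' (assumption)."""
    results = [_rule_matches(r, record) for r in flt["rules"]]
    return all(results) if flt["match"] == "all" else any(results)


def apply_filter(flt, records):
    return [r for r in records if record_matches(flt, r)]


# Constructed records in the shape the filters' attributes expect.
RDP_RECORDS = [
    {"ObjectName": "Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx", "Extension": "evtx"},
    {"ObjectName": "Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx", "Extension": "evtx"},
    {"ObjectName": "Microsoft-Windows-TerminalServices-Printers%4Admin.evtx", "Extension": "evtx"},
    {"ObjectName": "Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx.bak", "Extension": "bak"},
    {"ObjectName": "Security.evtx", "Extension": "evtx"},
]
SYSTEM_RECORDS = [  # category 850 membership is constructed for the demo
    {"Path": "/Windows/System32/config/SYSTEM", "CustomCategoryID": {850}},
    {"Path": "/Windows/System32/config/SYSTEM.LOG", "CustomCategoryID": set()},
    {"Path": "/Windows/System32/config/SOFTWARE", "CustomCategoryID": {850}},
]

if __name__ == "__main__":
    for xml_text, records in ((RDP_FILTER_XML, RDP_RECORDS), (SYSTEM_FILTER_XML, SYSTEM_RECORDS)):
        flt = parse_filter(xml_text)
        print(f"{flt['name']} ({flt['match']} of {len(flt['rules'])} rules)")
        for hit in apply_filter(flt, records):
            print("  match:", hit.get("ObjectName") or hit.get("Path"))
```

Running the script lists the two TerminalServices Operational logs for the RDP filter and only the SYSTEM hive path for the hive filter; the `.bak` copy is rejected by the Extension rule and the Printers log by the `%4Operational` and `Manager` rules, which is the kind of precision check worth doing before trusting a filter across twenty images.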

FTK Filters are Your Friend

I have been working on a forensic investigation of about 20 Windows Server 2008 R2 VMs using FTK 4.2. FTK makes examining many systems manageable. One feature that has saved me a tremendous amount of time is the Filters feature. Filters allow you to quickly, well, filter out wanted or unwanted files that meet your defined criteria.



Going Paperless: Where Paper Meets Bits and Bytes

A client consulted me about going to a paperless environment. His company utilizes several different forms and numerous other documents through the course of daily business. These documents were typically filed in file cabinets after their initial use, never to be used again. The paper copies were retained simply out of fear that their online records management company would either go out of business, taking their data with them, or would start charging for online storage and archiving services.
After evaluating his business needs, I recommended a network based scanner, file server, backup server, and off-site backup solution. Everything installed rather flawlessly. Training was provided and business policies and procedures were updated. He has since destroyed all paper copies of files and has removed a majority of the file cabinets in his business.
This solution made me think about my current state of affairs for document management at my home.



Logging User Activities within Linux with bash scripts

I am just starting to learn the power of bash scripting. So, this script below may not be the best way of doing this, but hear me out. I often find myself trying to figure out what commands I executed in order to accomplish a task in Linux. Sometimes I just get carried away and forget to write things down. Enter my script below:

#!/bin/bash
# login.sh: wrap the session in script(1). $USER and $HOME are set by login; SHELL is forced to bash so script does not re-launch this wrapper when it is the user's login shell.
DATE=$(date +%Y%m%d)
SHELL=/bin/bash script -q -t 2>"$HOME/.$USER-console.tlog.$DATE" -a "$HOME/.$USER-console.log.$DATE"

This script grabs the current date and the name of the logged-on user and creates hidden files in the user's home directory that log the commands and output of what the user enters at the command line. The script command above also records separate timing information, which gives you an idea of how long it took to enter a command. Save the above script as login.sh and give it executable permissions:

chmod +x login.sh

You will also need to ensure the script is launched when the user drops to a terminal session. This can be done by setting the user's shell to login.sh. Of course, you will need the complete path to the script, like /home/user/login.sh.

This script can also be useful for logging administrator activities. Granted, the administrator can see the shell script and the logs, but it is a step in the right direction. If anyone knows how to improve upon this (especially making it less prone to admin tampering), I would be interested in learning more. You could also use various log collection tools to grab the log files and store them centrally.

Let me hear your thoughts.
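The timing file written by script -t is what turns the capture into a timeline rather than a plain transcript. As an added example (mine, not the author's), the Python below reads a timing file together with its typescript and reports when each screen line began and ended, so a reviewer can see how long a user sat at a prompt before pressing Enter. It assumes the classic two-column timing format (delay in seconds and byte count per line) and a capture made with -q, so the typescript has no "Script started" header line; the prompt marker "$ " is an assumption, and the session is constructed and simplified (real captures echo keystrokes in many tiny chunks, which the line-based approach handles the same way).

```python
"""Turn a `script -t` timing file plus its typescript into a per-line timeline.

Added example, not part of the post. Assumes the classic timing format
('<delay-seconds> <byte-count>' per line) and a capture made with -q, so the
typescript carries no 'Script started on ...' header (drop that line first
otherwise). The session below is constructed and simplified.
"""

# (seconds since the previous write, bytes written) -- constructed session
SESSION_CHUNKS = [
    (0.000000, "user@host:~$ "),
    (1.204511, "i"),
    (0.187302, "d"),
    (0.402117, "\r\n"),
    (0.004210, "uid=1000(user) gid=1000(user) groups=1000(user)\r\n"),
    (0.001033, "user@host:~$ "),
    (42.731900, "s"),                            # long pause before typing starts
    (0.151004, "udo systemctl restart nginx"),   # rest of the line arrives quickly
    (0.603118, "\r\n"),
    (0.912334, "user@host:~$ "),                 # the restart printed nothing
    (5.020000, "exit"),
    (0.210000, "\r\n"),
]
# The two files script(1) would have written for that session.
TYPESCRIPT = "".join(text for _, text in SESSION_CHUNKS)
TIMING = "".join(f"{delay:.6f} {len(text.encode())}\n" for delay, text in SESSION_CHUNKS)


def parse_timing(timing_text):
    """Return (delay_seconds, byte_count) pairs from the timing file."""
    entries = []
    for line in timing_text.splitlines():
        if line.strip():
            delay, count = line.split()
            entries.append((float(delay), int(count)))
    return entries


def line_timeline(timing_text, typescript):
    """Return [{'start', 'end', 'text'}] per screen line, seconds from session start.

    'start' is when the first byte of the line was written (for a prompt line,
    when the prompt appeared); 'end' is when its newline was written (Enter).
    """
    data = typescript.encode() if isinstance(typescript, str) else typescript
    lines, buf, start, now, pos = [], bytearray(), None, 0.0, 0
    for delay, count in parse_timing(timing_text):
        now += delay
        chunk, pos = data[pos:pos + count], pos + count
        for byte in chunk:
            if start is None:
                start = now
            buf.append(byte)
            if byte == 0x0A:
                lines.append({"start": start, "end": now,
                              "text": buf.decode(errors="replace").rstrip("\r\n")})
                buf, start = bytearray(), None
    if buf:  # session ended without a trailing newline
        lines.append({"start": start, "end": now, "text": buf.decode(errors="replace")})
    return lines


def slow_commands(lines, threshold_seconds, prompt_marker="$ "):
    """Prompt lines where more than threshold_seconds passed between prompt and Enter.

    prompt_marker is an assumption (bash's default non-root prompt ends in '$ ').
    """
    return [(round(line["end"] - line["start"], 6), line["text"])
            for line in lines
            if prompt_marker in line["text"] and line["end"] - line["start"] > threshold_seconds]


if __name__ == "__main__":
    timeline = line_timeline(TIMING, TYPESCRIPT)
    for line in timeline:
        print(f"{line['start']:9.3f}s -> {line['end']:9.3f}s  {line['text']}")
    for seconds, text in slow_commands(timeline, 10.0):
        print(f"slow: {seconds}s at prompt before Enter: {text}")
```

On the constructed session this flags the sudo line, where about 43 seconds passed between the prompt appearing and Enter; scriptreplay can play the same pair of files back in real time, but a line table like this is faster to scan when reviewing a day's worth of admin sessions.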
