BinInt

...thoughts and news on digital forensics, pentesting, electronic investigations, and the computer underground.

6/01/2025
Posted by Matt C

Turning RegRipper into WindowsRipper

Harlan Carvey has given us a great tool in RegRipper and it’s undeniable that many examiners have found it to be a useful addition to their toolbox. RegRipper has a very specific purpose – parse the Windows registry. With some modification, we can turn RegRipper into WindowsRipper, an extremely powerful Windows triage tool. Using WindowsRipper we can parse much more than just the registry.


Read on and watch the video to see just what WindowsRipper could become.

5/14/2025
Posted by Matt C

What Can Happen With Just an IP Address

After the Facebook post last week, much of the backlash consisted of, "Who cares if someone has my IP address? That information is almost always out there." Well, here is a great example of what someone can do with an IP address.

Here’s something to really think about.. I was able to obtain all of the information in this post for 16 cents and by just using an email and IP address from a piece of spam.

Family members, ages, schools, anniversary dates, marriage lengths, hobbies, interests, phone numbers, addresses, property records, property taxes, pictures of their house, pictures of them, pictures of their children and grandchildren, deeds on their house, bankruptcies, employment history, previous addresses, previous creditors, and bits of social security numbers.

I’m pretty sure I’d be able to fake my way through one of those password reset forms.. you know, where you set up a “secret question” asking what your dogs name was, or where you went to school?

Beyond that, I’m fairly confident that at this point, if I were to call his bank and pretend to be him, I could easily pass when they asked me personal questions.

5/14/2025
Posted by Matt C

Run RegRipper Against a Mounted Drive

This post was written by guest blogger Adam James. Please feel free to post any questions or comments for him on this blog.
-------------------------------------------------

Modifying RegRipper to automatically run against a selected mounted drive.

When using RegRipper I began running into user to computer interface problems. Namely, for some reason I would select a hive file to process, but forget to tell RegRipper what plugin file to use against it. After doing this several dozen times and having to rerun the reports after realizing I had done it, I started thinking about ways to modify RegRipper to alleviate my obvious “stupid” user issues. I figured since I can’t remember to select the plugin types I want, why can’t the program just throw all the available plugins against the hive and determine which ones should work against it. Then that got me thinking… for that matter why am “I” having to know where all these registry hives are at. I have to extract them from an image, remember where I took them from, and then run RegRipper against each one. That is way too much work. I wish RegRipper would just do that all for me so I can do what I really care about, look at the great output from the program.

To accomplish this task there were a couple of problems that needed to be solved. The rest of this post will be about how a proof of concept that I did solved these problems.

Problems:
1.RegRipper is intended to only run plugins against a single and specified type of registry hive. The plugins can be run against any single hive it is just not likely that any of the key value pairs will be successfully foundoHow if it is not of the correct type.
2.RegRipper expects the user to know the location of each registry hive that needs to be processed.

Potential Solutions:
1.Modify RegRipper to allow the user to select one or more registry hives. Have RegRipper attempt to determine each hive’s type and then run only the plugins that are intended for that hive against it.

This is pretty easy… right? All we need to do is (a)come up with some code to determine a hive file type, (b)programmatically determine what hive type a plugin is supposed to run against, (c)allow the user to select multiple hives, and then (d)iterate through all of the hives. That doesn’t seem too bad.

a.To determine the hive type, Harlan has already provided us with code in rip.pl that tries to guess the hive type, so that is done, we just need to add it to RegRipper. For my proof of concept I came up with a similar way, I just used different keys. (starts at line 563 of code)

b.To determine the hive each plugins should be run against the basic design of the RegRipper could be used. In each plugin the developer can specify what hive types the plugin should be run against. You could just pull the %config=>hive value from the plugin and use that. When reviewing the plugins I noticed that some could be potentially run against multiple hive types. I figured to keep closer to the current user experience it might be a better idea to still allow users to create their own plugin files, so I came up with my own format. Instead of putting just the plugin name in the plugin file, place the hive type you want to run it against in front of it. ie: “system:usbstor”. I had to modify the main RegRipper code to parse the new plugin file format, and also keep it backward compatible with the current plugin file format. (starts at line 434 of the code)

c.To allow the user to select multiple hive files an additional perl module is required. I used the FileOp::OpenDialog which allows the user to select multiple files. (line 251 of the code)

d.Since selecting multiple files with the OpenDialog returns an array of file names looping through them is easy to implement. (line 267 of the code)

So the first problem has been successfully solved and I no longer have to remember to change the plugin file type each time I run RegRipper against a new hive. As a side benefit I can run RegRipper against all of my exported hive files all at once if I want to also. Now on to the next problem.


2.Modify RegRipper to allow it to be run against a mounted drive. Have the program find all of the relevant hive files on the system and process them in a systematic manner.
Now this one looks a little more difficult… maybe? Ok, so we need to (a)allow the user to select a drive letter to run against, (b)grab the basic hive files from windows\system32\config, (c)parse the software hive for a list of profiles and grab the NTUSER.DAT file for each profile, (d)then iterate through all of the identified registry files. Shouldn’t be too tough, I guess.
a.To allow the user to specify running RegRipper against a mounted drive I added a checkbox to the GUI. When this box is checked the BrowseForFolder option from the FileOp perl module is used. (line 605 of the code)

b.Grabbing the basic hives from the mounted drive is a little more difficult than it first looks. Sure the standard location is C:\Windows\System32\config. I first tried this, but when running it on actual cases ran into some issues. Seems some of our corporate clients for some reason have created their own golden images that put the %systemroot% at somewhere other than C:\Windows such as C:\Win.

Now this creates a little bit of an issue, as it messes up what should have been an easy step. To resolve this on Windows XP the %systemroot% can be determined from the boot.ini file in a fairly straightforward manner. (starts at line 639 of the code) To resolve this issue in Vista and beyond is a little more difficult. The boot configurations are now stored in a registry hive called the BCD. So you have to parse the GUID and element key/value pairs to get the value that specifies the %systemroot%. (starts at line 614 of the code) If you want to replicate what is in the code I provided a link at the end of this post that should provide the relevant information about the BCD.

Lastly I tossed in some extra code just in case the boot.ini and BCD registry hives can’t be found to default to windows\system32\config. Cause it never hurts to try if nothing else was found.

c.To determine the profiles on the system Harlan has already provided the code in the profilelist plugin. I used a modification of that code to grab all of the NTUSER.DAT files. (starts at line 690 of the code).

d.The issue of iterating through multiple hive files was solved in the previous problem. For this I just had to make sure each hive file found was placed in an array to be processed. (line 267 of the code, again)

For me the proof of concept works. It is definitely a rough cut in my opinion, but the source is all there and this post explains the process if anyone wants to make improvements. I am not totally sure I really like the output file that this proof on concept results in, but it is a start. Drastically changing the output options of RegRipper is probably a more difficult undertaking than making it run against a mounted drive, so it may not be worth it.

Links
http://regripper.net/?page_id=150 (download the code)

http://search.cpan.org/~jenda/Win32-FileOp-0.14.1/FileOp.pm

http://ezinearticles.com/?Windows-Vista-Boot-Process-Overview&id=794745

http://www.geoffchappell.com/viewer.htm?doc=notes/windows/boot/bcd/index.htm&tx=5

5/09/2025
Posted by Matt C

Free VPN Accounts

The last post about Facebook including users' IP addresses in notification emails got a lot of traffic. We also sent quite a bit of traffic to myiptest.com through the link provided in the story. Adrian from myiptest.com contacted me about VPN access as he also helps run hideipvpn.com.

The benefits of using a VPN or proxy service is clear. Your personal IP address won't be seen by the sites you visit and it can help protect your privacy. If you were using a VPN/proxy service, you wouldn't have been affected by the Facebook notification email problem. If you need more info on VPNs, visit the Wikipedia articles for VPN and Proxy servers.

I have not used the services of hideipvpn.com yet and hadn't heard of them before, but I did check out their privacy policy and terms of service. Both seem to be standard and I didn't see anything concerning, but I always suggest checking them out for yourself. As with anything else, use at your own risk. You can also see some reviews of their service here and here.

Adrian was kind enough to set aside 25 free accounts for readers of this blog. For full disclosure, he also promised me use of a premium/paid account.

Since there is no reason to turn down a free account, go grab one from here. If you don't make it in time to get one of these accounts, check out the hideipvpn.com blog for future chances. You can also follow them on Twitter. Please let me know how things go and leave me a comment about what you think of their service.

Update: Be aware that during the sign-up process your passwords will be emailed to you in plain text. They also seem to be stored on the hideipvpn.com's servers in plain text. Use a unique password for this site and make sure you don't use it anywhere else.

It also looks like they never validate your Google Checkout or Paypal account since it will never be charged.

5/07/2025
Posted by Matt C

Facebook Leaks IP Addresses

Update: It looks like Facebook fixed the default behavior of the sent emails. Your IP Address is no longer included in the notification emails. I will give Facebook credit that they solved this in less than 24 hours. Now, if they can just shore up some of the other issues...

Original Post:
Facebook has nice email notifications whenever a friend comments on your status, sends you a message, or a variety of other reasons. The emails have subjects similar to "John Doe commented on your wall post." The unfortunate thing is that this email also appears to contain John Doe's (or your other friend's) IP address.

The email headers contain a line similar to:
X-Facebook: from zuckmail ([MTAuMzAuNDcuMjAw])

Copy this line out and feed it to this page:
http://www.myiptest.com/staticpages/index.php/trace-email-sender

You will get the IP address of your friend and clicking on it will get a geolocation-based map. This will also show you if your friend used their cell phone to post and who they use as their service provider.

This information is great when a fugitive is taunting law enforcement through their Facebook page, but not when a wife is trying to hide from an abusive husband and assumes Facebook is the best form of communication.

This isn't the end of the world compared to some of Facebook's other privacy problems, however, there is simply no need for Facebook to include these IP addresses and it should be quickly fixed.

1/25/2025
Posted by Matt C

Looking for new Authors

Hi all...

I just don't seem to write as many posts as I'd like, but I don't want this space to go to waste. If you have some topics you'd like to write about, please let me know. I'd love to add some new authors to this blog.

Let me know at matt @ binint.com or DM on Twitter @_remnant_.

Facebook is rolling out the new Privacy options today. There are a couple good things and a couple bad things. I suggest reading this article by the EFF for a good breakdown on the new changes. Sadly, your friends still have some bearing over how your information is used. In my opinion, Applications still get way too much leeway on what personal information they are able to see, collect, and use.

To maximize your privacy, I suggest the following changes. This guide should walk you through each screen and make sure you don't miss anything important.

The basic Privacy Settings screen looks like this:
Start with the first group, Profile Information. There are several settings to update and every choice within this group should be set to "Friends Only". You'll have to click the Edit Settings button for Photo Albums and set each album to "Friends Only" as well.

The next group is Contact Information. This is how my settings look, but you may want to adjust for your own tastes.


The next group is Applications and Websites. The options here are:
For "What you share", click on Learn More and you'll see an info screen. Click the link in the very last sentence or just go here.

Click on "Edit Settings" for each application. Change the options to "Friends Only". You might want to look at the "Additional Permissions" to see if the application can post to your stream.

Also, on the top right of this screen there is the drop down box labeled "Show". Make sure you go through all of those screens so that you don't miss any applications.

A quick note about Applications... make sure you delete any Applications you aren't using. Every application has access to your personal information and this really isn't a good thing. Take it straight from the creator of Mafia Wars.

The next group within Applications and Websites is "What Your Friends Can Share About You". Uncheck everything and then click Save Changes.

The last two sections, "Blocked Applications" and "Ignore Application Invites" probably don't need to be edited.

The fourth main section is Search. In this section you will need to Uncheck "Allow Indexing" and set "Appear in Search Results" to "Friends of Friends" or "Friends Only". This section will help restrict the general public from finding your profile. Again, the point of this article and the settings presented is to protect your privacy.

The last main section is Block List and probably doesn't need to be edited at this time.

Now we've walked through the main sections to protect your privacy. This is a great first step, but as the EFF article points out

Looking even closer at the new Facebook privacy changes, things get downright ugly when it comes to controlling who gets to see personal information such as your list of friends. Under the new regime, Facebook treats that information — along with your name, profile picture, current city, gender, networks, and the pages that you are a "fan" of — as "publicly available information" or "PAI."
To help minimize what you're sharing with the public, you'll have to change some of this info as well.

To begin, click on "Edit My Profile" underneath your profile picture. Uncheck "Show my sex in my profile" and make sure the dropdown box underneath your birthday is set to "Don't show my birthday in my profile".

Next find the box on the lefthand pane that shows your friends. Click on the pencil and uncheck the box that says "Show my friends on my profile".

Your profile picture is displayed publicly despite your Photo Album settings. If you're not comfortable showing your picture to the world, change it to something else.

The final pieces of information will have to be removed entirely if you don't want them publicly displayed. Current City, Networks, Recent Activity, and Fan Pages are all publicly available. I deleted everything (although I really didn't have much to begin with).

To see how your new Profile looks to the public, click on Privacy Settings, Profile Information, and then Preview Profile. If there is any information displayed that you don't want, go back through the settings and remove it. Again, some things must be manually deleted.

After following these steps, the only information I have publicly displayed is my name, my fake profile picture, and one Fan Page.


Good luck changing your settings. If there was something I missed, please let me know in the comments. If you have trouble changing a setting, let me know that as well and I'll try to help you out.

10/30/2009
Posted by Matt C

News Story

Here is a news story that Jim and I participated in on Facebook and securing your private information.

http://www.wowt.com/home/headlines/67332677.html

10/23/2009
Posted by Matt C

Facebook Security - Relying on Friends

Another article came along regarding Facebook security and hijacked applications. What I found most interesting was this quote:

On top of all these security issues, in August many Facebook users were surprised to discover the vast amounts of personal information they were revealing by their use of Facebook quizzes. Even if you limit access to your profile through privacy settings, Facebook quiz applications can see everything on your profile page when you take a quiz...or even when your friend takes one. To make matters worse, Facebook does not screen developers for trustworthiness nor do they require developers to comply with a privacy policy.
"...or even when your friend takes one." I've always thought that it's kind of shady that quizzes and applications can access my friends' personal data. I shy away from the apps and quizzes for this specific reason. But, are my friends providing me the same courtesy? By being on Facebook, am I putting my personal information security in my friends' hands? Facebook has done better with increased privacy settings, and hopefully users have changed those settings to be more restrictive.

If I was a malicious user, I would absolutely create as many quizzes as I could that would take advantage of the automatic data mining capabilities of Facebook.

It seems like a recurring theme on this blog lately, but be careful of what you post online.

10/20/2009
Posted by Matt C

"Bad" Social Networking Links

Wow. We all know that social networking can be "bad". Here are a few recent articles.

  • Exclusive: U.S. Spies Buy Stake in Firm That Monitors Blogs, Tweets
  • How Social Networking Can Hurt You
  • How Hackers Find Your Weak Spots
  • Opinion: Twitter, Facebook Security Depends on Vigilant Developers, Sensible Users
  • Researcher: Hackers Hijack Some Facebook Apps
  • Facebook, Twitter users beware: Crooks are a mouse click away
  • Does your social class determine your online social network?

10/18/2009
Posted by Matt C

Interview and Interrogation - Balloon Boy

Stan B. Walters is well known as "The Lie Guy". He gets a fair amount of press and I've attended his Kinesic Interview and Interrogation course. Stan often uses current events to illustrate his techniques and talking points. In his most recent blog post, he takes on the "Balloon Boy" family.

We now know that the balloon stunt was a hoax. Stan mentions that "it all came down to the verbal and nonverbal cues of deception generated by the Heenes." Unfortunately, he doesn't go into any detail on what he thinks those cues were. However, there are a few listed in the CNN article linked above.

Stan talks about narrative based interviews as a way of gathering information. You can learn a lot from just listening to someone talk and watching their body language. He also mentions that the interviewer needs to be aware of what signals they are giving back to the interviewee. These are a lot of the same points I tried to make in the Social Engineering Podcast and Stan's post is a good read.

10/13/2009
Posted by Matt C

Cellebrite Gets Early Info

I've been waiting for an Android phone to hit Verizon for a while, so I've been following some mobile phone blogs. This post from Boy Genius Report was interesting to me on the cell phone forensics front.

One of Cellebrite's selling points for forensic use is that they often get previews of new devices in order to get their units up to speed for use in the carrier's stores. The photos in the BGR post (if real) certainly give some credibility to that statement. I wonder if other cell forensic suites get similar updates.

10/04/2009
Posted by Matt C

Social Engineer Interview Podcast

I mentioned a few posts back that I've been helping contribute content over at Social-Engineer.org. Today they released their first podcast and I was lucky enough to be the interview guest. The podcast builds on this post I did a while back about interviewing techniques.

I think the podcast presents some useful information. Even though the topic is interrogation, pieces of the conversation should be useful in everyday interaction.

Give it a listen and let me know what you think. If you RSS and don't want to come back here to leave comments, hit me up on Twitter @_remnant_ .

Thanks to everyone over at Social-Engineer.org for making a great site and some fun times.

9/22/2009
Posted by Matt C

FTK3 Review

For those forensic folk that may have not have seen this, I did a review of FTK3 for the good folks over at Forensic 4Cast. Check it out here, http://4cast.whitfields.org/?p=438.

Also, follow the 4Cast guys on Twitter at @Schizophreud and @englishgit.

9/20/2009
Posted by Matt C

Burglary by the Tweets

It's not hard to look around and see that people are posting way too much personal information online. There are tons of articles about it and now we can even find out if you're gay or straight.

Most of the information seems harmless and a lot of people don't care if others know about their personal lives. But how much trouble can it get you in to? One couple thinks their Twitter posts led to their burglary.

Is it that easy?! Let's find out...

Chirpcity.com let's you search tweets by location. I chose a random city from the list and then searched for all tweets mentioning "vacation".


How lucky that the first result includes a potential victim. I don't want to get a real person in trouble here and create a ready-made victim, so I'm blocking out all identifying information. Plus, I don't think this person is actually going to be gone for five weeks during the school year as their Twitter feed also says they're a student. See how quickly we can learn about someone?

Ok, so let's go look at Twitter profile.


Now we're getting somewhere. Our second webpage gave us their last name and website address. If we wanted to learn more we could check out their webpage to hopefully see what kind of stuff they might have we could steal. Now we just need to find out where they live. Cue Zabasearch.com!


This was the most recent entry was for this person. I blacked out all the personal info so it doesn't look like much, but I now have a middle initial and possible address. I guess I could double check with other people searching sites. For a low monthly fee I could even subscribe to a data mining site and have instant information that includes much more than this!

Using free resources and five minutes of my time I located a potential victim and her address. I suppose it would be worth it to spend another 30 minutes and drive by the address to scope it out. Of course, if I really was a criminal I would have found multiple victims to go check out.

I guess it really is that easy. Be careful everybody!