Forensics Tools – find_times.py
Recently, we had the pleasure to join David Cowen on several episodes of his weekly show Forensic Lunch. In this particular episode on Youtube, we discussed some of our recent research on discovering previously unknown Windows registry values with embedded timestamp information. As promised, we are releasing our script to the community at large so that anyone interested can help contribute to the script and the results of the research. With that we’re happy to present find_times.py.
This script works to identify values within the registry that MIGHT contain timestamp data. Basically, we attempt to brute force a valid timestamp from value data within the registry using several different timestamp formats. If we end up parsing data into a valid timestamp we show that information to the user in the hopes that they can further examine the key to determine its forensic worth. Since we’re brute-forcing the parsing with many different timestamp formats, we’re going to inherently generate a lot of false positives. To reduce this, we implement several types of sanity checks to filter results down to a much more likely set of potential timestamps.
The most basic sanity check we do is that we allow for the user to specify a date range to constrain the result set. Doing this allows the user to have fine control over specifying the range of timestamps they’re interested in finding, providing a way to narrow our search to periods we know interesting activity took place. A bit more advanced and very useful is that we provide other options to specify time ranges helping to filter out more false positives. Provided the accompanying software hive, we can parse the install Windows installation timestamp (\Microsoft\Windows NT\CurrentVersion\InstallDate) and use that as the low date. This is useful since it’s much less likely that real timestamps of consequence are from prior to when the operating system was first installed. There is finally the option to use the LastWriteTime of each registry key as the high date filter for timestamps found in values belonging to that key. This particular filter is greatly useful as each time a registry key has a value written, this timestamp is updated. Since it is kept on a per key basis, it can represent the timestamp of activity most recent to that particular key. All of these filter options will likely preclude some valid timestamps concerning scheduled or upcoming dates but will really help filter the data to a manageable set of results ready for further research.
Most important of all, our goal is to develop our knowledge of windows registry timestamp artifacts. So we’ve created a Collaborative Spreadsheet so that we can aggregate all of the crowd-sourced research on this. To help contribute, just comment on the contributor page of it and we’ll add you to the editing group. Let’s all build on the knowledge that we have as a community.
The script is now available at our company GitHub page https://github.com/504ensicsLabs. Please download, use, and contribute to the tool. Most importantly, talk about anything interesting that you find. We want to hear about cool uses you found for the script and that new artifact you found!