Archive for VSC Toolset

VSC Toolset Update

I’ve made various updates to VSC Toolset since its last public release in September 2012 and wanted to write a quick post about some of the updates for those interested. The most significant additions to the tool have been two new batch scripts: one for comparing the contents of a directory between two VSCs and one for extracting the USB device connection and disconnection events from one or more VSCs (based on the event log and Event IDs detailed here).  There have also been numerous user interface and general usability enhancements made to the tool.  Read on for more details, or you can skip to the VSC Toolset page to download the latest version.

CompareDirectory Batch Script

It can be helpful to see how the contents of a directory have changed over time.  For example, identifying how an employment contract has been updated, not updated, or even created and deleted over a period of time can be critical in accomplishing the goals of your examination.  VSC Toolset previously supported (and still supports) running a batch script utilizing diff.exe to compare two VSCs, but that may be overkill in many cases.  Being able to specify a particular directory for comparison is much quicker and helps to eliminate the noise found in the output of running diff.exe against the entire VSC.

The “CompareDirectory” batch script addition to VSC Toolset works by first creating a file listing of each directory to be compared using the “dir” command.  It then compares the two directory listings using diff.exe, generating output similar to the screenshot below.

CompareDirectory Batch Script Sample Output
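As an added illustration of the listing-then-diff approach described above (this is example code written for this page, not the CompareDirectory script that ships with VSC Toolset), the batch file below lists one directory in two linked shadow copies and diffs the listings. The parameter order, the `C:\~LinkedVSC\vscN` link layout and the presence of diff.exe beside the script are assumptions; the listing is made relative to each VSC root so the `vscN` prefix itself never shows up as a difference.

```batch
@echo off
REM CompareDir.cmd - an added illustration of the CompareDirectory idea (dir listing + diff),
REM not the script that ships with VSC Toolset. The parameter order is an assumption:
REM   %1 = first VSC number    %2 = second VSC number
REM   %3 = directory to compare, relative to the volume root (e.g. Users\jdoe\Documents)
REM Assumes the VSCs are linked as C:\~LinkedVSC\vscN (the layout this archive describes)
REM and that diff.exe from UnxUtils sits beside the script; falls back to fc.exe if it is absent.
setlocal EnableDelayedExpansion
set "LINKROOT=C:\~LinkedVSC"
set "OUTDIR=%~dp0VSCToolset_Output"
if not exist "%OUTDIR%" mkdir "%OUTDIR%"

set "DIR1=%LINKROOT%\vsc%~1\%~3"
set "DIR2=%LINKROOT%\vsc%~2\%~3"
for %%D in ("%DIR1%" "%DIR2%") do if not exist "%%~D\" (
    echo Directory not found: %%~D
    exit /b 1
)

set "LIST1=%OUTDIR%\vsc%~1_dirlist.txt"
set "LIST2=%OUTDIR%\vsc%~2_dirlist.txt"
call :ListDir "%DIR1%" "%LIST1%"
call :ListDir "%DIR2%" "%LIST2%"

echo Comparing %~3 between VSC%~1 and VSC%~2
echo   "<" lines exist only in VSC%~1, ">" lines only in VSC%~2; a changed file shows as one of each.
if exist "%~dp0diff.exe" (
    "%~dp0diff.exe" "%LIST1%" "%LIST2%"
) else (
    fc "%LIST1%" "%LIST2%"
)
endlocal
exit /b 0

:ListDir
REM %1 = directory to list, %2 = output file. One line per file: relative path,size,last-write time.
REM dir /s /b /a-d includes hidden and system files (a plain for /r would skip them). The path is
REM made relative to %1 so the vscN prefix never reaches the listing, and the result is sorted so
REM enumeration order cannot create noise in the diff.
set "ROOT=%~1"
set "UNSORTED=%~2.tmp"
if exist "%UNSORTED%" del "%UNSORTED%"
for /f "delims=" %%F in ('dir /s /b /a-d "%ROOT%"') do (
    set "REL=%%F"
    set "REL=!REL:%ROOT%\=!"
    set "LINE=!REL!,%%~zF,%%~tF"
    >>"%UNSORTED%" echo !LINE!
)
if not exist "%UNSORTED%" type nul > "%UNSORTED%"
sort "%UNSORTED%" /o "%~2"
del "%UNSORTED%"
exit /b 0
```

Run it as `CompareDir.cmd 1 2 Users\jdoe\Documents` once VSC1 and VSC2 are linked. Because each line carries the size and last-write time, a file that was modified between the two snapshots appears as a `<`/`>` pair even though its name is unchanged, which is exactly the signal the contract-revision scenario above needs.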

EventLogUSB-Win7 Batch Script

In my last post, I introduced a batch script that can be executed against a Microsoft-Windows-DriverFrameworks-UserMode/Operational event log originating from a Windows 7 system to identify USB device connection and disconnection events.  In order to port over a version of the batch script compatible with VSC Toolset, I made a couple of slight modifications (primarily to the input variables).  Simply select the linked VSCs against which you want to execute the batch script and click “Run Command”; VSC Toolset takes care of the rest (with some help from Log Parser).  A separate CSV file containing the USB connection and disconnection events is created for each VSC the batch script is executed against.  Note that you’ll need the LogParser.exe and LogParser.dll files in the same directory as the VSC Toolset executable for this batch script to work.  Log Parser can be downloaded here.

The real benefit in running the EventLogUSB-Win7 batch script against multiple VSCs is that it allows you to recover USB connection and disconnection events that have since rolled off the current DriverFrameworks-UserMode/Operational event log.  This can be invaluable in cases where the length of time a certain device was connected to the system is important and the time frame of interest is prior to the earliest event in the current DriverFrameworks-UserMode/Operational event log.

Other Updates

In addition to the CompareDirectory and EventLogUSB-Win7 batch scripts, various user interface and general usability enhancements to VSC Toolset were made.  These include tips in the output of some commands (e.g. CompareDirectory) to help make the output easier to understand and a few help buttons added to the interface in some situations (depending on which command is specified in the Command drop-down box) to clarify exactly what a specific parameter is requesting.  The file system view, visible after clicking “Browse Shadow Copy”, has also been improved to allow for sorting by file name or date by clicking the appropriate column header.

To ease the burden of finding all of the supporting tools you’ll need to take full advantage of VSC Toolset, I’ve added the download links and any special requirements for each on the VSC Toolset page.  This information was previously scattered across multiple blog posts.

I’m always open to and appreciate feedback, including suggestions for improvement and bug reports.  You can download the latest version of VSC Toolset here.

**Update 02-19-14**
Corey Harrell’s auto_rip has been integrated into VSC Toolset.  Version 20140216 includes this update.

VSC Toolset Update: File Recovery

I’ve recently added an important functionality that has been missing from VSC Toolset: the ability to systematically extract files from shadow copies.  You can now do this with VSC Toolset either by utilizing the “Copy” command from the main window or via browsing the directory structure of a shadow copy and utilizing the context menu option.

When browsing an individual shadow copy, you can easily verify the location of the files or folders you wish to copy and extract them accordingly.  To extract files in this manner, simply navigate to the folder of interest, highlight the files or folders you wish to extract, and select “Copy” from the right-click context menu.  You will be prompted to select a location to save the data, then a small status window will appear while the data is being extracted (see screenshot below).  The downside to this approach is that you must copy the files of interest from each shadow copy individually.  To alleviate this problem, the option to copy a selected file or folder from multiple shadow copies in a single operation is available from the main window of VSC Toolset.

Copying Files via VSC Browser Context Menu

By utilizing the Copy command from the main VSC Toolset window, you can extract a file or folder from multiple shadow copies in a batch processing manner.  It’s as simple as selecting the shadow copies from which to extract the file or folder, inputting the path (or browsing to it using the Browse button), and clicking the Run Command button.  It’s important that the path to the file or folder of interest be the full path on the drive containing the VSCs.  For example, if the image containing the shadow copies is mounted as the H: drive, the path to the file/folder to copy should be something like H:\folder\subfolder\file.txt.  VSC Toolset will then use the batch files associated with the copy operation to copy the specified file or folder from all selected shadow copies.  The extracted files will be stored in the “VSCToolset_Output\ExtractedFiles” folder (the location of which may be changed under Tools –> Options).

Copying Files from VSC Toolset Main Window

All copy operations issued with VSC Toolset are simply passing parameters to a robocopy batch file that resides in the VSC Toolset “batch” folder.  Robocopy is a powerful copying utility and is a standard feature of Windows Vista and above.  For information on Robocopy options, check out this Microsoft article.  With VSC Toolset copy operations, the /COPYALL flag is passed for file and folder copies to copy all file information (/COPYALL is shorthand for /COPY:DATSOU: data, attributes, time stamps, NTFS ACLs, owner, and auditing information).  Additionally, the /E flag is passed during folder copy operations to include empty subdirectories.  Two caveats are worth knowing: copying the owner and auditing information that /COPYALL includes requires running from an elevated prompt, and /COPYALL preserves file time stamps but not directory time stamps (robocopy needs /DCOPY:T for those).  These options can of course be modified by changing the respective batch files within the “batch” folder used by VSC Toolset.  CopyFile.cmd and CopyFolder.cmd are the batch scripts used to issue the robocopy commands for file and folder copying, respectively. The robocopy log, which can also be customized by modifying the batch files, is saved in the “VSCToolset_Output\RobocopyLogs” directory that is created by VSC Toolset upon issuing a copy operation.
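To make the mapping from a VSC Toolset copy operation to a robocopy command concrete, here is an added example batch file (written for this page; it is not the CopyFile.cmd or CopyFolder.cmd distributed with the tool). It assumes the `C:\~LinkedVSC\vscN` link layout, an assumed parameter order of VSC number then full path on the mounted drive, and a path below the volume root; it goes a little beyond the options the post lists by adding /DCOPY:T and /B and by interpreting robocopy's bit-mask exit code.

```batch
@echo off
REM CopyFromVSC.cmd - an added illustration of how a VSC Toolset copy operation maps onto robocopy.
REM It is not the CopyFile.cmd or CopyFolder.cmd shipped with the tool; the parameter order is assumed:
REM   %1 = VSC number to copy from
REM   %2 = full path of the file or folder as it appears on the drive holding the VSCs,
REM        e.g. H:\Users\jdoe\Documents or H:\folder\subfolder\file.txt (not the drive root itself)
REM Assumes the VSC is linked as C:\~LinkedVSC\vscN (the layout this archive describes).
setlocal
set "LINKROOT=C:\~LinkedVSC"
set "OUTROOT=%~dp0VSCToolset_Output"
set "LOGDIR=%OUTROOT%\RobocopyLogs"
if not exist "%LOGDIR%" mkdir "%LOGDIR%"

REM Replace the drive letter with the VSC link. %~p2 is the path without drive letter or last
REM component (\Users\jdoe\), %~nx2 is the last component (Documents or file.txt).
set "SRCDIR=%LINKROOT%\vsc%~1%~p2"
set "DSTDIR=%OUTROOT%\ExtractedFiles\vsc%~1%~p2"
set "LOG=%LOGDIR%\vsc%~1_%~nx2.log"

if not exist "%SRCDIR%%~nx2" (
    echo Not present in VSC%~1: %SRCDIR%%~nx2
    exit /b 1
)

REM /COPYALL is shorthand for /COPY:DATSOU (data, attributes, timestamps, NTFS ACLs, owner, auditing
REM info). Owner and auditing information only copy from an elevated prompt. /COPYALL preserves file
REM timestamps but not directory timestamps; /DCOPY:T adds those. /B (backup mode) reads files whose
REM ACLs would otherwise deny access, which matters for other users' profiles inside a shadow copy.
REM A trailing backslash inside quotes escapes the quote for robocopy, hence the "\." on directories.
if exist "%SRCDIR%%~nx2\" (
    robocopy "%SRCDIR%%~nx2" "%DSTDIR%%~nx2" /E /COPYALL /DCOPY:T /B /R:1 /W:1 /NP /TEE /LOG:"%LOG%"
) else (
    robocopy "%SRCDIR%." "%DSTDIR%." "%~nx2" /COPYALL /B /R:1 /W:1 /NP /TEE /LOG:"%LOG%"
)

REM robocopy's exit code is a bit mask, not pass/fail: 0 = nothing to do, 1 = files copied,
REM 2 = extra files at destination, 4 = mismatches, 8 = copy failures, 16 = fatal error.
REM Anything below 8 is a successful run. /R:1 /W:1 keep a locked file from stalling the whole job.
if %ERRORLEVEL% GEQ 8 (
    echo robocopy reported failures for VSC%~1; see "%LOG%"
    exit /b %ERRORLEVEL%
)
echo VSC%~1: %~nx2 extracted to %DSTDIR%
endlocal
exit /b 0
```

Calling `CopyFromVSC.cmd 3 H:\Users\jdoe\Documents` from an elevated prompt copies the folder out of VSC3 into `VSCToolset_Output\ExtractedFiles\vsc3\Users\jdoe\Documents` and leaves the per-VSC log in `RobocopyLogs`; running it once per selected VSC is what a batch copy from the main window amounts to.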

A couple of other improvements have been made as well, including adding multiple threads for processing.  By making VSC Toolset a multi-threaded application, the user interface remains responsive even when running time-consuming operations such as Diff or a large copy operation.  This allows you to immediately start a process such as running Diff against a couple of shadow copies and then running a RegRipper plugin or profile against one or more shadow copies while Diff is still executing in the background.

You can download the latest version of VSC Toolset here.

For tips on setting up and using VSC Toolset, check out this blog post. To get the most out of the program, you’ll need the accompanying tools below. Also, keep in mind that with the exception of RegRipper, all accompanying executable files and scripts should be stored in the same directory as the VSC Toolset executable in order for the program to see them.

Feedback, suggestions, and bug reports are always welcome and appreciated.

Quickly Find the Date Range of EVTX Event Logs

It’s helpful to know the date range that an event log spans, as that information lets you know whether or not you should expect the events from a particular time to be included in the event log, assuming the events you’re interested in are being audited.  I’ve often used Harlan’s evtrpt.pl script (available on the WFA 2e DVD) to find, among other things, the date range that is covered by an EVT file.  This has proven to be very helpful in identifying whether a particular event log covers the time frame of interest in an examination.  However, to my knowledge, no such script exists for EVTX files.

I originally wrote a batch script for pulling the date range from EVTX files as an add-on to VSC Toolset, but I figured it would be helpful to have the ability to run it against the most current version of event logs (i.e. those not in volume shadow copies) as well.  A couple of modifications to the VSC Toolset batch script made it ready for use on its own.

In writing the batch script, I decided to harness the power of Log Parser to get the job done.  If you’re unfamiliar with Log Parser, it’s a great tool from Microsoft that allows you to treat data files (event logs, for example) as tables and execute SQL queries against them to quickly pull out specific information.  The command that I used to find the oldest event record (by TimeGenerated) in an event log is logparser -i:EVT "SELECT TOP 1 TimeGenerated FROM %1 ORDER BY TimeGenerated ASC".  Walking through the command, I simply notify Log Parser that the input file is an event log (the EVT input format handles both .evt and .evtx files) and then specify the query that I want to execute against the file.  The “%1” indicates the value passed into the batch file (G:\files\Security.evtx, for example). The query instructs Log Parser to return the top value existing in the TimeGenerated field when that field is listed in ascending order.  You should actually get the same results without “ORDER BY TimeGenerated ASC” since we’re only interested in the first entry of the event log.

To find the newest event record by TimeGenerated, I simply had to sort the event log in reverse order by TimeGenerated.  This can be done by changing the “ASC” in the previous command to “DESC”.  I also gathered the oldest and newest records by TimeWritten to report in addition to the TimeGenerated values.  The bulk of the code and work on my part in writing the batch file came from formatting the output for a very easy-to-read display.  I won’t break down the code I used for that here, but it turned out to be a nice exercise in batch programming for me.

To use the script, download it here and copy the Log Parser executable and DLL into the same folder as the script (or vice versa).  Note that you’ll have to install Log Parser from the MSI before the executable and DLL are available in the Program Files directory.  Then execute the evtxdaterange.bat script from the command line, passing in the path to the extracted event log.  For example, issuing “evtxdaterange k:\files\Security.evtx” should give you output similar to that in the screenshot below.
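The following is an added, worked version of the date-range check described above; it is example code written for this page, not the author's evtxdaterange.bat. It assumes LogParser.exe and LogParser.dll sit beside the script, runs the four TimeGenerated/TimeWritten queries plus a record count, and adds one wrinkle the post does not cover: the EVT input format reports times in the analysis machine's local time zone, so the values are wrapped in TO_UTCTIME() to keep the reported range unambiguous.

```batch
@echo off
REM evtxdaterange.cmd - an added worked version of the Log Parser date-range check described above.
REM It is not the author's evtxdaterange.bat; it only fleshes out the queries the post explains.
REM Usage: evtxdaterange.cmd K:\files\Security.evtx
REM Assumes LogParser.exe and LogParser.dll sit in the same folder as this script.
setlocal EnableDelayedExpansion
if "%~1"=="" (
    echo Usage: %~nx0 path\to\log.evtx
    exit /b 1
)
if not exist "%~1" (
    echo File not found: %~1
    exit /b 1
)
set "EVTX=%~f1"
pushd "%~dp0"
if not exist LogParser.exe (
    echo LogParser.exe must be in %~dp0 ^(install Log Parser 2.2, then copy the exe and dll here^)
    popd & exit /b 1
)

REM TimeGenerated is when the source logged the event, TimeWritten when the event log service wrote
REM it; on an intact log they agree closely, so reporting both is a cheap sanity check on the file.
REM The EVT input format hands these back in the *analysis* machine's local time zone; TO_UTCTIME()
REM pins them to UTC. Aliasing the expression lets ORDER BY sort on the same value that is reported.
call :Query OLDEST_GEN "SELECT TOP 1 TO_UTCTIME(TimeGenerated) AS T FROM '%EVTX%' ORDER BY T ASC"
call :Query NEWEST_GEN "SELECT TOP 1 TO_UTCTIME(TimeGenerated) AS T FROM '%EVTX%' ORDER BY T DESC"
call :Query OLDEST_WRT "SELECT TOP 1 TO_UTCTIME(TimeWritten) AS T FROM '%EVTX%' ORDER BY T ASC"
call :Query NEWEST_WRT "SELECT TOP 1 TO_UTCTIME(TimeWritten) AS T FROM '%EVTX%' ORDER BY T DESC"
call :Query RECORDS    "SELECT COUNT(*) FROM '%EVTX%'"
popd
if not defined RECORDS exit /b 1

echo Event log            : %EVTX%
echo Records              : !RECORDS!
echo TimeGenerated (UTC)  : !OLDEST_GEN!  to  !NEWEST_GEN!
echo TimeWritten   (UTC)  : !OLDEST_WRT!  to  !NEWEST_WRT!
endlocal
exit /b 0

:Query
REM %1 = variable to set, %2 = quoted Log Parser SQL. -i:EVT reads .evt and .evtx files, -q:ON drops
REM the banner and statistics, -o:CSV -headers:OFF leaves exactly one bare value to capture.
set "%~1="
for /f "usebackq delims=" %%V in (`LogParser.exe -i:EVT -o:CSV -headers:OFF -q:ON %2`) do set "%~1=%%V"
if not defined %~1 echo Log Parser returned nothing for: %~2
exit /b 0
```

If the oldest TimeGenerated in the current Security.evtx is later than the period under investigation, that is the cue to go looking for an older copy of the log in a shadow copy, which is what the EventLogDateRange command in VSC Toolset does across several VSCs at once.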

If you’re interested in learning more about Log Parser, I would recommend taking a look at the Log Parser Toolkit book (however there are also many resources available online, such as this article by Chad Tilbury).  If you’re interested in batch scripting, there are countless online references, including this one by Corey Harrell that goes over getting started with batch scripting.

VSC Toolset Update

I thought it would be helpful to quickly be able to determine the date range covered by an event log within a shadow copy, particularly if the most current version doesn’t go back far enough.  So if you’re interested in finding which shadow copy contains the event log covering the date range of interest, you can simply run the EventLogDateRange command against all shadow copies to pinpoint which event logs you’ll want to parse.  Event log parsing has also been incorporated in the latest update, via Log Parser.  You can read about the other updates and download the latest version of VSC Toolset here.

VSC Toolset Update: Browsing Shadow Copies

I don’t plan to regularly post about tool updates, but I figured there’s enough in the most recent update to VSC Toolset that I might want to write a bit about it.  As indicated by the title of this post, the biggest change incorporates the ability to browse shadow copies using an Explorer-like interface.  Although you can easily write a batch file to list the directory contents of each shadow copy, it’s nice to be able to see the directory structure.  The “Browse Selected VSCs” button will open all selected linked VSCs.  This allows you to open a directory view of two (or more) shadow copies and view them side by side to visually see the differences between them.  If you find it easier to view the directory contents in another view mode other than “Details”, you can right-click on the list view pane and select a different view mode.

I’ve also tweaked how the VSCs are listed in the main interface.  For example, when you’re viewing a list of the shadow copies on a drive, you will no longer see “ShadowCopy1”, “ShadowCopy2”, etc.  Instead, you should see something like “VSC1: 4/24/2012”, “VSC2: 5/12/2012”, etc. Including the date right beside the listing makes it quicker to determine which VSC(s) you may be interested in, based on the creation date.

Other minor updates include:

  • Removed the “List Shadows” button – shadow copies are now automatically listed upon selecting the drive letter
  • Logging is now in local time instead of UTC
  • Added an “Open Output Folder” button that…well, opens the output folder
  • Added another parameter input box, allowing for up to three additional parameters that can be specified at run time to execute against one or more shadow copies using a simple batch script
  • As noted in the release notes of another recent update, jump lists and custom RegRipper plugin files now have built-in functionality with VSC Toolset (see here for more details).
You can download the latest version of VSC Toolset here.


Feedback, suggestions, and bug reports are always welcome.

VSC Toolset Update

I’ve updated VSC Toolset with a couple of new features, including integrating some new scripts with it.  You can now choose a specific RegRipper plugin to run against one or more VSCs (specifying either the NTUSER.DAT hive or one of the hives in the config directory).  I’ve also incorporated link file parsing (thanks to Corey for the batch file and script) and the ability to run diff.exe against two shadow copies to see only the differences between the two.  Running diff against VSCs was one of my favorite features that Corey covered in his VSC series and I wanted to make a point to incorporate it in the GUI.  It’s quite time consuming to do this, but it can be helpful if you’re interested in exactly which files have changed between VSCs.  If you decide to run diff using VSC Toolset, the GUI will appear unresponsive while it’s running.  I will eventually need to make the app multi-threaded to avoid this, but I have confirmed that this command does work with VSC Toolset (at least in the test runs that I’ve completed).

One change I’ve made that will affect those deciding to extend VSC Toolset by writing their own batch files is that I’ve specified a directory called “~LinkedVSC” that is created in the root of the “C:” drive to hold all symbolic links to VSCs.  The main reason for this is to enable a user to simply add this directory as evidence in another application such as FTK Imager if they are interested in taking a look at all linked VSCs.  I ran into the annoyance of having to add C:\vsc1, C:\vsc2, etc. to other applications individually instead of being able to add them all at the same time, so I created a directory to store all symbolic links to VSCs.  This doesn’t make a huge difference in writing batch files for VSC Toolset; you’ll just need to make sure you reference the symbolic link as “C:\~LinkedVSC\vsc%1” instead of “C:\vsc%1”.

A couple of other minor improvements include not listing drive letters that do not make sense to list (non-local drives, etc.) and including the volume label beside the drive letter for easier identification.  Additionally, the second and third parameter text boxes and labels are only shown when applicable (and customized when shown).  For example, selecting “RegRipper-ntuser” from the command drop-down box displays a single text box labeled “User Name”.  Selecting “RegRipper-plugin(config_dir)” displays two text boxes labeled “Hive Name” and “Plugin Name”, respectively.  If a command does not require user-specified parameters, no text boxes are shown.  This will hopefully make it easier for those that may not be as familiar with running some of the commands that are integrated with VSC Toolset, but will likely just serve as a reminder for most.  Note that if a custom batch file is being used (one that is not currently integrated with VSC Toolset), both parameter text boxes will be displayed.

To take advantage of the LinkFiles.bat and Diff.bat scripts, you’ll need to download the respective Perl script and executable.  You can download lslnk-directory-parse2.pl from the Win4n6 Yahoo Group under Files\Tools; you can download diff.exe from UnxUtils.  Both the Perl script and the executable will need to be in the same directory as the VSC Toolset executable.  Also, note that you will need ActiveState Perl or something similar to run the link file parsing command since it’s a Perl script.  As with the previous version, you can simply copy all RegRipper files into the “regripper” folder that is included with the VSC Toolset download.  You can download the latest version of VSC Toolset here.