Events Ripper

Not long ago, I made a brief mention of Events Ripper, a proof-of-concept tool I wrote to quickly provide situational awareness and pivot points for analysts who were already on the road to developing a timeline. The idea behind the tool is that artifacts are compound objects, and have value based not just on their time stamps, their value can also be predicated on the analysis questions or goals, or just the nature of their path, or some other factor. 

The tool leverages the fact that analysts are already creating timelines, and uses the intermediate events file format to develop situational awareness and pivot points to facilitate analysis. Many times, we’re looking through a timeline for some root cause or predicating event, but we’re dealing with the fact that there was some normal system behavior (such as an update) that’s caused a large number of events to be generated.

At the moment, the available plugins target Windows Event Log data, in many cases producing output similar to what analysts are used to seeing in ShimCache or AmCache parser output. So, of course, the output of the various plugins are going to depend upon the Windows Event Logs you’ve included in the timeline, as well as how long it’s been since the activity in question occurred (i.e., logs roll over), and what specifically is being audited (although that pertains more to the Security Event Log). Further, they’re doing to also depend upon what’s being logged, something you can check via the auditpol.exe native utility (or the auditpol.pl RegRipper plugin). For example, I’ve once saw a Security Event Log with over 35,000 records, and they were all successful logins. Yep, that’s it…just successful logins, and because of the nature of the system, most of them were type 3 logins…which is why I wrote a plugin to just get a count of logins by type, so that it’s easy to see this information about your data quickly.

That’s one of the keys to this tool…to be able to quickly and easily distill and discern some important insight about the data that you have from a system. As such, the real value of this tool comes from analysts using it, exploring it, and asking questions, talking about how to view and manage the data they have. 

Tools like this are especially useful in diverse environments wher

[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.

This article has been indexed from Windows Incident Response

Read the original article: