
Change default behaviour of nl true

Open reece394 opened this issue 1 year ago • 4 comments

Description

This Pull Request changes the default behaviour when the flag nl is set to false. Before the commit, if there are no transaction logs and it detects a dirty registry hive, it aborts. This commit logs a warning to the console instead of aborting the processing of a dirty hive. In some cases triage tools either fail to pick up the transaction logs, or the transaction logs have been erased from disk via anti-forensics techniques. Currently, if this is the case and the registry is dirty, they are not processed, leading to certain hives not showing up in DFIRBatch.

I have had this happen on several cases and I believe that it is better to have some visibility rather than entire users/hives being absent. An example of this happening: one of the compromised users on a case had a dirty registry hive with no transaction logs, and within the hive were WinSCP registry keys showing the exfiltration IP address and the protocol used to exfiltrate.

I am aware of nl true existing; however, this means that all transaction logs are ignored even if they exist for some users/hives, and I would like the ability to process the transaction logs if they are present. I am willing to discuss this and put it under a separate argument if you believe this is not a sane default to have.

Edit: Changed based on feedback by Eric to modify nl true instead

Checklist:

Please replace every instance of [ ] with [X] OR click on the checkboxes after you submit your PR

~~- [X] I have generated a unique GUID for my Batch file(s)~~
~~- [X] I have tested and validated the new Batch file(s) against test data and achieved the desired output~~
~~- [X] I have placed the Batch file(s) within the .\RECmd\BatchExamples directory~~
~~- [X] I have set or updated the version of my Batch file(s)~~
~~- [X] I have made an attempt to document the artifacts within the Batch file(s)~~
~~- [X] I have consulted the Guide/Template to ensure my Map(s) follow the same format~~

Thank you for your submission and for contributing to the DFIR community!

reece394 avatar Aug 31 '24 18:08 reece394
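As an added example (not code from this PR or from RECmd itself), the decision the thread converges on, written out in Python: the hive is judged dirty by comparing the REGF base block's primary and secondary sequence numbers (a detail of the hive format the discussion above does not mention), the transaction logs are looked up beside the hive, and the rule is applied for both values of `nl`. The log-file suffixes, the 4 KiB constructed base block and the NTUSER.DAT scenario are assumptions made for the example.

```python
import struct
import tempfile
from pathlib import Path

REGF_SIGNATURE = b"regf"
# Log names Windows keeps beside a hive, e.g. NTUSER.DAT.LOG1 (assumed naming).
LOG_SUFFIXES = (".LOG1", ".LOG2", ".LOG")


def hive_is_dirty(hive_path: Path) -> bool:
    """Dirty: the primary (offset 4) and secondary (offset 8) sequence numbers
    disagree, i.e. the last write sits in the transaction log, not the hive."""
    with open(hive_path, "rb") as fh:
        header = fh.read(12)
    if len(header) < 12 or header[:4] != REGF_SIGNATURE:
        raise ValueError(f"{hive_path} is not a REGF hive")
    primary, secondary = struct.unpack_from("<II", header, 4)
    return primary != secondary


def find_transaction_logs(hive_path: Path) -> list:
    """Transaction logs that actually exist next to the hive."""
    candidates = (hive_path.with_name(hive_path.name + s) for s in LOG_SUFFIXES)
    return [p for p in candidates if p.exists()]


def triage_decision(hive_path: Path, nl: bool) -> str:
    """nl=False keeps the old rule (dirty hive without logs -> abort);
    nl=True replays logs when present, otherwise warns and processes anyway."""
    dirty = hive_is_dirty(hive_path)
    logs = find_transaction_logs(hive_path)
    if not dirty:
        return "process"
    if logs:
        return "process_with_logs"
    if nl:
        return "warn_and_process_without_logs"
    return "abort"


def write_sample_hive(path: Path, primary: int, secondary: int) -> None:
    """Constructed 4 KiB base block carrying only the fields read above."""
    header = REGF_SIGNATURE + struct.pack("<II", primary, secondary)
    path.write_bytes(header.ljust(4096, b"\x00"))


def demo() -> dict:
    """Constructed scenario: a dirty NTUSER.DAT, first with its LOG1 wiped, then present."""
    with tempfile.TemporaryDirectory() as tmp:
        hive = Path(tmp) / "NTUSER.DAT"
        write_sample_hive(hive, primary=7, secondary=6)
        no_logs = {nl: triage_decision(hive, nl) for nl in (False, True)}
        hive.with_name("NTUSER.DAT.LOG1").write_bytes(b"")
        with_logs = {nl: triage_decision(hive, nl) for nl in (False, True)}
    return {"no_logs": no_logs, "with_logs": with_logs}
```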

It would be better if you changed the behavior of NL true to process transaction logs if they exist, else go with your proposed behavior.

I don't know why you wouldn't be reviewing the output from the console anyway to know when you had failures, which, from my recollection, should be shown at the bottom of the output when any hive has an error.

EricZimmerman avatar Aug 31 '24 19:08 EricZimmerman

I will look into adjusting this when I get a chance. Also, I know that when running KAPE and the RECmd_DFIRBatch.mkape it doesn't actually display console output or log it to a file, but I believe it will be a good idea to adjust that for better visibility.

reece394 avatar Aug 31 '24 19:08 reece394

It would if debug was used.


EricZimmerman avatar Aug 31 '24 19:08 EricZimmerman

Changed based on feedback to use nl true instead. Modified the description of the nl flag as well to clarify the behaviour change.

reece394 avatar Aug 31 '24 20:08 reece394

So let's sum up here.

If logs exist, use them; if not, process without them so you get something?

EricZimmerman avatar Jan 14 '25 18:01 EricZimmerman

Exactly, yes. I figure something in this case is better than nothing.

reece394 avatar Jan 14 '25 18:01 reece394