Thursday, November 29, 2018

Daily Blog #512: Forensic Lunch Test Kitchen 11/29/18

Hello Reader,
       Tonight we tested out Maxim Suhanov's YARP library and his provided script to extract and decompress the LZNT1-compressed data in the CIT\System key we talked about last night.

Here is what we learned:

  • YARP is a great python registry library, clearly I'm just scratching the surface of what it can do
  • LZNT1 requires a minimum chunk size equal to the cluster size of the NTFS drive to decompress data
  • The CIT\System key on my test system had two values to be decompressed
  • The first value appears to contain system executables
  • The second value appears to contain user executables
  • There is some overlap between the CIT\System key and the recentfilecache.bcf
  • The CIT\System key refers to the recentfilecache.bcf file
  • The CIT\System key contained calls to rundll with parameters
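
As an added example (this is not the YARP library or the script shown in the video), here is a minimal LZNT1 decompressor in Python with a constructed compressed buffer embedded inline; the raw data of a value read out of the hive would be passed to it the same way.

```python
import struct

def lznt1_decompress(data: bytes) -> bytes:
    """Decompress a whole LZNT1 buffer: a series of chunk-header + chunk pairs."""
    out = bytearray()
    pos = 0
    while pos + 2 <= len(data):
        header, = struct.unpack_from("<H", data, pos)
        if header == 0:                      # a zero header ends the stream
            break
        chunk_len = (header & 0x0FFF) + 1    # bytes that follow the header
        chunk = data[pos + 2:pos + 2 + chunk_len]
        pos += 2 + chunk_len
        if header & 0x8000:                  # bit 15 set: chunk is compressed
            out += _decompress_chunk(chunk)
        else:                                # otherwise stored verbatim
            out += chunk
    return bytes(out)

def _decompress_chunk(chunk: bytes) -> bytearray:
    """Decode one compressed chunk: a flag byte, then up to 8 tokens."""
    out = bytearray()
    i = 0
    while i < len(chunk):
        flags = chunk[i]
        i += 1
        for bit in range(8):
            if i >= len(chunk):
                break
            if not (flags >> bit) & 1:       # 0 bit: one literal byte
                out.append(chunk[i])
                i += 1
                continue
            # 1 bit: 16-bit back-reference. Displacement bits grow with the
            # chunk: 4 for the first 16 output bytes, 5 up to 32, 6 up to 64...
            token, = struct.unpack_from("<H", chunk, i)
            i += 2
            disp_bits = max(4, (len(out) - 1).bit_length())
            length = (token & ((1 << (16 - disp_bits)) - 1)) + 3
            displacement = (token >> (16 - disp_bits)) + 1
            if displacement > len(out):
                raise ValueError("back-reference points before chunk start")
            for _ in range(length):          # byte-wise copy so overlaps repeat
                out.append(out[-displacement])
    return out

# Constructed sample, not data from the video: a compressed chunk encoding
# b"ABCABCABCABC" (literals A, B, C, then displacement 3 / length 9),
# followed by an uncompressed chunk holding b"XYZ".
SAMPLE = b"\x05\xB0\x08ABC\x06\x20" + b"\x02\x30XYZ"
```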

You can watch the video here:
