An X-Ways X-Tension querying registry hives from your case to get a quick overview of the computer system configuration, users and commonly used malware keys.


Overview
XT_Info searches for \windows\system32\config\[security,software,system] hives, then queries
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\*\ProfileImagePath
for available user directories and loads each available NTUSER.DAT as well.
Query format:
- Query one or multiple keys:
  Format:  <path>\<key>[,<key>]
  Example: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load,Run
- Query all keys:
  Format:  <path>\*
  Example: HKLM\Software\Microsoft\Windows\CurrentVersion\Run*
- Query multiple paths:
  Format:  <path>\*\<path> (plus key(s) or *)
  Example: HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\*\IPAddress
Note that "CurrentControlSet" is automatically translated to the current control set key.
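The query format above, worked through as an added example (not XT_Info's own code): a small evaluator that splits a query into root, path segments and key names, fans out on `*` segments, and resolves CurrentControlSet through SYSTEM\Select\Current (assumed to be how the translation is done). The hive tree and all values in it are constructed sample data.

```python
"""Evaluator for XT_Info-style registry queries over a constructed (fake) hive tree."""
from typing import Any

ROOTS = {"HKEY_LOCAL_MACHINE": "HKLM", "HKLM": "HKLM", "HKEY_CURRENT_USER": "HKCU", "HKCU": "HKCU"}

# Constructed sample data, not content from any real hive: dicts are keys, anything else is a value.
HIVES: dict[str, Any] = {
    "HKLM": {"System": {"Select": {"Current": 1},   # CurrentControlSet resolves to ControlSet001
                        "ControlSet001": {"Services": {"Tcpip": {"Parameters": {"Interfaces": {
                            "{IF-A}": {"IPAddress": "10.0.0.5"},
                            "{IF-B}": {"IPAddress": "192.168.1.20", "DhcpServer": "192.168.1.1"}}}}}}},
             "Software": {"Microsoft": {"Windows": {"CurrentVersion": {"Run": {
                 "OneDrive": r"C:\Program Files\OneDrive.exe", "Updater": r"C:\Users\Public\u.exe"}}}}}},
    "HKCU": {"Software": {"Microsoft": {"Windows NT": {"CurrentVersion": {"Windows": {
        "Load": "", "Run": r"C:\Temp\x.exe"}}}}}},
}

def parse_query(query: str) -> tuple[str, list[str], list[str]]:
    """Split '<root>\\<path>\\<key>[,<key>]' (or '<path>\\*') into root, path segments, key names."""
    root, *segments, keys = query.split("\\")
    return ROOTS[root.upper()], segments, keys.split(",")

def resolve_segment(tree: dict, segment: str) -> str:
    """Map CurrentControlSet to ControlSetNNN using SYSTEM\\Select\\Current (assumed XT_Info behaviour)."""
    if segment.lower() == "currentcontrolset":
        return "ControlSet%03d" % tree["HKLM"]["System"]["Select"]["Current"]
    return segment

def walk(node: dict, segments: list[str], path: str, tree: dict):
    """Yield (key path, key dict) pairs; '*' fans out over every subkey, names match case-insensitively."""
    if not segments:
        yield path, node
        return
    seg = resolve_segment(tree, segments[0])
    for name, child in node.items():
        if isinstance(child, dict) and (seg == "*" or name.lower() == seg.lower()):
            yield from walk(child, segments[1:], f"{path}\\{name}", tree)

def run_query(query: str, tree: dict = HIVES) -> list[tuple[str, str, Any]]:
    """Return (key path, value name, data) for every value the query matches."""
    root, segments, keys = parse_query(query)
    wanted = {k.lower() for k in keys}
    return [(path, name, data)
            for path, node in walk(tree[root], segments, root, tree)
            for name, data in node.items()
            if not isinstance(data, dict) and ("*" in wanted or name.lower() in wanted)]

if __name__ == "__main__":
    for q in (r"HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\*\IPAddress",
              r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\*",
              r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load,Run"):
        print(q, run_query(q), sep="\n  ")
```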
Resources
Developed in C# and tested with X-Ways 19.7 SR-3 x64.
Registry queries are based on code from https://github.com/EricZimmerman/Registry
X-Tensions API:
http://www.x-ways.net/forensics/x-tensions/XT_functions.html
http://www.x-ways.net/forensics/x-tensions/XWF_functions.html
C# plugin API based on code from:
https://github.com/stdio-h/x-tensions (modified version of https://github.com/jp-slackspace/x-tension-c-sharp)
Artifacts are heavily based on https://www.forensicswiki.org/wiki/Windows_Registry
Roadmap
External artifacts (import or config file)
Export / Report results
Download
The current development version is available here (use at your own risk, no warranty). Open your case, browse a Windows image and run the XT_Info plugin. If asked "Force unload?", click "No", or you will not be able to issue any new queries. Note that the GUI might be minimized or sent to the background on start.