Difference between pages "Barnyard2" and "Windows 7"

From ForensicsWiki
== About ==

Barnyard2 is an open source interpreter for Snort unified2 binary output files. Its primary use is allowing Snort to write to disk in an efficient manner and leaving the task of parsing binary data into various formats to a separate process that will not cause Snort to miss network traffic.

Barnyard2 has 3 modes of operation:

  1. batch (or one-shot),
  2. continual, and
  3. continual w/ bookmark.

In batch (or one-shot) mode, barnyard2 will process the explicitly specified file(s) and exit.

In continual mode, barnyard2 will start with a location to look and a specified file pattern and continue to process new data (and new spool files) as they appear.

Continual mode w/ bookmarking will also use a checkpoint file (or waldo file in the snort world) to track where it is. In the event the barnyard2 process ends while a waldo file is in use, barnyard2 will resume processing at the last entry as listed in the waldo file.

The "-f", "-w", and "-o" options are used to determine which mode barnyard2 will run in. It is legal for both the "-f" and "-w" options to be used on the command line at the same time; however, any data that exists in the waldo file will override the command line data from the "-f" and "-d" options. See the command directives section below for more detail.

Barnyard2 processing is controlled by two main types of directives: input processors and output plugins. The input processors read information in from a specific format (currently the spo_unified2 output module of Snort) and output them in one of several ways.
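As an added example (not code from the Barnyard2 project or from this wiki page), the following Python reader does what the input processor and the bookmark described above do: it walks a unified2 byte string using Snort's record framing, decodes the legacy IPv4 event and packet record types, and takes a record-count bookmark so a restarted reader resumes after the last record processed, the way barnyard2 resumes from its waldo file. The bookmark being a bare record count is a simplification of barnyard2's waldo file, and the sample spool bytes are constructed for the example.

```python
import socket
import struct
# Unified2 framing (Snort's spo_unified2): a big-endian header (uint32 type,
# uint32 body length) then the body.  Type 7 = legacy IPv4 IDS event (52 bytes),
# type 2 = packet record (28-byte header followed by the captured bytes).
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7
_HDR = struct.Struct(">II")
_EVENT = struct.Struct(">11IHHBBBB")
_PACKET = struct.Struct(">7I")
_EVENT_FIELDS = ("sensor_id", "event_id", "event_second", "event_microsecond",
                 "signature_id", "generator_id", "signature_revision",
                 "classification_id", "priority_id", "ip_source", "ip_destination",
                 "sport_itype", "dport_icode", "protocol", "impact_flag", "impact", "blocked")
def parse_unified2(data, bookmark=0):
    """Return (records, next_bookmark) for a unified2 byte string.
    `bookmark` is the count of records already handled (a simplified stand-in for
    the record index barnyard2 keeps in its waldo file); those are skipped so a
    restarted reader resumes where the last run stopped.  A trailing partial
    record is left unread, as a continual-mode reader must while Snort writes."""
    records, off, idx = [], 0, 0
    while off + _HDR.size <= len(data):
        rtype, rlen = _HDR.unpack_from(data, off)
        if off + _HDR.size + rlen > len(data):
            break  # incomplete record: wait for Snort to finish writing it
        body = data[off + _HDR.size:off + _HDR.size + rlen]
        if idx >= bookmark:
            if rtype == UNIFIED2_IDS_EVENT and rlen == _EVENT.size:
                ev = dict(zip(_EVENT_FIELDS, _EVENT.unpack(body)))
                for k in ("ip_source", "ip_destination"):
                    ev[k] = socket.inet_ntoa(struct.pack(">I", ev[k]))
                records.append(("event", ev))
            elif rtype == UNIFIED2_PACKET:
                hdr = _PACKET.unpack_from(body)
                records.append(("packet", {"event_id": hdr[1], "packet": body[_PACKET.size:]}))
        off += _HDR.size + rlen  # other record types are counted but not decoded here
        idx += 1
    return records, idx

# Constructed sample spool (not a real Snort capture): one event for sid 1:1000001,
# 10.0.0.5:4444 -> 192.168.1.10:80/tcp, its packet record, then a partial record.
_SRC, _DST = (int.from_bytes(socket.inet_aton(a), "big") for a in ("10.0.0.5", "192.168.1.10"))
SAMPLE = (
    _HDR.pack(UNIFIED2_IDS_EVENT, _EVENT.size)
    + _EVENT.pack(1, 42, 1378993080, 0, 1000001, 1, 3, 29, 2, _SRC, _DST, 4444, 80, 6, 0, 0, 0)
    + _HDR.pack(UNIFIED2_PACKET, _PACKET.size + 4)
    + _PACKET.pack(1, 42, 1378993080, 1378993080, 0, 1, 4) + b"\xde\xad\xbe\xef"
    + _HDR.pack(UNIFIED2_IDS_EVENT, _EVENT.size) + b"\x00" * 10
)
```

Running `parse_unified2(SAMPLE)` returns the two complete records and a bookmark of 2; calling it again with `bookmark=2` returns nothing, which is the restart-after-crash behaviour the waldo file gives barnyard2.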
 
  
== History ==

Barnyard is a critical tool for the parsing of Snort's unified binary files, processing and on-forwarding to a variety of output plugins. Unfortunately it has not seen an update in over 4 years and is not going to be maintained by the original developers. With the new version of the unified format (i.e. unified2) arriving we need something to bridge this gap.

To quote directly from the Snort FAQ:

* "Barnyard is an output system for Snort. Snort creates a special binary output format called unified. Barnyard reads this file, and then resends the data to a database backend. Unlike the database output plug-in, Barnyard is aware of a failure to send the alert to the database, and it stops sending alerts. It is also aware when the database can accept connections again and will start sending the alerts again."

The SXL team love barnyard. So much so that we want it to stay and have been tinkering around with the code to give it a breath of new life. Here is what we have achieved so far for this reinvigorated code base:

* Parsing of the new unified2 log files.
* Maintaining majority of the command syntax of barnyard.
* Addressed all associated bug reports and feature requests arising since barnyard-0.2.0.
* Completely rewritten code based on the GPLv2 Snort making it entirely GPLv2.

== References ==

All information on this page is referenced to [http://www.securixlive.com/barnyard2/about.php securixlive.com] where further information about Barnyard can be found.

Revision as of 14:18, 12 September 2013


File Structure

File systems are covered separately.

SSD

Per MS KB2727880 (http://support.microsoft.com/kb/2727880), when Windows 7 is installed on a system with an SSD drive, automatic defragmentation and SuperFetch/prefetching are disabled.

Further, this TechNet post (http://technet.microsoft.com/en-us/magazine/ff356869.aspx) states: "Since ReadyBoost will not provide a performance gain when the primary disk is an SSD, Windows 7 disables ReadyBoost when reading from an SSD drive."



Jump Lists

Jump Lists are Task Bar artifacts first introduced on Windows 7 (and also available on Windows 8).

Registry

The Windows Registry remains a central component of the Windows 7 operating system.

Known keys of forensic interest

SAM Registry

SAM\\SAM\\Domains\\Account\\Users

SAM\\SAM\\Domains\\Account\\UsersSAM\\Domains\\Builtin\\Aliases


Security Registry

Security\\Policy\\PolAcDmSPolicy\\PolPrDmS

Security\\Policy\\PolAdtEv

Security\\Policy\\Secrets

NTUSER Registry

NTUSER\\Control Panel\\Desktop
NTUSER\\Control Panel\\don\
NTUSER\\Environment
NTUSER\\Network
NTUSER\\Printers\\Settings\\Wizard\\ConnectMRU
NTUSER\\Software
NTUSER\\Software\\Adobe\\Acrobat Reader\\Software\\Adobe\\Acrobat Reader\\
NTUSER\\Software\\Ahead
NTUSER\\Software\\America Online\\AOL Instant Messenger (TM)\\CurrentVersion\\Users
NTUSER\\Software\\Ares
NTUSER\\Software\\bindshell.net\\Odysseus
NTUSER\\Software\\Blizzard Entertainment\\Warcraft III\\String
NTUSER\\Software\\Cain\\Settings
NTUSER\\Software\\DECAFme
NTUSER\\Software\\Google\\Google Toolbar\\4.0\\whitelist
NTUSER\\Software\\Google\\NavClient\\1.1\\History
NTUSER\\Software\\JavaSoft\\Java Update\\Policy\\JavaFX
NTUSER\\Software\\JavaSoft\\Prefs\\haven
NTUSER\\Software\\Microsoft
NTUSER\\Software\\Microsoft\\Command Processor
NTUSER\\Software\\Microsoft\\Dependency Walker\\Recent File List
NTUSER\\Software\\Microsoft\\IntelliPoint\\AppSpecific
NTUSER\\Software\\Microsoft\\Internet Explorer\\Main
NTUSER\\Software\\Microsoft\\Internet Explorer\\MainSoftware\\Microsoft\\Windows\\CurrentVersion\\Explorer\\AutoCompleteSoftware\\Microsoft\\Internet Account Manager\\Accounts
NTUSER\\Software\\Microsoft\\Internet Explorer\\Settings
NTUSER\\Software\\Microsoft\\Internet Explorer\\TypedURLs
NTUSER\\Software\\Microsoft\\Internet Explorer\\TypedURLsTime
NTUSER\\Software\\Microsoft\\MediaPlayer\\Player\\RecentFileList
NTUSER\\Software\\Microsoft\\Microsoft Management Console\\Recent File List
NTUSER\\Software\\Microsoft\\Multimedia\\OtherSoftware\\Microsoft\\CTF\\LangBarAddIn
NTUSER\\Software\\Microsoft\\Office\\14.0Software\\Microsoft\\Office\\14.0
NTUSER\\Software\\Microsoft\\Office\\Software\\Microsoft\\Office\\
NTUSER\\Software\\Microsoft\\OfficeSoftware\\Microsoft\\Office\\
NTUSER\\Software\\Microsoft\\PIMSRV
NTUSER\\Software\\Microsoft\\Search Assistant\\ACMru
NTUSER\\Software\\Microsoft\\Snapshot Viewer\\Recent File List
NTUSER\\Software\\Microsoft\\Terminal Server Client\\DefaultSoftware\\Microsoft\\Terminal Server Client\\Servers
NTUSER\\Software\\Microsoft\\Terminal Server Client\\Servers
NTUSER\\Software\\Microsoft\\User Location Service\\Client
NTUSER\\Software\\Microsoft\\Windows Live Contacts\\Database
NTUSER\\Software\\Microsoft\\Windows Live Mail
NTUSER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Compatibility Assistant\\Persisted
NTUSER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Layers
NTUSER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\PrinterPorts
NTUSER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows
NTUSER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles
NTUSER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\0a0d020000000000c000000000000046
NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion
NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\App Management\\ARPCache
NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Applets
NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer
NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\BitBucket
NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ComDlg32
NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ComputerDescriptions
NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ControlPanel
NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts
NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Map Network Drive MRU
NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MenuOrder
NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2
NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\PublishingWizard\\AddNetworkPlace\\AddNetPlace\\LocationMRU
NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RecentDocs
NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU
NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders
NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StartPage
NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StreamMRU
NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\TypedPaths
NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist
NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Wallpaper\\MRU
NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\WordWheelQuery
NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Ext\\Settings\\{8AD9C840-044E-11D1-B3E9-00805F499D93}
NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\FileHistory
NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings
NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap
NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet SettingsSoftware\\Microsoft\\Internet Explorer\\Main\\WindowsSearch
NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer
NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\UFH\\SHC
NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\UnreadMail
NTUSER\\Software\\Microsoft\\Windows\\Shell\\Bags\\1\\Desktop
NTUSER\\Software\\Nico Mak Computing\\WinZip
NTUSER\\Software\\ORL\\VNCHooks\\Application_Prefs
NTUSER\\Software\\ORL\\VNCviewer\\MRUSoftware\\RealVNC\\VNCViewer4\\MRU
NTUSER\\Software\\Piriform\\CCleaner
NTUSER\\Software\\Privoxy
NTUSER\\Software\\RealNetworks\\RealPlayer\\6.0\\Preferences
NTUSER\\Software\\RealVNC\\VNCViewer4\\MRU
NTUSER\\Software\\SimonTatham\\PuTTY\\SshHostKeys
NTUSER\\Software\\Skype
NTUSER\\Software\\SmartLine Vision\\aports
NTUSER\\Software\\SysInternals
NTUSER\\Software\\Sysinternals\\RootkitRevealer
NTUSER\\Software\\VMware
NTUSER\\Software\\WinRAR\\ArcHistory