Archive for June, 2012


Tor Vidalia Bundle

Author Name: Matt Nelson
Artifact or Program Version: Vidalia Bundle
Artifact Description
This artifact contains information pertinent to a “default” Tor Vidalia Bundle install. The Vidalia Bundle contains Tor, Vidalia, Polipo, and Torbutton. No browser (such as Firefox) is included.

Obviously, these artifacts are based on a default full install of the Vidalia Bundle; the user could choose to change some features of the install (for example, not starting Vidalia at startup, skipping the Start Menu entries, or skipping individual install components).


Specific Files:
Tor.exe – executable that handles creating the “circuit” to the Tor onion network (vers. 0.2.2.37)
Vidalia – GUI controller for Tor. Aids in the configuration of Tor without editing the config files manually (vers. 0.2.19)
Polipo – a tiny caching web proxy. Allows applications that are not directly SOCKS-capable to be sent through Tor.
Torbutton – a Firefox extension that allows quickly switching to Tor browsing (Firefox must be present; Torbutton has since been rolled into the Tor Browser)
Additionally, the user can change Tor's configuration to make it a Relay, an Exit Relay, or a Bridge. The user can also serve up a Tor Hidden Service that is only reachable on the Tor network.
Registry Keys
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Polipo
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Tor
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Vidalia
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Polipo\DisplayName: "Polipo 1.0.4.1"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Polipo\UninstallString: ""C:\Program Files\Vidalia Bundle\Uninstall.exe""
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Polipo\NoModify: 0x00000001
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Polipo\NoRepair: 0x00000001
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Tor\DisplayName: "Tor 0.2.2.37"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Tor\UninstallString: ""C:\Program Files\Vidalia Bundle\Uninstall.exe""
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Tor\NoModify: 0x00000001
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Tor\NoRepair: 0x00000001
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Vidalia\DisplayName: "Vidalia 0.2.19"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Vidalia\UninstallString: ""C:\Program Files\Vidalia Bundle\Uninstall.exe""
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Vidalia\NoModify: 0x00000001
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Vidalia\NoRepair: 0x00000001
HKU\S-1-5-21-1993962763-1482476501-839522115-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\Documents and Settings\[username]\Desktop\vidalia-bundle-0.2.2.37-0.2.19.exe: "Vidalia Bundle 0.2.2.37-0.2.19"
HKU\S-1-5-21-1993962763-1482476501-839522115-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\Program Files\Vidalia Bundle\Vidalia\vidalia.exe: "Vidalia"
HKU\S-1-5-21-1993962763-1482476501-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Run\Vidalia: ""C:\Program Files\Vidalia Bundle\Vidalia\vidalia.exe""
HKU\S-1-5-21-1993962763-1482476501-839522115-1003\Software\Polipo\Install_Dir: "C:\Program Files\Vidalia Bundle"
File Locations
Default install location:
C:\Program Files\Vidalia Bundle
Default Tor location:
C:\Program Files\Vidalia Bundle\Tor\tor.exe
Default location of the Tor configuration file:
C:\Documents and Settings\[username]\Local Settings\Application Data\Vidalia\torrc < (contains the Tor configuration details)
Default Polipo location:
C:\Program Files\Vidalia Bundle\Polipo\polipo.exe
Default Polipo config file location:
C:\Program Files\Vidalia Bundle\Polipo\polipo.conf < (contains the Polipo configuration details)
Other Key dirs/files:
C:\Documents and Settings\[username]\Local Settings\Application Data\Vidalia
geoip-cache
torrc
torrc.orig.1
vidalia.conf
vidalia.pid
C:\Documents and Settings\[username]\Local Settings\Application Data\Tor
geoip
C:\Program Files\Vidalia Bundle\Vidalia\
cached-certs
cached-consensus
cached-descriptors
cached-descriptors.new
Research Links
https://www.torproject.org/about/overview.html.en
http://www.pps.univ-paris-diderot.fr/~jch/software/polipo/
Forensic Programs of Use
RegShot, WireShark, ProcessHacker
Any Other Information
Network Indicators (local):
polipo.exe – 127.0.0.1, port 8118/TCP, Listening (Polipo proxy port)
tor.exe – 127.0.0.1, port 9050/TCP, Listening (Tor SOCKS listener)
tor.exe – localhost, port 9051/TCP, Listening (control port)
If Tor has completed a “circuit” to the Tor network you will see established connections to various hosts:
tor.exe – chuck-pc.here.xxx, 1144, [111.111.111.1111], 9001, TCP, Established < IP can vary
tor.exe – chuck-pc.here.xxx, 1144, host.somewhere.com, 9001, TCP, Established < remote hostname can vary
As circuits drop and new ones are built, you will see these connections close and new ones come online.
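The registry, file and network indicators above lend themselves to a small triage script. The Python below is an added example and is not part of the original post: it runs offline on constructed input (lines shaped like Windows `netstat -ano` output, a PID-to-image map of the kind Process Hacker shows, and the DisplayName data from the three Uninstall keys) and reports which of the post's indicators are present. The sample addresses and PIDs are made up; only the ports, image names, key names and version strings come from the post.

```python
"""Triage of the Tor Vidalia Bundle indicators listed in the post above.

Added example, not from the original post.  Runs offline on constructed data.
"""
import re
from dataclasses import dataclass

# Loopback listeners the post documents for a default install.
EXPECTED_LISTENERS = {8118: "Polipo proxy port", 9050: "Tor SOCKS port", 9051: "Tor control port"}
TOR_OR_PORT = 9001  # remote port on the established circuit connections in the post
# DisplayName data under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\<key>
UNINSTALL_DISPLAY_NAMES = {"Polipo": "Polipo 1.0.4.1", "Tor": "Tor 0.2.2.37", "Vidalia": "Vidalia 0.2.19"}

# One TCP row of `netstat -ano`: proto, local addr:port, foreign addr:port, state, pid.
NETSTAT_RE = re.compile(
    r"^\s*TCP\s+(?P<laddr>\S+):(?P<lport>\d+)\s+(?P<raddr>\S+):(?P<rport>\d+)\s+(?P<state>\S+)\s+(?P<pid>\d+)\s*$"
)


@dataclass(frozen=True)
class Finding:
    kind: str    # "listener", "circuit" or "registry"
    detail: str


def parse_netstat(lines):
    """Yield (local_ip, local_port, remote_ip, remote_port, state, pid) for each TCP row."""
    for line in lines:
        m = NETSTAT_RE.match(line)
        if m:
            yield (m["laddr"], int(m["lport"]), m["raddr"], int(m["rport"]), m["state"], int(m["pid"]))


def find_network_indicators(netstat_lines, pid_to_image):
    """Match listening sockets and circuit connections against the post's indicators."""
    findings = []
    for laddr, lport, raddr, rport, state, pid in parse_netstat(netstat_lines):
        image = pid_to_image.get(pid, "unknown").lower()
        if state == "LISTENING" and lport in EXPECTED_LISTENERS:
            # The post documents loopback binds; anything else is a changed configuration.
            scope = "loopback" if laddr == "127.0.0.1" else f"non-loopback ({laddr}), not the default"
            findings.append(Finding("listener", f"{image} pid {pid} on port {lport} ({EXPECTED_LISTENERS[lport]}), {scope}"))
        elif state == "ESTABLISHED" and rport == TOR_OR_PORT and image == "tor.exe":
            findings.append(Finding("circuit", f"tor.exe pid {pid} established to {raddr}:{rport}"))
    return findings


def find_registry_indicators(uninstall_values):
    """uninstall_values maps an Uninstall sub-key name to {value name: data}."""
    findings = []
    for key, expected in UNINSTALL_DISPLAY_NAMES.items():
        values = uninstall_values.get(key)
        if values is None:
            continue
        name = values.get("DisplayName", "")
        note = "version in the post" if name == expected else f"other version: {name!r}"
        findings.append(Finding("registry", f"Uninstall\\{key} present, {note}"))
    return findings


def triage(netstat_lines, pid_to_image, uninstall_values):
    return find_network_indicators(netstat_lines, pid_to_image) + find_registry_indicators(uninstall_values)


# Constructed sample input (not captured from a real system).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    127.0.0.1:8118         0.0.0.0:0              LISTENING       1432
  TCP    127.0.0.1:9050         0.0.0.0:0              LISTENING       1528
  TCP    127.0.0.1:9051         0.0.0.0:0              LISTENING       1528
  TCP    192.168.1.20:1144      198.51.100.7:9001      ESTABLISHED     1528
  TCP    192.168.1.20:1150      203.0.113.9:443        ESTABLISHED     2020
"""
SAMPLE_PIDS = {1432: "polipo.exe", 1528: "tor.exe", 2020: "firefox.exe"}
SAMPLE_UNINSTALL = {
    "Polipo": {"DisplayName": "Polipo 1.0.4.1", "NoModify": 1, "NoRepair": 1},
    "Tor": {"DisplayName": "Tor 0.2.2.37", "NoModify": 1, "NoRepair": 1},
    "Vidalia": {"DisplayName": "Vidalia 0.2.19", "NoModify": 1, "NoRepair": 1},
}

if __name__ == "__main__":
    for f in triage(SAMPLE_NETSTAT.splitlines(), SAMPLE_PIDS, SAMPLE_UNINSTALL):
        print(f"[{f.kind}] {f.detail}")
```

The port 443 connection from firefox.exe in the sample is deliberately left unreported: the post ties the 9001 indicator to tor.exe, and matching on the remote port alone would flag unrelated traffic. A listener on 8118, 9050 or 9051 bound to something other than 127.0.0.1 is reported with a note, since the post only documents loopback binds for a default install.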


Win7 HomeGroup Reg Particulars

Author Name: Matt Nelson
Submission Title: Win7 HomeGroup Reg Particulars
Artifact or Program Version: HomeGroup Information
Artifact Description
A few of the particulars out of the registry for a Win7 system that may be part of a HomeGroup.
IPv6 must be enabled.

Per Microsoft:

A homegroup is a group of computers on a home network that can share files and printers. Using a homegroup makes sharing easier. You can share pictures, music, videos, documents, and printers with other people in your homegroup. Other people can’t change the files that you share unless you give them permission to do so. You can help protect your homegroup with a password, which you can change at any time.

– In Windows 7 Starter and Windows 7 Home Basic, you can join a homegroup, but you can’t create one.

– If a homegroup already exists on your network, you’ll be asked to join it instead of creating a new one.

– If your computer belongs to a domain, you can join a homegroup but you can’t create one. You can access files and resources on other homegroup computers, but you can’t share your own files and resources with the homegroup.


Registry Keys
-=Created or Joined HomeGroup=-

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\HomeGroup\CreatedOrJoinedHomeGroup: 0x00000001


-=Member Computers (of the HomeGroup):=-

HKLM\SYSTEM\ControlSet001\services\HomeGroupProvider\ServiceData\Members\5f325793fe322a229e41646c0278c3d052ebcb32.HomeGroupClassifier\ComputerName: [computer name]

HKLM\SYSTEM\ControlSet001\services\HomeGroupProvider\ServiceData\Members\4a0aaaa82ac735e645ca3e6c9ec98e8ae2d6d406.HomeGroupClassifier\ComputerName: [computer name]

Note: the [*********].HomeGroupClassifier string is unique to each computer


-=Owner/User that set up the HomeGroup:=-

HKLM\SYSTEM\CurrentControlSet\services\HomeGroupProvider\ServiceData\Owner: "[user name]"


-=Primary System ID of the HomeGroup=-

HKLM\SYSTEM\CurrentControlSet\services\HomeGroupProvider\ServiceData\OwnerId: "4a0aaaa82ac735e645ca3e6c9ec98e8ae2d6d406.HomeGroupClassifier"


-=Computer that Joined HomeGroup=-

HKLM\SYSTEM\CurrentControlSet\services\HomeGroupProvider\ServiceData\OwnerMachineName: "[computer name]"


-=User name that joined the HomeGroup=-

HKLM\SYSTEM\CurrentControlSet\services\HomeGroupProvider\ServiceData\LocalJoiningUser: "[user name]"


-=HomeGroup password=-

HKLM\SYSTEM\CurrentControlSet\services\HomeGroupProvider\ServiceData\Password:

Note: this is automatically set up by the system.


-=What is shared on the HomeGroup=- (for the analyzed system)

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\HomeGroup\HME\SharingPreferences\S-1-5-21-440289028-1358208096-2242387208-1000\ShareDocuments: 0x00000001

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\HomeGroup\HME\SharingPreferences\S-1-5-21-440289028-1358208096-2242387208-1000\SharePictures: 0x00000001

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\HomeGroup\HME\SharingPreferences\S-1-5-21-440289028-1358208096-2242387208-1000\ShareMusic: 0x00000001

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\HomeGroup\HME\SharingPreferences\S-1-5-21-440289028-1358208096-2242387208-1000\ShareVideos: 0x00000001

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\HomeGroup\HME\SharingPreferences\S-1-5-21-440289028-1358208096-2242387208-1000\ShareMediaToAllDevices: 0x00000000

Note: specific to the user's SID


-=HomeGroup Shared printers=-

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\HomeGroup\PrintingPreferences\Printers: 0x00000001


-=MAC addresses of Member systems w/name=-

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\HomeGroup\HME\Members\00-0C-29-5E-11-BC: "primary computer"

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\HomeGroup\HME\Members\8C-11-11-4C-C1-C7: "member computer"

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\HomeGroup\HME\Members\8C-11-11-4C-C1-C6: "member computer"

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\HomeGroup\HME\Members\2C-11-11-BA-94-EC: "member computer"

Note: the “member computer” has multiple MACs – a laptop with wired and wireless NICs


Research Links
http://windows.microsoft.com/en-US/windows7/products/features/homegroup
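The HomeGroup values above are spread over two hives and several sub-keys, so pulling them into one summary is the usual first step when reviewing an image. The Python below is an added example, not part of the original post: a minimal parser for a Regedit 5.00 `.reg` export (string and DWORD values only) plus a function that collects the HomeGroup particulars into a dict, including a check that the OwnerId classifier has a matching entry under Members. The SAMPLE_REG text is constructed; its key paths, SID, classifier ids and MAC addresses are the ones the post lists, while the user and computer names are made up.

```python
"""Parse a .reg export of the HomeGroup keys listed in the post above.

Added example, not from the original post.  SAMPLE_REG is constructed.
"""
import re

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^(?:"(?P<name>(?:[^"\\]|\\.)*)"|(?P<default>@))=(?P<data>.*)$')
CONTROLSET_RE = re.compile(r"\\ControlSet\d{3}\\")


def _unescape(s):
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg(text):
    """Regedit 5.00 export -> {key_path: {value_name: data}}.

    REG_SZ comes back as str, REG_DWORD as int, anything else (hex:, ...) as the
    raw text after '='.  ControlSet00N is folded into CurrentControlSet (which is
    only a link to the active control set) so offline hive exports and live
    exports compare alike.  Multi-line hex continuations are not handled.
    """
    reg, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        km = KEY_RE.match(line)
        if km:
            current = reg.setdefault(CONTROLSET_RE.sub(r"\\CurrentControlSet\\", km["key"]), {})
            continue
        vm = VALUE_RE.match(line)
        if not vm or current is None:
            continue  # header line, blank line, or value before any key
        name = "@" if vm["default"] else _unescape(vm["name"])
        data = vm["data"]
        if len(data) >= 2 and data[0] == data[-1] == '"':
            current[name] = _unescape(data[1:-1])
        elif data.startswith("dword:"):
            current[name] = int(data[6:], 16)
        else:
            current[name] = data
    return reg


HG = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\HomeGroup"
SVC = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\HomeGroupProvider\ServiceData"


def _subkeys(reg, prefix):
    """{child name: values} for every direct child key of prefix."""
    prefix += "\\"
    return {k[len(prefix):]: v for k, v in reg.items() if k.startswith(prefix) and "\\" not in k[len(prefix):]}


def summarize_homegroup(reg_text):
    reg = parse_reg(reg_text)
    svc = reg.get(SVC, {})
    members = {cid: v.get("ComputerName") for cid, v in _subkeys(reg, SVC + "\\Members").items()}
    sharing = {sid: {n: bool(d) for n, d in v.items() if isinstance(d, int)}
               for sid, v in _subkeys(reg, HG + "\\HME\\SharingPreferences").items()}
    owner_id = svc.get("OwnerId")
    return {
        "created_or_joined": bool(reg.get(HG, {}).get("CreatedOrJoinedHomeGroup", 0)),
        "owner": svc.get("Owner"),
        "owner_id": owner_id,
        "owner_machine": svc.get("OwnerMachineName"),
        "joining_user": svc.get("LocalJoiningUser"),
        "password_present": "Password" in svc,
        "members": members,
        "owner_in_members": owner_id in members,  # the owner's classifier id should have a Members entry
        "sharing": sharing,
        "printers_shared": bool(reg.get(HG + "\\PrintingPreferences", {}).get("Printers", 0)),
        "mac_members": dict(reg.get(HG + "\\HME\\Members", {})),
    }


# Constructed sample export; names are made up, paths/ids/SID/MACs are from the post.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\HomeGroup]
"CreatedOrJoinedHomeGroup"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\HomeGroupProvider\ServiceData]
"Owner"="alice"
"OwnerId"="4a0aaaa82ac735e645ca3e6c9ec98e8ae2d6d406.HomeGroupClassifier"
"OwnerMachineName"="DESKTOP-A"
"LocalJoiningUser"="alice"
"Password"=hex:01,02,03

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\HomeGroupProvider\ServiceData\Members\4a0aaaa82ac735e645ca3e6c9ec98e8ae2d6d406.HomeGroupClassifier]
"ComputerName"="DESKTOP-A"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\HomeGroupProvider\ServiceData\Members\5f325793fe322a229e41646c0278c3d052ebcb32.HomeGroupClassifier]
"ComputerName"="LAPTOP-B"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\HomeGroup\HME\SharingPreferences\S-1-5-21-440289028-1358208096-2242387208-1000]
"ShareDocuments"=dword:00000001
"SharePictures"=dword:00000001
"ShareMediaToAllDevices"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\HomeGroup\PrintingPreferences]
"Printers"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\HomeGroup\HME\Members]
"00-0C-29-5E-11-BC"="primary computer"
"8C-11-11-4C-C1-C7"="member computer"
"8C-11-11-4C-C1-C6"="member computer"
"""

if __name__ == "__main__":
    for k, v in summarize_homegroup(SAMPLE_REG).items():
        print(f"{k}: {v}")
```

A real `.reg` file written by Regedit is UTF-16 LE with a byte-order mark, so read it with `open(path, encoding="utf-16")` before passing the text in. The ControlSet folding matters because a live export shows CurrentControlSet while an export taken from an offline SYSTEM hive shows the numbered set, as in the Members paths the post lists.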