

Autoruns from Sysinternals is one of my favorite (free) tools. It has a myriad of uses, from optimizing the boot process to rooting out persistence mechanisms commonly used by malware. It is essentially a targeted registry dump, peering into at least a hundred different Windows Registry keys that the boot and logon processes rely upon.

It very quickly shows what executables are set to run during boot or login, as well as enumerating many other interesting locations like Explorer shell extensions, browser helper objects, and toolbars. Over the years it has added some very useful features, including digital signature checks and the ability to ignore signed (and verified) Microsoft executables.

Until recently Autoruns had one big limitation: it had to be run on a live system. This is perfectly fine in a live response scenario when you are primarily working with systems that are up and running. However, in a dead computer forensics environment, its usefulness was hampered by this limitation. The painful workaround was to boot the forensic image using something like Live View or Guidance's Physical Disk Emulator, and run Autoruns on the booted system. In version 10 of Autoruns, there is now an option to "Analyze Offline System". This is exactly the feature needed to leverage Autoruns with forensic images. It also provides a better ability to detect rootkits, since the target system is offline and hence not protected by any malware hiding mechanisms. The first step is to mount your drive or image on your local system. This is very easy if you are lucky enough to be working with Microsoft VHD files, or more commonly will be accomplished using a third-party tool like IMDisk to mount a forensic image. Once you have a drive letter for your image, you simply point Autoruns to the System Root and User Profile (location of NTUSER.DAT) that you wish to interrogate.
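The mount-then-point workflow described above, scripted end to end as an added example (this is not code from the original post or from Sysinternals). It assumes a VHD image, that `autorunsc.exe` (the console build of Autoruns) is on the PATH, and that its `-z` switch takes `<system root> <user profile>` for offline analysis; the image path and user name are placeholders.

```powershell
# Added example: mount a VHD evidence image read-only, locate the System Root and
# a user profile (the folder holding NTUSER.DAT), and run Autoruns against them offline.
# Assumed: autorunsc.exe is on PATH and "-z <system root> <user profile>" is its offline mode.
param(
    [Parameter(Mandatory)] [string] $ImagePath,          # e.g. D:\cases\0001\evidence.vhd (placeholder)
    [string] $UserName = 'Administrator',                # profile whose NTUSER.DAT to interrogate
    [string] $OutCsv   = "$PWD\autoruns-offline.csv"
)

# 1. Mount the VHD read-only so the evidence is never written to.
$img = Mount-DiskImage -ImagePath $ImagePath -Access ReadOnly -PassThru
try {
    $letters = $img | Get-Disk | Get-Partition | Get-Volume |
               Where-Object DriveLetter | ForEach-Object { "$($_.DriveLetter):" }

    # 2. Find the volume that holds a Windows install: a System Root with the SOFTWARE hive.
    $sysRoot = $letters | ForEach-Object { Join-Path $_ 'Windows' } |
               Where-Object { Test-Path (Join-Path $_ 'System32\config\SOFTWARE') } |
               Select-Object -First 1
    if (-not $sysRoot) { throw "No Windows System Root found on $($letters -join ', ')" }

    # 3. Find the user profile on the same volume (Vista+ and XP-style layouts).
    $drive       = Split-Path $sysRoot -Qualifier
    $userProfile = @("$drive\Users\$UserName", "$drive\Documents and Settings\$UserName") |
                   Where-Object { Test-Path (Join-Path $_ 'NTUSER.DAT') } |
                   Select-Object -First 1
    if (-not $userProfile) { throw "NTUSER.DAT for '$UserName' not found on $drive" }

    # 4. Run Autoruns in offline mode against the mounted image.
    #    -z <system root> <user profile>   offline system to scan
    #    -c                                CSV output, captured to $OutCsv for later review
    Write-Host "System Root: $sysRoot`nUser Profile: $userProfile"
    & autorunsc.exe -accepteula -c -z $sysRoot $userProfile | Out-File -Encoding utf8 $OutCsv
    Write-Host "Autoruns results written to $OutCsv"
}
finally {
    # 5. Always release the image, even if Autoruns failed.
    Dismount-DiskImage -ImagePath $ImagePath | Out-Null
}
```

For a raw dd image mounted with IMDisk instead of a VHD, replace the Mount-DiskImage step with the IMDisk mount and pass the resulting drive letter into the same System Root and profile checks.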
