evild3ad / MemProcFS-Analyzer

MemProcFS-Analyzer - Automated Forensic Analysis of Windows Memory Dumps for DFIR
https://lethal-forensics.com
GNU General Public License v3.0

TimeZoneInformation - files do not always exist #17

Closed Bloggzy closed 1 year ago

Bloggzy commented 1 year ago

When analyzing the "Desktop" image (https://dfirmadness.com/case001/DESKTOP-SDN1RPT-memory.zip) from the Stolen Szechuan Sauce challenge (https://dfirmadness.com/the-stolen-szechuan-sauce/), I saw some errors being thrown as the TimeZoneInformation registry locations didn't exist.

Get-Content : Cannot find path 'X:\registry\HKLM\SYSTEM\ControlSet001\Control\TimeZoneInformation\TimeZoneKeyName.txt' because it does not exist.
At C:\Demo\MPFSA\MemProcFS-Analyzer-v0.6\MemProcFS-Analyzer.ps1:1880 char:28

Get-Content : Cannot find path 'X:\registry\HKLM\SYSTEM\ControlSet001\Control\TimeZoneInformation\(_Key_).txt' because it does not exist.
At C:\Demo\MPFSA\MemProcFS-Analyzer-v0.6\MemProcFS-Analyzer.ps1:1881 char:26

Get-Content : Cannot find path 'X:\registry\HKLM\SYSTEM\ControlSet001\Control\TimeZoneInformation\ActiveTimeBias.txt' because it does not exist.
At C:\Demo\MPFSA\MemProcFS-Analyzer-v0.6\MemProcFS-Analyzer.ps1:1882 char:27

In the analyzer script (v0.6) under the "# Timezone Information" section (lines: 1879-1882), could you include a few checks and handle the case where those files don't exist?

e.g. if (Test-Path "") or similar?

evild3ad commented 1 year ago

Implemented. Thanks for reporting!

Possibly because of the usage of Windows 10 Enterprise Evaluation and/or an unfinished Windows setup.

# Timezone Information
if (Test-Path "$DriveLetter\registry\HKLM\SYSTEM\ControlSet00$CurrentControlSet\Control\TimeZoneInformation")
{
    <snip>
}
else
{
    Write-Host "[Error] TimeZoneInformation Registry Subkey does NOT exist." -ForegroundColor Red
}

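The following is an added PowerShell example, not code from MemProcFS-Analyzer or from this thread, showing the pattern the fix above applies, carried one step further: the subkey is checked with Test-Path before anything is read, and then each value file is checked individually, so a key that exists with some values missing (an unfinished setup, for instance) is reported rather than thrown on. It assumes, as the issue's error messages suggest, that MemProcFS exposes each registry value as <ValueName>.txt inside the key directory; the assumption that a REG_DWORD such as ActiveTimeBias appears in that file as either decimal or an 8-digit hex string is mine and should be checked against your own mount. The sample "mount" is a constructed directory tree in the temp folder, not a real memory image.

```powershell
# Added example (not MemProcFS-Analyzer code). Assumptions: values are exposed as
# <ValueName>.txt under the key directory; a REG_DWORD's .txt holds decimal or hex.

function ConvertFrom-DwordText {
    # Turn the text form of a REG_DWORD into a signed 32-bit integer.
    # ActiveTimeBias is two's complement: 0xffffffc4 (or 4294967236) = -60 minutes.
    param([string] $Raw)
    if ([string]::IsNullOrWhiteSpace($Raw)) { return $null }
    $Raw = $Raw.Trim()
    $Value = [int64] 0
    if ($Raw -match '^-?\d+$') {
        $Value = [int64] $Raw
        if ($Value -lt 0) { return [int32] $Value }          # already a signed decimal
    }
    elseif ($Raw -match '^(0x)?([0-9a-fA-F]{1,8})$') {
        $Value = [Convert]::ToInt64($Matches[2], 16)         # assumed hex form
    }
    else { return $null }
    if ($Value -gt [uint32]::MaxValue) { return $null }      # not a DWORD
    if ($Value -gt [int32]::MaxValue) { $Value -= 0x100000000 }
    return [int32] $Value
}

function Get-TimeZoneInfoFromMemProcFS {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $DriveLetter,   # mount point, e.g. 'X:'
        [int] $CurrentControlSet = 1
    )
    # String concatenation rather than Join-Path: Join-Path rejects a drive letter
    # that is not mounted, which is exactly the failure we want to report ourselves.
    $KeyPath = $DriveLetter.TrimEnd('\') +
        ('\registry\HKLM\SYSTEM\ControlSet{0:D3}\Control\TimeZoneInformation' -f $CurrentControlSet)

    # The check the issue asked for: fail cleanly instead of letting Get-Content throw.
    if (-not (Test-Path -LiteralPath $KeyPath -PathType Container)) {
        Write-Host "[Error] TimeZoneInformation Registry Subkey does NOT exist ($KeyPath)" -ForegroundColor Red
        return $null
    }

    # Per-value check: a present key may still lack individual value files.
    $Missing = [System.Collections.Generic.List[string]]::new()
    $Read = {
        param([string] $Name)
        $File = "$KeyPath\$Name.txt"
        if (Test-Path -LiteralPath $File -PathType Leaf) {
            return (Get-Content -LiteralPath $File -Raw).Trim()
        }
        $Missing.Add($Name)
        return $null
    }

    $KeyName = & $Read 'TimeZoneKeyName'
    $Bias    = ConvertFrom-DwordText (& $Read 'ActiveTimeBias')
    $Offset  = $null
    if ($null -ne $Bias) {
        # Windows stores UTC = local + bias, so the offset analysts expect is -bias.
        $Span = [TimeSpan]::FromMinutes(-$Bias)
        $Sign = if ($Span -lt [TimeSpan]::Zero) { '-' } else { '+' }
        $Abs  = $Span.Duration()
        $Offset = 'UTC{0}{1:00}:{2:00}' -f $Sign, $Abs.Hours, $Abs.Minutes
    }

    [PSCustomObject]@{
        KeyPath         = $KeyPath
        TimeZoneKeyName = $KeyName
        ActiveTimeBias  = $Bias
        UtcOffset       = $Offset
        MissingValues   = $Missing.ToArray()
    }
}

# Constructed sample mount: an on-disk directory tree mimicking the MemProcFS layout.
$Root = Join-Path ([IO.Path]::GetTempPath()) ('mpfs-demo-' + [guid]::NewGuid().ToString('N'))
$Key  = Join-Path $Root 'registry\HKLM\SYSTEM\ControlSet001\Control\TimeZoneInformation'
New-Item -ItemType Directory -Path $Key -Force | Out-Null
Set-Content -LiteralPath (Join-Path $Key 'TimeZoneKeyName.txt') -Value 'W. Europe Standard Time'
Set-Content -LiteralPath (Join-Path $Key 'ActiveTimeBias.txt')  -Value 'ffffffc4'   # DWORD -60, i.e. UTC+01:00
try {
    Get-TimeZoneInfoFromMemProcFS -DriveLetter $Root                       # key and both values present
    Remove-Item -LiteralPath (Join-Path $Key 'ActiveTimeBias.txt')
    Get-TimeZoneInfoFromMemProcFS -DriveLetter $Root                       # key present, ActiveTimeBias missing
    Get-TimeZoneInfoFromMemProcFS -DriveLetter (Join-Path $Root 'empty')   # the issue's case: subkey absent
}
finally {
    Remove-Item -LiteralPath $Root -Recurse -Force
}
```

Returning an object with a MissingValues list, rather than writing an error and stopping, lets the rest of an analysis run continue while still recording that the timezone could not be established from this dump; timestamps from that image should then be treated as UTC-uncertain rather than silently assumed.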

Bloggzy commented 1 year ago

Nice work.