
Forensic Analysis of Revo Uninstaller Pro

In a recent engagement I came across an application that I had never encountered before. I searched a bit online but could not find any articles about this application and the artifacts it leaves behind. This guide is by no means an exhaustive examination of the application.

Revo Uninstaller Pro[1] is an application that enables users to remove applications from the computer. Its most interesting feature, however, is that it also lets the user remove some Windows artifacts such as web history, search history, UserAssist, ComDlg32, etc.

Windows Registry Artifacts

While installing the tool I found that it creates Windows Registry keys in the user's NTUSER.DAT hive. The data is stored under "Software\VS Revo Group\Revo Uninstaller Pro\".



The "TrackCleaner" subkey stores the user settings that control which Windows artifacts get deleted. Note that the key's Last Write Time is not the last execution date but the last time the user changed those settings.



For example, inside "Software\VS Revo Group\Revo Uninstaller Pro\TrackCleaner\Windows" we can see that the user's preset is to remove the ComDlg32 artifact.


Inside the MSOffice subkey you will find the Microsoft Office related configuration. It is stored in a cryptic form.


That simply translates into:
CARDH  -> Microsoft Office Access
CERDH  -> Microsoft Office Excel
CPPRDH -> Microsoft Office PowerPoint
CWRDH  -> Microsoft Office Word

Removing Software

When the user removes a pre-existing application with Revo Uninstaller Pro, the default behaviour is to create a System Restore Point first. You can see this setting in the "Create System Restore Pont" value under "Software\VS Revo Group\Revo Uninstaller Pro\Uninstaller".



Because a restore point is created, you can then search the Windows Application event log for event ID 8194 to find out which application was actually removed.



RegRipper Plugin:

To speed up the analysis process I created a RegRipper plugin that I share with you guys [2].
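The plugin above is Perl for RegRipper. As an added example (not the post's code and not the plugin itself), the script below walks the same keys in an offline NTUSER.DAT with python-registry, decodes the MSOffice value names with the table from this post and reports each subkey's Last Write Time as a settings-change time. It assumes that a non-zero value means the artifact is selected for cleaning; the hypothetical helper names are mine.

```python
"""Triage the Revo Uninstaller Pro keys from an offline NTUSER.DAT hive.
Needs python-registry (pip install python-registry) for the hive walk only;
the interpretation is kept in pure functions that run on any dict.
ASSUMPTION: a non-zero value data means that artifact is selected for cleaning."""
import sys

BASE = r"Software\VS Revo Group\Revo Uninstaller Pro"
# Cryptic value names of the MSOffice subkey, as decoded in the post
OFFICE_CODES = {
    "CARDH": "Microsoft Office Access",
    "CERDH": "Microsoft Office Excel",
    "CPPRDH": "Microsoft Office PowerPoint",
    "CWRDH": "Microsoft Office Word",
}

def walk_hive(hive_path):
    """Return {relative key path: (last write time, {value name: data})} below BASE."""
    from Registry import Registry  # python-registry
    reg = Registry.Registry(hive_path)
    try:
        root = reg.open(BASE)
    except Registry.RegistryKeyNotFoundException:
        return {}  # tool never installed/configured for this user
    keys, stack = {}, [("", root)]
    while stack:
        rel, key = stack.pop()
        keys[rel] = (key.timestamp(), {v.name(): v.value() for v in key.values()})
        stack.extend((f"{rel}\\{k.name()}".lstrip("\\"), k) for k in key.subkeys())
    return keys

def summarise(keys):
    """Flatten the tree into (subkey, setting, meaning, last write) findings.
    The last write time is when the user last changed that subkey's settings,
    not when the cleaner ran (see the TrackCleaner note in the post)."""
    findings = []
    for rel, (last_write, values) in sorted(keys.items()):
        for name, data in values.items():
            label = OFFICE_CODES.get(name, name) if rel.endswith("MSOffice") else name
            if rel.startswith("TrackCleaner"):
                meaning = "cleans" if data else "keeps"
            elif rel == "Uninstaller" and name.lower().startswith("create system restore"):
                # the post quotes this value as "Create System Restore Pont"
                meaning = "restore point on uninstall: " + ("yes" if data else "no")
            else:
                meaning = "setting"
            findings.append((rel, label, meaning, last_write))
    return findings

if __name__ == "__main__":
    for rel, label, meaning, ts in summarise(walk_hive(sys.argv[1])):
        print(f"{ts:%Y-%m-%d %H:%M:%S}  {rel:<24} {label:<28} {meaning}")
```

Run it as `python revo_triage.py NTUSER.DAT`; the restore-point finding tells you whether event ID 8194 in the Application log is worth pulling next.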



More research is needed for this application. If time permits I will post more about it in the future.

[1] https://www.revouninstaller.com
[2] https://github.com/tsousahs/RegRipper2.8/blob/master/plugins/revouninstaller.pl

