SignatureCatalog

Author: Mike Pilkington

description

Obtain detached signature catalog files

paths

2 paths
paths use Windows environment syntax

collection commands

# PowerShell Artifact Collection Script
# Target: SignatureCatalog
# Run as Administrator

#Requires -RunAsAdministrator

$ErrorActionPreference = "Continue"
$SourceRoot = "C:"
$DestBase   = "D:\Evidence"
$Summary = @{ Copied = 0; Missed = 0; Errors = 0 }

function Collect-Artifact {
    param(
        [Parameter(Mandatory)][string]$SourceDir,
        [Parameter(Mandatory)][string]$FolderName,
        [string]$FileMask = "*"
    )
    # Expand wildcards in any path segment (e.g. 'Program Files*',
    # 'ScreenConnect Client*'). robocopy itself does not glob the source.
    $sources = @(Get-Item -Path $SourceDir -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer })
    if ($sources.Count -eq 0) {
        $Summary.Missed++
        return
    }
    $FullDest = Join-Path -Path $DestBase -ChildPath $FolderName
    $null = New-Item -ItemType Directory -Force -Path $FullDest -ErrorAction SilentlyContinue
    foreach ($src in $sources) {
        robocopy $src.FullName "$FullDest" "$FileMask" /E /COPY:DAT /R:0 /W:0 /NP /NFL /NDL /NJH /NJS 2>$null | Out-Null
        if ($LASTEXITCODE -le 7) { $Summary.Copied++ } else { $Summary.Errors++ }
    }
}

# 1. SignatureCatalog - live installation
Collect-Artifact -SourceDir "C:\Windows\System32\CatRoot" -FolderName "SignatureCatalog"

# 2. SignatureCatalog - previous installation left in Windows.old (collected into its own
#    subfolder so its GUID directories do not overwrite the live system's copies)
Collect-Artifact -SourceDir "C:\Windows.old\Windows\System32\CatRoot" -FolderName "SignatureCatalog\Windows.old"

Write-Host ("Collection complete. Copied: {0}  Missed: {1}  Errors: {2}" -f $Summary.Copied, $Summary.Missed, $Summary.Errors) -ForegroundColor Green

Save as .ps1 and run as Administrator. Use: powershell -ExecutionPolicy Bypass -File script.ps1

notes

Validating digital signatures of an offline system can be problematic. Microsoft relies mostly on detached signature files to sign Windows executables. Checking those on an offline system using sigcheck.exe from SysInternals requires importing the target system's detached signature files into the analysis system. To use with sigcheck, slightly rename the collected GUID directories (keeping the names in a GUID format), copy them to C:\Windows\System32\CatRoot of your analysis machine, restart Cryptographic Services, then run sigcheck against the target system files. This will import the target's signature files into the local analysis machine's signature database and should accurately validate the target system's files (which presumably were collected with other KAPE modules).

Kudos to Troy Larson for providing this workaround technique.
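The import-and-verify procedure above, written out as a PowerShell script. This is an added example, not part of the KAPE target or its collection script. It assumes the catalogs were collected to D:\Evidence\SignatureCatalog, that the target's binaries sit under an assumed D:\Evidence\TargetSystem32, that sigcheck64.exe lives at an assumed C:\Tools path, and that "slightly rename" can be satisfied by giving each collected directory a freshly generated GUID name; the Verified column name used to filter sigcheck's CSV output is also an assumption about sigcheck's output format.

```powershell
#Requires -RunAsAdministrator
# Added example: import collected catalog directories into the analysis
# machine's CatRoot, restart Cryptographic Services, then verify target files.
param(
    # Output folder of the collection script above (assumed location)
    [string]$CollectedCatRoot = "D:\Evidence\SignatureCatalog",
    # Target system binaries collected separately (assumed location)
    [string]$TargetFiles = "D:\Evidence\TargetSystem32",
    # Sysinternals sigcheck (assumed path)
    [string]$Sigcheck = "C:\Tools\sigcheck64.exe"
)

$LocalCatRoot = Join-Path $env:SystemRoot "System32\CatRoot"

# Collected directories are named like {F750E6C3-38EE-11D1-85E5-00C04FC295EE};
# keep only GUID-named ones (also finds those under a Windows.old subfolder).
$guidDirs = Get-ChildItem -Path $CollectedCatRoot -Directory -Recurse |
    Where-Object { $_.Name -match '^\{[0-9A-F]{8}(-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$' }

$imported = @()
foreach ($dir in $guidDirs) {
    # "Slightly rename": a fresh GUID keeps the GUID format but cannot collide
    # with the analysis machine's own directory of the same name.
    $newName = [guid]::NewGuid().ToString('B').ToUpper()
    $dest = Join-Path $LocalCatRoot $newName
    Copy-Item -Path $dir.FullName -Destination $dest -Recurse
    $catCount = (Get-ChildItem -Path $dest -Filter *.cat -File -Recurse).Count
    Write-Host ("Imported {0} as {1} ({2} .cat files)" -f $dir.Name, $newName, $catCount)
    $imported += $dest
}

if ($imported.Count -eq 0) {
    Write-Warning "No GUID-named catalog directories found under $CollectedCatRoot"
    return
}

# Record what was added so the directories can be removed after analysis
$imported | Set-Content -Path (Join-Path $CollectedCatRoot "imported-catroot-dirs.txt")

# Cryptographic Services picks up the new CatRoot contents on restart
Restart-Service -Name CryptSvc -Force

# Executables only (-e), recurse (-s), CSV output (-c) so results can be filtered
$rows = & $Sigcheck -accepteula -nobanner -c -e -s $TargetFiles | ConvertFrom-Csv

# Anything not reported as "Signed" deserves a closer look (column name assumed)
$unverified = $rows | Where-Object { $_.Verified -ne 'Signed' }
Write-Host ("{0} files checked, {1} not verified" -f @($rows).Count, @($unverified).Count)
$unverified | Select-Object Path, Verified, Publisher | Format-Table -AutoSize
```

The script writes the list of directories it added to CatRoot next to the collected evidence; once analysis is finished, delete those directories and restart CryptSvc again so the analysis machine's own catalog store is not left containing another system's catalogs.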