Wednesday, October 27, 2010

Sniper Forensics 2.0 Tools, Links, and Commands

OK...so I figured that there would be a lot of questions about the tools I use and the command syntax that I covered in SF2. There is obviously a LOT I was not able to cover due to time constraints, so if anyone has any specific questions about which tools do what, how to use them, and how to interpret the output, please let me know and I will create a FAQ blog post.

Thank you for attending my talk! I hope you get out of it as much I put into it!

Happy Hunting!

Tools
====
F-Response (http://www.f-response.com/)
Memoryze (http://www.mandiant.com/products/free_software/memoryze/)
Audit Viewer ( http://www.mandiant.com/products/free_software/mandiant_audit_viewer/)
UnxUtils (http://sourceforge.net/projects/unxutils/)
Grep (http://gnuwin32.sourceforge.net/packages/grep.htm)
TextPad (http://www.textpad.com/download/)
Case Notes (http://www.qccis.com/forensic-tools)
The Sleuth Kit (http://www.sleuthkit.org/sleuthkit/download.php)
Log2Timeline (http://log2timeline.net/)
SIFT Workstation (https://computer-forensics2.sans.org/community/siftkit/)
AnalyzeMFT (http://www.integriography.com/)
RegRipper (http://regripper.net/?page_id=150)
RipXP (http://regripper.net/?page_id=150)
FTK Imager 3.0 (http://www.accessdata.com/downloads.html)



Syntax
=====
Use these commands to rip registry hives.
C:\tools\RegRipper\rip.exe -r c:\cases\customerX\registry\SAM -f SAM > c:\cases\ripped\systemY_sam_ripped.txt

C:\tools\RegRipper\rip.exe -r c:\cases\customerX\registry\system -f System > c:\cases\ripped\systemY_system_ripped.txt

C:\tools\RegRipper\rip.exe -r c:\cases\customerX\registry\ntuser.dat -f ntuser > c:\cases\ripped\systemY_ntuser.dat.userX_ripped.txt

Use these commands to create a bodyfile and timeline. If you want a more detailed explanation of how to generate timelines, read my blog posts about timeline creation.

C:\tools\TSK\fls -m "C:/" -f ntfs -r \\.\F: > c:\cases\customerX\timelines\systemY_bodyfile

perl C:\tools\TSK\mactime.pl -d -b C:\cases\customerX\timelines\systemY_bodyfile > C:\cases\customerX\timelines\systemY_timeline.csv

You can add logs to your bodyfile with Log2Timeline:
C:\>perl C:\Perl\bin\log2timeline -t >> c:\cases\customerX\timelines\systemY_bodyfile
You can add hives and NTUSER.dat files to your bodyfile with regtime:
C:\>perl C:\tools\bin\regtime.pl -m HKLM/system -r c:\cases\customerX\hives\system >> c:\cases\customerX\timelines\systemY_bodyfile

Search for suspect keywords
C:\cases\customerX\ripped>strings *.txt | grep -i
C:\cases\customerX\timeline>strings *.csv | grep -i

Search for suspect timeframe
C:\cases\customerX\ripped>strings *.txt | grep -i
C:\cases\customerX\timeline>strings *.csv | grep -i

Know how to stack your searches! CRITICAL!!!

grep -i | grep -i
grep -i | grep -i | grep -i
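As an added example (not from the post and not part of TSK, mactime or any tool listed above), here is a Python script that parses a constructed `fls -m` bodyfile, expands it into a mactime-style timeline with MACB flags, and then stacks a suspect-timeframe filter, a created-at-that-instant filter and a case-insensitive keyword filter the way the grep pipeline above does. The bodyfile rows, file paths, inodes and timestamps are constructed for the demo.

```python
from datetime import datetime, timezone

# Constructed sample of what `fls -m "C:/" -f ntfs -r` writes to a bodyfile (TSK 3.x
# body format): MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime, epoch seconds.
SAMPLE_BODYFILE = """\
0|C:/Windows/System32/calc.exe|41521|r/rrwxrwxrwx|0|0|776192|1288180800|1247532000|1247532000|1247532000
0|C:/Windows/Temp/svchost.exe|98231|r/rrwxrwxrwx|0|0|54272|1288189391|1288189391|1288189391|1288189391
0|C:/Users/userX/AppData/Roaming/keylog.dll|98240|r/rrwxrwxrwx|0|0|12288|1288189402|1288189402|1288189402|1288189402
0|C:/Users/userX/Documents/report.docx|31000|r/rrwxrwxrwx|0|0|20480|1288000000|1287990000|1287990000|1287990000
"""

def bodyfile_to_timeline(body):
    """Do what mactime does: emit one row per distinct timestamp of each file, with a
    MACB column in mactime's order (m=mtime, a=atime, c=ctime, b=crtime; '.' = not set)."""
    rows = []
    for line in body.splitlines():
        if not line.strip():
            continue
        f = line.split("|")
        name, inode, mode, size = f[1], f[2], f[3], int(f[6])
        stamps = {"m": int(f[8]), "a": int(f[7]), "c": int(f[9]), "b": int(f[10])}
        for ts in sorted(set(stamps.values())):
            if ts == 0:
                continue  # mactime drops unset (zero) timestamps
            macb = "".join(k if stamps[k] == ts else "." for k in "macb")
            rows.append({"date": datetime.fromtimestamp(ts, timezone.utc), "macb": macb,
                         "size": size, "mode": mode, "meta": inode, "name": name})
    rows.sort(key=lambda r: (r["date"], r["name"]))
    return rows

def stack(rows, *filters):
    """Stacked search: every filter must match, like `grep -i | grep -i | grep -i`."""
    return [r for r in rows if all(f(r) for f in filters)]

def in_window(start, end):
    """Suspect-timeframe filter; start/end are ISO-8601 strings, treated as UTC."""
    s = datetime.fromisoformat(start).replace(tzinfo=timezone.utc)
    e = datetime.fromisoformat(end).replace(tzinfo=timezone.utc)
    return lambda r: s <= r["date"] <= e

def keyword(term):
    """Suspect-keyword filter on the file name, case-insensitive like grep -i."""
    return lambda r: term.lower() in r["name"].lower()

def created(r):
    """Keep only rows where the file was born (crtime) at that instant."""
    return "b" in r["macb"]

if __name__ == "__main__":
    timeline = bodyfile_to_timeline(SAMPLE_BODYFILE)
    hits = stack(timeline, in_window("2010-10-27T14:00:00", "2010-10-27T15:00:00"),
                 created, keyword("exe"))
    for r in hits:
        print(r["date"].strftime("%a %b %d %Y %H:%M:%S"), r["macb"], r["size"], r["name"])
```

Each additional filter narrows the result the same way another `| grep -i` stage would, so the order of the stack does not change the hits, only how much you read on the way.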

3 comments:

  1. Thanks for using Memoryze and Audit Viewer. Have you played with the latest version of Memoryze (1.4.2900)? Also, I am interested in hearing about any experiences using Memoryze in conjunction with F-response. If you set up Memoryze to run against the drive/file/device F-response exposes as the remote machine's memory, Memoryze should execute just as if you were running against a memory image (use the "memory file" parameter).

    Thanks,
    Jamie

  2. I wish I could have been there. I like the idea of the targeted approach and would love to have seen the presentation. Any idea if a recording was made and will be available?
    Ken

  3. Hey there Chris. Great article and well put together. One thing I want to echo is that I believe the use of non-commercial tools actually helps in analysis capability and adds to agility.

    I recently gave a talk in Silicon Valley and an anonymous evaluation submitter actually wrote in effect "...it's impossible to be efficient if your digital forensics is done without commercial tools." I did not get a name nor was the argument supported so this is all I had to go on in respect to feedback. (The other posters that evaluated the talk were largely positive.)

    My guess is this was an attempt to argue against open-source projects and non-commercially developed tools like Volatility and Brian Carrier's TSK, and Harlan's Reg Ripper. I still believe the best analysis engine out there is actually located between an analyst's ears and it is up to them to execute appropriate tool-selection that enables them to analyze the information and come to correct solutions. This is not restricted only to the realm of flashy, well-funded commercial software IMHO.
