Sunday, 16 September 2012

TLN tools updated - New features added

I've been continuing to play with and refine some of the tools I've recently posted. As mentioned, they were only beta and I still consider them to be just that. As always, usage of the tools is at your own risk and I provide no warranty for the result set they provide. However, in saying that, as we continue to refine them hopefully my readers can see some consistent and expected results. One of the other issues I've had with posting my tools is that when they are copied into a text file you can have issues running them, due to the spaces added at the end of the file, which can cause Perl EOF errors that are confusing if you're new to Perl. To resolve this I've created my own Google Code repository and uploaded both the Perl scripts and the executable. Hopefully this will resolve that issue.

You can find this repository and the tools at the following location.
http://code.google.com/p/sploited/

The reason for the following changes to the Firefox and Chrome scripts is that they weren't that useful from an automated perspective, because Firefox uses a random folder name (e.g. "xxxxxxxx.default") to store the user profile. So by first creating a file listing with tsk fls to produce a bodyfile, that output can then be passed to firefox.pl and chrome.pl, which automatically find the required files for the timeline. The other benefit is that many users don't keep the browser profile in their user profile folder, due to profile storage space. It's not uncommon to find the browser history files in the root of the C drive because the user has moved them, and since the scripts search the bodyfile by file name rather than by expected path, my tool still accommodates that scenario.
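To illustrate the bodyfile-driven approach described above, here is an added example in Python (not the author's Perl scripts): it scans a constructed tsk fls bodyfile for the Firefox and Chrome database file names wherever they sit on disk, derives the username from the profile path when one exists, and emits TLN lines. The mount prefix "C:/", the sample rows, and the Unix-epoch conversions for Chrome's WebKit timestamps and Firefox's PRTime values are assumptions for the example, not output from the post.

```python
import re

# Constructed sample of TSK 3.x `fls -m` bodyfile output (not from the post).
# Field order: MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime
BODYFILE = """\
0|C:/Users/alice/AppData/Roaming/Mozilla/Firefox/Profiles/k3j9x2ab.default/places.sqlite|2001|r/rrwxrwxrwx|0|0|10485760|1347800000|1347801234|1347801234|1300000000
0|C:/Users/alice/AppData/Roaming/Mozilla/Firefox/Profiles/k3j9x2ab.default/downloads.sqlite|2002|r/rrwxrwxrwx|0|0|65536|1347800000|1347800500|1347800500|1300000000
0|C:/Users/bob/AppData/Local/Google/Chrome/User Data/Default/History|3001|r/rrwxrwxrwx|0|0|4194304|1347700000|1347702222|1347702222|1300000000
0|C:/History|3002|r/rrwxrwxrwx|0|0|4194304|1347600000|1347601111|1347601111|1300000000
0|C:/Windows/System32/kernel32.dll|4001|r/rrwxrwxrwx|0|0|1000000|1347000000|1347000000|1347000000|1300000000
"""

# Database file names the -a option looks for, keyed by basename so a profile
# moved to the root of C: (the "C:/History" row above) is still found.
BROWSER_DBS = {
    "places.sqlite": ("firefox", "history"),
    "downloads.sqlite": ("firefox", "downloads"),
    "History": ("chrome", "history/downloads"),
}
# Username comes from the profile path when there is one; otherwise "unknown".
USER_RE = re.compile(r"/(?:Users|Documents and Settings|home)/([^/]+)/")

def parse_bodyfile(text):
    """Yield name and mtime for each well-formed 11-field bodyfile row."""
    for line in text.splitlines():
        fields = line.split("|")
        if len(fields) != 11:
            continue  # blank or malformed line
        yield {"name": fields[1], "mtime": int(fields[8])}

def find_browser_dbs(text):
    """Return the browser databases present in the bodyfile, with owner."""
    hits = []
    for row in parse_bodyfile(text):
        base = row["name"].rsplit("/", 1)[-1]
        if base not in BROWSER_DBS:
            continue
        browser, kind = BROWSER_DBS[base]
        m = USER_RE.search(row["name"])
        hits.append({"browser": browser, "kind": kind, "path": row["name"],
                     "user": m.group(1) if m else "unknown", "mtime": row["mtime"]})
    return hits

WEBKIT_EPOCH_OFFSET = 11644473600  # seconds from 1601-01-01 to 1970-01-01 UTC

def chrome_time_to_epoch(webkit_us):
    """Chrome History stores microseconds since 1601-01-01 UTC."""
    return webkit_us // 1_000_000 - WEBKIT_EPOCH_OFFSET

def firefox_time_to_epoch(prtime_us):
    """Firefox places/downloads store PRTime: microseconds since 1970-01-01 UTC."""
    return prtime_us // 1_000_000

def tln_line(epoch, source, host, user, desc):
    """TLN format: Time|Source|Host|User|Description, time in Unix epoch seconds."""
    return f"{epoch}|{source}|{host}|{user}|{desc}"

def bodyfile_to_tln(text, host="HOST"):
    """One TLN event per discovered database, using its mtime from the bodyfile."""
    return [tln_line(h["mtime"], h["browser"].upper(), host, h["user"],
                     f"{h['kind']} database last modified: {h['path']}")
            for h in find_browser_dbs(text)]
```

The real scripts go on to open each discovered database and convert its timestamps with the two epoch helpers; here the database's own mtime stands in as the event so the pipeline runs without a disk image.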

Firefox.pl
- Added the -d option to allow parsing of the downloads.sqlite database to TLN format
- Added the -a option, which uses the bodyfile output from tsk fls and parses each places.sqlite/downloads.sqlite database discovered within it
- Added the -u option to include the username within the TLN format

Chrome.pl
- Added the -d option to allow parsing of the downloads table within the History sqlite database
- Added the -a option, which uses the bodyfile output from tsk fls and parses each History sqlite database discovered within it
- Added the -u option to include the username within the TLN format

IDX.pl
- Resolved a bug where IDX files that contained output on multiple lines were not parsed correctly

As mentioned above, I've added each of the files to the code repository. Hopefully any Perl gurus out there might be able to see some issues with my code or potentially some more efficient ways of coding the tools. Please feel free to update those tools and let me know any changes that can be made so we can all benefit. I'd be really keen to hear whether anybody is finding the tools a benefit to their investigations, and maybe to see some examples that can be shown as well. Feel free to add thanks or issues to the comments below; I look forward to having some feedback.

I have a number of future scripts in mind for adding logs to the TLN format. For any of you out there that require a script, feel free to let me know and I can see if I can help out. In saying that, for anybody out there with some basic scripting skills it's very easy to pick Perl up and create some basic regex queries. Before you know it, any file with a date and something useful within it can be added to your timelines and assist with your investigations.
