I'd mentioned in some of my previous posts that I'm interested in methods to script the work we have completed previously and in particular conducting investigations of live machines rather than offline analysis which for many analysts I'm sure do not always have this flexiblity. My methods use open source or freely available tools as I do not have access to other more advanced forensics tools which some of you may use.
Here is a summary of the tools i'll be using in this tutorial
- The Sleuth Kit (TSK) (download)
- WFAT Timeline Tools (download)
- RegRipper (download)
- HoboCopy (download)
.\tools\tsk\fls -r -m C:/ \\.\C: > .\output\tsk-bodyfile.txt .\tools\tln\bodyfile.exe -f output\tsk-bodyfile.txt -s %COMPUTERNAME% >> output\events.txt
The above command executes FLS and requests that FLS create a bodyfile of the C drive using -m to have the file in mactime, -r to recurse on directory entries. This command will take a number of minutes to execute and may take considerable time the larger the hard drive size is that you're investigating. The second command executes the timeline bodyfile tool which will convert our body file in our initial events file.
Its debatable whether the next step should actually be completed first as the more tools we execute the more chance we have of losing information and prefetch files. I'd also like to add at this point that if its possible you should send the output back to a usb drive connected to the local workstation or send to a network location. This will also allow us to maintain as much forensic information on the investigated workstation as possible. In my case i'll be creating a script that pipes the output directly to the machine i'm investigating and purely for demonstration purposes.
I run the pref tool from the WFAT timeline tools to dump the prefetch files from the windows prefetch folder. In this case my windows install location is C:\Winnt however it may be different in your circumstances.
.\tools\tln\pref.exe -d C:\WINNT\prefetch -t -s %COMPUTERNAME% >> .\output\events.txt
In order to conduct any activities on the registry using RegRipper or other tools we'll need to work on an offline copy of the hives rather than the live hives. I found a tool that allows me to do this called HoboCopy. HoboCopy allows me to copy the live system folders to a directory of my choice. HoboCopy mentions on its website that it can do this by creating a Volume Shadow Copy (VSS) snapshot and then copying the file from VSS. To get a copy of the system hives I execute the following commands:
.\tools\hob\hobocopy.exe %SYSTEMROOT%\System32\Config\ output default .\tools\hob\hobocopy.exe %SYSTEMROOT%\System32\Config\ output SAM .\tools\hob\hobocopy.exe %SYSTEMROOT%\System32\Config\ output SECURITY .\tools\hob\hobocopy.exe %SYSTEMROOT%\System32\Config\ output SOFTWARE .\tools\hob\hobocopy.exe %SYSTEMROOT%\System32\Config\ output SYSTEM
To gather a copy of the user hives firstly we need to understand which accounts are actually on the system. I created a FOR loop that loops through the "Documents and Settings" folder and for each folder it discovers it uses hobocopy to grab a copy of the dat file. Again if you're using windows 7 you may wish to modify this to the users folder instead. The code is as follows.
FOR /F "tokens=*" %%G IN ('dir /b ^"C:\Documents and Settings\*^"') DO .\tools\hob\hobocopy.exe "c:\Documents and Settings\%%G" .\output\hives\%%G NTUSER.DAT
At this point we have a copy of each of our hive files that we'd like to investigate. I now want to run regripper against each of the hives that i've collected
FOR /F "tokens=*" %%G IN ('dir /b ^"C:\Documents and Settings\*^"') DO ( .\tools\rr\rip.exe -r .\output\hives\%%G\NTUSER.DAT -f ntuser >> output\rr-ntuser-%%G.txt .\tools\tln\regtime.exe -r
output\hives\%%G\NTUSER.DAT -u %%G -s %COMPUTERNAME%>> output\events.txt .\tools\rr\rip.exe -r
output\hives\%%G\NTUSER.DAT -p userassist_tln -u %%G >> output\events.txt .\tools\rr\rip.exe -r
output\hives\%%G\NTUSER.DAT -p autorun >> output\rr-autorun.txt
I decided to add in both the timeline output as well as the standard output as it can be useful to review both. Currently the method we are using is the "kitchen sink" type method to timelining which on any normal computer will provide us with a huge amount of information that we most likely are not interested in all of it. Its up to us an analyst to clip this data to something more meaningful to our investigation. At this point all i'm showing is how to collect the information however you may want to exclude or add certain commands for your own benefit and to clip that data to something more meaningful to your investigation.
The next step we wish to conduct is to run regripper against our system hives and we can do so by using the following commands
output\default -f default >> .\output\rr-default.txt .\tools\rr\rip.exe -r
output\SAM -f SAM >>
output\rr-sam.txt .\tools\rr\rip.exe -r
output\SECURITY -f SECURITY >>
output\rr-security.txt .\tools\rr\rip.exe -r
output\Software -f SOFTWARE >>
output\rr-software.txt .\tools\rr\rip.exe -r
output\System -f SYSTEM >>
The above creates individual output files and so you'll also want to run output to add to our events file.
.\tools\tln\regtime.exe -m HKLM\default -r .\output\default >> output\events.txt .\tools\tln\regtime.exe -m HKLM\Sam -r .\output\sam >> output\events.txt .\tools\tln\regtime.exe -m HKLM\Security -r .\output\security >> output\events.txt .\tools\tln\regtime.exe -m HKLM\Software -r .\output\software >> output\events.txt .\tools\tln\regtime.exe -m HKLM\System -r .\output\system >> output\events.txt
Unfortunately the above is going to add a large amount of noise to our output and events file so you'll need to decide what is beneficial to your investigation. Finally we run the parse command and parse our events file out to the CSV file that we'll use for our investigation.
.\tools\tln\parse.exe -f .\output\events.txt -c > .\output\timeline.csv
The parse command does offer us a -r option which allows us to specify a range of dates. This may allow us to clip our data considerably however we obviously need to have a strong understanding of when our incident may have occured.
We now have our batch file which can be modified to be run against a remote system using tools such as PsExec provided within Microsoft SysInternals. It would require some modification for this to be possible however its a simple task to achieve. This script would copy our required tools and folder structure to the remote computer and then execute our script to begin running. Finally the script could zip the output files and copy the files back to our investigation system.
If this script is combined within many of the other common forensics tools it would provide a strong foundation for live response and providing some degree of assurance that a machine was either infected or clean. At this point I believe being able to execute regripper against a live machine is beneficial however whether the timeline component of this script is beneficial i'm not sure. In terms of live response there are most likely many better ways to investigate the state of the system which potentially require less work to analyse than the above.
I hope this is of benefit to some of you.