Wednesday 7 March 2012

The (Wannabe) Dark Lord of the SIFT


Obi-Wan has taught you well?


Recently, I deleted some posts relating to the M57.biz Jean scenario. However, I also think that there was some helpful (non M57 specific) information on using various SIFT tools for Windows investigations. Consequently, I have re-mixed some of the deleted posts into this non-case specific post.

Before channelling the Dark Lord of the SIFT, I recommend reading "Digital Forensics With Open Source Tools" (Altheide & Carvey) and "Windows Forensic Analysis DVD Toolkit 2 Ed" (Carvey) or at least have them handy. Of particular interest are the following pages from DFWOST:
pp 19-23 Working with Images on Linux
pp 79-89 Windows Registry, Event Logs, Prefetch Files, Shortcut files
pp 143-153 IE and Firefox Artifacts
pp 161-164 Outlook PST
WFADT also covers some of the above topics in greater detail - for example, Ch 4 Windows Registry (p 158) includes a section on finding USB artifacts (p 207).

A Bit of Unix Background

Most SIFT tools are located in the "/usr/local/bin" directory and can be run from a terminal window using the "sansforensics" login. If you know the command name (eg XYZ), you can type "which XYZ" and it will tell you where the executable is located. Because "/usr/local/bin" is on the PATH environment variable, you don't have to type the full path "/usr/local/bin/XYZ" every time you want to launch it - you can just type "XYZ" and the shell will search the PATH directories and find it.
You can also use the TAB key to auto-complete directory names / command names - perfect for the lazy monkey typist in all of us. eg typing "ls /ca" then TAB will autocomplete the command to "ls /cases/" (assuming there isn't another folder/directory starting with "ca").
Also, bash saves the commands you type to a history file ("~/.bash_history") and you can cycle through previous commands by using the UP / DOWN arrows on the keyboard (or list them with the "history" command).

Redirection (">")  is another handy unix tool to know - eg "ls -al > sometextfile.txt" will store the output of the ls (list files) command to a file called "sometextfile.txt" in the current directory. You can then read the file using gedit (a GUI text editor) or the "more" command (eg "more sometextfile.txt").
You can also use ">>" to append ie add to the end of a file. eg "ls -al >> sometextfile.txt" will add the file listing to whatever is already in "sometextfile.txt".

Piping ("|") is also useful for chaining commands together - eg "ls -al | more" will print out a detailed file listing via the more command (which pauses a scrolling screen until a key is pressed). The pipe symbol is obtained by pressing SHIFT and the \ key (at least on my keyboard).

The "find" command can be used to find files by name eg "find . -iname '*.txt' -print" will print out a list of all .txt files (case-insensitive) under the current directory (.) - this will include any .txt files under a sub-directory. Quote the pattern: if you leave "*.txt" unquoted, the shell expands it against the current directory before find ever sees it, and the search silently becomes a search for whichever names happened to match there.

The "grep" command can be used to search through a file for keywords. eg "grep -in monkeys *.txt" will (case-insensitive) search all .txt files for the term "monkeys" and print the results (with line numbers, from "-n") to screen. A more comprehensive search can be obtained via "find . -type f -exec grep -in XYZ '{}' \;" - this will search all regular files ("-type f") under the current directory for the XYZ search term. The same thing can be done more simply with "grep -rin XYZ ." where "-r" tells grep to recurse into sub-directories itself.

Calculating MD5 hashes can be done via "md5sum ABC" where ABC represents the file you wish to calculate the hash for ("sha1sum" and "sha256sum" work the same way if you need a stronger hash for comparison).

Help for the commands is usually available by typing "man XYZ" for unix system commands. Some of the SIFT tools are scripts and/or do not use the man help method. If they do have help, it's usually in the form "XYZ -h", "XYZ -help" or "XYZ --help" (where XYZ is the script name/executable name). If in doubt, typing the executable/script name without arguments will usually bring up a usage hint.

Selected List of SIFT Tools

FYI On the SIFT desktop, there's a "Tool Descriptions for SIFT Workstation 2.12" PDF and there's also the "SIFT Cheatsheet" PDF.

In no particular order, here are some of the SIFT tools I have used and what they're used for:

Ubuntu File Browser to er ... browse files (eg browse each user's Desktop / Recent folder on the mounted image). You can access it by double-clicking on the SIFTWORKSTATION Desktop icon (or any of the other folder shortcuts on the desktop).

"galleta" to analyse Internet Cookies eg "galleta cookie.txt > cookie-results.txt".

"pasco" to analyse the Internet Explorer cache eg "pasco index.dat > index-dat-results.txt" or
"find /mnt/caseX/Documents\ and\ Settings -iname index.dat -exec pasco '{}' \; > all-index-dat-results.txt"
which will find all "index.dat" files and then run pasco against each of them, collecting the results in "all-index-dat-results.txt". Note the backslash ("\") before each space in the path (eg "/Documents\ and\ Settings") - it tells the shell to treat the space as part of the name rather than as the end of an argument; wrapping the whole path in double quotes does the same job. You could also use TAB to auto-complete the various directory names instead of typing the whole thing.

"rifiuti" can be used to see what was emptied from the Windows Recycle Bin via the RECYCLER INFO2 file. eg "rifiuti /mnt/caseX/RECYCLER/S-1-5-21-484763869-796845957-839522115-1004/INFO2"

"exiftool" to extract metadata about a file eg "exiftool abc.doc > abc-doc-metadata.txt"

"lp" to analyse file link metadata eg "lp shortcut.lnk > shortcut-metadata.txt"

"pf" to analyse the Windows Prefetch files eg "ls Prefetch/*.pf | pf -m > prefetch-results.txt" will list all .pf files and then call "pf" for each and store the results.

"readpst" to extract the contents of an MS Outlook .pst file. eg "readpst -M -D outlook.pst" will extract all emails (including deleted ones, thanks to "-D") as one file per message ("-M") into the current directory under various sub-folders such as Inbox, Sent Items, Outbox. You can then open the emails up in a text editor and/or use grep to search for interesting terms.
Update: A similar .pst extraction tool called "pffexport" is also installed on SIFT and it has the added advantage of extracting/decoding any email attachments. You can launch it using something like:
"pffexport outlook.pst".

The Regripper "rip.pl" script can be used to analyse the contents of the Windows Registry (eg Mounted devices, recentdocs, typed paths, timezone, environment paths, typed URLs, USB storage, computer name, SAM parsing for User/Group info etc.) eg "rip.pl -r /mnt/caseX/Documents\ and\ Settings/Administrator/NTUSER.DAT -p userassist" will display the Administrator's UserAssist key contents using the userassist plugin. A more comprehensive plugin list is available from the "Tool Descriptions for SIFT Workstation 2.12" PDF mentioned earlier.

"foremost" to carve out any deleted files based on file headers in unallocated space / file slack. See "SANS SIFT Cheat Sheet" PDF under the "Recovering data" section (p 20).
Basically you use "blkls" (from TSK) twice - once to extract the unallocated (deleted) disk blocks and again (with "-s") for the slack space at the end of allocated files. We capture both outputs to separate files and then run the "foremost" executable over each captured output:
"blkls -o 63 /mnt/ewf/caseX-image > /home/sansforensics/unalloc-caseX.blkls"
"blkls -s -o 63 /mnt/ewf/caseX-image > /home/sansforensics/slack-caseX.blkls"
"foremost -o unalloc-output-directory /home/sansforensics/unalloc-caseX.blkls"
"foremost -o slack-output-directory /home/sansforensics/slack-caseX.blkls"
The respective "unalloc-output-directory" / "slack-output-directory" folders will now contain a listing of any recovered files (called "audit.txt") in addition to the recovered files themselves, sorted into sub-folders by type and named by their offset rather than their original filenames (carving works from file headers, so the original names are not recoverable this way). BTW the 63 is the sector offset of the file system from the start of the image, obtained via (TSK) "sudo mmls /mnt/ewf/caseX-image".

"usp" to find USB storage device artifacts on an NTFS volume. eg "sudo usp -disk /mnt/ewf/caseX-image 32256". Note the 32256 represents the byte offset of the file system from the beginning of the image. The file system in this example starts at sector 63 so ... 512 byte sector X 63 sectors = 32256 bytes.
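As an added example (not from the original post and not part of The Sleuth Kit), here is a small Python helper that parses "mmls" output and works out, for each file system it lists, the sector offset that "blkls -o" wants and the byte offset that "usp -disk" wants. It reads the sector size from the "Units are in N-byte sectors" line rather than assuming 512, so it also copes with 4096-byte-sector images. The mmls text embedded in the script is constructed to match the 63-sector layout used above; the "run_mmls" wrapper only works where TSK is installed, and the "caseX" naming is just a placeholder.

```python
"""Compute blkls/usp offsets from mmls output.

Added example, not from the original post or from The Sleuth Kit. It
assumes the plain-text table that `mmls <image>` prints; SAMPLE_MMLS is a
constructed copy of that format for the 63-sector layout in the text.
"""
import re
import subprocess
from typing import List, NamedTuple

SAMPLE_MMLS = """DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

     Slot    Start        End          Length       Description
00:  Meta    0000000000   0000000000   0000000001   Primary Table (#0)
01:  -----   0000000000   0000000062   0000000063   Unallocated
02:  00:00   0000000063   0006297479   0006297417   NTFS (0x07)
"""


class Partition(NamedTuple):
    slot: str
    start_sector: int   # what "blkls -o" / "fls -o" want
    length_sectors: int
    byte_offset: int    # what "usp -disk <image> <offset>" wants
    description: str


_UNITS = re.compile(r"Units are in (\d+)-byte sectors")
_ROW = re.compile(r"^\d+:\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(.+?)\s*$")


def parse_mmls(text: str) -> List[Partition]:
    """Return the file-system-bearing entries of an mmls table."""
    units = _UNITS.search(text)
    if not units:
        raise ValueError("no 'Units are in N-byte sectors' line; not mmls output?")
    sector_size = int(units.group(1))  # 512 here, 4096 on Advanced Format disks
    parts = []
    for line in text.splitlines():
        row = _ROW.match(line)
        if not row:
            continue
        slot, start, _end, length, desc = row.groups()
        # "Meta" is the partition table itself and "-----" marks unallocated
        # gaps: neither holds a file system for blkls or usp to open.
        if slot == "Meta" or slot.startswith("-"):
            continue
        start_sector = int(start)
        parts.append(Partition(slot, start_sector, int(length),
                               start_sector * sector_size, desc))
    return parts


def commands_for(image: str, parts: List[Partition], case: str = "caseX") -> List[str]:
    """Spell out the blkls / foremost / usp invocations from the post for
    each file system, so the offsets are never typed by hand."""
    cmds = []
    for p in parts:
        tag = f"{case}-s{p.start_sector}"
        cmds += [
            f"blkls -o {p.start_sector} {image} > unalloc-{tag}.blkls",
            f"blkls -s -o {p.start_sector} {image} > slack-{tag}.blkls",
            f"foremost -o unalloc-{tag} unalloc-{tag}.blkls",
            f"foremost -o slack-{tag} slack-{tag}.blkls",
            f"sudo usp -disk {image} {p.byte_offset}",
        ]
    return cmds


def run_mmls(image: str) -> List[Partition]:
    """Run the real mmls (needs TSK on the PATH) and parse its output."""
    out = subprocess.run(["mmls", image], check=True,
                         capture_output=True, text=True).stdout
    return parse_mmls(out)


if __name__ == "__main__":
    for cmd in commands_for("/mnt/ewf/caseX-image", parse_mmls(SAMPLE_MMLS)):
        print(cmd)
```

Running it prints the five command lines for the NTFS volume at sector 63, with "32256" already filled in for usp. On a real case, swap "parse_mmls(SAMPLE_MMLS)" for "run_mmls('/mnt/ewf/caseX-image')" and check the printed offsets against the mmls table before running anything.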

"evtx_view" to view Windows Event (.Evt) Log files from "/mnt/caseX/WINDOWS/system32/config". This GUI can be accessed from the Applications, Forensics top menu on the SIFT VM.

"SQLite Manager" Firefox plugin to view SQLite databases such as places, cookies, downloads, form history.


Creating A Super Timeline

Basically a huge CSV file containing timestamped entries gathered from the file system and other artifacts on the image, ordered by time. Where applicable, it lists separate entries for the created/modified/accessed times of each file. It makes it easier to pinpoint what files were changed (and what else happened) in a given time period. There's a nice demo presentation by Rob Lee for SANS 508 from 2009 on the SANS 508 course web page (you need to login to view it). The steps are also documented in the "SIFT Cheat Sheet" PDF (p. 19 "Creating Super Timelines" section).
Warning: It took my VM over 1 hour 20 minutes (mostly to do the initial "timescanner" command) for a 3 GB image. Loading the resultant 24 MB CSV (using SIFT's OpenOffice) took a while too.

Decoding Email Attachments

Say you run "readpst" and then come across an email with an attachment encoded in base64. To obtain a copy of the file attachment, open the original email containing the attachment using a GUI text editor (eg gedit). When there's an attachment in an email, it will be delineated by a boundary marker (something like "----boundary-LibPST-iamunique-1649760492_-_-"). Then there will be a bunch of other header fields (Content-Type, Content-Transfer-Encoding, Content-Disposition) with the last one being the "filename=abc.doc" field (for example). We then copy-and-paste all the base64 text between the blank line after the filename field and the next boundary marker into a separate new file and save it temporarily (eg "tempabc").
Now we have to decode the temporary ("tempabc") attachment from base64, strip out any garbage characters and store the result in a file with the email attachment's original filename (eg "abc.doc"). One handy command for this is: "base64 -di tempabc > abc.doc" - "-d" decodes and "-i" tells base64 to ignore any characters outside the base64 alphabet (eg stray line endings or a boundary line copied by accident) instead of aborting on them.
A subsequent "md5sum abc.doc" can then be used to compare it with another source so we can show that the email attachment matches/does not match another file.
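Copying the base64 text out of gedit works for a single message but is slow and error-prone over a whole mailbox. As an added example (not from the original post and not part of libpst/readpst), the Python script below uses the standard library's "email" parser to do the same job: it walks the one-file-per-message output of "readpst -M", decodes every attachment (the parser tolerates the line wrapping and stray whitespace that "base64 -di" otherwise has to skip), writes it out under its original filename and records the MD5 so it can be compared with another source as above. The message embedded in the script is constructed to mimic a libpst-written file, and the attachment content is the string "The quick brown fox jumps over the lazy dog" because its MD5 (9e107d9d372bb6826bd81d3542a419d6) is a well-known test vector; the addresses and "abc.doc" name are placeholders.

```python
"""Extract and hash attachments from readpst -M message files.

Added example, not code from the original post or from libpst/readpst.
Assumes readpst -M output: one RFC 822 message per file under folders
such as Inbox/ and Sent Items/.
"""
import base64
import hashlib
import os
from email import policy
from email.parser import BytesParser
from typing import List, NamedTuple, Tuple

# Constructed sample attachment; its MD5 is a well-known test vector.
ATTACHMENT_BYTES = b"The quick brown fox jumps over the lazy dog"
# Constructed message in the shape readpst -M writes (libpst-style boundary).
_BOUNDARY = "--boundary-LibPST-iamunique-1649760492_-_-"
SAMPLE_MESSAGE = (
    "From: alice@example.com\n"
    "To: bob@example.com\n"
    "Subject: figures\n"
    "MIME-Version: 1.0\n"
    f'Content-Type: multipart/mixed; boundary="{_BOUNDARY}"\n'
    "\n"
    f"--{_BOUNDARY}\n"
    "Content-Type: text/plain; charset=us-ascii\n"
    "\n"
    "See attached.\n"
    f"--{_BOUNDARY}\n"
    'Content-Type: application/msword; name="abc.doc"\n'
    "Content-Transfer-Encoding: base64\n"
    'Content-Disposition: attachment; filename="abc.doc"\n'
    "\n"
    + base64.encodebytes(ATTACHMENT_BYTES).decode("ascii")
    + f"--{_BOUNDARY}--\n"
).encode("ascii")


class Attachment(NamedTuple):
    filename: str
    data: bytes
    md5: str


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def safe_name(name) -> str:
    """Attachment names come from the mail, so treat them as untrusted:
    keep only the basename so a name like "..\\..\\x.doc" cannot escape
    the output directory."""
    base = os.path.basename((name or "").replace("\\", "/"))
    return base or "unnamed-attachment"


def extract_attachments(raw: bytes) -> List[Attachment]:
    """Decode every attachment in one RFC 822 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    found = []
    for part in msg.iter_attachments():
        # decode=True undoes base64 (or quoted-printable), ignoring the
        # 76-column line wrapping and stray whitespace in the payload.
        data = part.get_payload(decode=True)
        if not data:
            continue
        found.append(Attachment(safe_name(part.get_filename()), data, md5_hex(data)))
    return found


def extract_tree(readpst_dir: str, out_dir: str) -> List[Tuple[str, str, str]]:
    """Walk readpst -M output and save every attachment; returns
    (message file, saved file, md5) so the hashes can be compared elsewhere."""
    os.makedirs(out_dir, exist_ok=True)
    saved = []
    for root, _dirs, files in os.walk(readpst_dir):
        for fname in sorted(files):
            path = os.path.join(root, fname)
            with open(path, "rb") as fh:
                raw = fh.read()
            for i, att in enumerate(extract_attachments(raw)):
                # Prefix with the message name so same-named attachments
                # from different mails do not overwrite each other.
                dest = os.path.join(out_dir, f"{fname}-{i}-{att.filename}")
                with open(dest, "wb") as fh:
                    fh.write(att.data)
                saved.append((path, dest, att.md5))
    return saved


if __name__ == "__main__":
    for att in extract_attachments(SAMPLE_MESSAGE):
        print(f"{att.md5}  {att.filename} ({len(att.data)} bytes)")
```

The stand-alone run prints "9e107d9d372bb6826bd81d3542a419d6  abc.doc (43 bytes)", which is what "md5sum" would print for the same file. The basename check in "safe_name" matters because the filename field is whatever the sender put in the message; writing it to disk unmodified lets a crafted "../" name land outside your output folder.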

There are heaps more SIFT tools but due to time/sanity constraints I think I'll stop here ... If you have a favourite SIFT tool, please be sure to share it in the comments section.
I have heard some good things about the meld tool for comparing differences between files - has anyone else used it?