Sunday, February 14, 2010

GNB's Timeline EnScript

A former colleague of mine, Geoff Black, has a pretty cool timeline EnScript (zip file) available on his website. I have been playing around with it and have meant to blog about it for a while...

The contents of the zip are as follows:

Timeline Report.EnPack
Timeline Report.EnScript (actual code)
Timeline_Report_README.pdf
Timeline_Report_WHATSNEW.pdf
Include\GNB_HTMLlib.EnScript (library file)
Include\GNB_XMLlib.EnScript (library file)


I must say that it's nice that Geoff has given us the code to his Timeline script so that one can modify as desired. It's also nice that he includes README and WHATSNEW files so you can have something to reference for past and present versions.

Simply unzip these items (without the pdfs) into your EnCaseX\EnScript folder and you are ready to go. You can run the script by either double clicking the EnPack or the EnScript, just make sure to add a disk image to the case first ;-). When you run it you will see the following:



There are a lot of options you can choose. Here's a closeup of the interface itself:



You can pick a certain time period with a start and stop date for the timeline (boxed in blue). You can pick the type of output you want (boxed in pink): whether you want Records, Bookmarks or a Tab Delimited report (TSV), how many entries you'd like in each TSV file, and whether you would like an HTML report better suited for IE or Firefox. There are more Script Options and Time Options (boxed in green) that allow you to select the files you want in the timeline report (default is all files) and which time entries you are interested in seeing (default is all). You can modify the order of the Output Fields (boxed in red) for the TSV file or remove fields that are not of interest. The other fields are self explanatory.

While the script is running you can see the progress bar at the bottom right. If you choose the HTML report option you may end up with several HTML files (depending on how many files are selected and how many entries per file you have chosen); in that case the files are numbered in order, for example:

TimelineReport-FF.html
TimelineReport-FF2.html
TimelineReport-FF3.html

and so on... You can see an example report below:



The latest change is highlighted, but you can see that some files might have the same time stamp for different fields. In this case the file will be listed twice, once with Created highlighted and once with Accessed highlighted (from the README).
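The behaviour described above (one timeline row per time field, a start/stop window, a configurable number of entries per report and the numbered TimelineReport-FF files) as an added Python example. This is not Geoff Black's EnScript; the sample file entries, the three time fields and the TSV column order are constructed here for the demonstration.

```python
"""Minimal timeline builder in the style of the Timeline Report EnScript (added example)."""
from datetime import datetime
from itertools import count

# Constructed sample file entries (not from any real case).
SAMPLE_FILES = [
    {"path": r"C:\Users\bob\note.txt",
     "Created": datetime(2010, 2, 1, 9, 0), "Accessed": datetime(2010, 2, 1, 9, 0),
     "Modified": datetime(2010, 2, 3, 12, 30)},
    {"path": r"C:\Users\bob\old.doc",
     "Created": datetime(2009, 12, 31, 23, 59), "Accessed": datetime(2010, 2, 2, 8, 15),
     "Modified": datetime(2009, 12, 31, 23, 59)},
]

TIME_FIELDS = ("Created", "Accessed", "Modified")   # assumed field set
DEMO_START = datetime(2010, 2, 1)
DEMO_STOP = datetime(2010, 2, 28)


def build_timeline(files, start, stop, fields=TIME_FIELDS):
    """One row per (file, time field) whose timestamp falls inside [start, stop].

    A file whose Created and Accessed times are equal is deliberately emitted
    twice, once per field, which is the README behaviour quoted in the post.
    """
    rows = []
    for f in files:
        for field in fields:
            ts = f[field]
            if start <= ts <= stop:
                rows.append({"time": ts, "field": field, "path": f["path"]})
    # Sort by time, then path, then the field order so equal timestamps stay grouped.
    rows.sort(key=lambda r: (r["time"], r["path"], fields.index(r["field"])))
    return rows


def chunk_reports(rows, per_file, prefix="TimelineReport-FF"):
    """Split rows into reports of at most per_file entries, named like the HTML output."""
    reports = {}
    for n, i in zip(count(1), range(0, len(rows), per_file)):
        name = f"{prefix}.html" if n == 1 else f"{prefix}{n}.html"
        reports[name] = rows[i:i + per_file]
    return reports


def to_tsv(rows, order=("time", "field", "path")):
    """Render rows as tab-delimited text; 'order' plays the role of the Output Fields box."""
    lines = ["\t".join(order)]
    for r in rows:
        lines.append("\t".join(str(r[c]) for c in order))
    return "\n".join(lines)


def demo(per_file=2):
    """Run the pipeline over the constructed sample and return (rows, reports)."""
    rows = build_timeline(SAMPLE_FILES, DEMO_START, DEMO_STOP)
    return rows, chunk_reports(rows, per_file)


if __name__ == "__main__":
    rows, reports = demo()
    for name, chunk in reports.items():
        print(name)
        print(to_tsv(chunk))
        print()
```

Running it prints two reports of two rows each; note.txt appears twice at 09:00 because its Created and Accessed stamps are identical, and old.doc's December stamps are dropped by the date window.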

You can check out some of Geoff's other EnScripts and CEIC presentations at his website: http://www.geoffblack.com/forensics.

Yahoo Messenger EnScripts

There are a couple of publicly available Yahoo Messenger EnScripts/EnPacks out, such as:

Yahoo Decoder in unallocated by Lance Mueller

YahooMessenger-Parser by Paul Bobby

These are pretty useful scripts; however, they don't handle right-to-left languages like Hebrew and Arabic. Here are some "before" pics from my test run with Hebrew:

Lance Mueller's script's output:



Paul Bobby's scripts' output:



As you can see (well, if you know what Hebrew letters are supposed to look like), the letters come out as gobbledygook. This is something I've been meaning to comment on for a while, having written various chat EnScripts at the beginning of my GSI employment. I have just gotten around to it now... The "encryption" method is the same for all Unicode languages in that it is a byte-by-byte XOR with the local username. The problem is that the UTF-8 encoding gets distorted when each decrypted byte is simply appended to a String. For example the letters ש and ל with UTF-8 encodings d7a9 and d79c respectively become c397 and c2a9 (it is left as an exercise for the reader to figure out why). So here comes a solution that I have used in the past.

The EnScripting language has a class called MemoryFileClass, which gives you in-memory buffers that you can treat as files. You can create them, open them, and read and write to them as you would any other file. So the idea is simple enough: write each decrypted byte to a memory buffer as you go and then read the whole message back as UTF-8 once all decryption has taken place. This is accomplished by adding a couple of helper functions to Paul Bobby's code:

// Append one decrypted byte to the buffer as a raw byte (ANSI code page, 1 byte, no re-encoding).
bool WriteBuffer(MemoryFileClass &file, char msg) {
  file.SetCodePage(CodePageClass::ANSI);
  int temp = msg;
  file.WriteBinaryInt(temp, 1);
  return file.IsValid();
}

// Once all bytes are written, rewind and read the buffer back as a UTF-8 string.
void ReadBuffer(MemoryFileClass &file, String &msg) {
  file.SetCodePage(CodePageClass::UTF8);
  file.Seek(0);
  file.ReadString(msg);
}


Now we can just call the functions as appropriate when decrypting and outputting the messages. You can see the correct output after this modification below (yeah, the conversation is lame and is just a test ;-):
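The same problem and fix, reproduced in Python as an added example (this is not the EnScript from the post or Paul Bobby's code). It assumes the username key is repeated cyclically over the message bytes; the post only says "byte-by-byte xor with the local username", so the key schedule, the username and the two-letter message are constructed here. The "broken" decoder appends each decrypted byte to a string as if it were a character, which is what turns d7a9 into c397 c2a9; the "fixed" decoder collects raw bytes first and decodes once, mirroring the MemoryFileClass approach.

```python
"""Byte-at-a-time vs. buffered decoding of XOR-obfuscated UTF-8 text (added example)."""


def xor_with_username(data: bytes, username: str) -> bytes:
    """XOR every byte of data with the username, cycling the key (assumed key schedule)."""
    key = username.encode("ascii")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decode_broken(cipher: bytes, username: str) -> str:
    """Mimics appending each decrypted byte to a String: every byte becomes its own
    character (code point 0..255) instead of being part of a multi-byte UTF-8 sequence."""
    return "".join(chr(b) for b in xor_with_username(cipher, username))


def decode_fixed(cipher: bytes, username: str) -> str:
    """Mimics WriteBuffer/ReadBuffer: collect raw bytes, then decode as UTF-8 once."""
    buf = bytearray()
    for b in xor_with_username(cipher, username):
        buf.append(b)          # the EnScript writes one raw byte per call
    return bytes(buf).decode("utf-8")


# Constructed test message: the Hebrew letters shin and lamed, no real archive data.
USERNAME = "testuser"
PLAINTEXT = "\u05e9\u05dc"      # ש ל  -> UTF-8 d7 a9 d7 9c
CIPHER = xor_with_username(PLAINTEXT.encode("utf-8"), USERNAME)


def broken_hex(cipher: bytes = CIPHER, username: str = USERNAME) -> str:
    """UTF-8 hex of the garbled string, to compare with the bytes quoted in the post."""
    return decode_broken(cipher, username).encode("utf-8").hex()


if __name__ == "__main__":
    print("plaintext bytes:", PLAINTEXT.encode("utf-8").hex())   # d7a9d79c
    print("broken         :", decode_broken(CIPHER, USERNAME), broken_hex())  # c397c2a9c397c29c
    print("fixed          :", decode_fixed(CIPHER, USERNAME))
```

The garbled output shows why the post's exercise resolves the way it does: byte d7 on its own is the character × (U+00D7), which UTF-8 encodes as c3 97, and a9 on its own is © (U+00A9), encoded as c2 a9. Keeping the bytes in a buffer until the whole message is present avoids that double encoding.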



The complete modified EnScript is available on the GSI forum (registration required):

A thread on the GSI forum with Paul Bobby's fixed EnScript

Briefly: Volatility News (2/14)

I'm a little behind in my blogging, but I wanted to post about a few items that people might not have noticed. So here it is, just in time for Valentine's Day.

Volatility SQL Plugins

I modified the Volatility SQL output plugins (download link) slightly. I changed the schema in the dlllist_2.py plugin:

memory_plugins/dlllist_2.py

Table Name: dlls

pname Process name (changed)
pid Process ID
cmdline Command Line text
base Base Address
size Size
path Path of DLL
memimage Memory image information was extracted from

I also removed the Volatility files (vutils.py and commands.py) since there were two patches that address the items I changed in those files. So now all you have to do is download Volatility from the SVN and unzip the plugins like before.

For the more adventurous, the SQL rendering plugins have been incorporated into the experimental branch of Volatility (thank you Scudette!). You can download all branches with the following command:


svn checkout http://volatility.googlecode.com/svn/branches Vol_All


For the experimental branch (located in the experimental folder) you must have Python 2.6 installed.

Volatility User Manual

There is a new Volatility User Manual contributed to the VDP by Mark Morgan. It is a compilation of past VDP articles and blog posts and covers all public plugins to date. Shouts to Mark!

EnCase Enscripts + Volatility = Takahiro Haruyama's Memory Forensics Toolkit

Takahiro Haruyama has released a new version of his Memory Forensics Toolkit. I had played around with his previous version. Now there is no excuse for the EnCase reliant not to get in on memory forensics ;-) Shouts to Takahiro for making it easier for these users!

Sunday, February 07, 2010

Briefly: Memory Analysis EnScripts

I came across a post for the Memory Forensic Toolkit EnScript in the GSI Forum a few days ago. I finally got a chance to play around with it a little today and this will be a very brief overview.

Prerequisite: EnCase 6.14 or higher.

Simply download the toolkit from the link above and unzip it into your EnCaseX.X.X\EnScripts folder. You should see something like the following in your EnScript pane, with a Windows 7 folder and a Windows XP folder:



I have only tested the XP scripts at this time. EnScripts available:

- PsList: List of all processes
- KMList: Show all loaded kernel modules
- ConnList: View all TCP connections
- VadSearch: Search a process's VAD regions for a string
- DllList: List DLLs
- OpenFiles: List the files a process has open
- ProcDump: Extracting of a process to exe format
- PsScan: Enumerates process information (EPROCESS)
- ConnScan: Enumerates TCP connection information (TCPT_OBJECT)
- KMScan: Enumerates kernel modules (LDR_MODULE)
- Vtypes/Win32/x86: library used by the above scripts

You can run these EnScripts on raw memory dumps, just make sure to check the blue box for the memory dump you would like to run the EnScript against. Just double click the script you'd like to run.

Here's an example run of PsList:



And ConnScan:



The output is very similar to Volatility's and goes to the console by default. You can easily modify the script to output to a text file, an Excel spreadsheet or any other output type you can think of, however.

For some EnScripts, like DllList, you are prompted for a PID to run it against. You can modify the script to run against all PIDs, if desired.



There is also a Microsoft Crash Analyzer which I have yet to try.

Forensic Regexes

The other day on the #volatility channel we were discussing how it might be nice to have a list of Perl regexes for common things like IP addresses. Here are a few items we came up with:

IP Address: (?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)

MAC Address: ([a-fA-F0-9]{2}\:){5}[a-fA-F0-9]{2}

URL: (http|https|ftp|mail)\:[\/\w.]+

Email: [A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,4}

You can find some other regexes on the SANS blog; however, the SANS expression for IP addresses matches items like 999.999.999.999, which we know is not a valid IP address.
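The four regexes above run over a constructed log line, as an added Python example (not from the post or the SANS article). It uses the patterns exactly as listed, contrasts the IP regex with a naive dotted-quad pattern written here for comparison (not the SANS one, whose exact text is not on the page) to show that only the naive one accepts 999.999.999.999, and adds one caveat a practitioner will hit: without boundary lookarounds the octet-checking regex still picks "12.34.56.78" out of "12.34.56.789". The sample text and the anchoring helper are both constructed.

```python
"""Exercise the forensic regexes from the post over constructed sample text (added example)."""
import re

# The patterns exactly as listed in the post.
PATTERNS = {
    "ip": r"(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}"
          r"(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)",
    "mac": r"([a-fA-F0-9]{2}\:){5}[a-fA-F0-9]{2}",
    "url": r"(http|https|ftp|mail)\:[\/\w.]+",
    "email": r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,4}",
}

# A naive dotted-quad pattern, constructed here for contrast; it does no octet range check.
NAIVE_IP = r"\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}"

# Constructed sample line; none of these values come from a real case.
SAMPLE = (
    "src=192.168.1.10 dst=10.0.0.254 bogus=999.999.999.999 "
    "mac=00:1a:2b:3c:4d:5e url=http://example.com/index.html "
    "contact=analyst@example.org\n"
)


def extract(text, patterns=PATTERNS):
    """Return {name: [matches]}.

    group(0) is used on purpose: re.findall would return only the capturing
    group for the MAC and URL patterns (e.g. "4d:" instead of the whole address).
    """
    return {name: [m.group(0) for m in re.finditer(pat, text)]
            for name, pat in patterns.items()}


def naive_ips(text):
    """Dotted quads accepted by the naive pattern, including impossible ones."""
    return re.findall(NAIVE_IP, text)


def anchored(patterns=PATTERNS):
    """Wrap each pattern so a match cannot start or end inside a longer digit/dot/word run.

    This is an added hardening, not part of the post's list: it stops the IP regex
    from returning a truncated "12.34.56.78" for the input "12.34.56.789".
    """
    return {name: r"(?<![\w.])(?:" + pat + r")(?![\w.])" for name, pat in patterns.items()}


if __name__ == "__main__":
    for name, hits in extract(SAMPLE).items():
        print(f"{name:6}: {hits}")
    print("naive : ", naive_ips(SAMPLE))
    print("partial:", extract("12.34.56.789")["ip"], "->", extract("12.34.56.789", anchored())["ip"])
```

When you carve these out of raw memory or disk images the anchored form is usually what you want, since dotted quads there are frequently embedded in longer runs of digits and punctuation.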

There's a nice post by geek00l listed at the bottom of the SANS post which links to other interesting posts.

Other references of interest:

Regular-Expressions.info
Regex Reference

What would you like to add to the list?