Forensics Product Pack

We demonstrate Tachyon integration with a number of forensic frameworks, including the Rekall memory forensic framework. Running processes are retrieved, and we note that terminated processes are also listed: Rekall reads process records directly from memory, where the structures of exited processes can linger, rather than asking the live API, so this is not something a conventional Win32 or WMI process query can return.

Scenario

The pack also demonstrates retrieval of loaded DLLs and their association with processes, again by in-memory forensics.

Other frameworks are also demonstrated, including the Windows 10 SRU database, the OSQuery subsystem and the FTK Imager toolset.

Product Pack Notes

Questions

  • Forensics: List Processes
  • Forensics: List Loaded Dlls
  • Forensics: Show SRU ProcessDetail table where Application contains %ApplicationName% and user name contains %UserName%
  • Forensics: Show SRU WindowsNetworkDataUsageMonitor table where Application contains %ApplicationName% and user name contains %UserName%
  • Forensics: Show SRU ApplicationResourceUsageProvider table where Application contains %ApplicationName% and user name contains %UserName%
  • Forensics: Using OSQuery, list running processes
  • Forensics: Using OSQuery, what Chrome browser extensions are installed?
  • Forensics: List FTK Imager available drives
  • Forensics: FTK Imager – show drive info for drive %driveNumber%
  • Forensics: FTK Imager – take forensic snapshot of drive %driveNumber%
  • Forensics: Show all files matching pattern %filePattern% which contain alternate data streams or extended attributes matching pattern %attrPattern%

Notes

The forensics product pack demonstrates Tachyon integration with a number of forensic subsystems.
The first two questions use the Google Rekall framework.
Background material on Rekall can be found at the link below.

Rekall – The Missing Manual

Only Windows devices are currently supported. Rekall does have a Debian port, but this has not yet been tested.

Asking either Rekall-based question will automatically download and install the Rekall framework on the target device. This will not be reinstalled or downloaded if it is already present. It is left installed after the question has been answered.

As far as I am aware, Rekall is an analysis tool rather than something that can be turned into a weapon, but leaving a memory-analysis toolkit installed on every endpoint that was queried does add to the software footprint there. It may therefore be desirable to uninstall Rekall after use; this is best done with a separate action, so that the user keeps the option of preserving it for a while.

The SRU questions access the Windows 10 SRU database.

The Windows 10 SRU (System Resource Usage Monitor) database is an Extensible Storage Engine (ESE) database, held at C:\Windows\System32\sru\SRUDB.dat, which records historical per-application activity such as process, CPU and network usage. This makes it useful evidence of what ran on a device even after the process has gone. More information can be found here:

https://isc.sans.edu/forums/diary/System+Resource+Utilization+Monitor/21927/

The SRU-based questions can return a large amount of data. Currently the data per table per device is capped at 1,000 rows, to ensure that excessive network traffic does not occur if a large number of endpoints are inadvertently queried. Be aware that a capped result is a truncated one, not a complete one; filter by application and user to narrow the query to the rows you actually need.

The OSQuery questions use the OSQuery subsystem to report on running processes and Chrome browser extensions. OSQuery supports a huge range of queries, and these two questions are intended as samples to be extended rather than as a definitive set.

For more information on OSQuery, see

https://osquery.io/
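As an added example of extending the two OSQuery samples (this is not code from the product pack), the script below runs the same two questions through osqueryi.exe, returns the results as PowerShell objects, and joins the Chrome extensions table against local users so that every profile is covered rather than only the account osqueryi runs as. The path to osqueryi.exe and the "unpacked extension" heuristic are assumptions for the illustration.

```powershell
# Added example, not part of the 1E product pack.
# Assumes osqueryi.exe is in the current directory (adjust $OsqueryPath as needed).
param(
    [string]$OsqueryPath = '.\osqueryi.exe'
)

function Invoke-OsqueryJson {
    param([Parameter(Mandatory)][string]$Query)
    # osqueryi prints a JSON array of rows when started with --json
    $raw = & $OsqueryPath --json $Query 2>&1
    if ($LASTEXITCODE -ne 0) { throw "osqueryi failed: $($raw -join ' ')" }
    return ($raw -join "`n") | ConvertFrom-Json
}

# Question 1: running processes, with the parent pid so a process tree can be rebuilt
$processes = Invoke-OsqueryJson -Query @'
SELECT pid, parent, name, path, cmdline, uid
FROM processes
ORDER BY pid;
'@

# Question 2: Chrome extensions for every local user. chrome_extensions is keyed
# by uid, so join it to users instead of relying on the current account only.
$extensions = Invoke-OsqueryJson -Query @'
SELECT u.username, e.name, e.identifier, e.version, e.path, e.permissions
FROM users AS u
JOIN chrome_extensions AS e ON e.uid = u.uid
ORDER BY u.username, e.name;
'@

# Assumed heuristic: Web Store installs live under a per-profile "Extensions"
# folder, so an extension loaded from elsewhere is unpacked (developer mode)
# and worth a closer look.
$unpacked = @($extensions | Where-Object { $_.path -notmatch '\\Extensions\\' })

[pscustomobject]@{
    ProcessCount   = @($processes).Count
    ExtensionCount = @($extensions).Count
    Unpacked       = $unpacked
} | ConvertTo-Json -Depth 4
```

Run it from the directory holding osqueryi.exe; the output is JSON in the same shape the Tachyon questions consume, so the queries can be dropped into the existing PowerShell resources with minimal change.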

The FTK Imager questions use the ftkimager command-line tool to retrieve forensic information. For more information, see

https://accessdata.com/product-download/ftk-imager-version-4.2.0

The file match question uses a modified version of the findfiles fast file search utility, which now supports both NTFS Alternate Data Streams (ADSs) and Extended Attributes (EAs). Both can carry data that is invisible to a normal directory listing, so both are places where malware can stash payloads or configuration. The question searches all files on all drives whose name matches the file search pattern regex (default .*, i.e. all files) and which contain one or more ADSs or EAs whose name matches the EA/ADS search pattern regex (default .*, i.e. any ADS or EA).
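The following is an added example, written for this page and not the product pack's findfiles.exe, showing the same file-pattern and stream-pattern search for the ADS half of the question using only built-in PowerShell cmdlets. It creates a constructed file with a hidden stream in a temporary directory so it can be run anywhere; Extended Attributes are not exposed by PowerShell and are not covered here, which is exactly why the pack ships a native utility.

```powershell
# Added example: ADS search with built-in cmdlets (not the product pack's findfiles.exe).
function Find-AlternateDataStream {
    param(
        [Parameter(Mandatory)][string]$Root,
        [string]$FilePattern = '.*',   # regex applied to the file name
        [string]$AttrPattern = '.*'    # regex applied to the stream name
    )
    Get-ChildItem -Path $Root -File -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match $FilePattern } |
        ForEach-Object {
            $file = $_
            # Every file has the unnamed ':$DATA' stream; anything else is an ADS.
            Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' -and $_.Stream -match $AttrPattern } |
                ForEach-Object {
                    [pscustomobject]@{
                        Path   = $file.FullName
                        Stream = $_.Stream
                        Length = $_.Length
                    }
                }
        }
}

# Constructed demonstration data: a temp directory with one file carrying a hidden stream.
$demo   = Join-Path $env:TEMP ('ads-demo-' + [guid]::NewGuid())
New-Item -ItemType Directory -Path $demo | Out-Null
$target = Join-Path $demo 'report.txt'
Set-Content -Path $target -Value 'visible content'
Set-Content -Path $target -Stream 'payload.exe' -Value 'hidden content'   # constructed ADS

# Default patterns (.*) return every ADS; narrow them with a real regex, e.g. '\.exe$'.
Find-AlternateDataStream -Root $demo -FilePattern '\.txt$' -AttrPattern '\.exe$' |
    ConvertTo-Json

Remove-Item -LiteralPath $demo -Recurse -Force
```

On a real drive the most common ADS by far is Zone.Identifier, the mark-of-the-web that browsers attach to downloads; it is benign, so in practice a stream-name pattern such as '^(?!Zone\.Identifier)' or a post-filter on that name keeps the noise down. Note also that the pattern arguments are regexes, not wildcards, so '*.exe' will not do what a shell user expects.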

Resources

For the Rekall questions:-

The Rekall framework installer (EXE)

A batch file to run Rekall. This is a very simple one-line file, used to get around difficulties with PowerShell process launching and parameter passing: PowerShell may re-quote or otherwise alter the arguments in ways that cause the launched process to run improperly, whereas cmd.exe passes them through unchanged.

Two PowerShell scripts, one for each question. These are very similar to each other: each runs Rekall, performs the appropriate query and then reshapes the results into a JSON format suitable for consumption by Tachyon.

For the SRU questions:-

A CAB file containing the required .NET executable and supporting DLLs to extract information from the SRU database. Note that there are additional tables in this database that can be queried; however, the three tables here appear to be the most useful. You can view the source for the .NET executable in the TFS research project tree as ESEReader.

For the FTK questions:-

A CAB file containing the ftkimager tool

For the OSQuery questions:-

The osqueryi.exe utility, as a resource

For the file search question:-

The findfiles.exe utility, as a resource (latest version, supporting EAs)

The CAB file for the SRU questions contains a .NET utility, ESEReader. You can invoke this directly from the command line to read SRU tables, if desired. The syntax is

ESEReader <tableName> [-a <applicationRegex>] [-u <userRegex>]

The -a and -u flags and their associated patterns are optional. If neither is specified, up to 1,000 rows are returned from the specified table, in JSON format. The patterns are .NET regular expressions, e.g.

-a .* -u .*

would match all applications and all users, which is also the default behaviour when the flags are not specified.

If an empty quoted regex is specified, e.g. -a "" -u "", the result is identical (all rows returned).

Otherwise the regex filters the results. If both -a and -u patterns are specified, the results are the logical AND of the two matches, i.e. both patterns must match for a row to be returned.

Note that a single asterisk (*) is not a valid regex: it is a quantifier with nothing to repeat. Specifying * instead of .* will cause the pattern match to fail and no rows will be returned. Sorry, that is just how regexes work. The default values in the Tachyon explorer are already filled in for you as ".*" to ensure correct behaviour.

The tables in the ESE database are mostly named with opaque GUIDs. However, each table has a logical function, and the utility maps a logical table name to a physical table name internally. You can specify any of the following logical table names (the three used by the questions above):

  • ProcessDetail
  • WindowsNetworkDataUsageMonitor
  • ApplicationResourceUsageProvider

Unfortunately the tables are not well documented, and in one case appear to be completely undocumented.
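To make the -a/-u filter semantics concrete, here is an added PowerShell example, written for this page rather than taken from ESEReader, that applies the same rules (empty pattern means match all, both patterns must match, results capped at 1,000 rows, an invalid regex such as a bare * yields nothing) to a few constructed rows shaped like the ProcessDetail table. The row layout and the user-name format are assumptions for the illustration.

```powershell
# Added example: reproduces ESEReader's filter rules over constructed rows.
function Select-SruRow {
    param(
        [Parameter(Mandatory)][object[]]$Rows,
        [string]$Application = '',
        [string]$User = '',
        [int]$MaxRows = 1000
    )
    # An empty pattern behaves like .* (match everything), as the tool does.
    if ($Application -eq '') { $Application = '.*' }
    if ($User -eq '')        { $User = '.*' }
    try {
        $appRx  = [regex]::new($Application, 'IgnoreCase')
        $userRx = [regex]::new($User, 'IgnoreCase')
    } catch {
        # A bare '*' is a quantifier with nothing to repeat: invalid regex, so no rows.
        Write-Warning "Invalid regex: $($_.Exception.Message)"
        return @()
    }
    # Both patterns must match (logical AND); stop at the row cap.
    $Rows |
        Where-Object { $appRx.IsMatch($_.Application) -and $userRx.IsMatch($_.User) } |
        Select-Object -First $MaxRows
}

# Constructed rows in the rough shape of the SRU ProcessDetail table (assumed layout).
$rows = @(
    [pscustomobject]@{ Application = '\Device\HarddiskVolume2\Program Files\Google\Chrome\Application\chrome.exe'; User = 'CORP\alice';             CpuTime = 1200 }
    [pscustomobject]@{ Application = '\Device\HarddiskVolume2\Windows\System32\svchost.exe';                       User = 'NT AUTHORITY\SYSTEM';    CpuTime = 800 }
    [pscustomobject]@{ Application = '\Device\HarddiskVolume2\Users\alice\Downloads\update.exe';                   User = 'CORP\alice';             CpuTime = 40 }
)

Select-SruRow -Rows $rows -Application 'chrome' -User 'alice'   # one row: chrome.exe for alice
Select-SruRow -Rows $rows -Application '' -User ''               # all three rows (defaults)
Select-SruRow -Rows $rows -Application 'Downloads\\'             # the update.exe row, any user
Select-SruRow -Rows $rows -Application '*'                       # warning, no rows
```

The same rules apply when the patterns are typed into the Tachyon explorer, so a pattern that looks like a shell wildcard (*.exe) silently returns nothing; use \.exe$ instead.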

Details

Author

1E Product Pack Creator

Published

Downloads

9

Categories

,

Compatible Versions