Windows Logs Automation

Offline Artifacts Collection

Velociraptor Offline Agent

In certain scenarios, it may be necessary to collect artifacts from target machines in an offline mode, ensuring minimal alteration or contamination of the digital environment. Various tools are available for this purpose, designed to extract information discreetly and effectively. These tools enable forensic investigators to gather crucial data without compromising the integrity of the evidence.

Importing an offline collection can be done via the Server.Utils.ImportCollection artifact. This artifact will inspect the zip file from a path specified on the server and import it as a new collection (with a new collection ID) into either a specified client or a new randomly generated client.

Using the KAPE GUI to analyze the artifacts

Instead of the Velociraptor GUI, you can use the KAPE GUI to analyze and process all the collected artifacts.

If you are running it locally, the "Module Source" should be the folder that contains the collected artifacts. 😎

Next, you can use Timeline Explorer to analyze the result.

KAPE Agent Collector

The KAPE agent can also be used to collect the data.

The GUI can be used to select what kind of collection we want to do:

To collect the artifacts on the remote machine, you only need the kape.exe collector together with its Modules and Targets folders. See below:

To execute it, open a new command line with administrator rights and paste the command obtained from step 4 in the GUI.

.\kape.exe --tsource C: --tdest C:\temp\kape --tflush --target !SANS_Triage --zip SERVER-DC01 --debug --gui

Next, the data will be available in C:\temp\kape inside a zip file.

Run modules on the target machine

In addition, you can also run the modules on the target machine or locally.

If you are running it locally, the "Module Source" should be the folder that contains the collected artifacts. 😎

Next, you can use Timeline Explorer to analyze the result.

Remote Collections with KAPE

kape.exe --tsource \\target-1\c --target LnkFilesAndJumpLists --tdest c:\kape_out\test 

Alternatively, access the target machine, mount the KAPE server share, and run KAPE from the share so the binary never touches the target's disk.

net use k: \\kape-server-vm\triage /user:kape-server-vm\analyst

k:\kape\kape.exe --tsource C --target RegistryHives --tdest k:\kape_out\tdest --vss

Building your agent collector

By developing your own agent, you can also collect the raw files from the target Windows machine. This is very useful for in-depth post-analysis.

Next, see some of the raw artifacts collected.

Example of the content of the "amcache directory":

Full disk image

In order to obtain a complete snapshot of the target machines, the following tools can be used:

FTK Imager

Disk2vhd

More details on how to use it can be found here:

chntpw

chntpw can also be used to change Windows local administrator passwords before starting an analysis.

Autopsy

TestDisk & PhotoRec

This tool can be used to recover files from damaged devices.

Velociraptor Analysis

After getting the ZIP files with all the artifacts, the file must be imported into the GUI.

Importing an offline collection can be done via the Server.Utils.ImportCollection artifact. This artifact will inspect the zip file from a path specified on the server and import it as a new collection (with a new collection ID) into either a specified client or a new randomly generated client.

After that, click on "Search" and select the target machine ID you want to analyze.

After that, select the flow ID (FLOWID) of the imported artifacts, click on Notebook, and all the data is presented! 👍

In addition, you can also create a new hunt and add the notebook results to it. This is simply a way of splitting the results so that the analysis is easier.

EVTX Analysis

chainsaw

git clone https://github.com/WithSecureLabs/chainsaw.git
./chainsaw hunt EVTX-ATTACK-SAMPLES/ -s sigma/ --mapping mappings/sigma-event-logs-all.yml

Search all .evtx files for the case-insensitive string "mimikatz"

./chainsaw search mimikatz -i evtx_attack_samples/

Search all .evtx files for PowerShell script block events (Event ID 4104)

./chainsaw search -t 'Event.System.EventID: =4104' evtx_attack_samples/

Search a specific evtx log for logon events, with a matching regex pattern, output in JSON format

./chainsaw search -e "DC[0-9].insecurebank.local" evtx_attack_samples --json

Hunting

Hunt through all evtx files using Sigma rules for detection logic

./chainsaw hunt evtx_attack_samples/ -s sigma/ --mapping mappings/sigma-event-logs-all.yml

Hunt through all evtx files using Sigma rules and Chainsaw rules for detection logic and output in CSV format to the results folder

./chainsaw hunt evtx_attack_samples/ -s sigma/ --mapping mappings/sigma-event-logs-all.yml -r rules/ --csv --output results

Hunt through all evtx files using Sigma rules for detection logic, only search between specific timestamps, and output the results in JSON format

./chainsaw hunt evtx_attack_samples/ -s sigma/ --mapping mappings/sigma-event-logs-all.yml --from "2019-03-17T19:09:39" --to "2019-03-17T19:09:50" --json

Example hunt restricted to critical-level rules, with its output:

$ ./chainsaw hunt -r rules/ evtx_attack_samples -s sigma/rules --mapping mappings/sigma-event-logs-all.yml --level critical

     ██████╗██╗  ██╗ █████╗ ██╗███╗   ██╗███████╗ █████╗ ██╗    ██╗
    ██╔════╝██║  ██║██╔══██╗██║████╗  ██║██╔════╝██╔══██╗██║    ██║
    ██║     ███████║███████║██║██╔██╗ ██║███████╗███████║██║ █╗ ██║
    ██║     ██╔══██║██╔══██║██║██║╚██╗██║╚════██║██╔══██║██║███╗██║
    ╚██████╗██║  ██║██║  ██║██║██║ ╚████║███████║██║  ██║╚███╔███╔╝
     ╚═════╝╚═╝  ╚═╝╚═╝  ╚═╝╚═╝╚═╝  ╚═══╝╚══════╝╚═╝  ╚═╝ ╚══╝╚══╝
        By WithSecure Countercept (@FranticTyping, @AlexKornitzer)

    [+] Loading detection rules from: ../../rules/, /tmp/sigma/rules
    [+] Loaded 129 detection rules (198 not loaded)
    [+] Loading event logs from: ../../evtx_attack_samples (extensions: .evtx)
    [+] Loaded 268 EVTX files (37.5 MB)
    [+] Hunting: [========================================] 268/268

    [+] Group: Antivirus
    ┌─────────────────────┬────────────────────┬──────────┬───────────┬─────────────┬────────────────────────────────┬──────────────────────────────────┬────────────────────┐
    │      timestamp      │     detections     │ Event ID │ Record ID │  Computer   │          Threat Name           │           Threat Path            │        User        │
    ├─────────────────────┼────────────────────┼──────────┼───────────┼─────────────┼────────────────────────────────┼──────────────────────────────────┼────────────────────┤
    │ 2019-07-18 20:40:00 │ ‣ Windows Defender │ 1116     │ 37        │ MSEDGEWIN10 │ Trojan:PowerShell/Powersploit. │ file:_C:\AtomicRedTeam\atomic-   │ MSEDGEWIN10\IEUser │
    │                     │                    │          │           │             │ M                              │ red-team-master\atomics\T1056\   │                    │
    │                     │                    │          │           │             │                                │ Get-Keystrokes.ps1               │                    │
    ├─────────────────────┼────────────────────┼──────────┼───────────┼─────────────┼────────────────────────────────┼──────────────────────────────────┼────────────────────┤
    │ 2019-07-18 20:53:31 │ ‣ Windows Defender │ 1117     │ 106       │ MSEDGEWIN10 │ Trojan:XML/Exeselrun.gen!A     │ file:_C:\AtomicRedTeam\atomic-   │ MSEDGEWIN10\IEUser │
    │                     │                    │          │           │             │                                │ red-team-master\atomics\T1086\   │                    │
    │                     │                    │          │           │             │                                │ payloads\test.xsl                │                    │
    └─────────────────────┴────────────────────┴──────────┴───────────┴─────────────┴────────────────────────────────┴──────────────────────────────────┴────────────────────┘

    [+] Group: Log Tampering
    ┌─────────────────────┬───────────────────────────────┬──────────┬───────────┬────────────────────────────────┬───────────────┐
    │      timestamp      │          detections           │ Event ID │ Record ID │            Computer            │     User      │
    ├─────────────────────┼───────────────────────────────┼──────────┼───────────┼────────────────────────────────┼───────────────┤
    │ 2019-01-20 07:00:50 │ ‣ Security Audit Logs Cleared │ 1102     │ 32853     │ WIN-77LTAPHIQ1R.example.corp   │ Administrator │
    └─────────────────────┴───────────────────────────────┴──────────┴───────────┴────────────────────────────────┴───────────────┘

    [+] Group: Sigma
    ┌─────────────────────┬────────────────────────────────┬───────┬────────────────────────────────┬──────────┬───────────┬──────────────────────────┬──────────────────────────────────┐
    │      timestamp      │           detections           │ count │     Event.System.Provider      │ Event ID │ Record ID │         Computer         │            Event Data            │
    ├─────────────────────┼────────────────────────────────┼───────┼────────────────────────────────┼──────────┼───────────┼──────────────────────────┼──────────────────────────────────┤
    │ 2019-04-29 20:59:14 │ ‣ Malicious Named Pipe         │ 1     │ Microsoft-Windows-Sysmon       │ 18       │ 8046      │ IEWIN7                   │ ---                              │
    │                     │                                │       │                                │          │           │                          │ Image: System                    │
    │                     │                                │       │                                │          │           │                          │ PipeName: "\\46a676ab7f179e511   │
    │                     │                                │       │                                │          │           │                          │ e30dd2dc41bd388"                 │
    │                     │                                │       │                                │          │           │                          │ ProcessGuid: 365ABB72-D9C4-5CC   │
    │                     │                                │       │                                │          │           │                          │ 7-0000-0010EA030000              │
    │                     │                                │       │                                │          │           │                          │ ProcessId: 4                     │
    │                     │                                │       │                                │          │           │                          │ RuleName: ""                     │
    │                     │                                │       │                                │          │           │                          │ UtcTime: "2019-04-29 20:59:14.   │
    │                     │                                │       │                                │          │           │                          │ 430"                             │
    ├─────────────────────┼────────────────────────────────┼───────┼────────────────────────────────┼──────────┼───────────┼──────────────────────────┼──────────────────────────────────┤
    │ 2019-04-30 20:26:51 │ ‣ CobaltStrike Service         │ 1     │ Microsoft-Windows-Sysmon       │ 13       │ 9806      │ IEWIN7                   │ ---                              │
    │                     │ Installations in Registry      │       │                                │          │           │                          │ Details: "%%COMSPEC%% /b /c st   │
    │                     │                                │       │                                │          │           │                          │ art /b /min powershell.exe -no   │
    │                     │                                │       │                                │          │           │                          │ p -w hidden -noni -c \"if([Int   │
    │                     │                                │       │                                │          │           │                          │ Ptr]::Size -eq 4){$b='powershe   │
    │                     │                                │       │                                │          │           │                          │ ll.exe'}else{$b=$env:windir+'\   │
    │                     │                                │       │                                │          │           │                          │ \syswow64\\WindowsPowerShell\\   │
    │                     │                                │       │                                │          │           │                          │ v1.0\\powershell.exe'};$s=New-   │
    │                     │                                │       │                                │          │           │                          │ Object System.Diagnostics.Proc   │
    │                     │                                │       │                                │          │           │                          │ essStartInfo;$s.FileName=$b;$s   │
    │                     │                                │       │                                │          │           │                          │ .Arguments='-noni -nop -w hidd   │
    │                     │                                │       │                                │          │           │                          │ en -c &([scriptblock]::create(   │
    │                     │                                │       │                                │          │           │                          │ (New-Object IO.StreamReader(Ne   │
    │                     │                                │       │                                │          │           │                          │ w-Object IO.Compression.GzipSt   │
    │                     │                                │       │                                │          │           │                          │ ream((New-Object IO.MemoryStre   │
    │                     │                                │       │                                │          │           │                          │ am(,[Convert]::FromBase64Strin   │
    │                     │                                │       │                                │          │           │                          │ g(''H4sIAIuvyFwCA7VW+2/aSBD+OZ   │
    │                     │                                │       │                                │          │           │                          │ H6P1...                          │
    │                     │                                │       │                                │          │           │                          │ (use --full to show all content) │
    │                     │                                │       │                                │          │           │                          │ EventType: SetValue              │
    │                     │                                │       │                                │          │           │                          │ Image: "C:\\Windows\\system32\   │
    │                     │                                │       │                                │          │           │                          │ \services.exe"                   │
    │                     │                                │       │                                │          │           │                          │ ProcessGuid: 365ABB72-2586-5CC   │
    │                     │                                │       │                                │          │           │                          │ 9-0000-0010DC530000              │
    │                     │                                │       │                                │          │           │                          │ ProcessId: 460                   │
    │                     │                                │       │                                │          │           │                          │ RuleName: ""                     │
    │                     │                                │       │                                │          │           │                          │ TargetObject: "HKLM\\System\\C   │
    │                     │                                │       │                                │          │           │                          │ urrentControlSet\\services\\he   │
    │                     │                                │       │                                │          │           │                          │ llo\\ImagePath"                  │
    │                     │                                │       │                                │          │           │                          │ UtcTime: "2019-04-30 20:26:51.   │
    │                     │                                │       │                                │          │           │                          │ 934"                             │
    ├─────────────────────┼────────────────────────────────┼───────┼────────────────────────────────┼──────────┼───────────┼──────────────────────────┼──────────────────────────────────┤
    │ 2019-05-12 12:52:43 │ ‣ Meterpreter or Cobalt        │ 1     │ Service Control Manager        │ 7045     │ 10446     │ IEWIN7                   │ ---                              │
    │                     │ Strike Getsystem Service       │       │                                │          │           │                          │ AccountName: LocalSystem         │
    │                     │ Installation                   │       │                                │          │           │                          │ ImagePath: "%COMSPEC% /c ping    │
    │                     │                                │       │                                │          │           │                          │ -n 1 127.0.0.1 >nul && echo 'W   │
    │                     │                                │       │                                │          │           │                          │ inPwnage' > \\\\.\\pipe\\WinPw   │
    │                     │                                │       │                                │          │           │                          │ nagePipe"                        │
    │                     │                                │       │                                │          │           │                          │ ServiceName: WinPwnage           │
    │                     │                                │       │                                │          │           │                          │ ServiceType: user mode service   │
    │                     │                                │       │                                │          │           │                          │ StartType: demand start          │
    ├─────────────────────┼────────────────────────────────┼───────┼────────────────────────────────┼──────────┼───────────┼──────────────────────────┼──────────────────────────────────┤
    │ 2019-06-21 07:35:37 │ ‣ Dumpert Process Dumper       │ 1     │ Microsoft-Windows-Sysmon       │ 11       │ 238375    │ alice.insecurebank.local │ ---                              │
    │                     │                                │       │                                │          │           │                          │ CreationUtcTime: "2019-06-21 0   │
    │                     │                                │       │                                │          │           │                          │ 6:53:03.227"                     │
    │                     │                                │       │                                │          │           │                          │ Image: "C:\\Users\\administrat   │
    │                     │                                │       │                                │          │           │                          │ or\\Desktop\\x64\\Outflank-Dum   │
    │                     │                                │       │                                │          │           │                          │ pert.exe"                        │
    │                     │                                │       │                                │          │           │                          │ ProcessGuid: ECAD0485-88C9-5D0   │
    │                     │                                │       │                                │          │           │                          │ C-0000-0010348C1D00              │
    │                     │                                │       │                                │          │           │                          │ ProcessId: 3572                  │
    │                     │                                │       │                                │          │           │                          │ RuleName: ""                     │
    │                     │                                │       │                                │          │           │                          │ TargetFilename: "C:\\Windows\\   │
    │                     │                                │       │                                │          │           │                          │ Temp\\dumpert.dmp"               │
    │                     │                                │       │                                │          │           │                          │ UtcTime: "2019-06-21 07:35:37.   │
    │                     │                                │       │                                │          │           │                          │ 324"                             │
    └─────────────────────┴────────────────────────────────┴───────┴────────────────────────────────┴──────────┴───────────┴──────────────────────────┴──────────────────────────────────┘
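With many hosts, the hunt is usually run with --json and post-processed rather than read as a table. The Python below is an added example (not part of this page or of the Chainsaw project): it reduces such a JSON file to one line per host, most critical first, and flags hosts whose Security audit log was cleared, as in the Log Tampering row above. The JSON field layout it assumes is stated in the docstring, and the sample hits are constructed from the table rows, not real telemetry.

```python
"""Turn a Chainsaw `hunt ... --json` result into a per-host triage view.

Assumed input layout (Chainsaw --json): a list of hit objects with "group",
"name", "level", "timestamp" and "document" -> "data" -> "Event" -> "System"
holding Computer, EventID and EventRecordID. EventID is either a bare integer
or, for events carrying qualifiers, {"#text": <id>, "#attributes": {...}}.
The sample hits are constructed from the rows of the hunt table on this page.
"""
import json
from collections import Counter
from datetime import datetime

# Constructed sample: four rows of the page's hunt table, re-shaped as JSON hits.
SAMPLE_HUNT_JSON = json.dumps([
    {"group": "Log Tampering", "name": "Security Audit Logs Cleared",
     "level": "high", "timestamp": "2019-01-20T07:00:50",
     "document": {"data": {"Event": {"System": {
         "Computer": "WIN-77LTAPHIQ1R.example.corp",
         "EventID": {"#text": 1102, "#attributes": {"Qualifiers": 0}},
         "EventRecordID": 32853}}}}},
    {"group": "Sigma", "name": "Malicious Named Pipe", "level": "critical",
     "timestamp": "2019-04-29T20:59:14",
     "document": {"data": {"Event": {"System": {
         "Computer": "IEWIN7", "EventID": 18, "EventRecordID": 8046}}}}},
    {"group": "Sigma", "name": "CobaltStrike Service Installations in Registry",
     "level": "critical", "timestamp": "2019-04-30T20:26:51",
     "document": {"data": {"Event": {"System": {
         "Computer": "IEWIN7", "EventID": 13, "EventRecordID": 9806}}}}},
    {"group": "Sigma", "name": "Dumpert Process Dumper", "level": "critical",
     "timestamp": "2019-06-21T07:35:37",
     "document": {"data": {"Event": {"System": {
         "Computer": "alice.insecurebank.local", "EventID": 11,
         "EventRecordID": 238375}}}}},
])

LOG_CLEARED_EVENT_IDS = {1102}  # Security audit log cleared (Log Tampering group)


def system_block(hit):
    """Return the Event.System section of a hit, or {} if the shape differs."""
    return hit.get("document", {}).get("data", {}).get("Event", {}).get("System", {})


def event_id(hit):
    """EventID as int, whether serialised bare or as {"#text": ...}."""
    raw = system_block(hit).get("EventID")
    if isinstance(raw, dict):
        raw = raw.get("#text")
    return int(raw) if raw is not None else None


def parse_ts(value):
    """Chainsaw emits ISO-8601 timestamps; tolerate a trailing Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def load_hits(text):
    data = json.loads(text)
    return data if isinstance(data, list) else [data]


def triage(text):
    """Per host: hit count, count per level, first/last hit, log-clearing events."""
    hosts = {}
    for hit in load_hits(text):
        name = system_block(hit).get("Computer", "<unknown>")
        host = hosts.setdefault(name, {"hits": 0, "levels": Counter(),
                                       "first": None, "last": None,
                                       "rules": set(), "log_cleared": []})
        ts = parse_ts(hit["timestamp"])
        host["hits"] += 1
        host["levels"][hit.get("level", "unknown")] += 1
        host["first"] = ts if host["first"] is None else min(host["first"], ts)
        host["last"] = ts if host["last"] is None else max(host["last"], ts)
        host["rules"].add(hit.get("name", ""))
        # A cleared audit log means evidence before this point may be gone.
        if hit.get("group") == "Log Tampering" or event_id(hit) in LOG_CLEARED_EVENT_IDS:
            host["log_cleared"].append(ts)
    return hosts


def report(hosts):
    """One line per host, hosts with the most critical hits first."""
    lines = []
    for name, h in sorted(hosts.items(), key=lambda kv: -kv[1]["levels"]["critical"]):
        lines.append(f"{name}: {h['hits']} hit(s), critical={h['levels']['critical']}, "
                     f"{h['first']:%Y-%m-%d %H:%M:%S} .. {h['last']:%Y-%m-%d %H:%M:%S}")
        for ts in h["log_cleared"]:
            lines.append(f"  ! audit log cleared at {ts:%Y-%m-%d %H:%M:%S}; "
                         "earlier events on this host may be missing")
    return lines


if __name__ == "__main__":
    print("\n".join(report(triage(SAMPLE_HUNT_JSON))))
```

Point it at a real file with `triage(open("results.json").read())` once a hunt has been run with `--json --output results.json`.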

Shimcache

Among the collected raw files is the SYSTEM hive, which Chainsaw can analyse together with the Amcache hive:

./chainsaw analyse shimcache ./SYSTEM --regexfile ./analysis/shimcache_patterns.txt --amcache ./Amcache.hve --tspair --output ./output.csv

SRUM

Analyse the SRUM database (the SOFTWARE hive is mandatory)

./chainsaw analyse srum --software ./SOFTWARE ./SRUDB.dat --output ./output.json

Example run with its output:

$ ./chainsaw analyse srum --software ./SOFTWARE ./SRUDB.dat -o ./output.json

     ██████╗██╗  ██╗ █████╗ ██╗███╗   ██╗███████╗ █████╗ ██╗    ██╗
    ██╔════╝██║  ██║██╔══██╗██║████╗  ██║██╔════╝██╔══██╗██║    ██║
    ██║     ███████║███████║██║██╔██╗ ██║███████╗███████║██║ █╗ ██║
    ██║     ██╔══██║██╔══██║██║██║╚██╗██║╚════██║██╔══██║██║███╗██║
    ╚██████╗██║  ██║██║  ██║██║██║ ╚████║███████║██║  ██║╚███╔███╔╝
     ╚═════╝╚═╝  ╚═╝╚═╝  ╚═╝╚═╝╚═╝  ╚═══╝╚══════╝╚═╝  ╚═╝ ╚══╝╚══╝
        By WithSecure Countercept (@FranticTyping, @AlexKornitzer)

    [+] ESE database file loaded from "/home/user/Documents/SRUDB.dat"
    [+] Parsing the ESE database...
    [+] SOFTWARE hive loaded from "/home/user/Documents/SOFTWARE"
    [+] Parsing the SOFTWARE registry hive...
    [+] Analysing the SRUM database...
    [+] Details about the tables related to the SRUM extensions:
    +------------------------------------------+--------------------------------------------+--------------------------------------+-------------------------+-------------------------+
    | Table GUID                               | Table Name                                 | DLL Path                             | Timeframe of the data   | Expected Retention Time |
    +------------------------------------------+--------------------------------------------+--------------------------------------+-------------------------+-------------------------+
    | {5C8CF1C7-7257-4F13-B223-970EF5939312}   | App Timeline Provider                      | %SystemRoot%\System32\eeprov.dll     | 2022-03-10 16:34:59 UTC | 7 days                  |
    |                                          |                                            |                                      | 2022-03-10 21:10:00 UTC |                         |
    +------------------------------------------+--------------------------------------------+--------------------------------------+-------------------------+-------------------------+
    | {B6D82AF1-F780-4E17-8077-6CB9AD8A6FC4}   | Tagged Energy Provider                     | %SystemRoot%\System32\eeprov.dll     | No records              | 3 days                  |
    +------------------------------------------+--------------------------------------------+--------------------------------------+-------------------------+-------------------------+
    | {D10CA2FE-6FCF-4F6D-848E-B2E99266FA86}   | WPN SRUM Provider                          | %SystemRoot%\System32\wpnsruprov.dll | 2022-03-10 20:09:00 UTC | 60 days                 |
    |                                          |                                            |                                      | 2022-03-10 21:09:00 UTC |                         |
    +------------------------------------------+--------------------------------------------+--------------------------------------+-------------------------+-------------------------+
    | {D10CA2FE-6FCF-4F6D-848E-B2E99266FA89}   | Application Resource Usage Provider        | %SystemRoot%\System32\appsruprov.dll | 2022-03-10 16:34:59 UTC | 60 days                 |
    |                                          |                                            |                                      | 2022-03-10 21:10:00 UTC |                         |
    +------------------------------------------+--------------------------------------------+--------------------------------------+-------------------------+-------------------------+
    | {FEE4E14F-02A9-4550-B5CE-5FA2DA202E37}   | Energy Usage Provider                      | %SystemRoot%\System32\energyprov.dll | No records              | 60 days                 |
    +------------------------------------------+--------------------------------------------+--------------------------------------+-------------------------+-------------------------+
    | {FEE4E14F-02A9-4550-B5CE-5FA2DA202E37}LT | Energy Usage Provider (Long Term)          | %SystemRoot%\System32\energyprov.dll | No records              | 1820 days               |
    +------------------------------------------+--------------------------------------------+--------------------------------------+-------------------------+-------------------------+
    | {973F5D5C-1D90-4944-BE8E-24B94231A174}   | Windows Network Data Usage Monitor         | %SystemRoot%\System32\nduprov.dll    | 2022-03-10 16:34:59 UTC | 60 days                 |
    |                                          |                                            |                                      | 2022-03-10 21:10:00 UTC |                         |
    +------------------------------------------+--------------------------------------------+--------------------------------------+-------------------------+-------------------------+
    | {7ACBBAA3-D029-4BE4-9A7A-0885927F1D8F}   | vfuprov                                    | %SystemRoot%\System32\vfuprov.dll    | 2022-03-10 20:09:00 UTC | 60 days                 |
    |                                          |                                            |                                      | 2022-03-10 21:10:00 UTC |                         |
    +------------------------------------------+--------------------------------------------+--------------------------------------+-------------------------+-------------------------+
    | {DA73FB89-2BEA-4DDC-86B8-6E048C6DA477}   | Energy Estimation Provider                 | %SystemRoot%\System32\eeprov.dll     | No records              | 7 days                  |
    +------------------------------------------+--------------------------------------------+--------------------------------------+-------------------------+-------------------------+
    | {DD6636C4-8929-4683-974E-22C046A43763}   | Windows Network Connectivity Usage Monitor | %SystemRoot%\System32\ncuprov.dll    | 2022-03-10 16:34:59 UTC | 60 days                 |
    |                                          |                                            |                                      | 2022-03-10 21:10:00 UTC |                         |
    +------------------------------------------+--------------------------------------------+--------------------------------------+-------------------------+-------------------------+
    [+] SRUM database parsed successfully
    [+] Saving output to "/home/user/Documents/output.json"
    [+] Saved output to "/home/user/Documents/output.json"

DeepBlueCLI & WELA & APT-Hunter

These tools are also useful for collecting pieces of evidence from EVTX files. For example, WELA can break down the authentication activity on the machine by user and logon type.

Manual Analysis with Eric Zimmerman's Tools

Each facet of analysis is delineated into subsections accessible through the navigation menu on this page.

The files under analysis are:

Timeline Explorer, EZViewer, and Hasher are proficient tools for concurrently examining all artifacts.

Timeline Explorer

Opens all the CSV files after they have been normalized by the individual tools.

EZViewer

Opens single files (docx, csv, pdf, etc.).

Hasher

Hashes everything.

Dissect

Dissect is an incident response framework built from various parsers and implementations of file formats. Tying this all together, Dissect allows you to work with tools named target-query and target-shell to quickly gain access to forensic artefacts, such as Runkeys, Prefetch files, and Windows Event Logs, just to name a few!

And the best thing: all in a singular way, regardless of underlying container (E01, VMDK, QCoW), filesystem (NTFS, ExtFS, FFS), or Operating System (Windows, Linux, ESXi) structure / combination. You no longer have to bother extracting files from your forensic container, mount them (in case of VMDKs and such), retrieve the MFT, and parse it using a separate tool, to finally create a timeline to analyse. This is all handled under the hood by Dissect in a user-friendly manner.

If we take the example above, you can start analysing parsed MFT entries by just using a command like target-query -f mft <PATH_TO_YOUR_IMAGE>!

Have a good hunting! 😎
