Being socked in by the weather, I thought it would be a good time to throw a couple of things out there...
Mounting an Image
Folks...in order to test or make use of the Forensic Scanner, you first need to have an image. If you don't have an image available, you can download sample images from a number of locations online. Or you can image your own system, or you can use virtual machine files (FTK Imager will mount a .vmdk file with no issues). However, the Forensic Scanner was not intended to be run against your local, live system.
Once you have an image to work with, you need to mount it as a volume in order to run the Forensic Scanner against it. If you have a raw/dd image, a .vmdk or .vhd file, or a .E0x file, FTK Imager will allow you to mount any of these in read-only format.
If you have a raw/dd format image file, you can use vhdtool to add a footer to the file, and then use the Disk Manager to attach the VHD file read-only. If you use this method, or if you mount your image file as a VMWare virtual machine, you will also be able to list and mount available VSCs from within the image, and you can run the Scanner against each of those.
If you have any version of F-Response, you can mount a remote system as a volume, and run the Forensic Scanner against it. Don't take my word for it...see what Matt, the founder of F-Response, says about that!
If you have issues with accessing the contents of the mounted image, you may be running into permissions problems. Ken Johnson recently hit this when he tried to access a mounted image of a Windows 8 system from a Windows 7 analysis system. After all, you're not accessing the image as a logical volume...so, you might try mounting the image as "File System/Read-Only", rather than the default "Block Device/Read-Only", or you may want to run the Scanner using something like RunAsSystem in order to elevate your privileges.
If your circumstances require it, you can even use FTK Imager (FTK Imager Lite v3.x is now available and supports image mounting) to access an acquired image, and then use the export function to export copies of all of the folders and files from the image to a folder on your analysis system, or on a USB external drive, and then run the scanner against that target.
Okay, but what about stuff other than Windows as your target? Say that you have an iDevice (or an image acquired from one...)...the Forensic Scanner can be updated (it's not part of the current download, folks) to work with these images, courtesy of HFSExplorer.
Caveat: I haven't tested this yet, but from the very beginning, the Forensic Scanner was designed to be extensible in this manner.
Again, if you opt to run the Forensic Scanner against your local drive (by typing "C:\Windows\system32" into the tool), that's fine. However, I can tell you it's not going to work, so please don't email me telling me that it didn't work. ;-)
Forensic Scanner Links
Forensic Scanner Links - links where the Forensic Scanner is mentioned:
F-Response Blog: F-Response and the ASI Forensic Scanner
Grand Stream Dreams: Piles o' Linkage
SANS Forensics Blog: MiniFlame, Open Source Forensics Edition
Apparently, Kiran Vangaveti likes to post stuff that other people write...oh, well, I guess that imitation really is the sincerest form of flattery! ;-)
Observables
The good folks over at RSA have had some interesting posts of late to their "Speaking of Security" blog, and the most recent one by Branden Williams is no exception. In the post, Branden mentions "observables", as well as Locard's Exchange Principle...but what isn't explicitly stated is the power of correlating various events in order to develop situational awareness and context, something that we can do with timeline analysis.
An example of this might be a failed login attempt or a file modification. In and of themselves, these individual events tell us something, but very little. If we compile a timeline using the data sources that we have available, we can begin to see much more with regards to that individual event, and we go from, "...well, it might/could be..." to "...this is what happened."
SANS Forensic Summit 2013
The next SANS #DFIR Summit is scheduled for July 2013 (in Austin, TX) and the call for speakers is now open.
Prefetch Analysis
Adam posted recently regarding Prefetch file names and UNC paths, and that reminded me of my previous posts regarding Prefetch Analysis. The code I currently use for parsing Prefetch files includes parsing of paths that include "temp" anywhere in the path (via grep()), and provides those paths separately at the end of the output (if found). Parsing of UNC paths (any path that begins with two back slashes, or begins with "\Device") can also be included in that code. The idea is to let the computer extract and present those items that might be of particular interest, so that the analyst doesn't have to dig through multiple lines of code.
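As an added illustration of the triage described above (this is my own example, not the author's Perl code), the script below pulls the path strings out of a Prefetch-style buffer and then separates out the "temp" paths and the UNC-style paths so the analyst sees them at the end rather than hunting through the full list. Assumptions: the buffer is a constructed, minimal stand-in for an uncompressed Prefetch file (only the SCCA signature and the two fields that locate the UTF-16LE filename-strings block are populated, and the 0x64/0x68 field positions are taken from the public file-information layout); the sample paths are made up; and the "\Device" rule from the post is narrowed, on my own initiative, to skip the \DEVICE\HARDDISKVOLUMEn prefix that every local path in a Prefetch file carries, since otherwise it would flag everything.

```python
import struct

# Constructed sample paths in the form Prefetch stores them (UTF-16LE, upper-case,
# \DEVICE\HARDDISKVOLUMEn prefix for local volumes). Not taken from a real file.
SAMPLE_PATHS = [
    r"\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\NTDLL.DLL",
    r"\DEVICE\HARDDISKVOLUME1\USERS\BOB\APPDATA\LOCAL\TEMP\UPDATE.EXE",
    r"\DEVICE\HARDDISKVOLUME1\WINDOWS\TEMP\SVC.DLL",
    r"\DEVICE\HARDDISKVOLUME1\PROGRAM FILES\TEMPLATES\APP.EXE",
    r"\\FILESRV\SHARE\INSTALL.EXE",
    r"\DEVICE\LANMANREDIRECTOR\FILESRV\SHARE\DATA.DLL",
]

SIGNATURE = b"SCCA"
STRINGS_OFFSET_FIELD = 0x64   # assumed layout: offset of the filename-strings block
STRINGS_SIZE_FIELD = 0x68     # assumed layout: size of the filename-strings block
FILE_INFO_END = 0x6C          # header (0x54) plus the part of the file-information block used here


def build_sample_prefetch(paths):
    """Build a minimal Prefetch-LIKE buffer for testing (not a real Prefetch file):
    a zeroed header carrying the SCCA signature and the two fields that locate the
    UTF-16LE, NUL-terminated filename-strings block appended after it."""
    strings = b"".join(p.encode("utf-16-le") + b"\x00\x00" for p in paths)
    buf = bytearray(FILE_INFO_END)
    buf[4:8] = SIGNATURE
    struct.pack_into("<II", buf, STRINGS_OFFSET_FIELD, FILE_INFO_END, len(strings))
    return bytes(buf) + strings


def extract_paths(data):
    """Return the list of path strings from the filename-strings block."""
    if data[4:8] != SIGNATURE:
        raise ValueError("missing SCCA signature (compressed file, or not a Prefetch file)")
    offset, size = struct.unpack_from("<II", data, STRINGS_OFFSET_FIELD)
    if offset + size > len(data):
        raise ValueError("filename-strings block runs past the end of the file")
    blob = data[offset:offset + size].decode("utf-16-le", errors="replace")
    return [s for s in blob.split("\x00") if s]


def is_temp_path(path):
    """The post's rule: 'temp' anywhere in the path, case-insensitive (substring
    match, so TEMPLATES is flagged too; see the note below the code)."""
    return "temp" in path.lower()


def is_unc_path(path):
    """The post's rule (two leading backslashes, or a \\Device prefix), narrowed
    (my assumption) to exclude \\DEVICE\\HARDDISKVOLUMEn, which every local path has."""
    up = path.upper()
    if up.startswith("\\\\"):
        return True
    return up.startswith("\\DEVICE\\") and not up.startswith("\\DEVICE\\HARDDISKVOLUME")


def triage(data):
    """Parse the buffer and return the items of interest, separated as in the post."""
    paths = extract_paths(data)
    return {
        "all": paths,
        "temp": [p for p in paths if is_temp_path(p)],
        "unc": [p for p in paths if is_unc_path(p)],
    }


if __name__ == "__main__":
    result = triage(build_sample_prefetch(SAMPLE_PATHS))
    for label in ("temp", "unc"):
        print(f"--- {label} paths ---")
        for p in result[label]:
            print(p)
```

Because the "temp" check is a plain substring match, a path such as ...\PROGRAM FILES\TEMPLATES\APP.EXE lands in the temp list alongside the genuine %TEMP% entries; that is what a grep() for "temp" does, and it is worth knowing when reading the output.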
5 comments:
You know, I've never seen you and Kiran in the same place at the same time... LOL
I did a short test run with the Forensic Scanner prior to my surgery and am very impressed. I'm hoping my shoulder starts feeling better soon and I can do some more testing with the scanner and other tools/techniques.
KP
Ken,
I hope your surgery went well.
I have been hoping to get more than just, "...works great..." or "...doesn't work...", but I guess maybe that's just a pipe dream...
Give me some time and I hope to provide more feedback for you. Right now, just typing is a challenge with one arm in a sling.
Well, my hope was for one of the other 781 ppl who'd downloaded it to provide something...
Nothing yet?