Tuesday, October 06, 2015

Tools, Links - ESEDB, etc.

CapLoader - This looks like an interesting tool...and another one...for carving packets from memory dumps.  I'm not clear as to how this tool differs from the Volatility modules, in particular netscan and Jamaal's ethscan, but it does seem interesting.  If you were curious as to how to install Rekall on Windows systems, see this blog post.

SAMParser.py - I'm not entirely sure how this Python script differs from RegRipper's samparse.pl plugin, but it does offer an interesting alternative, if you're looking for one.  The output does appear similar to what samparse.pl produces.

MFT Parsers
Mari posted an excellent blog article based on her review of several MFT parsing tools.  One of the key factors to Mari's post is that she understands what it is she's looking at (MFT records), so she's able to evaluate the various tools for her own use, rather than simply running them and not questioning the output.

This is the sort of thing that the DFIR community would benefit from greatly, if more practitioners engaged in it, or if more practitioners responded to it.  Honestly evaluating tools can be of significant benefit to the community, particularly when they're evaluated in light of a particular practitioner's analysis process.  It's even more beneficial if that process is shared, so that others can determine the usefulness of the tools for themselves, and decide if those tools can/should be incorporated into their own analysis process.

Yara is a tool that's been available for some time, and is worth mentioning again.  A while back, Corey Harrell asked a question via social media regarding how to detect the presence of web shells on a system, using only the HTTP access logs.  Shortly thereafter, Aaron Shelmire posted this article to the ThreatStream blog.  In the article, Aaron mentions a couple of methods for detecting web shells using only the HTTP access logs, in accordance with Corey's question, and his suggestions are very valuable.  One method of detection he mentioned, as well, was using a change control and inventory process, or a file system monitoring tool, to detect new pages being added to web directories.  Aaron also mentions that searching for patterns within files can produce false positives, but if you use something like Yara, you can reduce those false positives.  Yara can be used by sysadmins who want to keep ahead of things or those who want to perform hunting, as well as by analysts and responders engaged in DFIR analysis.

An excellent resource for web shell rules can be found here.

ESEDB Databases
Windows systems utilize ESE format databases more and more, and as such, it's imperative that analysts be able to identify the databases, as well as extract data for incorporation into their analysis processes.

An example of an ESE format database includes the IE10+ WebCacheV01.dat web history database. Also, Brent Muir recently posted regarding Windows 10 Cortana Notification Center Forensics.

A note on Brent's post...I have a Windows 10 laptop that was upgraded from Win7; I opened the notification center as he described towards the end of the post.  Even after rebooting the system, the value containing the timestamp does not exist in my NTUSER.DAT.  However, I'm also not running Cortana, as this is an older laptop, so that may have an impact as to whether or not the value gets created.

There's also the Search Index database; reading through the post responses, you can see how the contents of this database can be useful to a forensic analyst.  One of the response lists tools that can be used to parse the database.

So, at this point, that's three databases that use the ESE format, all of which can provide significant value to a forensic analyst.

Parsing Tools
WoanWare ESEDBViewer - deprecated, but still a good visual tool.

libesedb - needs to be compiled for the Windows platform; most of the web sites that I've found that mention the tool don't provide a compiled copy

esentutl - native tool that lets you copy and/or recover an ESEDB file.  While one method of obtaining a copy of an ESEDB file for analysis might be to create a VSC and copy the file in question from the shadow copy, this option might not always be available.  As such, this native tool may be of significant use to an analyst.

pyesedbwebcache2.py - It looks as if Jon Glass has updated his Python script for parsing the WebCacheV01.dat file.

Addendum, 7 Oct: I found this post over at Sanderson Forensics this morning...if you're analyzing Windows systems, you want to be sure to read the post and include the tool in your toolkit...

1 comment:

JimmyWeg said...

For quick access to ESEs, Nirsoft's viewer is quite handy: http://www.nirsoft.net/utils/ese_database_view.html It doesn't provide much in the way of analysis or queries, but it can access the current, locked Win10/Edge database, which is very handy for testing.