Forensic Blogs

An aggregator for digital forensics blogs

by

Triage Collection and Timeline Generation with KAPE

As a follow up to my SANS webcast, I wanted to post detailed instructions on how to use KAPE to collect triage data and generate a mini-timeline from the data collected. As much as I hate to say "push button forensics", once you get KAPE up and running, it really is only a matter of a couple of clicks and you are off to the races.

I won't go into detail here on the benefits of collecting triage data or timelining (of which there are many!), but instead focus on how to set up KAPE to do it. If you would like more details on the above, please watch my webcast.

To get the timelining to work in KAPE you will need to do three things to get it set up. These will each be detailed in this post:

1) Download/Upgrade KAPE
2) Grab the timeline Targets and Modules
3) "Install" the executables called by the KAPE modules I wrote

As KAPE gets updated, I expect step #2 to drop off as it will be rolled out with the newer versions.

KAPE Basics
KAPE (Kroll Artifact Parser and Extractor) is a free tool written by Eric Zimmerman, and available for download on the Kroll website. From the website: "KAPE is a multi-function program that primarily: 1) collects files and 2) processes collected files with one or more programs. KAPE reads configuration files on the fly and based on their contents, collects and processes relevant files. This makes KAPE very extensible in that the program’s author does not need to be involved to add or expand functionality"To this end, I have written a target that defines what files to collect to create a timeline, and about 20 modules that tell KAPE how to process the data - AKA - make a timeline.
In order to do this, you will need to grab the new target and timeline modules and the binary files that the modules call.
Step 1 - Download/Update KAPEIf you don't have KAPE, download KAPE from here.
If you already have KAPE, you will need to have version 0.8.6.3 or greater. To update KAPE, run the Get-KAPEUpdate.ps1 PowerShell script in the root of the KAPE directory.
Step 2 - Grab the Timeline Modules and TargetsThe Targets in KAPE define what files will be collected. The Modules define what executable will be ran against the files that are collected. 
To grab the latest Targets and Module from github, run gkape.exe and click the "Synch with GitHub" at the very bottom of KAPE. This will get you the latest Targets and Modules.

The timeline modules I created should be in the \Modules\timelining subfolder. If you do not have this folder after syncing (Eric was working on implement the syncing of module subfolders at the time of this blog post) you will need to grab the timelining folder directly from github: https://github.com/EricZimmerman/KapeFiles/tree/master/Modules
Step 3 - Grab the executablesThe timelining modules will call specific executable to run against the targets. For example, if we want to parse out the eventlogs,  the program EvtxEcmd.exe is called by KAPE to parse the artifact. The executables are placed in the KAPE bin folder:


For the timeline modules, here are the executable you will need to download, and the locations where they go under the bin folder:
MFTeCmdPurpose: Parse $MFT fileDownload: https://ericzimmerman.github.io/Instructions: should already be in \modules\bin. Tested with version 0.4.4.4
EvtxECmd.exePurpose: Parse out *.evtx event logsDownload: https://ericzimmerman.github.io/Instructions: should already be in \modules\bin\EvtxECmd folder. Make sure you have version 0.5.1.0 or newer as the older version will not work for timelining.

Regripper v 2.8Purpose: Run regripper plugins against various registry hivesDowonload: https://github.com/keydet89/RegRipper2.8Instructions: Make folder \modules\bin\regripper. Place rip.exe , "p2x5124.dll" and the plugins folder in the regripper folder:



Harlan Carvey Timeline ToolsPurpose: parse event logs, timeline registry hives, convert timeline formats, etc.Download: https://github.com/keydet89/Tools/tree/master/exeInstructions: Create the folder \modules\bin\tln_tools. Place bodyfile.exe, evtparse.exe, parse.exe, regtime.exe and p2x5124.dll in the \tln_tools folder.
Mari DeGrazia Timeline ToolsPurpose: Convert between file formatsDownload: https://github.com/mdegrazia/KAPE_Tools/tree/master/executablesInstructions: Place in the tln_tools folder created previously


Step 4 Generate that timeline!Once you have the the targets,modules and executables set up, you can generate a timeline. First, run the Target options in KAPE to grab the triage data. This can be done on a mounted image, or an external USB drive attached to the system of interest. You could even use something like F-Response to run KAPE to do a remote collection.
Check "Use Target Options"Target Source: The drive letter you want to collect the files from. On a mounted image, this would be the drive letter that the image is mounted as. For a live collection, this would most likely be C:Target Destination: This would be where you want the files copied to. Most likely an external drive for a live collection, or a folder on your analysis computer for a mounted image.Targets: Select MiniTimelineCollectionHit execute when ready:


KAPE will now copy all the required files and place them into the Target Destination folder.
Now that the targets are collected, the modules will need to be run against the collected files. 
Select "Use Module Options"Module Source: This will be where the files were copied to by KAPE Module Destination: The will be where the resulting timeline will be createdModules: Select Mini_Timeline and if desired, Mini_Timeline_Slice_by_Daterange. The daterange will give you a smaller timeline with a specified date range.Variables: Add two variable by using the Key and Value fields. computerName and dateRange. computerName will be the name of the system you are analyzing. The dateRange will be the dateRange you want the smaller timeline to have. This has to be in the format mm/dd/yyyy-mm/dd/yyyy.Once completed, select execute:



After running, you will have two timelines created in CSV format. The other files created are temporary working files created during the process. These CSV files can be opened using a text editor, TimelineExplorer, Excel, or any other CSV tool of your choice. If you want some more details on how to do the timeline analysis, and where to get started with analysis of these files watch my webex towards the end. 


I highly recommend reading Harlan Carvey's blog posts on timelineing, as KAPE is just a way to automate this process.
Here is a detailed breakdown of what the timeline targets and modules I created are doing:

Targets collect the following files:
$MFT
Registy hives (SAM,SECURITY, SOFTWARE, SYSTEM, NTUSER.DAT, UsrClass.dat)
Event logs (*.evt, *.evtx)

Timeline Modules will include the following in the timeline:
File MACB timestamps
Last write times of the above registry hive's keys
ReRipper plugins ran: muicache, userassist, AppCompatCache, Services
Event Logs with Event ID and descriptions


For more detailed information on KAPE, including how to write modules and targets, check out the KAPE documentation.

by

Program Execution…Or Not

Over the years, different means have been used to discuss the DFIR analysis process, and one of those has been artifact categories.  This is where categories are created and artifacts placed in the various columns, as they relate to those categories.  One such example is the SANS IR poster, which provides a great visual reminder for folks looking to employ this approach.  Honestly, it is a good way to approach analysis...looking at even a single system image, artifacts have grown over the years as the versions of Windows have progressed from XP to Win7, through to Win10, and as such, it benefits a large portion of the community to have a repeatable approach to analysis.

However, when using approaches such as this, we need to keep in mind the context of the category titles.  Yes, the artifacts of "program execution" provide an indication of applications that were launched on a system, but what does that mean?

At this point, I can guess what you're thinking...wait, what?? And believe me, I get it.  "Program execution" means exactly that...that a program was executed.  End of story.  But wait...is that what it really means?

Consider this for a second...someone unfamiliar with a program or application might "open" it on their first try, to see what it does.  Command line tools, for example, often contain information about their usage, which we can see by either typing the name of the program at the command prompt (no arguments), or by adding "/?" or "-h" ("--help" for Linuxphiles).  This causes the program to run, but not in the sense that the functionality of the program is actually used.

As an example, I opened a command prompt, and changed directories to the C:\Windows\Prefetch folder.  Most analysts who've been in the industry for some time are familiar with the application prefetch files, often referred to as simply "Prefetch". Specifically, these are files are widely known as an artifact of "program execution".

I first typed "dir ftp*.pf" to see if there were any Prefetch files that appeared to point to the use of ftp.exe, and got the expected result: File Not Found.  Next, I typed "ftp /?" at the prompt, which displayed the usage syntax of the application.

I then retyped (actually, I hit the up arrow twice...) the 'dir' command, and this time, I found that there was a file named FTP.EXE-7BA637EA.pf, which was 2,685 bytes in size.

So, what happened?  I ran the program, but only to the point where I could read the usage syntax. I didn't actually use the program to transfer files or exfil data in any way.  However, the artifacts of program execution were populated.

Now, the same thing applies to GUI applications, maybe even more so.  You can launch a GUI application, look around at the interface, maybe click a few of the options to see what functionality is available, and then close the UI without ever having employed the functionality provided by the application.

Case in point...consider this analysis of the DefCon 2018 CTF file server image.  Other publicly available write-ups addressed the question of interest (which application was used to delete forensic artifacts?) with various findings.  One was the result of the itempos.pl RegRipper plugin; not an artifact normally associated with program execution, but rather that the application was resident on the desktop.  The two other write-ups went with the UserAssist artifacts, widely associated with program execution; however, there was no verification that the application was actually used to, as stated in the CTF question, delete forensic artifacts.  As such, the GUI application could have been launched, closed, and then something else could have been used to take the specified actions. In fact, the actions in question were never verified.

As such, something to consider going forward is, when artifacts of program execution are found, what do they really mean?

Finally, a question...there is a way to make use of the FTP protocol on Windows workstations (XP, 7, 8, 10) that does not leave the 'normal' artifacts of program execution (i.e., Prefetch file, UserAssist entry) that does not involve disabling any default functionality.  What is it, and how would you determine/verify it?

Addendum, 18 Aug: So far, there's only been one attempt to answer the final question.  I know that there's more out there...check the comments to see the answer, but there's at least one more, and maybe even more than one!