Forensic Blogs

An aggregator for digital forensics blogs

by

Leveraging PowerShell & Python MUS 2019

Leveraging PowerShell & Python for Incident Response & Live Investigation With Chet Hosmer

Recently, I had the great opportunity to attend the 2019 Magnet User Summit hosted by Magnet Forensics in Nashville, Tennessee. Presenters at the Magnet User Summit dedicate their time to presenting new research, demonstrating new techniques, and teaching users in the fields of digital forensics and investigation. There were many great presentations and labs that I attended and learned so much from!

As someone who uses Windows PowerShell and Python for scripting, I took notice in a presentation called “Leveraging PowerShell & Python for Incident Response & Live Investigations” presented by Chet Hosmer, founder of Python Forensics. I was excited to find new ways to expand my knowledge of PowerShell and Python and increase my proficiency.

PowerShell and Python

Windows PowerShell is a command shell and scripting language created by Microsoft. It provides more features and functionalities than Windows basic command line. System and network administrators use PowerShell for automation and also forensic investigators. PowerShell excels at automation and acquiring evidence and artifacts from the system. It has recently been made available for other operating systems including Linux and OSX. Making it even more powerful and useful. Python is an object oriented scripting and programming language. It’s a simple language that’s easy for beginners but still powerful enough for the more experienced users. It’s been integrated into many popular tools for digital forensics, cybersecurity, and incident response.

One point that Hosmer highlighted is that Microsoft’s PowerShell really excells at evidence and artifact acquisition, while Python is good at analysis and examination of data. Therefore, combining these two programs would create a powerful platform for DFIR. To accomplish this, he has created two methods of integration between the two programs.

Image taken from Chet Hosmer

Integrating PowerShell and Python

The first method involves creating a Python script that would accept PowerShell parameters as input, launch PowerShell, and pass those parameters to a PowerShell script. That would then read, analyze and present the results. The second method begins with a PowerShell script. The PowerShell script would launch Python and run through the PowerShell scripts, piping its results to a Python script for it to analyze and organize the data. Both methods will work equally, but if one is more experienced in PowerShell, they may want to use the second method and vice versa. Using the ‘subprocess’ command in Python allows for variables to pass through a PowerShell script. PowerShell can input to Python using a standard pipe, like “| & $Python $Script”. Users can then use he piped data with “stdin” in Python.

With the rise of cloud infrastructure and international use, Hosmer also demonstrated that PowerShell is capable of interacting with and accessing Microsoft Azure logs. Azure is Microsoft’s cloud platform created for large businesses and enterprise. Cloud has become a large source of data and potential evidence for digital investigators, but is often harder to access and difficult to integrate into programs. In order to interact with azure, the user installs a PowerShell module called ‘AzureRM’  using the ‘Install-Module’ cmdlet in PowerShell. Once installed, PowerShell will have access to thousands of more powerful cmdlets dedicated to Azure.

Conclusion

Over my two days at Magnet User Summit, I met with many professionals and had a great time attending presentations on new technologies and techniques. I also learned how to use the tools created by Magnet and improve my forensics skills. While I really did learn a lot from the summit and had plenty of fun too. I am glad I got this great opportunity to learn and network with industry professionals. Thank you to both the Leahy Center for Digital Investigation and Magnet Forensics for giving me this great opportunity.

 

Blog written by Champlain College sophomore Chris Mathieson

Be sure to check us out on Twitter @ChampForensics, Instagram @ChampForensics, and Facebook @Champlainforensics to see other important information pertaining to our project!

The post Leveraging PowerShell & Python MUS 2019 appeared first on The Leahy Center for Digital Investigation.

by

SIFT Update 3

Introduction

As we are coming to an end working at the Senator Leahy Center for Digital Investigation, we are closer to completing our final report. Our last post was about recovering artifacts and keyword searches. Due to time issues and inexperience, our team couldn’t recover deleted files.

Experience

Throughout the semester, working at the LCDI with the SIFT-workstation has been a refreshing challenge. Coming into the Center has always been a fun and engaging experience. We’ve learned vital information, especially in regards to digital forensics. We’ve even been exposed to the Linux Command Line.

Researching the SIFT-workstation from SANS  also exposed us to quite a bit of information about SANS. The more we have learned, the more we have realized how exciting the digital forensics field can be. From a first year student’s perspective, technical jargon and new information can be daunting. With the amount of easy-to-read information that SANS has put out, our team agrees that learning becomes simpler.

In regards to the Linux Command Line, our team was subjected to the experience of learning syntax, system commands, and other programs. Both my partner and I have heard from our professors that these skills are integral as investigators. Having that experience is important to us as aspiring students.

Since we are nearing the end of our time on this project, our team has focused on learning how to generate timelines and search clusters. We’ve also looked into bulk extraction and learned that these are typical and required tasks in this field.

Conclusion

In the end, our experience at the LCDI has been overwhelmingly positive and beneficial. We were exposed to and learned from largely important topics which is an opportunity we’ll always be grateful for. Although our team didn’t meet every expectation we had, we still experienced much more than we expected out of the internship.

The post SIFT Update 3 appeared first on The Leahy Center for Digital Investigation.

by

Automated Network Scanner! The Final Blog

Testing Our Script

Automated Network Scanning ! team has successfully completed their project by capping off the testing phase. The testing phase was divided into four phases. As we had configured our script to execute on boot, we would start each cycle by rebooting the Raspberry Pi. To implement this, we enabled auto-login on boot with the raspi-config command. In the process of booting to command line, Raspbian runs the commands stored in the .bashrc file. We used the .bashrc to start a bash script on boot. This bash script uses the cat command to read a file in the system that contained the network’s connectivity status and launched the scan when appropriate, moving our test cycle to the next step.

Flowchart of scan cycles

Once our team entered the scan running portion of the scanning cycle, our team would log into the Raspberry Pi with PuTTY, an SSH client. SSH clients allow remote control of computers through a command line. Although interacting solely through a command line may be considered an inconvenience, we were quite comfortable with the Linux Command line. To check if our scan was running, we used htop, a command line process viewer. Our team would inspect the htop window for a python3 process running our script and an nmap process. If both were present, as shown below, we could be sure that our script was running.

htop, a process manager service operated from the command line on our Raspberry Pi

Once our script finished, the report was automatically sent to an email address, alerting our team, no matter where they were, that the scan had finished. Our team would read through the report and would then move onto changing the scanner’s settings on the Raspberry Pi. Through PuTTY we were able to remotely interface with the Raspberry Pi. Once we finished this, we rebooted the Pi to start the cycle again.

 

Conclusion

Throughout this iterative cycle, we became intimately familiar with the function of an SSH client, and learned about several tools that allow operating Linux systems through command line to become easier, such as htop, a process manager, and ranger, a file explorer.  Overall, in this semester, we learned much more about the process of maintaining security on a network through mapping the network.

The post Automated Network Scanner! The Final Blog appeared first on The Leahy Center for Digital Investigation.