Start-ImageParsing.ps1

Earlier this year, I was able to take the SANS FOR500 course.  I’ve really never enjoyed any training more.  I took the OnDemand course which I think allows you to soak up the material at a reasonable pace. In addition to the course labs, I found it very easy to apply the topics being covered to my daily work.

For most of the artifacts covered in the course, SANS tries to present one commercial tool and one open source tool that can be used to process the data.  The tools by Eric Zimmerman get a lot of coverage in this course.  If you aren’t familiar with these, you should definitely check out Eric’s blog.  There is a good mix of GUI and command line applications which allow you to parse things like shell items, registry hives, the Master File Table ($MFT) and even mount Volume Shadow Copies. I plan to cover these in more detail and discuss how I use them in my workflow in a future blog post.

I really like the simplicity of running these tools and find they present information very quickly which allows me to identify areas to focus my investigation.  The only downside is if you want to run each application against an entire image or multiple images.  This can get a little time-consuming, particularly if the image you are working on has multiple profiles or VSCs.

This need led me to create Start-ImageParsing.ps1 which is a PowerShell script that executes against a mounted image and runs the tools against all profiles.   I created this script a few months ago and it’s been a big time saver for me.  Eric recently released VSCMount.exe which mounts any available Volume Shadow Copies. I’ve updated my script to run VSCMount and then execute the other tools against each shadow copy.  I also added two other applications – Hindsight, which does an outstanding job of parsing Chrome artifacts, and BrowsingHistoryView by NirSoft which shows History for Chrome, Firefox, Edge, Internet Explorer, etc.

TL;DR – Eric’s tools are awesome. I’ve got a script that automates their execution.

So how do you get started?

  1. Download Eric’s tools. These can be manually downloaded from EZTools (https://ericzimmerman.github.io/).  Note they can also be installed using Chocolatey but the path it places each file in causes issues with my script. So my recommendation is to download each of the files and extract them into the same subdirectory.  (Update 10/12/18 – you can now use the Get-ZimmermanTools.ps1 script in my Github to download these tools.) When you are done you should see these files in the same folder. The default setup in the script is to run the tools from “C:\Forensic Program Files\Zimmerman”.  I’ll show you how to change this shortly.
  2. If you want to parse browser history, we need Hindsight and BrowsingHistoryView.  Download these and extract them.  Two notes about Hindsight.  If you download it from Github there are a lot of files that allow you to run this in Python. We are really only using the Hindsight.exe file located in the ‘dist’ folder.  My script currently only parses the Default Chrome profile so keep this in mind if there are other profiles on the image. So using the same folder structure as earlier we have:
    C:\Forensic Program Files\Nirsoft\BrowsingHistoryView.exe
    C:\Forensic Program Files\Hindsight\Hindsight.exe
  3. Download my PowerShell script: https://github.com/grayfold3d/POSH-Triage
    Save this file and extract the contents anywhere. If you saved your tools to a different location than the one specified above, right-click Start-ImageParsing.ps1 and select Edit to open the script in the PowerShell ISE.  Update the path parameters for each tool with the location you saved the files and save your changes when done.  Note $hindsightPath points to the executable while the others use the directory.
    (Screenshot: PSToolEdit)
    If you aren’t familiar with PowerShell, there are a couple of things that need to be done for the script to execute. First, right-click Start-ImageParsing.ps1, go to Properties and select Unblock.  Next, we need to modify the execution policy on the system to allow scripts to run. We will set the policy to RemoteSigned which will allow local scripts to run but anything from the internet will need to be signed or unblocked like we just did.  This can be done by typing the following at the PowerShell prompt:
    Set-ExecutionPolicy -executionpolicy RemoteSigned
  4. Mount an image. You can use Arsenal, FTK Imager, or even mount it in SIFT Workstation and access the mount over the network.  There are a couple of caveats to each method. My script will attempt to detect your mounting method and alert you as to what may be missing.
    • Arsenal Image Mounter: This is my favorite option as it allows us to access Volume Shadow Copies.   Its downside is that it doesn’t allow access to the $MFT without extracting it using another tool. Also, there are only certain versions of Arsenal which give access to the Volume Shadow Copies. Harlan Carvey had a recent post about this here.  **Make sure you select the Write Temporary option when mounting!**
    • FTK Imager: FTK works well for the most part. You get the $MFT parsing that Arsenal doesn’t have but lose the Volume Shadow capability. There can also be an issue parsing Shellbags if the hive is dirty and parsing Chrome artifacts with Hindsight. The Shellbags issue can be bypassed by holding SHIFT down while the script executes.
    • SIFT Mount: Currently not parsing Shellbags due to an issue with SIFT not recognizing reparse points in Windows which causes SBECmd.exe to loop endlessly. So, for now, I’ve got it excluded if the script detects a UNC path in the mount. SIFT also doesn’t give VSCMount.exe a way to mount Volume Shadow Copies. You can manually mount these in SIFT and run the script against each mounted VSC but it doesn’t do all of them automatically like Arsenal.
    So what should you pick? I typically use Arsenal and then I grab the $MFT and parse it on its own using MFTECmd.exe
  5. Launch PowerShell as Administrator, change directory to the location of Start-ImageParsing.ps1 and type the script name and parameters.

Example 1:
.\Start-ImageParsing.ps1 -imagepath f: -outpath G:\cases\Dblake -vsc

Executes the script against an Arsenal mounted image ‘f:’ and saves the output into G:\Cases\Dblake. The -vsc switch parameter forces the Volume Shadow Copies to be mounted and parsed.  Since the -toolPath, -hindsightPath, and -nirsoftPath parameters are not specified, the default locations will be used.

Example 2:
.\Start-ImageParsing.ps1 -imagepath g:\[root] -toolPath g:\tools\Zimmerman -hindsightPath g:\tools\hindsight.exe -nirsoftPath c:\tools\nirsoft -outpath G:\cases\Dblake

In this example, we are running against a drive mounted in FTK.  We are also explicitly stating the location of our tools to be used in the parsing.  As stated before, you are better off setting these in the script so you don’t have to do it this way, but it’s an option if needed. No -vsc switch parameter is used as that’s not an option with FTK mounted images.

My Github has more examples and there is some help built into the script.  Just type:

Get-Help Start-ImageParsing.ps1 -examples

  6. Review Output (screenshot: ScriptOutput)

Looking at the screenshot above, we can see how the output is organized.

  • Any tools that process artifacts for an individual user will save their output in the respective folder for that user. The two exceptions to this are SBECmd.exe and BrowsingHistoryView.exe which both save into the root output folder.
  • The Mounted_VSC_* folder contains the mounted Volume Shadow Copies should you need to perform additional actions on them.  An important note on this is that you will not be able to navigate this folder structure completely using Windows Explorer. Command line or PowerShell work great though.
  • The Processed_VSC folder contains a subdirectory for each VSC found in the image and the parsed output from each tool can be seen in these.
  • The other files I’d like to point out are the log files:
    Start-ImageParsing_Detailed.log will display the output streams for each tool.
    Start-ImageParsing_Commands.log  will display the command and any arguments executed by the script. If an artifact is not found, this will be listed as well.

(Screenshot: CommandsLog, the Start-ImageParsing_Commands.log file)
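As an added example (not Start-ImageParsing.ps1 itself, nor code from the authors of the tools it runs), here is a stripped-down PowerShell script that reproduces the pattern described in the mounting caveats (step 4) and in the output layout above: detect a UNC (SIFT-style) mount and skip SBECmd.exe there, treat every directory under Users\ holding an NTUSER.DAT as a profile, run the per-user tools into that user’s folder, run SBECmd.exe into the root output folder, and keep two logs, one for the command lines and not-found artifacts and one for the tools’ merged output streams. The -d and --csv switches are the ones the Zimmerman tools document; the script name, the artifact paths checked, the tool set and the log wording are assumptions for illustration.

```powershell
<#
 Added example, not the code of Start-ImageParsing.ps1. Save as, for instance,
 Invoke-ProfileParsing.ps1 (hypothetical name) and run from an elevated prompt:
   .\Invoke-ProfileParsing.ps1 -ImagePath F: -OutPath G:\cases\Dblake
 Tool switches (-d, --csv) are documented by the tools; everything else
 (artifact paths, which tools run, log wording) is an assumption.
#>
param(
    [Parameter(Mandatory)][string]$ImagePath,   # F: or \\sift\mnt\image
    [Parameter(Mandatory)][string]$OutPath,
    [string]$ToolPath = 'C:\Forensic Program Files\Zimmerman'
)

New-Item -ItemType Directory -Path $OutPath -Force | Out-Null
$commandsLog = Join-Path $OutPath 'Start-ImageParsing_Commands.log'
$detailedLog = Join-Path $OutPath 'Start-ImageParsing_Detailed.log'

# Mount-method detection: a UNC path means a network (SIFT-style) mount, where
# the post reports SBECmd.exe looping on reparse points, so Shellbags are skipped.
$isUncMount = $ImagePath -match '^\\\\'

function Write-Log {
    param([string]$Path, [string]$Message)
    ('{0}  {1}' -f (Get-Date -Format 'yyyy-MM-dd HH:mm:ss'), $Message) |
        Add-Content -LiteralPath $Path
}

function Invoke-ParserTool {
    # Runs one tool once. The command line goes to the Commands log, stdout and
    # stderr (merged by *>&1) go to the Detailed log, and a missing tool or
    # artifact is logged instead of launching anything.
    param(
        [string]$Exe,
        [string[]]$Arguments,
        [string]$Artifact   # path that must exist for the run to be useful
    )
    if (-not (Test-Path -LiteralPath $Exe)) {
        Write-Log $commandsLog "MISSING TOOL: $Exe"
        return $false
    }
    if ($Artifact -and -not (Test-Path -LiteralPath $Artifact)) {
        Write-Log $commandsLog "NOT FOUND: $Artifact (skipping $([IO.Path]::GetFileName($Exe)))"
        return $false
    }
    Write-Log $commandsLog ('{0} {1}' -f $Exe, ($Arguments -join ' '))
    Add-Content -LiteralPath $detailedLog -Value "===== $Exe $($Arguments -join ' ') ====="
    & $Exe @Arguments *>&1 | ForEach-Object { "$_" } | Add-Content -LiteralPath $detailedLog
    Write-Log $commandsLog "exit code $LASTEXITCODE"
    return $true
}

# Every directory under Users\ that holds an NTUSER.DAT is treated as a profile.
$usersDir = Join-Path $ImagePath 'Users'
$profiles = Get-ChildItem -LiteralPath $usersDir -Directory -ErrorAction SilentlyContinue |
    Where-Object { Test-Path -LiteralPath (Join-Path $_.FullName 'NTUSER.DAT') }

foreach ($userProfile in $profiles) {
    # Per-user tools write under <OutPath>\<user>, matching the post's layout.
    $userOut = Join-Path $OutPath $userProfile.Name
    New-Item -ItemType Directory -Path $userOut -Force | Out-Null
    $recent = Join-Path $userProfile.FullName 'AppData\Roaming\Microsoft\Windows\Recent'

    # LNK files and Jump Lists both live under the Recent folder (assumed layout).
    $null = Invoke-ParserTool -Exe (Join-Path $ToolPath 'LECmd.exe') `
        -Arguments @('-d', $recent, '--csv', $userOut) -Artifact $recent
    $null = Invoke-ParserTool -Exe (Join-Path $ToolPath 'JLECmd.exe') `
        -Arguments @('-d', $recent, '--csv', $userOut) -Artifact $recent
}

# Shellbags: SBECmd.exe takes a directory of hives and, as in the post,
# writes to the root output folder rather than a per-user folder.
if ($isUncMount) {
    Write-Log $commandsLog 'UNC mount detected: SBECmd.exe skipped (reparse-point loop on SIFT mounts)'
} else {
    $null = Invoke-ParserTool -Exe (Join-Path $ToolPath 'SBECmd.exe') `
        -Arguments @('-d', $usersDir, '--csv', $OutPath) -Artifact $usersDir
}
```

The two-log split is the part worth copying into your own automation: the Commands log is the reproducible record of exactly what was run against the evidence (and what was not, and why), while the Detailed log keeps each tool’s own messages, including parser errors on dirty hives, without mixing them into the CSV output you will be reviewing.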

So that’s it.  Hopefully, you’ll find this as useful as I have. It’s a work in progress and I’m hoping in the next update to add a couple RegRipper parsers and then combine and dedupe the output from the primary image with the VSCs.

Thanks for reading.  If you have any comments, suggestions or questions feel free to let me know.
