Inquisitor - forensics artifacts collector by f4d0

Introduction


I have developed a forensics artifacts collection tool for Windows OS, which I named Inquisitor and which can be found here: https://github.com/nrrpinto/inquisitor, and can be downloaded directly from here. It is part of my final master's thesis in Cybersecurity (master's from Deloitte and IMF). The purpose of this post is to present the tool to the community. My hope is that the community helps me to improve Inquisitor and that newbies can learn from it.

First things first, let's start with the name: why Inquisitor?? Well, this work was developed in Spain, and Spain was one of the countries where the Inquisition was most severe in the Middle Ages. Inquisitors were actors who used to inquire in search of "heresies". The Inquisitor tool's objectives are to inquire into the system, identifying "heresies" aka malicious activities, and to gather enough information to help eliminate "demons/witches" aka malicious actors/malware presence.

Before I start to talk about the program, it is important to underline that the program is very young in maturity: it has 7 months of development time by one person who also has a main job. So, it is expected to be buggy; some of the bugs are already identified and in the to-do list. I expect the community to engage using the tool and help me to identify further ones. I'll be completely open to all opinions, development proposals and flaw identification. For that, I kindly ask all who desire to contribute to use Inquisitor's GitHub issues.

Context

One of the reasons why tools like Inquisitor are needed is that, while Incident Response professionals need to quickly contain, eradicate and recover with minimal impact, digital forensics needs to meticulously seek who, why and how.

As Mike Sheward says in his book Hands-on Incident Response and Digital Forensics:
"Imagine, a scene in your favourite television crime drama in which the crime scene technician is meticulously dusting for fingerprints, while bullets from an ongoing shootout with the police continue to fly around them."

Another reason for the need of tools like Inquisitor might simply be that IR wants to be faster. Collecting artifacts with an automated tool is not only much faster, it also reduces the flaws in the collection.

What is Inquisitor?

Inquisitor is a digital forensics artifacts collector for Windows operating systems. It is developed for Windows 10, but also works well on Windows 7 and 8.x, with best effort for Windows XP.
Inquisitor was developed in PowerShell and uses .NET libraries. It has both a CLI and a GUI, which I'll dig into later.

When I first thought about Inquisitor, the objective was just to collect artifacts using third-party tools. Then it changed to collect and parse artifacts using third-party tools. And finally, it became to collect and parse artifacts without third-party tools. At the moment it does a little of everything, with collection by third-party tools being the norm, but collection and parsing without third-party tools is the ultimate goal, even though I have no idea how to get there at this exact moment.


Third party tools

Inquisitor in its current version relies heavily on third-party tools, as can be seen in the table below:

SQLite3 is missing from that table, because it was added after the graphic was created.

I'll leave an exhaustive explanation of each of the tools for a future post. On the other hand, experienced forensic analysts already know each of these tools.

Inquisitor GUI

There are two ways to start Inquisitor in the Graphical User Interface (GUI):
  • Using the CLI with the parameter "-GUI":
    1. Start PowerShell in administrator mode.
    2. Navigate to the Inquisitor folder.
    3. Execute ".\inquisitor.ps1 -GUI".
  • Using the ".bat" file:
    1. Navigate to the Inquisitor folder using Windows Explorer.
    2. Right-click the "inquisitor.bat" file.
    3. Select the option "Run as administrator".
Using the GUI is very user-friendly and straightforward, as can be seen below:

Steps:
  1. Select the Source; it can be a live unit or a mounted unit.
  2. Select the Destiny; it can be a unit or a folder.
  3. Select whether the Destiny should be formatted.
  4. Select whether the collected files should be hashed, and which type of hash should be calculated.
  5. It is possible to use Collection Type to quickly select the desired artifacts to collect.
  6. Adjust the artifacts that are to be collected by using the check-boxes.
  7. Click "Execute".
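
Step 4 above (hashing the collected files) is where an acquisition becomes verifiable. The following is an added example written for this post, not Inquisitor's own code: it walks a collection folder, hashes every file with the chosen algorithm into a CSV manifest, records files it could not read instead of skipping them, and then hashes the manifest itself so later edits are detectable. The function name, parameter names and the output path are my own assumptions; it needs PowerShell 4 or later for Get-FileHash.

```powershell
# Added example, not Inquisitor's own code: hash every file under a collection
# folder and write a manifest beside it, as GUI step 4 describes.
# Assumes PowerShell 4+ (Get-FileHash). Function and parameter names are mine.
function New-CollectionManifest {
    param(
        [Parameter(Mandatory)][string]$CollectionRoot,
        [ValidateSet('MD5', 'SHA1', 'SHA256')][string]$Algorithm = 'SHA256'
    )

    $manifest = Join-Path $CollectionRoot ("hashes_{0}.csv" -f $Algorithm.ToLower())

    Get-ChildItem -Path $CollectionRoot -File -Recurse -Force |
        Where-Object { $_.FullName -ne $manifest } |
        ForEach-Object {
            $file = $_
            try {
                $h = Get-FileHash -LiteralPath $file.FullName -Algorithm $Algorithm -ErrorAction Stop
                [pscustomobject]@{
                    Path      = $file.FullName
                    Size      = $file.Length
                    Algorithm = $Algorithm
                    Hash      = $h.Hash
                    Error     = ''
                }
            } catch {
                # A locked or unreadable file is recorded, not silently dropped,
                # so the manifest stays an honest account of what was hashed
                [pscustomobject]@{
                    Path      = $file.FullName
                    Size      = $file.Length
                    Algorithm = $Algorithm
                    Hash      = ''
                    Error     = $_.Exception.Message
                }
            }
        } | Export-Csv -LiteralPath $manifest -NoTypeInformation -Encoding UTF8

    # Seal the manifest itself so any later edit to it is detectable
    $seal = Get-FileHash -LiteralPath $manifest -Algorithm $Algorithm
    Set-Content -LiteralPath "$manifest.$($Algorithm.ToLower())" `
        -Value ("{0}  {1}" -f $seal.Hash, (Split-Path $manifest -Leaf))

    return $manifest
}

# Usage (assumed output path): New-CollectionManifest -CollectionRoot 'E:\Inquisitor_output' -Algorithm SHA256
```

The manifest is excluded from its own listing and sealed with a separate hash file; copy that seal to a location outside the collection so the chain of custody does not depend on the same media it protects.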

Inquisitor CLI

To get information about the options of Inquisitor from the command line, execute the following command:
          PS> Get-Help .\Inquisitor.ps1


Everything is very well documented; using the parameters "-examples", "-detailed" and/or "-full" of the Get-Help cmdlet will provide all the information necessary to execute Inquisitor from the CLI.


Artifacts Collected/Parsed/Decrypted

This is a huge topic, so I'll just enumerate the artifacts that are collected. I'll leave the details (how to collect, tools used, resulting files, what it is useful for, further analysis...) of each artifact for future blog posts.

Live systems:

  • RAM memory
  • Network Information
    • TCP and UDP
    • NetBIOS
    • Net Session and Net File
    • Network Configuration
    • DNS and ARP cache
    • WiFi network
  • Services and Processes
  • Scheduled Tasks
  • PowerShell command line history
  • Installed software
  • Users and Groups
  • Persistence
    • Registry Run Keys
    • Shell Folders
    • Winlogon Helper DLL
    • Time Providers
    • SIP and Trust Provider Hijacking
    • Security Support Provider
    • Port Monitors
    • Office Application Startup
    • Change Default File Association
    • AppInit DLLs
    • AppCert DLLs
  • USB Info
  • PnP Devices Info
  • Firewall Configuration
  • Most Recent Used (MRUs)
    • MUICache
    • Recent Docs
    • Open/Saved Files MRU
    • UserAssist
    • Shellbags
    • CIDSizeMRU
    • Last-Visited MRU
    • RUN DialogBox MRU
    • AppcompatCache / Shimcache
    • Recent Applications
  • BAM - Background Activity Moderator
  • System Info
  • Last Activity
  • All Autorun Files

Live/Offline Artifacts:

  • HIVE files
  • EVTX files
  • ETW & ETL - Event Trace Files
  • Files Lists
  • Dangerous Extensions
  • Prefetch
  • Windows Search
  • Jump Lists
  • Thumb and Icon cache
  • File System Files ($MFT, $UsnJrnl and $LogFile)
  • Memory Support Files (Hiberfil.sys, Pagefile.sys and Swapfile.sys)
  • Timeline History
  • Text Harvester
  • SRUM - System Resource Usage Monitor
  • Credentials Manager
  • Skype
  • Email Files
  • Browsers:
    • Chrome
    • Firefox
    • Internet Explorer
    • EDGE
    • Safari
    • Opera
    • TOR
  • Cloud clients:
    • One Drive
    • Google Drive
    • Dropbox
  • Signed files


Advantages of Inquisitor

Inquisitor has some advantages over other IR tools on the market. These are:

  • Persistence from MITRE ATT&CK - most IR tools consider just autoruns and not much more as persistence. When developing Inquisitor I've implemented all the persistence techniques identified by MITRE ATT&CK.
  • Firewall rules - this seems obvious, as malicious actors will open doors if they can, but I was not able to find this collection in most of the tools I've tested.
  • PowerShell command line history - this information is very useful for spotting living-off-the-land (LotL) activity.
  • Collection and parsing of cloud client logs.
  • Collection and parsing of the Windows Credential Manager.
  • Iterates through logged-in users (HKU) and not only the current user (HKCU). Most of the tools, if not all, iterate through HKCU. What if a malicious actor is logged in with another account at the moment of the data extraction?
  • Collection and Parsing of Thumbcache and Iconcache.
  • Easy GUI Interface.

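The two points above that most distinguish Inquisitor, the ATT&CK-style persistence locations listed under "Live systems" and the decision to walk every loaded hive under HKU rather than only HKCU, can be illustrated together. The following is an added example written for this post, not Inquisitor's own code: it maps the HKU drive, resolves each loaded user SID to an account name, reads the per-user Run/RunOnce and Load/Run values, then the machine-wide Run/RunOnce (including the WOW6432Node view), Winlogon Shell/Userinit and AppInit_DLLs values, and returns one object per registry value. REG_EXPAND_SZ data is kept unexpanded so the stored string, not its expansion on the analysis box, is what gets reported. The function name and output property names are my own; it must run from an elevated PowerShell.

```powershell
# Added example, not Inquisitor's own code: list Run/RunOnce, Winlogon and
# AppInit_DLLs persistence entries for every user hive loaded under HKU
# (not just HKCU) plus the machine-wide keys. Run from an elevated PowerShell.
# Function and output property names are my own choices.
function Get-RegistryPersistence {
    $results = New-Object System.Collections.Generic.List[object]

    # Emit one object per value of a key; $OnlyNames narrows busy keys like Winlogon
    function Add-KeyValues([string]$Path, [string]$Owner, [string]$Category, [string[]]$OnlyNames) {
        if (-not (Test-Path -LiteralPath $Path)) { return }
        $key = Get-Item -LiteralPath $Path
        foreach ($name in $key.GetValueNames()) {
            if ($OnlyNames -and $name -notin $OnlyNames) { continue }
            $results.Add([pscustomobject]@{
                Owner    = $Owner
                Category = $Category
                Key      = $Path
                Name     = $name
                # Keep REG_EXPAND_SZ data unexpanded: the raw string is the evidence
                Data     = $key.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
            })
        }
    }

    # HKU is not a default drive; map it so every loaded user hive is reachable
    if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
    }

    # Real account SIDs only (skips .DEFAULT and the *_Classes hives)
    $hives = Get-ChildItem -Path 'HKU:\' | Where-Object { $_.PSChildName -match '^S-1-5-\d+(-\d+)*$' }
    foreach ($hive in $hives) {
        $sid = $hive.PSChildName
        $owner = try {
            (New-Object System.Security.Principal.SecurityIdentifier($sid)).Translate([System.Security.Principal.NTAccount]).Value
        } catch { $sid }   # unresolvable SID (deleted account, domain offline) is kept as-is
        foreach ($sub in 'Run', 'RunOnce') {
            Add-KeyValues "HKU:\$sid\Software\Microsoft\Windows\CurrentVersion\$sub" $owner "User $sub"
        }
        # Per-user "Load" and "Run" values: an old but still honoured autostart
        Add-KeyValues "HKU:\$sid\Software\Microsoft\Windows NT\CurrentVersion\Windows" $owner 'User Load/Run' @('Load', 'Run')
    }

    foreach ($sub in 'Run', 'RunOnce') {
        Add-KeyValues "HKLM:\Software\Microsoft\Windows\CurrentVersion\$sub" 'MACHINE' "Machine $sub"
        Add-KeyValues "HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\$sub" 'MACHINE' "Machine $sub (WOW64)"
    }
    # Winlogon helpers: anything other than explorer.exe / userinit.exe here deserves a look
    Add-KeyValues 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' 'MACHINE' 'Winlogon' @('Shell', 'Userinit')
    # AppInit_DLLs are loaded into every process that loads user32.dll when LoadAppInit_DLLs is 1
    Add-KeyValues 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Windows' 'MACHINE' 'AppInit' @('AppInit_DLLs', 'LoadAppInit_DLLs')

    return $results
}

# Usage: Get-RegistryPersistence | Export-Csv -Path .\persistence.csv -NoTypeInformation
```

Only hives currently loaded appear under HKU; a user who is logged off at collection time has an NTUSER.DAT on disk that this walk will not see, which is why the HIVE file collection listed under "Live/Offline Artifacts" still matters alongside the live registry.
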

Future Developments

Below are some items from the current to-do list. The quick wins are developments that do not need a big effort to achieve, while the further developments require more effort to complete.

Quick wins:

  • Artifacts collection according to incident type (e.g.: malware, DoS, data exfiltration, phishing, ...).
  • Parse HIVE files.
  • Parse EVTX files and correlate events.
  • Parse $MFT, $UsnJrnl and $LogFile.
  • Use Yara Rules with Hiberfil.sys, Pagefile.sys and Swapfile.sys.
  • ZIP the collection and send it by SFTP.
  • Deliver all files in CSV format.

Further Developments:

  • Check all IPs with abuseipdb.com
  • Volume Shadow Copies extraction.
  • Implement multi-threading.
  • Capture traffic parallel to the execution.
  • Be independent of third-party tools.
  • Parse email files collected:
    • Check attachments with yara.
    • Check with VT and Sandbox.
  • Fileless execution.
