ir-rescue is composed of two sister scripts that collect a myriad of forensic data from 32-bit and 64-bit Windows systems (ir-rescue-win) and from Unix systems (ir-rescue-nix). The scripts respect the order of volatility and the artifacts that are changed by their own execution (e.g., prefetch files on Windows), and are intended for incident response use at different stages of the analysis and investigation process. Each is described as follows:
- ir-rescue-win is fully written in Batch and can be set to perform comprehensive and customized acquisitions of specific types of live data and of historical data from available Volume Shadow Copy Service (VSS) copies. ir-rescue-win makes use of built-in Windows commands and well-known third-party utilities (for instance from Sysinternals and NirSoft), some of which are open-source. PowerShell and the Windows Management Instrumentation (WMI) are not used, in order to make ir-rescue-win transversally compatible.
- ir-rescue-nix is written in Bash (v4+) and makes use of built-in Unix commands. Some commands used might not be POSIX-compliant and therefore might not be available on some Unix-like systems or variants, especially on older operating systems.
ir-rescue is designed to group data collections according to data type. For example, all data that relates to networking, such as open file shares and Transmission Control Protocol (TCP) connections, is grouped together, while running processes, services and tasks are gathered under malware. The acquisition of data types and other general options are specified in a simple configuration file. It should be noted that the scripts launch a great number of commands and tools, thereby leaving a considerable footprint (e.g., strings in memory, prefetch files, program execution caches) on the system. The runtime varies depending on the computation power, disk write throughput and configuration set. Disk performance is especially important if secure deletion is set and when dumping 64-bit memory (usually 8 GB in size), which can take a considerable amount of time.
ir-rescue has been written for incident response and forensic analysts, as well as security practitioners, and is used in companies such as Cisco, PepsiCo, SaskTel, Praetorian and Counteractive Security. It represents an effort to streamline host data collection, regardless of investigation needs, and to rely less on on-site support when remote access or live analysis is unavailable. It can thus be used to leverage the already bundled tools and commands during forensic activities.
## Dependencies and Usage

ir-rescue relies on a number of third-party utilities for gathering specific data from hosts. The versions of the tools are listed in the last section and are provided with the package as is; therefore, their licenses and user agreements must be accepted before running ir-rescue. Note that Sysinternals utilities cannot be redistributed for others to copy, according to the Sysinternals Software License Terms. Because of this, ir-rescue is no longer published along with Sysinternals utilities, and so all entries enumerated in section Third-Party Tool List and References must be downloaded from the Sysinternals Live Repository and moved into their appropriate folders in order for the script to run.
The descriptions and organization of the toolset are given below, with both 32-bit and 64-bit versions of Windows tools included adjacently, if applicable:
- `tools-nix/`: third-party tools folder for ir-rescue-nix:
  - `ascii/`: text ASCII art files in `*.txt` format;
  - `cfg/`: configuration files:
    - `ir-rescue-nix.conf`: main configuration file for ir-rescue-nix;
    - `nonrecursive-(hidden|md5sum).txt`: hidden files and md5sum non-recursive locations;
    - `nonrecursive.txt`: non-recursive locations for multiple tools;
    - `recursive-(exec|hidden|md5sum).txt`: executables, hidden files and md5sum recursive locations;
    - `recursive.txt`: recursive locations for multiple tools;
  - `mem/`: memory tools:
    - `AVML-0.21` (64-bit ELF): dumps the memory;
- `tools-win\`: third-party tools folder for ir-rescue-win:
  - `activ\`: parsing tools for user and system activity artifacts:
    - `exiftool.exe`: parses Link (LNK) files;
    - `JLECmd.exe`: parses automatic and custom destinations jump lists;
    - `LastActivityView.exe`: displays a mini-timeline of user and system activity such as logons and logoffs;
    - `rifiuti-vista[64].exe`: parses recycle bin files;
    - `USBDeview[64].exe`: lists previously and currently connected USB devices;
  - `ascii\`: text ASCII art files in `*.txt` format;
  - `cfg\`: configuration files:
    - `ir-rescue-win.conf`: main configuration file for ir-rescue-win;
    - `nonrecursive-(acl|iconsext|md5deep).txt`: `accesschk[64].exe`, `iconsext.exe` and `md5deep[64].exe` non-recursive locations;
    - `nonrecursive.txt`: non-recursive locations for multiple tools;
    - `recursive-(acl|iconsext|md5deep).txt`: `accesschk[64].exe`, `iconsext.exe` and `md5deep[64].exe` recursive locations;
    - `recursive.txt`: recursive locations for multiple tools;
  - `cygwin\`: Cygwin tools and Dynamic Linked Libraries (DLLs):
    - `tr.exe`: used to cut out non-printable characters;
    - `grep.exe`: used to filter data with regular expressions;
  - `disk\`: disk tools:
    - `EDD.exe`: tests for disk encryption software;
  - `evt\`: Windows events tools:
    - `psloglist.exe`: extracts Windows event logs;
  - `fs\`: file system tools:
    - `tsk\`: The Sleuth Kit (TSK) tools and DLLs:
      - `fls.exe`: walks the Master File Table (MFT);
      - `mmcat.exe`: outputs the contents of a partition;
      - `mmls.exe`: shows information about disk partition tables (DOS, GPT);
    - `AlternateStreamView[64].exe`: lists Alternate Data Streams (ADSs);
    - `ExtractUsnJrnl[64].exe`: extracts the `C:\$Extend\$UsnJrnl` (NTFS journal) file without the sparse zeroes;
    - `md5deep[64].exe`: computes Message Digest 5 (MD5) hash values;
    - `ntfsinfo[64].exe`: shows information about NTFS;
    - `RawCopy[64].exe`: extracts data at the NTFS level;
  - `mal\`: malware tools:
    - `autoruns[64].exe`: dumps autorun locations to the autoruns binary format;
    - `autorunsc[64].exe`: lists autorun locations;
    - `BrowserAddonsView[64].exe`: lists plugins and add-ons from multiple browsers;
    - `densityscout[64].exe`: computes an entropy-based measure for detecting packers and encryptors;
    - `DriverView[64].exe`: lists loaded kernel drivers;
    - `handle[64].exe`: lists object handles;
    - `iconsext.exe`: extracts icons from Portable Executables (PEs);
    - `Listdlls[64].exe`: lists loaded DLLs;
    - `OfficeIns[64].exe`: lists installed Microsoft Office add-ins;
    - `pslist[64].exe`: lists running processes;
    - `PsService[64].exe`: lists services;
    - `sigcheck[64].exe`: checks digital signatures within PEs;
    - `WinPrefetchView[64].exe`: displays the contents of prefetch files;
  - `mem\`: memory tools:
    - `winpmem_1.6.2.exe`: dumps the memory;
  - `net\`: network tools:
    - `psfile[64].exe`: lists files opened remotely;
    - `tcpvcon.exe`: lists TCP connections and ports and UDP ports;
  - `sys\`: system tools:
    - `accesschk[64].exe`: lists user permissions of the specified locations;
    - `logonsessions[64].exe`: lists currently active logon sessions;
    - `PsGetsid[64].exe`: translates between Security Identifiers (SIDs) and user names and vice-versa;
    - `Psinfo[64].exe`: displays system software and hardware information;
    - `psloggedon[64].exe`: lists locally logged on users that have their profile in the registry;
  - `web\`: web tools:
    - `BrowsingHistoryView[64].exe`: lists browsing history from multiple browsers;
    - `ChromeCacheView.exe`: displays the Google Chrome cache;
    - `IECacheView.exe`: displays the Internet Explorer cache;
    - `MozillaCacheView.exe`: displays the Mozilla Firefox cache;
  - `yara\`: YARA tools and signatures:
    - `rules\`: `*.yar` rules folder;
    - `yara(32|64).exe`: YARA main executable;
    - `yarac(32|64).exe`: YARA rules compiler;
  - `7za.exe`: compresses files and folders;
  - `nircmdc[64].exe`: features extensive functionality, among which taking screenshots;
  - `sdelete(32|64).exe`: securely deletes files and folders;
- `data\`: data folder created during runtime with the collected data:
  - `<HOSTNAME>-<DATE>\`: `<DATE>` follows the YYYYMMDD format:
    - `ir-rescue-win`: folder for ir-rescue-related data:
      - `ir-rescue-win.log`: verbose log file of status messages;
      - `ir-rescue-win-global.log`: global log file with ir-rescue-win commands run in the past;
      - `screenshot-#`: numbered screenshots for ir-rescue-win only;
    - folders named according to the data types set for collection.

ir-rescue-win needs to be run under a command line console with administrator rights, while ir-rescue-nix needs to be run under a command line window with root privileges. Both require no arguments and make use of a respective configuration file to set desired options. As such, executing the scripts simply needs the issuing of the files as follows:
`ir-rescue-win-v1.w.x.bat`, or `./ir-rescue-nix-v1.y.z.sh`.

Some tools that perform recursive searches or scans are set only to recurse on specific folders. This makes the data collection more targeted while taking into account runtime performance, as the folders specified are likely locations for analysis due to extensive use by malware. The locations for recursive search and non-recursive search for Windows and Unix systems can be changed at will in the respective text files under the configuration folders. Some of the tools have dedicated files with specific locations in which to and not to recurse. These are named `recursive-<tool>.txt` and `nonrecursive-<tool>.txt`, with `<tool>` being changed to the tool name. Each file must have one location as a full path per line, without trailing backslashes or forward slashes.
During runtime, all characters printed to the Standard Output (STDOUT) and Standard Error (STDERR) channels are logged to UTF-8 encoded text files. This means that the output of tools is stored in corresponding folders and text files. Status ASCII messages are still printed to the console in order to check the execution progress. A temporary folder created under `%TEMP%\ir-rescue-win` or `/tmp/ir-rescue-nix` is used to store runtime data (e.g., memory dump drivers and links to VSS copies) and is deleted upon completion. Data folders are created as placeholders for data during initialization. After collection, empty folders may be deleted if no data was collected (e.g., empty browser caches). In the end, data is compressed into a password-protected archive and is accordingly deleted afterwards, if set to do so.
## Configuration File

The configuration files of ir-rescue-win and ir-rescue-nix are mostly composed of simple binary directives (true or false) for the general behaviour of the scripts, for which data types to collect and for which advanced tools to run. Lines preceded by a hash sign (#) are considered comments. These are used to briefly describe what each option does, to enumerate folders, files or registry keys important to provide some context, as well as to list relevant tools. The descriptions below apply only to ir-rescue-win, but they serve as an example to understand the overall approach and the configuration file of ir-rescue-nix.
For ir-rescue-win, data is grouped into the types given by the following directives:
- `activity`: this option sets the collection of user activity data;
- `disk`: this option sets the collection of disk data;
- `events`: this option sets the collection of Windows event logs;
- `filesystem`: this option sets the collection of data related with NTFS and files;
- `malware`: this option sets the collection of system data that can be used to spot malware;
- `memory`: this option sets the collection of the memory;
- `network`: this option sets the collection of network data;
- `registry`: this option sets the collection of system and user registry;
- `system`: this option sets the collection of system-related information;
- `web`: this option sets the collection of browsing history and caches.

On the one hand, the usage of advanced tools set by the `sigcheck`, `density`, `iconsext` and `yara` options is independent of the configurations made to the collection of data types. On the other hand, directives under the respective main options of the data types are tied to them, meaning that they are disregarded if the main ones are set to false. For example, `memory-dump=true`, the option that instructs the tool to dump the Random Access Memory (RAM), is ignored if `memory=false`. The same goes for the `<option>-all` option, which sets all options of a certain data type to true for convenience, except `<option>-vss`. The script supports retrieving data from all available VSS copies by creating hard links to the copies via the Windows kernel namespace, a feature that can be turned on with `vss=true`. Each of the main options has its own `<option>-vss` option, which enables or disables the acquisition of VSS data for that particular data type. Note that the data collected by the `malware-startup` and `web-(chrome|ie|mozilla)` options is password-protected too, with the password being "infected" without quotes. All options not found or commented out in the configuration file are set to false during runtime, including the password for the final compressed archive.
Further note that the `iconsext` option is useful to look for binaries compiled with unusual frameworks that set PE icons (e.g., Python). Moreover, YARA rules need to have a `*.yar` file extension and to be put in the `tools-win\yara\rules\` folder. The output of all advanced tools is stored under the malware resulting folder.
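The dependency rules above (sub-options disregarded when their data type is false, `<option>-all` covering every sub-option except `<option>-vss`, absent or commented directives read as false) are easy to misjudge when editing a configuration by hand. The Bash helper below is an added example, not part of ir-rescue, that resolves the effective value of a directive against an inline constructed sample configuration; it assumes that a `<type>-vss` directive additionally depends on the global `vss` switch, which the text implies but does not state outright.

```shell
#!/usr/bin/env bash
# Added example (not ir-rescue code): resolve the effective value of an
# ir-rescue-win style directive under the dependency rules described above.

# Constructed sample configuration, embedded inline so the example runs offline.
SAMPLE_CONF='# constructed sample, not a real ir-rescue-win.conf
vss=true
memory=true
memory-all=true
memory-vss=false
# registry=true   (commented out, so the registry type counts as false)
registry-system=true
events=false
events-txt=true
'

# cfg_get CONF NAME: literal value of NAME (true/false); missing or commented
# directives default to false, as the README states.
cfg_get() {
    local conf="$1" name="$2" line
    while IFS= read -r line; do
        case "$line" in
            "$name=true")  echo true;  return ;;
            "$name=false") echo false; return ;;
        esac
    done <<< "$conf"
    echo false
}

# effective CONF NAME: value after applying the data-type dependency rules.
effective() {
    local conf="$1" name="$2" type sub
    case "$name" in
        *-*) type="${name%%-*}"; sub="${name#*-}" ;;
        *)   cfg_get "$conf" "$name"; return ;;   # main option: stands alone
    esac
    # a sub-option is disregarded when its main data-type option is false
    [ "$(cfg_get "$conf" "$type")" = true ] || { echo false; return; }
    if [ "$sub" = vss ]; then
        # assumption: per-type VSS needs the global vss switch and its own -vss
        if [ "$(cfg_get "$conf" vss)" = true ] && [ "$(cfg_get "$conf" "$name")" = true ]
        then echo true; else echo false; fi
        return
    fi
    # <type>-all=true enables every other sub-option of that type
    [ "$(cfg_get "$conf" "$type-all")" = true ] && { echo true; return; }
    cfg_get "$conf" "$name"
}
```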
Below is a minimal example of the configuration file setting the collection of the RAM, including the live and historical paged memory, the system registry and Windows event logs in text format, as well as the compression of the final data folder with password "infected" (without quotes). Note that this configuration skips the collection of historical system registry files.
```
# ir-rescue-win configuration file
# accepted values: 'true' or 'false' (exclusive)

# general
killself=false
sdelete=false
zip=true
zpassword=infected
ascii=false

# modules
events=true
memory=true
registry=true
vss=true

# events
events-all=false
events-txt=true

# memory
memory-all=false
memory-vss=true
memory-dump=true
memory-pagefile=true

# registry
registry-all=false
registry-vss=false
registry-system=true
```

## Third-Party Tool List and References

### Windows

- Sysinternals: the Sysinternals tools have been mostly developed by Mark Russinovich and are free to use under the Sysinternals Software License Terms. The full list of tools used by ir-rescue-win is `accesschk[64].exe` (v6.02), `autoruns[64].exe` (v13.62), `autorunsc[64].exe` (v13.61), `handle[64].exe` (v4.1), `Listdlls[64].exe` (v3.2), `logonsessions[64].exe` (v1.4), `ntfsinfo[64].exe` (v1.2), `psfile[64].exe` (v1.03), `PsGetsid[64].exe` (v1.45), `Psinfo[64].exe` (v1.78), `pslist[64].exe` (v1.4), `psloggedon[64].exe` (v1.35), `psloglist.exe` (v2.71), `PsService[64].exe` (v2.25), `sdelete(32|64).exe` (v2.0), `sigcheck[64].exe` (v2.52), and `tcpvcon.exe` (v3.01).
- NirSoft: the NirSoft suite of tools is developed by Nir Sofer and released as freeware utilities. The full list of tools used by ir-rescue-win is `AlternateStreamView[64].exe` (v1.51), `BrowserAddonsView[64].exe` (v1.05), `BrowsingHistoryView[64].exe` (v1.86), `ChromeCacheView.exe` (v1.67), `DriverView[64].exe` (v1.47), `iconsext.exe` (v1.47), `IECacheView.exe` (v1.58), `LastActivityView.exe` (v1.16), `MozillaCacheView.exe` (v1.69), `nircmdc[64].exe` (v2.81), `OfficeIns[64].exe` (v1.20), `USBDeview[64].exe` (v2.61), and `WinPrefetchView[64].exe` (v1.35).
- The Sleuth Kit (TSK) (v4.4.1): the TSK is an open-source forensic tool to analyze hard drives at the file system level, used by ir-rescue-win to walk the MFT with `fls.exe`, to dump disk boot sectors with `mmcat.exe` and to show disk partition table information with `mmls.exe`.
- winpmem_1.6.2 (v1.6.2): the Pmem suite is part of the open-source Rekall memory analysis framework, used by ir-rescue-win to dump the memory.
- `md5deep[64].exe` (v4.4): the md5deep utility is open-source and is maintained by Jesse Kornblum.
- `EDD.exe` (v2.0.1): the Encrypted Disk Detector is a free tool from Magnet Forensics that tests for specific disk encryption software.
- `exiftool.exe` (v10.55): ExifTool is a free metadata parser and editor for several file formats such as LNK files, authored by Phil Harvey.
- `JLECmd.exe` (v0.9.6.1): JLECmd is an open-source, MIT-licensed parser for automatic and custom destinations jump lists with support for Windows 7 through Windows 10. This utility is developed by Eric Zimmerman and requires .NET v4.6.
- `RawCopy[64].exe` (v1.0.0.15) and `ExtractUsnJrnl[64].exe` (v1.0.0.3): RawCopy (essentially, a combination of ifind and icat from TSK) and ExtractUsnJrnl are open-source NTFS utilities to extract data and special files, developed by Joakim Schicht.
- `rifiuti-vista[64].exe` (v0.6.1): Rifiuti2 is an open-source parser for the recycle bin released under the BSD license.
- `densityscout[64].exe` (build 45): the DensityScout utility to compute entropy was written by Christian Wojner and is released under the ISC license.
- YARA (v3.5.0): YARA is an open-source signature scheme for malware that can be used to perform scans for specific indicators.
- Cygwin: the Cygwin project is open-source and is used by ir-rescue-win only to filter outputs with the GNU `tr.exe` (v8.24-3) and `grep.exe` (v2.21) utilities, using the 32-bit DLLs.
- `7za.exe` (v9.20): 7-Zip is an open-source compression utility developed by Igor Pavlov and released under the GNU LGPL license.
### Unix

- AVML-0.21 (Acquire Volatile Memory for Linux): AVML is an X86_64 userland volatile memory acquisition tool written in Rust, intended to be deployed as a static binary. AVML can be used to acquire memory without knowing the target OS distribution or kernel a priori. No on-target compilation or fingerprinting is needed. AVML was compiled as described, on an Ubuntu 18.04.5 LTS VM. The binary should run on many systems and kernel versions.

## Change History

- ir-rescue-win-v1.4.4: moved some filesystem options to a new `disk` option that also includes the new `disk-encryption` option, which tests for a variety of disk encryption software.
- ir-rescue-win-v1.4.3: process arguments are now filtered from the output of `malware-dlls` into a separate file, replaced `filesystem-table` with a more comprehensive option (`filesystem-info`) that retrieves disk and partition information, swapped `LECmd.exe` (v0.9.2.0) with `exiftool.exe` (v10.55) for parsing LNK files, and added a few more commands.
- ir-rescue-win-v1.4.2: removed RegRipper (`registry-parse`) (too heavy, and best to post-process registry hives).
- ir-rescue-win-v1.4.1: added the collection of application crash dumps (`memory-appdumps`), added the text export and parsing of registry hives (`registry-text` and `registry-parse`), added the dump and parsing of the boot sector (`filesystem-boot` and `filesystem-table`), and made some general improvements.
- ir-rescue-win-v1.4.0: restructured the data collection order and output, extended functionality with configurable options (`outpath`, `rm-glog`, `vss-limit` and `drives-limit`), and added NirSoft `BrowserAddonsView[64].exe` and a less verbose global log file.
## Author

@dfernan__