Present State of Affairs
We have been teaching forensics and network incident analysis for quite a while. We have investigated a respectable number of cases, and we are not the only ones doing so. Hence, one would expect a certain degree of automation in analysis. However, the high frequency of software release cycles somehow leads to the development of a myriad of scripts and tools.
If you are into e-discovery or economic and physical crime investigation, you are usually well off with Relativity, Guidance and Nuix. However, if you are asked for the very details of the latest OS version, face new file systems, or some exotic setup or software, you quickly realize you move in a world where the feature lag of forensic suites hits hard, a pretty UX is no requirement, and command completion is your friend. The same applies when you investigate cyber breaches, be it some Internet-facing systems, refurbished Trojans, or more of the targeted and internally spreading sort of code.
There is software to dump memory, carve slack space, access shadow copies, extract event logs, open and dump OS-specific database formats, collect configurations – you name it. Large enterprises maintain infrastructure to remotely pull evidence and hunt their mostly homogeneous fleet. However, for the majority of SMEs and their varied environments, we maintain a cram-full toolbox of software of incredibly varying quality that produces all sorts of outputs you can think of …and even can’t think of.
IT’s DRIVING US NUTS.
Challenging the Status Quo
That said, we are in continuous search of alternatives, substitutes and improved versions to find a remedy and work towards more automation and collaboration during investigations.
Plaso and Timesketch[1] first caught my attention at Swiss Cyber Storm in 2015[2] and they kept resurfacing[3]. I am very thankful that my DFIR colleague, Silas Bärtsch, took the time to write up a little lessons-learned on the current capabilities of the tool suite, which we would like to share with you.
The table roughly follows the topics of the SANS Windows artifact poster[4], slightly enriched and tailored to our needs. For each topic there is a statement on whether Plaso is considered to effectively support the analysis.
File Download Capabilities
Topic | Supported | Timesketch and Kibana Queries, Notes |
---|---|---|
Mail Attachments | NO | There is simply no parser for mail attachments, but this is a case where analysts are usually well off with a commercial forensic suite. |
Skype History | YES | parser:"skype" |
Browser Artifacts | YES | source_short:"WEBHIST" |
Downloads | YES | parser:"firefox_downloads" OR parser:"msiecf"<br>Note that msiecf contains general browsing artifacts and is not limited to file downloads. |
ADS Zone.Identifier | NO | |
Open/Save MRU | CLAIMED | MRU parsers are still something of a jungle. Plaso has a total of six different MRU list parsers[5]. Unfortunately, it is not documented which one parses which artifact. Even though they have different names, it is hard to guess which artifact they handle, and one definitely cannot get around digging into the source code. However, the output of empirical tests of the six MRU list parsers did not include the NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePIDlMRU registry items that contain the Open/Save MRU artifacts. |
Program Execution Analysis
Topic | Supported | Timesketch and Kibana Queries, Notes |
---|---|---|
UserAssist | YES | parser:"userassist" |
Last-Visited MRU | YES | "\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ComDlg32\\LastVisitedPidlMRU" OR "\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ComDlg32\\LastVisitedMRU" |
System Boot Autostart Progs. | YES | parser:"windows_run" |
System Boot Autostart Svcs. | YES | parser:"windows_services" |
AppCompatCache / Shimcache | PARTIAL | parser:"appcompatcache"<br>The parser gets the executable, which is the most important artifact. However, the Shimcache also contains other information such as file size, last modification time, last update time and the execution flag. The parser would need to be improved to extract this supplementary information as well. |
RecentApps | YES | "\\Software\\Microsoft\\Windows\\CurrentVersion\\Search\\RecentApps" |
Prefetch | YES | parser:"prefetch" |
Last Commands Executed | YES | "\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU" OR "\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Policies\\RunMRU"<br>parser:"mrulist_string" AND "\\CurrentVersion\\Explorer\\RunMRU" |
Amcache.hive / RecentFileCache.bcf | PARTIAL | parser:"amcache"<br>This parser was run against a Windows 10 image and was not able to parse any events. The parser is likely to be buggy. In general, event parsing seems to be tricky, as we noticed event parsers failing for various reasons. |
SRUM | CLAIMED | parser:"srum"<br>Make sure to configure the SRUM artifact files in your filter.conf file. With our setup, log2timeline had trouble extracting the /Windows/System32/SRU folder from the image and Plaso failed to parse it properly. Manually extracting the folder and running the parser on it, however, does yield results. |
BAM/DAM | YES | "\\Services\\bam\\UserSettings\\" OR "\\Services\\dam\\UserSettings\\" |
Deleted Files or File Knowledge
Topic | Supported | Timesketch and Kibana Queries, Notes |
---|---|---|
Thumbnails | NO | log2timeline/Plaso is a tool designed to extract meta information from files. Thus, it will collect timestamps from images, but for analyzing media artifacts such as pictures, music or video it is recommended to rely on a commercial forensics suite. |
Thumbcache | NO | See above. |
WordWheelQuery | YES | "\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\WordWheelQuery"<br>parser:"mrulistex_string" AND "\\WordWheelQuery" |
RecycleBin | YES | parser:"recycle_bin" |
Network Activity and Physical Locations
Topic | Supported | Timesketch and Kibana Queries, Notes |
---|---|---|
Network History | YES | parser:"networks" |
Shares, offline caching | YES | "\\Services\\lanmanserver\\Shares" |
Mapped Drives | YES | parser:"winreg/network_drives" |
WLAN Event Log | YES | parser:"winevtx" AND (event_identifier:"11000" OR event_identifier:"8001" OR event_identifier:"8002" OR event_identifier:"8003" OR event_identifier:"6100") |
File/Folder Opening
Topic | Supported | Timesketch and Kibana Queries, Notes |
---|---|---|
Account Usage
Topic | Supported | Timesketch and Kibana Queries, Notes |
---|---|---|
RDP | YES | parser:"winevtx" AND (event_identifier:"4778" OR event_identifier:"4779") |
Service Events | YES | parser:"winevtx" AND (event_identifier:"7034" OR event_identifier:"7035" OR event_identifier:"7036" OR event_identifier:"7040" OR event_identifier:"7045" OR event_identifier:"4097") |
Logon Types | YES | parser:"winevtx" AND event_identifier:"4624" AND xml_string:"/LogonType\"\>2/"<br>parser:"winevtx" AND event_identifier:"4624" AND xml_string:"/LogonType\"\>3/"<br>parser:"winevtx" AND event_identifier:"4624" AND xml_string:"/LogonType\"\>4/"<br>parser:"winevtx" AND event_identifier:"4624" AND xml_string:"/LogonType\"\>5/"<br>parser:"winevtx" AND event_identifier:"4624" AND xml_string:"/LogonType\"\>7/"<br>parser:"winevtx" AND event_identifier:"4624" AND xml_string:"/LogonType\"\>8/"<br>parser:"winevtx" AND event_identifier:"4624" AND xml_string:"/LogonType\"\>9/"<br>parser:"winevtx" AND event_identifier:"4624" AND xml_string:"/LogonType\"\>10/"<br>parser:"winevtx" AND event_identifier:"4624" AND xml_string:"/LogonType\"\>11/"<br>parser:"winevtx" AND event_identifier:"4624" AND xml_string:"/LogonType\"\>12/"<br>parser:"winevtx" AND event_identifier:"4624" AND xml_string:"/LogonType\"\>13/" |
Authentication Events | YES | parser:"winevtx" AND (event_identifier:"4776" OR event_identifier:"4768" OR event_identifier:"4769" OR event_identifier:"4771") |
Success/Fail Logons | YES | parser:"winevtx" AND (event_identifier:"4624" OR event_identifier:"4625" OR event_identifier:"4634" OR event_identifier:"4647" OR event_identifier:"4648" OR event_identifier:"4672" OR event_identifier:"4720") |
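As an added example (not code from the original post or from the Plaso project), the following Python script reproduces the Account Usage queries above offline: it builds the same Kibana query strings for a set of event IDs and for one LogonType, and applies the LogonType match the regex query performs to a constructed sample of Plaso winevtx events as they appear in the Elasticsearch export. The field names parser, event_identifier and xml_string come from the table; the sample events are constructed.

```python
import re
from collections import Counter

# Constructed sample of Plaso winevtx events as exported to Elasticsearch / Timesketch.
# Field names (parser, event_identifier, xml_string) follow the queries in the table.
SAMPLE_EVENTS = [
    {"parser": "winevtx", "event_identifier": 4624, "xml_string": '<Data Name="LogonType">10</Data>'},
    {"parser": "winevtx", "event_identifier": 4624, "xml_string": '<Data Name="LogonType">3</Data>'},
    {"parser": "winevtx", "event_identifier": "4624", "xml_string": '<Data Name="LogonType">2</Data>'},
    {"parser": "winevtx", "event_identifier": 4625, "xml_string": '<Data Name="LogonType">3</Data>'},
    {"parser": "prefetch", "event_identifier": None, "xml_string": None},
]

# Logon types enumerated by the table's queries, with their Windows names.
LOGON_TYPE_NAMES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service",
                    7: "Unlock", 8: "NetworkCleartext", 9: "NewCredentials",
                    10: "RemoteInteractive", 11: "CachedInteractive",
                    12: "CachedRemoteInteractive", 13: "CachedUnlock"}

def winevtx_query(event_ids):
    """Build the Kibana query string the table uses for a set of event IDs."""
    clauses = " OR ".join('event_identifier:"%s"' % i for i in event_ids)
    return 'parser:"winevtx" AND (%s)' % clauses

def logon_type_query(logon_type):
    """Build the table's regex query on xml_string for one 4624 LogonType."""
    return ('parser:"winevtx" AND event_identifier:"4624" AND '
            'xml_string:"/LogonType\\"\\>%d/"' % logon_type)

# Local equivalent of the regex the Kibana query runs against xml_string.
_LOGON_TYPE_RE = re.compile(r'LogonType">(\d+)<')

def extract_logon_type(xml_string):
    """Return the LogonType of a 4624/4625 xml_string, or None if absent."""
    match = _LOGON_TYPE_RE.search(xml_string or "")
    return int(match.group(1)) if match else None

def count_logon_types(events):
    """Count successful logons (event 4624) per LogonType name."""
    counts = Counter()
    for event in events:
        # event_identifier may be exported as int or string; 4625 (failure) is excluded
        if event.get("parser") != "winevtx" or str(event.get("event_identifier")) != "4624":
            continue
        logon_type = extract_logon_type(event.get("xml_string"))
        if logon_type is not None:
            counts[LOGON_TYPE_NAMES.get(logon_type, "Unknown(%d)" % logon_type)] += 1
    return counts

if __name__ == "__main__":
    print(winevtx_query([4778, 4779]))
    print(logon_type_query(10))
    print(dict(count_logon_types(SAMPLE_EVENTS)))
```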
External Devices, Storage
Topic | Supported | Timesketch and Kibana Queries, Notes |
---|---|---|
IDs, First/Last Time Use | PARTIAL | parser:"windows_usb_devices"<br>parser:"windows_usbstor_devices"<br>The connection times are missing, though. These parsers get some information out of the registry, such as which USB devices were connected, but they do not analyze the setupapi.dev.log file, which also contains relevant information. Currently, the Plaso parsers give some information about USB stick usage, but this definitely needs improvement. |
User | YES | List GUIDs: "SYSTEM\\MountedDevices"<br>Users: "\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2" |
PnP Events | YES | parser:"winevtx" AND event_identifier:"20001" |
Serial Numbers | NO | |
Drive Letters and Vol. Names | NO | |
Audit Removable Storage | YES | parser:"winevtx" AND event_identifier:"4663" |
Browser Usage
Topic | Supported | Timesketch and Kibana Queries, Notes |
---|---|---|
Search Terms | YES | source_short:"webhist"<br>parser:"opera_typed_history" OR parser:"file_history" OR parser:"safari_history" OR parser:"chrome_27_history" OR parser:"chrome_8_history" OR parser:"firefox_history"<br>Mind that these queries need some fine tuning with the URL search parameter, e.g. AND "search" AND "q=". |
History | YES | source_short:"webhist" |
Cookies | YES | parser:"binary_cookies" OR parser:"chrome_cookies" OR parser:"firefox_cookies" OR parser:"msie_webcache" |
Cache | YES | parser:"chrome_cache" OR parser:"firefox_cache" OR parser:"msie_webcache" |
Flash & Super Cookies | NO | No parser, but not very relevant. |
Session Restore | NO | No parser, but it would be nice to have one. |
Conclusion
The table is a long read and indicates shortcomings. Some obvious things such as mail and image analysis are missing. However, for most of the topics we were able to put a YES, and only a few things are broken or lag behind recent versions. We compiled a little list of potential improvements:
- No Thumbnail support as log2timeline and Timesketch are not made to view images.
- No OST/PST support. A plugin that extracts email attachments and produces hashes would be a nice thing.
- No ADS support. Currently this needs to be done manually on a file by file case.
- No Browser session restore. A plugin would be nice.
- No Flash and Super Cookies extraction, but this is not too relevant in our opinion.
- Application Compatibility Cache / Shimcache / Amcache / SRUM need proper configuration, and extraction seems to be buggy.
- “System Boot Autostart Programs” only checks a small set of locations. The same is likely to be true for the services.
- Some USB artifacts, such as drive letters and volume names, are not parsed ideally. A parser would need to handle the binary entries in the registry. However, there is a plugin that gets at least some USB actions.
Besides that, working with Plaso is a pleasore 😊 – pleasure and sometimes sore, as it produces quite some noise when a search is performed. Compared to Eric Zimmerman’s KAPE[6] (Kroll Artifact Parser and Extractor), we consider working with Plaso a bit laborious and error-prone. Luckily, Plaso stores its data in an Elasticsearch instance, and thus we decided to spend some time on Kibana dashboards to help focus on the relevant data.
To sum this up, Plaso is considered extremely capable, and we are keen to hear about your experience and efforts related to digital forensics and incident response with Plaso. Comment on the post, shoot us an e-mail or tweet your opinion to @compasssecurity!
References
[1] The Plaso Documentation, https://plaso.readthedocs.io/en/latest/index.html
[2] A case study in new generation timelining tools, Plaso and Timesketch, Daniel White (Google), https://2015.swisscyberstorm.com/res/presentations/daniel_white.pdf
[3] Plaso SQLite Plugin Scaffolder, Bachelor Thesis at HSR Hochschule Rapperswil, Claudia Saxer, supervised by Jürg Jucker (HSR) in collaboration with Martin Suess (Google), https://eprints.hsr.ch/607/1/TechnischerBericht.pdf
[4] SANS DFIR Windows Forensic Analysis Poster, https://www.sans.org/security-resources/posters/windows-forensics-evidence-of/75/download
[5] Plaso MRU Parser List, https://plaso.readthedocs.io/en/latest/sources/user/Parsers-and-plugins.html
[6] KAPE (Kroll Artifact Parser and Extractor), https://binaryforay.blogspot.com/2019/02/introducing-kape.html