Compass Security Blog

Offensive Defense

Windows Forensics with Plaso

Present State of Affairs

We have been teaching forensics and network incident analysis for quite a while. We have investigated a considerable number of cases, and we are not the only ones doing so. Hence, one would expect a certain degree of automation in analysis. However, the high frequency of software release cycles somehow leads to the development of a myriad of scripts and tools.

If you are into e-discovery or economic and physical crime investigation, you are usually well off with Relativity, Guidance and Nuix. However, if you are asked for the very detail of the latest OS version, face new file systems, or run into some exotic setup or software, you quickly realize you are in a world where the feature lag of forensic suites hits hard, a pretty UX is no requirement and the command completion feature is your friend. The same applies when you investigate cyber breaches, be it compromised Internet-facing systems, refurbished Trojans or the more targeted and internally spreading sort of code.

There is software to dump memory, carve slack space, access shadow copies, extract event logs, open and dump OS specific database formats, collect configurations, you name it. Large enterprises maintain infrastructure to remotely pull evidence and hunt their mostly homogeneous fleet. However, for the majority of SMEs and their varied environments, we maintain a cram-full toolbox of software with wildly varying levels of quality that produces all sorts of outputs you can think of... and even ones you can't think of.

IT'S DRIVING US NUTS.

Challenging the Status Quo

That said, we are continuously searching for alternatives, substitutes and improved versions to find remedy and to work towards more automation and collaboration during investigations.

Plaso and Timesketch[1] first caught my attention at Swiss Cyber Storm in 2015[2], and they kept resurfacing[3]. I am very thankful that my DFIR colleague, Silas Bärtsch, took the time to compile a short lessons-learned on the current capabilities of the tool suite, which we would like to share with you.

The table roughly follows the SANS Windows artifact poster[4] topics, slightly enriched and tailored to our needs. For each topic there is a statement on whether Plaso is considered to effectively support the analysis.

File Download Capabilities

Topic | Supported | Timesketch and Kibana Queries, Notes
Mail Attachments | NO | There is no parser for mail attachments, but this is a case where analysts are usually well off with a commercial forensic suite.
Skype History | YES | parser:"skype"
Browser Artifacts | YES | source_short:"WEBHIST"
Downloads | YES | parser:"firefox_downloads" OR parser:"msiecf"
    Note that msiecf covers general browsing artifacts and is not limited to file downloads.
ADS Zone.Identifier | NO |
Open/Save MRU | CLAIMED | The MRU parsers are still something of a jungle. Plaso has a total of six different MRU list parsers[5].

    Unfortunately, it is not documented which one parses which artifact. Even though they have different names, it is hard to guess which artifact each one handles, and one definitely cannot get around digging into the source code.

    However, in our empirical tests none of the six MRU list parsers covered the NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePIDlMRU registry items, which hold the Open/Save MRU artifacts.

Program Execution Analysis

Topic | Supported | Timesketch and Kibana Queries, Notes
UserAssist | YES | parser:"userassist"
Last-Visited MRU | YES | "\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ComDlg32\\LastVisitedPidlMRU" OR "\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ComDlg32\\LastVisitedMRU"
System Boot Autostart Programs | YES | parser:"windows_run"
System Boot Autostart Services | YES | parser:"windows_services"
AppCompatCache / Shimcache | PARTIAL | parser:"appcompatcache"
    The parser extracts the executable path, which is the most important artifact. However, the Shimcache also holds further information such as file size, last modification time, last update time and the execution flag. The parser would need to be improved to extract this supplementary information as well.
RecentApps | YES | "\\Software\\Microsoft\\Windows\\CurrentVersion\\Search\\RecentApps"
Prefetch | YES | parser:"prefetch"
Last Commands Executed | YES | "\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU" OR "\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Policies\\RunMRU"
    Alternatively: parser:"mrulist_string" AND "\\CurrentVersion\\Explorer\\RunMRU"
Amcache.hive / RecentFileCache.bcf | PARTIAL | parser:"amcache"
    This parser was run against a Windows 10 image and was unable to parse events; it is likely to be buggy. In general, event parsing seems to be tricky, as we noticed event parsers failing for various reasons.
SRUM | CLAIMED | parser:"srum"
    Make sure to configure the SRUM artifact files in your filter.conf file. With our setup, log2timeline had trouble extracting the /Windows/System32/SRU folder from the image, and Plaso failed to parse it properly. Manually extracting the folder and running the parser on it, however, does yield results.
BAM/DAM | YES | "\\Services\\bam\\UserSettings\\" OR "\\Services\\dam\\UserSettings\\"

Deleted Files or File Knowledge

Topic | Supported | Timesketch and Kibana Queries, Notes
Thumbnails | NO | log2timeline/Plaso is a tool designed to extract meta information from files. It will collect timestamps from images, but for analyzing media artifacts such as pictures, music or video it is recommended to rely on a commercial forensics suite.
Thumbcache | NO | See above.
WordWheelQuery | YES | "\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\WordWheelQuery"
    Alternatively: parser:"mrulistex_string" AND "\\WordWheelQuery"
RecycleBin | YES | parser:"recycle_bin"

Network Activity and Physical Locations

Topic | Supported | Timesketch and Kibana Queries, Notes
Network History | YES | parser:"networks"
Shares, offline caching | YES | "\\Services\\lanmanserver\\Shares"
Mapped Drives | YES | parser:"winreg/network_drives"
WLAN Event Log | YES | parser:"winevtx" AND (event_identifier:"11000" OR event_identifier:"8001" OR event_identifier:"8002" OR event_identifier:"8003" OR event_identifier:"6100")


Account Usage

Topic | Supported | Timesketch and Kibana Queries, Notes
RDP | YES | parser:"winevtx" AND (event_identifier:"4778" OR event_identifier:"4779")
Service Events | YES | parser:"winevtx" AND (event_identifier:"7034" OR event_identifier:"7035" OR event_identifier:"7036" OR event_identifier:"7040" OR event_identifier:"7045" OR event_identifier:"4097")
Logon Types | YES | One query per logon type:
    parser:"winevtx" AND event_identifier:"4624" AND xml_string:"/LogonType\"\>2/"
    parser:"winevtx" AND event_identifier:"4624" AND xml_string:"/LogonType\"\>3/"
    parser:"winevtx" AND event_identifier:"4624" AND xml_string:"/LogonType\"\>4/"
    parser:"winevtx" AND event_identifier:"4624" AND xml_string:"/LogonType\"\>5/"
    parser:"winevtx" AND event_identifier:"4624" AND xml_string:"/LogonType\"\>7/"
    parser:"winevtx" AND event_identifier:"4624" AND xml_string:"/LogonType\"\>8/"
    parser:"winevtx" AND event_identifier:"4624" AND xml_string:"/LogonType\"\>9/"
    parser:"winevtx" AND event_identifier:"4624" AND xml_string:"/LogonType\"\>10/"
    parser:"winevtx" AND event_identifier:"4624" AND xml_string:"/LogonType\"\>11/"
    parser:"winevtx" AND event_identifier:"4624" AND xml_string:"/LogonType\"\>12/"
    parser:"winevtx" AND event_identifier:"4624" AND xml_string:"/LogonType\"\>13/"
Authentication Events | YES | parser:"winevtx" AND (event_identifier:"4776" OR event_identifier:"4768" OR event_identifier:"4769" OR event_identifier:"4771")
Success/Fail Logons | YES | parser:"winevtx" AND (event_identifier:"4624" OR event_identifier:"4625" OR event_identifier:"4634" OR event_identifier:"4647" OR event_identifier:"4648" OR event_identifier:"4672" OR event_identifier:"4720")
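The logon type queries above are one Kibana query per type number, with no hint of what the numbers mean. As an added example (not code from the Compass post or from Plaso), the following snippet does the same split offline over Plaso-style winevtx events exported as JSON, maps each 4624 logon type to its documented name, and reproduces the exact query string from the table for a given type; the event dicts are constructed sample data.

```python
import re
from collections import Counter

# Documented meaning of the event 4624 logon types enumerated by the queries above.
LOGON_TYPES = {
    2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 7: "Unlock",
    8: "NetworkCleartext", 9: "NewCredentials", 10: "RemoteInteractive",
    11: "CachedInteractive", 12: "CachedRemoteInteractive", 13: "CachedUnlock",
}

# Plaso's winevtx parser keeps the raw event XML in xml_string; the logon type
# sits in a <Data Name="LogonType"> element, which the /LogonType\"\>N/ regex targets.
_LOGON_TYPE_RE = re.compile(r'<Data Name="LogonType">(\d+)</Data>')

def kibana_query(logon_type):
    """Build the Timesketch/Kibana query from the table for one logon type."""
    return ('parser:"winevtx" AND event_identifier:"4624" '
            'AND xml_string:"/LogonType\\"\\>%d/"' % logon_type)

def logon_type(event):
    """Return the logon type of a 4624 event dict, or None if it is not one."""
    if event.get("parser") != "winevtx" or str(event.get("event_identifier")) != "4624":
        return None
    match = _LOGON_TYPE_RE.search(event.get("xml_string") or "")
    return int(match.group(1)) if match else None

def summarize_logons(events):
    """Count successful logons per logon type name (unknown types by number)."""
    counts = Counter()
    for event in events:
        ltype = logon_type(event)
        if ltype is not None:
            counts[LOGON_TYPES.get(ltype, "Type%d" % ltype)] += 1
    return dict(counts)

# Constructed sample events in the shape of Plaso's JSON output (not real data).
LOGON_EVENTS = [
    {"parser": "winevtx", "event_identifier": 4624, "xml_string":
     '<Event><EventData><Data Name="LogonType">10</Data></EventData></Event>'},
    {"parser": "winevtx", "event_identifier": 4624, "xml_string":
     '<Event><EventData><Data Name="LogonType">3</Data></EventData></Event>'},
    {"parser": "winevtx", "event_identifier": 4624, "xml_string":
     '<Event><EventData><Data Name="LogonType">3</Data></EventData></Event>'},
    {"parser": "winevtx", "event_identifier": 4625, "xml_string":
     '<Event><EventData><Data Name="LogonType">2</Data></EventData></Event>'},
]

if __name__ == "__main__":
    print(summarize_logons(LOGON_EVENTS), kibana_query(10))
```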

External Devices, Storage

Topic | Supported | Timesketch and Kibana Queries, Notes
IDs, First/Last Time Use | PARTIAL | parser:"windows_usb_devices" OR parser:"windows_usbstor_devices"
    The connection times are missing. These parsers get some information out of the registry, such as which USB devices were connected, but they do not analyze the setupapi.dev.log file, which also holds relevant information. Currently the Plaso parsers give some information about USB stick usage, but this definitely needs improvement.
User | YES | GUIDs: "SYSTEM\\MountedDevices"; users: "\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2"
PnP Events | YES | parser:"winevtx" AND event_identifier:"20001"
Serial Numbers | NO |
Drive Letters and Volume Names | NO |
Audit Removable Storage | YES | parser:"winevtx" AND event_identifier:"4663"

Browser Usage

Topic | Supported | Timesketch and Kibana Queries, Notes
Search Terms | YES | source_short:"webhist"
    Alternatively: parser:"opera_typed_history" OR parser:"file_history" OR parser:"safari_history" OR parser:"chrome_27_history" OR parser:"chrome_8_history" OR parser:"firefox_history"
    Note that these queries need some fine-tuning on the URL search parameter, e.g. AND "search" AND "q="
History | YES | source_short:"webhist"
Cookies | YES | parser:"binary_cookies" OR parser:"chrome_cookies" OR parser:"firefox_cookies" OR parser:"msie_webcache"
Cache | YES | parser:"chrome_cache" OR parser:"firefox_cache" OR parser:"msie_webcache"
Flash & Super Cookies | NO | No parser, but not very relevant.
Session Restore | NO | No parser, but it would be nice to have one.
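The "search" AND "q=" refinement mentioned for the Search Terms row is a substring match on the URL. As an added example (not code from the Compass post or from Plaso), the snippet below applies the same heuristic offline to Plaso web-history events, decodes the actual search term out of the URL, and shows where the heuristic misses (a search engine whose URL contains no "search"); the "p" parameter and the sample events are assumptions constructed for the example.

```python
from urllib.parse import urlparse, parse_qs

# Query parameters carrying the search term. "q" is the one the post mentions;
# "p" (Yahoo style) is added here as an assumption.
SEARCH_PARAMS = ("q", "p")

def extract_search_term(url):
    """Search term in a browser-history URL, or None.

    Mirrors the refinement suggested above: the URL must look like a search
    request ("search" in host or path) and carry a q= style parameter.
    """
    parts = urlparse(url)
    if "search" not in (parts.netloc + parts.path).lower():
        return None
    params = parse_qs(parts.query)  # decodes "+" and %xx escapes, drops empty values
    for name in SEARCH_PARAMS:
        if name in params:
            return params[name][0]
    return None

def search_terms(events):
    """Collect (parser, term) pairs from Plaso web-history (WEBHIST) events."""
    found = []
    for event in events:
        if (event.get("source_short") or "").upper() != "WEBHIST":
            continue
        term = extract_search_term(event.get("url") or "")
        if term:
            found.append((event.get("parser"), term))
    return found

# Constructed events in the shape of Plaso's web history output (not real data).
WEBHIST_EVENTS = [
    {"source_short": "WEBHIST", "parser": "chrome_27_history",
     "url": "https://www.google.com/search?q=plaso+srum+parser&oq=plaso"},
    # No "search" in the URL: the post's heuristic misses this one.
    {"source_short": "WEBHIST", "parser": "firefox_history",
     "url": "https://duckduckgo.com/?q=timesketch"},
    {"source_short": "WEBHIST", "parser": "msiecf",
     "url": "https://search.yahoo.com/search?p=kape+forensics"},
    # Not a web history event at all.
    {"source_short": "LOG", "parser": "winevtx", "url": ""},
]

if __name__ == "__main__":
    print(search_terms(WEBHIST_EVENTS))
```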

Conclusion

The table is a long read and indicates shortcomings. Some obvious things such as mail and image analysis are missing. However, for most of the topics we were able to put a YES, and only a few things are broken or lag behind recent versions. We compiled a little list of the potential for improvement:

  • No Thumbnail support, as log2timeline and Timesketch are not made to view images.
  • No OST/PST support. A plugin that extracts email attachments and produces hashes would be a nice thing.
  • No ADS support. Currently this needs to be done manually on a file-by-file basis.
  • No browser session restore. A plugin would be nice.
  • No Flash and Super Cookies extraction, but this is not too relevant in our opinion.
  • Application Compatibility Cache / Shimcache / Amcache / SRUM need proper configuration, and extraction seems to be buggy.
  • "System Boot Autostart Programs" only checks a small set of locations. The same is likely to be true for the services.
  • Some USB artifacts are not ideally parsed, such as drive letters and volume names. A parser would need to handle the binary entries in the registry. However, there is a plugin that gets at least some USB actions.

Besides that, working with Plaso is a pleasore 😊, pleasure and sometimes sore, as it produces quite some noise when a search is performed. Compared to Eric Zimmerman's KAPE[6] (Kroll Artifact Parser and Extractor) we consider working with Plaso a bit laborious and error-prone. Luckily, Plaso stores its data in an Elasticsearch instance, and thus we decided to spend some time on Kibana dashboards that help focus on the relevant data.

To sum this up, Plaso is considered extremely capable, and we are keen to hear about your experience and efforts related to digital forensics and incident response with Plaso. Comment on the post, shoot us an e-mail or tweet your opinion to @compasssecurity!

References

[1] The Plaso Documentation, https://plaso.readthedocs.io/en/latest/index.html

[2] A case study in new generation timelining tools, Plaso and Timesketch, Daniel White (Google), https://2015.swisscyberstorm.com/res/presentations/daniel_white.pdf

[3] Plaso SQLite Plugin Scaffolder, Bachelor Thesis at HSR Hochschule Rapperswil, Claudia Saxer, supervised by Jürg Jucker (HSR) in collaboration with Martin Suess (Google), https://eprints.hsr.ch/607/1/TechnischerBericht.pdf

[4] SANS DFIR Windows Forensic Analysis Poster, https://www.sans.org/security-resources/posters/windows-forensics-evidence-of/75/download

[5] Plaso MRU Parser List, https://plaso.readthedocs.io/en/latest/sources/user/Parsers-and-plugins.html

[6] KAPE (Kroll Artifact Parser and Extractor), https://binaryforay.blogspot.com/2019/02/introducing-kape.html

2 Comments

  1. Ann@example.com

    March 26, 2019 at 08:00

    Can you share more details about your tests? Versions used, test data?

    Did you reach out to the project about the shortcomings?

    Your post now reads as a way to discredit the tool not as an objective review!

    • Cyrill Brunschwiler

      April 2, 2019 at 09:24

      Dear ‘Ann’

      Thank you for your feedback. It was not our intention to discredit log2timeline. In fact we believe it is a valuable tool and it does a very good job. If this were not the case we would not use it in our incident response engagements. Our tests were performed with versions 20181219 and 20190131. For the test data set we used various images from the SANS FOR 500 course. Regarding the behavior when analyzing SRUM artifacts an issue was opened https://github.com/log2timeline/plaso/issues/2387.

      Regards,
      Cyrill
