Something totally different - file extraction

By Anonymous

Something totally different - file extraction

by Kristinn Gudjonsson

One of the design concepts of the new tool was to make it modular, so each component could be easily integrated into other tools making the tool easily expandable.

Yesterday I had the issue of needing to extract some files from an image, both the regular files as well as files from every VSS. Since plaso does have full VSS support and we've already got the targeted collection filter discussed in the previous blog post it should be relatively simple to add a tool that simply extracts files from the image and saves it.

I created this simple one-off script for me to do just that:

import sys

from plaso.lib import collector_filter
from plaso.lib import pfile
from plaso.lib import putils
from plaso.lib import preprocess

if __name__ == '__main__':
  image = sys.argv[1]
  fscache = pfile.FilesystemCache()

  pre_obj = preprocess.PlasoPreprocess()
  pre_obj.systemroot = '/Windows/System32'
  path = '/cases/mycase/vss_evtx/'

  for store_nr in vss.GetVssStoreCount(image, 0):
    col = preprocess.VSSFileCollector(pre_obj, image, store_nr, 0)
    col_fil = collector_filter.CollectionFilter(col, '/tmp/filter_file')

     for pathspec_string in col_fil.GetPathSpecs():
      with pfile.OpenPFile(pathspec_string, fscache=fscache) as fh:
        filename = fh.name.split('/')[-1]
        putils.Pfile2File(fh, path + 'vss%d_%s' % (store_nr, filename))

This is a real one-off script, however after writing it I thought to myself perhaps someone might think this is useful and even went so far into thinking that it might be worth posting a blog post about it so I brushed it off a bit and made it a bit more modular/usable. And then followed up with this quick step-by-step on how this one-off script works.

Start off with the filter file, it uses the previously discussed content of targeted collection filter, and in this case I just needed the EVTX files from the volume so the file only contained one line:

{systemroot}/winevt/logs/.+evtx

Let's look at the code above slightly, it starts with the normal import of necessary libraries and then moves on to:
  image = sys.argv[1]


A very simple way of getting the first argument, no tests made to make sure there is an argument, since this was a one-off (could have hardcoded the path to the image just as well).


  fscache = pfile.FilesystemCache()

  pre_obj = preprocess.PlasoPreprocess()
  pre_obj.systemroot = '/Windows/System32'


First we need to define few variables needed for the API, the filesystem cache or fscache variable is unfortunately needed for various reasons that I'm not going into here, but just take my word for it. Then a preprocessing object is created and instead of really running the preprocessing library I just assign the variable that I used in the filter file with the value that I know is true for this particular image. I could have just as easily run the plugins like I do in the released version of this script but for the purpose of this one-off that was not necessary.


  path = '/cases/mycase/vss_evtx/'

This is just a simple variable with the path that I wanted to save the extracted files from.
 


for store_nr in vss.GetVssStoreCount(image, 0):

Here I indicate that I want to go through each and every VSS store in the image, since I'm dealing with a partition instead of a disk image the offset is set to zero.

    col = preprocess.VSSFileCollector(pre_obj, image, store_nr, 0)
    col_fil = collector_filter.CollectionFilter(col, '/tmp/filter_file')

To be able to find files on the image you need to create a collector, and since we are dealing with a VSS we need to create a VSSFileCollector and we only need to supply that with the pre-processing object as well as the image path, store number and offset.

Since we are then doing a targeted collection we also need to create a collection filter, using the collector we created. We can then use this collection filter to get information about all the files it finds.

     for pathspec_string in col_fil.GetPathSpecs():
      with pfile.OpenPFile(pathspec_string, fscache=fscache) as fh:
        filename = fh.name.split('/')[-1]
        putils.Pfile2File(fh, path + 'vss%d_%s' % (store_nr, filename))


And now we can go through each and every file that is found inside the image using the targeted collection filter we defined. Each discovered files is presented as a serialized EventPathSpec object, which can be passed directly to the OpenPFile method to find and open a file like object that can then be used to save the file using the Pfile2File method.

The end script is slightly more complex since that contains some argument parsing and more error checking, as well as actually running through the preprocessing plugins.


image_export.py -h
usage: image_export.py [-h] [-v] [-o OFFSET] [-w PATH] IMAGE FILTERFILE

This is a simple collector designed to export files inside an image, both
within a regular raw image as well as inside a VSS. The tool uses a collection
filter that uses the same syntax as a targeted plaso filter.

positional arguments:
  IMAGE                 The full path to the image file that we are about to
                        extract files from, it should be a raw image or
                        another image that plaso supports.
  FILTERFILE            Full path to the file that contains the collection
                        filter, the file can use variables that are defined in
                        preprocesing, just like any other log2timeline/plaso
                        collection filter.

optional arguments:
  -h, --help            show this help message and exit
  -v, --vss             Indicate to the tool that we want to extract files
                        from VSS too.
  -o OFFSET, --offset OFFSET
                        Offset in sectors into where the partition starts.
  -w PATH, --write PATH
                        The directory in which extracted files should be
                        stored in.

And that's how you export files, plaso style.


And then to run the tool:
image_export.py -v -w /cases/mycase/evtx_export /mnt/ewf/ewf1 /tmp/filter_file

And you end up with a folder filled with EVTX files, extracted from the image itself as well as every VSS.

Comments

Post a Comment

Popular posts from this blog

Parsing the $MFT NTFS metadata file

By
Background Numerous articles have been written about parsing the $MFT NTFS metadata file before. Some of these explain the technique itself [ 1 ] and others mostly focus on how to use tools. Rarely do articles mention the pros and cons of the technique from a digital forensics perspective [ 2 ].  What is $MFT parsing?  For readers not familiar with the NTFS file system, MFT stands for Master File Table. This table is stored in a file system metadata file, meaning that as far as the file system is concerned it is a file, however that the file contains file system metadata not “regular” content. The name of this file is “$MFT”.  The MFT consists of a sequence of (predetermined) fixed-size entries (or MFT entries). These entries are typically 1024 bytes in size, however the size is defined in the NTFS volume header and in a “regular” MFT entry itself.  The first 4-bytes of a “regular” MFT-entry (or record) starts with the signature “FILE”. The MFT entry can...
Read more

Incident Response in the Cloud

By
Many organizations have begun moving a majority of their services towards the cloud in recent years. As a result, attackers have shifted their focus towards the cloud. This has resulted in new techniques and methods specifically designed to compromise cloud infrastructure, like the recent SALTSTACK vulnerability that was widely exploited [ 1 ]. Therefore it is critical for these organizations to have an incident response team that understands the new risks attached to cloud and how cloud can make incident response easier or harder.  In this blog post we will walk you through each phase you may encounter in traditional incident response and highlight the differences when adopting cloud computing. It is aimed towards both those who are new to incident response and cloud computing. We’ve included insights that will benefit organizations taking that step towards cloud who want to ensure they are prepared to respond efficiently to cloud incidents.  Traditional Incident Response Be...
Read more

Container Forensics with Docker Explorer

By Anonymous
  Introduction As previous blog posts on cloud forensics have noted, applications are increasingly being deployed using container orchestration frameworks such as Kubernetes, especially in cloud environments.  Similar to traditional deployments on physical servers or virtual machines (VMs), when a containerised application has a security issue it can lead to a compromise of the underlying compute architecture. In the case of container deployments this means a compromise of the container itself, the container host, or even a wider cluster compromise via abuse of orchestration tools. Often digital forensics is required to establish what went wrong and remediate any issues. This article will provide an introduction to container forensics with Docker Explorer by working through a scenario involving a compromised container running within a Kubernetes cluster. Although Kubernetes is briefly mentioned, this article will focus on analysis of an individual container rather than the wi...
Read more