Thursday, April 17, 2014

Final Reflections


After many months of working on this project, I believe I have reached its endpoint, where I feel comfortable demonstrating its functionality to the public. In the end I was able to design a tool that will automatically image the logical volume, physical disk and physical memory off of any Windows machine.


Overall, this was a very challenging but also rewarding project. I learned a large amount about the functionality of F-Response Enterprise Edition, and I came across first-hand many of the advantages and limitations that come with writing an entire script using only Windows PowerShell. Many of these issues are due to a lack of an easy way to send data between my main script and the many background jobs that I am required to run.

One of my later decisions in the design process was to add progress bars to the graphical user interface. While I liked the original output, I felt that a gradually filling bar would be much clearer to the user; much of the output text is still reported and saved within a log file specified by the user. I also performed a variety of speed tests to ensure that my script was indeed faster than other popular forensic tools. When putting F-Response and X-Ways up against EnCase, X-Ways was able to image the target drive in nearly half the time. These findings were consistent when automating X-Ways through my script.


I believe that this tool has the potential to become a valuable tool in any digital examiner's arsenal. It would excel in an environment in which you would need to image a large number of machines quickly and somewhat covertly. There is very little indication on the target machines that imaging is occurring while the script is running. In the end, X-Ways Forensics and F-Response work exceptionally well together, and I believe the automation of these large imaging processes is a significant and time-saving addition that any digital examiner should be aware of.

Thursday, March 13, 2014

F-Response Automation Update

For my first update on the state of my senior project, I will be going over the progress that I have made in the past weeks, along with some of my struggles, as well as where I am planning on focusing my time next.

Getting Started 

I was able to set up a simple testing environment with VMware Workstation using a variety of virtual machines, giving myself a sandbox to tinker with firewall and registry settings. I used a variety of editors while writing my script. I started off simply using Notepad and Notepad++, then I graduated to using the PowerShell Integrated Scripting Environment that is built into Windows 7, and finally I settled on the third-party editor PowerGUI. This program seemed to be the easiest to use, as well as having the most sophisticated debugging capabilities, allowing me to easily test sections of my script line by line.


My first major hurdle for this project occurred while I was initially creating the core process for my script. At the start of this project, I was not able to get F-Response to connect to any of the target virtual machines that I had set up. In the end, this problem turned out to simply be an error with the firewall settings on my host and target machines.

F-Response primarily maintains two connections in order to carry out its services. The first is an iSCSI connection that it uses to connect to and read the disks on a target system. When F-Response has made a connection to a computer, the targets on that computer can be viewed both through F-Response and the Microsoft iSCSI Initiator.

Targets seen through F-Response

Targets seen through Microsoft's iSCSI Initiator

The second is a connection with the F-Response license server, which is used to validate the software and ensure that the F-Response license dongle is attached at all times. I was able to find the specific firewall exceptions that are needed for F-Response to properly connect to a target machine on the F-Response website. Once these exceptions were put in place, my script worked as planned.


The Core Process

The core process of my script that interacts with PowerShell works rather simply. The first thing this script does is read two files on the host system. The first of these files is a text file with a list of IP addresses of the computers that the user would like to examine. Each of these IP addresses must be separated by a line break, for example:

192.168.1.50
192.168.1.24

The second file that this script reads lists the username and password (and optionally the domain) that are used to log into the target system. These credentials come in the form of a CSV file.

From here I am able to leverage the F-Response COM control to begin interacting with the program using the data that is read from the files. Specifically, I use the FEMC object, which contains functions to interact with most of the core functionality of the F-Response program.

When the target machine's IP address and proper credentials are fed into F-Response, the script will attempt to make a connection with the target. When these functions complete, F-Response will receive a list of target drives on that machine that the program can access. By default the two targets listed are the logical and physical disks on that computer; however, if the user manually changes the F-Response configuration, then physical memory can also be acquired.

Methods used to install and start F-Response on target

When F-Response has been deployed on the target machine, my script logs into all target devices on that machine and displays the disk name, the disk type and the physical disk mapping. For a Windows machine with physical memory it returns the following.

The disk name of this target uses the iSCSI Qualified Name (IQN) format, which contains the hostname of the target computer, followed by the type of disk that the target is using. In the above example the hostname is win-h87mfons7jd and the type of disk is "pmem" (physical memory). The disk type can also be used to figure out the type of target:

Disk Types
1 = physical disk
2 = logical volume
3 = Physical Memory

All this information is critical to interacting with X-Ways to image these targets.
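
The input-file handling and target interpretation described in this section, as an added PowerShell example that is not the author's script: it reads the IP list and the credentials CSV, decodes the disk type codes listed above, and splits a target's IQN into hostname and disk kind. Assumptions, also marked in the code: the CSV column names Username/Password/Domain, the IQN layout (the post shows the hostname and "pmem" but not the separators between them), and the sample target names and disk mappings, which are constructed. The FEMC COM calls themselves are left out because the post does not give their method names.

```powershell
# Added example (not the author's script): the file-reading and target-
# interpretation steps of "The Core Process" as standalone functions.
# The F-Response FEMC COM calls are omitted because the post does not name
# their methods; all sample data below is constructed.

function Read-TargetIpList {
    param([Parameter(Mandatory=$true)][string]$Path)
    # One address per line; blank lines are skipped and anything that is not a
    # valid IPv4 address is reported instead of being handed to the connection step.
    $targets = @()
    foreach ($line in (Get-Content -LiteralPath $Path)) {
        $entry = $line.Trim()
        if ($entry -eq '') { continue }
        $parsed = $null
        if ([System.Net.IPAddress]::TryParse($entry, [ref]$parsed) -and
            $parsed.AddressFamily -eq [System.Net.Sockets.AddressFamily]::InterNetwork) {
            $targets += $parsed.ToString()
        } else {
            Write-Warning "Ignoring invalid target entry '$entry' in $Path"
        }
    }
    return $targets
}

function Read-TargetCredential {
    param([Parameter(Mandatory=$true)][string]$Path)
    # Assumed header: Username,Password,Domain (Domain optional). The post only
    # says the CSV holds a username, password and optional domain.
    $row = @(Import-Csv -LiteralPath $Path)[0]
    if (-not $row.Username -or -not $row.Password) {
        throw "Credential file '$Path' needs Username and Password columns"
    }
    $user = if ($row.Domain) { "$($row.Domain)\$($row.Username)" } else { $row.Username }
    $secret = ConvertTo-SecureString -String $row.Password -AsPlainText -Force
    # Returning a PSCredential keeps the plaintext password out of later log output.
    return New-Object System.Management.Automation.PSCredential($user, $secret)
}

# Disk type codes exactly as listed in the post.
$DiskTypeName = @{ 1 = 'physical disk'; 2 = 'logical volume'; 3 = 'physical memory' }

function Parse-TargetName {
    param([Parameter(Mandatory=$true)][string]$Iqn)
    # The post states the name holds the target's hostname followed by a disk
    # kind such as "pmem"; the exact separators are not shown, so this accepts
    # ":", "-" or "." before the final kind token. Adjust once real names are seen.
    if ($Iqn -notmatch '^(?<prefix>iqn\.[^:]+):(?<rest>.+)$') {
        throw "Not an IQN: '$Iqn'"
    }
    if ($Matches.rest -notmatch '^(?<host>.+)[:\-.](?<kind>[A-Za-z0-9]+)$') {
        throw "Cannot split hostname and disk kind from '$Iqn'"
    }
    New-Object PSObject -Property @{ Hostname = $Matches.host; Kind = $Matches.kind }
}

function Format-TargetSummary {
    param([Parameter(Mandatory=$true)][object[]]$Targets)
    # $Targets mirrors what the script logs per device: Name (IQN), DiskType (1-3)
    # and PhysicalDiskMapping. A "pmem" name with a non-3 type code is flagged.
    foreach ($t in $Targets) {
        $parsed   = Parse-TargetName -Iqn $t.Name
        $typeName = $DiskTypeName[[int]$t.DiskType]
        if (-not $typeName) { $typeName = "unknown ($($t.DiskType))" }
        $note = ''
        if ($parsed.Kind -eq 'pmem' -and [int]$t.DiskType -ne 3) { $note = ' <-- kind/type mismatch' }
        '{0,-20} {1,-16} mapped to {2}{3}' -f $parsed.Hostname, $typeName, $t.PhysicalDiskMapping, $note
    }
}

# Constructed IP list using the two addresses from the post plus one bad entry.
$ipFile = Join-Path $env:TEMP 'targets-example.txt'
"192.168.1.50`r`n192.168.1.24`r`n`r`nnot-an-ip" | Set-Content -LiteralPath $ipFile
Read-TargetIpList -Path $ipFile

# Constructed targets; only the hostname comes from the post, the rest is made up.
$sampleTargets = @(
    (New-Object PSObject -Property @{ Name = 'iqn.2000-01.example.placeholder:win-h87mfons7jd-pmem';  DiskType = 3; PhysicalDiskMapping = '\\.\PhysicalDrive2' }),
    (New-Object PSObject -Property @{ Name = 'iqn.2000-01.example.placeholder:win-h87mfons7jd-disk0'; DiskType = 1; PhysicalDiskMapping = '\\.\PhysicalDrive1' })
)
Format-TargetSummary -Targets $sampleTargets
```

Reading the credentials into a PSCredential rather than a plain string pair is the one deliberate design choice here: the script writes a user-specified log file, and keeping the password in a SecureString makes it harder to leak it into that log by accident.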

Designing a GUI

I have reached a point in this project where I am comfortable moving on to designing a simple graphical user interface to help guide the user through running my script. I was able to make this GUI through PowerShell using the Windows Forms module built into Windows. My initial design for this GUI was a simple window that allowed the user to specify the path where they stored the target IP file, the credentials, and the directory where they would want to log their progress. The current state of the GUI can be seen below.

Current design of the Graphical User Interface

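
A Windows Forms dialog of the kind described here, as an added example rather than the author's GUI code: three labelled path fields with Browse buttons (target IP list, credentials CSV, log directory), validation of the paths before a run starts, and the progress bar that the final post says was added later. The layout, control names and the -Work callback contract are this example's own choices; the demonstration work item only walks the IP list with a Start-Sleep standing in for the F-Response and X-Ways imaging step.

```powershell
# Added example (not the author's code): a Windows Forms front end with the
# three inputs the post describes plus a progress bar. Windows PowerShell 2.0+.
Add-Type -AssemblyName System.Windows.Forms
Add-Type -AssemblyName System.Drawing

function Show-ImagingForm {
    param(
        # Called with a hashtable of validated paths and a progress callback that
        # takes 0-100; the real script would drive F-Response and X-Ways here.
        [Parameter(Mandatory=$true)][scriptblock]$Work
    )
    $form = New-Object System.Windows.Forms.Form
    $form.Text = 'Remote imaging (example)'
    $form.ClientSize = New-Object System.Drawing.Size(520, 165)
    $form.StartPosition = 'CenterScreen'
    $form.FormBorderStyle = 'FixedDialog'

    $boxes = @{}
    $y = 15
    $rows = @(
        @{ Key = 'IpFile';   Label = 'Target IP list:';  Kind = 'file' },
        @{ Key = 'CredFile'; Label = 'Credentials CSV:'; Kind = 'file' },
        @{ Key = 'LogDir';   Label = 'Log directory:';   Kind = 'folder' }
    )
    foreach ($row in $rows) {
        $label = New-Object System.Windows.Forms.Label
        $label.Text = $row.Label
        $label.Location = New-Object System.Drawing.Point(10, ($y + 3))
        $label.AutoSize = $true

        $box = New-Object System.Windows.Forms.TextBox
        $box.Location = New-Object System.Drawing.Point(120, $y)
        $box.Width = 300

        $browse = New-Object System.Windows.Forms.Button
        $browse.Text = 'Browse...'
        $browse.Location = New-Object System.Drawing.Point(430, ($y - 1))
        # GetNewClosure pins this row's $box and $row inside the click handler;
        # without it every button would see the last row's variables.
        $browse.Add_Click({
            if ($row.Kind -eq 'file') {
                $dlg = New-Object System.Windows.Forms.OpenFileDialog
                $dlg.Filter = 'Text and CSV files (*.txt;*.csv)|*.txt;*.csv|All files (*.*)|*.*'
                if ($dlg.ShowDialog() -eq 'OK') { $box.Text = $dlg.FileName }
            } else {
                $dlg = New-Object System.Windows.Forms.FolderBrowserDialog
                if ($dlg.ShowDialog() -eq 'OK') { $box.Text = $dlg.SelectedPath }
            }
        }.GetNewClosure())

        $form.Controls.AddRange([System.Windows.Forms.Control[]]@($label, $box, $browse))
        $boxes[$row.Key] = $box
        $y += 32
    }

    $progress = New-Object System.Windows.Forms.ProgressBar
    $progress.Location = New-Object System.Drawing.Point(10, $y)
    $progress.Size = New-Object System.Drawing.Size(410, 23)
    $progress.Minimum = 0
    $progress.Maximum = 100

    $start = New-Object System.Windows.Forms.Button
    $start.Text = 'Start'
    $start.Location = New-Object System.Drawing.Point(430, ($y - 1))
    $start.Add_Click({
        # Refuse to start until every path exists, so the imaging loop never runs
        # with an empty target list or an unwritable log location.
        $settings = @{}
        foreach ($key in 'IpFile', 'CredFile', 'LogDir') {
            $path = $boxes[$key].Text.Trim()
            $type = if ($key -eq 'LogDir') { 'Container' } else { 'Leaf' }
            if ($path -eq '' -or -not (Test-Path -LiteralPath $path -PathType $type)) {
                [System.Windows.Forms.MessageBox]::Show("Path for $key does not exist: '$path'") | Out-Null
                return
            }
            $settings[$key] = $path
        }
        $start.Enabled = $false
        $report = {
            param([int]$Percent)
            $progress.Value = [Math]::Max(0, [Math]::Min(100, $Percent))
            [System.Windows.Forms.Application]::DoEvents()   # keep the bar repainting during long work
        }.GetNewClosure()
        try     { & $Work $settings $report }
        finally { $start.Enabled = $true }
    }.GetNewClosure())

    $form.Controls.AddRange([System.Windows.Forms.Control[]]@($progress, $start))
    [void]$form.ShowDialog()
}

# Demonstration work item: walks the IP list, logs each target, advances the bar.
Show-ImagingForm -Work {
    param($Settings, $Report)
    $targets = @(Get-Content -LiteralPath $Settings.IpFile | Where-Object { $_.Trim() })
    for ($i = 0; $i -lt $targets.Count; $i++) {
        Add-Content -LiteralPath (Join-Path $Settings.LogDir 'imaging.log') -Value ("{0:s} starting {1}" -f (Get-Date), $targets[$i])
        Start-Sleep -Milliseconds 300     # stand-in for the F-Response/X-Ways imaging step
        & $Report ([int](100 * ($i + 1) / $targets.Count))
    }
}
```

The progress callback is handed to the work item rather than letting the work item touch the form directly, which keeps the imaging logic free of any GUI references and makes it just as usable from a console run.
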
Where to go from here...

My next step is quite simple: incorporate X-Ways into my script. This part has been taking me longer than expected, mainly because I have not been able to get access to the correct version of X-Ways Forensics. Later versions of the program have added a command line tool to easily automate the imaging of disks. This is only a minor setback, and I should be receiving the correct version within the next few days. Once I have gotten this program I will be just about done with this script and can try testing it in a large-scale operation with numerous computers.


I will be sure to post another update in the next week or so when I have received the correct version of X-Ways. I will also provide a further in-depth look at the code and methods of my script.

Thursday, January 23, 2014

Introduction


Hello everyone and welcome to my forensics blog. My name is Sean Kelly and I am a senior Computer and Digital Forensics student at Champlain College. The initial purpose of this blog will be to document my progress on my senior Capstone project. Periodically over the next few months I will be updating this blog and showing how my project changes and evolves. My project will use two well-known forensic tools.

F-Response is a powerful incident response tool that was made to be deployed and used in conjunction with nearly any existing forensic utilities. F-Response sets itself apart by giving the analyst the ability to connect and gain read-only access to the physical disk of almost any computer via a network.

X-Ways Forensics is an analysis tool built off of the WinHex disk editor; this tool markets itself as being much less resource-intensive and less costly than competing analysis products. X-Ways offers a robust set of features that rival the functionality of other forensic software.


Both of these tools have recently added the ability to automate many of their functions through scripting and command line tools. This is where my Capstone comes in. I want to expand on and integrate the functionality of these two products. My project goal is to write a script with Windows PowerShell that will allow the user to connect to a large number of computers through a network connection via F-Response, and gather and verify disk images from those machines.

My first step, apart from researching the documentation on these products, is to focus on F-Response and work on scripting the program's remote connection process. Once I have accomplished this, I will move on to implementing X-Ways, then I will move on to testing and creating a clean user interface.

If you are interested, I hope that you follow this blog as I document my progress!