For my first update on the state of my senior project, I will going over the progress that I have made in the past weeks, along with some of my struggles, as well as where I am planning on focusing my time on next.
Getting Started
I was able to set up a simple testing environment with VMware workstation using a variety of virtual machines, giving myself a sandbox to tinker with firewall and registry settings. I use a variety of editors during the of writing my script, I started of simply using notepad and notepad ++, then, I graduated on to using the PowerShell Integrated Scripting Environment that is built into Windows 7, finally, I settled on using the third-party editor PowerGUI, this program seemed be the easiest to use, as well as having the most sophisticated debugging capabilities, allowing my to easily test sections of my script line by line
My first major hurdle for this project occurred while I was initially creating the core process for my script. At the start of this project, I was not able to get F-Response to connect to any of the target virtual machines that I had set up. In the end this problem turned out to simply be an error with the firewall settings on my host and target machines.
F-Response primarily maintains two connections in order to carry out its services. The first is and ISCSI connection that it uses to connect to and read the disks on a target system. When f-Response has made a connection to a computer, the targets on that computer can be viewed both through f-Response and the Microsoft ISCSI initiator
|
Targets seen through F-response |
|
Targets seen through Microsoft's ISCSI Initiator |
The second is a connection with the F-Response license server, which is used to validate the software and ensure that the F-Response License dongle is attached at all times. I was able to find the
specific firewall exceptions that are needed to properly connect itself to a target machine on the
F-Response Website. Once these exceptions where put in place, my script worked as planned
The Core Process
The core process of my script that interacts with PowerShell, works rather simply. The first thing this script does is read two files on the host system. The first of these files is a text file with a list of Ip addresses of the computers that the user would like to examine. Each of these IP addresses must be separated by a line break, for example:
192.168.1.50
192.168.1.24
The second file that this script reads lists the User name and Password (and optionally the domain) that is used to log into the target system. These credentials come in the form of a CSV file.
From here I am able to leverage the F-Response COM control to begin to interact with the program using the data that is read from the files. specifically I use the FEMC object which contains functions to interact with most of the core functionality of the F-Response program.
When the target machine’s IP address and proper credentials are fed into F-Response the script will attempt to make a connection with the target, when these functions occur
F-Response will receive a list of target drives on that machine that the program can access. by default the two targets listed are the Logical and Physical disks on that computer, however if the user manually changes the F-Response configuration themselves, then physical memory can also be acquired.
|
Methods used to install and start F-Response on target |
When F-Response has been deployed on the target machine, my script logs into all target devices on that machine and displays the disk name, the disk type and the Physical disk mapping. for a windows machine with physical memory it returns the following.
The disk name of this target uses the
ISCSI Qualified Name Format (IQN) which contains the Hostname of the target computer , followed by the type of disk that the target it using, in the above example the Hostname is win-h87mfons7jd and the type of disk is "pmem" (Physical Memory). The disk type can also be used to figure out the the type of target:
Disk Types
1 = physical disk
2 = logical volume
3 = Physical Memory
All this information is critical to interacting with the X-ways to image these targets.
Designing a GUI
I have reached a point in this project where I am comfortable with moving on to design a simple Graphical user interface to help with guiding the User through running my script. I was able to make this GUI through PowerShell using the Windows Forms module built into Windows. My initial design for this GUI was to create a simple window that allowed the user to specify the path where they stored the target IP file, the credentials, and the directory where they would want to log their progress. The current state of the GUI can be seen below
|
Current design of the Graphical User Interface |
Where to go from here...
My next step is quite simple, incorporate X-Ways into my script. This part has been taking me longer than expected, this is mainly because I have not been able to get access to the correct version of X-Ways forensics. Later versions of the program have added a command line tool to easily automate the imaging of disks. This is only I minor setback, and I should be receiving the correct version within the next few days. Once I have gotten this program I will be just about done with this script and can try testing it on a large scale operation with numerous computers.
I will be sure to post another update in the next week or so when I have received the correct version of X-ways. I will also provide a further in-depth look at the code and methods of my script