Introducing FastIR Artifacts

We are happy to release our brand new open source project: FastIR Artifacts, a forensic artifacts collector that can be used on a live host.

SEKOIA Team
Sep 30 · 5 min read

FastIR Artifacts is focused on artifact collection: it does no parsing or analysis of what it collects. It is cross-platform, with a single code base that runs on GNU/Linux, Windows and Mac OS X.

It leverages the Digital Forensics Artifact Repository for artifact definitions (the repository is a free, community-sourced, machine-readable knowledge base of digital forensic artifacts). Where the file system is supported, it also leverages the Sleuth Kit library, reading files from the raw volume rather than through the operating system, which is what makes files locked by the OS on a live host, such as the NTFS $MFT, collectable.

Why another collector?

The main reason is simplicity. FastIR Artifacts does not do any format parsing. This is easier to maintain: if a new artifact is discovered, the only thing to do is to add its definition to a YAML file. There is no change in the code.

FastIR Collector (our previously developed collector) created a mix of hundreds of files: CSV, ZIP, TXT, EVTX… On the other hand, we can count on the fingers of one hand the number of files created by FastIR Artifacts.

Additionally, FastIR Artifacts output can be processed with existing tools like plaso.

Running FastIR Artifacts

By default, FastIR Artifacts collects a selection of artifacts from the ForensicArtifacts library that are supported by the operating system, but it is possible to select artifacts at a more granular level with command line switches:

C:\Users\sekoia\Desktop\fastir_artifacts>fastir_artifacts.exe -h
usage: fastir_artifacts.exe [-h] [-i INCLUDE] [-e EXCLUDE]
                            [-d DIRECTORY [DIRECTORY ...]] [-l] [-m MAXSIZE]
                            [-o OUTPUT] [-s]

FastIR Artifacts - Collect ForensicArtifacts Args that start with '--' (eg.
--include) can also be set in a config file
(C:\Users\sekoia\Desktop\fastir_artifacts\fastir_artifacts.ini). Config file
syntax allows: key=value, flag=true, stuff=[a,b,c] (for details, see syntax at
https://goo.gl/R74nmi). If an arg is specified in more than one place, then
commandline values override config file values which override defaults.

optional arguments:
  -h, --help            show this help message and exit
  -i INCLUDE, --include INCLUDE
                        Artifacts to collect (comma-separated)
  -e EXCLUDE, --exclude EXCLUDE
                        Artifacts to ignore (comma-separated)
  -d DIRECTORY [DIRECTORY ...], --directory DIRECTORY [DIRECTORY ...]
                        Directory containing Artifacts definitions
  -l, --library         Keep loading Artifacts definitions from the
                        ForensicArtifacts library (in addition to custom
                        directories)
  -m MAXSIZE, --maxsize MAXSIZE
                        Do not collect file with size > n
  -o OUTPUT, --output OUTPUT
                        Directory where the results are created
  -s, --sha256          Compute SHA-256 of collected files

For instance, to collect only the NTFSMFTFiles artifact on a Windows host we can use the --include NTFSMFTFiles command line switch:

C:\Users\sekoia\Desktop\fastir_artifacts>fastir_artifacts.exe --include NTFSMFTFiles
2019-07-02 10:18:12,395 - PROGRESS - Loading artifacts ...
2019-07-02 10:18:13,686 - PROGRESS - Collecting artifacts from 1 sources ...
2019-07-02 10:18:30,499 - PROGRESS - Finished collecting artifacts

Two files were created, a zip file and a log file:

C:\Users\sekoia\Desktop\fastir_artifacts>dir /B 20190702101812-DESKTOP-SEKOIA
DESKTOP-SEKOIA-files.zip
DESKTOP-SEKOIA-logs.txt

The zip file contains the $MFT and $MFTMirr files (note the 1980-01-01 entry timestamps: the archive does not preserve the original file times, so timing information has to come from the collected artifacts themselves, not from the zip entries):

C:\Users\sekoia\Desktop\fastir_artifacts>"c:\Program Files\7-Zip\7z.exe" l 20190702101812-DESKTOP-SEKOIA\DESKTOP-SEKOIA-files.zip

7-Zip 19.00 (x64) : Copyright (c) 1999-2018 Igor Pavlov : 2019-02-21

Scanning the drive for archives:
1 file, 76470756 bytes (73 MiB)

Listing archive: 20190702101812-DESKTOP-SEKOIA\DESKTOP-SEKOIA-files.zip

--
Path = 20190702101812-DESKTOP-SEKOIA\DESKTOP-SEKOIA-files.zip
Type = zip
WARNINGS:
Headers Error
Physical Size = 76470756

   Date      Time    Attr         Size   Compressed  Name
------------------- ----- ------------ ------------  ------------------------
1980-01-01 00:00:00 .....    631504896     76470013  C\$MFT
1980-01-01 00:00:00 .....         4096          497  C\$MFTMirr
------------------- ----- ------------ ------------  ------------------------
1980-01-01 00:00:00          631508992     76470510  2 files

Warnings: 1

It is also possible to set those arguments from the fastir_artifacts.ini configuration file, for instance to collect NTFSMFTFiles, WindowsSystemRegistryFiles, WindowsUserRegistryFiles, and WindowsUserRecentFiles artifacts:

include = NTFSMFTFiles,WindowsSystemRegistryFiles,WindowsUserRegistryFiles,WindowsUserRecentFiles

You can then launch FastIR Artifacts by double-clicking on it.
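A fuller configuration file, as an added example built from the option list and the key=value, flag=true and [a,b,c] forms described in the help output (it is not a file shipped with the project; the maxsize unit, the output path and the custom definitions directory are assumptions):

```ini
; fastir_artifacts.ini, placed next to fastir_artifacts.exe (the path the
; help output reports). Command line switches override anything set here.

; artifacts to collect; anything not listed is skipped
include = NTFSMFTFiles,WindowsSystemRegistryFiles,WindowsUserRegistryFiles,WindowsUserRecentFiles

; do not collect files larger than this (assumed to be bytes: 100 MiB)
maxsize = 104857600

; where the timestamped result directory is created (assumed path, e.g. an
; external drive so the collection does not land on the suspect volume)
output = D:\collect

; record a SHA-256 for every collected file so the archive can be verified later
sha256 = true

; additional directories with custom YAML definitions (assumed path), while
; still loading the definitions of the ForensicArtifacts library
directory = [C:\custom_artifacts]
library = true
```

Keeping the file beside the executable is what makes the double-click deployment above work: an operator on the host does not have to type any switch, and the choice of artifacts and output location is fixed by whoever prepared the collector.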

FastIR Artifacts output

Collected files are stored in a zip file. These artifacts can be processed with your favorite tools (plaso, RegRipper, analyzeMFT, PECmd...). For instance, launch log2timeline.py directly on the zip file, with the win7 preset and the filestat parser excluded (we don't care about the timestamps of the zip entries, which as the listing above shows are not the original file times):

$ log2timeline.py --process_archives --parsers win7,\!filestat DESKTOP-SEKOIA.plaso DESKTOP-SEKOIA-files.zip

Extract $MFT, process it with analyzeMFT.py and add the resulting bodyfile to the same timeline with log2timeline.py:

$ unzip DESKTOP-SEKOIA-files.zip C/\$MFT
$ analyzeMFT.py --bodyfull -b MFT.bodyfile -f C/\$MFT
$ log2timeline.py --parsers mactime DESKTOP-SEKOIA.plaso MFT.bodyfile
$ psort / timesketch...

Command outputs and WMI query results are stored in JSON files (the WMI results from the example host are in DESKTOP-SEKOIA-wmi.json).

Those files can be read with your favorite text editor or a JSON processor such as jq, or fed to a custom tool. For instance, to list each process with its executable path and parent from the WMIProcessList artifact:

$ jq -c '."WMIProcessList"."SELECT * from Win32_Process" | .[] | {desc: ."Description", path: ."ExecutablePath", pid: ."ProcessId", ppid: ."ParentProcessId"}' DESKTOP-SEKOIA-wmi.json | head -20
{"desc":"System Idle Process","path":null,"pid":0,"ppid":0}
{"desc":"System","path":null,"pid":4,"ppid":0}
{"desc":"Registry","path":null,"pid":120,"ppid":4}
{"desc":"smss.exe","path":null,"pid":660,"ppid":4}
{"desc":"csrss.exe","path":null,"pid":756,"ppid":744}
{"desc":"wininit.exe","path":null,"pid":884,"ppid":744}
{"desc":"csrss.exe","path":null,"pid":904,"ppid":876}
{"desc":"services.exe","path":null,"pid":960,"ppid":884}
{"desc":"lsass.exe","path":"C:\\WINDOWS\\system32\\lsass.exe","pid":976,"ppid":884}
{"desc":"svchost.exe","path":"C:\\WINDOWS\\system32\\svchost.exe","pid":780,"ppid":960}
{"desc":"fontdrvhost.exe","path":"C:\\WINDOWS\\system32\\fontdrvhost.exe","pid":716,"ppid":884}
{"desc":"svchost.exe","path":"C:\\WINDOWS\\system32\\svchost.exe","pid":96,"ppid":960}
{"desc":"WUDFHost.exe","path":"C:\\Windows\\System32\\WUDFHost.exe","pid":956,"ppid":960}
{"desc":"svchost.exe","path":"C:\\WINDOWS\\system32\\svchost.exe","pid":1124,"ppid":960}
{"desc":"svchost.exe","path":"C:\\WINDOWS\\system32\\svchost.exe","pid":1172,"ppid":960}
{"desc":"winlogon.exe","path":"C:\\WINDOWS\\system32\\winlogon.exe","pid":1260,"ppid":876}
{"desc":"fontdrvhost.exe","path":"C:\\WINDOWS\\system32\\fontdrvhost.exe","pid":1320,"ppid":1260}
{"desc":"WUDFHost.exe","path":"C:\\Windows\\System32\\WUDFHost.exe","pid":1384,"ppid":960}
{"desc":"dwm.exe","path":"C:\\WINDOWS\\system32\\dwm.exe","pid":1440,"ppid":1260}
{"desc":"svchost.exe","path":"C:\\WINDOWS\\System32\\svchost.exe","pid":1516,"ppid":960}
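The jq one-liner flattens the listing; what a responder actually wants from a process snapshot is the parent/child tree and the handful of core processes whose parent or path is not what it should be. The script below is an added example (not part of FastIR Artifacts) that reads the same JSON layout, rebuilds the tree and flags deviations from a small "know normal" baseline. The sample document is constructed from the rows shown above plus two invented entries (pids 4242 and 4243) that model an svchost.exe started by explorer.exe from a user-writable directory; the baseline table and the system directory prefixes are assumptions for the example.

```python
import json
from collections import defaultdict

# Constructed sample in the layout FastIR Artifacts uses for WMI results
# (artifact name -> WMI query -> list of instances). Only the four properties
# queried above are kept; a real capture holds every Win32_Process property.
# Rows mirror the listing above, plus two constructed entries (pids 4242 and
# 4243) modelling an svchost.exe started by explorer.exe from C:\Users\Public.
SAMPLE_WMI_JSON = json.dumps({"WMIProcessList": {"SELECT * from Win32_Process": [
    {"Description": "System Idle Process", "ExecutablePath": None, "ProcessId": 0, "ParentProcessId": 0},
    {"Description": "System", "ExecutablePath": None, "ProcessId": 4, "ParentProcessId": 0},
    {"Description": "smss.exe", "ExecutablePath": None, "ProcessId": 660, "ParentProcessId": 4},
    {"Description": "csrss.exe", "ExecutablePath": None, "ProcessId": 756, "ParentProcessId": 744},
    {"Description": "wininit.exe", "ExecutablePath": None, "ProcessId": 884, "ParentProcessId": 744},
    {"Description": "services.exe", "ExecutablePath": None, "ProcessId": 960, "ParentProcessId": 884},
    {"Description": "lsass.exe", "ExecutablePath": "C:\\WINDOWS\\system32\\lsass.exe", "ProcessId": 976, "ParentProcessId": 884},
    {"Description": "svchost.exe", "ExecutablePath": "C:\\WINDOWS\\system32\\svchost.exe", "ProcessId": 780, "ParentProcessId": 960},
    {"Description": "explorer.exe", "ExecutablePath": "C:\\WINDOWS\\explorer.exe", "ProcessId": 4242, "ParentProcessId": 884},
    {"Description": "svchost.exe", "ExecutablePath": "C:\\Users\\Public\\svchost.exe", "ProcessId": 4243, "ParentProcessId": 4242},
]}})

# Assumed baseline: expected parent and location of a few core processes on a
# modern Windows host. Deviations are triage leads, not verdicts.
EXPECTED_PARENT = {"services.exe": "wininit.exe", "lsass.exe": "wininit.exe", "svchost.exe": "services.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def load_process_list(wmi_json_text):
    """Map pid -> instance for the Win32_Process query of a *-wmi.json document."""
    doc = json.loads(wmi_json_text)
    return {row["ProcessId"]: row for row in doc["WMIProcessList"]["SELECT * from Win32_Process"]}


def find_orphans(procs):
    """PIDs whose parent is absent from the listing. Early-boot parents (smss,
    the first csrss/wininit parent) normally exit, so orphans are context rather
    than alerts; they are also the extra roots needed to draw the tree."""
    return sorted(pid for pid, row in procs.items() if pid != 0 and row["ParentProcessId"] not in procs)


def find_anomalies(procs):
    """(pid, reason) for baseline processes with an unexpected parent or path."""
    findings = []
    for pid, row in procs.items():
        name = (row.get("Description") or "").lower()
        if name not in EXPECTED_PARENT:
            continue
        parent = procs.get(row["ParentProcessId"])
        if parent is not None:
            parent_name = (parent.get("Description") or "").lower()
            if parent_name != EXPECTED_PARENT[name]:
                findings.append((pid, f"{name} parent is {parent_name}, expected {EXPECTED_PARENT[name]}"))
        path = (row.get("ExecutablePath") or "").lower()
        if path and not path.startswith(SYSTEM_DIRS):
            findings.append((pid, f"{name} runs from {row['ExecutablePath']}"))
    return findings


def render_tree(procs):
    """Indented parent/child listing, walked from pid 0 and from every orphan."""
    children = defaultdict(list)
    for pid, row in procs.items():
        if pid != 0:  # pid 0 reports itself as its own parent
            children[row["ParentProcessId"]].append(pid)
    lines = []

    def walk(pid, depth):
        row = procs[pid]
        lines.append("  " * depth + f"{pid} {row['Description']} ({row['ExecutablePath']})")
        for child in sorted(children[pid]):
            walk(child, depth + 1)

    for root in [0] + find_orphans(procs):
        walk(root, 0)
    return lines


if __name__ == "__main__":
    procs = load_process_list(SAMPLE_WMI_JSON)
    print("\n".join(render_tree(procs)))
    for pid, reason in find_anomalies(procs):
        print(f"[!] pid {pid}: {reason}")
```

Run against a real DESKTOP-SEKOIA-wmi.json, the two constructed rows disappear and only genuine deviations remain; the baseline table is deliberately small and should be extended with the relationships your own environment treats as normal.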

Extending FastIR Artifacts with new artifact definitions

The artifacts definitions are YAML-based. Source types include COMMAND, FILE, REGISTRY_KEY, REGISTRY_VALUE and WMI (the last three are for Windows hosts only).

Artifact definition format is described at https://github.com/ForensicArtifacts/artifacts/blob/master/docs/Artifacts%20definition%20format%20and%20style%20guide.asciidoc

The three examples below give a better understanding:

1 — Definition of the LinuxLoaderSystemPreloadFile artifact, contributed by SEKOIA to the Digital Forensics Artifact Repository:

name: LinuxLoaderSystemPreloadFile
doc: Linux dynamic linker/loader system-wide preload file (ld.so.preload).
sources:
- type: FILE
  attributes: {paths: ['/etc/ld.so.preload']}
labels: [Configuration Files]
supported_os: [Linux]
urls: ['http://man7.org/linux/man-pages/man8/ld.so.8.html']
This artifact has a FILE source, which collects the contents of files. Its list of paths has a single member, `/etc/ld.so.preload`, a file worth collecting because every library listed in it is loaded into each dynamically linked process, a classic userland persistence and rootkit technique.

2 — Definition of the WMINetTCPConnections artifact, also contributed by SEKOIA to the Digital Forensics Artifact Repository:

name: WMINetTCPConnections
doc: TCP connections via Windows Management Instrumentation (WMI).
sources:
- type: WMI
  attributes: {query: SELECT * from MSFT_NetTCPConnection, base_object: 'winmgmts:\root\StandardCimv2'}
  conditions: [os_major_version >= 6 AND os_minor_version >= 2]
labels: [Network]
supported_os: [Windows]
urls: ['https://docs.microsoft.com/en-us/previous-versions/windows/desktop/nettcpipprov/msft-nettcpconnection']

This artifact has a WMI source, which collects the output of Windows Management Instrumentation queries. The query retrieves MSFT_NetTCPConnection instances from the \root\StandardCimv2 namespace, and the condition restricts the source to os_major_version >= 6 AND os_minor_version >= 2, i.e. Windows 8 / Server 2012 and later, where that class was introduced. Note that the condition is a plain comparison of the two version numbers: a version such as 10.0 does not satisfy os_minor_version >= 2.

3 — Definition of the ListProcessesPsCommand artifact:

name: ListProcessesPsCommand
doc: Full process listing via the 'ps' command.
sources:
- type: COMMAND
  attributes:
    args: ['-ef']
    cmd: /bin/ps
supported_os: [Linux]
urls: ['https://gitlab.com/procps-ng/procps']

This artifact has a COMMAND source, which collects the output of a command. In this case, /bin/ps -ef is run to list all processes.
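Before dropping a custom definition into a directory passed with --directory, it pays to check it the way the collector will read it: does it have the required keys, does each source carry the attributes its type needs, is a Windows-only source type declared on a Windows artifact, and which sources would actually run on a given host once supported_os, --include/--exclude and the conditions are applied? The script below is an added example (not the project's loader and not the artifacts library) that does exactly that for the three definitions above. The definitions are embedded as the dicts yaml.safe_load() would return so the example runs without PyYAML; the required-attribute table follows the definition format guide, and the condition evaluator is a deliberately small stand-in for the real condition language (assumption: only AND/OR over integer comparisons).

```python
import re

# The three definitions above, as yaml.safe_load() would return them (kept as
# Python dicts so this runs without PyYAML). Added example, not project code.
ARTIFACTS = [
    {
        "name": "LinuxLoaderSystemPreloadFile",
        "doc": "Linux dynamic linker/loader system-wide preload file (ld.so.preload).",
        "sources": [{"type": "FILE", "attributes": {"paths": ["/etc/ld.so.preload"]}}],
        "supported_os": ["Linux"],
    },
    {
        "name": "WMINetTCPConnections",
        "doc": "TCP connections via Windows Management Instrumentation (WMI).",
        "sources": [{
            "type": "WMI",
            "attributes": {"query": "SELECT * from MSFT_NetTCPConnection",
                           "base_object": "winmgmts:\\root\\StandardCimv2"},
            "conditions": ["os_major_version >= 6 AND os_minor_version >= 2"],
        }],
        "supported_os": ["Windows"],
    },
    {
        "name": "ListProcessesPsCommand",
        "doc": "Full process listing via the 'ps' command.",
        "sources": [{"type": "COMMAND", "attributes": {"args": ["-ef"], "cmd": "/bin/ps"}}],
        "supported_os": ["Linux"],
    },
]

# Attributes each source type must carry (per the definition format guide),
# the types that only make sense on Windows, and the supported_os values the
# repository uses.
REQUIRED_ATTRS = {
    "FILE": ("paths",),
    "COMMAND": ("cmd", "args"),
    "WMI": ("query",),
    "REGISTRY_KEY": ("keys",),
    "REGISTRY_VALUE": ("key_value_pairs",),
}
WINDOWS_ONLY = {"REGISTRY_KEY", "REGISTRY_VALUE", "WMI"}
KNOWN_OS = {"Darwin", "Linux", "Windows"}


def validate(defn):
    """Return a list of problems with one definition (empty list means it looks fine)."""
    problems = [f"missing {key}" for key in ("name", "doc", "sources", "supported_os") if key not in defn]
    if problems:
        return problems
    unknown = set(defn["supported_os"]) - KNOWN_OS
    if unknown:
        problems.append(f"unknown supported_os {sorted(unknown)}")
    for i, src in enumerate(defn["sources"]):
        stype = src.get("type")
        if stype not in REQUIRED_ATTRS:
            problems.append(f"source {i}: unsupported type {stype!r}")
            continue
        missing = [a for a in REQUIRED_ATTRS[stype] if a not in src.get("attributes", {})]
        if missing:
            problems.append(f"source {i}: {stype} needs {missing}")
        # a source may narrow supported_os; otherwise it inherits the artifact's list
        if stype in WINDOWS_ONLY and set(src.get("supported_os", defn["supported_os"])) - {"Windows"}:
            problems.append(f"source {i}: {stype} is Windows-only")
    return problems


_CMP = re.compile(r"^\s*(\w+)\s*(>=|<=|==|!=|>|<)\s*(\d+)\s*$")
_OPS = {">=": int.__ge__, "<=": int.__le__, "==": int.__eq__, "!=": int.__ne__, ">": int.__gt__, "<": int.__lt__}


def eval_condition(expr, facts):
    """Evaluate 'a >= 1 AND b < 2 OR c == 3' against integer facts. Assumption:
    a small stand-in for the real condition language, handling only AND/OR over
    integer comparisons, with AND binding tighter than OR."""
    def term(text):
        m = _CMP.match(text)
        if not m:
            raise ValueError(f"unsupported condition term: {text!r}")
        name, op, value = m.groups()
        return _OPS[op](facts[name], int(value))
    return any(all(term(t) for t in clause.split(" AND ")) for clause in expr.split(" OR "))


def select_sources(artifacts, os_name, os_version, include=(), exclude=()):
    """(artifact name, source type) pairs that would run on a host: the artifact
    must list os_name in supported_os, survive --include / --exclude, and every
    condition on the source must hold for (major, minor) = os_version."""
    major, minor = os_version
    facts = {"os_major_version": major, "os_minor_version": minor}
    chosen = []
    for art in artifacts:
        if (include and art["name"] not in include) or art["name"] in exclude:
            continue
        if os_name not in art["supported_os"]:
            continue
        for src in art["sources"]:
            if os_name not in src.get("supported_os", art["supported_os"]):
                continue
            if all(eval_condition(c, facts) for c in src.get("conditions", [])):
                chosen.append((art["name"], src["type"]))
    return chosen


if __name__ == "__main__":
    for art in ARTIFACTS:
        print(art["name"], validate(art) or "ok")
    print("Windows 6.3:", select_sources(ARTIFACTS, "Windows", (6, 3)))
    # 'os_minor_version >= 2' is false for 10.0, so the WMI source is skipped there
    print("Windows 10.0:", select_sources(ARTIFACTS, "Windows", (10, 0)))
```

The last two lines of the demo are the practical point: a condition written as two independent comparisons behaves differently on a 10.0 host than on a 6.3 one, so custom definitions with version conditions should be checked against the exact version strings of the hosts you intend to collect from.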

Download

Source code of FastIR Artifacts is available on GitHub.

You can also find binaries for Windows, GNU/Linux and Mac OS X on the release page.
