Autopsy Python YARA Scan Module

YARA is a great tool to help with the identification of malware that can be found at: https://plusvic.github.io/yara/.  You can write your own rules or here is a super nice prebuilt repository that can be used at: http://yararules.com.  I needed a fast way to search through some disk images thus decided it was time to build a quick Autopsy Python YARA Scan Module found for download at: https://github.com/jblukach/AutopsyModules.

Setup required dropping the YARA executable in the Autopsy Python Module folder.  I also created a centralized YARA Rule File containing the following: include “rules-master\antidebug.yar” statements for the list as an example.   

You can easily change the following two lines of code if you want to use a different storage location.

What is the objective of your YARA Scan?  The search syntax uses SQLite thus in this example %.doc is looking for any word documents.  There are no path dependencies as it is set with the percentage sign a.k.a. %.

If you wanted to find any executable files that were located in a temporary folder the line of code could be changed to the following.  Any files that are marked as KNOWN by Hash Analysis will be excluded from the YARA Scan.

files = fileManager.findFiles(dataSource, “%.exe”, “%temp%”)

These two lines can be commented out with the pound sign a.k.a. # to get the quantity and listing of files that will be processed.  First line exports the file to the Temporary folder inside the case directory structure.  The second line runs the YARA scan against the exported file.  Windows Defender on my investigation machine also examines the files during extraction that may identify some very low hanging fruit too. 

The report will overwrite the YARA.txt file every time the module is run.  The file is located in the Reports folder inside the case directory structure.  You may need to update the report name depending on changes to your search requirements.   

Once the YARA Scan module completes, Autopsy will fire an alert showing the number of files scanned.
Under Reports, the generated text file will be linked so that you can double click and review the results.  Top line is the YARA results and the bottom line shows where the file is located in the Autopsy interface. 



Hopefully this helps your hunting too!

John

Continue reading Autopsy Python YARA Scan Module

Autopsy Python YARA Scan Module

YARA is a great tool to help with the identification of malware that can be found at: https://plusvic.github.io/yara/.  You can write your own rules or here is a super nice prebuilt repository that can be used at: http://yararules.com.  I needed a fast way to search through some disk images thus decided it was time to build a quick Autopsy Python YARA Scan Module found for download at: https://github.com/jblukach/AutopsyModules.

Setup required dropping the YARA executable in the Autopsy Python Module folder.  I also created a centralized YARA Rule File containing the following: include “rules-master\antidebug.yar” statements for the list as an example.   

You can easily change the following two lines of code if you want to use a different storage location.

What is the objective of your YARA Scan?  The search syntax uses SQLite thus in this example %.doc is looking for any word documents.  There are no path dependencies as it is set with the percentage sign a.k.a. %.

If you wanted to find any executable files that were located in a temporary folder the line of code could be changed to the following.  Any files that are marked as KNOWN by Hash Analysis will be excluded from the YARA Scan.

files = fileManager.findFiles(dataSource, “%.exe”, “%temp%”)

These two lines can be commented out with the pound sign a.k.a. # to get the quantity and listing of files that will be processed.  First line exports the file to the Temporary folder inside the case directory structure.  The second line runs the YARA scan against the exported file.  Windows Defender on my investigation machine also examines the files during extraction that may identify some very low hanging fruit too. 

The report will overwrite the YARA.txt file every time the module is run.  The file is located in the Reports folder inside the case directory structure.  You may need to update the report name depending on changes to your search requirements.   

Once the YARA Scan module completes, Autopsy will fire an alert showing the number of files scanned.
Under Reports, the generated text file will be linked so that you can double click and review the results.  Top line is the YARA results and the bottom line shows where the file is located in the Autopsy interface. 



Hopefully this helps your hunting too!

John

Continue reading Autopsy Python YARA Scan Module

Autopsy Python File Marker Module

Repetitively, I need the file system, registry, event logs and prefetch artifacts from end points.  So I created a script to mark files as interesting just to save time digging through the folder hierarchy.  The File Marker module can be downloaded from GitHub at: https://github.com/jblukach/AutopsyModules

File Marker Module
Listed the marked files with some of my favorite tools for parsing the artifacts too.    

Memory: pagefile.sys, hiberfil.sys and MEMORY.DMP

·             bulk_extractor – https://github.com/simsong/bulk_extractor

·             Volatility – http://www.volatilityfoundation.org

File System: $MFT, $LogFile and $UsnJrnl:$J

·             Triforce ANJP Free Edition – https://www.gettriforce.com

Registry: SYSTEM, SECURITY, SOFTWARE, SAM, NTUSER.DAT, UsrClass.dat and Amcache.hve

·             Registry Explorer – http://binaryforay.blogspot.com

·             RegRipper – https://github.com/keydet89/RegRipper2.8

Event Logs: *.evtx

·             python-evtx – https://github.com/williballenthin/python-evtx

Prefetch: *.pf

Please comment and share additional disk artifacts or tools that you use for triage!

File Marker Output

Continue reading Autopsy Python File Marker Module

Autopsy Python File Marker Module

Repetitively, I need the file system, registry, event logs and prefetch artifacts from end points.  So I created a script to mark files as interesting just to save time digging through the folder hierarchy.  The File Marker module can be downloaded from GitHub at: https://github.com/jblukach/AutopsyModules

File Marker Module
Listed the marked files with some of my favorite tools for parsing the artifacts too.    

Memory: pagefile.sys, hiberfil.sys and MEMORY.DMP

·             bulk_extractor – https://github.com/simsong/bulk_extractor

·             Volatility – http://www.volatilityfoundation.org

File System: $MFT, $LogFile and $UsnJrnl:$J

·             Triforce ANJP Free Edition – https://www.gettriforce.com

Registry: SYSTEM, SECURITY, SOFTWARE, SAM, NTUSER.DAT, UsrClass.dat and Amcache.hve

·             Registry Explorer – http://binaryforay.blogspot.com

·             RegRipper – https://github.com/keydet89/RegRipper2.8

Event Logs: *.evtx

·             python-evtx – https://github.com/williballenthin/python-evtx

Prefetch: *.pf

Please comment and share additional disk artifacts or tools that you use for triage!

File Marker Output

Continue reading Autopsy Python File Marker Module

Autopsy Python File Marker Module

Repetitively, I need the file system, registry, event logs and prefetch artifacts from end points.  So I created a script to mark files as interesting just to save time digging through the folder hierarchy.  The File Marker module can be downloaded from GitHub at: https://github.com/jblukach/AutopsyModules

File Marker Module
Listed the marked files with some of my favorite tools for parsing the artifacts too.    

Memory: pagefile.sys, hiberfil.sys and MEMORY.DMP

·             bulk_extractor – https://github.com/simsong/bulk_extractor

·             Volatility – http://www.volatilityfoundation.org

File System: $MFT, $LogFile and $UsnJrnl:$J

·             Triforce ANJP Free Edition – https://www.gettriforce.com

Registry: SYSTEM, SECURITY, SOFTWARE, SAM, NTUSER.DAT, UsrClass.dat and Amcache.hve

·             Registry Explorer – http://binaryforay.blogspot.com

·             RegRipper – https://github.com/keydet89/RegRipper2.8

Event Logs: *.evtx

·             python-evtx – https://github.com/williballenthin/python-evtx

Prefetch: *.pf

Please comment and share additional disk artifacts or tools that you use for triage!

File Marker Output

Continue reading Autopsy Python File Marker Module