Whenever I can, I like to use PowerShell for DFIR tasks – it’s ubiquitous presence usually means less headaches when deploying tools in client environments. To that end, exploring what is available from an open-source perspective leads most people to a few options when it comes to common DFIR tasks and automations:
- https://github.com/davehull/Kansa
- https://github.com/Invoke-IR/PowerForensics
- https://github.com/orlikoski/CyLR
- https://github.com/Velocidex/velociraptor
Let’s talk about each of these first.
Kansa is a highly-modular framework written in PowerShell that provides Incident Response teams the capability to easily query for common artifacts as well as perform some level of analysis on the results. It can be extended by writing custom PowerShell modules to retrieve evidence as required – unfortunately, it relies on PowerShell Remoting which in turn relies on Windows Remote Management (WinRM) – a feature that, in my experience, is frequently not enabled for Desktop endpoints in corporate environments.
PowerForensics is a library written in PowerShell and C# that exposes functionality allowing for users to, in their own tools, easily gather artifacts directly through parsing of the NTFS/FAT file system artifacts such as the $MFT. This is particularly useful when analyzing dead disks or otherwise locked data – it is not intended as a ‘live’ triage tool.
CyLR is a C# tool designed to aid front-line responders in the collection of common artifacts from live systems – unfortunately, the artifact selection is hard-coded into the tool rather than available via a configuration of any type. This makes it’s usefulness relatively limited in scope.
Finally, I would be remiss if I did not discuss Velociraptor – this awesome tool is great at helping teams gain visibility into endpoints at scale and comes packed with community-contributed modules for collecting evidence. Velociraptor is ALSO capable of generating offline evidence collection packages but these must be configured ahead of time via the GUI – often this can be overkill, especially if you are not already used to the tool or don’t have it deployed in an easily accessible location.
There are some other common closed-source tools such as KAPE but these are typically not allowed to be used in paid engagements or third-party networks unless an enterprise license is obtained, making it less useful for smaller teams that cannot afford such a license.
Each of these tools is great in their own right – but I felt a need to create something to fill what I perceived as a gap – a standalone evidence collection (and parsing) tool with flexible evidence specification based on easy to read and create JSON files.
Introducing, RetrievIR [https://github.com/joeavanzato/RetrievIR] – a PowerShell script capable of parsing JSON configuration files in order to collect files, registry key/values and command outputs from local and remote hosts. At it’s core, RetrievIR is relatively simple – it will hunt for files that match specified patterns, registry keys that match provided filters and execute commands either in-line or from a specified file. Additionally, I’ve created a follow-up script called ParseIR which is designed to parse RetrievIR output using common tools such as the Eric Zimmerman set of parsers as well as some custom utilities that are still evolving.
One of the main goals in creating this was to help provide DFIR teams the capability to specify exactly what evidence they want to collect along with tagging and categorizing evidence – this means that one or more configuration files can be used in multiple ways as the operator can tell RetrievIR to only collect evidence that contains a specific tag or is part of a specified category rather than always collecting everything in the configuration file. Evidence specification does not require an individual to know how to program – everything is based in the JSON configuration including what paths to search, recursiveness, what files to filter on, what commands to execute, what registry keys to inspect and so-on.
RetrievIR is intended for use in assisting the live triage of endpoints – it collects raw evidence that is typically then processed into machine-readable information which can then be fed into centralized data stores for investigation (Elastic, Splunk, SQL, etc). RetrievIR configurations are described as JSON objects with different properties available depending on whether the target is the filesystem, the registry or a command execution. An example of each type of configuration is shown below.
{
"files": {
"Avast": {
"category": "AntiVirus",
"filter": ["*.log"],
"recursive": false,
"paths": [
"%HOMEDRIVE%\\ProgramData\\Avast Software\\Avast\\Log\\*",
"%HOMEDRIVE%\\ProgramData\\Avast Software\\Avast\\Chest\\*",
"%HOMEDRIVE%\\Users\\*\\Avast Software\\Avast\\Log\\*"
],
"tags": ["sans_triage"]
}
},
"commands": {
"CommandLineConsumers": {
"category": "WMI",
"command": "Get-WmiObject CommandLineEventConsumer -Namespace root\\subscription -ErrorAction SilentlyContinue | Select-Object * | Export-Csv -NoTypeInformation -Path '#FILEPATH#'",
"output": "CommandLineEventConsumers.csv",
"tags": ["sans_triage", "light"],
"type": "WMI-CommandlineConsumers",
"parser": "CSVOutputCollector"
}
},
"registry": {
"DefenderExclusions": {
"category": "Antivirus",
"paths": [
"HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions"
],
"recursive": true,
"keys": ["*"],
"store_empty": true,
"tags" : ["sans_triage"]
}
}
}This example configuration will tell RetrievIR to do three distinct things:
- Look for any file ending in ‘.log’ non-recursively at the 3 specified paths.
- Execute the provided command and output it to the File Name specified in ‘output’.
- Examine the provided registry path recursively and record any key:value stored in any path, including the current.
There are some other things going on but at it’s core, this is all that is required to use RetrievIR effectively and obtain evidence to help your team analyze systems. I’ll be writing more advanced articles covering tagging, parsing and additional properties available – but hopefully this has been enough to pique your interest and maybe help your team more rapidly triage live systems!
Link: https://github.com/joeavanzato/RetrievIR
Please check it out and provide feedback so I can make it better!
Common Commandlines
Capture the standard ‘SANS Triage’ collection of artifacts as outlined in KAPE target files.
.\RetrievIR.ps1 -tags sans_triage
After evidence collection is complete, assuming default options were used – parse the evidence!
.\ParseIR.ps1
Capture artifacts relating to browsers and anti-virus tools
.\RetrievIR.ps1 -categories antivirus,browsers
Identify available categories or tags for use with -categories and -tags.
.\RetrievIR.ps1 (-tagscan | -categoryscan)
Attacker's Mindset 