SANS Digital Forensics and Incident Response Blog

Mass Triage: Retrieve Interesting Files Tool (RIFT) Part 1

Our story so far...


Frank, a security analyst, is reviewing network traffic and notes that the machine of the VP of Mergers and Acquisitions has transmitted a 2 GB encrypted RAR file to http://doggydaycareforvps.com. Frank notifies management, and management has Bob, the VP, contact Frank regarding the file. Frank learns that Bob neither uploaded the file nor visited the site it was sent to. Frank asks Bob to drop his laptop off at the company's satellite site near the hotel he is staying at so that some files can be pulled from it.


Bob drops the laptop off with the desktop support staff at the satellite site, where Tony picks it up and calls Frank to ask what to do with the machine. Frank asks him to run the RIFT tool on it and upload the resulting files to the SFTP server once it has finished.


In the course of an incident, responders will have to retrieve files from a machine in a forensically sound manner. RIFT does this with The Sleuth Kit: it lists the file system with fls, matches the listing against a regex list of file names or directories, and for each match uses icat to copy the file out by its metadata address. Because icat reads the file through the file system structures rather than the normal Windows file API, files that are locked on a live system, such as the registry hives, come out just the same. The copies go to a drive or share other than the C drive so that nothing is written to the subject volume.


The customizable regex list, a file called getfileslist.txt, holds one regular expression per line for the file names or directories to pull from the machine RIFT is run on. Below is a subset of the file that ships with RIFT:


#Get the system hive
system32\/config\/SYSTEM$
#Get the software hive
system32\/config\/SOFTWARE$
#Get the contents of the Prefetch directory
\/Windows\/prefetch\/

RIFT treats any line starting with a # symbol as a comment and ignores it. The lines containing SYSTEM and SOFTWARE are examples of getting a single file: the trailing $ anchors the match to the end of the path, so neighbours such as the hive transaction logs are not matched. The last example ends in the prefetch directory's trailing slash, so it matches every path under that directory and retrieves its entire contents. The directory structure is recreated on the destination as the files and directories are copied over. Lastly, the fls output itself is saved to the destination drive/share.
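To make the matching and copying step concrete, here is an added example of the same mechanism in Python. It is my illustration, not RIFT's own source: it reads a list in the getfileslist.txt format, applies it to fls -r -p output, and builds the icat command and destination path for each hit. The fls listing is constructed, not captured from a real machine; matching is assumed to be case-insensitive (the shipped list says "prefetch" while the directory is "Prefetch"); a leading "/" is prepended to each fls path so that the escaped-slash patterns in the list line up; and opening the live volume as \\.\C: is an assumption about how The Sleuth Kit is pointed at a running Windows host.

```python
import os
import re
import subprocess
from collections import namedtuple

# Constructed sample of `fls -r -p` output for an NTFS volume (not captured from
# any real machine). Format: "name-type/meta-type [*] meta-addr:<TAB>path";
# a '*' marks a deleted entry, which icat can still try to recover.
SAMPLE_FLS = (
    "d/d 43-144-1:\tWindows\n"
    "d/d 1120-144-1:\tWindows/System32\n"
    "d/d 1125-144-1:\tWindows/System32/config\n"
    "r/r 30856-128-3:\tWindows/System32/config/SYSTEM\n"
    "r/r 30857-128-3:\tWindows/System32/config/SYSTEM.LOG1\n"
    "r/r 30860-128-3:\tWindows/System32/config/SOFTWARE\n"
    "d/d 2200-144-2:\tWindows/Prefetch\n"
    "r/r 2201-128-1:\tWindows/Prefetch/CMD.EXE-4A81B364.pf\n"
    "r/r * 2202-128-1:\tWindows/Prefetch/RAR.EXE-1C2D3E4F.pf\n"
    "r/r 5001-128-1:\tUsers/bob/Documents/notes.txt\n"
)

# The three entries quoted from getfileslist.txt above (raw string keeps the \/).
SAMPLE_LIST = r"""#Get the system hive
system32\/config\/SYSTEM$
#Get the software hive
system32\/config\/SOFTWARE$
#Get the contents of the Prefetch directory
\/Windows\/prefetch\/
"""

FlsEntry = namedtuple("FlsEntry", "meta_type meta_addr deleted path")
FLS_RE = re.compile(
    r"^(\S)/(\S)\s+(\*\s+)?(\d+(?:-\d+-\d+)?)(?:\(realloc\))?:\s+(.*)$"
)


def load_patterns(text):
    """Parse a getfileslist.txt: blank lines and '#' comments are ignored, every
    other line is a regex. IGNORECASE is an assumption: NTFS names are
    case-insensitive and the shipped list writes 'prefetch' for 'Prefetch'."""
    patterns = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            patterns.append(re.compile(line, re.IGNORECASE))
    return patterns


def parse_fls(text):
    """Turn `fls -r -p` output into FlsEntry records; lines that do not parse are skipped."""
    entries = []
    for line in text.splitlines():
        m = FLS_RE.match(line)
        if m:
            entries.append(FlsEntry(m.group(2), m.group(4), bool(m.group(3)), m.group(5)))
    return entries


def select_targets(entries, patterns):
    """Regular files whose path matches any list pattern. A leading '/' is added
    (fls -p paths have none) so a pattern that ends in the directory's slash
    matches every file below it, which is how the Prefetch line pulls the whole directory."""
    return [e for e in entries
            if e.meta_type == "r" and any(p.search("/" + e.path) for p in patterns)]


def build_icat_jobs(hits, image, dest_root, offset=None):
    """One (icat argv, destination path) pair per hit. The destination mirrors the
    source tree under dest_root. `image` is whatever The Sleuth Kit should open:
    the live volume on a running host, or a raw image with its partition offset."""
    jobs = []
    for e in hits:
        argv = ["icat"] + (["-o", str(offset)] if offset is not None else []) + [image, e.meta_addr]
        jobs.append((argv, os.path.join(dest_root, *e.path.split("/"))))
    return jobs


def execute_jobs(jobs, fls_text, dest_root, runner=subprocess.run):
    """Save the fls listing beside the copies, recreate the directory tree, and
    stream each file out through icat. `runner` is injectable for dry runs."""
    os.makedirs(dest_root, exist_ok=True)
    with open(os.path.join(dest_root, "fls_output.txt"), "w") as fh:
        fh.write(fls_text)
    for argv, dest in jobs:
        os.makedirs(os.path.dirname(dest), exist_ok=True)
        with open(dest, "wb") as out:
            runner(argv, stdout=out, check=True)


if __name__ == "__main__":
    # On a live host the listing would come from: fls -r -p \\.\C:  (needs admin)
    hits = select_targets(parse_fls(SAMPLE_FLS), load_patterns(SAMPLE_LIST))
    for argv, dest in build_icat_jobs(hits, r"\\.\C:", r"E:\triage"):
        print(" ".join(argv), "->", dest)
```

Run as-is it only prints the icat commands it would issue for the constructed listing; pointing `execute_jobs` at a real fls listing and a destination on another drive does the copying. Note that the SYSTEM.LOG1 entry is not selected because of the $ anchor, while the deleted prefetch entry is, since fls still reports its metadata address.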


To run it, all the user needs to do is launch rift.exe with the savedrive argument, as shown in the figure:


[Figure: rift_in_action, rift.exe run with the savedrive argument]


RIFT can be downloaded at: https://github.com/chaoticmachinery/fate/tree/master/frac_rift


In Part 2, I'll discuss using FRAC to pull files network wide for mass triage.


Keven Murphy works on the RSA Incident Response team, handling incidents ranging from APT intrusions to commodity malware.


2 Comments

Posted October 26, 2016 at 6:10 PM

Preston Coleman

I see a lot of value in this! Since it uses TSK, does it now, or can it be modified to, run on either an image file or live?

Posted October 27, 2016 at 1:23 PM

Keven Murphy

RIFT is open source. You're free to modify it as needed.
To answer your question in regards to live: RIFT was meant to run on a live system.
In regards to image file: I use FATE (another tool I've developed) for dead forensics. I'll be talking about that later this year. :)
Regards,
K Murphy