SANS Digital Forensics and Incident Response Blog

Webcast Summary: New SANS Cheat Sheet: A Guide to Eric Zimmerman's Command Line Tools

 

Thank you for attending the SANS New Cheat Sheet: "A Guide to Eric Zimmerman's Command Line Tools" webcast.

For webcast slides and recording visit: http://www.sans.org/u/raj

Capture

To download the Cheat Sheet visit: http://digital-forensics.sans.org/u/rao

To download Eric's Command line tools visit: https://ericzimmerman.github.io/

 

In this webinar, Eric covered several tools that can be used to show evidence of execution as well as document creation and opening. He also provided an overview of bstrings and Timeline Explorer and provided demonstrations of how those tools can be used to add value to investigations. Here is a webcast summary:

Timeline Explorer

Timeline Explorer allowed us to load one or more CSV or Excel files into a common interface and apply advanced sorting, filtering, and conditional formatting rules to our data.

Several useful shortcuts include:

CTRL-t: Tag or untag selected rows

CTRL-d: Bring up the Details window for super timelines

CTRL-C: Copy the selected cells (with headers) to the clipboard. Hold SHIFT to exclude the column header

Graphic 1

Evidence of execution programs

AppCompatCacheParser, AmcacheParser, and PECmd parse forensic artifacts related to evidence of execution.

AppCompatCacheParser extracts shimcache data from each ControlSet found in the SYSTEM Registry hive and exports them to CSV format.

Graphic 2

AmcacheParser extracts file and program information from the Amcache.hve hive to CSV format.

graphic 3

PECmd processes Windows prefetch files and extracts information such as the total number of times a program was run and up to the last 8 times a program was executed. Prefetch files also track the files and directories a program referenced when it was run.

Graphic 4

Lnk file internals

We started exploring lnk files by looking at the header and unpacking what each piece of the header meant and how to process it.

graphic 5

From here we looked at each of the structures present based on the data flags section of the header, including the Target Id lists. The raw target Id lists looked like this:

graphic 6

 

And once we processed and decoded each one, we end up with this:

grpahic 7

Document creation and opening programs

Now that we had a decent understanding of the internals of lnk files, we took a look at several tools to extract data from these valuable forensic artifacts.

LECmd and JLECmd process lnk files and jump lists and displays information related to the document opened such as the target documents created, modified, and last accessed time stamps, the volume serial number and type of drive, target Id lists, and more.

LECmd fully supports decoding all available structures including embedded shell items. It also added additional functionality like calculating the absolute path of the target file based on the shell items in the target Id list. Finally, LECmd resolved MAC addresses to the vendor based on an internal lookup table included with LECmd.

graphic 8

 

JLECmd provides the same data extraction capabilities as LECmd, but in the context of the lnk files being wrapping in another data structure.

In the case of custom destinations jump lists, this wrapping structure was merely a file that contained one or more concatenated lnk files. Automatic destinations jump lists used an OLE CF container to track embedded lnk files.

JLECmd allows for dumping of all embedded lnk files which in turn allows for those lnk files to be analyzed with any lnk parsing tool.

graphic 9

Other tools

Finally, we took a look at bstrings and saw many examples of how to extract email addresses, URLs, UNC paths, and more from a given file using built in regular expressions. We also discussed how to extract strings from any code page and how to limit the amount of data returned by bstrings.

graphic 10

I hope you enjoyed the webinar and get much use out of the tools in your investigations.

Thank you again for attending! Feel free to reach out via twitter for feedback or questions

About the author:

INV_EricZimmerman2017_1200x1800_cEric serves as a Senior Director at Kroll in the company's cybersecurity and investigations practice. At SANS, he teaches the FOR508: Advanced Digital Forensics, Incident Response and Threat Hunting course, and is a two-time winner of the SANS DFIR NetWars Tournament (2014, 2015). Eric is also the award-winning author of X-Ways Forensics Practitioner's Guide, and has created many world-class, open-source forensic tools free to the DFIR Community.