DFIR Command Line Analysis - Moving from Bash to Powershell

Windows has become a more compelling platform for CLI enthusiasts with Powershell and the release of Windows 10. Add to that the recent controversial Apple hardware choices (no physical escape key, USB-C all the things!) and you have a number of powerusers and infosec professionals moving more work to Windows. Obviously we supplement with virtual machines regardless, but your base OS is generally where you want to do your heavy lifting. 

One of the main use cases that has kept me on a *Nix platform is my time investment in learning the Bash terminal, sed/awk/grep/cut/wc/etc. This post is my first attempt to replicate common analysis workflows in Powershell. Please comment or reach out to me @securitymustard if you have better ways or anything to add.

For this post I'll create a CSV timeline from the evidence on my "Baud.. James Baud" exercise using Plaso. First I mounted the roger_image.ad1 image from the "Baud James Baud" forensics CTF using FTK imager. Make sure to select "File System / Read Only" when mounting to ensure any tools you want to run against the mounted image will work.

log2timeline.exe C:\Users\Username\Desktop\baud.plaso D:\   
(D is the drive letter FTK assigned the mounted image).

A logical next step is to run "pinfo.exe" from the Plaso toolkit to show what events were processed.

pinfo.exe C:\Users\Username\Desktop\baud.plaso

Finally to complete a CSV timeline we run "psort.exe" to create a CSV from the Plaso database in Eastern Standard Time.

psort.exe -o l2tcsv -z EST -w C:\Users\Username\Desktop\baud.csv C:\Users\Username\Desktop\baud.plaso

The end result is a CSV file containing ~320,000 rows. On a Linux or OSX box in Bash we'd easily verify exactly how many using "wc -l baud.csv". How do we do this in Powershell?

gc .\baud.csv | measure-object -Line

Returns the line count of 323365 minus 1 line for headers and 323364 rows.

In Bash we'd likely size up the data by viewing the first 10 rows with the head command. "head -n10 .\baud.csv". The equivalent command in Powershell would be:

gc .\baud.csv | select -first 10

Looking at the first line, we see that the 5th column is the "Source". In Bash we'd likely run "cut -d',' -f5 baud.csv | sort | uniq -c | sort -n" to see the distribution of the timeline. 

gc .\baud.csv | %{$_.split(',')[4]} | group-object -noelement

Our Powershell equivalent above shows the number of records for each source type. The next logical move is to start using grep to filter this list based upon what questions we're trying to answer. Unfortunately we don't have grep - but we do have "Select-String" which in this case will do just fine.
As far as questions we're trying to answer - lets focus in on the malware that was run in the "Baud, James Baud" scenario (file information, execution, surrounding events). There was a file named "conneryhaters.hta" so "conneryhaters" is a good first search.

Select-String -pattern "conneryhaters" .\baud.csv

This quickly shows us the time that the user downloaded the file from "http://128.199.170.85/conneryhaters.hta" and the file was written to "Users\RogerMoore\AppData\Local\Microsoft\Windows\INetCache\Low\IE\DT34KEU7\conneryhaters[1].hta". Looks like the user chose to "Run" rather than simply save.

Excellent Resources on moving from Bash to Powershell:

• http://cecs.wright.edu/~pmateti/Courses/233/Labs/Scripting/bashVsPowerShellTable.html
• http://five.agency/powershell-tips-for-bash-users/
• http://windowsitpro.com/powershell/powershell-basics-sorting-measuring-objects

Forensic CTF: Baud.. James Baud ANSWERS

Here are the answers to the Forensic CTF. The main idea behind this scenario was to analyze a memory image that doesn't seem to work with any Volatility profile (it's 32 bit Windows 10 - who uses that?). Most of the answers can be retrieved through string searching, coreutils and pivoting off of each piece of data you get. Please send me feedback on Twitter @securitymustard. Thanks and Merry Christmas!

1. Whose computer is this evidence from? Roger Moore

2. Who is the other actor? Sean Connery

3. What email service are they using (include TLD)?  protonmail.com

4. What makes this email service difficult to analyze? encryption

5. What is the email address of the user? notroger@protonmail.com

6. What email address does he correspond with? notconnery@protonmail.com

7. What type of file is the payload? html application .hta

8. What is the first Google search the user made about the other individual? sean connery is a fake

9. What is the second Google search the user made about the other individual? sean connery scandal

10. What is the third Google search the user made about the other individual? compromising photo sean connery

11. What IP address was used by the attacker for C2? 128.199.170.85

12. What is the exact name of the payload? conneryhaters[1].hta or conneryhaters.hta

13. What is the first time the user logged into their email (MM/DD/YYYY H:MM:SS AM/PM)? 10/29/2016 10:05:47 PM

14. What is the mail server name used to send these messages?mail.protonmail.ch

15. What is the UTC time of the initial email (as stated in the email header)? October 30, 2016 2:11 AM

16. What is the email subject of the first threatening email sent by the user? 24 HOURS UNTIL THE WORLD KNOWS THE TRUTH

17. What insult does the other individual use in his response? rather cheeky fearlash bashtard