Saturday, June 10, 2017

CyberChef: Example DFIR Use Cases

GCHQ released CyberChef late last year, and it is an excellent tool for data manipulation and analysis. My perception was that this was primarily observed by the hacker and CTF community as a new must-have tool for solving puzzles, but I didn't see many DFIR analysts commenting that this is now an important part of their toolbox.

The tool intends to be a Swiss army knife for encryption, compression, encoding, and string manipulation functionality for hackers and tinkerers. The majority of the time I use this tool it's out of convenience to convert Hex, Base64, or decompress data. Outside of standard conversions this tool has provided me value due to the large number of options, flexible pipeline which promotes experimental discovery, and simple interface for reviewing output.

This tool is free, lightweight, and can be easily hosted locally and shared by all analysts working a case. It's been a huge benefit to my team at work as we've analyzed cases with obfuscated PowerShell commands and encryption in use.

Link to demo and download:

I'll lead with a fairly real world example of where this is useful. The following screenshot is from a Veil Evasion PowerShell Meterpreter payload I just created. This is a reverse shell that utilizes an encoded and compressed PowerShell command. If all you had was the payload, the way to derive useful information from it may not be clear as you need to decode and decompress the payload inline. CyberChef makes decoding this command from Base64 and decompressing simple. It's easy to see the IP (, User agent (Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)), and port (1337) to be used by the payload using this tool.
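The same Base64-then-decompress triage can be scripted when there are many samples. This is an added example, not code from the original post or from CyberChef; the function names are hypothetical, the sample blob is constructed inline from inert text, and it assumes the payload is raw deflate, gzip or zlib data under the Base64 layer.

```python
import base64
import re
import zlib

# Constructed, inert stand-in for a script body (assignments only, no network code).
# 192.0.2.10 is a documentation address; port and User-Agent are the values quoted above.
SAMPLE_SCRIPT = (
    '$ip = "192.0.2.10"\n'
    '$port = 1337\n'
    '$ua = "Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)"\n'
)

def build_sample_blob(script: str) -> str:
    """Raw-deflate then Base64, the layering a .NET DeflateStream wrapper produces."""
    co = zlib.compressobj(wbits=-15)
    return base64.b64encode(co.compress(script.encode()) + co.flush()).decode("ascii")

def decode_blob(b64_text: str) -> str:
    """From Base64, then inflate: try raw deflate (-15), gzip (31), zlib (15)."""
    data = base64.b64decode("".join(b64_text.split()), validate=True)
    for wbits in (-15, 31, 15):
        try:
            out = zlib.decompress(data, wbits)
        except zlib.error:
            continue
        # UTF-16LE text shows NUL bytes between ASCII characters
        return out.decode("utf-16-le" if b"\x00" in out[:8] else "utf-8", "replace")
    raise ValueError("Base64 decoded, but payload is not deflate/gzip/zlib data")

def extract_indicators(text: str) -> dict:
    """Heuristic triage regexes; review the decoded text itself as well."""
    return {
        "ipv4": sorted(set(re.findall(r"\b(?:\d{1,3}\.){3}\d{1,3}\b", text))),
        "ports": sorted(set(re.findall(r"port\W+(\d{1,5})\b", text, re.I))),
        "user_agents": sorted(set(re.findall(r"Mozilla/[^\"'\r\n]+", text))),
    }

if __name__ == "__main__":
    blob = build_sample_blob(SAMPLE_SCRIPT)
    print(blob)
    print(extract_indicators(decode_blob(blob)))
```

In CyberChef the equivalent recipe is "From Base64" followed by "Raw Inflate" (or "Gunzip" / "Zlib Inflate", depending on the wrapper).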

Timezone and format conversion: It's common to work cases as a team including evidence in multiple timezones. I also believe it's common to have mistakes made with incorrect mental math converting timezones. This feature is convenient for consistent conversion of format and timezone.

Exif Extract: ExifTool is probably the most common standalone tool used by DFIR analysts to extract metadata from images but that is a standalone command line tool. If you're only concerned with Exif from a small number of files this may be a convenient option. The "Other->Extract Exif" option will pull Exif data from JPEG, TIFF and audio files.

Encryption/Decryption: There are plenty of simple encrypted artifacts that we've come to expect our tools to automatically decrypt for us. It's fairly common to encounter encrypted commands, network artifacts and files during intrusion cases so this can be a very vital feature. See below the simplest example - ROT13 on a UserAssist key.

IP format conversion: Occasionally I see an analyst get tripped up by IPs in decimal format (to be fair - that was me at one point too). Have no fear.

IP subnet tasks: Occasionally I find tools that don't take a subnet and require a list of IP addresses. This feature easily prints a list of IPs from a subnet for masks 32 (lol) down to 16. Obviously this is easy to do otherwise for a /24 (bashy code: "for i in {1..255}; do echo 10.0.0.$i;done") but gets trickier to script with oddball masks. Additionally this "Networking" section works as a subnet calculator, can group a list of IPs into subnets, and can handle URL encoding. Very multipurpose!

Code Beautification: This is a pretty common DFIR struggle, coming across Javascript or other code that is in one continuous block and trying to make sense of it. Many times a debugger or console is the correct answer, but sometimes just "beautifying" the code helps you find answers.

Utils tab: The "Utils" tab is useful for string manipulation. In the below example we're counting how many times the character "4" appears in a string. There are also options to diff, toUpper, toLower, reverse, sort, unique, remove whitespace, find/replace and many more! This is all great functionality that generally can be done from a CLI but sometimes this is the most convenient means.

Extract dates: This can be useful in certain types of evidence that aren't in a standard log format. For an example I used a snippet from a setupapi.log (plug and play log, generally used to show the first and last times a specific USB was connected). Chef also has a variety of other prebuilt regex extractors that could speed up your analysis including IPs, Email, URLs, File Paths, and more. You can also create your own regex based extractor so the sky is the limit.

Check Entropy: This could be useful if you're trying to make a point about a simple password, identify encrypted material, and potentially other uses I haven't come across. You might pick up that I don't use this often, but I think it's pretty cool that it's in the tool.

TL;DR - If you haven't yet, try CyberChef; the list of capabilities will likely impress you.