dfirtriage

Digital forensic acquisition tool for Windows-based incident response.

How to Use

To run, drop dfirtriage.exe on the target (or on a connected USB drive) and execute it with admin rights; pass -h for help.


DFIRTriage v6.0 User's Manual

Description

This document outlines the functionality and proper use of the DFIRtriage tool. Also included is detailed information to help with analysis of the output. The goal is to equip the Incident Responder with the tools needed to gather and analyze data quickly.

About

DFIRtriage is an incident response tool designed to provide the Incident Responder with rapid host data. Upon execution, select host data and information will be gathered and placed into the execution directory. DFIRtriage may be run from a USB drive or executed remotely on the target host.

What’s new in v6.0?

- Output restructure
- Logging total run time
- Bug fixes
- Added arguments for individual system artifacts
- Improved executable file hashing capabilities
- Running process details
- Bitlocker key dump
- Memory acquisition no longer default action
- User prompt removed from end of execution
- Windows firewall
- Improved user account report
- dtfind - admin requirement removed
- 3rd party tools update
- External IP
- PowerShell
- System Information
- Event Logs
  - Application event log
  - Security event log
  - Powershell event log
  - Windows Firewall event log
    - Local Modifications (Levels 0, 2, 4) (2004, 2005, 2006, 2009, 2033)

Dependencies

The tool repository contains the full toolset required for proper execution, packed into a single file named core.ir. This .ir file is the only required dependency of DFIRtriage when running in Python and should reside in a directory named data (i.e. ./data/core.ir). The compiled version of DFIRtriage has the full toolset embedded and does not require the addition of the ./data/core.ir file.

Operation

DFIRtriage acquires data from the host on which it is executed. Behind-the-keyboard executions are best conducted from a USB device. For acquisitions of remote hosts, the DFIRtriage files will need to be copied to the target, then executed via a remote shell (i.e. SSH or PSEXEC).

PSEXEC Usage

WARNING: Do not use PSEXEC arguments to pass credentials to a remote system for authentication. Doing so will send your username and password across the network in the clear.

The following steps should be taken for proper usage of PSEXEC.

  1. Map a network drive and authenticate with an account that has local administrative privileges on the target host. You can use this mapped connection to copy DFIRtriage to the target.

  2. We can now shovel a remote shell to the target host using PSEXEC.

    psexec \\target_host cmd

  3. You now have a remote shell on the target. All commands executed at this point are done so on the target host.

Usage

  1. Once the remote shell has been established on the target you can change directory to the location of the extracted DFIRtriage.exe file and execute.

  2. Memory acquisition does not occur by default. To dump memory, pass the following argument: -m, --memory

  3. DFIRtriage must be executed with Administrative privileges.

OUTPUT ANALYSIS

Once complete, press enter to clean up the output directory. If running the executable, the only data remaining will be a zipped archive of the output as well as DFIRtriage.exe. If running the Python code directly, only the DFIRtriage Python script and a zipped archive of the output are left.

OUTPUT FOLDER

The output folder name includes the target hostname and a date/time code indicating when DFIRtriage was executed. The date/time code format is YYYYMMDDHHMMSS.

ARTIFACTS LIST

The table below provides a general listing of the type of information and artifacts gathered by DFIRtriage v6.0.

| Artifacts | Description |
| --- | --- |
| Memory | Raw image acquisition |
| System information | Build, version, installed patches, bitlocker & shadow copy info, etc. |
| Current date and time | Current system date and time |
| Prefetch | Collects and parses prefetch data |
| PowerShell command history | Gathers PowerShell command history for all users including the SYSTEM account |
| User activity | HTML report of recent user activity |
| File hash | Calculates an MD5, SHA-1, or SHA-256 hash of all EXE and DLL files on the OS partition |
| Network information | Network configuration, routing tables, connections, etc. |
| DNS cache entries | List of complete DNS cache contents |
| ARP table information | List of complete ARP cache contents |
| NetBIOS information | Active NetBIOS sessions, transferred files, etc. |
| Windows Update Log | Gathers update information and builds Windows update log |
| Windows Event Logs | Gathers and parses multiple Windows Event logs |
| Process information | Processes, PID, image path, and full command line |
| List of remotely opened files | Files on target system opened by remote hosts |
| List of hidden directories | List of all hidden directories on the system partition |
| Alternate Data Streams | List of files containing alternate data streams |
| Complete file listing | Full list of all files on the system partition |
| List of scheduled tasks | List of all configured scheduled tasks |
| Hash of all collected triage data | SHA-256 hash of all data collected by DFIRtriage |
| Local & domain user account information | Usernames, profile paths, account SID, etc. |
| Autorun information | All autorun locations and content |
| Logged on users | All users currently logged on to target system |
| Registry hives | Pulls down all registry hives |
| USB artifacts | Collects data needed to parse USB usage info |
| Browser History | Aggregated report of browser history |
| SRUM database | System usage information collected by SRUM (System Usage Resource Monitor) |
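The artifacts table lists a SHA-256 hash of every collected item (written to triage_acquisition_hashlist.csv), and the OUTPUT FOLDER section gives the folder naming scheme of hostname plus a YYYYMMDDHHMMSS code. The script below is an added example, not part of DFIRtriage: it builds a constructed miniature output folder, then recomputes the hashes and reports matches, mismatches, listed files missing from disk, and files on disk that the list does not cover, which is the integrity check an analyst wants before trusting a collection. The hash list column headers (file, sha256) and the separator between hostname and timestamp are assumptions; the manual does not document either.

```python
import csv
import hashlib
import re
from datetime import datetime
from pathlib import Path

# Assumed separator between hostname and timestamp: the manual only says the
# folder name contains both, so '-' or '_' is accepted here.
FOLDER_RE = re.compile(r"^(?P<host>.+)[-_](?P<ts>\d{14})$")
HASHLIST = "triage_acquisition_hashlist.csv"


def parse_output_folder(name):
    """Split '<hostname><sep><YYYYMMDDHHMMSS>' into (hostname, datetime)."""
    m = FOLDER_RE.match(name)
    if not m:
        raise ValueError(f"not a DFIRtriage output folder name: {name}")
    return m.group("host"), datetime.strptime(m.group("ts"), "%Y%m%d%H%M%S")


def sha256_of(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large artifacts (memory images) fit."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_hashlist(root):
    """Recompute every listed hash; classify as ok / mismatch / missing,
    and also surface files present on disk that the hash list never covered."""
    root = Path(root)
    listed = {}
    # Assumed columns: "file" (path relative to the output root) and "sha256".
    with open(root / HASHLIST, newline="") as fh:
        for row in csv.DictReader(fh):
            listed[row["file"].replace("\\", "/")] = row["sha256"].lower()
    ok, bad, missing = [], [], []
    for rel, expected in listed.items():
        p = root / rel
        if not p.is_file():
            missing.append(rel)
        elif sha256_of(p) == expected:
            ok.append(rel)
        else:
            bad.append(rel)
    on_disk = {str(p.relative_to(root)).replace("\\", "/")
               for p in root.rglob("*") if p.is_file()}
    unlisted = sorted(on_disk - set(listed) - {HASHLIST})
    return {"ok": ok, "mismatch": bad, "missing": missing, "unlisted": unlisted}


def build_demo_collection(base):
    """Constructed miniature output folder so the check runs offline.
    One file is tampered with after hashing and one listed file is never
    written, so both failure branches are exercised."""
    root = Path(base) / "WORKSTATION01-20240105143000"
    (root / "LiveResponseData" / "system").mkdir(parents=True)
    files = {
        "LiveResponseData/system/system_info.txt": b"OS Name: Windows 10\n",
        "LiveResponseData/system/Windows_codepage.txt": b"437\n",
    }
    rows = []
    for rel, data in files.items():
        (root / rel).write_bytes(data)
        rows.append((rel, sha256_of(root / rel)))
    (root / "LiveResponseData/system/Windows_codepage.txt").write_bytes(b"1252\n")
    rows.append(("LiveResponseData/system/Windows_Version.txt", "0" * 64))
    with open(root / HASHLIST, "w", newline="") as fh:
        w = csv.writer(fh)
        w.writerow(["file", "sha256"])
        w.writerows(rows)
    return root


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        root = build_demo_collection(tmp)
        host, when = parse_output_folder(root.name)
        print(f"host={host} acquired={when:%Y-%m-%d %H:%M:%S}")
        for kind, paths in verify_hashlist(root).items():
            print(f"{kind}: {paths}")
```

Run it against a real collection by pointing verify_hashlist at the unzipped output root; any entry under mismatch or missing means the collection was altered after acquisition and should not be relied on until explained.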

OUTPUT REFERENCE

This section of the manual is provided to offer guidance during analysis of the DFIRtriage output.  The below information is only provided as a guideline as it would not be practical to detail every possible use of this data. The bulk of analysis will depend on context and the analysis skills of the Incident Responder.

| Output Directory Root | Analysis Notes |
| --- | --- |
| ForensicImages\ | See information below for content details. |
| LiveResponseData.zip | Compressed triage collection data |
| triage_acquisition_hashlist.csv | This file contains the calculated hash value for all data collected by DFIRtriage. This information can be used to verify integrity of the output data. |

| ForensicImages \ hdd | Analysis Notes |
| --- | --- |
| .E01, .dd, etc | The triage script does not acquire a file system image. This folder is here for organizational purposes should one be acquired. |

| ForensicImages \ memory | Analysis Notes |
| --- | --- |
| memdump.raw | memdump.raw is a full raw image of volatile memory which should be acquired before a shutdown or reboot of the target machine. Multiple memory analysis tools should be used for cross-validation of findings. |

| ForensicImages \ system-files | Analysis Notes |
| --- | --- |
| hiberfil.sys | Hiberfil.sys is a compressed RAM image created during a system hibernation event. |
| pagefile.sys | Pagefile.sys stores data that would normally be written to RAM when no RAM is available. |
| srudb.dat | Srudb.dat contains system usage information collected by SRUM (System Usage Resource Monitor). |

| LiveResponseData \ filesystem | Analysis Notes |
| --- | --- |
| Alternate_data_streams.txt | Contains all files on the target system that contain alternate data stream content. Alternate data streams can be used to easily hide information, or even entire files, while remaining undetected by the user. |
| full_file_list.csv.zip | This report is very helpful in determining if a known folder or file is present on the target system. |
| List_hidden_directories.txt | Log of all directories that have been hidden from the user. This log should be reviewed for suspicious hidden directories in unusual locations (e.g. in user temp folders). |
| psfile.txt | Review this information to determine if there are any files opened remotely on the target host. |
| shadow_files.txt | Provides details on volume shadow points available on the target system. |

| LiveResponseData \ hashes | Analysis Notes |
| --- | --- |
| hash-report.csv | Provides an MD5, SHA-1, or SHA-256 hash value of all accessible EXE and DLL files on the target system if an argument is passed (e.g. -sha256). Data can be reviewed for suspicious filenames, and hash values can be used to search IOC databases. |

| LiveResponseData \ logs | Analysis Notes |
| --- | --- |
| BrowsingHistoryView.csv | Offers a quick review of browser activity. Will contain information from IE, Chrome, Firefox, and Safari if available. The -bho argument can be used when executing to force a browser history “only” acquisition. |
| eventlogs_key_events.csv | Contains a total of 96 select events from the application, system, security, and PowerShell event logs; this log file is generated by default. |
| eventlogs-all.csv | Contains parsed data from all events in the Application, System, Security, and Powershell event logs. Created by the “-elpa, --evtlogparseall” command line argument. |
| firewall_events.csv | This log contains all Windows Firewall modification events (Levels 0, 2, 4). |
| rdp_logon_logoff_events.csv | Contains all Remote Desktop logon and logoff events from the Windows Terminal Services Local Session Manager event logs. |
| vhd_mount_log.csv | This log will show details on image files (e.g. ISO files) mounted on the system. |
| EVTX files | If the “-elf, --eventlogfiles” argument is used, full copies of the Application, System, Security, Powershell, & Firewall event logs will be acquired. |
| powershell_command_history_<user>.txt | Contains Powershell command history for all users if available. |

| LiveResponseData \ Network | Analysis Notes |
| --- | --- |
| ARP.txt | This file contains the ARP cache from the target system. While the ARP protocol is not routable to the internet, it can help to identify additional hosts on a network that may have been compromised or that may have been used to launch the internal attack. |
| cports.html | This is a very detailed report showing TCP/UDP connections on the target host. Additionally, you have information on the process that created the connection (name, PID, etc.), the Window Title (if it exists), and more. |
| DNS_cache.txt | This is a log file of the target system DNS cache. Malware generally connects to the network in order to do things like gather additional exploits, join a command & control infrastructure, wait for more commands, etc. It is common for malware to be coded with domain names which must be queried and resolved before it can connect. This information can be found in the DNS cache. |
| hosts.txt | This is a copy of the contents of the system HOSTS file. |
| Internet_settings.txt | This is a log of the local network adapter configuration on the target host. This log should be reviewed to ensure the settings are correct and have not been altered (e.g. suspicious domains added to the DNS Suffix Search List). |
| NetBIOS_sessions.txt | This file will contain information on any current NetBIOS sessions to the target host. |
| NetBIOS_transferred_files.txt | This log will show if any files were transferred over the network from the target host, using the “net file” command. |
| Open_network_connections.txt | This file also contains TCP/UDP connection information. The process PID and connection state information is also available. While it may seem redundant, it is essential to identify current and recent network activity. Some of these tools may capture information that the others miss. All findings should be validated. |
| routing_table.txt | This file contains the routing table of the target host. This information should be reviewed to ensure it has not been modified with additional routes or a modified gateway. Comparing this information to the routing table from a known good machine may be helpful. |
| Tcpvcon.txt | Additional information on network connections from the target host. Contains protocol type (TCP/UDP), process name, PID, state, local address, and remote address. |

| LiveResponseData \ Network \ WLAN | Analysis Notes |
| --- | --- |
| wlan-report-latest.html | This is a wireless network report showing all Wi-Fi events from the last three days, grouped by Wi-Fi connection session. It also shows the results of several network-related command line scripts and a list of all the network adapters on the endpoint. |

| LiveResponseData \ persistence | Analysis Notes |
| --- | --- |
| autorunsc.txt | This information will show all the programs that Windows will automatically execute when starting up. This is a very common method used by malware to maintain persistence on a system. This data can be reviewed for suspicious file names and paths. |
| Loaded_dlls.txt | This file contains a process listing which includes all loaded DLLs for each running process. Persistence can be gained by injecting a malicious DLL into a normal Windows process. This data should be examined for suspicious DLLs. It is very helpful to have a list of loaded DLLs from a known good system to use for comparison. |
| scheduled_tasks.txt | This file contains all scheduled tasks found on the target system. Inserting a scheduled task into the target host is a common method used by malware to maintain persistence on the victim machine. This information should be reviewed for suspicious tasks. |
| services_aw_processes.txt | This file provides a list of services running on the target system, with the associated process name and PID. Rogue services are another persistence mechanism that can be utilized by malware. |

| LiveResponseData \ prefetch | Analysis Notes |
| --- | --- |
| parsed-prefetch.txt | This file contains parsed data from the prefetch files collected from the target system: file name, modified, accessed, and created times, number of times executed, last run time, and all loaded DLLs and other dependent files used during execution. |

| LiveResponseData \ prefetch \ raw | Analysis Notes |
| --- | --- |
| .pf | The “raw” subdirectory contains the raw prefetch files found on the target system. This data is collected and then parsed later in the DFIRtriage process. The filenames of the prefetch files will give you an indication of which programs were recently executed. Especially useful if you already have a binary name from an external source. |

| LiveResponseData \ processes | Analysis Notes |
| --- | --- |
| running_processes.csv | This report provides details on all processes currently running in memory. The PID and PPID information helps to determine the order in which the processes occur in memory as well as the spawning or parent process. In addition, it provides the full command line used to execute the process. |

| LiveResponseData \ registry | Analysis Notes |
| --- | --- |
| *-parsed.txt | Regripper output for each of the registry hives. |

| LiveResponseData \ registry \ raw | Analysis Notes |
| --- | --- |
| NTUSER & USRCLASS | A copy of the user registry hives NTUSER.dat and USRCLASS.dat is acquired for all user profiles found on the target system. These user registry files contain information on general user behavior such as recently viewed documents, typed URLs, mount points, mapped drives, local search terms, uninstalled software, and more. These files can be parsed with Regripper for easier analysis. |
| SAM | A copy of the Security Accounts Manager registry hive (SAM) from the target system. The SAM registry file contains local user and group information such as Security Identifiers (SID) for local accounts and groups, and account and group creation and deletion information. This file can be parsed with Regripper for easier analysis. |
| SECURITY | A copy of the Security registry hive (SECURITY) from the target system. The SECURITY registry hive contains account and system security information such as local security policies, user rights assignments, password policies, and more. The SECURITY hive is linked to the SAM hive for update accuracy. This file can be parsed with Regripper for easier analysis. |
| SOFTWARE | A copy of the Software registry hive (SOFTWARE) from the target system. The SOFTWARE registry hive contains information about installed software, uninstalled software, file extension associations, last logged on user, and more. This file can be parsed with Regripper for easier analysis. |
| SYSTEM | A copy of the System registry hive (SYSTEM) from the target system. The SYSTEM registry hive contains information specific to the software and hardware configuration of the target system. For example, the SYSTEM registry contains system startup parameters, device driver configurations, hardware configurations, time zone settings, computer names, USB connections and pointers, and more. This file can be parsed with Regripper for easier analysis. |

| LiveResponseData \ system | Analysis Notes |
| --- | --- |
| Bitlocker_key.txt | This file contains the bitlocker recovery keys found on the endpoint. Created by the “-bl, --bitlocker” command line argument. |
| firewall_config.txt | An export of all configured Windows Firewall rules. |
| system_info.txt | Detailed target system information. |
| Windows_codepage.txt | This file contains the active code page identifier on the target system. The typical North America EHI build should have a code page value of “437”. This is typically not an issue, but modifying this value will cause data corruption. |
| Windows_Version.txt | Contains the version of Windows running on the target system. |
| WindowsUpdate.log | The Windows update log is no longer created by the system as of Windows 10, so we’re building it from converted event trace log (ETL) data. |

| LiveResponseData \ usbdevices \ usb-install-logs | Analysis Notes |
| --- | --- |
| setupapi.*.log | This is a copy of all device installation logs from the target system. These logs, in correlation with the SYSTEM registry hive, can be used to determine the first time a removable device (e.g. USB drive) was plugged into the system. |
| PsLoggedon.txt | Use this information to help identify any users (local or remote) who are authenticated to the target system. |

| LiveResponseData \ user | Analysis Notes |
| --- | --- |
| List_users.txt | This file simply contains a list of all local user accounts found on the target system. This file can be reviewed for suspicious local accounts. |
| Local_user_list.txt | A list of all local user accounts. |
| LastActivityView.html | An HTML report of recent user activity. |
| PsLoggedon.txt | Use this information to help identify any users (local or remote) who are authenticated to the target system. |
| user_acct_report.txt | Provides local & domain usernames, profile paths, account SID, etc. |
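The running_processes.csv notes point out that PID and PPID let you recover which process spawned which, and the Loaded_dlls.txt and services notes recommend comparing against a known-good baseline. The script below is an added example, not part of DFIRtriage: it rebuilds the parent-child tree from a constructed CSV sample, prints each process with its ancestry, lists processes whose parent has already exited, and flags a small watchlist of parent/child pairings (an Office application spawning a script host) that an analyst would want to see first. The column headers (Name, PID, PPID, CommandLine), the sample rows and the watchlist are all assumptions made for the example; the manual only states which fields the report holds.

```python
import csv
import io
from collections import defaultdict

# Constructed sample in the column layout this example assumes for
# running_processes.csv. The encoded-command argument is a placeholder.
SAMPLE_CSV = r"""Name,PID,PPID,CommandLine
System,4,0,
smss.exe,368,4,\SystemRoot\System32\smss.exe
wininit.exe,520,368,wininit.exe
services.exe,612,520,C:\Windows\system32\services.exe
svchost.exe,804,612,C:\Windows\system32\svchost.exe -k netsvcs
explorer.exe,3120,3040,C:\Windows\Explorer.EXE
WINWORD.EXE,4412,3120,C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE /n C:\Users\jdoe\Downloads\invoice.docm
powershell.exe,4590,4412,powershell.exe -nop -w hidden -enc BASE64PLACEHOLDER
"""

# Illustrative (parent, child) pairings worth a second look; an example
# watchlist for this script, not something the manual defines.
SUSPICIOUS_PAIRS = {
    ("winword.exe", "powershell.exe"),
    ("winword.exe", "cmd.exe"),
    ("excel.exe", "powershell.exe"),
    ("outlook.exe", "powershell.exe"),
}


def load_processes(text):
    """Parse the CSV text into {pid: {name, pid, ppid, cmd}}."""
    procs = {}
    for row in csv.DictReader(io.StringIO(text)):
        pid = int(row["PID"])
        procs[pid] = {"name": row["Name"], "pid": pid,
                      "ppid": int(row["PPID"]), "cmd": row["CommandLine"]}
    return procs


def children_index(procs):
    """Map each PPID to the list of PIDs it spawned."""
    kids = defaultdict(list)
    for p in procs.values():
        kids[p["ppid"]].append(p["pid"])
    return kids


def ancestry(procs, pid):
    """Process names from the highest known ancestor down to pid. Stops when
    the parent is not in the listing (it has exited, or it is PID 0)."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:  # seen guards against PID reuse loops
        seen.add(pid)
        chain.append(procs[pid]["name"])
        pid = procs[pid]["ppid"]
    return list(reversed(chain))


def orphans(procs):
    """PIDs whose recorded parent is absent from the listing (parent exited)."""
    return sorted(p["pid"] for p in procs.values()
                  if p["ppid"] not in procs and p["ppid"] != 0)


def flag_suspicious(procs):
    """(parent pid, child pid) pairs that match the watchlist."""
    hits = []
    for p in procs.values():
        parent = procs.get(p["ppid"])
        if parent and (parent["name"].lower(), p["name"].lower()) in SUSPICIOUS_PAIRS:
            hits.append((parent["pid"], p["pid"]))
    return sorted(hits)


def render_tree(procs):
    """Indented text tree, one line per process, rooted at every process
    whose parent is not in the listing."""
    kids = children_index(procs)
    lines = []

    def walk(pid, depth):
        p = procs[pid]
        lines.append(f"{'  ' * depth}{p['name']} (pid {pid}, ppid {p['ppid']}) {p['cmd']}".rstrip())
        for child in sorted(kids[pid]):
            walk(child, depth + 1)

    for root in sorted(p["pid"] for p in procs.values() if p["ppid"] not in procs):
        walk(root, 0)
    return lines


if __name__ == "__main__":
    procs = load_processes(SAMPLE_CSV)
    print("\n".join(render_tree(procs)))
    print("parent exited:", orphans(procs))
    for parent_pid, child_pid in flag_suspicious(procs):
        print("review:", " > ".join(ancestry(procs, child_pid)),
              f"(pid {child_pid}) cmd={procs[child_pid]['cmd']}")
```

Because a listing is a point-in-time snapshot, an absent parent is normal for long-lived processes such as explorer.exe (its launcher exits), so the orphan list is context for the tree rather than a finding by itself; the watchlist hits are what to cross-check against the prefetch, PowerShell history and event log artifacts.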

EVENT ID REFERENCE

| Event Log | Event ID | Description |
| --- | --- | --- |
| SECURITY | 1102 | user cleared security log; this is logged regardless of audit policy |
| SECURITY | 4616 | System time was changed |
| SECURITY | 4624 | successful logon |
| SECURITY | 4625 | failed logon |
| SECURITY | 4634 | Logoff |
| SECURITY | 4647 | User initiated logoff |
| SECURITY | 4648 | RunAs usage, privilege escalation, lateral movement |
| SECURITY | 4649 | Replay attack |
| SECURITY | 4662 | An operation was performed on an object |
| SECURITY | 4672 | Special privileges attempted login |
| SECURITY | 4697 | service creation, details will contain service image name (e.g. psexec), persistence |
| SECURITY | 4698 | Scheduled task created, potential for persistence |
| SECURITY | 4722 | a user account was enabled |
| SECURITY | 4724 | user account password reset attempt |
| SECURITY | 4728 | member added to security-enabled global group |
| SECURITY | 4732 | user added to privileged local group |
| SECURITY | 4735 | security-enabled local group was changed |
| SECURITY | 4738 | a user account was changed |
| SECURITY | 4756 | a member was added to a security-enabled universal group |
| SECURITY | 4768 | Kerberos TGT request |
| SECURITY | 4769 | Kerberos service ticket requested |
| SECURITY | 4713 | Kerberos policy was changed |
| SECURITY | 4770 | Kerberos service ticket renewal |
| SECURITY | 4771 | Kerberos pre-auth failed |
| SECURITY | 4634, 4647 | successful logoff |
| SECURITY | 4672 | account logon with superuser rights (i.e. administrator) |
| SECURITY | 4776 | Domain controller validation attempt |
| SECURITY | 4778 | an RDP session was reconnected, as opposed to a fresh logon seen by event 4624 |
| SECURITY | 4688 | new process created (includes exe path); process exit |
| SECURITY | 4699 | scheduled task was deleted |
| SECURITY | 4700 | scheduled task was enabled |
| SECURITY | 4701 | scheduled task disabled |
| SECURITY | 4702 | scheduled task was updated |
| SECURITY | 4720 | an account was created |
| SECURITY | 4722 | A user account was enabled |
| SECURITY | 4723 | An attempt was made to change an account’s password |
| SECURITY | 4724 | An attempt was made to reset an account’s password |
| SECURITY | 4725 | A user account was disabled |
| SECURITY | 4726 | A user account was deleted |
| SECURITY | 4735, 4737, 4755, 4764 | Group creations |
| SECURITY | 4738 | A user account was changed |
| SECURITY | 4740 | A user account was locked out |
| SECURITY | 4741 | A computer account was created |
| SECURITY | 4742 | A computer account was changed |
| SECURITY | 4743 | A computer account was deleted |
| SECURITY | 4765, 4766 | SID history |
| SECURITY | 4767 | A user account was unlocked |
| SECURITY | 4776 | account logon success/fail, can identify auth for a mapped drive |
| SECURITY | 4779 | an RDP session was disconnected, as opposed to a logoff seen by events 4647 or 4634 |
| SECURITY | 4780 | ACL set on accounts |
| SECURITY | 4798 | a user's local group membership was enumerated |
| SECURITY | 4799 | a security-enabled local group membership was enumerated |
| SECURITY | 4800 | Workstation locked |
| SECURITY | 4801 | Workstation unlocked |
| SECURITY | 4802 | Screensaver was invoked |
| SECURITY | 4803 | Screensaver was dismissed |
| SECURITY | 4821 | Kerberos service ticket was denied |
| SECURITY | 4822, 4823 | NTLM authentication failed |
| SECURITY | 4824 | Kerberos pre-authentication failed |
| SECURITY | 4825 | User denied access to Remote Desktop |
| SECURITY | 4886 | Certificate Services received a certificate request |
| SECURITY | 4887 | Certificate Services approved a certificate request |
| SECURITY | 4899 | Certificate Services template was updated |
| SECURITY | 4900 | Certificate Services template security was updated |
| SECURITY | 5058 | Key file operation |
| SECURITY | 5059 | Key migration operation |
| SECURITY | 5140 | network share was accessed |
| SECURITY | 5145 | shared object was accessed |
| SECURITY | 7034 | service crashed unexpectedly |
| SECURITY | 7036 | service started or stopped |
| SECURITY | 7040 | service start type changed (boot \| on request \| disabled) |
| APPLICATION | 1022 | new MSI file installed |
| APPLICATION | 1033 | program installed using MSI installer |
| APPLICATION | 1034 | application removal complete (success/failure status) |
| APPLICATION | 11707 | installation completed successfully |
| APPLICATION | 11708 | installation operation failed |
| APPLICATION | 11724 | application removal completed successfully |
| APPLICATION | 1000 | Application crash/hang events, like WER/1001, and include full path to faulting EXE/Module |
| APPLICATION | 1001, 1002 | WER events for application crashes only |
| APPLICATION | 1511 | User logging on with temporary profile |
| APPLICATION | 1518 | Cannot create profile using temporary profile |
| SYSTEM | 6 | new kernel filter driver; possible indication of kernel-mode rootkit installation |
| SYSTEM | 104 | user cleared system log OR application log (note: clearing application log creates event in system log, not app log) |
| SYSTEM | 7035 | successful start OR stop control was sent to a service |
| SYSTEM | 7045 | new Windows service was installed |
| POWERSHELL/OPERATIONAL | 600 | Powershell command executed |
| POWERSHELL/OPERATIONAL | 4105, 4106 | Powershell script start/stop |
| POWERSHELL/OPERATIONAL | 4103 | Powershell executes block activity |
| POWERSHELL/OPERATIONAL | 4104 | Remote command |
| MICROSOFT-WINDOWS-VHDMP | 1 | Surface Disk - shows when a virtual drive image file is mounted. E.g. “The VHD C:\Users<USER>\AppData\Local\Temp\1\Temp1_KYC_BP12(Dec15).zip\KYC#BP12.img has come online (surfaced) as disk number 0.” |
| WINDOWS FIREWALL WITH ADVANCED SECURITY | 2004, 2005, 2006, 2009, 2033 | Local Modifications (Levels 0, 2, 4) |
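The reference table above is what an analyst applies to eventlogs_key_events.csv. The script below is an added example, not part of DFIRtriage: it carries a subset of the table as a lookup, annotates a constructed set of parsed event rows with the description and a priority tag, pulls out a timeline of the events that warrant immediate attention (log clearing, new services, new scheduled tasks, account and group changes), and counts failed logons per source address so a burst of 4625 events followed by a 4624 from the same address stands out. The CSV column headers (TimeCreated, LogName, EventID, Computer, Message), the message wording and the priority set are assumptions for the example; the manual does not document the parsed CSV layout.

```python
import csv
import io
import re
from collections import Counter

# Subset of the manual's Event ID reference, keyed by (log, event id).
EVENT_REFERENCE = {
    ("SECURITY", 1102): "user cleared security log",
    ("SECURITY", 4624): "successful logon",
    ("SECURITY", 4625): "failed logon",
    ("SECURITY", 4648): "RunAs usage, privilege escalation, lateral movement",
    ("SECURITY", 4688): "new process created (includes exe path)",
    ("SECURITY", 4697): "service creation, persistence",
    ("SECURITY", 4698): "scheduled task created, potential for persistence",
    ("SECURITY", 4720): "an account was created",
    ("SECURITY", 4732): "user added to privileged local group",
    ("SYSTEM", 104): "user cleared system log OR application log",
    ("SYSTEM", 7045): "new Windows service was installed",
    ("POWERSHELL/OPERATIONAL", 4104): "Remote command",
}

# Events that on their own deserve a first look during triage (example choice).
HIGH_PRIORITY = {
    ("SECURITY", 1102), ("SYSTEM", 104), ("SECURITY", 4697), ("SYSTEM", 7045),
    ("SECURITY", 4698), ("SECURITY", 4720), ("SECURITY", 4732),
}

# Constructed sample rows in the column layout this example assumes.
SAMPLE_CSV = r"""TimeCreated,LogName,EventID,Computer,Message
2024-01-05 14:02:11,SECURITY,4624,WORKSTATION01,An account was successfully logged on. Account Name: jdoe Logon Type: 2
2024-01-05 14:10:03,SECURITY,4625,WORKSTATION01,An account failed to log on. Account Name: admin Source Network Address: 10.0.0.55
2024-01-05 14:10:05,SECURITY,4625,WORKSTATION01,An account failed to log on. Account Name: admin Source Network Address: 10.0.0.55
2024-01-05 14:10:07,SECURITY,4625,WORKSTATION01,An account failed to log on. Account Name: admin Source Network Address: 10.0.0.55
2024-01-05 14:10:09,SECURITY,4625,WORKSTATION01,An account failed to log on. Account Name: admin Source Network Address: 10.0.0.55
2024-01-05 14:10:31,SECURITY,4624,WORKSTATION01,An account was successfully logged on. Account Name: admin Logon Type: 3 Source Network Address: 10.0.0.55
2024-01-05 14:11:02,SYSTEM,7045,WORKSTATION01,A service was installed in the system. Service Name: PSEXESVC Service File Name: %SystemRoot%\PSEXESVC.exe
2024-01-05 14:12:40,SECURITY,4698,WORKSTATION01,A scheduled task was created. Task Name: \Updater
2024-01-05 14:15:00,SECURITY,1102,WORKSTATION01,The audit log was cleared. Account Name: admin
2024-01-05 14:16:00,SECURITY,4801,WORKSTATION01,The workstation was unlocked.
"""

SRC_RE = re.compile(r"Source Network Address:\s*(\S+)")


def load_events(text):
    """Parse the CSV text into a list of event dicts with an integer event id."""
    return [{"time": r["TimeCreated"], "log": r["LogName"], "id": int(r["EventID"]),
             "computer": r["Computer"], "message": r["Message"]}
            for r in csv.DictReader(io.StringIO(text))]


def annotate(events):
    """Attach the reference description and a priority tag to each event."""
    for e in events:
        key = (e["log"], e["id"])
        e["description"] = EVENT_REFERENCE.get(key, "(not in reference subset)")
        e["priority"] = "high" if key in HIGH_PRIORITY else "normal"
    return events


def failed_logon_sources(events, threshold=3):
    """Count 4625 events per source address; keep sources at or above threshold."""
    counts = Counter()
    for e in events:
        if (e["log"], e["id"]) == ("SECURITY", 4625):
            m = SRC_RE.search(e["message"])
            counts[m.group(1) if m else "unknown"] += 1
    return {src: n for src, n in counts.items() if n >= threshold}


def high_priority_timeline(events):
    """Chronological (time, log, id, description) tuples for high-priority events."""
    return sorted((e["time"], e["log"], e["id"], e["description"])
                  for e in annotate(events) if e["priority"] == "high")


if __name__ == "__main__":
    events = annotate(load_events(SAMPLE_CSV))
    print("failed logon sources:", failed_logon_sources(events))
    for when, log, eid, desc in high_priority_timeline(events):
        print(f"{when}  {log:<8} {eid:>5}  {desc}")
```

Extend EVENT_REFERENCE with the rest of the table as needed; the 1102 and 104 rows deserve special weight because, as the table notes, log clearing is recorded regardless of audit policy, so a cleared-log event near the end of a collection window usually marks where the attacker's own cleanup started.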