Month: February 2016

Extracting Data with Bulk Extractor

When it comes to forensics, styles and methodologies vary from person to person (and from organization to organization). Some methods take longer than others, and results may vary. One tool I lean on time and time again is Bulk Extractor, a program that extracts key information (email addresses, URLs and similar artifacts) from digital media. It is valuable no matter the type of case you are working. A list of the types of information it can extract is on the project wiki at https://github.com/simsong/bulk_extractor/wiki/Testing.

There are Windows and Linux variants of the program, both capable of running from the command line or a GUI. Thanks to its multi-threading it is 4-8 times faster than tools like EnCase or FTK. The program can handle disk image files, raw devices, or directories of files. When it completes, its findings are in the output directory you chose: one text feature file per scanner (for example email.txt or url.txt), histogram files that rank each feature by how often it was seen, and a report.xml describing the run. That output directory can be opened in the Bulk Extractor Viewer for analysis. The output will look similar to the screenshot below.

[Screenshot: Bulk_Extractor]

Each scanner you selected to run against your image file writes its findings to a report, listed in the Reports column. Not all scanners generate their own report, since some bucket what they find with another scanner's report; the chart on the wiki page linked above can help you determine where a scanner's output will land. Also, when a selected scanner returns no suitable data, no report appears for it. When you select a report, its findings are shown in the middle column, where you can type in strings to search for or just scroll through the data. To go further into a finding, click on it in the middle column and more output appears in the Image column on the far right. By default the Image column displays the text and the location (byte offset) of the data in the image file; there is an option to change the image output from text to hex.
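What the Viewer does with that output directory can also be done by hand, which is handy on a headless box or when you want to script a triage. The following is an added example, not code from the original post or from the bulk_extractor project: it parses a feature file into records, builds the same per-feature counts the histogram files carry, searches features the way the middle column's search box does, and renders the context at an image offset as hex, like the Image column's hex toggle. The sample email.txt content, offsets and addresses are constructed for the example; the -o and -E flags in the command builder are real bulk_extractor options.

```python
"""Work with bulk_extractor output without the GUI.

Added example (not code from the original post or from the bulk_extractor
project). The sample feature file below is constructed to match the layout
bulk_extractor writes: '#' header lines, then TAB-separated
<forensic path>, <feature>, <context>, with non-printable context bytes
escaped as \\xNN.
"""
from __future__ import annotations

import re
import shlex
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample of an email.txt feature file (offsets and addresses invented).
SAMPLE_EMAIL_TXT = (
    "# BANNER FILE NOT PROVIDED (-b option)\n"
    "# BULK_EXTRACTOR-Version: 1.5.5\n"
    "# Feature-Recorder: email\n"
    "# Filename: /cases/example/image.raw\n"
    "# Feature-File-Version: 1.1\n"
    "1048576\talice@example.com\t\\x00From: alice@example.com\\x0d\\x0a\n"
    "1048640\tbob@example.net\t\\x00To: bob@example.net\\x0d\\x0a\n"
    "3145728-GZIP-512\talice@example.com\tmailto:alice@example.com\\x00\n"
)


@dataclass
class Feature:
    path: str      # forensic path exactly as bulk_extractor wrote it
    offset: int    # byte offset into the image: the leading integer of the path
    feature: str   # the extracted artifact (here, an email address)
    context: str   # surrounding bytes, still with bulk_extractor's \xNN escapes


def bulk_extractor_cmd(image: str, outdir: str, only_scanner: Optional[str] = None) -> str:
    """Build the command line for a run: -o picks the output directory and
    -E enables one scanner while disabling all others (both real flags)."""
    argv = ["bulk_extractor", "-o", outdir]
    if only_scanner:
        argv += ["-E", only_scanner]
    argv.append(image)
    return " ".join(shlex.quote(a) for a in argv)


def parse_feature_file(text: str) -> List[Feature]:
    """Parse one feature file (email.txt, url.txt, ...) into Feature records."""
    features = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue                      # header / comment line
        parts = line.split("\t")
        if len(parts) < 2:
            continue                      # malformed line; skip rather than crash
        path, feature = parts[0], parts[1]
        context = parts[2] if len(parts) > 2 else ""
        m = re.match(r"\d+", path)        # paths like 3145728-GZIP-512 lead with the image offset
        features.append(Feature(path, int(m.group()) if m else -1, feature, context))
    return features


def histogram(features: List[Feature]) -> List[Tuple[str, int]]:
    """Same counting bulk_extractor does for its *_histogram.txt files."""
    return Counter(f.feature for f in features).most_common()


def search(features: List[Feature], needle: str) -> List[Feature]:
    """Case-insensitive search over feature and context (the middle-column search box)."""
    needle = needle.lower()
    return [f for f in features if needle in f.feature.lower() or needle in f.context.lower()]


def unescape_context(context: str) -> bytes:
    """Turn bulk_extractor's \\xNN escapes back into the raw bytes."""
    raw = context.encode("latin-1")
    return re.sub(rb"\\x([0-9a-fA-F]{2})", lambda m: bytes([int(m.group(1), 16)]), raw)


def hexdump(data: bytes, base: int = 0, width: int = 16) -> str:
    """Hex + ASCII view addressed from the image offset (the Image column's hex view)."""
    rows = []
    for i in range(0, len(data), width):
        chunk = data[i:i + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        ascii_part = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        rows.append(f"{base + i:08x}  {hexpart:<{width * 3}} {ascii_part}")
    return "\n".join(rows)


if __name__ == "__main__":
    print(bulk_extractor_cmd("/cases/example/image.raw", "/cases/example/be_out", "email"))
    feats = parse_feature_file(SAMPLE_EMAIL_TXT)
    for feature, n in histogram(feats):
        print(f"n={n}\t{feature}")          # same shape as email_histogram.txt lines
    for f in search(feats, "alice"):
        print(f"\n{f.path}  {f.feature}")
        print(hexdump(unescape_context(f.context), base=f.offset))
```

To use it on a real run, replace SAMPLE_EMAIL_TXT with the contents of a feature file from your output directory; the parser deliberately skips malformed lines instead of aborting, because a feature file from a large image can run to hundreds of thousands of lines and one odd line should not stop a triage.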


Analyzing Memory in the Wonderful World of Redline

Redline is one of a few memory capture/analysis programs that I keep in my toolkit. It works like this: the software only needs to be installed on the system you will analyze the data on. From there, you configure the options you want (including grabbing a copy of live memory) and save the resulting collector script from Redline. With that script in hand, you run it on the system from which memory will be captured; the output is saved in the location the script was run from. With the output data in hand, you take it back to your analyst system and import it into Redline.

Upon importing the data you are presented with a few options to aid your investigation, after which you are presented with a GUI view of the data. Redline also assigns each process an MRI (Malware Risk Index) score based on multiple factors; if it considers a process bad or very suspicious, it shows a red circle next to it, as seen below.

[Screenshot: redline]

Redline can analyze memory captures from Memoryze and other captures in .img format. I have tried other memory capture formats with 50/50 results.