DFIR – Page 19 – Baker Street Forensics

QuickPcap – Capturing a PCAP with PowerShell

Earlier today I was asked for a ‘quick and easy’ PowerShell to grab a packet capture on a Windows box. I didn’t have anything on hand so I set off to the Google and returned with the necessary ingredients.

The star of the show is netsh trace, which is built into Windows. If we wanted to capture for 90 seconds, start the trace, wait 90 seconds, and stop it the syntax would be:

netsh trace start capture=yes IPv4.Address=192.168.1.167 tracefile=c:\temp\capture.etl
Start-Sleep 90
netsh trace stop

Note there are 3 lines (the first may wrap depending on windows size)

Like Wireshark, you need to specify what interface you want to capture traffic from. In the example above 192.168.1.167 is the active interface I want to capture. But what if I want to use this for automation and won’t know in advance what the active IP address will be?

We can grab the local IPv4 address and save it as a variable.

#Get the local IPv4 address
$env:HostIP = (
    Get-NetIPConfiguration |
    Where-Object {
        $_.IPv4DefaultGateway -ne $null -and
        $_.NetAdapter.Status -ne "Disconnected"
    }
).IPv4Address.IPAddress

Now putting the two together:

$env:HostIP = (
    Get-NetIPConfiguration |
    Where-Object {
        $_.IPv4DefaultGateway -ne $null -and
        $_.NetAdapter.Status -ne "Disconnected"
    }
).IPv4Address.IPAddress
netsh trace start capture=yes IPv4.Address=$env:HostIP tracefile=c:\temp\capture.etl
Start-Sleep 90
netsh trace stop

Perfect. Automated packet capture without having to install Wireshark on the host. The only item you should need to adjust will be the capture (sleep) timer.

But wait, the request was for a pcap file. Not a .etl. Lucky for us there’s an easy conversion utility etl2pcapng. Execution is as simple as giving the exe the source and destination files.

./etl2pcapng.exe c:\temp\capture.etl c:\temp\capture.pcap

That’s it. We’re now able to collect a packet capture on Windows hosts without adding any additional tools. We can then take those collections and convert them with ease to everyone’s favorite packet analyzer.

I’ve combined everything above into QuickPcap.ps1 available on my GitHub site.

In this case the capture and conversion are running as one contiguous process, but it’s easy to imagine them as separate automation elements being handled through scripting by different processes. After all, we all build our Lego’s differently, don’t we?

Post-update

Since this continues to be one of the most searched for topics, be sure to check out detonaRE, a malware detonation and capture utility that uses the same pcap functionality.

detonaRE initiates packet capture and process monitor, detonates the malware, ends pcap collection, completes evidence capture with Magnet RESPONSE. PCAP, Zip, and CSV outputs.

blog: https://bakerstreetforensics.com/2023…

GitHub: https://github.com/dwmetz/detonaRE

Using WSL Profiles for Frequent Applications

DFIR, PowerShell

Windows Subsystem for Linux (WSL) adds a lot of capability and convenience for running DFIR applications on a Windows host. Previously I wrote about how to add a SIFT/REMnux Ubuntu distribution to WSL.

Another tip I’d like to share with you is setting up separate profiles for frequently used applications.

Volatility is one of the applications I’m in frequently, whether for work or lab(work). Sure, I can open a command window and then navigate to the appropriate application path; but why not make it a one-click option.

To begin, open Windows Terminal, and go to the Settings menu.

On the bottom left choose select ‘Add a new profile.’

PowerShell (Core) is my default shell environment. I’ll select this as the profile to duplicate.

After you hit ‘Duplicate’ you’ll be presented with a copy of the profile.

Update the Name and Starting directory to reflect the application path.

You can customize the Icon and Tab title. Under the Appearance tab you can assign a custom background for the WSL profile. Be sure to click Save when you’ve made your changes.

Now when I want to open a Volatility session, it’s right there on the drop down in WSL.

If you have WSL parked on the Taskbar, you can select the new profile (or any other profile) with a right-click.

If you want to have your WSL instances in separate windows, versus the default tabbed layout, right clicking from the taskbar will open the selected session in a new window.

CSIRT-Collect USB

DFIR, Forensic Imaging, PowerShell, RAM, USB

CSIRT-Collect USB can be found in the main repository for CSIRT-Collect. CSIRT-Collect is a PowerShell script to collect memory and (triage) disk forensics for incident response investigations.

CSIRT-Collect USB is designed to run directly from a USB device. While a network deployment certainly supports automation, as an Incident Responder I can think of several examples where that wouldn’t be an option:

An air-gapped manufacturing environment
Hospital/Medical Environments
Ransomware incidents when the assets have been detached from the network

Preparation is the first phase of the Incident Response lifecycle. (PICERL) Once you’ve tested and/or adapted the collection for your environment, consider prepping a handful of drives and having them pre-deployed to sites where you’re likely to need them.

The Setup

First off you’re going to need a high-capacity USB device. Larger sized flash drives will work. Personally I’m a fan of Samsung (T series) SSD drives, both for their size and their write speeds during acquisitions.

On the root of the USB device:

A (initially empty) folder named ‘Collections’
KAPE directory from default KAPE installation
EDD.exe in \KAPE\Modules\bin\EDD (Encrypted Disk Detector)
CSIRT-Collect_USB.ps1
MRC.exe (Magnet RAM Capture)

Launch

To run the script, open an elevated PowerShell prompt and browse to the USB device. Then simply

.\CSIRT-Collect_USB.ps1

What it Captures

The first process the script runs is Magnet RAM Capture. Once the RAM has been captured, the windows build (profile) is captured. The RAM image and the build info are named to reflect the asset hostname being collected.

The next process is the KAPE Triage collection. Host artifacts are acquired and then assembled as a .vhdx (portable hard disk) image. After the KAPE Targets portion completes, KAPE calls the Encrypted Disk Detector module which checks the local physical drives on a system for TrueCrypt, PGP, VeraCrypt, SafeBoot, or Bitlocker encrypted volumes. This information is saved into the Collections directory, as well as displayed to the responder to identify other volumes that may need to be collected while the system is live.

Lastly, if BitLocker is enabled for the OS drive the script will capture that information as well and back-up the recovery key.

Collection Contents

Inside the Collections folder, a subfolder will be created for each asset collected. The size of the USB device will determine how many collections can be captured before the results need to be offloaded.

The \Collections\%hostname% directory will include:

Console log capturing all KAPE targets activity
.vhdx of the host artifacts
collection complete date/time .txt
Memory acquisition .raw
Windows profile (build information) .txt

In the \Collections\%hostname%\Decrypt folder you will find

console log for KAPE modules (EDD)
recovery key for BitLocker (C) volume .txt
Live Response directory with the output of EDD .txt

###

https://github.com/dwmetz/CSIRT-Collect

###

Adding RAM collections to KAPE Triage

DFIR, PowerShell, RAM

If you’re utilizing KAPE to collect triage collections, are you also collecting a RAM image with the operating system artifacts?
Included in the Modules section of KAPE there are three modules that can create a RAM image. The modules for DumpIt and Winpmem have been available for a while. (I wrote the DumpIt module and Eric Capuano wrote the Winpmem module.) Now you also have the option of using Magnet Ram Capture as an option. As with any of the KAPE modules if you’re calling an executable, you need to ensure the .exe is present in the \modules\bin directory. KAPE does not distribute any 3rd party executables so you need to bring your own. You can download Magnet Ram Capture from the Magnet Free Tools site at Free Tools – Magnet Forensics.

Speaking of Magnet, I should say that I am, as of recent, an employee of Magnet Forensics. All views here, demented and otherwise, are my own and don’t reflect the views or opinions of my employer. Now that all the lawyers are smiling, let’s continue.

When utilizing KAPE you can either run the Memory collection module by itself…

Or more likely, as part of a triage collection so you can get the necessary artifacts, as well as a RAM dump.

KAPE Triage Collection along with Magnet Ram Capture

While this does work to get both the artifacts and RAM capture, there are a couple issues with the process.

Best practices for forensics suggest imaging the RAM before making any other changes to the target
KAPE executes the Targets first and then proceeds to Modules (RAM collection)
After the KAPE memory collection completes the memory image will be included in the specified KAPE output (zip).
A copy of the memory image (raw) file stays on the computer, even if KAPE is transferring the data off to a remote location. This appeared to be the case regardless of which memory capture utility is used.

CSIRT-Collect is a PowerShell script that I wrote to automate to collection of a RAM image as well as a KAPE triage collection. I wanted to preserve the order of volatility and capture the RAM before any other artifact collection occurs. Version 3 by default leverages Magnet Ram Capture to collect the memory. You can utilize Winpmem or DumpIt with a minor code modification.

CSIRT-Collect
Prerequisites:

Network share location with “Collections” folder. Within ‘Collections’, 2 subdirectories:

Memory, containing Magnet Ram Capture (MRC.exe) and command line version of 7zip (7za.exe)
KAPE (default directory as installed)

The script will:

map a drive to the “Collections” share, (update the script to reflect the network share for your environment)
capture a memory image with Magnet Ram Capture,
capture a triage collection with KAPE,
transfer the output back to the network share,
create a text flag when the process has completed.

Beginning of script. Temp directory on host is empty. Memory and KAPE folder available on Collections share.

Tools copied from server. RAM collection initiated.

Once the RAM Capture is completed, the script captures the Windows build info to a text file, and then zips up that with the raw image file to memdump (7zip).

The memdump zip file containing the RAM and build info is renamed to reflect the hostname of the target. The zip file is transferred to the network into a folder named for the target.

After the zipped memory image (seen here as 18GB compressed to 4.2GB) is transferred to the network, the KAPE triage collection is initiated. Note the C:\Temp\IR directory is gone and collection artifacts saved to C:\Temp\KAPE.

At the end of the KAPE collection, the artifacts are saved to a VHDX file and then compressed as a zip.

Script completes with zipped VHDX and KAPE console logs, transferred to server location.

The zipped memory collection with the windows build text file.

Windows build info in text file. Use this value to assist in selecting Windows profile for processing with Volatility. (Save the long time required when running kdbgscan).

At the very end of the script a “transfer complete” text file is written to the directory. This is an easy way to know that all the collection activity has completed. If being used for automation, the presence of this file can be used as a trigger to initiate further automation activities.

And that’s it. One script to capture RAM, capture a triage image, and then transfer the collections back to the network.

CSIRT-Collect can be initiated on the endpoint manually, invoked by EDR tools, as well as larger collection scenarios where the script can be pushed out via Group Policy.

Grab your copy of CSIRT-Collect here: