In digital forensics, we’re frequently trying to separate the signal from the noise. When examining operating systems, including mobile, it can be helpful to know which files shipped with the operating system. By filtering those out we can concentrate on what is new on the device as we start looking for activity.
The National Software Reference Library (NSRL) is designed to collect software from various sources and incorporate file profiles computed from this software into a Reference Data Set (RDS) of information. The RDS can be used by law enforcement, government, and industry organizations to review files on a computer by matching file profiles in the RDS. This will help alleviate much of the effort involved in determining which files are important as evidence on computers or file systems that have been seized as part of criminal investigations.
Recently I came across a site that, among other capabilities, has the option of doing an NSRL lookup using curl from the command line.
Me being Mr. PowerShell, I wanted to see what the syntax would be to do the same lookup with PowerShell. So where did I turn? No, not to Jeffrey Snover. I went to ChatGPT. I’d heard quite a bit about how services like these, while not trustworthy for anything of historical accuracy, are pretty good at translating code.
Sure enough, it returned functional code to do the same operation in PowerShell. What I really appreciated, though, was the detailed information beneath it that explains the parallel functions between the two and what the different values represent. I could see myself using ‘explain this code to me’ in the future.
PowerShell NSRL Query Syntax:
Invoke-RestMethod -Uri 'https://hashlookup.circl.lu/lookup/sha1/3f64c98f22da277a07cab248c44c56eedb796a81' -Headers @{accept='application/json'} -Method GET
I also asked it to convert the curl command to Python, which it handled equally well, once again with the same level of explanation of what’s going on beneath the code.
Of the three, I prefer the output of the PowerShell command as it is the most readable. In the screenshot above, four queries were run. For the first two there wasn’t a matching hash, so we can’t confirm whether those files were included with the operating system. For the last two queries, which happen to be for executable names that are frequently misused by bad actors, the hashes queried do match entries in the published NSRL.
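As an added example (not code from the original post), the function below extends that single lookup to a whole directory of files: it hashes each file with SHA-1, queries the same hashlookup endpoint shown above, and reports which files the reference set already knows, so the unknown ones can be triaged first. Only the hash leaves the machine, but the hash of a case-specific file is still disclosed to a third-party service, so for sensitive cases the offline RDS is the better choice. Two things are assumed here: that the service answers HTTP 404 for a hash it has never seen, and that a hit carries FileName and source properties; both may need adjusting against the service's current documentation.

```powershell
# Added example: bulk known-file filtering against the CIRCL hashlookup service.
# Assumptions (not from the original post): unknown hash => HTTP 404;
# a hit is a JSON object with FileName and source properties.
function Get-HashlookupReport {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$BaseUri = 'https://hashlookup.circl.lu/lookup/sha1/'
    )
    Get-ChildItem -Path $Path -File -Recurse | ForEach-Object {
        $file  = $_
        $sha1  = (Get-FileHash -Path $file.FullName -Algorithm SHA1).Hash.ToLower()
        $known = $false
        $hit   = $null
        try {
            $hit   = Invoke-RestMethod -Uri ($BaseUri + $sha1) -Headers @{accept='application/json'} -Method GET
            $known = $true
        } catch {
            # 404 means "never seen"; any other failure (network, throttling) is a real error
            $status = $null
            if ($_.Exception.Response) { $status = [int]$_.Exception.Response.StatusCode }
            if ($status -ne 404) { throw }
        }
        $knownAs = $null
        $source  = $null
        if ($known) {
            $knownAs = $hit.FileName   # assumed property name
            $source  = $hit.source     # assumed property name (e.g. the reference set that knows the hash)
        }
        [pscustomobject]@{
            File    = $file.FullName
            SHA1    = $sha1
            Known   = $known
            KnownAs = $knownAs
            Source  = $source
        }
    }
}

# Typical triage use: show only what the reference set does NOT know about.
# Get-HashlookupReport -Path 'C:\Evidence\Windows\System32' |
#     Where-Object { -not $_.Known } | Format-Table -AutoSize
```

The function emits one object per file rather than printing, so the result can be filtered, sorted or exported to CSV for the case file; throttling by the service surfaces as a thrown error rather than being silently treated as "unknown".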
If you’re working in or responding to an O365 environment, there are plenty of occasions where you need to search and collect from multiple O365 custodians at the same time. While the experience of the Security & Compliance Center has improved over the years, I still find it inefficient for creating larger collections – especially when each custodian has to be searched for and added one at a time.
I created a handful of PowerShell scripts that automate the creation of searches for a group of custodians (provided via .txt file). I’ve used these methods countless times for both eDiscovery and IR cases.
There are different scripts to address the collection of:
O365 Mailbox – will capture email, calendar, tasks, contacts, MS Teams*.
Microsoft Teams – either for a single custodian or for a group.
Microsoft OneDrive – collect the O365 OneDrive for Business for a group of custodians.
When Legal says “get it all” – All O365 mailbox contents, including Teams, and OneDrive.
Once the collection has been generated you will still need to log on to https://protection.office.com to retrieve the search results.
<# MS Exchange Security & Compliance Search
version 2.0
https://github.com/dwmetz/Axiom-PowerShell
Author: @dwmetz
Function:
Collect an O365 mailbox search for group of custodians.
Note this script requires previous installation of the ExchangeOnlineManagement PowerShell module
See https://docs.microsoft.com/en-us/powershell/exchange/connect-to-scc-powershell?view=exchange-ps for more information.
This PowerShell script will prompt you for the following information:
* Your user credentials
* The pathname for the text file that contains a list of user email addresses
* The name of the Content Search that will be created
* The search query string
The script will then:
* Create and start a Content Search using the above information
Updates:
17.November.2022 - updated ExchangeOnlineManagement connection, Security & Compliance Center (IPPSSession)
#>
# New Auth
Import-module ExchangeOnlineManagement
Connect-IPPSSession
# Get other required information
$inputfile = read-host "Enter the file name of the text file that contains the email addresses for the users you want to search"
$searchName = Read-Host "Enter the name for the new search"
$searchQuery = Read-Host "[Optional] Enter the search query you want to use"
$emailAddresses = Get-Content $inputfile | Where-Object {$_ -ne ""} | ForEach-Object{ $_.Trim() }
Write-Host "Creating and starting the search"
$search = New-ComplianceSearch -Name $searchName -ExchangeLocation $emailAddresses -ContentMatchQuery $searchQuery
# Finally, start the search and then display the status
if($search)
{
Start-ComplianceSearch $search.Name
Get-ComplianceSearch $search.Name
}
Write-Host "Search initiated" -ForegroundColor Blue
Write-Host "Proceed to https://protection.office.com/ to download the results." -ForegroundColor Blue
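Two things the scripts leave to the operator are checking the custodian list before it is handed to New-ComplianceSearch and knowing when the search has actually finished. The following helpers are an added example, not part of the Axiom-PowerShell repo: the first cleans and validates the address file (blank lines, comments, malformed entries, duplicates), the second polls the search until it completes, and the third queues an export so the results are ready when you log on to the portal. They assume an existing Connect-IPPSSession, that Get-ComplianceSearch exposes Status, Items and Size, and that Status reaches 'Completed' (or 'Failed') when the search ends; the download itself still happens from the portal, as described above.

```powershell
# Added example (not one of the repo's scripts). Assumes Connect-IPPSSession has already run.

# Read a custodian file into a clean, de-duplicated list of addresses.
# Lines that are blank or start with '#' are ignored; malformed entries are reported and skipped.
function Get-CustodianList {
    param([Parameter(Mandatory)][string]$Path)
    $addressPattern = '^[^@\s]+@[^@\s]+\.[^@\s]+$'
    $seen = @{}
    foreach ($line in Get-Content -Path $Path) {
        $addr = $line.Trim().ToLower()
        if (-not $addr -or $addr.StartsWith('#')) { continue }
        if ($addr -notmatch $addressPattern) {
            Write-Warning "Skipping malformed entry: '$line'"
            continue
        }
        if (-not $seen.ContainsKey($addr)) {
            $seen[$addr] = $true
            $addr
        }
    }
}

# Poll a started search until it completes; the assumed status values are 'Completed' and 'Failed'.
function Wait-ComplianceSearch {
    param(
        [Parameter(Mandatory)][string]$SearchName,
        [int]$PollSeconds = 30,
        [int]$TimeoutMinutes = 120
    )
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        $s = Get-ComplianceSearch -Identity $SearchName
        Write-Host ("{0}: {1} ({2} items, {3} bytes)" -f $SearchName, $s.Status, $s.Items, $s.Size)
        if ($s.Status -eq 'Completed') { return $s }
        if ($s.Status -eq 'Failed') { throw "Search '$SearchName' failed" }
        Start-Sleep -Seconds $PollSeconds
    } while ((Get-Date) -lt $deadline)
    throw "Timed out after $TimeoutMinutes minutes waiting for search '$SearchName'"
}

# Queue an export of a completed search; the files are then downloaded from the compliance portal.
function Export-ComplianceSearchResults {
    param([Parameter(Mandatory)][string]$SearchName)
    New-ComplianceSearchAction -SearchName $SearchName -Export
}

# Usage, following the same flow as the script above:
# $custodians = Get-CustodianList -Path 'C:\Temp\custodians.txt'
# $search = New-ComplianceSearch -Name 'Case1234-Mailboxes' -ExchangeLocation $custodians
# Start-ComplianceSearch $search.Name
# Wait-ComplianceSearch -SearchName $search.Name | Out-Null
# Export-ComplianceSearchResults -SearchName $search.Name
```

Validating the list up front matters because a single mistyped address otherwise surfaces only as a cmdlet error after the whole search has been configured, and the item and size counts reported while polling give an early sanity check that the query scoped what Legal asked for.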
O365 Mailboxes and OneDrives: MS-ExchangeODGroupSearch.ps1
Note: you will get 2 authentication prompts, as you are logging on to the Security & Compliance Center as well as the SharePoint Admin panel.
<# MS Exchange & OneDrive Security & Compliance Search
version 2.0
https://github.com/dwmetz/Axiom-PowerShell
Author: @dwmetz
Function: This script will generate a Security and Compliance Search to capture O365 Email and OneDrive for a list of custodians.
This PowerShell script will prompt you for the following information:
* Your user credentials
* The pathname for the text file that contains a list of user email addresses
* The name of the Content Search that will be created
* The search query string (optional. mastering the search query cmd is a dark art.)
The script will then:
* Find the OneDrive for Business site for each user in the text file
* Create and start a Content Search using the above information
#>
Import-Module ExchangeOnlineManagement
Import-Module Microsoft.Online.SharePoint.PowerShell
# Prompt for the credentials used by Connect-SPOService
$creds = Get-Credential
# Replace the -Url value with your own tenant's SharePoint admin URL (https://<tenant>-admin.sharepoint.com)
Connect-SPOService -Credential $creds -Url https://magdev-admin.sharepoint.com -ModernAuth $true -AuthenticationUrl https://login.microsoftonline.com/organizations
Connect-IPPSSession
# Get other required information
$inputfile = Read-Host "Enter the file name of the text file that contains the email addresses for the users you want to search"
$searchName = Read-Host "Enter the name for the new search"
$searchQuery = Read-Host "[Optional] Enter the search query you want to use"
$tempDir = "C:\Temp"
# -Force overwrites a URL list left behind by an earlier run
New-Item -Path "$tempDir\ODUrls.txt" -ItemType File -Force | Out-Null
$emailAddresses = Get-Content $inputfile | Where-Object {$_ -ne ""} | ForEach-Object{ $_.Trim() }
# Resolve each custodian's OneDrive for Business site from the SharePoint admin service
ForEach ($emailAddress in $emailAddresses)
{
# The address must be quoted inside the filter string
$OneDriveURL = Get-SPOSite -IncludePersonalSite $true -Limit all -Filter "Owner -like '$emailAddress'" | Select-Object -ExpandProperty Url
if ($null -ne $OneDriveURL){
Add-Content "$tempDir\ODUrls.txt" $OneDriveURL
Write-Host "$emailAddress => $OneDriveURL"
} else {
Write-Warning "Could not locate OneDrive for $emailAddress"
}
}
$urls = Get-Content "$tempDir\ODUrls.txt" | Where-Object {$_ -ne ""} | ForEach-Object{ $_.Trim() }
Write-Host "Creating and starting the search"
# Collect OneDrive & Email
$search = New-ComplianceSearch -Name $searchName -ExchangeLocation $emailAddresses -SharePointLocation $urls -ContentMatchQuery $searchQuery
# Finally, start the search and then display the status
if($search)
{
Start-ComplianceSearch $search.Name
Get-ComplianceSearch $search.Name
}
Remove-Item $tempDir\ODUrls.txt
MS One Drive: MSOneDriveSearch.ps1
Note: you will get 2 authentication prompts, as you are logging on to the Security & Compliance Center as well as the SharePoint Admin panel.
<# MS OneDrive Security & Compliance Search
version 2.0
https://github.com/dwmetz/Axiom-PowerShell
Author: @dwmetz
Function: This script will generate a Security and Compliance Search to capture OneDrive for a list of custodians.
This PowerShell script will prompt you for the following information:
* Your user credentials
* The pathname for the text file that contains a list of user email addresses
* The name of the Content Search that will be created
* The search query string (optional. mastering the search query cmd is a dark art.)
The script will then:
* Find the OneDrive for Business site for each user in the text file
* Create and start a Content Search using the above information
#>
Import-Module ExchangeOnlineManagement
Import-Module Microsoft.Online.SharePoint.PowerShell
# Prompt for the credentials used by Connect-SPOService
$creds = Get-Credential
# Replace the -Url value with your own tenant's SharePoint admin URL (https://<tenant>-admin.sharepoint.com)
Connect-SPOService -Credential $creds -Url https://magdev-admin.sharepoint.com -ModernAuth $true -AuthenticationUrl https://login.microsoftonline.com/organizations
Connect-IPPSSession
# Get other required information
$inputfile = Read-Host "Enter the file name of the text file that contains the email addresses for the users you want to search"
$searchName = Read-Host "Enter the name for the new search"
$searchQuery = Read-Host "[Optional] Enter the search query you want to use"
$tempDir = "C:\Temp"
# -Force overwrites a URL list left behind by an earlier run
New-Item -Path "$tempDir\ODUrls.txt" -ItemType File -Force | Out-Null
$emailAddresses = Get-Content $inputfile | Where-Object {$_ -ne ""} | ForEach-Object{ $_.Trim() }
# Resolve each custodian's OneDrive for Business site from the SharePoint admin service
ForEach ($emailAddress in $emailAddresses)
{
# The address must be quoted inside the filter string
$OneDriveURL = Get-SPOSite -IncludePersonalSite $true -Limit all -Filter "Owner -like '$emailAddress'" | Select-Object -ExpandProperty Url
if ($null -ne $OneDriveURL){
Add-Content "$tempDir\ODUrls.txt" $OneDriveURL
Write-Host "$emailAddress => $OneDriveURL"
} else {
Write-Warning "Could not locate OneDrive for $emailAddress"
}
}
$urls = Get-Content "$tempDir\ODUrls.txt" | Where-Object {$_ -ne ""} | ForEach-Object{ $_.Trim() }
# Collect OneDrive
$search = New-ComplianceSearch -Name $searchName -SharePointLocation $urls -ContentMatchQuery $searchQuery
# Finally, start the search and then display the status
if($search)
{
Start-ComplianceSearch $search.Name
Get-ComplianceSearch $search.Name
}
Remove-Item $tempDir\ODUrls.txt
*Microsoft Teams
There are 2 scripts here for Microsoft Teams. Note – by default, a mailbox .pst file that contains Teams data will not show that Teams data when the .pst is viewed with Outlook. Magnet AXIOM easily parses the Teams content, whether integrated as part of a mailbox collection or from collections where just MS Teams data is captured.
MS Teams – single custodian: MSTeamsSearch.ps1
<# MS Teams Security & Compliance Search
version 2.0
https://github.com/dwmetz/Axiom-PowerShell
Author: @dwmetz
Function:
Collect an O365 mailbox search for MS Teams communications.
Note this script requires previous installation of the ExchangeOnlineManagement PowerShell module
See https://docs.microsoft.com/en-us/powershell/exchange/connect-to-scc-powershell?view=exchange-ps for more information.
Updates:
25.October.2022 - updated ExchangeOnlineManagement connection, Security & Compliance Center (IPPSSession)
#>
Import-module ExchangeOnlineManagement
Connect-ExchangeOnline
[string]$aname = Read-Host -Prompt 'Enter your account name'
Connect-IPPSSession -UserPrincipalName $aname
[string]$name = Read-Host -Prompt 'Enter a name for the search'
[string]$email = Read-Host -Prompt 'Enter the users email address'
# Build a single KQL string. Passing the item classes as an array binds them to the [string]
# parameter joined by spaces, which KQL treats as AND (no item has several ItemClass values),
# so the conditions are joined with OR instead.
$teamsQuery = @(
'kind=microsoftteams',
'ItemClass=IPM.Note.Microsoft.Conversation',
'ItemClass=IPM.Note.Microsoft.Missed',
'ItemClass=IPM.Note.Microsoft.Conversation.Voice',
'ItemClass=IPM.Note.Microsoft.Missed.Voice',
'ItemClass=IPM.SkypeTeams.Message'
) -join ' OR '
New-ComplianceSearch -Name $name -ExchangeLocation $email -ContentMatchQuery $teamsQuery
Start-ComplianceSearch $name
Get-ComplianceSearch $name
Write-Host "Search initiated." -ForegroundColor Cyan
Write-Host "Proceed to https://protection.office.com/ to download the results." -ForegroundColor Cyan
MS Teams – group of custodians: MSTeamsGroupSearch.ps1
<# MS Teams (Group) Security & Compliance Search
version 1.0
https://github.com/dwmetz/Axiom-PowerShell
Author: @dwmetz
Function:
Collect MS Teams for group of custodians in O365.
Note this script requires previous installation of the ExchangeOnlineManagement PowerShell module
See https://docs.microsoft.com/en-us/powershell/exchange/connect-to-scc-powershell?view=exchange-ps for more information.
This PowerShell script will prompt you for the following information:
* Your user credentials
* The pathname for the text file that contains a list of user email addresses
The script will then:
* Create and start a Content Search using the above information
Updates:
17.November.2022 - ExchangeOnlineManagement connection, Security & Compliance Center (IPPSSession)
#>
# New Auth
Import-module ExchangeOnlineManagement
Connect-IPPSSession
# Get other required information
$inputfile = read-host "Enter the file name of the text file that contains the email addresses for the users you want to search"
$searchName = Read-Host "Enter the name for the new search"
$emailAddresses = Get-Content $inputfile | Where-Object {$_ -ne ""} | ForEach-Object{ $_.Trim() }
Write-Host "Creating and starting the search"
# Build a single KQL string. Passing the item classes as an array binds them to the [string]
# parameter joined by spaces, which KQL treats as AND (no item has several ItemClass values),
# so the conditions are joined with OR instead.
$teamsQuery = @(
'kind=microsoftteams',
'ItemClass=IPM.Note.Microsoft.Conversation',
'ItemClass=IPM.Note.Microsoft.Missed',
'ItemClass=IPM.Note.Microsoft.Conversation.Voice',
'ItemClass=IPM.Note.Microsoft.Missed.Voice',
'ItemClass=IPM.SkypeTeams.Message'
) -join ' OR '
$search = New-ComplianceSearch -Name $searchName -ExchangeLocation $emailAddresses -ContentMatchQuery $teamsQuery
# Finally, start the search and then display the status
if($search)
{
Start-ComplianceSearch $search.Name
Get-ComplianceSearch $search.Name
}
Write-Host "Search initiated." -ForegroundColor Cyan
Write-Host "Proceed to https://protection.office.com/ to download the results." -ForegroundColor Cyan
All of the scripts above can be downloaded from my Axiom-PowerShell GitHub repo. You can grab all the scripts at once by going to the latest releases file.