Collecting from Microsoft Teams using PowerShell

There are two means by which to ingest Microsoft Teams information into Magnet Axiom for processing. The first approach uses Axiom Process. If you’re collecting in this manner you will need to have the credentials of the user you are collecting from. Axiom will use those credentials to log into O365 and retrieve the user’s data. Depending on the conditions of the investigation, you may have the option of resetting the password to gain access.

Magnet Axiom Cyber Teams Collection

If you don’t have the user’s credentials, but you do have administrative access to the Exchange environment, you can run a search from the Microsoft Security and Compliance center. Once the search completes you can export/download the results as a PST. To ingest the PST into Axiom just ‘add evidence’, ‘files & folders’ and then browse to the PST file.

To speed up the process, I’ve written a small PowerShell script to build and run the Compliance Center search. The script depends on the ExchangeOnlineManagement module being installed. In this script we’re connecting to Security & Compliance PowerShell using MFA and modern authentication.

TeamsSearch.ps1

The script prompts for:

  • the identity (admin ID) of the investigator
  • a name to save the Compliance search
  • the email address of the user to collect from

Once this information is provided the script will build and run the Compliance Search in O365. From this point you can log into Compliance Center, navigate to the search and then export the contents as a PST.

<# MS Teams Security & Compliance Search
author: Doug Metz https://github.com/dwmetz
Note this script requires previous installation of the ExchangeOnlineManagement PowerShell module
See https://docs.microsoft.com/en-us/powershell/exchange/connect-to-scc-powershell?view=exchange-ps for more information. #>
[string]$user = Read-Host -Prompt 'Exchange Credentials (admin UPN)'
# Modern auth / MFA: the cmdlet opens an interactive sign-in for the supplied UPN
Connect-IPPSSession -UserPrincipalName $user
[string]$name = Read-Host -Prompt 'Enter a name for the search'
[string]$email = Read-Host -Prompt 'Enter the users email address'
# One KQL string joined with OR. A comma-separated list would bind to the string parameter as an
# array and collapse into a space-separated (implicit AND) query that no single item can match.
$query = 'kind=microsoftteams OR ItemClass=IPM.Note.Microsoft.Conversation OR ItemClass=IPM.Note.Microsoft.Missed OR ItemClass=IPM.Note.Microsoft.Conversation.Voice OR ItemClass=IPM.Note.Microsoft.Missed.Voice OR ItemClass=IPM.SkypeTeams.Message'
New-ComplianceSearch -Name $name -ExchangeLocation $email -ContentMatchQuery $query
Start-ComplianceSearch -Identity $name
# The export action is only accepted once the search has finished, so poll its status first
do {
    Start-Sleep -Seconds 15
    $search = Get-ComplianceSearch -Identity $name
    Write-Host "Search status: $($search.Status)" -ForegroundColor Blue
} while ($search.Status -notin 'Completed', 'Failed')
if ($search.Status -eq 'Completed') {
    New-ComplianceSearchAction -SearchName $name -Export
    Write-Host "Export initiated" -ForegroundColor Blue
    Write-Host "Proceed to https://protection.office.com/ to download the results." -ForegroundColor Blue
} else {
    Write-Host "Search did not complete: $($search.Status)" -ForegroundColor Red
}

Either copy the code from here, or download from my GitHub repository.

Questions from the Webcast

Recently my session on PowerShell Tools for IR Forensics Collection was re-broadcast by Magnet Forensics. During the event there were a few questions and I thought I’d share my responses here.

If you missed the presentation, just look to the previous post and you’ll find a link for YouTube.

Does the CSIRT script check for sufficient available space for the temp files before running? I’ve run into this issue with KAPE collections that get a lot of event logs.

No it doesn’t. Depending on the artifact collection type, the output sizes can vary greatly. Once you have a collection script that you want to use as your default, I’d measure what the average size is. In all my collection processes I like to make sure I have 1.5x available free space for what I anticipate collecting. A WMI ‘check’ could be built into the script to verify the free space vs. expected collection needs.

Example WMI command for available free space on any fixed disks attached to the system:

Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.DriveType -eq 3 } | Select-Object DeviceID, @{n='SizeGB'; e={[math]::Round($_.Size / 1GB, 2)}}, @{n='FreeGB'; e={[math]::Round($_.FreeSpace / 1GB, 2)}}

To get the current size of the event logs via WMI:

$WMI = Get-CimInstance -ClassName 'Win32_NTEventlogFile'
$WMI | Format-Table -AutoSize

The best utilization of free space I could come up with was to grab the memory first, compress it, ship it off and then repeat the collection, compression and transfer with KAPE. This minimizes the amount of disk space needed on the remote host. Both processes have a clean-up operation where all local data is deleted from the endpoint once the network transfer has successfully completed.
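The pre-flight check suggested above, as an added example that is not part of CSIRT-Collect: it estimates what the collection will need (physical memory for the raw image, the current event log sizes, plus an assumed allowance for the KAPE triage container), applies the 1.5x margin from the answer, and compares that with the free space on the fixed disk that holds the staging directory. The function names, the `C:\Collections` staging path and the 2 GB triage allowance are assumptions. Because the script ships the memory image before KAPE runs, summing everything is a conservative (worst-case) estimate.

```powershell
# Added example (not part of CSIRT-Collect): pre-flight free-space check before a collection.
# Assumes the staging directory is on a fixed local disk; the 1.5x margin is the ratio from the post.
function Get-ExpectedCollectionBytes {
    param([long]$TriageAllowanceBytes = 2GB)   # assumed allowance for the KAPE triage VHDX
    # A raw memory image is roughly the size of physical RAM
    $ram  = (Get-CimInstance -ClassName Win32_ComputerSystem).TotalPhysicalMemory
    # Event logs are the item that grows unpredictably between hosts, so measure them live
    $logs = (Get-CimInstance -ClassName Win32_NTEventlogFile | Measure-Object -Property FileSize -Sum).Sum
    return [long]($ram + $logs + $TriageAllowanceBytes)
}

function Test-CollectionFreeSpace {
    param(
        [Parameter(Mandatory)][string]$StagingPath,   # e.g. C:\Collections (need not exist yet)
        [double]$Margin = 1.5
    )
    $expected = Get-ExpectedCollectionBytes
    $needed   = [long]($expected * $Margin)
    # 'C:\Collections' -> 'C:\' -> 'C:' so it matches Win32_LogicalDisk.DeviceID
    $drive    = [System.IO.Path]::GetPathRoot($StagingPath).TrimEnd('\')
    $disk     = Get-CimInstance -ClassName Win32_LogicalDisk -Filter "DeviceID='$drive' AND DriveType=3"
    if (-not $disk) { throw "No fixed disk found for $drive" }
    [pscustomobject]@{
        Drive      = $drive
        FreeGB     = [math]::Round($disk.FreeSpace / 1GB, 2)
        ExpectedGB = [math]::Round($expected / 1GB, 2)
        NeededGB   = [math]::Round($needed / 1GB, 2)
        Sufficient = ($disk.FreeSpace -ge $needed)
    }
}

# Usage: abort the collection early rather than fail half-way through the memory capture
$check = Test-CollectionFreeSpace -StagingPath 'C:\Collections'
$check | Format-List
if (-not $check.Sufficient) {
    Write-Host "Insufficient free space on $($check.Drive): need $($check.NeededGB) GB, have $($check.FreeGB) GB" -ForegroundColor Red
    exit 1
}
```

Placing this at the top of the collection script turns a silent, partial capture into an explicit failure that the remote operator can report back before anything is written to the endpoint.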

With memory sizes so big lately, is it possible to configure the script to collect the important artifacts from memory, rather than the entire memory (e.g. process listing, network connections, etc.)?

It would be possible to generate that information on the endpoint using a series of PowerShell commands and write the output to a text file (Get-Process, Get-NetTCPConnection, etc.).  This is certainly useful from an IR perspective, but the only artifact that would be returned back would be the output file. Depending on the circumstances of the investigation you may still need/want the full memory image as evidence.
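The per-artifact approach described in the answer above, as an added example that is not part of CSIRT-Collect: it writes a process listing, TCP connections mapped to their owning process, UDP listeners, DNS cache and running services to a single text file, then records a SHA-256 of that file so the one artifact that comes back can be verified. The function name and the `C:\Collections\Volatile` output path are assumptions; it needs an elevated session for `-IncludeUserName`.

```powershell
# Added example (not part of CSIRT-Collect): capture volatile state to a hashed text report.
function Export-VolatileTriage {
    param([Parameter(Mandatory)][string]$OutputDir)
    New-Item -ItemType Directory -Force -Path $OutputDir | Out-Null
    $stamp = Get-Date -Format 'yyyyMMdd_HHmmss'
    $out   = Join-Path $OutputDir "${env:COMPUTERNAME}_volatile_$stamp.txt"

    $procs = Get-Process -IncludeUserName -ErrorAction SilentlyContinue |
        Select-Object Id, ProcessName, UserName, StartTime, Path
    $byId = @{}
    foreach ($p in $procs) { $byId[$p.Id] = $p.ProcessName }

    # Tie each TCP connection to the owning process so a listener or outbound session can be
    # matched to a binary path in the process section
    $tcp = Get-NetTCPConnection |
        Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess,
            @{n='Process'; e={ $byId[[int]$_.OwningProcess] }}

    $sections = [ordered]@{
        'System'        = Get-CimInstance -ClassName Win32_OperatingSystem |
                              Select-Object Caption, Version, BuildNumber, LastBootUpTime
        'Processes'     = $procs
        'TCP'           = $tcp
        'UDP listeners' = Get-NetUDPEndpoint | Select-Object LocalAddress, LocalPort, OwningProcess
        'DNS cache'     = Get-DnsClientCache | Select-Object Entry, Data, TimeToLive
        'Services'      = Get-Service | Where-Object Status -eq Running | Select-Object Name, DisplayName
    }
    foreach ($k in $sections.Keys) {
        "===== $k =====" | Out-File -FilePath $out -Append -Encoding utf8
        $sections[$k] | Format-Table -AutoSize | Out-String -Width 300 |
            Out-File -FilePath $out -Append -Encoding utf8
    }
    # Hash the report so investigators can confirm it was not altered in transit
    $hash = Get-FileHash -Path $out -Algorithm SHA256
    "$($hash.Hash)  $(Split-Path $out -Leaf)" |
        Out-File -FilePath (Join-Path $OutputDir 'SHA256SUMS.txt') -Append -Encoding ascii
    return $out
}

Export-VolatileTriage -OutputDir 'C:\Collections\Volatile'
```

The report is small enough to ship over a constrained link in seconds, which is the trade-off the question is about; it is not a substitute for a full image when injected code or unlinked structures need to be examined, as the answer notes.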

Do we have the list of artifacts that are being collected here?

In the example presented we’re leveraging the SANS Triage KAPE collection target. The specific collection template used by the CSIRT-Collect script can be adjusted by changing the KAPE command options in the script. You can view the details for any KAPE target by either double-clicking the entry in the KAPE gui, or by viewing the corresponding .tkape file in the program directory (use your text editor of choice).  For the SANS Triage collection, the following artifacts are gathered:

# Event Logs
# Evidence of Execution
        Name: Prefetch
        Name: RecentFileCache
        Name: Amcache
        Name: Amcache transaction files
        Name: Syscache
        Name: Syscache transaction files
        Name: PowerShell Console Log
# File System
        Name: $MFT
        Name: $LogFile
        Name: $J
        Name: $Max
        Name: $SDS
        Name: $Boot
        Name: $T
# LNK Files and JumpLists
        Name: Lnk files from Recent
        Comment: Also includes automatic and custom jumplist directories
        Name: Lnk files from Microsoft Office Recent
        Name: Lnk files from Recent (XP)
        Name: Desktop lnk files XP
        Name: Desktop lnk files
        Name: Restore point lnk files XP
# Recycle Bin and Recycler
        Name: $Recycle.Bin
        Name: RECYCLER WinXP
# System Registry Files
        Name: SAM registry transaction files
        Name: SECURITY registry transaction files
        Name: SOFTWARE registry transaction files
        Name: SYSTEM registry transaction files
        Name: SAM registry hive
        Name: SECURITY registry hive
        Name: SOFTWARE registry hive
        Name: SYSTEM registry hive
        Name: RegBack registry transaction files
        Name: SAM registry hive (RegBack)
        Name: SECURITY registry hive (RegBack)
        Name: SOFTWARE registry hive (RegBack)
        Name: SYSTEM registry hive (RegBack)
        Name: SYSTEM registry hive (RegBack)
        Name: System Profile registry hive
        Name: System Profile registry transaction files
        Name: Local Service registry hive
        Name: Local Service registry transaction files
        Name: Network Service registry hive
        Name: Network Service registry transaction files
        Name: System Restore Points Registry Hives (XP)
# User Registry Files
        Name: ntuser.dat registry hive XP
        Name: ntuser.dat registry hive
        Name: ntuser.dat registry transaction files
        Name: ntuser.dat DEFAULT registry hive
        Name: ntuser.dat DEFAULT transaction files
        Name: UsrClass.dat registry hive
        Name: UsrClass.dat registry transaction files
# System Level Artifacts
# Scheduled Tasks
        Name: at .job
        Name: at SchedLgU.txt
        Name: XML
        Name: SRUM
        Name: Thumbcache DB
# USB Devices Logs
        Name: Setupapi.log XP
        Name: Setupapi.log Win7+
        Name: WindowsIndexSearch
        Name: WBEM
# User Communication
# Outlook PST and OST files
        Name: PST XP
        Name: OST XP
        Name: PST
        Name: OST
# Skype
        Name: main.db (App <v12)
        Name: skype.db (App +v12)
        Name: main.db XP
        Name: main.db Win7+
        Name: s4l-[username].db (App +v8)
        Name: leveldb (Skype for Desktop +v8)
# Web Browser Artifacts
        Name: Chrome bookmarks XP
        Name: Chrome Cookies XP
        Name: Chrome Current Session XP
        Name: Chrome Current Tabs XP
        Name: Chrome Favicons XP
        Name: Chrome History XP
        Name: Chrome Last Session XP
        Name: Chrome Last Tabs XP
        Name: Chrome Preferences XP
        Name: Chrome Shortcuts XP
        Name: Chrome Top Sites XP
        Name: Chrome Visited Links XP
        Name: Chrome Web Data XP
        Name: Chrome bookmarks
        Name: Chrome Cookies
        Name: Chrome Current Session
        Name: Chrome Current Tabs
        Name: Chrome Favicons
        Name: Chrome History
        Name: Chrome Last Session
        Name: Chrome Last Tabs
        Name: Chrome Preferences
        Name: Chrome Shortcuts
        Name: Chrome Top Sites
        Name: Chrome Visited Links
        Name: Chrome Web Data
        Name: Chrome Extension Files
        Name: Chrome Extension Files XP
        Name: Edge folder
        Name: WebcacheV01.dat
        Name: Firefox Places
        Name: Firefox Downloads
        Name: Firefox Form history
        Name: Firefox Cookies
        Name: Firefox Signons
        Name: Firefox Webappstore
        Name: Firefox Favicons
        Name: Firefox Addons
        Name: Firefox Search
        Name: Firefox Places (XP)
        Name: Firefox Downloads (XP)
        Name: Firefox Form history (XP)
        Name: Firefox Cookies (XP)
        Name: Firefox Signons (XP)
        Name: Firefox Webappstore (XP)
        Name: Firefox Favicons (XP)
        Name: Firefox Addons (XP)
        Name: Firefox Search (XP)
        Name: Index.dat History
        Name: Index.dat History subdirectory
        Name: Index.dat temp internet files
        Name: Index.dat cookies (XP)
        Name: Index.dat UserData (XP)
        Name: Index.dat Office XP
        Name: Index.dat Office
        Name: Local Internet Explorer folder
        Name: Roaming Internet Explorer folder
        Name: IE 9/10 History
        Name: IE 9/10 Cache
        Name: IE 9/10 Cookies
        Name: IE 9/10 Download History
        Name: IE 11 Metadata
        Name: IE 11 Cache
        Name: IE 11 Cookies
# Windows Timeline
        Name: ActivitiesCache.db
        Name: ActivitiesCache.db-shm
        Name: ActivitiesCache.db-wal
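The answer above points at the .tkape files for the authoritative list. As an added example that is not part of CSIRT-Collect or KAPE, the function below produces a listing like the one above by reading a target file and following the `Path:` references that a compound target (such as !SANS_Triage) makes to other .tkape files. Two small targets are constructed in a temp directory so it runs without a KAPE install; the .tkape layout it parses (`Targets:` entries with `Name:` and `Path:` keys) is KAPE's own, and the function name and sample contents are assumptions. Point it at `<KAPE>\Targets\Compound\!SANS_Triage.tkape` to get the real list.

```powershell
# Added example (not part of CSIRT-Collect or KAPE): enumerate the artifacts a KAPE target collects.
function Get-KapeTargetArtifacts {
    param(
        [Parameter(Mandatory)][string]$TkapeFile,
        # Root of the Targets tree, used to locate referenced .tkape files in any subfolder
        [string]$TargetsRoot = (Split-Path (Split-Path $TkapeFile -Parent) -Parent),
        [int]$Depth = 0
    )
    $name = $null
    foreach ($line in Get-Content -Path $TkapeFile) {
        if ($line -match '^\s*Name:\s*(.+?)\s*$') { $name = $Matches[1] }
        elseif ($line -match '^\s*Path:\s*(.+?)\s*$') {
            $path = $Matches[1]
            if ($path -like '*.tkape') {
                # Compound entry: print it as a heading and recurse into the referenced target
                '{0}# {1}' -f ('  ' * $Depth), $name
                $child = Get-ChildItem -Path $TargetsRoot -Recurse -Filter (Split-Path $path -Leaf) |
                    Select-Object -First 1
                if ($child) {
                    Get-KapeTargetArtifacts -TkapeFile $child.FullName -TargetsRoot $TargetsRoot -Depth ($Depth + 1)
                } else {
                    '{0}  (missing: {1})' -f ('  ' * $Depth), $path
                }
            } else {
                # Leaf entry: the artifact name and the on-disk location it is collected from
                '{0}  Name: {1}  [{2}]' -f ('  ' * $Depth), $name, $path
            }
        }
    }
}

# Constructed sample targets (not KAPE's shipped files) so the function can be exercised offline
$root = Join-Path $env:TEMP 'tkape_demo'
New-Item -ItemType Directory -Force -Path "$root\Compound", "$root\Windows" | Out-Null
@'
Description: Constructed compound target for the example
Targets:
    -
        Name: Event Logs
        Category: EventLogs
        Path: EventLogs.tkape
'@ | Set-Content -Path "$root\Compound\Demo_Triage.tkape"
@'
Description: Constructed single target for the example
Targets:
    -
        Name: Event logs Win7+
        Category: EventLogs
        Path: C:\Windows\System32\winevt\logs
        FileMask: '*.evtx'
'@ | Set-Content -Path "$root\Windows\EventLogs.tkape"

Get-KapeTargetArtifacts -TkapeFile "$root\Compound\Demo_Triage.tkape"
```

Running the listing against the exact KAPE directory that sits on the collection share, rather than a local install, is the way to document what a given CSIRT-Collect deployment actually gathers, since the share copy is what executes on the endpoint.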

Thanks to everyone who participated. If you have further questions feel free to post them here or on the GitHub site https://github.com/dwmetz/CSIRT-Collect

CSIRT-Collect

A PowerShell script to collect memory and (triage) disk forensics for incident response investigations

There are a number of tools that support a one-to-many remote operation capability. However, not all organizations have that level of capability. I’ve also seen that in some large organizations, how things are designed to work with remote assets and how they actually work may not be the same. What I wanted was a repeatable, pre-defined collection mechanism that could scale out, so that non-forensics team members can participate in forensic evidence collection for incident response examinations. The intent is that the collection process can be distributed among remote team members, be it site support or the Security Operations Center (SOC). The script can also be integrated into SOAR and EDR platforms.

CSIRT-Collect was written to fill that role.

https://github.com/dwmetz/CSIRT-Collect

CSIRT-Collect leverages a network share, from which it will access and copy the required executables and subsequently upload the acquired evidence to the same share post-collection.

Permission requirements for said directory will be dependent on the nuances of the environment and what credentials are used for the script execution (interactive vs. automation). In the demonstration code, a network location of \\Synology\Collections can be seen. This should be changed to reflect the specifics of your environment.

The Collections folder will need to include:
– subdirectory KAPE; copy the directory from any existing install
– subdirectory MEMORY; 7za.exe (the command-line version of 7-Zip) and winpmem.exe

CSIRT-Collect Operations:

  • Maps to an existing network drive containing:
  • Subdir 1: “Memory” – Winpmem and 7zip executables
  • Subdir 2: “KAPE” – directory (copied from local install)
  • Creates a local directory on asset
  • Copies the Memory exe files to local directory
  • Captures memory with Winpmem
  • When complete, ZIPs the memory image
  • Renames the zip file based on hostname
  • Documents the OS Build Info (no need to determine profile for Volatility)
  • Compressed image is copied to network directory and deleted from host after transfer complete
  • New temp Directory on asset for KAPE output
  • KAPE !SANS_Triage collection is run using VHDX as output format [$hostname.vhdx] **
  • VHDX transfers to network
  • Removes the local KAPE directory after completion
  • Writes a “Process complete” text file to network to signal investigators that collection is ready for analysis.

** Note: you can build different KAPE collection profiles by modifying just one line of code. Profiles can be chosen to support the requirements of the investigation.
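The sequence of operations above, as an added illustration that is not the project's own script: it maps the share, captures memory with winpmem, records the OS build, zips and ships the image, then copies KAPE locally, runs the target into a VHDX and ships that, and finally writes the completion marker. Each transfer is verified by comparing a SHA-256 of the local and remote copies before the local file is deleted, which is the check a practitioner wants before "deleted from host after transfer complete". The share path is the one from the post; the staging folder, executable names, the winpmem invocation (assumed to be the winpmem_mini build, which takes only the output path) and the KAPE switches (`--tsource`, `--tdest`, `--target`, `--vhdx`, as documented for kape.exe) are assumptions to check against your copies.

```powershell
# Added illustration of the CSIRT-Collect operations; not the project's script. Change the
# share, staging path and target to suit your environment.
$Share    = '\\Synology\Collections'   # share named in the post (placeholder)
$Computer = $env:COMPUTERNAME           # $Host is a reserved automatic variable, so do not use it
$Local    = "C:\${Computer}_collect"    # temporary staging directory on the asset
$Target   = '!SANS_Triage'              # the one line to change for a different KAPE profile

function Send-Evidence {
    # Copy a file to the share, verify the copy by SHA-256, record the hash, then delete the local copy.
    param([Parameter(Mandatory)][string]$Path, [Parameter(Mandatory)][string]$Destination)
    $leaf = Split-Path $Path -Leaf
    $src  = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    Copy-Item -Path $Path -Destination $Destination -ErrorAction Stop
    $dst  = (Get-FileHash -Path (Join-Path $Destination $leaf) -Algorithm SHA256).Hash
    if ($src -ne $dst) { throw "Hash mismatch after transfer of $leaf; local copy kept" }
    "$src  $leaf" | Out-File -FilePath (Join-Path $Destination 'SHA256SUMS.txt') -Append -Encoding ascii
    Remove-Item -Path $Path -Force   # local data is removed only after the transfer verified
}

# --- Map the share and stage the tools ---
New-PSDrive -Name X -PSProvider FileSystem -Root $Share -ErrorAction Stop | Out-Null
$Dest = "X:\$Computer"
New-Item -ItemType Directory -Force -Path $Local, $Dest | Out-Null
Copy-Item -Path 'X:\MEMORY\winpmem.exe', 'X:\MEMORY\7za.exe' -Destination $Local

# --- Memory: capture, document the OS build, zip under the hostname, ship ---
& "$Local\winpmem.exe" "$Local\$Computer.raw"
if ($LASTEXITCODE -ne 0) { throw "winpmem exited with $LASTEXITCODE" }
Get-CimInstance -ClassName Win32_OperatingSystem |
    Select-Object Caption, Version, BuildNumber, OSArchitecture, LastBootUpTime |
    Out-File -FilePath "$Local\${Computer}_osinfo.txt"
& "$Local\7za.exe" a -tzip "$Local\${Computer}_memory.zip" "$Local\$Computer.raw" "$Local\${Computer}_osinfo.txt"
Remove-Item -Path "$Local\$Computer.raw" -Force   # raw image is in the zip; free the space before KAPE runs
Send-Evidence -Path "$Local\${Computer}_memory.zip" -Destination $Dest

# --- KAPE triage: copy the program directory locally, run the target, ship the container ---
Copy-Item -Path 'X:\KAPE' -Destination "$Local\KAPE" -Recurse
& "$Local\KAPE\kape.exe" --tsource C: --tdest "$Local\kape_out" --target $Target --vhdx $Computer
Get-ChildItem -Path "$Local\kape_out" -Recurse -File |
    Where-Object { $_.Extension -in '.vhdx', '.zip' } |   # KAPE may zip the VHDX depending on its settings
    ForEach-Object { Send-Evidence -Path $_.FullName -Destination $Dest }

# --- Clean up the endpoint and signal the investigators ---
Remove-Item -Path $Local -Recurse -Force
"Collection of $Computer complete at $(Get-Date -Format o)" | Out-File -FilePath "$Dest\ProcessComplete.txt"
Remove-PSDrive -Name X
```

The hash list written next to the evidence doubles as the chain-of-custody record for the share: an investigator can re-hash the zip and VHDX on the analysis workstation and compare against what the endpoint computed at collection time.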

CSIRT-Collect_USB

This is a separate script that performs essentially the same functionality as CSIRT-Collect.ps1 with the exception that it is intended to be run from a USB device. There is no need for a temporary host directory as the information is written direct to the USB device. The extra compression operations on the memory image and KAPE .vhdx have also been omitted. There is a slight change noted below to the folder structure for the USB version. On the root of the USB:

  • CSIRT-Collect_USB.ps1
  • folder (empty to start) titled ‘Collections’
  • folders for KAPE and Memory – same as above
  • Execution: open PowerShell as Administrator, navigate to the USB device and run ./CSIRT-Collect_USB.ps1

To see a demonstration of CSIRT-Collect in action please register for my talk this Thursday, PowerShell Tools for IR Forensics Collection as part of the Enterprise Pulse lecture series hosted by Magnet Forensics.

Q&A will be live on Discord during the event.