DIY Home Network Rack – the Lack Rack


I’ve got an abundance of equipment in my home office/lab. I’d been contemplating doing a rack setup for a while but all of the options I was looking at were above budget for what I wanted to spend. Also, while I liked the idea of the functionality of a rack I wasn’t too keen on how a tower of metal would go with the décor. Then I stumbled across the “Lack Rack.”

Here’s what I used: (All in it was about $110.)

Depending on how many tiers you want to do you can adjust the number of tables. Remember you’ll need one extra for the base.

The Plan:

There’s the expression, “Measure twice, cut once.” With me it’s more like measure 4 times. Measure the components you plan to include, adding in room for the rack shelves as well.

the original design plan.

Assembly:

Secure the casters to the bottom of one of the tabletops. Casters should be about 3/4 inch from the corners. Center them over where the mounting holes for the legs are.

For the lowest level, I used the full length of the table legs. So just build the table as per the instructions (screw in the legs).

Next, start stacking. I used a little bit of Gorilla glue on the bottom of the legs and attached it to the wheeled base. 4 steel braces were also used to secure the legs to the base.

The next set of legs are going to be cut shorter. Wrapping the area where you’re cutting with painter’s tape helps keep the edges from getting brittle. A power saw is probably easier but in this case a hack saw sufficed.

Add the shortened legs to the next top. Attach the short table to the previous level with steel braces. Note: because the legs are hollow at the bottom, there is no glue securing the upper tiers.

Secure the metal rack shelves to the legs below the table tops. You’ll want to keep them pretty close to the top as only about the top 2″ of the legs are solid to drill into.

Stack and secure.

Add another table stack to the top and it’s all done.

Here it is all loaded up. There’s a lot of space to add components still. There’s a switch on one of the shelves between the tiers. Also, though not currently utilized as such, all the shelves can support full 19″ network/rack hardware so as resources grow, I’ll have plenty of room to accommodate.

Summit Bound

January 2020, the last time I had work-related travel, seems like an eon ago. Later that year I had planned my first attendance at the Magnet User Summit in Nashville. Then COVID entered the scene and every event going forward for me was remote only. Don’t get me wrong, I’m an introvert and being able to work from home in my fortress of solitude the past few years has been great. I even managed to present at Magnet Enterprise Pulse and the HTCIA International Summit, both remotely. Fast forward to the present and events are starting to open back up.

Getting the band back together

The Magnet User Summit in April will be supporting in-person and virtual attendance. After two years as a virtual participant I’ll finally be able to attend in person. As it turns out I’ll be presenting at the conference as well! It’s taken me a few years to get here, but now I get to attend as a speaker (and an employee!)

You can register for the Magnet User Summit (in person or virtual) here:

I hope to see you there, be it virtual or in person. And feel free to track me down for Baker Street Forensics stickers if you’re there.

QuickPcap – Capturing a PCAP with PowerShell

Earlier today I was asked for a ‘quick and easy’ PowerShell to grab a packet capture on a Windows box. I didn’t have anything on hand so I set off to the Google and returned with the necessary ingredients.

The star of the show is netsh trace, which is built into Windows. To start the trace, capture for 90 seconds, and then stop it, the syntax would be:

netsh trace start capture=yes IPv4.Address=192.168.1.167 tracefile=c:\temp\capture.etl
Start-Sleep 90
netsh trace stop
  • Note: there are 3 lines (the first may wrap depending on window size).

As with Wireshark, you need to specify which interface you want to capture traffic from. In the example above 192.168.1.167 is the active interface I want to capture. But what if I want to use this for automation and won’t know in advance what the active IP address will be?

We can grab the local IPv4 address and save it as a variable.

#Get the local IPv4 address
$env:HostIP = (
    Get-NetIPConfiguration |
    Where-Object {
        $_.IPv4DefaultGateway -ne $null -and
        $_.NetAdapter.Status -ne "Disconnected"
    }
).IPv4Address.IPAddress

Now putting the two together:

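#Get the local IPv4 address of the connected adapter that has a default gateway
$env:HostIP = (
    Get-NetIPConfiguration |
    Where-Object {
        $_.IPv4DefaultGateway -ne $null -and
        $_.NetAdapter.Status -ne "Disconnected"
    }
).IPv4Address.IPAddress
#Start the trace, limited to traffic for that address (requires an elevated prompt)
netsh trace start capture=yes IPv4.Address=$env:HostIP tracefile=c:\temp\capture.etl
#Capture for 90 seconds, then stop the trace and write the .etl file
Start-Sleep 90
netsh trace stop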

Perfect. Automated packet capture without having to install Wireshark on the host. The only item you should need to adjust will be the capture (sleep) timer.

But wait, the request was for a pcap file, not an .etl. Lucky for us there’s an easy conversion utility, etl2pcapng. Execution is as simple as giving the exe the source and destination files.

./etl2pcapng.exe c:\temp\capture.etl c:\temp\capture.pcap

That’s it. We’re now able to collect a packet capture on Windows hosts without adding any additional tools. We can then take those collections and convert them with ease to everyone’s favorite packet analyzer.

I’ve combined everything above into QuickPcap.ps1 available on my GitHub site.

QuickPcap.ps1

In this case the capture and conversion are running as one contiguous process, but it’s easy to imagine them as separate automation elements being handled through scripting by different processes. After all, we all build our Legos differently, don’t we?
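A hardened variant of the capture-and-convert steps above, as an added example rather than the author's QuickPcap.ps1: it checks for elevation, copes with more than one active adapter, always stops the trace, and hashes the output files. The function name Invoke-TimedCapture, the C:\temp output folder and the converter path are assumptions.

```powershell
function Invoke-TimedCapture {
    param(
        [int]$Seconds = 90,
        [string]$OutDir = 'C:\temp',              # assumed output folder
        [string]$Converter = '.\etl2pcapng.exe'   # assumed location of etl2pcapng
    )

    # netsh trace needs an elevated session; fail early with a clear message.
    $principal = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run this from an elevated PowerShell session.'
    }

    # Several adapters can have a default gateway (Wi-Fi plus Ethernet, VPN).
    # Take the first address so the filter gets one IP, not a space-joined list.
    $hostIP = Get-NetIPConfiguration |
        Where-Object { $null -ne $_.IPv4DefaultGateway -and $_.NetAdapter.Status -ne 'Disconnected' } |
        ForEach-Object { $_.IPv4Address.IPAddress } |
        Select-Object -First 1
    if (-not $hostIP) { throw 'No connected adapter with an IPv4 default gateway was found.' }

    # Timestamped names keep repeated captures from overwriting each other.
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    $etl   = Join-Path $OutDir "capture-$stamp.etl"
    $pcap  = Join-Path $OutDir "capture-$stamp.pcap"

    netsh trace start capture=yes IPv4.Address=$hostIP tracefile=$etl | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "netsh trace start failed with exit code $LASTEXITCODE." }
    try {
        Start-Sleep -Seconds $Seconds
    }
    finally {
        # Always stop the trace, even on Ctrl+C, so no capture is left running.
        netsh trace stop | Out-Null
    }

    # Convert only if the converter is present; the .etl is still usable evidence.
    $files = @($etl)
    if (Test-Path $Converter) {
        & $Converter $etl $pcap | Out-Null
        if (Test-Path $pcap) { $files += $pcap }
    }

    # Record SHA256 hashes so the files can be verified after transfer.
    Get-FileHash -Path $files -Algorithm SHA256
}

Invoke-TimedCapture -Seconds 90
```

The function returns the Get-FileHash objects, so the hashes can be piped to Export-Csv and kept alongside the capture.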

“The Game is On!”

Post-update

Since this continues to be one of the most searched-for topics, be sure to check out detonaRE, a malware detonation and capture utility that uses the same pcap functionality.

detonaRE initiates packet capture and process monitor, detonates the malware, ends pcap collection, and completes evidence capture with Magnet RESPONSE. PCAP, Zip, and CSV outputs.

blog: https://bakerstreetforensics.com/2023…

GitHub: https://github.com/dwmetz/detonaRE