Group collections from O365 with PowerShell

If you’re working in, or responding to an incident in, an O365 environment, there are plenty of situations where you need to search and collect from multiple O365 custodians at the same time. While the experience of the Security & Compliance Center has improved over the years, I still find it inefficient for creating larger collections – especially when each custodian has to be searched for and added one at a time.

I created a handful of PowerShell scripts that automate the creation of searches for a group of custodians (provided via .txt file). I’ve used these methods countless times for both eDiscovery and IR cases.

There are different scripts to address the collection of:

  • O365 Mailbox – will capture email, calendar, tasks, contacts, MS Teams*.
  • Microsoft Teams – either for a single custodian or for a group.
  • Microsoft OneDrive – collect the O365 OneDrive for Business for a group of custodians.
  • When Legal says “get it all” – All O365 mailbox contents, including Teams, and OneDrive.

Once the collection has been generated you will still need to log on to https://protection.office.com to retrieve the search results.

Prerequisites:

  • ExchangeOnlineManagement PowerShell Module
  • Microsoft.Online.SharePoint.PowerShell Module

O365 Mailbox Collections: MSExchangeGroupSearch.ps1

<# MS Exchange Security & Compliance Search 
version 2.0
https://github.com/dwmetz/Axiom-PowerShell
Author: @dwmetz
Function:
    Collect an O365 mailbox search for group of custodians.
    Note this script requires previous installation of the ExchangeOnlineManagement PowerShell module
    See https://docs.microsoft.com/en-us/powershell/exchange/connect-to-scc-powershell?view=exchange-ps for more information.
      
This PowerShell script will prompt you for the following information:
    * Your user credentials                                          
    * The pathname for the text file that contains a list of user email addresses
    * The name of the Content Search that will be created
    * The search query string
The script will then:
    * Create and start a Content Search using the above information

Updates:
    17.November.2022 - updated ExchangeOnlineManagement connection, Security & Compliance Center (IPPSSession)

#>
# New Auth
Import-module ExchangeOnlineManagement
Connect-IPPSSession
# Get other required information
$inputfile = read-host "Enter the file name of the text file that contains the email addresses for the users you want to search"
$searchName = Read-Host "Enter the name for the new search"
$searchQuery = Read-Host "[Optional] Enter the search query you want to use"
$emailAddresses = Get-Content $inputfile | Where-Object {$_ -ne ""}  | ForEach-Object{ $_.Trim() }
Write-Host "Creating and starting the search"
$search = New-ComplianceSearch -Name $searchName -ExchangeLocation $emailAddresses -ContentMatchQuery $searchQuery
# Finally, start the search and then display the status
if($search)
{
    Start-ComplianceSearch $search.Name
    Get-ComplianceSearch $search.Name
} 
Write-Host "Search initiated" -ForegroundColor Blue
Write-Host "Proceed to https://protection.office.com/ to download the results." -ForegroundColor Blue

O365 Mailboxes and OneDrives: MS-ExchangeODGroupSearch.ps1

Note: you will get two authentication prompts, as you are logging on to both the Security & Compliance Center and the SharePoint admin site.

<# MS Exchange & OneDrive Security & Compliance Search 
version 2.0
https://github.com/dwmetz/Axiom-PowerShell
Author: @dwmetz

Function: This script will generate a Security and Compliance Search to capture O365 Email and OneDrive for a list of custodians.

This PowerShell script will prompt you for the following information:
    * Your user credentials                                          
    * The pathname for the text file that contains a list of user email addresses
    * The name of the Content Search that will be created
    * The search query string (optional. mastering the search query cmd is a dark art.)
 The script will then:
    * Find the OneDrive for Business site for each user in the text file
    * Create and start a Content Search using the above information
#>
Import-Module ExchangeOnlineManagement
Import-Module Microsoft.Online.SharePoint.PowerShell
# Replace the admin URL with your own tenant's SharePoint admin site. Modern auth prompts
# interactively, so no credential object is needed here.
Connect-SPOService -Url https://magdev-admin.sharepoint.com -ModernAuth $true -AuthenticationUrl https://login.microsoftonline.com/organizations
Connect-IPPSSession
# Get other required information
$inputfile = Read-Host "Enter the file name of the text file that contains the email addresses for the users you want to search"
$searchName = Read-Host "Enter the name for the new search"
$searchQuery = Read-Host "[Optional] Enter the search query you want to use"
$emailAddresses = Get-Content $inputfile | Where-Object {$_ -ne ""} | ForEach-Object { $_.Trim() }
# Resolve each custodian's OneDrive for Business site URL; the URLs are staged in a temp file
$tempDir = "C:\Temp"
$urlFile = "$tempDir\ODUrls.txt"
New-Item -ItemType Directory -Path $tempDir -Force | Out-Null
New-Item -ItemType File -Path $urlFile -Force | Out-Null
ForEach ($emailAddress in $emailAddresses)
{
    $OneDriveURL = Get-SPOSite -IncludePersonalSite $true -Limit all -Filter "Owner -like '$emailAddress'" | Select-Object -ExpandProperty Url
    if ($null -ne $OneDriveURL) {
        Add-Content $urlFile $OneDriveURL
        Write-Host "$emailAddress => $OneDriveURL"
    } else {
        Write-Warning "Could not locate OneDrive for $emailAddress"
    }
}
$urls = Get-Content $urlFile | Where-Object {$_ -ne ""} | ForEach-Object { $_.Trim() }
Write-Host "Creating and starting the search"
# Collect OneDrive & Email
$search = New-ComplianceSearch -Name $searchName -ExchangeLocation $emailAddresses -SharePointLocation $urls -ContentMatchQuery $searchQuery
# Finally, start the search and then display the status
if($search)
{
    Start-ComplianceSearch $search.Name
    Get-ComplianceSearch $search.Name
}
Remove-Item $urlFile

MS One Drive: MSOneDriveSearch.ps1

Note: you will get two authentication prompts, as you are logging on to both the Security & Compliance Center and the SharePoint admin site.

<# MS OneDrive Security & Compliance Search 
version 2.0
https://github.com/dwmetz/Axiom-PowerShell
Author: @dwmetz
Function:
    This script will generate a Security and Compliance Search to capture OneDrive for a list of custodians.

This PowerShell script will prompt you for the following information:
    * Your user credentials                                          
    * The pathname for the text file that contains a list of user email addresses
    * The name of the Content Search that will be created
    * The search query string (optional. mastering the search query cmd is a dark art.)
 The script will then:
    * Find the OneDrive for Business site for each user in the text file
    * Create and start a Content Search using the above information
#>
Import-Module ExchangeOnlineManagement
Import-Module Microsoft.Online.SharePoint.PowerShell
# Replace the admin URL with your own tenant's SharePoint admin site. Modern auth prompts
# interactively, so no credential object is needed here.
Connect-SPOService -Url https://magdev-admin.sharepoint.com -ModernAuth $true -AuthenticationUrl https://login.microsoftonline.com/organizations
Connect-IPPSSession
# Get other required information
$inputfile = Read-Host "Enter the file name of the text file that contains the email addresses for the users you want to search"
$searchName = Read-Host "Enter the name for the new search"
$searchQuery = Read-Host "[Optional] Enter the search query you want to use"
$emailAddresses = Get-Content $inputfile | Where-Object {$_ -ne ""} | ForEach-Object { $_.Trim() }
# Resolve each custodian's OneDrive for Business site URL; the URLs are staged in a temp file
$tempDir = "C:\Temp"
$urlFile = "$tempDir\ODUrls.txt"
New-Item -ItemType Directory -Path $tempDir -Force | Out-Null
New-Item -ItemType File -Path $urlFile -Force | Out-Null
ForEach ($emailAddress in $emailAddresses)
{
    $OneDriveURL = Get-SPOSite -IncludePersonalSite $true -Limit all -Filter "Owner -like '$emailAddress'" | Select-Object -ExpandProperty Url
    if ($null -ne $OneDriveURL) {
        Add-Content $urlFile $OneDriveURL
        Write-Host "$emailAddress => $OneDriveURL"
    } else {
        Write-Warning "Could not locate OneDrive for $emailAddress"
    }
}
$urls = Get-Content $urlFile | Where-Object {$_ -ne ""} | ForEach-Object { $_.Trim() }
Write-Host "Creating and starting the search"
# Collect OneDrive
$search = New-ComplianceSearch -Name $searchName -SharePointLocation $urls -ContentMatchQuery $searchQuery
# Finally, start the search and then display the status
if($search)
{
    Start-ComplianceSearch $search.Name
    Get-ComplianceSearch $search.Name
}
Remove-Item $urlFile

*Microsoft Teams

There are two scripts here for Microsoft Teams. Note – by default, a mailbox .pst file that contains Teams data will not show that Teams data when the .pst is viewed with Outlook. Magnet AXIOM easily parses the Teams content, whether integrated as part of a mailbox collection or from collections where just MS Teams data is captured.

MS Teams – single custodian: MSTeamsSearch.ps1

<# MS Teams Security & Compliance Search 
version 2.0
https://github.com/dwmetz/Axiom-PowerShell
Author: @dwmetz
Function:
    Collect an O365 mailbox search for MS Teams communications.
    Note this script requires previous installation of the ExchangeOnlineManagement PowerShell module
    See https://docs.microsoft.com/en-us/powershell/exchange/connect-to-scc-powershell?view=exchange-ps for more information.
    
Updates:
    25.October.2022 - updated ExchangeOnlineManagement connection, Security & Compliance Center (IPPSSession)
    
#>
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline
[string]$aname = Read-Host -Prompt 'Enter your account name'
Connect-IPPSSession -UserPrincipalName $aname
[string]$name = Read-Host -Prompt 'Enter a name for the search'
[string]$email = Read-Host -Prompt 'Enter the users email address'
# Teams content lives in the mailbox under these item classes. Join the criteria with an
# explicit OR instead of passing an array to the string-typed -ContentMatchQuery parameter.
$teamsQuery = 'kind=microsoftteams OR ItemClass=IPM.Note.Microsoft.Conversation OR ItemClass=IPM.Note.Microsoft.Missed OR ItemClass=IPM.Note.Microsoft.Conversation.Voice OR ItemClass=IPM.Note.Microsoft.Missed.Voice OR ItemClass=IPM.SkypeTeams.Message'
New-ComplianceSearch -Name $name -ExchangeLocation $email -ContentMatchQuery $teamsQuery
Start-ComplianceSearch $name
Get-ComplianceSearch $name
Write-Host "Search initiated." -ForegroundColor Cyan
Write-Host "Proceed to https://protection.office.com/ to download the results." -ForegroundColor Cyan

MS Teams – group of custodians: MSTeamsGroupSearch.ps1

<# MS Teams (Group) Security & Compliance Search 
version 1.0
https://github.com/dwmetz/Axiom-PowerShell
Author: @dwmetz
Function:
    Collect MS Teams for group of custodians in O365.
    Note this script requires previous installation of the ExchangeOnlineManagement PowerShell module
    See https://docs.microsoft.com/en-us/powershell/exchange/connect-to-scc-powershell?view=exchange-ps for more information.
      
This PowerShell script will prompt you for the following information:
    * Your user credentials                                          
    * The pathname for the text file that contains a list of user email addresses

The script will then:
    * Create and start a Content Search using the above information

Updates:
    17.November.2022 - ExchangeOnlineManagement connection, Security & Compliance Center (IPPSSession)

#>
# New Auth
Import-module ExchangeOnlineManagement
Connect-IPPSSession
# Get other required information
$inputfile = read-host "Enter the file name of the text file that contains the email addresses for the users you want to search"
$searchName = Read-Host "Enter the name for the new search"
$emailAddresses = Get-Content $inputfile | Where-Object {$_ -ne ""}  | ForEach-Object{ $_.Trim() }
Write-Host "Creating and starting the search"
# Teams content lives in the mailbox under these item classes. Join the criteria with an
# explicit OR instead of passing an array to the string-typed -ContentMatchQuery parameter.
$teamsQuery = 'kind=microsoftteams OR ItemClass=IPM.Note.Microsoft.Conversation OR ItemClass=IPM.Note.Microsoft.Missed OR ItemClass=IPM.Note.Microsoft.Conversation.Voice OR ItemClass=IPM.Note.Microsoft.Missed.Voice OR ItemClass=IPM.SkypeTeams.Message'
$search = New-ComplianceSearch -Name $searchName -ExchangeLocation $emailAddresses -ContentMatchQuery $teamsQuery
# Finally, start the search and then display the status
if($search)
{
    Start-ComplianceSearch $search.Name
    Get-ComplianceSearch $search.Name
}
Write-Host "Search initiated." -ForegroundColor Cyan
Write-Host "Proceed to https://protection.office.com/ to download the results." -ForegroundColor Cyan

All of the scripts above can be downloaded from my Axiom-PowerShell GitHub repo. You can grab all the scripts at once from the latest release.
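Every script above starts the search and then sends you to the portal. The helper below is an addition written for this page (not part of the Axiom-PowerShell repo) that any of those scripts can call after Start-ComplianceSearch: it polls Get-ComplianceSearch until the job finishes, reports item count and size, and surfaces per-location errors so a mistyped address in the custodian file does not become a silent gap in the collection. The Status, Items, Size and Errors properties are those returned by Get-ComplianceSearch; the search name variable is assumed to be $searchName as in the scripts above.

```powershell
# Added helper, not from the original scripts. Assumes an existing IPPSSession.
function Wait-ComplianceSearch {
    param(
        [Parameter(Mandatory)][string]$Name,
        [int]$PollSeconds = 30,
        [int]$TimeoutMinutes = 60
    )
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        $s = Get-ComplianceSearch -Identity $Name
        Write-Host ("{0}: {1}" -f $Name, $s.Status)
        # Completed and PartiallySucceeded are both terminal; anything else is still running
        if ($s.Status -in 'Completed', 'PartiallySucceeded') { return $s }
        if ((Get-Date) -gt $deadline) { throw "Timed out waiting for search '$Name'" }
        Start-Sleep -Seconds $PollSeconds
    } while ($true)
}

# Usage after any of the scripts above ($searchName is the name you entered at the prompt)
$result = Wait-ComplianceSearch -Name $searchName
"{0}: {1} items, {2:N1} MB" -f $result.Name, $result.Items, ($result.Size / 1MB)
# A location that could not be searched (typo in the custodian list, no mailbox, etc.)
# shows up here; check it before exporting rather than after.
if ($result.Errors) { Write-Warning $result.Errors }
```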

Magnet 2022 CTF – iOS15

One of the evidence items during the 2022 Magnet User Summit CTF was a full file system extraction of an iPhone running iOS 15. Recently the CTF creators made the evidence (and corresponding challenge questions) available at CyberDefenders.org. You can register for a free account and then download the evidence. There are several recommended tools listed in the challenge summary. For me the tools used were:

Once you’re registered, process the evidence with Magnet and iLEAPP. The other tools we’ll touch on coming up.

WARNING: SPOILERS AHEAD

Don’t read ahead if you’re still working on the challenges. If you get stuck and want to see how I chose to solve it… then read on friend.


AXIOM, YARA, GitHub – Oh My!

Version 6 of Magnet AXIOM added support for YARA rules. By default the installation ships with the free open-source YARA rules from ReversingLabs. These YARA rules may be updated within AXIOM periodically. In addition to the included rules, AXIOM supports adding your own YARA source folders.

If you need to update the included rules on demand, you can do so with a PowerShell script and the GitHub CLI. The script below can be used to update the included rules, as well as other YARA sources you may be using within Axiom.

Prerequisites:

  • Prior to running the script you’ll need to install GitHub CLI
  • Once installed run gh auth login to establish authentication with GitHub
  • When running the script you will need to run as an Administrator in order for the file copy into C:\Program Files to succeed

Set the working directory to the local git repository for the YARA rules

Set-Location C:\GitHub\reversinglabs-yara-rules\

Sync the repository; requires github CLI https://cli.github.com/

gh repo sync

Create local archive directory

mkdir C:\Archives -Force

Backup the existing YARA rules in Axiom

Get-ChildItem -Path "C:\Program Files\Magnet Forensics\Magnet AXIOM\YARA" | Compress-Archive -DestinationPath C:\Archives\AxiomYARA.zip

Variable for date/time

$timestamp = Get-Date -Format o | ForEach-Object { $_ -replace ":", "." }

Set the working directory to the Archives location

Set-Location "C:\Archives"

Rename the archive with timestamp

Get-ChildItem -Filter 'AxiomYARA.zip' | Rename-Item -NewName { $_.Name -replace 'AxiomYARA', $timestamp }

Copy new YARA rules to Axiom

robocopy /s C:\GitHub\reversinglabs-yara-rules\yara "C:\Program Files\Magnet Forensics\Magnet AXIOM\YARA\ReversingLabs"


Now let’s run it all together in a single script:

Set-Location C:\GitHub\reversinglabs-yara-rules\
gh repo sync
mkdir C:\Archives -Force
Get-ChildItem -Path "C:\Program Files\Magnet Forensics\Magnet AXIOM\YARA" | Compress-Archive -DestinationPath C:\Archives\AxiomYARA.zip
$timestamp = Get-Date -Format o | ForEach-Object { $_ -replace ":", "." }
Set-Location "C:\Archives"
Get-ChildItem -Filter 'AxiomYARA.zip' | Rename-Item -NewName { $_.Name -replace 'AxiomYARA', $timestamp }
robocopy /s C:\GitHub\reversinglabs-yara-rules\yara "C:\Program Files\Magnet Forensics\Magnet AXIOM\YARA\ReversingLabs"


That’s all there is to it. If you’ve got multiple repositories to sync, just add lines to cd (Set-Location) into those directories and repeat the gh repo sync command.

Feel free to copy the code above, or you can download directly from my GitHub.

Are you utilizing YARA rules within AXIOM? If so, leave a comment on what are some that you’ve found useful.

CSIRT-Collect

A PowerShell script to collect memory and (triage) disk forensics for incident response investigations

There are a number of tools that support a one-to-many remote operation capability. However, not all organizations have that level of capability. I’ve also seen that in some large organizations, how things are designed to work with remote assets and how they actually work may not be the same. What I wanted was a repeatable, pre-defined collection mechanism that could scale out, so that non-forensics team members could participate in forensic evidence collection for incident response examinations. The intent is that the collection process can be distributed among remote team members, be it site support or the Security Operations Center (SOC). The script can also be integrated into SOAR and EDR platforms.

CSIRT-Collect was written to fill that role.

https://github.com/dwmetz/CSIRT-Collect

CSIRT-Collect leverages a network share, from which it will access and copy the required executables and subsequently upload the acquired evidence to the same share post-collection.

Permission requirements for said directory will be dependent on the nuances of the environment and what credentials are used for the script execution (interactive vs. automation). In the demonstration code, a network location of \\Synology\Collections can be seen. This should be changed to reflect the specifics of your environment.

The Collections folder will need to include:

  • subdirectory KAPE – copy the directory from any existing install
  • subdirectory MEMORY – 7za.exe (command line version of 7zip) and winpmem.exe

CSIRT-Collect Operations:

  • Maps to the existing network drive, which holds:
  • Subdir 1: “Memory” – Winpmem and 7zip executables
  • Subdir 2: “KAPE” – directory (copied from local install)
  • Creates a local directory on asset
  • Copies the Memory exe files to local directory
  • Captures memory with Winpmem
  • When complete, ZIPs the memory image
  • Renames the zip file based on hostname
  • Documents the OS Build Info (no need to determine profile for Volatility)
  • Compressed image is copied to network directory and deleted from host after transfer complete
  • New temp Directory on asset for KAPE output
  • KAPE !SANS_Triage collection is run using VHDX as output format [$hostname.vhdx] **
  • VHDX transfers to network
  • Removes the local KAPE directory after completion
  • Writes a “Process complete” text file to network to signal investigators that collection is ready for analysis.

** Note: you can build different KAPE collection profiles by modifying just one line of code. Profiles can be chosen to support the requirements of the investigation.
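The list above, as an added, simplified PowerShell sketch written for this page (it is not the CSIRT-Collect script itself). Assumptions: the share layout described above, winpmem taking the output path as its only argument, kape.exe accepting --tsource/--tdest/--target/--vhdx as used below, and a SHA-256 sidecar file, which is an addition so the analyst can verify the transfer.

```powershell
#Requires -RunAsAdministrator
# Added illustration of the CSIRT-Collect workflow; not the project's own script.
param(
    [string]$Share  = '\\Synology\Collections',  # change for your environment
    [string]$Target = '!SANS_Triage'             # the one line to change for other KAPE profiles
)
$ErrorActionPreference = 'Stop'
$hostname = $env:COMPUTERNAME
$local    = "C:\${hostname}_collect"
$kapeOut  = "C:\${hostname}_kape"

# Map the share as a PowerShell drive and stage the memory tools locally
New-PSDrive -Name Coll -PSProvider FileSystem -Root $Share | Out-Null
New-Item -ItemType Directory -Path $local, $kapeOut -Force | Out-Null
Copy-Item 'Coll:\Memory\*' -Destination $local

# Capture memory (assumed winpmem syntax: output path as argument), then record
# OS build info beside it so nobody has to guess a Volatility profile later
$raw = Join-Path $local "$hostname.raw"
& (Join-Path $local 'winpmem.exe') $raw
$os = Get-CimInstance Win32_OperatingSystem
$osInfo = Join-Path $local "$hostname-osinfo.txt"
@("Host: $hostname", "OS: $($os.Caption)", "Version: $($os.Version)",
  "Build: $($os.BuildNumber)", "Arch: $($os.OSArchitecture)") | Set-Content $osInfo

# Zip the image, hash the archive (addition), copy to the share, remove local copies
$zip = Join-Path $local "$hostname-memory.zip"
& (Join-Path $local '7za.exe') a -tzip $zip $raw $osInfo | Out-Null
(Get-FileHash $zip -Algorithm SHA256).Hash | Set-Content "$zip.sha256"
Copy-Item $zip, "$zip.sha256" -Destination 'Coll:\'
Remove-Item $raw, $zip, "$zip.sha256"

# KAPE triage collection straight into a VHDX container, then transfer and clean up
$kape = Join-Path $Share 'KAPE\kape.exe'
& $kape --tsource C: --tdest $kapeOut --target $Target --vhdx $hostname
Copy-Item (Join-Path $kapeOut '*.vhdx') -Destination 'Coll:\'
Remove-Item $local, $kapeOut -Recurse -Force

# Signal investigators that this host is ready for analysis
"Collection for $hostname completed $(Get-Date -Format o)" |
    Set-Content "Coll:\$hostname-ProcessComplete.txt"
Remove-PSDrive -Name Coll
```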

CSIRT-Collect_USB

This is a separate script that performs essentially the same functionality as CSIRT-Collect.ps1, with the exception that it is intended to be run from a USB device. There is no need for a temporary host directory, as the information is written directly to the USB device. The extra compression operations on the memory image and KAPE .vhdx have also been omitted. There is a slight change, noted below, to the folder structure for the USB version. On the root of the USB:

  • CSIRT-Collect_USB.ps1
  • folder (empty to start) titled ‘Collections’
  • folders for KAPE and Memory – same as above
  • Execution: open PowerShell as Administrator, navigate to the USB device, and execute ./CSIRT-Collect_USB.ps1

To see a demonstration of CSIRT-Collect in action please register for my talk this Thursday, PowerShell Tools for IR Forensics Collection as part of the Enterprise Pulse lecture series hosted by Magnet Forensics.

Q&A will be live on Discord during the event.