TL;DR: If you ever write the same thing twice, especially in a console, you should automate it. MAGA (jokingly named in November 2016) automates and standardizes a lot of the command-line tools offered in the SANS FOR408 (now SANS FOR500) course.
The Problem
Not everyone loves the command line and many feel very insecure or nervous about using it. However, a lot of great tools are command-line only which creates a problem of either having to get really comfortable with the command line (the correct answer) or find a way to type as little as possible (which also minimizes mistakes). As a general rule of thumb, if you write something twice, especially if it contains half a dozen options of varying length, you should automate it.
The Solution
While taking SANS FOR408 last year, I found a lot of my fellow students fell to one degree or another into the first camp. In order to help fellow students on the final project and to standardize my own approach through labs and the final, I wrote “Make Analysis Great Again” (MAGA) a simple batch script to automate most of the initial interaction with the solid command-line tools offered on the Windows SIFT Workstation.
The goal wasn’t to have a one-click answer, but a uniform starting point that removed a LOT of typing (where mistakes could be made by messing up output formats, for example). After hitting go on this script, students could move on to other tasks and then return for the output to feed into the rest of the lab or final. It let students worry about the actual analysis, instead of fretting over messing up the time stamp format between three different runs. I still do all of my programming from the command line and am a firm believer that forensic examiners need to know it, but for the sake of getting the most out of FOR408, it was more important to me that they know what happened after hitting go.
Based on the 408.16.2 SIFT Workstation, MAGA kicks off the following tools:
- TZWorks’ Prefetch Parser to analyze prefetch files
- John Moran’s ParseRS.exe to analyze Internet Explorer recovery files
- TZWorks’ Event Log Parser to analyze event logs
- TZWorks’ Jump List Parser to analyze jump lists
- TZWorks’ Shell Bag Parser to analyze shell bags
- TZWorks’ CAFAE to analyze user account information
- Harlan Carvey’s RegRipper to analyze registry files (make sure you download the latest version, this SIFT Workstation shipped with an incredibly old one)
MAGA also copies a lot of the key files to be examined to one folder and prompts to launch Woanware’s USB Device Forensics tool at the end to standardize an initial analytic process. All of the output goes into an output directory structure that, based on forensic examiner input, creates a folder hierarchy to keep all the users ripped from a particular machine grouped together with a similar structure. These folders are what contain the output files from all the great command line tools, as well as the copied input files to let the forensic examiner dive right in to their analysis.
Conclusion
I had intended to write something about this script sooner, I just forgot to (I also forgot to submit my pull request for some additional RegRipper functionality until writing this). This is quite likely out of date now that SANS FOR500 is a thing, but I’d love to hear from someone in that course if this works on that SIFT Workstation as well. If not, it should be able to easily be adapted for that workstation and the tools loaded onto it, work I’d be happy to do!
NB: I want to stress that this tool is NOT intended to replace learning how the underlying tools work, or what the different command line options do. It is intended to be a first start that will run a good bit of the tool suite in a standard way that will allow analysts to immediately start comparing apples to apples and be able to use more tailored commands to progress their work in whatever direction the analysis takes them.