SANS ISC: Internet Storm Center

New tool: mac-robber.py

Published: 2017-09-19
Last Updated: 2017-09-19 17:36:01 UTC
by Jim Clausing (Version: 1)

On a recent forensic investigation where we couldn't take the Linux system down to image the disks, I was forced to do live response. Fortunately, I was able to get a memory image, but I also wanted a filesystem timeline. I first went to my old friend fls from The SleuthKit (TSK), but for some reason, it failed. So, I tried mac-robber (also from TSK) and it, too, failed. Not one to give up easily, I decided to write my own version of mac-robber in Python. Like the TSK mac-robber, it outputs the data in body file format (so that it can be fed into mactime or elasticsearch). Like the TSK version, by default it does not hash the files (so it doesn't modify access times), so the "MD5" column defaults to 0. In this case, though, I had reason to believe that there might be multiple copies of some potential malware scattered around the filesystem, so I really wanted to grab hashes, too. So I included that capability in the tool (in my next diary, I'll explain the trick I used to grab hashes without modifying access times).

A couple of other notes on the tool. It only hashes "regular" files; it doesn't attempt to hash soft-links, block or character device files, pipes, or sockets. It also skips /proc/kcore, which to os.stat() looks like a regular file but on my dev box is 128TB (a little more than I want to hash). At the moment, it uses MD5 as the hash because that is what fls uses, but I could easily be talked into substituting SHA256 (or SHA3 of whatever length, though in Python < 3.6 this requires pip-installing the pysha3 module). Also, due to a limitation in Python's os.stat(), it only gives MAC times, not B time (even if available in the filesystem in question). The tool should work just fine on Linux/Unix, Mac OS X, or Windows with a standard install of Python 2.7 or later, though it has not been extensively tested on anything other than Linux to date.
Another feature that I added to mine was the ability to add or remove prefixes to the path and to exclude specific directories or files. The -m switch behaves just like the corresponding switch in fls and allows you to prefix the path with a system name or drive letter. The -r switch allows you to remove a prefix (for example, when the directory in question has been mounted on /mnt, but you want your report to show the actual path on the system in question). The -x option still needs more work; at present it isn't as flexible as I'd like, but if you want to skip a specific directory or file, you can.
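To make the behaviour described above concrete, here is a small Python 3 sketch of a mac-robber-style body-file generator. It is an added example written for this diary, not the ISC tool's own code: it emits one TSK body record per directory entry, hashes regular files only, skips /proc/kcore, and handles -m/-r/-x style prefix addition, prefix removal and exclusion; the SKIP_HASH set, the function names and the sample tree built in demo() are this example's own assumptions.

```python
import hashlib, os, stat, tempfile

SKIP_HASH = {"/proc/kcore"}  # looks regular to os.stat() but is the kernel memory map

def md5_file(path, chunk=1 << 20):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def body_line(path, report_path, do_hash):
    """One TSK body record: MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime."""
    st = os.lstat(path)  # lstat: record symlinks themselves, never follow them
    digest = "0"
    # Hash regular files only: no symlinks, block/char devices, pipes or sockets.
    if do_hash and stat.S_ISREG(st.st_mode) and path not in SKIP_HASH:
        digest = md5_file(path)  # plain read, so it may update atime (stat was taken first)
    fields = (digest, report_path, st.st_ino, stat.filemode(st.st_mode), st.st_uid,
              st.st_gid, st.st_size, int(st.st_atime), int(st.st_mtime), int(st.st_ctime), 0)
    return "|".join(str(v) for v in fields)  # crtime is 0: os.stat() exposes no B time

def walk_body(root, add_prefix="", remove_prefix="", exclude=(), do_hash=False):
    """Walk root; add_prefix/remove_prefix/exclude mirror the -m/-r/-x switches."""
    exclude = {os.path.normpath(e) for e in exclude}
    def report(p):
        if remove_prefix and p.startswith(remove_prefix):
            p = p[len(remove_prefix):] or "/"  # the mount point itself reports as "/"
        return add_prefix + p
    lines = [body_line(root, report(root), do_hash)]
    for dirpath, dirnames, filenames in os.walk(root):
        # Prune excluded directories so they are neither listed nor descended into.
        dirnames[:] = [d for d in dirnames if os.path.join(dirpath, d) not in exclude]
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            if full not in exclude:
                lines.append(body_line(full, report(full), do_hash))
    return lines

def demo():
    """Constructed sample tree: one regular file, one symlink, one excluded directory."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "etc"))
    os.makedirs(os.path.join(root, "tmp"))
    with open(os.path.join(root, "etc", "a.txt"), "wb") as f:
        f.write(b"hello")
    os.symlink("a.txt", os.path.join(root, "etc", "link"))
    lines = walk_body(root, add_prefix="host1:", remove_prefix=root,
                      exclude=[os.path.join(root, "tmp")], do_hash=True)
    return {l.split("|")[1]: l.split("|") for l in lines}  # keyed by reported path
```

Hashing here is a plain read, which can update access times; the diary defers its atime-preserving trick to a later post, so this sketch only makes sure each record's stat data is captured before the file is read.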

The tool can be downloaded from my docker-forensics github and is distributed under the BSD 3-clause license. I hope you find it useful. If you have any questions, comments, suggestions, or bug fixes, please let me know via the comments here, our contact form, or create an issue (or pull request) on github.

References:

[1] https://github.com/att/docker-forensics/blob/master/mac-robber.py

---------------
Jim Clausing, GIAC GSE #26
jclausing --at-- isc [dot] sans (dot) edu
