
Automating DFIR - How to series on programming libtsk with python Part 4

Hello Reader,

Make sure you have read the prior post in this series before continuing:

Part 1 - Accessing an image and printing the partition table
Part 2 - Extracting a file from an image
Part 3 - Extracting a file from a live system

Following this post the series continues:

Part 5 - Auto escalating your python script to administrator
Part 6 - Accessing an E01 image and extracting files
Part 7 - Taking in command line options with argparse to specify an image
Part 8 - Hashing a file stored in a forensic image
Part 9 - Recursively hashing all the files in an image
Part 10 - Recursively searching for files and extracting them from an image
Part 11 - Recursively searching for files and extracting them from a live system 
Part 12 - Accessing different file systems
Part 13 - Accessing Volume Shadow Copies  

In the previous post we modified our DFIR Wizard program to run against a live system. Now this is great, but wait... what do we do if the live system we want to run it against does not have python installed?!

While we could install python and the pytsk library on every system we want to access, that's not the best idea for a couple reasons:
1. Larger impact to forensic evidence
2. Production systems tend to be quite restrictive on new program installs
3. Unintended side effects on shared libraries
4. Internal politics


So what if we could take our python script and turn it into a standalone executable? Well you can! I am going to cover the most widely used and known program to do this, py2exe.

Things you'll need to follow along with this post:


1. Py2Exe, download it from http://sourceforge.net/projects/py2exe/files/latest/download?source=files. If you are doing this on OSX or Linux you most likely will already have python installed; if not, look into py2app for OSX and pyInstaller for cross platform support.
2. To have your program run on systems without the required msvcr90.dll you'll also need to grab the redistributable package Microsoft provides. You can download it here: http://www.microsoft.com/downloads/en/details.aspx?FamilyID=9b2da534-3e03-4391-8a4d-074b9f2bc1bf&displaylang=en

Turning your python program into a windows executable


So let's turn dfirwizard-v3.py into dfirwizard-v3.exe!

The first thing you'll need to do is install py2exe; when you are done, continue on to the next step.
The second thing you'll need to do is create a new python script called setup.py in the same directory as dfirwizard-v3.py.

The contents of setup.py will be as follows:
from distutils.core import setup  # setup() describes what to build
import py2exe  # importing py2exe registers the "py2exe" build command with distutils

setup(console=['dfirwizard-v3.py'])  # build a windows console executable from our script
We are doing three things in this script. The first thing we are doing is importing a single function from the distutils.core package into our local namespace. This means when we call setup we don't have to say distutils.core.setup; instead we can just write setup. Distutils, or distribution utilities, is a library made for creating packages of python code for installing, packaging or distributing to other python users.

The second thing we are doing is importing the py2exe library into our program. The last thing we are doing is calling the setup function and passing in the argument console, which contains the name of the python script we want to turn into a windows console executable. There are other options available to make windows GUIs and windows services, but we can talk about that in another post.

To actually get py2exe going we now need to run the setup.py program using the following command:
python setup.py py2exe

It will create a directory called dist under the directory you ran the script in, and contained in that directory will be 9 files that contain all the python libraries we need to run DFIR Wizard on a system without python installed. You'll notice that in the dist directory there is a file called dfirwizard-v3.exe. If everything worked right your directory should look like the following:


Now if you noticed above under 'Things you'll need', the second point talks about a package from Microsoft that contains the file msvcr90.dll. This C++ dll is needed for our py2exe created executable to run on a system where python is not installed. Many systems have this library installed, my system has 29 occurrences of it, but just in case you should make sure to include it in your dist directory before you start deploying this package out to other systems. You can fix this by copying it into your dist directory under the directory 'Microsoft.VC90.CRT'. For more about troubleshooting py2exe and dealing with systems that don't have msvcr90.dll read this: http://py2exe.org/index.cgi/Tutorial

Once you have the dll in place you can zip up the whole dist directory and push out your executable and libraries wherever they need to be run. Just remember that at this stage our windows executable has to be run from an administrative command prompt or executed remotely with a run as administrator option. You also might want to consider powershell remoting, as it won't expose your credentials to the remote system, but that is a post for another day.
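Before zipping up dist and pushing it out, it is worth checking that the executable and the msvcr90.dll copy under Microsoft.VC90.CRT are actually there, since a bundle missing the CRT only fails once it lands on a box without python. The script below is an added example, not code from the post or the dfirwizard repository; the build_sample_dist helper creates a constructed stand-in for the dist directory (placeholder bytes, not a real py2exe build) so the packaging step can be tried offline.

```python
import os
import tempfile
import zipfile

# Files the post says must be in dist before it is pushed out (paths use "/").
REQUIRED = ("dfirwizard-v3.exe", "Microsoft.VC90.CRT/msvcr90.dll")


def missing_files(dist_dir, required=REQUIRED):
    """Return the required paths (with "/" separators) absent from dist_dir."""
    return [rel for rel in required
            if not os.path.isfile(os.path.join(dist_dir, *rel.split("/")))]


def package_dist(dist_dir, zip_path, required=REQUIRED):
    """Zip dist_dir into zip_path; refuse if a required file is missing so an
    incomplete bundle never leaves the analyst's machine. Returns the sorted
    archive member names."""
    missing = missing_files(dist_dir, required)
    if missing:
        raise RuntimeError("dist is incomplete, missing: " + ", ".join(missing))
    names = []
    with zipfile.ZipFile(zip_path, "w", zipfile.ZIP_DEFLATED) as zf:
        for root, _dirs, files in os.walk(dist_dir):
            for name in files:
                full = os.path.join(root, name)
                # store paths relative to dist so the zip unpacks into one folder
                arcname = os.path.relpath(full, dist_dir).replace(os.sep, "/")
                zf.write(full, arcname)
                names.append(arcname)
    return sorted(names)


def build_sample_dist(include_crt=True):
    """Constructed stand-in for a py2exe dist directory (placeholder bytes,
    not a real build) created under a temp dir; returns the dist path."""
    dist = os.path.join(tempfile.mkdtemp(), "dist")
    os.makedirs(os.path.join(dist, "Microsoft.VC90.CRT"))
    files = ["dfirwizard-v3.exe"]
    if include_crt:
        files.append("Microsoft.VC90.CRT/msvcr90.dll")
    for rel in files:
        with open(os.path.join(dist, *rel.split("/")), "wb") as fh:
            fh.write(b"placeholder")
    return dist


if __name__ == "__main__":
    sample = build_sample_dist()
    print(package_dist(sample, sample + ".zip"))
```

Point package_dist at your real dist directory to build the archive; the check raises before anything is written if msvcr90.dll was never copied in.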

Making your program a single file for deployment


As an alternative to py2exe you could also try pyInstaller, which allows you to bundle all of the files above into one executable. It has a lot of other features as well, but that's the one that may interest you the most when pushing this out for remote execution.

First install pyInstaller with pip:
pip install pyinstaller
Next install pywin32, which is needed for the make one file option:
http://sourceforge.net/projects/pywin32/files/pywin32/Build%20214/pywin32-214.win32-py2.7.exe/download


Next run pyinstaller as follows:
\python27\scripts\pyinstaller -F dfirwizard-v3.py

Where -F is telling pyinstaller to generate just one executable that all the rest of the libraries will be extracted from at run time. Your executable dfirwizard-v3.exe will be located in the dist directory under the directory where dfirwizard-v3.py is located. When run as administrator your single executable will now unpack itself and run on any system you want. An added value here is that you don't have to worry about including the C++ dlls!

Now this will execute slower at first than the py2exe version above, but it will only require one file to be pushed/executed.

In the next part let's talk about how to get our program to elevate its own privileges if they are available to the logged in user, and then move on to accessing E01 images.

To grab the setup.py used in this post get it from the series Github here: https://github.com/dlcowen/dfirwizard/blob/master/setup.py

