
Dfirtriage

Digital forensic acquisition tool for Windows based incident response.


README

dfirtriage

Digital forensic acquisition tool for Windows-based incident response.

How to Use

To run, drop dfirtriage.exe on the target (or on a connected USB drive) and execute it with admin rights; pass -h for help.


DFIRTriage v6.0 User's Manual

Description

This document outlines the functionality and proper use of the DFIRtriage tool. Also included is detailed information to help with analysis of the output. The goal is to equip the Incident Responder with the tools needed to gather and analyze data quickly.

About

DFIRtriage is an incident response tool designed to provide the Incident Responder with rapid host data. Upon execution, select host data and information will be gathered and placed into the execution directory. DFIRtriage may be run from a USB drive or executed remotely on the target host.

What’s new in v6.0?

Output restructure

  • Reorganized the output files and directories in a more logical manner

Logging total run time

  • added total run time to the run log file (runlog.txt)

Bug fixes

  • fixed the non-zero exit status (1) returned when ntuser.dat is missing from a user profile directory
  • locked files are now only pulled from user profile directories in which an ntuser.dat file exists

Added arguments for individual system artifacts

  • the system file acquisition option has been split into individual artifacts, which cuts down on the total output size when you only want one of the three and not all of them: -sdb, --srumdb (SRUM database); -hf, --hiberfil (hiberfil.sys); -p, --pagefile (pagefile.sys)

Improved executable file hashing capabilities

  • Hashes all .dll and .exe files on the OS drive. Recommended to disable A/V realtime scanning when using the hash arguments.

Running process details

  • improved the running process information to include PID, PPID, process name, command executed to launch the process, and files opened by the process.

BitLocker key dump

  • to dump OS drive BitLocker key information you can now pass the -bl or --bitlocker argument on the command line

Memory acquisition no longer default action

  • to acquire memory you must pass the -m or --memory argument on the command line

User prompt removed from end of execution

  • no longer need to designate the -hl or --headless argument to bypass the ending user prompt, script will run to completion, clean up, and exit with no user intervention.

Windows firewall

  • dumping Windows firewall configuration
  • default parsing of key firewall events
  • pulling full firewall event log (EVTX) with -elf argument

Improved user account report

  • creating a more detailed user account report that includes account SIDs and last logon time.

dtfind - admin requirement removed

  • removed the requirement for admin permissions to run dtfind

3rd party tools update

  • core.ir toolset has been updated with current tool versions

External IP

  • Grabs endpoint external IP address

PowerShell

  • Now acquires PowerShell history for commands run by SYSTEM
  • Full Powershell EVTX file is now pulled with -elf, --evtlogfiles argument

System Information

  • New system and network data collected in the WLAN report

Event Logs

  • Acquires virtual hard disk (VHD) mount events from the VHD operations event log
  • New event log events added to default collection.
  • Pulling full Powershell and Firewall event logs with -elf, --evtlogfiles argument

Application event log

  • WER events for application crashes only (1001)
  • User logging on with temporary profile (1511)
  • Cannot create profile using temporary profile (1518)
  • Application error events, similar to WER/1001. These include full path to faulting EXE/Module (1000)
  • Application crash/hang events, similar to WER/1001. These include full path to faulting EXE/Module (1002)

Security event log

  • Replay attack (4649)
  • Kerberos TGT request (4768)
  • Kerberos service ticket requested (4769)
  • Kerberos service ticket renewal (4770)
  • Kerberos pre-authentication failed (4771)
  • Workstation locked (4800)
  • Workstation unlocked (4801)
  • Screensaver was invoked (4802)
  • Screensaver was dismissed (4803)
  • An attempt was made to change an account's password (4723)
  • A user account was disabled (4725)
  • A user account was deleted (4726)
  • Group creations (4727, 4731, 4754)
  • Group member removals (4729, 4733, 4757)
  • Group changes (4735, 4737, 4755, 4764)
  • A user account was locked out (4740)
  • A computer account was created (4741)
  • A computer account was changed (4742)
  • A computer account was deleted (4743)
  • SID history (4765, 4766)
  • A user account was unlocked (4767)
  • ACL set on accounts (4780)
  • System time was changed (4616)
  • Kerberos service ticket was denied (4821)
  • NTLM authentication failed (4822, 4823)
  • Kerberos pre-authentication failed (4824)
  • Certificate Services received a certificate request (4886)
  • Certificate Services approved a certificate request (4887)
  • A Certificate Services template was updated (4899)
  • Certificate Services template security was updated (4900)
  • Kerberos policy was changed (4713)
  • An operation was performed on an object (4662)

Powershell event log

  • PowerShell executes block activity (4103)
  • Remote Command (4104)

Windows Firewall event log

  • Local Modifications (Levels 0, 2, 4) (2004, 2005, 2006, 2009, 2033)
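As an added example (not part of DFIRtriage), the following Python groups the Security event IDs listed above into the categories the list uses and flags accounts with repeated Kerberos pre-authentication failures (4771). The input records are constructed and their dict shape is an assumption, not the tool's output format.

```python
# Added example: triage the Security-log event IDs that DFIRtriage v6.0 newly
# collects by default. Input records are constructed, not DFIRtriage output.
from collections import Counter

# Event ID groups taken from the v6.0 Security event log list in the manual.
SECURITY_IDS = {
    "kerberos": {4768, 4769, 4770, 4771, 4821, 4824},
    "ntlm_failure": {4822, 4823},
    "account_change": {4723, 4725, 4726, 4740, 4741, 4742, 4743, 4767, 4780},
    "group_change": {4727, 4731, 4754, 4729, 4733, 4757, 4735, 4737, 4755, 4764},
    "cert_services": {4886, 4887, 4899, 4900},
    "session": {4800, 4801, 4802, 4803},
    "sid_history": {4765, 4766},
    "policy_time_object": {4713, 4616, 4649, 4662},
}


def categorize(event_id):
    """Return the group name for a Security log event ID, or None when the
    ID is not among the v6.0 additions listed in the manual."""
    for name, ids in SECURITY_IDS.items():
        if event_id in ids:
            return name
    return None


def triage(records, preauth_threshold=5):
    """Count events per group and flag accounts whose Kerberos
    pre-authentication failures (4771) reach preauth_threshold."""
    per_group = Counter()
    preauth_failures = Counter()
    for rec in records:              # rec: {"id": int, "account": str}
        group = categorize(rec["id"])
        if group is None:
            continue                 # not one of the listed IDs
        per_group[group] += 1
        if rec["id"] == 4771:
            preauth_failures[rec["account"]] += 1
    flagged = {a: n for a, n in preauth_failures.items() if n >= preauth_threshold}
    return per_group, flagged


# Constructed sample: six pre-auth failures for one account, one workstation
# lock, and one successful logon (4624), which is not in the list above.
SAMPLE = [{"id": 4771, "account": "jdoe"}] * 6 + [
    {"id": 4800, "account": "jdoe"}, {"id": 4624, "account": "svc"}]

if __name__ == "__main__":
    per_group, flagged = triage(SAMPLE)
    print(dict(per_group), flagged)
```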

Dependencies

The tool repository contains the full toolset required for proper execution, packed into a single file named core.ir. This .ir file is the only required dependency of DFIRtriage when running in Python and should reside in a directory named data (i.e. ./data/core.ir). The compiled version of DFIRtriage has the full toolset embedded and does not require the ./data/core.ir file.

Operation

DFIRtriage acquires data from the host on which it is executed. Behind-the-keyboard executions are best conducted from a USB device. For acquisitions of remote hosts, the DFIRtriage files will need to be copied to the target, then executed via a remote shell (i.e. SSH or PSEXEC).

PSEXEC Usage

WARNING: Do not use PSEXEC arguments to pass credentials to a remote system for authentication. Doing so will send your username and password across the network in the clear.

The following steps should be taken for proper usage of PSEXEC:

  1. Map a network drive and authenticate with an account that has local administrative privileges on the target host.

You can use this mapped connection to copy DFIRtriage to the target.

  2. We can now shovel a remote shell to the target host using PSEXEC.

    psexec \\target_host cmd

  3. You now have a remote shell on the target. All commands executed at this point are done so on the target host.

Usage

  1. Once the remote shell has been established on the target you can change directory to the location of the extracted DFIRtriage.exe file and execute.

  2. Memory acquisition does not occur by default. To dump memory, pass the following argument: -m, --memory

  3. DFIRtriage must be executed with Administrative privileges.

OUTPUT ANALYSIS

Once complete, press enter to clean up the output directory. If running the executable, the only data remaining will be a zipped archive of the output as well as DFIRtriage.exe. If running the Python code directly, only the DFIRtriage Python script and a zipped archive of the output are left.

OUTPUT FOLDER

The output folder name includes the target hostname and a date/time code indicating when DFIRtriage was executed. The date/time code format is YYYYMMDDHHMMSS.

ARTIFACTS LIST

The table below provides a general listing of the type of information and artifacts gathered by DFIRtriage v6.0.

| Artifacts | Description |
|---|---|
| Memory | Raw image acquisition |
| System information | Build, version, installed patches, bitlocker & shadow copy info, etc. |
| Current date and time | Current system date and time |
| Prefetch | Collects and parses prefetch data |
| PowerShell command history | Gathers PowerShell command history for all users including the SYSTEM account |
| User activity | HTML report of recent user activity |
| File hash | Calculates an MD5, SHA-1, or SHA-256 hash of all EXE and DLL files on the OS partition |
| Network information | Network configuration, routing tables, connections, etc. |
| DNS cache entries | List of complete DNS cache contents |
| ARP table information | List of complete ARP cache contents |
| NetBIOS information | Active NetBIOS sessions, transferred files, etc. |
| Windows Update Log | Gathers update information and builds Windows update log |
| Windows Event Logs | Gathers and parses multiple Windows Event logs |
| Process information | Processes, PID, image path, and full command line |
| List of remotely opened files | Files on target system opened by remote hosts |
| List of hidden directories | List of all hidden directories on the system partition |
| Alternate Data Streams | List of files containing alternate data streams |
| Complete file listing | Full list of all files on the system partition |
| List of scheduled tasks | List of all configured scheduled tasks |
| Hash of all collected triage data | SHA-256 hash of all data collected by DFIRtriage |
| Local & domain user account information | Usernames, profile paths, account SID, etc. |
| Autorun information | All autorun locations and content |
| Logged on users | All users currently logged on to target system |
| Registry hives | Pulls down all registry hives |
| USB artifacts | Collects data needed to parse USB usage info |
| Browser History | Aggregated report of browser history |
| SRUM database | System usage information collected by SRUM (System Usage Resource Monitor) |

OUTPUT REFERENCE

This section of the manual is provided to offer guidance during analysis of the DFIRtriage output. The information below is only provided as a guideline, as it would not be practical to detail every possible use of this data. The bulk of analysis will depend on context and the analysis skill
