Archive for the ‘Revealer Toolkit’ Category
First of all, sorry for the lack of news and updates lately, but RVT is developed in the free and spare time of the members of the team, and I have not had a lot of that in the last months.
RVT v0.2.1 includes new features and some small improvements:
- LNK files parsing
- Harlan Carvey, author of the well-known Windows Incident Response blog, has kindly provided us with brilliant Perl code to parse Windows event files (EVT extension). Thus RVT now integrates the script ‘evt’, which can output text versions of the EVT files (script evt generate); it can also generate some statistics about each EVT (script evt report). We would like to sincerely thank Harlan for his support and his useful code.
- f-strings: a forensic version of the Binutils strings command
- extended shell history
- and all the little changes and corrections published on this blog since v0.2
- updated User Guide
See the Revealer Toolkit website for more information.
Quick note: from SVN revision 70, the “images scanall” command is no longer recognized and is replaced by “images scan <case>”, where case can be a case number or the special word “all”, so “images scan all” is equivalent to the old “images scanall”.
This speeds up scanning for a single case, which will be critical for RWA, although it raises other problems (configuration update time) that will be solved soon.
f-strings, or Forensic Strings, is a new RVT tool that will soon be incorporated into the RVT search engine.
You know what binutils’ strings command does: extract printable characters from a binary file. Although it supports various character sets (plain ASCII, UTF-8, UTF-16, in little and big endian), it only supports one of them per execution, and it does not cope well with mixtures of character sets in the same file.
f-strings extracts sequences of everything that looks like a printable character out of a binary file, whether written in plain ASCII, UTF-8 or UTF-16 (little endian only). That means it will usually extract more noise than binutils’ strings, but only one execution is needed.
Moreover, f-strings translates special characters to their plain ASCII equivalents. For example, f-strings translates ‘á’, ‘Á’, ‘à’, ‘À’, ‘ä’, etc., to ‘a’. It also translates Spanish and Catalan special characters (‘ñ’ and ‘ç’ to ‘n’ and ‘c’).
Finally, it lowercases all the output.
$ cat accentuated.txt
el sinvergüenza de José es un ñoño y es del barça
$ ./f-strings accentuated.txt
el sinverguenza de jose es un nono y es del barca
f-strings is open source (GNU/GPL v2.0), and can be downloaded from the Revealer Toolkit web page (here).
Here you have the f-strings help as printed by ‘f-strings -h’:
Revealer Tools, forensic strings, 09-2009
USAGE: f-strings [-t] [-n <number> ] [-f]
-t Print the location of the string in base 10
-n Locate & print any sequence of printable characters
of at least <number> characters (default 4)
-h Display this information
f-strings get a file and prints at stdout all printable characters
like binutils' strings function, BUT:
- convert all that 'seems' latin1, UTF-8 and UTF-16, little endian
to plain ASCII
- translates some special characters. For example, accented a's are translated
to the ASCII character 'a'. All vowels, plus spanish and catalan special
characters are translated
- lowercases all printable characters
- only one file at each execution
- offset is printed only in base 10, so argument -t do not
accept subarguments, and '-t' is equivalent to '-t d' of
- \x00 characters are ignored, so in a hard disk full of zeros
with 'Hey ' at the begining and 'Ho' at the end, f-strings will
extract the string 'Hey Ho'
more information at http://code.google.com/p/revealertoolkit/
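To make the behaviour described above concrete (one pass over mixed ASCII, UTF-8 and UTF-16LE data, NUL bytes skipped so that ‘Hey ’ and ‘Ho’ at opposite ends of a zeroed disk come out as one string, accents folded to plain ASCII, everything lowercased, decimal offsets), here is a small Python re-implementation of that logic. It is an added example written for this post, not the f-strings source or any RVT code, and the transliteration uses Unicode NFKD decomposition as a stand-in for whatever character table f-strings actually uses; function names and the sample input are my own.

```python
import unicodedata
from typing import List, Tuple


def transliterate(text: str) -> str:
    """Fold accented letters to their base letter and lowercase the result.

    NFKD splits 'é' into 'e' + combining acute, 'ñ' into 'n' + combining tilde
    and 'ç' into 'c' + combining cedilla; dropping the combining marks leaves
    the plain ASCII letter, which is the documented f-strings behaviour.
    """
    decomposed = unicodedata.normalize("NFKD", text)
    stripped = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    return stripped.lower()


def decode_run(run: bytes) -> str:
    """Decode a run of candidate bytes: valid UTF-8 wins, otherwise Latin-1."""
    try:
        return run.decode("utf-8")
    except UnicodeDecodeError:
        return run.decode("latin-1")


def is_candidate(byte: int) -> bool:
    """Printable ASCII (including tab) or any high byte (Latin-1 / UTF-8 piece)."""
    return byte == 0x09 or 0x20 <= byte <= 0x7E or byte >= 0x80


def forensic_strings(data: bytes, min_len: int = 4) -> List[Tuple[int, str]]:
    """Return (decimal offset, normalised string) pairs from a byte buffer.

    NUL bytes are ignored entirely (this is also what makes UTF-16LE text of
    Latin-1 characters collapse into a decodable Latin-1 run); any other
    non-printable byte ends the current run. Offsets are in base 10, like -t.
    """
    found: List[Tuple[int, str]] = []
    run = bytearray()
    start = None  # offset of the first byte of the current run

    def flush() -> None:
        nonlocal run, start
        if run:
            text = transliterate(decode_run(bytes(run)))
            if len(text) >= min_len:
                found.append((start, text))
        run = bytearray()
        start = None

    for offset, byte in enumerate(data):
        if byte == 0x00:
            continue  # skipped, not a separator: 'Hey ' ...zeros... 'Ho' -> 'hey ho'
        if is_candidate(byte):
            if start is None:
                start = offset
            run.append(byte)
        else:
            flush()
    flush()
    return found


if __name__ == "__main__":
    import sys
    # Usage: python fstrings_demo.py <file>  (prints "offset string" per line)
    with open(sys.argv[1], "rb") as fh:
        for off, s in forensic_strings(fh.read()):
            print(off, s)
```

Note that the Latin-1 fallback is deliberately permissive: a run of arbitrary high bytes will always decode to something, which is exactly why this approach (and, per the help text, f-strings itself) yields more noise than binutils’ strings. Filtering that noise is left to the RVT search engine the tool is meant to feed.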
Enjoy and feedback!
Step by step, some ugly parts of the code are being rewritten and getting better. As of the last SVN revision, RVT stores in a text file (morgue/case/<case>_cmdLog.txt) a log of some of the commands executed on that case and their subobjects. The next step will be to work on command dependencies.
Also, some automatic reporting is beginning to work, although it will be greatly redesigned in the next months. See the RVT command script report for more information.
Some other little improvements:
- greater command history (greater than one!)
- improvement of lock files (XML configuration, mainly)
- greater readpst verbosity on results
- little sketch for a web interface
Support for parsing Microsoft Windows LNK files has been added to RVT. Just execute
RVT > script lnk generate <disk>
and a CSV file in output/lnk will be created with information on all LNK files on the disk (those with the LNK extension). This command requires another command to be executed first: script files allocfiles, or an error will occur. Command dependencies are something we are working on and, I hope, will be solved in version 0.3.
This function also depends on the dumplnk.pl script adapted by Luis Gómez (RVT team member) from the original lnk-parse.pl, by Jacob Cunningham, all GNU/GPL (thanks, open source!), and distributed with RVT (look in the tools folder of the source code, or here).
A VMware virtual machine has been created with a completely functional RVT v0.2 system, folder structure and an example case. This VM can also easily be used as a production system.
Due to limitations in Google Code hosting, the VM is hosted on sourceforge.net:
- Authentication: root / 12345 and analyst / 12345
Log in as analyst and run RVT with the command:
Finally, version 0.2 of the Revealer Toolkit is out. See more information at the project page. Code can be downloaded from:
- svn checkout http://revealertoolkit.googlecode.com/svn/branches/RVT-v0.2 RVT-v0.2-read-only
Also, the User Guide has been greatly improved with examples and operational guides (see http://revealertoolkit.googlecode.com/files/RVT-userGuide.pdf ).
And finally, a Google Groups mailing list has been created for the community to share doubts, ideas and problems ( http://groups.google.com/group/revealertoolkit ). Do not hesitate to contact us!
Stay tuned, because important improvements are planned for future versions.