2014/09/08

Foremost Automator Script

by Destruct_Icon
Categories: Analysis, Coding, Host Forensics, Python
Tags: , ,
Comments: Leave a Comment

Formost Automator Script

A small project that we were working on involved using Foremost as an automated triage tool to run in the background as we were performing other analysis during incidents. The Foremost Automator Script was birthed from this project. If you are not familiar with Foremost, please check out our previous post at http://malwerewolf.com/2014/03/physical-memory-analysis/.

Download the script: https://github.com/MalWerewolf/ForemostAutomator

Download an infected memory sample: http://digital-forensics.sans.org/blog/2014/02/08/apt-memory-and-malware-analysis-solution

Watch the tutorial:

DIFASapikey1

Requirements:

  • Python
  • Foremost
    • MD5
  • Virustotal API Key
    • Every Virustotal account allows access to an API key. The only restriction is you may only use the key four times per minute. In order to get around this limitation, the script sleeps for 25 seconds after every request.

 

 

Step 1: Run the python script.

DIFASpython2

 

 

 

Step 2: Point the script to the file location of the image. [APT.img]

DIFASpython3After entering the location of your file, foremost will run against the image. When it completes, it will remove everything but the DLLs and executables to speed up the triage. MD5 will then run against the location and you should see a similar batch of files as below.

 

 

DIFASfolder4

Step 3:  You will be prompted for your Virustotal api key. We will show you later on where to hard code the key in order to skip this step.

DIFASpython5

After you have entered your API key. Virustotal will be queried for every md5 that is sitting in the “MD5Text.txt” file. Let’s take a quick look at what’s inside MD5Text.

DIFASmd5text6

Keep note of the format of this file as, when we have identified malicious files through Virustotal, we will have to return to this file and identify the artifact in question.

Now that the script has kicked off and is attempting to triage all of the MD5s of the files carved from Foremost, you will begin seeing a lot of activity in your CLI. The script will run in a verbose mode so you will be able to see all of the benign, not-available and malicious hits. Most of the time you will be seeing the response of “*MD5* is not in VT”. If the file returns as benign, you will receive the response of “*MD5* is not malicious.” Lastly, you will see “*MD5* is malicious.” when a file has been caught by Virustotal and labeled as a threat. Also, the file “MaliciousFiles.txt” will be populated with the output of the hit as seen below.

DIFASmalicious7

The information provided by “MaliciousFiles.txt” includes the link to Virustotal, the MD5 and the scanners which identified the file as malware. This is where we can jump back into the “MD5Text” file and correlate the MD5 to the file in question from the output directory. Although this is a very slow process due to the limitation of four scans per minute, there is value to the automation as you can kick this off while doing other analysis such as running Volatility against the image.

The last thing we wanted to show you is where in the python script you can hard code your Virustotal api key. Jump to around line 74 and you should see where the raw input prompt is noted. Simply replace the raw input line with y = ‘your api key’ and you should no longer have to repeatedly input your key each time the script is ran.

DIFASapikey8

Future Development

We would like to thank everyone who finds our scripts useful. I will be doing more development on this script as I find time and if you have any requests, suggestions and/or feedback, please let me know at destruct_icon@malwerewolf.com.


Leave a Reply

Your email address will not be published. Required fields are marked *



Today is Monday
2017/10/23