Accelerating the collection, processing, analysis and outputting of digital forensic artefacts.

Table of Contents

• About
  • Related Projects
• Configuration
  • SIFT-elrond (recommended)
  • Self-build
  • Updating
• Usage
• Artefacts
  • Windows
  • Linux
  • macOS
  • Notices
• Acknowledgements

About

elrond has been created to help fellow digitial forensicators with the identification, extraction, collection, processing, analysis and outputting of forensic artefacts from (up to 20 paritions for) Windows E01 or VMDK, macOS DMG/E01 or VMDK, Linux dd or VMDK disk images as well as raw memory images and previously collected artefacts which can all be outputted into Splunk. I have spent many an incident repeating the same processes by mounting, collecting (mainly Windows) forensic artefacts and then attempting to correlate them together with other data sources and artefacts. Thus, as mentioned above elrond has been built to consolidate those seperate processes into one single script helping to accerlate and automate these otherwise repetitive, tedious and often occasionally-referenced commands. As elrond outputs the artefact information as either CSV or JSON, they can be processed by many commonly-used log file analysis tools, consequently, elrond does have the capability to stand up a local Splunk (with acompanying app) or elastic instance, whereby the artefacts are automatically assigned and aligned with the MITRE ATT&CK® Framework. In addition, elrond can also populate a local ATT&CK Navigator instance providing a visual representation of potential attack techniques leveraged as part of said incident.
Additional features include image and file hashing, metadata extraction, file recovery and carving, AV scanning, IOC extraction, keyword searching and timelining.

It is important to note that elrond utilises many existing tools which have been built by other developers. elrond does do custom structuring of the outputted data but the conversion of the data is done by the other aforementioned toolsets.

Wild West Hackin' Fest 2023

I presented elrond, at Wild West Hackin' Fest 2023 as part of the Toolshed Talks.

• Slidedeck
  

Related Projects

elrond is responsible for the analysis-side of digital forensics, but what about acquisition? An acompanying script called gandalf can be deployed (locally or remotely) on either Windows (using PowerShell), Linux, or macOS (using Python or [bash]()) hosts to acquire forensic artefacts.

Configuration

Initial Configuration

SIFT-elrond (recommended)

Download the respective elrond OVA; the latest version of SIFT (20.04) or Ubuntu (22.04) with all of the elrond software packages, pre-installed.

• For x64, download SIFT-elrond OVA (20.04)
• sansforensics:forensics
• For ARM, download elrond archive (22.04)
• elrond:elrond Neither OVA contains the NSRL dataset; execute nsrl.sh and follow instructions to download.
  

It is recommended to run /opt/elrond/update.sh which will download and configure the latest version of elrond onto your existing system.

Self-build

Download Virtual Machine

There are several software package required for using elrond. Almost all of them are contained within the SANS SIFT Worksation virtual machine OVA. For the software which is not included (make.sh) installs and configures the additional software required for all potential functionality leveraged by elrond (volatility3, apfs-fuse, ClamAV etc.).

• For x64 download SANS SIFT Workstation (20.04 LTS)
• For ARM download Ubuntu 22.04

Configure

Follow instructions in CONFIG.md

You will only need to run the make.sh script once, per 'elrond VM' instance; if you encounter errors with CONFIG.md, individual scripts for each of the software packages are contained in .../elrond/elrond/tools/config/scripts/

Usage

python3 elrond.py <case_id> <directory> [<output_directory>] [-h] [-AaBCcDEGIiMmNnPQqRSsTtUuVXZ] [-K <keyword_file>] [-Y <yara_dir>] -F (include|exclude):[<include/exclude_file>]

Collect (-C)

Examples

• Invoking DBM (-B) flag (instead of using -acINoPQqUVv), Process (-P) index artefacts in Splunk (-S) and conduct File Collection (-F) with inclusion list
  

python3 elrond.py case_name /path/to/disk/images -BCPS -F include:./include_file.txt

• Automatically (-a) and super-quietly (-Q) Collect (-C), Process (-P), Analyse (-A) and index artefacts (including memory (-M)) in Splunk (-S)
  

python3 elrond.py case_name /path/to/disk_and_memory/images -aqQvVMCPAS

• Very verbosely (-V), automatically (-a), super-quietly (-Q) Collect (-C), Process (-P) and conduct IOC Extraction (-I)
  

python3 elrond.py case_name /path/to/disk/images -avVqQCPI

Gandalf (-G)

Examples

• Automatically (-a) and superquietly (-Q) Process (-P), Analyse (-A) and index artefacts in Splunk (-S) (acquired using gandalf)
  

python3 elrond.py case_name /path/to/disk/images -aqvVGPAS

• Invoking DBM (-B) flag (instead of using -acINoPQqUVv), Process (-P) index artefacts in Splunk (-S) and conduct Keyword Searching (-K )
  

python3 elrond.py case_name /path/to/disk/images -BGPS -K keywords.txt

Reorganise (-R)

Examples

• Automatically (-a) and quietly (-q) Process (-P), Analyse (-A) and index artefacts in Splunk (-S) (reorganise previously collected disk artefacts (-R))
  

python3 elrond.py case_name /path/to/disk/images -aqvVRPAS

• Invoking DBM (-B) flag (instead of using -acINoPQqUVv), Process (-P) index artefacts in Splunk (-S) and conduct Yara Searching (-Y )
  

python3 elrond.py case_name /path/to/disk/images -BRPS -Y <directory/of/yara/files>

Support

See SUPPORT.md for a list of commands and additional third-party tools to help with preparing images or data for elrond.

Artefacts

Below is a list of all the artefacts collected and processed from the respective operating systems.

Windows

• C:\$MFT
• C:\$LogFile
• C:\$ObjId
• C:\$Recycle.Bin
• C:\$Reparse
• C:\$UsnJrnl
• C:\Windows\AppCompat\Programs\RecentFileCache.bcf
• C:\Windows\AppCompat\Programs\Amcache.hve
• C:\Windows\inf\setupapi.dev.log
• C:\Windows\Prefetch\*.pf
• C:\Windows\System32\config\SAM
• C:\Windows\System32\config\SAM.LOG
• C:\Windows\System32\config\SAM.LOG1
• C:\Windows\System32\config\SAM.LOG2
• C:\Windows\System32\config\SECURITY
• C:\Windows\System32\config\SECURITY.LOG
• C:\Windows\System32\config\SECURITY.LOG1
• C:\Windows\System32\config\SECURITY.LOG2
• C:\Windows\System32\config\SOFTWARE
• C:\Windows\System32\config\SOFTWARE.LOG
• C:\Windows\System32\config\SOFTWARE.LOG1
• C:\Windows\System32\config\SOFTWARE.LOG2
• C:\Windows\System32\config\SYSTEM
• C:\Windows\System32\config\SYSTEM.LOG
• C:\Windows\System32\config\SYSTEM.LOG1
• C:\Windows\System32\config\SYSTEM.LOG2
• C:\Windows\System32\winevt\Logs\*.evt(x)
• C:\Windows\System32\wbem\Repository\
• C:\Windows\System32\LogFiles\WMI\
• C:\Windows\System32\LogFiles\
• C:\Users\%USERPROFILE%\NTUSER.DAT
• C:\Users\%USERPROFILE%\UsrClass.DAT
• C:\Users\%USERPROFILE%\AppData\Local\ConnectedDevicesPlatform\ActivitiesCache.db
• C:\Users\%USERPROFILE%\AppData\Local\ConnectedDevicesPlatform\ActivitiesCache.db-shm
• C:\Users\%USERPROFILE%\AppData\Local\ConnectedDevicesPlatform\ActivitiesCache.db-wal
• C:\Users\%USERPROFILE%\AppData\Local\Google\Chrome\User Data\Default\
• C:\Users\%USERPROFILE%\AppData\Local\Microsoft\Edge\User Data\Default\History
• C:\Users\%USERPROFILE%\AppData\Local\Microsoft\Windows\UsrClass.dat
• C:\Users\%USERPROFILE%\AppData\Local\Microsoft\Windows\History\Content.IE5
• C:\Users\%USERPROFILE%\AppData\Local\Microsoft\Windows\History\History.IE5
• C:\Users\%USERPROFILE%\AppData\Local\Microsoft\Windows\History\Low\
• C:\Users\%USERPROFILE%\AppData\Local\Microsoft\Windows\Temporary Internet Files\
• C:\Users\%USERPROFILE%\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\
• C:\Users\%USERPROFILE%\AppData\Local\Mozilla\Firefox\Profiles\
• C:\Users\%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\
• C:\Users\%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\
• C:\Users\%USERPROFILE%\Documents\Outlook Files\
• C:\Users\%USERPROFILE%\*
  

Linux

• /.Trashes
• /etc/passwd
• /etc/shadow
• /etc/group
• /etc/hosts
• /etc/crontab
• /etc/security
• /etc/systemd
• /etc/modules-load
• /home/%USERPROFILE%/
• /home/%USERPROFILE%/.bash_aliases
• /home/%USERPROFILE%/.bash_history
• /home/%USERPROFILE%/.bash_logout
• /home/%USERPROFILE%/.bashrc
• /home/%USERPROFILE%/.bash_session
• /home/%USERPROFILE%/.config/autostart/
• /home/%USERPROFILE%/.config/google-chrome/%DIR%/History
• /home/%USERPROFILE%/.local/share/Trash/files
• /home/%USERPROFILE%/.local/share/keyrings/
• /home/%USERPROFILE%/.local/share/recently-used.xbel
• /home/%USERPROFILE%/.mozilla/firefox/%DIR%/places.sqlite
• /home/%USERPROFILE%/.ssh
• /home/%USERPROFILE%/.thunderbird/.default
• /home/%USERPROFILE%/.thunderbird/global-messages-db.sqlite
• /home/%USERPROFILE%/.thunderbird/places.sqlite
• /home/%USERPROFILE%/.thunderbird/downloads.sqlite
• /home/%USERPROFILE%/.thunderbird/panacea.dat
• /root/.bash_aliases
• /root/.bash_history
• /root/.bash_logout
• /root/.bashrc
• /root/.bash_session
• /root/.local/share/keyrings/
• /root/.ssh
• /tmp/*
• /usr/lib/systemd/user/*.service
• /usr/lib/systemd/user/*.target
• /usr/lib/systemd/user/*.socket
• /var/cache/cups/job.*
• /var/cups/job.*
• /var/log
• /var/vm/sleepimage
• /var/vm/swapfile
  

macOS

• /.Trashes
• /Library/Logs
• /Library/Preferences
• /Library/LaunchAgents
• /Library/LaunchDaemons
• /Library/StartupItems
• /System/Library/Preferences
• /System/Library/LaunchAgents
• /System/Library/LaunchDaemons
• /System/Library/StartupItems
• /Users/%USERPROFILE%/
• /Users/%USERPROFILE%/.bash_aliases
• /Users/%USERPROFILE%/.bash_history
• /Users/%USERPROFILE%/.bash_logout
• /Users/%USERPROFILE%/.bashrc
• /Users/%USERPROFILE%/.bash_session
• /Users/%USERPROFILE%/.ssh
• /Users/%USERPROFILE%/.Trash/
• /Users/%USERPROFILE%/Library/keychains/.keychain-db
• /Users/%USERPROFILE%/Library/Mail/*.plist
• /Users/%USERPROFILE%/Library/Preferences/*.plist
• /Users/%USERPROFILE%/Library/Safari/*.plist
• /Users/%USERPROFILE%/Library/Safari/History.db
• /Users/%USERPROFILE%/Library/Application Support/Google/Chrome/Default/
• /Users/%USERPROFILE%/Library/Application Support/Firefox/Profiles/
• /etc/passwd
• /etc/shadow
• /etc/group
• /etc/hosts
• /etc/crontab
• /etc/security
• /tmp/*
• /var/log
  
  

Notices

If you notice 'nixCommand' or 'nixProcess' in files processed from a Windows OS, this is somewhat intentional. I debated with myself whether to try and change these to 'WinCommand' and 'WinProcess', respectively but also considered the situation of Windows Subsystem for Linux (WSL) being installed. As a result, I have left them as they are. If you know of a way to identify whether a file belongs inside the Linux element of WSL based on file path, file type, file content etc. please raise an issue and let me know.

Acknowledgements

• Joff Thyor
• alexandercarruthers
• SANS
• Harbingers LLC
  
  
• Tooling
  • joachimmetz
  • Harlan Carvey
  • @JRick_3
  • williballenthin
  • dkovar
  • Richard Penman
  • harelsegev
  • KStrike
  • srum-dump
  • mnrkbys
  • The Volatility Foundation
  • AVML
  • Jonathon Poling
  • @binaryz0ne
  • JPCERTCC
  • John - Python Awesome
    
    
• Documentation
  • Best-README-Template
  • hatchful
  • Image Shields
    
    
• Theme & Artwork
  • J.R.R. Tolkien
  • Peter Jackson
  • ASCII Text Generator
  • ASCII Art Generator
  • ASCII Art
  • SIFT-elrond Desktop background
  • lómi