eForensics Magazine 2020 Open Source Forensic Tools.pdf
We’re proud to present our first free edition in a long time! You were totally in love with our Open Source Tools and Their Developers from 2018, so we decided to revisit the topic of open source forensic tools.
Just like last time, we invited tool developers to prepare tutorials that explain how their tools work and what they can do! You can easily add these open source tools and programs to your toolbox, and learn plenty of new, interesting things. And what’s awesome - you can do it for free! Every tool presented can be found on GitHub.
We would also like to thank all authors, developers, reviewers, and proofreaders for contributing to this edition. Without further ado, download the issue and have fun!
and the eForensics Magazine Editorial Team
This magazine is free to download, just register as a free user and enjoy your reading!
TABLE OF CONTENTS
by Giovanni 'sug4r' Rattaro, Marco 'blackmoon' Giorgi, and Davide 'rebus' Gabrini
The Tsurugi Linux project is a new open source project that was officially presented in November 2018 at the AvTokyo security conference in Japan, and this is one of the main reasons for the Japanese name Tsurugi (剣), which refers to a legendary Japanese double-bladed sword used by ancient Japanese monks. The project is mainly focused on DFIR (Digital Forensics & Incident Response), but it’s also possible to perform OSINT (Open Source INTelligence) activities, malware analysis and Computer Vision investigations. It has been built by a team composed of a bunch of Backtrack and Deft Linux veterans, professionals united by the idea of developing a new DFIR Operating System.
This project is and will be totally free, independent without involving any commercial brand. Our main goal is to share knowledge and "give back to the community".
CryKeX – Linux Memory Cryptographic Keys Extractor
by Maksym Zaitsev
Nowadays, cryptography is almost everywhere, but not so long ago it was considered a weapon in some countries. Historically, there were some limitations on key length and encryption algorithms, but now, due to Kerckhoffs's principle, you can use almost any type of cipher you would like, keeping only the key secret. Those keys, however, should be well protected, which, unfortunately, isn’t the case for most modern software, and this article will show how to obtain those keys without much effort.
Toss a coin to your… Toolkit
by Denis O’Brien
Have you ever analysed a document and wondered what that binary blob means, or maybe wanted to deobfuscate embedded data without pulling out your hair, or perhaps just to determine how risky it will be to open that document on a computer? This article introduces you to an online service that does all of that and more.
MwMon - Malware Monitoring
by Vlad Ioan Topan
Malware behavior analysis has been done to death by this point - not just by professionals employed by AV companies, as the case used to be some 15 years ago, but even as an enjoyable Saturday afternoon by security hobbyists, and everybody in-between. From the rather terse, few and far between malware descriptions of the past, which usually lumped together samples into “families” and focused almost exclusively on file-infectors (the original viruses), nowadays a plethora of websites provide in-depth descriptions of malware behavior, almost always inferred from monitoring the OS API calls of a sample automatically inside a controlled (and usually virtualized) environment. Off-the-shelf complete environments have been created for hobbyists and “professionals” alike (the most popular among them being Cuckoo Sandbox).
A Python tool for Robust Detection on Advanced Digital Image Copy-Move Attack by using a Modification of Two Algorithms
by Rahmat Nazali
We will introduce two algorithms taken from a previous work: the first one is titled duplication detection method, while the second one is titled simply robust detection method. For the sake of simplicity, let’s just say first algorithm and second algorithm. The first algorithm was effective on a normal Copy-Move attack, meaning it ran fast but only detected a simple attack, and it will likely return a false positive when run on an advanced attack. The second algorithm was effective on an advanced Copy-Move attack, meaning the run time is much slower, but it will likely be more reliable at detecting an advanced copy-move attack. Our proposed algorithm combines those two algorithms, up to certain cases with a certain tolerance, and is able to adapt to its input condition. Therefore, the image preprocess stage is no longer needed, with a trade-off of a slightly longer run time than the first algorithm, while being as robust as the second algorithm. For this proposed algorithm, we have created a simple tool that implements that exact logic.
ARTHIR - ATT&CK Remote Threat Hunting Incident Response tool
by Michael Gough
ATT&CK™ Remote Threat Hunting Incident Response (ARTHIR) is an update and fork of the older KANSA (2) incident response framework utilizing PowerShell. KANSA was originally developed by Dave Hull in 2014 and released on GitHub in 2015, but he stopped development in 2016 after going to work for a company that makes a competing product. There are a couple of articles on KANSA referenced on the KANSA GitHub page for more background. There is also a video from the 2015 SECKC security conference of Dave discussing KANSA’s design and purpose available on YouTube (5). There have been some recent updates to KANSA to add some changes to ingest output into a logging solution, but for the most part, there has been very little work on KANSA modules since 2016.
pwnedOrNot - OSINT Tool for Finding Passwords of Compromised Email Accounts
by Lohitya Pushkar (thewhiteh4t)
Querying one or two email addresses is fine, but what if we need to check official email addresses of a complete organisation? That is not possible manually. To save time and effort, I created pwnedOrNot, an automated OSINT tool for finding critical information.
Velociraptor - Digging deeper
by Mike Cohen
Velociraptor was released in 2019. Similar to GRR, Velociraptor also allows for hunting across many thousands of machines. Inspired by OSQuery, Velociraptor implements a new language dubbed VQL (Velociraptor Query Language), which is similar to SQL but extends it in a more powerful way. Velociraptor also emphasizes ease of installation and very fast, efficient operation and scalability.
HookCase, An Open Source Tool for Reverse Engineering macOS and its Applications
by Steven Michaud
HookCase is an open-source tool for reverse engineering and debugging macOS (aka OS X), and the applications that run on it. It re-implements and extends Apple's DYLD_INSERT_LIBRARIES functionality, while avoiding all of Apple's restrictions. It can be used to hook any function in almost any module. I'm the author and maintainer of this tool, and in the following, I'll show how I used HookCase to resolve a particularly difficult bug in Mozilla's Firefox browser, which turned out to be caused by a macOS bug.
Deep Learning for Digital-Image-Forensics
by Akash Nagaraj, Bishesh Sinha, Mukund Sood, Vivek Kapoor and Yash Mathur
The primary issue faced during investigations of criminal activity with respect to video evidence is determining the credibility of the video and ascertaining that the video is unedited. As of today, one of the most crucial ways to authenticate images or footage is to identify the camera that the image was taken on. A very common way to do this is by using image metadata, which can easily be falsified itself, or by splicing together content from two different cameras. Many solutions have been proposed in the past; however, this was a problem yet to be solved to a reliable extent. Our intention was to build a system that identifies the camera model used to capture an image from traces intrinsically left in the image - a digital fingerprint of sorts. Solving this problem has a big impact on the verification of evidence in criminal and civil trials and even news reporting.