Last Update: 14-Nov-2014
I’ve decided to pick up the BlackBagTool project again. It is an attempt at a program/framework for finding interesting information on a mounted hard drive. The end goal is an application that lets an investigator gather a 2-minute summary of the information on the drive and use it as a springboard for the overall investigation. This post is an attempt at nailing down a spec.
The layout consists of a series of Python modules and small scripts (installed to /usr/bin) that can be used in conjunction with each other. I’m debating whether or not to include an optional prefix on the command names for namespacing reasons.
The small, individual scripts can then be piped together or included in shell scripts to automate the discovery process. The Python modules can also be imported into scripts or used in the REPL.
I’m also aiming to build an application around this set of tools that fully automates the task of:
- Take the mount directory as an argument
- Determine the operating system (based on files/paths/etc)
- Gather relevant OS files (/etc/shadow, ~/.bash_history, recent documents, etc)*
- Determine what applications are installed, and possibly which versions
- Gather relevant application data (recent files, configuration/settings, history, cookies, etc)
- Parse data according to known formats and process fields against known patterns (dates, email addresses, etc)
Interesting email addresses can be found in browser history Title fields.
- dbxplorer – A module for automatically gathering information about databases on a computer (db files, tables, raw data). Working on support for MySQL and SQLite now.
- fsxplorer – A module for filesystem scanning.
- bbtutils – A utility module for gathering information in a consistent way
- skypedump – A utility for dumping Skype information (contacts, chat history, etc)
- chromedump – A utility for dumping browser information from Google Chrome (history, downloads, favorites, cookies, autofill data, etc)
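As an added illustration of the chromedump and "parse against known patterns" steps above (example code written for this post, not part of the BlackBagTool code base): Chrome keeps history in a SQLite file named `History` whose `urls` table stores `last_visit_time` as microseconds since 1601-01-01 UTC, and the title of a webmail tab often carries the account's e-mail address. The profile globs, the `HISTORY_GLOBS` name and the in-memory sample database are assumptions made for this example.

```python
import re
import sqlite3
from datetime import datetime, timedelta, timezone
from pathlib import Path

# Chrome stores times as microseconds since 1601-01-01 UTC (the WebKit epoch).
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Usual locations of the History file, relative to the mount point, one glob
# per OS so every user profile on the drive is covered (assumed for this example).
HISTORY_GLOBS = {
    "linux": "home/*/.config/google-chrome/*/History",
    "windows": "Users/*/AppData/Local/Google/Chrome/User Data/*/History",
    "macos": "Users/*/Library/Application Support/Google/Chrome/*/History",
}

def find_history_files(mount):
    """Return every Chrome History file under the mounted drive, whatever the OS."""
    root = Path(mount)
    return sorted(p for pat in HISTORY_GLOBS.values() for p in root.glob(pat))

def webkit_to_datetime(us):
    """WebKit microseconds -> aware UTC datetime; 0 means 'never visited'."""
    return WEBKIT_EPOCH + timedelta(microseconds=us) if us else None

def dump_history(con):
    """Read the urls table, newest first, converting timestamps and pulling
    e-mail addresses out of the Title field."""
    sql = "SELECT url, title, visit_count, last_visit_time FROM urls ORDER BY last_visit_time DESC"
    out = []
    for url, title, visits, ts in con.execute(sql):
        when = webkit_to_datetime(ts)
        out.append({"url": url, "title": title, "visits": visits,
                    "last_visit": when.isoformat() if when else None,
                    "emails": EMAIL_RE.findall(title or "")})
    return out

def dump_history_file(path):
    """Open a History file read-only (work from an image copy, never the original)."""
    con = sqlite3.connect(f"file:{path}?mode=ro", uri=True)
    try:
        return dump_history(con)
    finally:
        con.close()

def make_sample_history():
    """Constructed in-memory stand-in for a real History file (same urls columns)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT, "
                "visit_count INTEGER, last_visit_time INTEGER)")
    con.executemany("INSERT INTO urls (url, title, visit_count, last_visit_time) VALUES (?,?,?,?)", [
        ("https://mail.example.com/", "Inbox - alice@example.com", 12, 13060396800000000),
        ("https://example.org/docs", "Project documentation", 3, 13060483200000000),
    ])
    return con
```

On a real mount, `for p in find_history_files("/mnt/evidence"): dump_history_file(p)` produces the same row dictionaries the sample does, ready to pipe into the other bbt tools.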