Roll Call
You may have read my introductory post about using Python scripts with encase. You may have also read my part 2 follow-up, which put a GUI on top of Didier Stevens’ pdf-parser. Did you also read Kevin Breen’s post? He wrote about using EnScript to call out to David Kovar’s analyzemft script using EnScript. Then Chip wrote a post about sending data out to get parsed by parser-usnjrnl.
Here comes another one to add to the list of #en2py projects. This time the scripts are parsing data from Windows Phone 8 evidence. Adrian Leong wrote a few Python scripts to get SMS, Call History, and Contacts and blogged them to the world a few days ago.
Scenario
These caught my attention because of a case (weirdly, several cases lately) at my task force that involved a Windows 8 phone. There aren’t a lot of options for acquiring Windows phones, so our resident JTAG expert worked his magic and coerced the device into giving it up. With this dd image, we could now see the partitions and file systems from the inside out. The problem now was in getting readable data out.
If you haven’t done any research for Windows phone tools on your own, let me save you some effort – there aren’t many. EnCase was able to see all the files, but has no data parsing tools. Several other tool companies have recently released some Windows phone tools, but they couldn’t parse the data from this phone, either. We found a Python script that was able to do some work on it, but ran into errors part way through the data and choked. We patched up the Python script and got it limping along enough to get the SMS needed.
Fast-forward a couple weeks and I stumble on Adrian’s post with the tools mentioned. Wow! What a great tool to rip this data out! I thought, “Why don’t I put an EnScript in front of these to automate the work?” So, here we are. This is a bonus since it will run three Python scripts for one EnScript. Can’t beat that deal!
EnScript Breakdown
I went straight for the GUI version since I already gave the basics earlier. I started off with the same structure as the EnScript I used to put a GUI over the pdf-parser. Not much to the GUI on this one since there aren’t any options in the Python scripts behind this. I am making bookmarks of the files being parsed as the EnScript moseys along its way. Checkbox at the bottom has EnCase open Windows Explorer at the output folder location when everything is done. Opening Explorer makes it easier to review the data instead of having to dig into the folders manually.
I am assuming that you have your Python installed at the default of c:\python27, but you can change that location on line 36 if it’s different. I have also assumed that you copied these three Python scripts into that same folder. Again, the location can be changed, if yours is different, on line 37, as follows:
Another little tidbit I started putting into my EnScripts is to have EnCase open the folder of the output files in Windows Explorer so I don’t have to dig in to find them. The GUI has a checkbox to allow user preference, and that value gets stored into a variable. Line 68 checks that variable and uses the API to open the window.
There are two files of concern here: store.vol and phone. I’m using ItemIteratorClass to loop through all of the files in the case (lines 55 and 56). Then I check first to make sure that I don’t end up processing some folder named like one of the target files (line 58). As long as it’s a file, then I check the name to see if it matches our targets (lines 59 and 60).
I took a little bit of a lazy approach on the RunParser function and copy/pasted some of the code inside. Bad form for a programmer, but then again I never claimed to be one! Lines 88, 97, and 106 each check for the filename to make sure each of the Python scripts are run against the file they expect to parse. Other than running the different Python scripts, the code is identical.
The Results
The bookmarks that result from running this EnScript aren’t very detailed. The Python scripts used here all generate their output in the form of tab-separated value (TSV) formatted files. This type of data ends up looking pretty ugly in the comments section of a bookmark. The bookmarks are really just for the purpose of documenting the files that got parsed.
You may notice in the output folder that there is a big ugly number tagged onto the name. If you did, then I applaud your observation skills! If not, work on those…
This is the MD5 hash of the file that was parsed. The idea with this EnScript is that you can just point and shoot. You can load up 20 Windows phones (have they sold this many?) into the same case and let the EnScript do the work to locate, export, and kick off the parsing for every one of them. The MD5 ensures a unique filename so they don’t overwrite each other, and it allows you to track it back to the source file.
Now it’s Time to Say Goodbye…
I hope that these Python scripts help you in your DFIR travels, should you run across a Windows 8 phone. I know they helped us (Thanks Adrian!). Perhaps this EnScript will help save you some time in not having to dig into the evidence file to find these data files. Work smart and let your tools do some of the work for you. This is what EnScript is designed to do.
Sorry I don’t have a sample evidence file for you, but perhaps someone out there has one to share? I welcome discussion in the Comments section below.
I teach techniques like this and more in our EnScript course. Come join me in one of our facilities, or bring me to your location. The more exotic the location, the better the price!*
Get the Python scripts here.
Get the EnScript here.
James Habben
@JamesHabben
* Sadly, I actually have no control over price
No comments :
Post a Comment