Thursday, April 25, 2013

EnCase EnScript to send data directly to SPLUNK for IR, Investigations & Timelines

This EnScript was original designed to aid in the triage and processing of multiple hosts by multiple examiners while conducting Incident Response & Investigations and quickly collate all the data together. This can also be used to create simple timelines.

Imagine you work for a medium to large company and you have an incident that requires some immediate triage. "Triage" in this sense means that responders are going to need to connect, examine and evaluate several hosts to determine what is going on or what has happened. During this triage, it is likely that the examiner(s) are going to come across files/folders of interest that may need to be remembered, compared to other files found on other hosts and/or documented later.

This EnScript was designed to allow the examiner to simply "tag" those files/folders and send the data directly to Splunk. To make this simple, you can easily setup your own IR/Investigative instance of Splunk that can digest up to 500MB of data daily, for free. The idea is to let each examiner dig through images/drives and quickly tag things of interest. All the data is sent to Splunk so it can easily be overlaid on top of other data and shown in relation to other hosts. This allows analysts to query and build real-time reports in Splunk while the triage is still happening.

To make this illustration as simple as possible and assuming you don't already have an instance of Splunk up and running , I downloaded the SANS SIFT virtual workstation and downloaded the Debian Splunk installer package from this link. Once downloaded, simply double-clicked on the package in the Nautilus GUI to install it. Once installed, you will need to start the Splunk service as root (sudo splunk start).

Once started, you will need to tell Splunk via the "Manager" link on the top-right that you will be sending it data over a TCP port from EnCase. To do this, you define a TCP data input and select a TCP port that you want Splunk to listen on to accept this data.

In this example, I defined a TCP port in Splunk to listen on port 9100 and provided a source name override of "EnCase". The source type is "CSV".

Next, you will need to explain to Splunk the type of data you will be sending it and how its formatted. To do this, you can create two files in the /opt/splunk/etc/system/local folder (assuming to installed Splunk in the default location) named props.conf & transforms.conf.

MAX_DAYS_AGO = 10000
TZ =  America/Los_Angeles
REPORT-EnCase = EnCase_Format
TIME_PREFIX = Timestamp..

FIELDS="Timestamp","Type","CaseName","Filename","Path","Extension","LogicalSize","INode","MD5","ExamHostname","Examiner", "Notes"

(note: each field should be defined and reside on its own separate line. The above data may appear wrapped depending on your browser).

The first file (props.conf) defines a stanza for a source named "EnCase" (which we provided as a source override when we setup the TCP data input in the Splunk GUI). The MAX_DAYS_AGO is important because if you encounter files with old timestamps, they may be skipped and not recorded unless you tell Splunk that you will be sending it data with old timestamps (very important if timestomping is suspected). The "TZ" field defines what time zone the data is adjusted for. The "REPORT" field refers to the Stanza we will define in the transforms.conf file. The last field defines a REGEX that tells Splunk what to look for immediately preceding the timestamp that it will use as the timestamp reference to affirmatively grab the correct timestamp.

The second file (transforms.conf) defines the delimiter and the fields used by the EnScript as the data is sent to the TCP socket.

Once setup, just ensure the SIFT virtual machine (now with a Splunk server installed) is reachable via the network by all EnCase examination machines that will be sending data to it. By default the SIFT virtual machine is setup to use NAT networking on the host machine, which means it will only be reachable by the host machine. Use bridged networking if other machines will be running EnCase and sending it data via the EnScript.

Since in this use case you are not using the Splunk instance as a heavy forwarder or indexer and sending thousands of events to it every second, I have not found any performance issues running it in a virtual environment as described above. If you were running the Splunk instance and sending data to it from hundreds of hosts or forwarders, then you would probably want to have a non-virtual dedicated instance with some optimized networking.

In EnCase, create a tag named "SendToSplunk". Tag any files you come across that are of interest and you want to send to Splunk.

Once you have tagged all the files of interest, run the EnScript and you are presented with the following dialog:


The examiner's name is automatically pulled from the "Examiner Name" data value in the case, if set:

The examiner's hostname is also automatically pulled from the local machine running EnCase. This is for tracking purposes once the data is sent to Spunk so you can validate and link the data back to the examiner's machine that sent it.

Set the Splunk server IP to the IP address of the SIFT workstation or wherever your Splunk instance is installed and the port you defined in Splunk when you setup the TCP data input (9100 in the example above).

Once run, the data will appear in Splunk with the fields already extracted for searching:


Each tagged file is sent to Splunk for each timestamp that is available. This is normally four times if the file is not deleted, five if there is a deleted timestamp. Each time the file metadata is sent to Splunk the timestamp used in that particular record is defined using the "type" field.

Download Here (EnCase v7)
Download Here (EnCase v6)

Computer Forensics, Malware Analysis & Digital Investigations

Random Articles