30 11 2012
Browser Artifact Recovery Forensic Framework – BARFF
Hello all, I wanted to take a few minutes and let you know that I am releasing some code I have been working on over the past couple weeks.
I blogged awhile back about how I wanted to learn more about Python while also learning about digital forensics. Well, I finally got around to it with everything else going on these days.
It’s not really a framework, but i’m thinking about turning it into one. I needed another letter F so I could call it BARFF so I just decided to add the word framework.
It’s going to be called Browser Artifact Recovery Forensic Framework (BARFF).
So yeah, here are some examples:
Note: The formatting on the examples got messed up somehow. There are no spaces between output results.
$ python barff.py -h
Browser Artifact Recovery Forensic Framework (BARFF)
Google Chrome History: -b Chrome -p history
Google Chrome Visited Count: -b Chrome -p count
Google Chrome Cookies: -b Chrome -p cookie
Google Chrome Downloads: -b Chrome -p downloads
Firefox Bookmarks: -b Firefox -p mozbookmark
Firefox Visit Count: -b Firefox -p mozcount
Firefox Cookie: -b Firefox -p mozcookie
Google Drive Cloud Entry: -b Drive -p cloudentry
Google Drive Local Entry: -b Drive -p localentry
Skype Main DB User Profile: -b Skype -p skypeprofile
Skype Main DB Messages: -b Skype -p skypemessage
Google Chrome History
$ python barff.py -b Chrome -d ../db/ -p history |more
Visit Time URL Page Title
2012-09-28 09:01:35 | http://www.malwaredomainlist.com/ | MDL
2012-10-01 00:46:46 | http://www.malwaredomainlist.com/ | MDL
Google Chrome Count
$ python barff.py -b Chrome -d ../db/ -p count |more
Last Visited URL Visit Count
2012-11-28 02:52:37 | http://google.com/ | 108
2012-11-28 02:52:37 | https://www.google.com/ | 108
2012-11-28 02:52:37 | http://www.google.com/ | 108
2012-11-27 03:15:42 | http://edition.cnn.com/ | 100
2012-11-26 22:49:31 | http://www.amazon.com/ | 64
2012-11-26 22:49:31 | http://amazon.com/ | 53
2012-11-28 02:22:30 | http://blogger.com/ | 50
2012-11-28 02:21:25 | http://twitter.com/ | 44
Google Chrome History
$ python barff.py -b Chrome -d ../db/ -p cookie |more
2012-11-28 02:57:04 | 2022-11-26 02:57:04 | www.google.com | gv |DQAAAM
2012-11-28 01:52:21 | 2022-11-26 01:52:21 | .docs.google.com | WRITELY_SID | DQ
Google Chrome Downloads
$ python barff.py -b Chrome -d ../db/ -p downloads |more
Start Time URL Download Path
2012-11-28 02:47:25 | http://jaist.dl.sourceforge.net/project/sqlitebrowser
Mozilla Firefox Bookmarks
$ python barff.py -b Firefox -d ../db/ -p bookmark |more
2012-11-22 20:58:53 | Help and Tutorials | http://www.mozilla.com/en-US/firefox/help/ | 0
2012-11-22 20:58:53 | Customize Firefox | http://www.mozilla.com/en-US/firefox/
Mozilla Firefox Visit Count
$ python barff.py -b firefox -d ../db/ -p mozcount |more
Mozilla Firefox Cookies
$ python barff.py -b firefox -d ../db/ -p mozcookie |more
google.co.kr|PREF|ID=4c80f4a849e:FF=0:NW=1:TM=135635:LM=135635:S=D qgfdbvN_r7Qfdfev.google.co.kr|2012-11-22 20:59:10|2014-11-22 20:59:10
Google Drive Local Entry
$ python barff.py -b Drive -d ../db/ -p localentry |more
hexplorer.dll | 2012-11-01 09:51:08 | 47b25e7043c0a3398594a7178122a4b2
ntfsstreams.dll | 2012-11-01 09:51:08 | 8a929ead66540292cdc212ceddacecd0
free.hexdwc | 2012-04-05 12:48:59 | c21484fd0e9d0014b81744e385cb9644
Tool Window Layouts | 2012-11-26 02:33:14 | None
\\?\C:\Users\malware\Google Drive | None | None
Zappos.com Free Shipping.pdf | 2012-11-26 03:47:31 | 4ef09f3681c74c85d89433cfff
Google Drive Cloud Entry
$ python barff.py -b Drive -d ../db/ -p cloudentry |more
root | None | None | None | 0 | None | None
googlegeoip.py | 2010-08-15 20:20:28 | 2012-11-26 14:19:51 | 1 | 0 | 11f3220938
42e2bf73cb9cc4ded8024b | https://docs.google.com/file/d/0B6hVqVMWS
avsubmit.py | 2010-09-13 13:17:30 | 2012-11-26 14:19:42 | 1 | 0 | 7f983896d2774fc0333d260c5a8edf3d | https://docs.google.com/file/d/0B6hVqVMWS3
I removed the names here for “privacy” reasons.
$ python barff.py -b skype -d ../db/ -p skypemessage |more
$ python barff.py -b skype -d ../db/ -p skypeprofile |more
|Patrick|I am currently living in Seoul.|US|Seoulemail@example.com
Just a heads up. I have only tested this on Windows machine and within my PythonAnywhere.com account. My python anywhere account is running Python 2.7. I switched over to Chromebox and i’m running Chrome OS while I explore more about cloud forensics. So please let me know if there are any issues on the systems you use. It should be pretty straight forward. If it doesn’t work check the version of SQLite on your system and make sure it’s updated. It will be my intent to get this up and running on SIFT, DEFT, etc. so it can be packaged with all the other forensic tools out there. That’s assuming of course that it’s useful for you all.
And yes, I know I have some commenting to do. I’ll also work on getting the prints to work so you have headers on the output. I figured with the weekend coming up I would like to get some feedback so I can work on fixing it over the weekend while i’m traveling.
So yeah, that’s all the “plugins” I have for now. I’ll build some more over the next couple weeks, and then i’ll start on parsing the binary files, pull some registry keys as well (TypedURL, etc.) so it can act as a “internet artifact” collector. I’ll also look at getting Safari, Opera, and IE integrated as well. I’m not a good coder yet so it will take me awhile to get all this.
If you would like to see some features please leave comments below.
Code Location: http://code.google.com/p/barff/
Source Code: http://code.google.com/p/barff/source/browse/Trunk/barff.py
I would also like to thank some people.
1. Andrew Case @attrc from the Volatility crew. He helped me format some things and gave me some pointers. He is a great resource for the community and willing to help out when I asked some questions.
2. Google Search – I don’t think I need to mention much about this one.
3. Bucky Roberts Python Videos, Coursera.org and codeacademy.com
4. The people who take the time to answer questions on Stackoverflow. People really do appreciate your responses.