System Forensics

All your artifacts are belong to us.

30 11 2012

Browser Artifact Recovery Forensic Framework – BARFF

sysforensics | BARFF, Browser Malware, parse chrome, parse firefox, parse google drive

Hello all, I wanted to take a few minutes and let you know that I am releasing some code I have been working on over the past couple weeks.

I blogged awhile back about how I wanted to learn more about Python while also learning about digital forensics. Well, I finally got around to it with everything else going on these days.

It’s not really a framework, but i’m thinking about turning it into one. I needed another letter F so I could call it BARFF so I just decided to add the word framework. :)

It’s going to be called Browser Artifact Recovery Forensic Framework (BARFF).

So yeah, here are some examples:

UPDATED: 6DEC12

Note: The formatting on the examples got messed up somehow. There are no spaces between output results.

BARFF Help

$ python barff.py -h

Browser Artifact Recovery Forensic Framework (BARFF)

barff.py “-d”, “–directory” “-b”, “–browser “-p”, “–plugin”
Plugins supported:
Google Chrome History:            -b Chrome -p history
Google Chrome Visited Count:   -b Chrome -p count
Google Chrome Cookies:           -b Chrome -p cookie
Google Chrome Downloads:       -b Chrome -p downloads
Firefox Bookmarks:                   -b Firefox -p mozbookmark
Firefox Visit Count:                    -b Firefox -p mozcount
Firefox Cookie:                          -b Firefox -p mozcookie
Google Drive Cloud Entry:         -b Drive -p cloudentry
Google Drive Local Entry:          -b Drive -p localentry
Skype Main DB User Profile:      -b Skype -p skypeprofile
Skype Main DB Messages:         -b Skype -p skypemessage 

Google Chrome History

$ python barff.py -b Chrome -d ../db/ -p history |more

Visit Time URL Page Title
2012-09-28 09:01:35 | http://www.malwaredomainlist.com/ | MDL
2012-10-01 00:46:46 | http://www.malwaredomainlist.com/ | MDL 

Google Chrome Count

$ python barff.py -b Chrome -d ../db/ -p count |more

Last Visited URL Visit Count
2012-11-28 02:52:37 | http://google.com/ | 108
2012-11-28 02:52:37 | https://www.google.com/ | 108
2012-11-28 02:52:37 | http://www.google.com/ | 108
2012-11-27 03:15:42 | http://edition.cnn.com/ | 100
2012-11-26 22:49:31 | http://www.amazon.com/ | 64
2012-11-26 22:49:31 | http://amazon.com/ | 53
2012-11-28 02:22:30 | http://blogger.com/ | 50
2012-11-28 02:21:25 | http://twitter.com/ | 44

Google Chrome History

$ python barff.py -b Chrome -d ../db/ -p cookie |more

2012-11-28 02:57:04 | 2022-11-26 02:57:04 | www.google.com | gv |DQAAAM
2012-11-28 01:52:21 | 2022-11-26 01:52:21 | .docs.google.com | WRITELY_SID | DQ

Google Chrome Downloads

$ python barff.py -b Chrome -d ../db/ -p downloads |more 

Start Time URL Download Path
2012-11-28 02:47:25 | http://jaist.dl.sourceforge.net/project/sqlitebrowser 

Mozilla Firefox Bookmarks

$ python barff.py -b Firefox -d ../db/ -p bookmark |more

2012-11-22 20:58:53 | Getting Started | http://www.mozilla.com/en-US/firefox/central/ | 0
2012-11-22 20:58:53 | Help and Tutorials | http://www.mozilla.com/en-US/firefox/help/ | 0
2012-11-22 20:58:53 | Customize Firefox | http://www.mozilla.com/en-US/firefox/ 

Mozilla Firefox Visit Count

$ python barff.py -b firefox -d ../db/ -p mozcount |more

Visit Date|URL|Visit Count
2012-11-22 20:59:22|http://www.google.com/|2 

Mozilla Firefox Cookies

$ python barff.py -b firefox -d ../db/ -p mozcookie |more

Domain|Name|Value|Host|Create|Expire
google.co.kr|PREF|ID=4c80f4a849e:FF=0:NW=1:TM=135635:LM=135635:S=D qgfdbvN_r7Qfdfev.google.co.kr|2012-11-22 20:59:10|2014-11-22 20:59:10

Google Drive Local Entry

$ python barff.py -b Drive -d ../db/ -p localentry |more

hexplorer.dll | 2012-11-01 09:51:08 | 47b25e7043c0a3398594a7178122a4b2
ntfsstreams.dll | 2012-11-01 09:51:08 | 8a929ead66540292cdc212ceddacecd0
free.hexdwc | 2012-04-05 12:48:59 | c21484fd0e9d0014b81744e385cb9644
Tool Window Layouts | 2012-11-26 02:33:14 | None
\\?\C:\Users\malware\Google Drive | None | None
Zappos.com Free Shipping.pdf | 2012-11-26 03:47:31 | 4ef09f3681c74c85d89433cfff 

Google Drive Cloud Entry

$ python barff.py -b Drive -d ../db/ -p cloudentry |more 

root | None | None | None | 0 | None | None
googlegeoip.py | 2010-08-15 20:20:28 | 2012-11-26 14:19:51 | 1 | 0 | 11f3220938
42e2bf73cb9cc4ded8024b | https://docs.google.com/file/d/0B6hVqVMWS
avsubmit.py | 2010-09-13 13:17:30 | 2012-11-26 14:19:42 | 1 | 0 | 7f983896d2774fc0333d260c5a8edf3d | https://docs.google.com/file/d/0B6hVqVMWS3 

Skype Messages
I removed the names here for “privacy” reasons.

$ python barff.py -b skype -d ../db/ -p skypemessage |more

Friendly Name|Author|From Display Name|Timestamp|Dialog Partner
<name_removed>|<name_removed>||2012-08-18 09:18:57|<name_removed>
<name_removed>|<name_removed>|<name_removed>|2012-08-18 09:18:57|<name_removed>
<name_removed>|<name_removed>|<name_removed>|2012-08-18 09:18:57|<name_removed> 

Skype Profile

$ python barff.py -b skype -d ../db/ -p skypeprofile |more

Skypename|Fullname|About|Country|City|Email
|Patrick|I am currently living in Seoul.|US|Seoul|@gmail.com 

TESTING:

Just a heads up. I have only tested this on Windows machine and within my PythonAnywhere.com account. My python anywhere account is running Python 2.7. I switched over to Chromebox and i’m running Chrome OS while I explore more about cloud forensics. So please let me know if there are any issues on the systems you use. It should be pretty straight forward. If it doesn’t work check the version of SQLite on your system and make sure it’s updated. It will be my intent to get this up and running on SIFT, DEFT, etc. so it can be packaged with all the other forensic tools out there. That’s assuming of course that it’s useful for you all.

And yes, I know I have some commenting to do. I’ll also work on getting the prints to work so you have headers on the output. I figured with the weekend coming up I would like to get some feedback so I can work on fixing it over the weekend while i’m traveling.

SUMMARY:

So yeah, that’s all the “plugins” I have for now. I’ll build some more over the next couple weeks, and then i’ll start on parsing the binary files, pull some registry keys as well (TypedURL, etc.) so it can act as a “internet artifact” collector. I’ll also look at getting Safari, Opera, and IE integrated as well. I’m not a good coder yet so it will take me awhile to get all this.

If you would like to see some features please leave comments below.

Code Location: http://code.google.com/p/barff/

Source Code: http://code.google.com/p/barff/source/browse/Trunk/barff.py

Tweet

I would also like to thank some people.

1. Andrew Case @attrc from the Volatility crew. He helped me format some things and gave me some pointers. He is a great resource for the community and willing to help out when I asked some questions.
2. Google Search – I don’t think I need to mention much about this one.
3. Bucky Roberts Python Videos, Coursera.org and codeacademy.com
4. The people who take the time to answer questions on Stackoverflow. People really do appreciate your responses.

, , , ,

Comments are currently closed.

One thought on “Browser Artifact Recovery Forensic Framework – BARFF

Take the red pill and follow….

Recent Posts

Archives