This set of scripts is designed to collect a variety of data from an endpoint thought to be infected, to facilitate the incident response process. This data should not be considered a full forensic data collection, but it does capture a lot of useful forensic information.
If you want true forensic data, you should capture a full memory dump and image the entire drive. That is not within the scope of this toolkit.
How to use
The script must be run on a live system, not on an image or other forensic data store. It does not strictly require root permissions to run, but without them it will be unable to collect much of the intended data (other users' files, protected databases, and so on).
Data is collected in two forms. The first is summary files, containing the output of shell commands, data extracted from databases, and the like. For example, the browser module writes a browser_extensions.txt file with a summary of all the browser extensions installed for Safari, Chrome, and Firefox.
The second is complete files collected from the filesystem. These are stored in an artifacts subfolder within the collection folder.
Syntax
The script is very simple to run. It takes only one parameter, which is required, to pass in a configuration script in JSON format:
./pict.py -c /path/to/config.json
The configuration script describes what the script will collect, and how. The keys it recognises are described below.
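Because the page's own sample configuration is not reproduced here, the following is an added example assembled from the key descriptions below; it is not the project's shipped config. The collectionPath key name is assumed from the name of the Collector constructor parameter, BrowserCollector is an assumed class name for the browser module, and the mymodule/MyCollector and unused entries are illustrative placeholders for your own modules.

```json
{
    "collectionPath": "~/Desktop/PICT",
    "all_users": true,
    "collectors": {
        "browser": "BrowserCollector",
        "mymodule": "MyCollector"
    },
    "unused": {
        "oldmodule": "OldCollector"
    },
    "settings": {
        "keepLSData": false,
        "zipIt": true
    },
    "moduleSettings": {
        "browser": {
            "collectArtifacts": false
        }
    }
}
```

Entries under unused are ignored by the toolkit, so moving a module there is a way to disable it while keeping its exact module and class names on hand for later.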
The collection path (passed to each module as collectionPath) specifies the folder in which to store the collected data. It can be an absolute path or a path relative to the user's home folder (by starting with a tilde). The default path, if not specified, is /Users/Shared.
Data is collected in a folder created in this location. That folder is named in the form PICT-computername-YYYY-MM-DD, where the computer name is the name of the machine specified in System Preferences > Sharing and the date is the date of collection.
all_users
If true, collects data from all users on the machine wherever possible (this generally requires running as root). If false, collects data only for the user running the script. If not specified, this value defaults to true.
collectors
PICT is modular, and can easily be expanded or reduced in scope simply by changing which Collector modules are used.
The collectors value is a dictionary where the key is the name of a module to load (the name of the Python file without the .py extension) and the value is the name of the Collector subclass found in that module. You can add more entries for custom modules (see Writing your own modules), or remove entries to prevent those modules from running. One easy way to remove modules, without having to look up the exact names later if you want to add them again, is to move them into a top-level dictionary named unused.
settings
This dictionary provides global settings.
keepLSData specifies whether the lsregister.txt file, which can be quite large, should be kept. This file is generated automatically and is used to build the output of some other modules. It contains a wealth of useful information, but can be well over 100 MB in size. If you do not need all that data, or do not want to deal with that much data, set this to false and it will be deleted when collection is finished.
zipIt specifies whether to automatically generate a zip file with the contents of the collection folder. Note that the process of zipping and unzipping the data will change some attributes, such as file ownership; if ownership matters to your analysis, record it from the unzipped collection folder before relying on the archive.
moduleSettings
This dictionary specifies module-specific settings. Not all modules have their own settings, but if a module does allow for its own settings, you can provide them here, keyed by module name. For example, the browser module accepts a boolean setting named collectArtifacts.
There are also global module settings that are maintained by the Collector class, and that can be set individually for each module.
collectArtifacts specifies whether to collect the file artifacts that would normally be collected by the module. If false, all artifacts are omitted for that module. This may be needed where storage space is a consideration and the collected artifacts are large, or where the collected artifacts may represent a privacy issue for the user whose system is being analyzed.
Writing your own modules
Modules must consist of a file containing a class that is subclassed from Collector (defined in collectors/collector.py), and they must be placed in the collectors folder. A new Collector module can easily be created by duplicating the collectors/template.py file and customizing it for your own use.
def __init__(self, collectionPath, allUsers)
This method can be overridden if necessary, but the super Collector.__init__() must be called in that case, ideally before your custom code executes. This gives the object the chance to get its properties set up before your code tries to use them.
def printStartInfo(self)
This is a very simple method that is called when this module's collection starts. Its intent is to print a message to stdout to give the user a sense of progress, by providing feedback about what is happening.
def applySettings(self, settingsDict)
This gives the module the chance to apply any custom settings. Each module can have its own self-defined settings, but the settingsDict must also be passed to the super, so that the Collector class can handle any settings that it defines (such as collectArtifacts).
def collect(self)
This method is the core of the module. It is called when it is time for the module to begin collection. It can write as many files as it needs to, but should confine this activity to files within the path self.collectionPath, and should use filenames that are not already taken by other modules.
If you need to collect artifacts, do not try to do this on your own. Simply add paths to the self.pathsToCollect array, and the Collector class will handle copying them into the appropriate subpaths within the artifacts folder, and maintaining the metadata (permissions, extended attributes, flags, etc.) on the artifacts.
When the method finishes, be sure to call the super (Collector.collect(self)) to give the Collector class the chance to handle its responsibilities, such as collecting artifacts.
Your collect method can use any data collected in the basic_info.txt or lsregister.txt files found at self.collectionPath. These are collected at the beginning by the pict.py script, and can be assumed to be available for use by any other module. However, you should not rely on output from any other modules, as there is no guarantee that those files will be available when your module runs. Modules may not run in the order they appear in your configuration JSON; the toolkit makes no ordering promise for the collectors dictionary, so treat every module as independent.
Credits
Thanks to Greg Neagle for FoundationPlist.py, which solved a number of problems with reading binary plists, plists containing date data types, and so on.