Feature request - Add ZimmermanTools to the SIFT

[mark-hallman]

This is a pretty simple install with just one prereq, .Net6.

1. Install DotNet6
2. Add the aliases provided below t.o the user's aliases
3. create /opt/zimmermantools
4. Download Get-ZimmermanTools.zip from here
5. Unzip Get-ZimmermanTools.zip and copy Get-ZimmermanTools.ps1 to /opt/zimmermantools
6. Run Get-ZimmermanTools, which is an alias for 'cd $ZIMMERMAN_HOME && powershell $ZIMMERMAN_HOME/Get-ZimmermanTools.ps1' All the ZimmermanTools will be downloaded, and the tools can be run with the aliases provided. The aliases provide the same experience that one would see in a Windows environment.

zimmermantools_linx_aliases.txt

[digitalsleuth]

Hi @mark-hallman , sounds interesting. I'll see if I can take a look at it tonight and see how it goes!

[mpilking]

Zimmerman tools would be a nice addition. We did it manually for FOR508. One thing to consider including is a set of aliases to make it easier to run the commands (so you can just run mftecmd -f \$MFT for example). Here are the aliases we setup:

# add aliases in /etc so they apply to both root and sansforensics users:

alias amcacheparser='dotnet /opt/zimmermantools/AmcacheParser.dll'
alias AmcacheParser='dotnet /opt/zimmermantools/AmcacheParser.dll'
alias appcompatcacheparser='dotnet /opt/zimmermantools/AppCompatCacheParser.dll'
alias AppCompatCacheParser='dotnet /opt/zimmermantools/AppCompatCacheParser.dll'
alias bstrings='dotnet /opt/zimmermantools/bstrings.dll'
alias iisGeolocate='dotnet /opt/zimmermantools/iisGeolocate.dll'
alias iisgeolocate='dotnet /opt/zimmermantools/iisGeolocate.dll'
alias jlecmd='dotnet /opt/zimmermantools/JLECmd.dll'
alias JLECmd='dotnet /opt/zimmermantools/JLECmd.dll'
alias lecmd='dotnet /opt/zimmermantools/LECmd.dll'
alias LECmd='dotnet /opt/zimmermantools/LECmd.dll'
alias mftecmd='dotnet /opt/zimmermantools/MFTECmd.dll'
alias MFTECmd='dotnet /opt/zimmermantools/MFTECmd.dll'
alias pecmd='dotnet /opt/zimmermantools/PECmd.dll'
alias PECmd='dotnet /opt/zimmermantools/PECmd.dll'
alias rbcmd='dotnet /opt/zimmermantools/RBCmd.dll'
alias RBCmd='dotnet /opt/zimmermantools/RBCmd.dll'
alias recentfilecacheparser='dotnet /opt/zimmermantools/RecentFileCacheParser.dll'
alias RecentFileCacheParser='dotnet /opt/zimmermantools/RecentFileCacheParser.dll'
alias rla='dotnet /opt/zimmermantools/rla.dll'
alias sbecmd='dotnet /opt/zimmermantools/SBECmd.dll'
alias SBECmd='dotnet /opt/zimmermantools/SBECmd.dll'
alias srumecmd='dotnet /opt/zimmermantools/SrumECmd.dll'
alias SrumECmd='dotnet /opt/zimmermantools/SrumECmd.dll'
alias sumecmd='dotnet /opt/zimmermantools/SumECmd.dll'
alias SumECmd='dotnet /opt/zimmermantools/SumECmd.dll'
alias wxtcmd='dotnet /opt/zimmermantools/WxTCmd.dll'
alias WxTCmd='dotnet /opt/zimmermantools/WxTCmd.dll'
alias sqlecmd='dotnet /opt/zimmermantools/SQLECmd/SQLECmd.dll'
alias SQLECmd='dotnet /opt/zimmermantools/SQLECmd/SQLECmd.dll'
alias recmd='dotnet /opt/zimmermantools/RECmd/RECmd.dll'
alias RECmd='dotnet /opt/zimmermantools/RECmd/RECmd.dll'
alias evtxecmd='dotnet /opt/zimmermantools/EvtxeCmd/EvtxECmd.dll'
alias EvtxECmd='dotnet /opt/zimmermantools/EvtxeCmd/EvtxECmd.dll'

[digitalsleuth]

Looks good, I'll use and test these, no sense reinventing the wheel :)

[digitalsleuth]

So there will need to be a couple of changes, but this can work. The changes I'll need to make are:

• iisGeolocate path is in a subfolder, also called iisGeolocate)
• Neither PECmd or SumECmd tools will work in a Linux environment because (as stated by these tools) Non-Windows platforms not supported due to the need to load decompression specific Windows libraries! Exiting...

Other than that, everything should work fine. @mpilking or @mark-hallman , do either of you have known-good artifacts I can use to test each of these tools to ensure that these work prior to rolling out?

[mark-hallman]

Use the aliases file that I included in my 1st post. They are Mike's aliases from 508, but they have been updated to use an environment $ZIMMERMAN_HOME to make it easier to change the install location. The most important change is that the path in the aliases has been updated to include "zimmermantools/net6". This is required to use Eric's script to update tools. These tools are updated often. If you use the steps I included, the installer will do all these things. I think it is easier to reinstall the tools using Get-ZimmermanTool alias that I added to the alias file than to try and add the net6 dir and move the files.

Happy to answer any questions etc and to test.

I check out the issues with PECmd and SUMECmd. The error message you included makes sense; modern prefetch files are compressed.

[mark-hallman]

Aliases file updated for iisGeolocate sub-dir.
zimmermantools_linx_aliases.txt

I confirmed that PECmd and SumECmd do have issues running in a non-Windows env. I'll reach out to Eric and see if he has a solution or if that is just how it is. If PECmd doesn't work, that's a real bummer, but happy to take what we can get.

[mark-hallman]

One more for the does not work on a non-Windows OS. SumECmd.

I'm wondering how to deal with this. We probably want to remove the aliases for these three. Even if we remove the exe and dll for those three, the next time that an update is run, they will get repopulated. I feel that if someone is smart enough to figure out how to run those specific tools without the alias, they should be able to deal with the messages that are returned.

Thoughts?

[mark-hallman]

Never midn about the last comment about adding SumECmd , you already had it. So there are only two tools that don't work at this point.

[digitalsleuth]

State is complete, final testing underway. I've opted for using the "wrapper" method vice the "alias" method, whereby a short bash script will be created in /usr/local/bin for each tool (mixed-case like the normal file and lower-case like in the aliases), instead of the aliases. The script is essentially:

#!/bin/bash
dotnet /opt/zimmermantools/{{ tool }}.dll ${*}

The reasoning behind this is that, when writing to a universal /etc/ aliases file (eg /etc/profile.d/10-aliases.sh or the like), it could become more challenging to update / modify the alias should something change, and it avoids collision with an existing aliases file if the user is installing SIFT alongside another tool-set in the same VM, or if the user has already customized their aliases files.

This method will also make the tools available to the root user, and other new users down the road, without additional modification of the aliases file.

If you believe the aliases method is a better option, please let me know! I'm all about making sure we get the best product in the end. :)

[digitalsleuth]

So, I've been trying for an hour or two, and I can't complete an accurate test, due to some ongoing internet connectivity issues I'm having with my ISP. Rest assured, the state is ready to go, but until I can complete an accurate test, I won't be able to push it as a PR. Hopefully this isn't an issue tomorrow.

[mpilking]

The wrapper seems like the better approach. It also probably has the benefit that it works better inside other shell scripts. I created a bash script for some automation recently and tried to use the mftecmd alias, but it failed. It wasn't big deal. I just put the full command in the script. But if this wrapper works in scripts, even better.

Thanks for your help!

[salty4n6]

So far I've tested a couple of the zimmerman apps on SIFT and I'm really liking it, but I ran into another app that is cranky but wasn't called out as one that has issues on Linux.

When I run SrumECmd I get this message.
Non-Windows platforms not supported due to the need to load ESI specific Windows libraries! Exiting...

~Salty