Acknowledgements

Apache Lucene.Net™ is a high performance, full-featured text search engine written in C#.NET. More information on Lucene.NET can be found at http://lucene.apache.org/. It is distributed under the Apache License.

Be.HexEditor by Bernhard Elbl is located at http://www.sourceforge.net/projects/hexbox and distributed under the MIT license.

DocToText by Silvercoders is located at http://silvercoders.com/en/products/doctotext/ and distributed under the GNU General Public License v2.

LibPST is part of the Outlook to MBOX converter (ol2mbox) project located at http://ol2mbox.sourceforge.net/, written by Dave Smith and distributed under the GNU General Public License.

PDFsharp by empira Software GmbH is located at http://www.pdfsharp.net/?AspxAutoDetectCookieSupport=1 and distributed under the MIT license.

RegDump by Ladislav Nevery is located at http://www.codeproject.com/Articles/24415/How-to-readdump-compare-registry-hives and distributed under the Code Project Open License 1.02.

SharpCompress, led by Adam Hathcock, is located at http://sharpcompress.codeplex.com/ and is distributed under the Microsoft Public License (Ms-PL).

Table of Contents

- Acknowledgements
- Table of Contents
- Overview
- Requirements
- Installation
- Features
  - Collector
    - Simple Collection
    - Advanced Collection
    - Collection
  - Reporter
    - Report Title
    - Description
    - Report Data Source
    - Fields Included in Report
    - Grouping
    - Sorting
    - Filter
    - Limit Row Count
    - Remove Duplicate Rows
    - Reports
  - Investigator
    - Panel Overview
    - Opening an Evidence Locker
    - Navigation Panel
    - Case Manager
    - Evidence ID Finder
  - Database Manager
    - Registry Privacy Database
    - Configuration
    - Searching Regular Expressions
    - Web Page Patterns
    - Report Sources
    - Modifying Databases
  - Update Tool
- Appendix A: Report Data Sources
- Appendix B: Script Language Specification
  - Primitives
  - Data Types
  - Variables
  - Labels
- Appendix C: Language Primitives

Overview

Absolution is a computer forensics tool that searches files for identifiable patterns and critical information to help simplify an investigation.
The easiest way to conceptualize Absolution is shown in Figure 1: bulk information readable from some form of electronic media is processed by Absolution to create a set of indexed, searched, and categorized data that a human can understand.

Figure 1: Absolution Abstract Machine

Why is this useful? This is the most convenient and comprehensive way of examining a set of data taken from a computer to determine what parts are important. Absolution performs many processes and investigations, including finding information about what a person has been searching for, where a person has been, which files have been tampered with or accessed, which web sites have been browsed, and so on. Law Enforcement, Legal Counsel, Detectives, Corporate Management, Anti-Malware Forensic Teams, Information Technology Management, Security Professionals, and Compliance Officers need and use tools to conduct these investigations.

Absolution has several useful features:

- High Performance
- All-In-One Examination
- Simple to Use
- Comprehensive
- Extensible
- Open Source

These features make Absolution ideal for improving the speed at which an investigation is performed as well as reducing the workload required of investigators.

The Forensics Process encapsulates the steps required by forensic examiners to investigate a computer system's data. The five steps are creating a forensics plan, acquiring the evidence in a way that preserves it, extracting the data from the evidence, analyzing the evidence, and reporting on what was discovered. Absolution focuses on the Analysis and Reporting phases of the Forensics Process. Further analysis and reporting are expected from the investigator, but Absolution attempts to perform the most tedious and time consuming tasks automatically.

Requirements

Absolution will use all resources available on the system it runs on to perform the examinations as quickly as possible.
Still, the program requires a significant amount of time to complete for large amounts of data. This is reflected in the requirements. Absolution requires:

- Microsoft Windows Vista, Windows 7, Windows 8, or Windows Server 2013
- 4 Gigabytes of RAM (8 recommended)
- 2.0+ GHz 64-bit capable Dual Core Processor (3.0 GHz Quad Core or greater recommended)
- 10 gigabytes or more of available storage space
- Microsoft .NET 4.5

Installation

Absolution is distributed as a self-extracting setup package from http://www.sourceforge.net/projects/absolution. When you run the package installer, the Absolution Setup Wizard will appear. When you are ready to install Absolution, click "Next".

The GNU General Public License version 3, distributed with Absolution, allows free distribution of the source code and the binaries of the program. It also states that there are no warranties of any kind. If you accept the agreement and select "Next", the installation continues.

The information page provides some basic information about the current release of Absolution. Typically it lists the new features added in this code branch or release. Select "Next" to continue installing the software.

Select the directory that Absolution will be installed to and select "Next" to continue the installation.

Select where you want the program shortcuts installed and select "Next". If you want a desktop icon, check the box; if not, uncheck it. Select "Next" to continue.

The next display shows what changes will be made during the installation. Press "Install" to complete the installation. A progress bar shows the installation progress.

If you wish to review the Quick Welcome or the README, check the boxes; when you press "Finish", the selected documents will be opened. When the Installation Wizard closes, Absolution is installed.
Features

Absolution consists of several tools that aid in the collection, analysis and reporting of the important facts collected from an arbitrary set of raw data. Absolution has five primary utilities:

- Collector
- Reporter
- Investigator
- Database Manager
- Update Tool

Collector

The Absolution Collector indexes the data, performs analysis, generates reports, and exfiltrates data. Note that "exfiltration" in Absolution means copying files into the Evidence Locker on the examination system, as described below; it does not send data anywhere. The Collector is started using either the Simple Collection Wizard or the Advanced Collection Wizard. The Simple Collection provides a "normal for most users" configuration. The Advanced Collection allows the collection options to be changed.

Note: Exfiltration is only available with the Advanced Collection option.

The directory in which all of the indexes, reports, and exfiltrated data are stored is called the Evidence Locker. The Evidence Locker for each run is located in the My Documents/Absolution directory by default.

Important Concept: Evidence Locker. An Evidence Locker is a directory that contains all of the results of a collection, including exfiltrated data and reports.

Important Concept: Exfiltration. Exfiltration copies files of a specific type into a directory in the Evidence Locker. Typically, files of any given type are mixed in with files of other types, arranged in directories that categorize them; for example, documents may have pictures embedded in them. For an investigator, having all files of a similar nature collected together speeds the investigation process.

Simple Collection

The Simple Collection Wizard presents just a single panel of information for the user to adjust and otherwise selects the standard searching criteria that would be useful for the majority of people needing or learning Absolution. The Simple Collection Wizard can be activated by selecting Collection from the Main Menu and then the Simple Collection button. The Simple Scan Wizard dialog box will appear topmost and in the center of the screen for the user to fill out the basic information.
XML Output Directory is the location of the Evidence Locker; it defaults to My Documents\Absolution on the primary drive. This usually does not need changing.

Report Identifier is a name to give the report. This can be anything, such as "Investigation 12356" or "Old Infected Computer". It is for informative purposes only and has no bearing on the results of the investigation.

Operator is the name of the person running the report. This can be any name you like, or even an identification number. It is for tracking purposes only and has no bearing on the results of the investigation.

Scanning Targets are all the locations that are going to be scanned. By default, all of the potential targets are listed. Usually, only one target is selected by an investigator. Each of the default listings refers to a drive, not a directory, so if you prefer to scan a directory rather than a drive, use the Add Target button to select the directory.

Scan this system / Live Investigation means that the computer being examined is the computer Absolution is running on. The registry of the running system will be included in the examination. If the examination is of a device or data removed from a different computer, uncheck this option.

When you are ready to begin, press the "Begin Scan" button.

Advanced Collection

The Advanced Collection Wizard provides a way to select the individual features of Absolution to be included in or excluded from the examination. This can increase or decrease the time necessary to perform the investigation. Although more information could be collected if all the features are turned on, this is not advised: it can increase the duration of the examination dramatically, turning a day or two of investigation into weeks or months. As a general rule, select what you need. The Advanced Collection Wizard can be launched by selecting Collection -> Advanced Collection from the main menu.
Once selected, a dialog box containing the Advanced Scan Wizard will appear topmost and in the center of the screen.

A template is a file that contains the settings from a previous Advanced Collection run. Any time you want to create a template, save it after choosing the settings. When you run the Advanced Collection Wizard again, you can import those settings from this menu. You do not need to import a template to continue. Press "Forward" when ready.

XML Output Directory is the location of the Evidence Locker; it defaults to My Documents\Absolution on the primary drive. This usually does not need changing.

Report Identifier is a name to give the report. This can be anything, such as "Investigation 12356" or "Old Infected Computer". It is for informative purposes only and has no bearing on the results of the investigation.

Operator is the name of the person running the report. This can be any name you like, or even an identification number. It is for tracking purposes only and has no bearing on the results of the investigation.

Scanning Targets are all the locations that are going to be scanned. By default, all of the potential targets are listed. Usually, only one target is selected by an investigator. Each of the default listings refers to a drive, not a directory, so if you prefer to scan a directory rather than a drive, use the Add Target button to select the directory.

"Scan this system / Live Investigation" means that the computer being investigated is the computer running Absolution. This enables features that search the machine currently in use, such as the live registry.

Hash Check Files is a step used to determine which files on the system are publicly known and not content unique to this computer system. This was once considered an important step in forensic investigations but is now optional. The primary reason to use it is to reduce searching time on the host by excluding known files from the search.
Metadata is data that describes information; for example, "Title", "Author", and "Creation Date" are all metadata for a word processor document. This step extracts metadata from the selected document categories.

Live Registry Search means that the registry data on the live computer will be searched. Turn this option off if you are investigating data that came from a different computer. Most forensic investigators will want this option turned off.

Registry Hive Search will extract data from, and use information in, any Windows hive files found during the investigation.

Keyword Search is an important part of tailoring the investigation: it looks for known information that is expected to exist on the system, such as a name, phone number, or whatever else might be crucial. All keywords can be added from this tab. A keyword can also be a simple regular expression.

File Exfiltration means that any time a file of a certain type is discovered, it is copied into the Evidence Locker. Every file in a selected category will be copied. Please note that filenames may be altered in the course of exfiltration; adjustments to filenames are recorded in the exfiltration log file.

Absolution comes with a database of regular expressions that can be used for searching. All files will be searched using the regular expressions enabled from this menu. Be aware that some are required for other investigations to take place; for example, the HTML Header regex must be enabled for the web page scanner to work.

WARNING: Enabling too many regular expressions will greatly harm performance. Use only the regular expressions required for the examination in order to optimize examination performance.

Pressing the Done button causes the system to start collecting immediately.

Collection

The collection is a series of staged examinations and procedures used to narrow down the investigation.
At first, the examination is broad, examining each file and trying to determine basic information about it. Anything that is identified can be sent to the appropriate handler in a later stage to extract more details from the file, alert on the importance of the file, copy the file, or take other appropriate forensic steps. The collection involves the following steps:

- File Scan
- Live Registry Scan (Optional)
- Browser Scan
- Web Page Scan
- Registry Hive Scan (Optional)
- Analysis
- Metadata Extraction
- Exfiltration
- Building Master Index
- Report Generation

File Scan

The File Scan searches all of the files in all of the targets, as shown in the screenshot. The following examinations are performed during the File Scan stage:

- Identification of files by extension, magic bytes, and contents
- Decompression of files for examination
- Search of each file for matching regular expressions
- Finding hash matches for files

Live Registry Scan

The Live Registry Scan performs a regular expression search of all keys accessible in the live registry.

Browser Scan

The Browser Scan attempts to identify any critical files used by web browsers to store web browsing information. This information can include user names, URLs, history, favorites, cookies, and even web page contents.

Web Page Content Scan

The contents of a web page contain clues to the nature of the page; for example, it could be a page from Facebook or Gmail. The Web Page Content Scan searches for web pages that come from known popular web sites. Some information can be retrieved from the structure of some of these sites, such as known contacts, e-mail, etc.

Registry Hive File Scan

Whenever a Windows Registry hive is located on the system, it may be possible to enumerate all of its contents and search them. The Registry Hive File Scan performs a key-by-key examination of all of the hive's contents using the standard searching regular expressions.
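The File Scan stage above, together with the Hash Check, enabled-regular-expression and File Exfiltration options described under Advanced Collection, as one added example. This is illustration code written for this manual in Python, not Absolution's own code (which is C#). It identifies each file by extension and by magic bytes, skips files whose hash is in a known-hash set, runs only the enabled patterns over the remaining files, gives every file and every match a sequential Evidence ID, and then copies the files of selected categories into per-category folders under an Evidence Locker, renaming on name collision and recording each rename in an exfiltration log. The signature table, the two patterns, the category names, the record field names and the sample files are all constructed assumptions.

```python
"""Added example (not Absolution's code): a miniature Collector pipeline.
File Scan  -> identify each file by extension and magic bytes, skip files whose
              hash is publicly known, run the enabled regular expressions over the rest.
Exfiltrate -> copy files of selected categories into per-category folders inside
              the Evidence Locker, renaming on collision and logging every rename.
Signatures, patterns, categories, field names and sample files are constructed."""
import hashlib
import os
import re
import shutil
import tempfile

MAGIC = {b"\xff\xd8\xff": "JPEG", b"\x89PNG\r\n\x1a\n": "PNG", b"%PDF-": "PDF", b"PK\x03\x04": "ZIP"}
EXTENSIONS = {".jpg": "JPEG", ".jpeg": "JPEG", ".png": "PNG", ".pdf": "PDF", ".zip": "ZIP"}
CATEGORY = {"JPEG": "Pictures", "PNG": "Pictures", "PDF": "Documents", "ZIP": "Archives"}
PATTERNS = {  # stand-in for the "Searching Regular Expressions" database (assumed)
    "Email": re.compile(rb"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "US Phone": re.compile(rb"\b\d{3}-\d{3}-\d{4}\b"),
}

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def identify(path, header):
    """Return (by_extension, by_magic, confirmed). Magic bytes win over the extension."""
    by_ext = EXTENSIONS.get(os.path.splitext(path)[1].lower(), "Unknown")
    by_magic = next((t for sig, t in MAGIC.items() if header.startswith(sig)), "Unknown")
    return by_ext, by_magic, by_magic if by_magic != "Unknown" else by_ext

def file_scan(targets, known_hashes, enabled_patterns):
    """Walk every target; return file records and search-match records with sequential Evidence IDs."""
    files, matches, next_id = [], [], 1
    for target in targets:
        for root, _dirs, names in os.walk(target):
            for name in names:
                path = os.path.join(root, name)
                digest = sha256_of(path)
                if digest in known_hashes:      # Hash Check: publicly known content, not unique to this system
                    continue
                with open(path, "rb") as f:
                    data = f.read()
                by_ext, by_magic, confirmed = identify(path, data[:16])
                files.append({"EvidenceId": next_id, "Path": path, "SHA256": digest, "ByExtension": by_ext,
                              "ByMagic": by_magic, "Confirmed": confirmed,
                              "Mismatch": by_ext != by_magic and "Unknown" not in (by_ext, by_magic)})
                next_id += 1
                for pname in enabled_patterns:   # only the enabled regular expressions are run
                    for m in PATTERNS[pname].finditer(data):
                        matches.append({"EvidenceId": next_id, "FileEvidenceId": files[-1]["EvidenceId"],
                                        "Pattern": pname, "Match": m.group(0).decode("latin-1"), "Offset": m.start()})
                        next_id += 1
    return files, matches

def exfiltrate(files, locker, selected_categories):
    """Copy files of the selected categories into <locker>/Exfiltrated/<Category>/ and verify each copy by hash."""
    log = []
    for rec in files:
        category = CATEGORY.get(rec["Confirmed"])
        if category not in selected_categories:
            continue
        dest_dir = os.path.join(locker, "Exfiltrated", category)
        os.makedirs(dest_dir, exist_ok=True)
        stem, ext = os.path.splitext(os.path.basename(rec["Path"]))
        dest, n = os.path.join(dest_dir, stem + ext), 1
        while os.path.exists(dest):          # same name from another directory: rename it, and record that
            dest, n = os.path.join(dest_dir, f"{stem}_{n}{ext}"), n + 1
        shutil.copy2(rec["Path"], dest)      # copy2 keeps the source timestamps on the copy
        log.append({"EvidenceId": rec["EvidenceId"], "Source": rec["Path"], "Destination": dest,
                    "Renamed": os.path.basename(dest) != stem + ext,
                    "CopyVerified": sha256_of(dest) == rec["SHA256"]})
    with open(os.path.join(locker, "exfiltration.log"), "w") as f:
        for e in log:
            f.write(f"{e['EvidenceId']}\t{e['Source']}\t{e['Destination']}\t"
                    f"renamed={e['Renamed']}\tverified={e['CopyVerified']}\n")
    return log

def demo():
    """Constructed target tree: two photos with the same name, a mislabelled PDF, a known vendor file."""
    target, locker = tempfile.mkdtemp(), tempfile.mkdtemp()
    sample = {
        "a/cat.jpg": b"\xff\xd8\xff\xe0 mail alice@example.com",
        "b/cat.jpg": b"\xff\xd8\xff\xe1 call 555-123-4567",
        "invoice.jpg": b"%PDF-1.4 body",            # extension says JPEG, magic bytes say PDF
        "readme.txt": b"standard vendor readme",    # in the known-hash set, so skipped entirely
    }
    for rel, body in sample.items():
        full = os.path.join(target, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(body)
    known = {hashlib.sha256(sample["readme.txt"]).hexdigest()}
    files, matches = file_scan([target], known, ["Email", "US Phone"])
    log = exfiltrate(files, locker, {"Pictures"})
    return files, matches, log

if __name__ == "__main__":
    for entry in demo()[2]:
        print(entry)
```

Run the script directly to see the exfiltration log entries. The hash comparison after each copy is not something the manual describes for Absolution; it is included here because a copy an examiner cannot show to be faithful is of little value as evidence.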
Analysis

Analysis is a catch-all category for the scripts executed by Absolution's internal programming language. The scripts perform a variety of functions, such as performing "final confirmation" of file types, looking for specific registry key entries, and checking system configurations.

Metadata Extraction

Metadata is data that describes the contents of a file, such as who, what, when, and where. The author of a file, for example, is metadata. Metadata is highly useful when trying to determine who authored a file or when. The metadata extraction phase also indexes both data and metadata.

Exfiltrator

In some cases, it is helpful for the examiner to bundle together all files of a specific type for examination, rather than searching for them in individual directories. The Exfiltrator, if instructed to do so, copies the files into their individual category folders inside the Evidence Locker.

Build Master Index

The Master Index is useful for navigation, although it is not itself a forensic examination. All files are cross referenced with the evidence found, such as search matches, and the index is used by the Absolution Investigator for navigation using a directory tree. This simplifies the examination process.

Generating Reports

Absolution generates reports dynamically. The Generating Reports phase attempts to generate all enabled reports. These are stored inside the Evidence Locker. Both an HTML and an XML copy of each report are saved.

Collection Completed

At the end of the investigation, the user is given the options "View Report" and "Open Investigator". If the user selects "View Report", the default web browser is launched on the index page of the report. If "Open Investigator" is selected, the Investigator is opened on the collected Evidence Locker.

Reporter

The purpose of the Reporter is to define and generate reports.
The Reporter can be accessed from the main menu via Tools -> Report Center. The Report Center is navigated by a tree menu of reports located on the left side of the screen. The details of each report are visible on the right side of the screen. Information is not saved until the user specifies that they wish to save the data. If the user navigates away from a screen with changed data, they will be prompted to save or discard the changes.

When a report is selected in the report menu, the details of the report and the options selected appear on the right. A description of each of the options follows.

Report Title

This is a short, single line title of the report. All reports must have a title.

Description

This is a longer description of the report. Good information to include would be what information is collected, any standards the report references, and why it may be important.

Report Data Source

This selects where the information included in the report comes from inside the Evidence Locker.

Key Concept: Report Data Source. All information collected by Absolution is stored in XML files located inside the Evidence Locker. The filenames of these files and the data within them are Report Data Sources. For example, "File Data" is the Report Data Source for all file information collected during the investigation.

Select the data source that you would like to use for your report. If you want to define a new source, select the Define New Source button. Generally speaking, you won't need to define a new data source unless you are actively developing for Absolution. A new Data Source requires a name, a short description, a file name, and an example of the output for the autoschema. This assumes that the person creating the new data source has already seen output from their modification to Absolution and simply wants to import the data structure for the report.
Names. A name must include a * (asterisk) at the point where its iteration value appears. The iteration increases if you perform multiple collections on the same set of data. An example would be "My Data Source.*.xml"; typically the * goes between two periods, before the xml extension. A name may also include a # value if more than one file makes up the data source, which is typical of search data and file data. For example, "File_Data-#.*.xml" would appear as "File_Data-1.1.xml", "File_Data-2.1.xml", "File_Data-3.1.xml", etc.

Fields Included in Report

These are the fields that will be included in the report as table columns. They appear in the order in which they are selected.

Grouping

Grouping bundles the results of all matches for a single column value. For example, these rows:

    Fruit       Grape    Purple
    Vegetable   Carrot   Orange
    Vegetable   Tomato   Red
    Fruit       Orange   Orange

become, when grouped on the first column:

    Fruit       Grape    Purple
                Orange   Orange
    Vegetable   Carrot   Orange
                Tomato   Red

There can be up to three levels of grouping, and yes, we know a tomato is a fruit.

Sorting

Sorting sorts the data in each of the selected columns. Please note that the sort order is first to last in the order in which the columns appear in the Sorting selection.

Filter

Filter allows criteria to be set for what to include in or exclude from the report. For example, if you want only files whose confirmed type is ".JPG" to appear, add a filter specifying that the CONFIRM field must be .JPG for the row to be included in the report.

Limit Row Count

The row limit prints only a fixed number of items, in the order in which they would appear in the report. This is best for "Top 10" lists and the like.

Remove Duplicate Rows

Check this box if you want to ensure that any rows that duplicate other rows are not included. This shows the unique entries in a particular field.
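How the report options above combine, as an added example written for this manual in Python; it is not Absolution's code. It applies Filter, Remove Duplicate Rows, Sorting, Grouping and Limit Row Count to rows of a data source and reproduces the grouping example above. The field names (Type, Name, Color, Path, CONFIRM, Size), the filter operators, and the order in which the options are applied are assumptions chosen to make the descriptions above consistent; the page does not state the tool's real schema or order of operations.

```python
"""Added example (not Absolution's code): applying the Reporter's options to rows of a data source.
Rows are dicts standing in for records of a Report Data Source. Field names, the filter
operators and the order of operations are assumptions, not the tool's real schema."""

OPS = {"==": lambda a, b: a == b, "!=": lambda a, b: a != b, "contains": lambda a, b: b in a}

def build_report(rows, fields, filters=(), remove_duplicates=False, sort_by=(), descending=False,
                 group_by=(), limit=None):
    """Return the report as rows of strings, columns in `fields` order.
    Assumed order of operations: Filter -> Remove Duplicate Rows -> Sorting -> Grouping -> Limit Row Count."""
    if len(group_by) > 3:
        raise ValueError("at most three levels of grouping")
    report = [{f: r.get(f, "") for f in fields} for r in rows]

    # Filter: a row must satisfy every (field, operator, value) criterion to be included.
    for field, op, value in filters:
        report = [r for r in report if OPS[op](r[field], value)]

    # Remove Duplicate Rows: a row identical (over the selected fields) to an earlier one is dropped.
    if remove_duplicates:
        seen, unique = set(), []
        for r in report:
            key = tuple(r[f] for f in fields)
            if key not in seen:
                seen.add(key)
                unique.append(r)
        report = unique

    # Sorting: the first selected column is the primary key, so apply the keys last to first (stable sort).
    for field in reversed(sort_by):
        report.sort(key=lambda r: r[field], reverse=descending)

    # Grouping: rows sharing the grouped value(s) are bundled in order of first appearance, and a
    # value repeated from the previous row is shown only once, on the first row of its bundle.
    if group_by:
        def gkey(r, n):
            return tuple(r[g] for g in group_by[:n])
        first_seen = {}
        for r in report:
            for n in range(1, len(group_by) + 1):
                first_seen.setdefault(gkey(r, n), len(first_seen))
        report.sort(key=lambda r: tuple(first_seen[gkey(r, n)] for n in range(1, len(group_by) + 1)))
        prev = None
        for r in report:
            key = gkey(r, len(group_by))
            for n, g in enumerate(group_by, start=1):
                if prev is not None and key[:n] == prev[:n]:
                    r[g] = ""
            prev = key

    # Limit Row Count: keep only the first N rows as they would appear (for "Top 10" style reports).
    if limit is not None:
        report = report[:limit]
    return [[str(r[f]) for f in fields] for r in report]

# Constructed sample data: the manual's grouping example, and a few file records with a CONFIRM field.
PRODUCE = [
    {"Type": "Fruit", "Name": "Grape", "Color": "Purple"},
    {"Type": "Vegetable", "Name": "Carrot", "Color": "Orange"},
    {"Type": "Vegetable", "Name": "Tomato", "Color": "Red"},
    {"Type": "Fruit", "Name": "Orange", "Color": "Orange"},
]
FILES = [
    {"Path": r"C:\Users\a\photo.jpg", "CONFIRM": ".JPG", "Size": 1024},
    {"Path": r"C:\Users\a\notes.txt", "CONFIRM": ".TXT", "Size": 12},
    {"Path": r"C:\Users\b\invoice.jpg", "CONFIRM": ".PDF", "Size": 900},  # extension lied; CONFIRM is the real type
    {"Path": r"C:\Users\a\photo.jpg", "CONFIRM": ".JPG", "Size": 1024},   # duplicate record
    {"Path": r"C:\Users\c\holiday.jpg", "CONFIRM": ".JPG", "Size": 4096},
]

def demo():
    return {
        "grouped": build_report(PRODUCE, ["Type", "Name", "Color"], group_by=["Type"]),
        "sorted": build_report(PRODUCE, ["Type", "Name"], sort_by=["Type", "Name"]),
        "jpg_only": build_report(FILES, ["Path", "CONFIRM"], filters=[("CONFIRM", "==", ".JPG")],
                                 remove_duplicates=True),
        "top2": build_report(FILES, ["Path", "Size"], sort_by=["Size"], descending=True, limit=2),
    }

if __name__ == "__main__":
    for name, rows in demo().items():
        print(name)
        for row in rows:
            print("   ", " | ".join(row))
```

Note that the filter in "jpg_only" is on CONFIRM, the type established from the file's contents, not on the extension; the invoice.jpg record is excluded because the scan confirmed it as a PDF.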
Reports

Reports are in HTML format and come in different types:

- Index
- Generated Reports
- Failed Reports
- Collection Log

Report Index

The Report Index is a general report that provides hyperlinks to all the reports generated for the collection; they are located inside the Evidence Locker.

Generated Reports

All Generated Reports are tabular in structure and appear as an individual HTML file as well as a data set in XML.

Failed Reports Report

The Failed Reports Report lists all reports that were not shown in the Index. This is usually because no data was available, but there may be other reasons.

Investigation Log Report

The Investigation Log is an HTML conversion of a flat text file used to hold the error messages generated by Absolution during the collection.

Important Concept: Logging Errors. Absolution expects to encounter errors and to be talkative about them, rather than expecting to be error free or staying silent when some event fails. Investigations of raw data will encounter files that misbehave, are broken, or look like different kinds of data. Absolution is designed to "fail noisy" and let the investigator examine the error logs for potential areas of concern.

Investigator

The Absolution Investigator is a set of tools that help search an Evidence Locker for relevant details. A standard collection may generate an Evidence Locker containing gigabytes of results, still far too much for an investigator to use by reading the raw output. The Investigation Tool can be launched from the Absolution main menu by selecting Tools -> Investigation Tool.

An empty Investigator screen will appear. If the Investigator does not currently have an active Evidence Locker selected, it offers a very limited number of options. Before describing how to select an Evidence Locker, this manual briefly describes the components of the Investigator.
Panel Overview

The Investigator consists of three main panels, each working in conjunction with the others:

- Navigation Panel
- Display Panel
- Case Panel

The Investigator panels are arranged by workflow: the far LEFT panel refers to larger quantities of general data; the MIDDLE panel has the information narrowed down to a specific entry, table, or display item; and the far RIGHT panel contains information that was dragged and dropped from the middle panel because the examiner considers it important.

The Display Panel may be a single display panel or a SPLIT SCREEN panel. The split screen panel consists of the Data Table and the Record Table. The Data Table shows the data selected from the raw data as if it were in a spreadsheet. The Record Table shows the details of any row selected in the Data Table.

The panels can be hidden using options under the View menu.

Opening an Evidence Locker

If an Evidence Locker is available, it can be opened by selecting File -> Open Locker. A dialog box appears that lists all available Evidence Lockers that can be used by the Investigator. Double clicking any locker, or selecting the locker and then the OK button, opens the locker.

Navigation Panel

The Navigation Panel is a set of tabs that each present a high level view of the data in the Evidence Locker. The navigation tabs are:

- Search
- Timeline
- Master Index
- Reporting
- Raw Data

Search Tab

The Search Tab allows simple search terms to be used to locate critical information that has been collected from documents and metadata. The user types the terms to search for in the text box at the top of the tab and presses the search button (which looks like a magnifying glass) to the right of the text box. The results appear in the table beneath the text box. The rank of each result appears in the leftmost column, with the score for the search in the column directly to its right.
Selecting any of the items displays, in the Display Panel, the information where the data was found. Search terms are highlighted by color.

Timeline Tab

The Timeline Tab displays a UTC time-based index of collected data, based on timestamps. The information is displayed directly in the Record Panel.

Please note: Absolution's ability to properly construct a timeline depends on the accuracy of the time data it collects. It does not necessarily have any awareness of time zones when processing data, so the investigator must account for the possibility that the times are inaccurate.

Master Index

The Master Index is a useful tool for visualizing where important information was discovered in the file system being examined. The navigation tool looks like a directory tree, but any file that has matches or connections to other evidence can be expanded to see references to the collected evidence. This is helpful when a single piece of evidence was noticed for a file but there may be more evidence connected to that file that was not present on the report, index, or search that originally found it. The Master Index ties together discovered evidence and specific files. The Master Index only displays evidence in the Record Table.

Reporting

All data generated by the Reporting system is stored in XML format that can be used by the Investigator. This panel provides shortcuts to the files. Selecting any of the items in the list causes the table to be viewed in the Data Table. Although limited, report data is an excellent place to start an investigation if the examiner is looking for general information and trying to determine whether anything is amiss.

Please note: any report that does not contain an EvidenceId field cannot have its data dragged and dropped into the Case Manager in the Case Panel.
Raw Data

The Absolution Collector generates data in a form referred to as Raw Data, meaning that it is collected as the program progresses and left in the Evidence Locker in this unprocessed state. For example, all search matches are contained in the FileSearchMatches files; a report, however, may select only the entries that refer to HTML documents. The Raw Data is complete, and therefore of great value to forensic examiners: information may be present that does not appear in any report.

Please note: Raw Data should be associated with a Data Source, although this is not always the case. If a forensic examiner creates their own scripts to store data but does not define a Data Source, the new data files will still appear in the Raw Data.

Case Manager

Evidence ID Finder

All evidence is tagged with a unique ID number, which may be referenced by one or more entries within the Evidence Locker. The Evidence ID Finder can locate all instances of a particular Evidence ID number within all Data Sources. It can be launched by selecting Tools -> Evidence ID Finder from the main menu.

Important Concept: Evidence ID Numbers. All records collected by Absolution are tagged with a unique identifier called the Evidence ID number.

Database Manager

The Database Manager is a special tool used to manage the contents of the XML databases included with Absolution. Generally speaking, a regular user would not need to modify the databases, but there are some activities, such as adding new regular expressions for searching, where modifying the databases is useful. Because the data stored in Absolution is not a traditional database but a text file structured as XML, manipulating the data inside can be a bit challenging. This is why the Database Manager exists. The Database Manager can be accessed from the main menu by selecting Tools -> Database Manager.
By default, the Database Manager provides a list of the databases that are standard for Absolution. Activating any item in the list will pull up that database. The File menu allows any other XML file located on the system to be opened. The databases distributed by default are:

Registry Privacy Database
Configuration
Searching Regular Expressions
Web Page Patterns
Report Sources

Registry Privacy Database

The Registry Privacy Database contains information about selected registry keys that, if they exist and can be accessed, contain security- or privacy-critical information.

Configuration

The Configuration Database is a general data store for Absolution’s configuration.

Searching Regular Expressions

The Searching Database contains the regular expressions that are used to search all of the files on the collection target.

Web Page Patterns

The Web Page Patterns database contains regular expressions used to identify specific kinds of web pages.

Report Sources

The Report Sources database contains the current set of Report Sources for use by the Reporting System. Report Sources are files that contain data obtained during the collection.

Modifying Databases

A database may be modified by clicking in any cell and changing its contents. A cell must be exited for the change to its contents to take effect. When finished, the user must select File -> Save from the main menu in order to write the file.

Update Tool

Absolution contains an update tool that can update “soft code” and databases, such as scripts and the standard database set, to the most recent versions. To perform an update, select Help -> Check for Updates.

Absolution will contact one of the update sites, typically http://absolution.sourceforge.net/, and request a copy of the latest manifests to determine whether an update is required. If so, it will begin downloading all of the needed updates.
As part of the update process, Absolution will download the current NSRL hash database (this can be larger than a gigabyte of data). A progress bar shows the state of the download. The download has resume support, so the user may cancel it and continue later.

Appendix A: Report Data Sources

Source | Filename | Description
Cookies | Cookies.*.xml | Collected cookies from all identified web browsers.
Critical Events | Log Entries.*.xml | Critical events as identified from log and event files.
Exfiltrated Files | Exfiltration List.*.xml | List of all exfiltrated files and their new filenames.
File Data | File_Data-#.*.xml | Information about all files discovered during the collection.
File Search Matches | FileSearchMatches-#.*.xml | All search matches found in files.
Hardware and Performance | Hardware and Performance.*.xml | Hardware and performance information.
Hash Matches | Hashmatched.*.xml | All files that have been successfully hash matched.
Hive Scan Matches | HiveFileRegistryScanMatches.*.xml | All search matches for keys found in hive files.
HTML File List | Html_list.*.xml | All files that contain HTML headers.
Identified Web Pages | Identified_pages.*.xml | All web pages that have been identified as being associated with a particular web site.
Interesting Facts | InterestingFacts.*.xml | Out-of-band information that highlights an interesting fact the investigator will probably want to know about.
Metadata | Metadata.*.xml | Extracted metadata from documents, images, e-mail, multimedia, etc.
Most Recently Used | Recently Used.*.xml | Most Recently Used lists collected from files or registry key entries.
Operating System | System Information.*.xml | Information about the operating system that produced these files, or that is running on the system doing the collection (if scanning itself).
Partition Information | Partition.*.xml | Information about the partition of the drive being searched (if a full drive is selected).
Password Search | Password References.*.xml | Any password reference on the system.
Registry Access Denied | Registry_accessdenied.*.xml | All registry keys that rejected being examined.
Registry Scan Matches | LiveRegistryScanMatches.*.xml | All search matches that were discovered in live registry keys (if scanning itself).
Search Engines | Search Engines.*.xml | All URL entries that pertain to search engines.
Security Account Manager | SAM.*.xml | If a SAM file is encountered during the investigation, this file contains the information extracted from it.
URL Summary | URL Summary.*.xml | A summary of all URLs discovered on the system from any source.

Appendix B: Script Language Specification

Absolution uses a primitive-based language whose structure is similar to BASIC or assembly language, for those who know either. It was not meant to be robust, simply good enough for performing investigations within a sandbox. The primary design goal of this language is to prevent the data being examined from controlling the execution of Absolution (i.e., compromising the host) during the collection phase.

Primitives

Each line may consist of either a comment or a single command. Comments always begin with the hash (#) symbol.

Comment example:
# This is a comment

Command example:
Log “Log is this command”

Commands:
are a single word or string of characters without whitespace;
may have any amount of whitespace before them;
may have zero or more arguments.

Data Types

The basic data types are:

String
Integer
Dynamic
List of Strings

Important Concept: Dynamic. This is a special structure: a tree node made of strings and other dynamics. It looks like the standard allowable XML data structure, except that it is represented as an internal data object. This may sound confusing at first, but the idea is that it allows for interaction with XML data.

Variables

All variables in the language are pre-named and predefined. The programmer cannot create any more than those that are defined.
This is intentionally limiting, although there should be more than enough to create a full-featured examination.

Variable Type | Internal Variable Names
Strings | A, B, C, D, Result, Comparator
Integers | W, X, Y, Z
Dynamics | Query1, Query2, Query3, Query4, dyn1, dyn2, dyn3, dyn4
Lists of Strings | List1, list2, list3, list4

Labels

A single string followed by a “:” forms a label. A label can be used by the GOTO command to jump to that section of code.

Appendix C: Language Primitives

Primitive | Syntax | Description
Add | Add int int; Add list string; Add dynamic string string | Adds numbers, adds a string to a list, or adds a property to a dynamic value.
Append | Append list string | Appends a string to a list.
Charat | Charat string string value | Returns the character in a string located at a number value.
Clear | Clear | Clears all variables and flags.
Combine | |
Compare | Compare any any | Compares two variables.
Concat | Concat string string | Concatenates two or more strings together.
Constant | Constant string constant | Copies the value of a constant to a specified string.
Contains | Contains string string | Sets the comparator to true if string is in string.
Copy | Copy any any | Copies values from one variable to another.
Count | Count list; Count dynamic; Count string | Counts the number of items in the specified variable.
Divide | Divide value value value | Puts the result of dividing the second value by the third value into the first value.
Endfor | Endfor | Marks the end of the for loop.
Endif | Endif | Marks the end of the if condition.
EndSection | EndSection | Declares the end of a section, so any errors in the previous code will jump to this point.
EndWhile | EndWhile | Marks the end of the while loop.
Exists | Exists string | Checks for the existence of the file named in string.
FindNode | FindNode dynamic string; FindNode dynamic value | Finds a node in a dynamic query matching the string or array value.
Filenamer | Filenamer string string | Acquires a generalized filename from the reference string and puts it in string.
For | For | For loop.
Format | |
Goto | Goto label | Jumps to a user-defined label.
If | If true; If false | Executes code depending on the state of the comparator.
Instring | Instring string string | Sets the comparator to true if string is inside of string.
IsLetter | IsLetter string | If the first character in string is a letter, sets the comparator to true.
IsNumber | IsNumber string | If the first character in string is a number, sets the comparator to true.
IsSymbol | IsSymbol string | If the first character in string is a symbol, sets the comparator to true.
IsWhiteSpace | IsWhiteSpace string | If the first character in string is whitespace, sets the comparator to true.
Load | Load dynamic string | Loads a dynamic with XML data from the filename in string.
Log | Log string string | Records a log entry with the contents of string under the subsystem name string.
Multiply | Multiply value value | Multiplies the first value by the second value.
Replace | Replace string string string | Replaces occurrences of string in string with string.
Rot13 | Rot13 string string | Performs ROT13 on the specified string.
Run | Run string | Runs the script with the provided filename.
RunIf | RunIf string | If the comparator is set to true, runs the program.
Save | Save dynamic string | Saves the dynamic (query) into the specified filename.
Search | SearchFilesForType |
Set | Set any any | Sets a variable to a specified value.
ShowState | ShowState | Dumps the interpreter state to the log file.
Sort | Sort list | Sorts the elements in a list.
Split | Split list string string | Splits a string into a list of strings by the separator string.
Status | Status string | Changes the display status label to the specified string.
Stop | Stop | Stops execution of the current script.
SubString | Substring string string value; Substring string string value value | Extracts a substring of a string starting at value, or between value and value.
Subtract | Subtract value value | Subtracts the second value from the first value.
UrlDetails | UrlDetails dynamic string | Extracts details from a URL contained in string.
While | While | Repeats as long as the comparator is true.
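As an added illustration of the script model in Appendix B and of the primitives Constant, Set, Contains, If/Endif, Goto and Log from Appendix C, the Python below is a small interpreter for that subset; it is not Absolution's own interpreter. It keeps only the pre-named string variables, recognises labels ending in “:” and drives If with a Comparator flag; the exact semantics of each primitive, straight quotes around constants, the If/Endif block form, modelling Comparator as a boolean and the step bound are all assumptions.

```python
import re

def lookup(tok, vars_):
    # Only the pre-named variables exist; any other name is a script error.
    if tok not in vars_:
        raise ValueError(f"no such variable {tok!r}")
    return tok

def value_of(tok, vars_):
    # A quoted token is a literal; anything else must be a pre-named variable.
    return tok[1:-1] if tok.startswith('"') else vars_[lookup(tok, vars_)]

def run_script(source, max_steps=10_000):
    # Returns (variables, log); examined data only ever lands in a variable.
    vars_ = dict.fromkeys(("A", "B", "C", "D", "Result"), "")   # Appendix B string set
    comparator, skipping, log = False, False, []
    lines = [ln.strip() for ln in source.splitlines()]
    labels = {ln[:-1]: i for i, ln in enumerate(lines) if re.fullmatch(r"\w+:", ln)}
    pc = steps = 0
    while pc < len(lines) and steps < max_steps:     # step bound: a Goto cycle cannot hang
        line, pc, steps = lines[pc], pc + 1, steps + 1
        if not line or line.startswith("#") or line.endswith(":") and line[:-1] in labels:
            continue                                  # blank, comment or label line
        cmd, *args = re.findall(r'"[^"]*"|\S+', line)
        if cmd == "Endif":
            skipping = False
        elif skipping:
            continue                                  # body of an If that did not match
        elif cmd == "If":                             # If true / If false tests the Comparator
            skipping = comparator != (args[0] == "true")
        elif cmd in ("Constant", "Set"):              # Constant string constant / Set any any
            vars_[lookup(args[0], vars_)] = value_of(args[1], vars_)
        elif cmd == "Contains":                       # Comparator = second string in first
            comparator = value_of(args[1], vars_) in value_of(args[0], vars_)
        elif cmd == "Log":                            # Log string string: subsystem, message
            log.append((value_of(args[0], vars_), value_of(args[1], vars_)))
        elif cmd == "Goto":
            pc = labels[args[0]]
        else:
            raise ValueError(f"unknown primitive {cmd!r}")
    return vars_, log
# Constructed sample: B holds examined data that happens to look like a command.
SAMPLE = '''Constant A "GET / Host: example.test"
Constant B "Goto done"
Contains A "Host:"
If false
Goto done
Endif
Log "data" B
done:'''
```

Running SAMPLE leaves the text “Goto done” in B and logs it verbatim; because the interpreter only ever dispatches on the script's own lines and the variable set is fixed, evidence text can be stored and compared but never becomes a command, a label or a new variable.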