Processing PST files with Open Source / Freeware Tools
OSIT In-Person Fall Meeting – October 3, 2018
NOTE: Opinions and views on products, services and/or resources expressed in this presentation are mine alone and do not necessarily reflect the views of my employer.
Goals
- Describe two open source / freeware tools that can be used to process PST files
- Stress the importance of automation
- Not waste your time
Origin of Presentation
- Didn't want to be a lurker
- Original idea for a topic didn't pan out
- Looked at my personal pain points for inspiration
- As always... looked for ways to automate away the pain
Data Exfil via Email
- Very common
- Costly analysis options: EnCase, Intella, Axiom, Nuix, etc.
- Expensive tools that don't lend themselves to workflow automation
- Free is good – especially as a backup
- Dongles break
- Dongle servers go down... right when you have a high-priority case
Poll Time
- What commercial tools are used to process PST files within the community?
  - EnCase
  - Nuix
  - Axiom
  - Intella
  - Others?
PST Files
- Many large corporations use Microsoft Outlook as their email client
- Outlook stores email in PST files
- From Wikipedia: Personal Storage Table (.pst) is an open proprietary file format used to store copies of messages, calendar events, and other items within Microsoft software such as Microsoft Exchange Client, Windows Messaging, and Microsoft Outlook. The open format is controlled by Microsoft who provide free specifications and free irrevocable technology licensing.
- Office365 -> PST files reside in the cloud and must be pulled down to review
- Live systems will have OST files
M57 Jean Scenario
- Naval Postgraduate School disk image
- Data exfil scenario
- Corporate information is found on a competitor's website
- The email with that information was sent from Jean@m57.biz to Alison@m57.biz
- The spreadsheet containing this information was m57biz.xls
- Full disk image is provided
Option 1: Autopsy
- Freeware forensics tool from Basis Technology
- Brian Carrier literally wrote the book on file system forensics
- Autopsy has been around since 2000
- It keeps getting updated and improved
Autopsy – additional info
- Utilizes hash sets – custom and NSRL
- Basis Technology is very responsive to user input / questions
- Has a timeline feature
- Full text indexing
- Scriptable – write your own module or leverage the generosity of the open source community
  - https://wiki.sleuthkit.org/index.php?title=Autopsy_3rd_Party_Modules
  - https://github.com/markmckinnon/Autopsy-Plugins
Audience Poll
- Raise your hand if you love Linux
Free is GOOD!
(readpst(1) man page excerpt)
Name
    readpst - convert PST (MS Outlook Personal Folders) files to mbox and other formats
Synopsis
    readpst [-D] [-M] [-S] [-V] [-b] [-c format] [-d debug-file] [-e] [-h] [-j jobs] [-k] [-o output-directory] [-q] [-r] [-t output-type-codes] [-u] [-w] pstfile
Description
    readpst is a program that can read an Outlook PST (Personal Folders) file and convert it into an mbox file, a format suitable for KMail, a recursive mbox structure, or separate emails.
Copyright
    Copyright © 2002 by David Smith <dave.s@earthcorp.com>. XML version Copyright © 2008 by 510 Software Group <carl@five-ten-sg.com>.
    This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2, or (at your option) any later version.
Example command to run readpst
- readpst -o ~/ArchivedMessages -D -j 4 -r -tea -u -w -M -e ./Outlook.pst
MantaRay
- Set of Python modules that automate a number of open source forensic tools
- Written and designed by forensic analysts (KISS)
- Allows the examiner to select multiple tools, set options for each, click go and walk away
- Designed to work with SIFT 3.0
- Code is on GitHub: https://github.com/mantarayforensics
Triage Steps Automated by MantaRay
- PST processing (NEW)
- Creating a super timeline
- Running bulk_extractor
- Extracting registry hives and running RegRipper
- Extracting EXIF data
- Carving unallocated space
- Scanning for high-entropy files
- Reviewing RAM using Volatility
- Extracting GPS data from JPEGs and creating a .KML file
- Extracting Jumplist data
- Extracting NTFS system files
- Processing user-selected .plist files
- Performing static malware analysis (SIFT + REMnux)
- Anti-virus scanning
Workflow Tweaks
- MantaRay bucketizes all the sent emails, but you still have to work through the emails to find the one you want
- Option 1 – load the emails from the bucket of interest into Autopsy as a folder; once they are processed you can do a keyword search
- Option 2 – use the power of Linux (grep -nr 'm57biz.xls')
Extending the PST Processor module
- Add the capability to automatically search the bucketized folders for keywords
- Write a script that watches a folder: when a config file containing the path to the PST and the emails of interest is dropped in, the script runs and automatically processes the PST
- Sample code: http://timgolden.me.uk/python/win32_how_do_i/watch_directory_for_changes.html
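The automation sketched on the last two slides, pulled together as an added example in Python: a config file dropped into a watched folder names the PST and the addresses and keywords of interest, readpst is run with the options from the earlier "Example command" slide, and the per-message output is then searched for hits (the scripted equivalent of the grep step on the Workflow Tweaks slide). This is not MantaRay's code or the presenter's; the JSON config schema, the folder names and the function names are assumptions, and `run_demo()` substitutes a stub for readpst and two constructed messages modelled on the M57 scenario so the pipeline runs offline.

```python
# Added example (not MantaRay's or the presenter's code): a drop-folder runner for
# PST triage. A JSON config dropped into the watched folder names the PST and the
# addresses/keywords of interest; readpst is run with the slide's options and the
# resulting .eml files are searched. Assumed: readpst on PATH; config schema is ours.
import json, subprocess, tempfile
from email import policy
from email.parser import BytesParser
from pathlib import Path


def build_readpst_command(pst_path, out_dir, jobs=4):
    """The slide's readpst line as an argv list (no shell): -r recursive folder tree,
    -M -e one .eml per message, -D include deleted items, -j parallel jobs."""
    return ["readpst", "-o", str(out_dir), "-D", "-j", str(jobs),
            "-r", "-tea", "-u", "-w", "-M", "-e", str(pst_path)]


def load_config(cfg_path):
    """Hypothetical schema: {"pst": path, "addresses": [...], "keywords": [...]}."""
    cfg = json.loads(Path(cfg_path).read_text())
    if not Path(cfg["pst"]).is_file():
        raise FileNotFoundError(f"PST not found: {cfg['pst']}")
    return {"pst": Path(cfg["pst"]), "addresses": [a.lower() for a in cfg.get("addresses", [])],
            "keywords": [k.lower() for k in cfg.get("keywords", [])]}


def message_hits(eml_path, addresses, keywords):
    """Why one .eml matches (address in From/To/Cc, keyword in subject, body or
    attachment name), or [] if it does not."""
    with open(eml_path, "rb") as fh:
        msg = BytesParser(policy=policy.default).parse(fh)
    headers = " ".join(msg.get(h, "") for h in ("From", "To", "Cc")).lower()
    reasons = [f"address:{a}" for a in addresses if a in headers]
    body = msg.get_body(preferencelist=("plain", "html"))
    haystack = (msg.get("Subject", "") + " " + (body.get_content() if body else "")).lower()
    for part in msg.iter_attachments():  # exfiltrated files travel as attachments
        haystack += " " + (part.get_filename() or "").lower()
    return reasons + [f"keyword:{k}" for k in keywords if k in haystack]


def search_output(out_dir, addresses, keywords):
    """(relative path, reasons) for every matching .eml under the readpst output tree."""
    return [(str(p.relative_to(out_dir)), r) for p in sorted(Path(out_dir).rglob("*.eml"))
            if (r := message_hits(p, addresses, keywords))]


def process_config(cfg_path, case_root, runner=subprocess.run):
    """One job end to end: config -> readpst -> search -> hits."""
    cfg = load_config(cfg_path)
    out_dir = Path(case_root) / cfg["pst"].stem
    out_dir.mkdir(parents=True, exist_ok=True)
    runner(build_readpst_command(cfg["pst"], out_dir), check=True)
    return search_output(out_dir, cfg["addresses"], cfg["keywords"])


def poll_once(watch_dir, case_root, runner=subprocess.run):
    """Handle every *.json in watch_dir, renaming each to *.done so it is not re-run;
    a watcher loop (or an inotify callback) would call this repeatedly."""
    results = {}
    for cfg_path in sorted(Path(watch_dir).glob("*.json")):
        results[cfg_path.name] = process_config(cfg_path, case_root, runner)
        cfg_path.rename(cfg_path.with_suffix(".done"))
    return results


# Constructed sample messages modelled on the M57 Jean scenario (not real case data).
SENT_MAIL = b"""From: Jean <jean@m57.biz>
To: Alison <alison@m57.biz>
Subject: Background on the company
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Here is the spreadsheet you asked for.
--b1
Content-Type: application/vnd.ms-excel; name="m57biz.xls"
Content-Disposition: attachment; filename="m57biz.xls"

AAAA
--b1--
"""
NOISE_MAIL = b"From: hr@m57.biz\nTo: everyone@m57.biz\nSubject: Lunch\n\nPizza on Friday.\n"


def fake_readpst(cmd, **kwargs):
    """Offline stand-in for readpst, used only by run_demo(): writes the two samples
    where readpst -r -M -e would put them."""
    sent = Path(cmd[cmd.index("-o") + 1]) / "Sent Items"
    sent.mkdir(parents=True, exist_ok=True)
    (sent / "1.eml").write_bytes(SENT_MAIL)
    (sent / "2.eml").write_bytes(NOISE_MAIL)


def run_demo():
    """Run the pipeline on constructed data in a temp dir; returns poll_once()'s result."""
    root = Path(tempfile.mkdtemp(prefix="psttriage-"))
    for sub in ("drop", "cases"):
        (root / sub).mkdir()
    (root / "Outlook.pst").write_bytes(b"")  # empty placeholder standing in for a real PST
    (root / "drop" / "case001.json").write_text(json.dumps({"pst": str(root / "Outlook.pst"),
        "addresses": ["jean@m57.biz", "alison@m57.biz"], "keywords": ["m57biz.xls"]}))
    return poll_once(root / "drop", root / "cases", runner=fake_readpst)
```

With a real PST, drop the stub: `poll_once("/cases/drop", "/cases/out")` runs readpst itself, and because the command is passed as an argument list rather than a shell string, a hostile filename in the config cannot inject extra commands. Matching on attachment names as well as body text is what catches the m57biz.xls case, where the keyword never appears in the message text.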
MantaRay & SIFT
- Getting SIFT updated with all the tools that MantaRay calls can be difficult... at least for me
- I have a fully built out VM on Google Drive
- Shoot me an email and I will send you the link
Contact Info
- Dougkoster@hotmail.com
- LinkedIn: https://www.linkedin.com/in/dougkoster/