
Feature request - Add ZimmermanTools to the SIFT #602

Open
mark-hallman opened this issue Jul 17, 2023 · 20 comments

Comments

@mark-hallman

This is a pretty simple install with just one prereq, .Net6.

  1. Install DotNet6
  2. Add the aliases provided below to the user's aliases
  3. create /opt/zimmermantools
  4. Download Get-ZimmermanTools.zip from here
  5. Unzip Get-ZimmermanTools.zip and copy Get-ZimmermanTools.ps1 to /opt/zimmermantools
  6. Run Get-ZimmermanTools, which is an alias for 'cd $ZIMMERMAN_HOME && powershell $ZIMMERMAN_HOME/Get-ZimmermanTools.ps1'. All the ZimmermanTools will be downloaded, and the tools can be run with the aliases provided. The aliases provide the same experience that one would see in a Windows environment.

zimmermantools_linx_aliases.txt

@digitalsleuth

Hi @mark-hallman , sounds interesting. I'll see if I can take a look at it tonight and see how it goes!

@mpilking

Zimmerman tools would be a nice addition. We did it manually for FOR508. One thing to consider including is a set of aliases to make it easier to run the commands (so you can just run mftecmd -f $MFT for example). Here are the aliases we set up:

# add aliases in /etc so they apply to both root and sansforensics users:

alias amcacheparser='dotnet /opt/zimmermantools/AmcacheParser.dll'
alias AmcacheParser='dotnet /opt/zimmermantools/AmcacheParser.dll'
alias appcompatcacheparser='dotnet /opt/zimmermantools/AppCompatCacheParser.dll'
alias AppCompatCacheParser='dotnet /opt/zimmermantools/AppCompatCacheParser.dll'
alias bstrings='dotnet /opt/zimmermantools/bstrings.dll'
alias iisGeolocate='dotnet /opt/zimmermantools/iisGeolocate.dll'
alias iisgeolocate='dotnet /opt/zimmermantools/iisGeolocate.dll'
alias jlecmd='dotnet /opt/zimmermantools/JLECmd.dll'
alias JLECmd='dotnet /opt/zimmermantools/JLECmd.dll'
alias lecmd='dotnet /opt/zimmermantools/LECmd.dll'
alias LECmd='dotnet /opt/zimmermantools/LECmd.dll'
alias mftecmd='dotnet /opt/zimmermantools/MFTECmd.dll'
alias MFTECmd='dotnet /opt/zimmermantools/MFTECmd.dll'
alias pecmd='dotnet /opt/zimmermantools/PECmd.dll'
alias PECmd='dotnet /opt/zimmermantools/PECmd.dll'
alias rbcmd='dotnet /opt/zimmermantools/RBCmd.dll'
alias RBCmd='dotnet /opt/zimmermantools/RBCmd.dll'
alias recentfilecacheparser='dotnet /opt/zimmermantools/RecentFileCacheParser.dll'
alias RecentFileCacheParser='dotnet /opt/zimmermantools/RecentFileCacheParser.dll'
alias rla='dotnet /opt/zimmermantools/rla.dll'
alias sbecmd='dotnet /opt/zimmermantools/SBECmd.dll'
alias SBECmd='dotnet /opt/zimmermantools/SBECmd.dll'
alias srumecmd='dotnet /opt/zimmermantools/SrumECmd.dll'
alias SrumECmd='dotnet /opt/zimmermantools/SrumECmd.dll'
alias sumecmd='dotnet /opt/zimmermantools/SumECmd.dll'
alias SumECmd='dotnet /opt/zimmermantools/SumECmd.dll'
alias wxtcmd='dotnet /opt/zimmermantools/WxTCmd.dll'
alias WxTCmd='dotnet /opt/zimmermantools/WxTCmd.dll'
alias sqlecmd='dotnet /opt/zimmermantools/SQLECmd/SQLECmd.dll'
alias SQLECmd='dotnet /opt/zimmermantools/SQLECmd/SQLECmd.dll'
alias recmd='dotnet /opt/zimmermantools/RECmd/RECmd.dll'
alias RECmd='dotnet /opt/zimmermantools/RECmd/RECmd.dll'
alias evtxecmd='dotnet /opt/zimmermantools/EvtxeCmd/EvtxECmd.dll'
alias EvtxECmd='dotnet /opt/zimmermantools/EvtxeCmd/EvtxECmd.dll'

@digitalsleuth

Looks good, I'll use and test these, no sense reinventing the wheel :)

@digitalsleuth

So there will need to be a couple of changes, but this can work. The changes I'll need to make are:

  • The iisGeolocate path is in a subfolder, also called iisGeolocate.
  • Neither PECmd nor SumECmd will work in a Linux environment because (as stated by these tools): "Non-Windows platforms not supported due to the need to load decompression specific Windows libraries! Exiting..."

Other than that, everything should work fine. @mpilking or @mark-hallman , do either of you have known-good artifacts I can use to test each of these tools to ensure that these work prior to rolling out?

@mark-hallman
Author

Use the aliases file that I included in my 1st post. They are Mike's aliases from 508, but they have been updated to use an environment variable, $ZIMMERMAN_HOME, to make it easier to change the install location. The most important change is that the path in the aliases has been updated to include "zimmermantools/net6". This is required to use Eric's script to update the tools. These tools are updated often. If you use the steps I included, the installer will do all these things. I think it is easier to reinstall the tools using the Get-ZimmermanTools alias that I added to the alias file than to try and add the net6 dir and move the files.

Happy to answer any questions etc and to test.

I checked out the issues with PECmd and SumECmd. The error message you included makes sense; modern prefetch files are compressed.

@mark-hallman
Author

Aliases file updated for iisGeolocate sub-dir.
zimmermantools_linx_aliases.txt

I confirmed that PECmd and SumECmd do have issues running in a non-Windows env. I'll reach out to Eric and see if he has a solution or if that is just how it is. If PECmd doesn't work, that's a real bummer, but happy to take what we can get.

@mark-hallman
Author

One more for the "does not work on a non-Windows OS" list: SumECmd.

I'm wondering how to deal with this. We probably want to remove the aliases for these three. Even if we remove the exe and dll for those three, the next time that an update is run, they will get repopulated. I feel that if someone is smart enough to figure out how to run those specific tools without the alias, they should be able to deal with the messages that are returned.

Thoughts?

@mark-hallman
Author

Never mind the last comment about adding SumECmd, you already had it. So there are only two tools that don't work at this point.

@digitalsleuth

State is complete, final testing underway. I've opted for using the "wrapper" method vice the "alias" method, whereby a short bash script will be created in /usr/local/bin for each tool (mixed-case like the normal file and lower-case like in the aliases), instead of the aliases. The script is essentially:

#!/bin/bash
# "$@" forwards each argument with its quoting intact; ${*} would merge them into one string
dotnet /opt/zimmermantools/{{ tool }}.dll "$@"

The reasoning behind this is that, when writing to a universal /etc/ aliases file (eg /etc/profile.d/10-aliases.sh or the like), it could become more challenging to update / modify the alias should something change, and it avoids collision with an existing aliases file if the user is installing SIFT alongside another tool-set in the same VM, or if the user has already customized their aliases files.

This method will also make the tools available to the root user, and other new users down the road, without additional modification of the aliases file.

If you believe the aliases method is a better option, please let me know! I'm all about making sure we get the best product in the end. :)
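A generator for the wrapper method described above, written as an added example (it is not the SIFT state and not any participant's code). It assumes the DLLs sit directly under the install root or one folder deep (e.g. RECmd/RECmd.dll), skips the tools this thread reports as refusing to run on Linux, and takes the install root and target bin directory as parameters so it can be exercised against a scratch directory before being pointed at /opt/zimmermantools and /usr/local/bin.

```shell
# Tools the thread reports as not running on Linux; no wrapper is generated
# for them so nobody is handed a command that can only print an error.
LINUX_UNSUPPORTED="PECmd SumECmd SrumECmd"

# make_wrappers ZIMMERMAN_ROOT BIN_DIR
# Writes one wrapper per supported DLL, under both the original-case and the
# lower-case name, into BIN_DIR, and prints the number of tools wrapped.
make_wrappers() {
    local root="$1" bindir="$2" count=0 dll tool lower name
    mkdir -p "$bindir" || return 1
    for dll in "$root"/*.dll "$root"/*/*.dll; do
        [ -f "$dll" ] || continue            # an unmatched glob stays literal; skip it
        tool="$(basename "$dll" .dll)"
        case " $LINUX_UNSUPPORTED " in
            *" $tool "*) continue ;;         # known non-Linux tool, see above
        esac
        lower="$(printf '%s' "$tool" | tr '[:upper:]' '[:lower:]')"
        for name in "$tool" "$lower"; do     # same file written twice for already-lowercase names
            cat > "$bindir/$name" <<EOF
#!/bin/bash
# Wrapper for $tool generated by make_wrappers (example code).
# "\$@" forwards every argument with its quoting intact (\${*} would merge them),
# and exec lets the caller see dotnet's own exit code, so this works in scripts.
exec dotnet "$dll" "\$@"
EOF
            chmod 0755 "$bindir/$name"
        done
        count=$((count + 1))
    done
    echo "$count"
}
```

Run as root with `make_wrappers /opt/zimmermantools /usr/local/bin` for the real install; unlike an alias, the resulting wrappers are ordinary executables and are therefore found from non-interactive shell scripts as well.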

@digitalsleuth

So, I've been trying for an hour or two, and I can't complete an accurate test, due to some ongoing internet connectivity issues I'm having with my ISP. Rest assured, the state is ready to go, but until I can complete an accurate test, I won't be able to push it as a PR. Hopefully this isn't an issue tomorrow.

@mpilking

The wrapper seems like the better approach. It also probably has the benefit that it works better inside other shell scripts. I created a bash script for some automation recently and tried to use the mftecmd alias, but it failed. It wasn't a big deal. I just put the full command in the script. But if this wrapper works in scripts, even better.

Thanks for your help!

@salty4n6

So far I've tested a couple of the zimmerman apps on SIFT and I'm really liking it, but I ran into another app that is cranky but wasn't called out as one that has issues on Linux.

When I run SrumECmd I get this message:
"Non-Windows platforms not supported due to the need to load ESI specific Windows libraries! Exiting..."

~Salty

@dfir-scripts

I have been doing some testing of the non-GUI tools to run in Linux and should be able to add most of the tools to SANS SIFT without issue.

The following tools run fine, both by downloading the compiled Windows version and running the file's DLL with the dotnet command, and by compiling:
AmcacheParser
AppCompatCacheParser
Bstrings
EvtxeCmd
JLECmd
LECmd
MFTECmd
RBCmd
RecentFileCacheParser
RECmd/RECmd
Rla
SBECmd

WxTCmd and SQLECmd work after applying the instructions in Linux.md for each repo and compiling.

SumECmd, Srum and PECmd execute with the following errors:
SumECmd, Srum:
"Non-Windows platforms not supported due to the need to load ESI specific Windows libraries! Exiting..."
PECmd:
"Non-Windows platforms not supported due to the need to load decompression specific Windows libraries! Exiting..."
According to Eric Z, the non-working tools have unmet Windows dependencies and are working as designed.

Tested on dotnet 9, Ubuntu 22.04 and 24.04

Here is the install script I use for Siftgrab that installs PowerShell and dotnet 9, runs Get-ZimmermanTools.ps1 and adds aliases:
https://gist.githubusercontent.com/dfir-scripts/10034ce77b04db988dcafbbb2567a426/raw/setup-zimmerman-tools.sh

and here is a Linux-x64 compiled version of WxTCmd and SQLECmd:
https://drive.google.com/file/d/1qfiqzv3geQNYsr6R8sZaWPl7nO6NlLeu/view?usp=sharing

@digitalsleuth

Hi @dfir-scripts , this is already on the roadmap and should be available soon. For more details, you can review the state file here.

Cheers!

@MMULLINIX1

MMULLINIX1 commented Mar 4, 2025 via email

@mark-hallman
Author

mark-hallman commented Mar 4, 2025 via email

@digitalsleuth

Hi @mark-hallman , sorry just getting to see this now. The Zimmerman state I referenced above actually accomplishes all of the same things that you were looking to do in your script, with the exception of having to execute pwsh to download the files. It does however create file wrappers in /usr/local/bin for both the standard-case and lower-case versions of the names instead of aliases, which makes the management of the wrappers a bit easier than managing environment variables.

I'm open to some new ideas though if you have an approach that would streamline this further.

Cheers!

@mark-hallman
Author

@digitalsleuth I reviewed the install script and it looks solid to me. One thing... can we use apt or apt-get to do the PowerShell install? We consistently have issues with Snap-installed apps. Snap could be the default, and a CLI arg could provide a different installer to use. Or the user could edit the script to use whatever. Just a suggestion. Nice work!

Something like this might work.

# Install PowerShell Core in Ubuntu

# Get the Microsoft signing key and store it in its own keyring.
# (apt-key is deprecated; the signed-by= option below scopes this key to the
# Microsoft repository instead of trusting it for every repository on the system.)
curl -fsSL https://packages.microsoft.com/keys/microsoft.asc | gpg --dearmor | sudo tee /usr/share/keyrings/microsoft.gpg > /dev/null

# Register the Microsoft repository

# For Ubuntu 20.04 (Focal)
# sudo sh -c 'echo "deb [arch=amd64 signed-by=/usr/share/keyrings/microsoft.gpg] https://packages.microsoft.com/repos/microsoft-ubuntu-focal-prod focal main" > /etc/apt/sources.list.d/microsoft.list'

# For Ubuntu 22.04 (Jammy)
# sudo sh -c 'echo "deb [arch=amd64 signed-by=/usr/share/keyrings/microsoft.gpg] https://packages.microsoft.com/repos/microsoft-ubuntu-jammy-prod jammy main" > /etc/apt/sources.list.d/microsoft.list'

# For Ubuntu 24.04 (Noble)
sudo sh -c 'echo "deb [arch=amd64 signed-by=/usr/share/keyrings/microsoft.gpg] https://packages.microsoft.com/repos/microsoft-ubuntu-noble-prod noble main" > /etc/apt/sources.list.d/microsoft.list'

sudo apt-get update

sudo apt-get install -y powershell

^^^^ partially AI generated

@digitalsleuth

We're already actually installing PowerShell, both in the current release (v7.4.1) and the upcoming release (v7.4.6). v7.4.6 and above is required for PowerShell to work in Ubuntu Noble.

However, running PowerShell for what Salt can do natively (i.e. download, extract) isn't computationally economical, given the amount of overhead. Additionally, the PowerShell script won't organize and generate the wrappers as we've already done.

@mark-hallman
Author

Cool, nice to know. Thanks.
