Enhancing Digital Forensics with ReversingLabs Hash Query Plugin for Autopsy
Autopsy (version 4) is an open source tool used for digital forensics investigations to conduct disk image, local drive, and folder and file analysis. Some of the Autopsy features include timeline analysis, keyword search, registry analysis, email analysis, file type sorting, hash set filtering, and various ingest modules that look for evidence. You can find more information and download link here: https://www.sleuthkit.org/autopsy/
Polito Inc. has partnered with ReversingLabs (RL) and has developed a plugin extension called ReversingLabs Lookup Utility for Autopsy. ReversingLabs provides digital forensics solutions for file analysis, malware hunting and identification. To run the ReversingLabs Plugin, it is necessary to be a ReversingLabs Customer with API credentials.
The ReversingLabs hash query plugin assists digital investigators with faster analysis results and makes the process more efficient when trying to find malicious activity. The goal is to filter out the known good and known bad, and focus on the unknowns. This speeds up the analysis process and results when looking for malicious activity using forensics tools.
You can download the plugin from our GitHub repo at: https://github.com/PolitoInc/autopsy-reversinglabs-plugin. To run the ReversingLabs Lookup Utility for Autopsy there are a few steps that will need to be completed. The first step is to create a case to work on. Steps 2 through 6 will then walk you through how to install the ReversingLabs extension so it can be used on the case.
Create New Case, Open Recent Case, or Open Existing Case in Autopsy.
Adding Hash Database (optional)
This section is optional, you can skip to installing the ReversingLabs plugin. If you decide to skip Hash Database integration, just select “Calculate MD5 if no hash database is selected” in Run Ingest Modules -> Hash Lookup and this should work to run the ReversingLabs plugin.
In order to assist with finding malicious activities and evidence, it is best to incorporate the hash databases. There are different types of hash sets. For example, EnCase, MD5sum, NSRL, and HashKeeper. To learn more about hash databases, check out: http://sleuthkit.org/autopsy/docs/user-docs/4.4/hash_db_page.html
For this case example, we have used the NSRL Hash set:
2. To add the NSRL Hash Database to the case, go to Tools -> Options -> Hash Databases icon and select the downloaded hash set and click OK. a. It may have to be indexed which may take a long time depending on what set you use.
3. Click OK on the Hash Database window after indexing and integration is complete.
Installing the ReversingLabs Plugin
1. To add the new plugin, go to, Tools -> Plugins.
2. Go to the Downloaded tab and click Add Plugins.
3. Select your downloaded plugin and click Open.
4. Click Install and Next to continue installation.
5. Once installation is complete, Restart Autopsy.
Using the Plugin on the Case
1. To run Autopsy using the plugin re-open the case.
2. Click Continue on the Validation Warning window.
3. Select the Data Source image, right-click the image and click Run Ingest Modules.
4. Select Hash Lookup and check the boxes for NSRLFile for known hash databases, any preferred notable hash databases you may have, and “Calculate MD5 even if
no hash database is selected” (should you choose not to integrate Hash Database sets for this case).
a. If you have skipped Hash Database integration – just select “Calculate MD5 if no hash database is selected” and this should work to run the ReversingLabs plugin.
5. Click the ReversingLabs Lookup Utility and fill in the following to run the Ingest Modules.
a. Server Hostname/IP: ticloud-cdn-api.reversinglabs.com
b. Server Port: 443
c. Username: u/username
d. Password: ************************
e. Make sure Use SSL is selected and click Finish.
After running the Ingest Modules, Autopsy will automatically submit all file hashes to ReversingLabs and will return the results in the File Tags area. Upon receiving the results, the investigator can quickly look through the files and identify the malicious and unknown sources to effectively advance the investigation.
The ReversingLabs Lookup Utility for Autopsy plugin is available for immediate download from our GitHub repo at: https://github.com/PolitoInc/autopsy-reversinglabs-plugin. Happy hunting!
Note: The ReversingLabs Lookup Utility has been tested on 4.8.0 version of Autopsy.
Polito, Inc. offers a wide range of security consulting services including threat hunting, penetration testing, vulnerability assessments, incident response, digital forensics, and more. If your business or your clients have any cyber security needs, contact our experts and experience what Masterful Cyber Security is all about.