Enhancing Digital Forensics with ReversingLabs Plugins: Now for X-Ways!
At Polito Inc., our forensic experts often rely on X-Ways Forensics to rapidly acquire and analyze digital computer evidence. X-Ways Forensics is an increasingly popular tool in the Digital Forensics and Incident Response (DFIR) community, largely due to its speed, reliability, and useful features such as support for a wide array of image formats, multi-threaded regex/keyword searching and file hashing, and 3rd party extensions. Today Polito Inc. is pleased to announce that, following up on its ReversingLabs plugin for Autopsy, we are releasing ReversingLabs extensions for X-Ways.
To recap our previously released Autopsy plugin and background:
Polito Inc. has partnered with ReversingLabs (RL) and has developed a plugin extension called ReversingLabs Lookup Utility for Autopsy. ReversingLabs provides digital forensics solutions for file analysis, malware hunting and identification. To run the ReversingLabs Plugin, it is necessary to be a ReversingLabs customer with API credentials.
The ReversingLabs hash query plugin assists digital investigators with faster analysis results and makes the process more efficient when trying to find malicious activity. The goal is to filter out the known good and known bad, and focus on the unknowns. This speeds up the analysis process and results when looking for malicious activity using forensics tools.
For X-Ways, we are releasing two different extensions (aka "X-Tensions"). One is an extension for RL hash lookups, similar in function to the Autopsy plugin. This is useful for quickly triaging a file hash or multiple file hashes at once, to help determine whether the hash is known or not and whether the underlying file is malicious or not. The other X-Ways extension is for submitting files to RL, which is handy when the hash is not found in the RL database (e.g., unknown).
Obtaining and Configuring the ReversingLabs X-Ways Extensions
The RL extensions are designed to run on 19.x 64-bit versions of X-Ways. The extensions may or may not work on older versions, as they have only been tested on 64-bit X-Ways versions 19.3 and 19.6 running on Windows 7 and Windows 10. We are working on testing additional recent versions for compatibility.
To start, you will need your RL API credentials and key ready. You can download the latest extension DLLs from our GitHub repo, consisting of RL_GetFileReputation.dll and RL_SubmitFile.dll. Save each DLL locally in a separate folder you will remember. It is important that the DLLs reside in their own folders because each DLL requires a separate configuration file to be present in the same folder, containing a different type of RL API credential.
In the folder for RL_GetFileReputation.dll, create a text file named "rlconfig.txt". It should contain Titanium Cloud API credentials in the following format:
Save that rlconfig.txt file once you have added your API credentials.
Similarly, in the folder for RL_SubmitFile.dll, create a text file also named "rlconfig.txt". It should contain an A1000 API key in the following format:
Save that rlconfig.txt file once you have added your API key.
Again, it is important to have separate rlconfig.txt files for each extension's DLL since the authentication configuration is formatted differently.
To add both extensions to X-Ways, go to Tools > Run X-Tensions, then click the add button (plus sign). Navigate to the folder where you saved RL_GetFileReputation.dll, select it, and click OK. Repeat these steps to add RL_SubmitFile.dll. Verify that both DLLs are now listed, then click OK.
Before the extensions can be used, you need to hash the files of interest in your X-Ways evidence. The typical way to hash all files in X-Ways is to go to Specialist > Refine Volume Snapshot and check the option to "Compute hash". If you want to process and hash the file contents of compressed file archives, also check the corresponding box to "Include contents of file archives: zip, rar, 7z, tar, gz, ...". Now ensure that the Hash (MD5) column and Metadata column are visible in X-Ways. Once the file hashing has completed, MD5 hashes will be visible in the Hash (MD5) column. To modify the column view, double-click the header above one of the existing columns and enter a length >0 for each column you wish to have displayed.
To use either extension, right click on the file or files of interest to select them, and click Run X-Tensions... in the context menu that appears. Select the extension that you want to run then click the OK button to run it.
After running the GetFileReputation extension, the Metadata field will become populated with the RL results for the queried hash(es). The hash query results include the file's Threat Status (KNOWN/UNKNOWN/MALICIOUS), Scanner Count, Scanner Match (count of AV hits), Threat Name, Threat Level, and Trust Factor values.
After running the SubmitFile extension, the RL URL to the file report will appear in the X-Ways Messages box.
You can use your A1000 credentials to log in and visit that URL to see the full RL report for the submitted file.
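The workflow above (hash the evidence, including archive members, look each MD5 up, then keep only the unknowns as candidates for submission) can be followed outside X-Ways as well. The script below is an added example and is not part of Polito's X-Tension code or of any ReversingLabs API; the evidence files and the reputation table are constructed stand-ins so it runs offline, and the result field names simply mirror the Metadata values the page lists (Threat Status, Scanner Count, Scanner Match, Threat Name, Threat Level, Trust Factor).

```python
"""Hash evidence files (descending into zip archives) and triage by reputation.

Added example, not the ReversingLabs X-Tension code. The reputation table is a
constructed stand-in for the RL hash lookup; the real extension queries
ReversingLabs with API credentials from rlconfig.txt.
"""
import hashlib
import io
import zipfile
from typing import Dict, Iterator, List, Optional, Tuple


def build_sample_evidence() -> Dict[str, bytes]:
    """Constructed sample evidence: path -> file bytes (two loose files, one zip)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("tools/helper.dll", b"helper-dll-contents")
        zf.writestr("docs/readme.txt", b"readme contents")
    return {
        "C:/Evidence/notepad.exe": b"notepad-contents",   # constructed
        "C:/Evidence/dropper.exe": b"dropper-contents",   # constructed
        "C:/Evidence/archive.zip": buf.getvalue(),        # constructed
    }


def md5_hex(data: bytes) -> str:
    """MD5 hex digest, the hash type X-Ways shows in the Hash (MD5) column."""
    return hashlib.md5(data).hexdigest()


def iter_hashable(evidence: Dict[str, bytes],
                  include_archives: bool = True) -> Iterator[Tuple[str, bytes]]:
    """Yield (path, data) for every file; with include_archives, also yield each
    zip member, mirroring the "Include contents of file archives" option."""
    for path, data in evidence.items():
        yield path, data
        if include_archives and zipfile.is_zipfile(io.BytesIO(data)):
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for name in zf.namelist():
                    if name.endswith("/"):      # skip directory entries
                        continue
                    yield f"{path}|{name}", zf.read(name)


def constructed_reputation() -> Dict[str, Dict[str, object]]:
    """Constructed stand-in for the RL lookup: md5 -> result fields."""
    return {
        md5_hex(b"notepad-contents"): {
            "threat_status": "KNOWN", "scanner_count": 40, "scanner_match": 0,
            "threat_name": "", "threat_level": 0, "trust_factor": 0},
        md5_hex(b"dropper-contents"): {
            "threat_status": "MALICIOUS", "scanner_count": 40, "scanner_match": 35,
            "threat_name": "Constructed.Sample.Trojan", "threat_level": 5,
            "trust_factor": 5},
        md5_hex(b"helper-dll-contents"): {
            "threat_status": "KNOWN", "scanner_count": 40, "scanner_match": 0,
            "threat_name": "", "threat_level": 0, "trust_factor": 0},
    }


def triage(evidence: Dict[str, bytes],
           reputation: Dict[str, Dict[str, object]],
           include_archives: bool = True) -> Dict[str, List[Tuple[str, str]]]:
    """Bucket every hashed item by Threat Status. A hash absent from the lookup
    is treated as UNKNOWN, i.e. a candidate for file submission."""
    buckets: Dict[str, List[Tuple[str, str]]] = {
        "KNOWN": [], "MALICIOUS": [], "UNKNOWN": []}
    for path, data in iter_hashable(evidence, include_archives):
        digest = md5_hex(data)
        result: Optional[Dict[str, object]] = reputation.get(digest)
        status = str(result["threat_status"]) if result else "UNKNOWN"
        buckets.setdefault(status, []).append((path, digest))
    return buckets


def submission_candidates(buckets: Dict[str, List[Tuple[str, str]]]) -> List[str]:
    """Paths whose hash is unknown to the lookup: the files worth submitting."""
    return [path for path, _ in buckets["UNKNOWN"]]


if __name__ == "__main__":
    result = triage(build_sample_evidence(), constructed_reputation())
    for status, items in result.items():
        for path, digest in items:
            print(f"{status:9} {digest} {path}")
    print("submit:", submission_candidates(result))
```

Running it lists each hashed item with its status; the zip archive itself and the readme inside it fall into UNKNOWN because no lookup entry exists for them, which is exactly the set the SubmitFile extension is meant for, while the dropper is flagged MALICIOUS and the known files drop out of the review queue.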
Please feel free to open an issue on GitHub or contact us about any questions, bug reports, or other feedback. Happy forensicating!
Polito, Inc. offers a wide range of security consulting services including threat hunting, penetration testing, vulnerability assessments, incident response, digital forensics, and more. If your business or your clients have any cyber security needs, contact our experts and experience what Masterful Cyber Security is all about.