Monday, 31 October 2016

Testing Environment & Setup


Testing Environment 
A test lab was configured for the purposes of this review; the specifications are as follows:

VMware virtual machine (Workstation 12)
Operating system: Windows 7 Professional
Memory: 2 GB
Hard drive: 50 GB
Virtual network adapter with host-only and bridged networking.

This virtual machine is configured with hourly snapshot backups to ensure retention of the lab environment. This will also allow for a system rollback if required. See Figure 1.

Figure 1: Virtual Machine Settings


Additionally, snapshots will also be taken before important changes are made.

Software:
None, vanilla install of Windows 7 Professional.

 
The following has been installed to meet the prerequisites of Dumpzilla:
Python 3.5.2 (64-bit)
GnuWin32 File utility (required by the Magic module)

Python Modules:
The following additional modules were required by Dumpzilla:
Magic Module (https://github.com/ahupp/python-magic)

Additional Software & Configuration: 
Notepad++ - an extended text editor.
Environment variable - PYTHONIOENCODING=UTF-8
This environment variable is set as directed by the Python 3.x Wiki (2012) to prevent unprintable characters from flooding the output of the tool.
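The failure that variable guards against is easy to reproduce. The following is an added example of my own, not code from Dumpzilla or the original post: it takes a few constructed page titles of the kind a history dump prints and checks whether they can be encoded in cp437 and cp1252 (stand-ins for the legacy console and ANSI code pages a Python 3.5 process falls back to on Windows when PYTHONIOENCODING is unset) versus UTF-8.

```python
"""
Added example (not from Dumpzilla or the original post): show what happens when a
tool prints browser data containing characters outside the output encoding, the
situation PYTHONIOENCODING=UTF-8 prevents. The sample titles are constructed.
"""
import os
import sys

# Constructed page titles of the kind found in a Firefox history dump.
SAMPLE_TITLES = [
    "Leeds Beckett University - Home",  # plain ASCII: printable everywhere
    "Zürich – Wikipedia",               # en dash U+2013: in cp1252, not in cp437
    "日本語のページ",                     # CJK: in neither legacy code page
]


def encode_report(text, encoding):
    """Return (ok, lost): ok is True when `text` encodes cleanly in `encoding`;
    lost is how many characters errors='replace' would turn into '?' instead of
    the UnicodeEncodeError that print() raises under the default errors='strict'."""
    try:
        text.encode(encoding)
        return True, 0
    except UnicodeEncodeError:
        degraded = text.encode(encoding, errors="replace").decode(encoding)
        lost = sum(1 for a, b in zip(text, degraded) if a != b)
        return False, lost


def check_titles(titles=SAMPLE_TITLES, encodings=("cp437", "cp1252", "utf-8")):
    """Map each encoding to {title: (ok, lost)} so the effect of the output
    encoding on a whole dump can be seen at once."""
    return {enc: {t: encode_report(t, enc) for t in titles} for enc in encodings}


def output_encoding_status():
    """What this interpreter will actually use for sys.stdout, and whether the
    PYTHONIOENCODING override from the post is in effect."""
    return {
        "stdout_encoding": (sys.stdout.encoding or "unknown").lower(),
        "PYTHONIOENCODING": os.environ.get("PYTHONIOENCODING"),
    }


if __name__ == "__main__":
    print(output_encoding_status())
    for enc, results in check_titles().items():
        for title, (ok, lost) in results.items():
            # ascii() escapes non-ASCII so this report itself cannot trip the same error
            print(f"{enc:7} {'ok  ' if ok else 'FAIL'} lost={lost}  {ascii(title)}")
```

The interesting case is the one the Dumpzilla manual encourages: piping the output into grep or redirecting it to a file. Under Python 3.5 on Windows a redirected stdout uses the ANSI code page rather than UTF-8, so the first CJK title aborts the dump with a UnicodeEncodeError; setting PYTHONIOENCODING=UTF-8 before the run is the fix available on that version (sys.stdout.reconfigure() only arrived in Python 3.7).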


Software Installation Timeline:
This forensics tool does not install; instead it is run using the Python 3.x binary. As such, there is not much of a timeline that can be shown here, nor many system changes to record.
Various DLL files required by the Magic module and the GnuWin32 File utility were placed into the Windows system32 folder so that they can be located later via the default PATH environment variable.

Some screenshots were taken to illustrate the installation of these prerequisites.
Figure 2: The Python installation folder was added to the Windows PATH environment variable so that it can be accessed from the command prompt.

Figure 3: The Magic module being installed (python setup.py install)

Figure 4: A screenshot showing the Dumpzilla script being run for the first time and outputting the syntax / help menu.

Once these had been installed, the latest version of the Firefox web browser was installed, several searches were performed and two add-ons were installed. The Procmon tool by Microsoft (Russinovich, 2016) was used to capture all system events while Dumpzilla processed the Firefox profile. This produced a large number of results, which have been compiled into parsable XML output and are available for download and viewing here! (Easton, 2016)

The summary of events from Procmon for the Python process is shown below in Figure 5.
Figure 5: Summary of events from the Python process whilst running Dumpzilla
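A per-process summary like Figure 5 can be produced from the XML export itself rather than read off the Procmon window. The following is an added example of my own, not part of the original post or of Procmon or Dumpzilla: it parses a constructed export and counts operations for python.exe, lists its failed accesses, and checks that the tool opened nothing for writing. The element names (<procmon><eventlist><event> with Process_Name, Operation, Path, Result and Detail children) follow the layout I assume for Procmon's "Save as XML" output; real exports carry more fields per event.

```python
"""
Added example, not part of the original post or of Procmon/Dumpzilla: summarise a
Process Monitor XML export for one process, as Figure 5 does for python.exe.
The export below is constructed; its element names follow the layout I assume for
Procmon's "Save as XML" output, and real exports carry more fields per event.
"""
from collections import Counter
import xml.etree.ElementTree as ET

# Constructed sample: three events from python.exe reading a Firefox profile and
# one unrelated event from explorer.exe.
SAMPLE_XML = r"""<procmon>
  <eventlist>
    <event>
      <Time_of_Day>14:02:11.1234567</Time_of_Day>
      <Process_Name>python.exe</Process_Name>
      <PID>2468</PID>
      <Operation>CreateFile</Operation>
      <Path>C:\Cases\profile\places.sqlite</Path>
      <Result>SUCCESS</Result>
      <Detail>Desired Access: Generic Read</Detail>
    </event>
    <event>
      <Time_of_Day>14:02:11.1250000</Time_of_Day>
      <Process_Name>python.exe</Process_Name>
      <PID>2468</PID>
      <Operation>CreateFile</Operation>
      <Path>C:\Cases\profile\places.sqlite-wal</Path>
      <Result>NAME NOT FOUND</Result>
      <Detail>Desired Access: Generic Read</Detail>
    </event>
    <event>
      <Time_of_Day>14:02:11.1300000</Time_of_Day>
      <Process_Name>python.exe</Process_Name>
      <PID>2468</PID>
      <Operation>ReadFile</Operation>
      <Path>C:\Cases\profile\places.sqlite</Path>
      <Result>SUCCESS</Result>
      <Detail>Offset: 0, Length: 4,096</Detail>
    </event>
    <event>
      <Time_of_Day>14:02:12.0000000</Time_of_Day>
      <Process_Name>explorer.exe</Process_Name>
      <PID>1337</PID>
      <Operation>CreateFile</Operation>
      <Path>C:\Users\lab\Desktop\desktop.ini</Path>
      <Result>SUCCESS</Result>
      <Detail>Desired Access: Read Attributes</Detail>
    </event>
  </eventlist>
</procmon>
"""


def parse_events(xml_text):
    """Flatten each <event> into a dict of its child elements (tag -> text)."""
    root = ET.fromstring(xml_text)  # the export is your own capture, not untrusted input
    return [{child.tag: (child.text or "").strip() for child in event}
            for event in root.iter("event")]


def events_for(events, process_name):
    """Events belonging to one image name, compared case-insensitively as Windows does."""
    return [e for e in events if e.get("Process_Name", "").lower() == process_name.lower()]


def summarise(events, process_name):
    """Operation -> count: the per-process summary shown in Figure 5."""
    return Counter(e["Operation"] for e in events_for(events, process_name))


def failed_accesses(events, process_name):
    """(Operation, Path, Result) for every non-SUCCESS event of the process. A
    NAME NOT FOUND on places.sqlite-wal shows the tool looked for Firefox's
    write-ahead log; if a live profile has one and it is not copied along with
    the database, the most recent history is missing from the analysis."""
    return [(e["Operation"], e["Path"], e["Result"])
            for e in events_for(events, process_name) if e.get("Result") != "SUCCESS"]


def write_attempts(events, process_name):
    """Paths the process opened with any write access. A read-only forensic tool
    should leave this empty, so it doubles as an evidence-integrity check."""
    return sorted({e["Path"] for e in events_for(events, process_name)
                   if e.get("Operation") == "CreateFile" and "Write" in e.get("Detail", "")})


if __name__ == "__main__":
    evs = parse_events(SAMPLE_XML)
    print("python.exe operations:", dict(summarise(evs, "python.exe")))
    print("failed accesses:", failed_accesses(evs, "python.exe"))
    print("write attempts:", write_attempts(evs, "python.exe"))
```

Run against the real export from the post, the same three functions give the operation totals, every path under the Firefox profile that the script failed to open, and confirmation that the profile was only ever opened for reading.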



Bibliography
Busindre. (2013) Dumpzilla Manual [Online]. Available from: <http://www.dumpzilla.org/Manual_dumpzilla_en.txt> [Accessed 31/10/2016]

Python Wiki (2012) PrintFails, 2012-11-25 11:32:18 [Online]. Available from: <https://wiki.python.org/moin/PrintFails> [Accessed 31/10/2016]

Russinovich, M. (2016) Process Monitor [Online]. Available from: <https://technet.microsoft.com/en-us/sysinternals/processmonitor.aspx> [Accessed 2/11/2016]

Easton, C. (2016) Procmon_Dumpzilla.txt [Online]. Available from: <https://www.dropbox.com/s/fo23x5zces3zpz2/Procmon_Dumpzilla.txt?dl=0> [Accessed 2/11/2016]



Tool Introduction: DumpZilla

(Busindre, 2013)



"Dumpzilla application is developed in Python 3.x and has as purpose extract all forensic interesting information of Firefox, Iceweasel and Seamonkey browsers to be analyzed. Due to its Python 3.x developement, might not work properly in old Python versions, mainly with certain characters. Works under Unix and Windows 32/64 bits systems. Works in command line interface, so information dumps could be redirected by pipes with tools such as grep, awk, cut, sed… Dumpzilla allows to visualize following sections, search customization and extract certain content." (Busindre, 2014)

The application of choice for this assignment is Dumpzilla. As mentioned above, this Python tool is designed to analyse the user data of the Firefox, Iceweasel and SeaMonkey web browsers and then display the retrieved information visually.

The tool can be downloaded from http://www.dumpzilla.org/; the latest version was released in 2013. There is also a GitHub repository, not updated since the beginning of 2016, which contains the same file as the main Dumpzilla website. The author of this tool goes by the name Busindre. It is an independently authored tool and was not published by a company.

Claims:
Busindre, the developer of Dumpzilla claims that the application is capable of visualizing the following:
 "- Cookies + DOM Storage (HTML 5).
 - User preferences (Domain permissions, Proxy settings...).
 - Downloads.
 - Web forms (Searches, emails, comments..).
 - Historial.
 - Bookmarks.
 - Cache HTML5 Visualization / Extraction (Offline cache).
 - visited sites "thumbnails" Visualization / Extraction .
 - Addons / Extensions and used paths or urls.
 - Browser saved passwords.
 - SSL Certificates added as a exception.
 - Session data (Webs, reference URLs and text used in forms).
 - Visualize live user surfing, Url used in each tab / window and use of forms. 
Dumpzilla will show SHA256 hash of each file to extract the information and finally a summary with totals.
Sections which date filter is not possible: DOM Storage, Permissions / Preferences, Addons, Extensions, Passwords/Exceptions, Thumbnails and Session"(Busindre, 2013)

Three different browsers are supported by the tool:
- Firefox (Win, Linux, Mac)
- IceWeasel (Win, Linux, Mac)
- SeaMonkey (Win, Linux, Mac)

No information is provided as to whether support for these browsers differs between versions of the tool; however, the way these browsers store information is almost identical, as all of them keep it in SQLite databases.
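Because all three browsers keep their data in SQLite, the extraction itself comes down to opening the profile's databases read-only, hashing them, and querying the right tables. The following is an added example of my own, not Dumpzilla's code: it builds a constructed places.sqlite from a subset of Firefox's moz_places and moz_historyvisits tables, records the file's SHA256 as the manual says Dumpzilla does for each file it processes, and lists visits with the kind of date filter the manual describes. The table and column names and the microsecond timestamp format are Firefox's; the URLs and visit times are constructed.

```python
"""
Added example, not code from Dumpzilla or the original post: open a Firefox
places.sqlite read-only, record its SHA256 as Dumpzilla does for each file it
processes, and list visits with an optional date filter. build_sample_profile()
creates a constructed database using only a subset of Firefox's real schema.
"""
import hashlib
import sqlite3
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Firefox stores visit_date as microseconds since the Unix epoch (PRTime).
US_PER_SECOND = 1_000_000
UTC = timezone.utc


def to_prtime(dt):
    """Timezone-aware datetime -> Firefox microsecond timestamp."""
    return int(dt.timestamp() * US_PER_SECOND)


def from_prtime(us):
    """Firefox microsecond timestamp -> aware UTC datetime."""
    return datetime.fromtimestamp(us / US_PER_SECOND, tz=UTC)


def build_sample_profile(directory):
    """Write a constructed places.sqlite with two places and three visits."""
    path = Path(directory) / "places.sqlite"
    conn = sqlite3.connect(str(path))
    conn.executescript("""
        CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url LONGVARCHAR,
            title LONGVARCHAR, visit_count INTEGER DEFAULT 0, last_visit_date INTEGER);
        CREATE TABLE moz_historyvisits (id INTEGER PRIMARY KEY, from_visit INTEGER,
            place_id INTEGER, visit_date INTEGER, visit_type INTEGER);
    """)
    conn.executemany("INSERT INTO moz_places (id, url, title) VALUES (?, ?, ?)", [
        (1, "http://www.dumpzilla.org/", "Dumpzilla"),
        (2, "http://www.leedsbeckett.ac.uk/", "Leeds Beckett University"),
    ])
    visits = [  # (place_id, visit time), constructed
        (1, datetime(2016, 10, 31, 10, 0, tzinfo=UTC)),
        (2, datetime(2016, 10, 31, 11, 30, tzinfo=UTC)),
        (1, datetime(2016, 11, 1, 9, 15, tzinfo=UTC)),
    ]
    conn.executemany(
        "INSERT INTO moz_historyvisits (place_id, visit_date, visit_type) VALUES (?, ?, 1)",
        [(place_id, to_prtime(when)) for place_id, when in visits])
    conn.commit()
    conn.close()
    return path


def sha256_of(path):
    """Hex SHA256 of the whole file: the integrity record to keep with the evidence."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def history(path, since=None, until=None):
    """[(utc_iso, url, title), ...] ordered by visit time, limited to [since, until).

    The file is opened through a mode=ro URI so nothing is written to the evidence.
    A live Firefox profile uses WAL journaling, so analyse a copy that includes
    places.sqlite-wal, or a profile from a browser that was closed cleanly.
    """
    conn = sqlite3.connect(Path(path).resolve().as_uri() + "?mode=ro", uri=True)
    sql = ("SELECT v.visit_date, p.url, p.title FROM moz_historyvisits v "
           "JOIN moz_places p ON p.id = v.place_id")
    clauses, params = [], []
    if since is not None:
        clauses.append("v.visit_date >= ?")
        params.append(to_prtime(since))
    if until is not None:
        clauses.append("v.visit_date < ?")
        params.append(to_prtime(until))
    if clauses:
        sql += " WHERE " + " AND ".join(clauses)
    rows = conn.execute(sql + " ORDER BY v.visit_date", params).fetchall()
    conn.close()
    return [(from_prtime(us).isoformat(), url, title) for us, url, title in rows]


def run_demo():
    """Build the sample profile in a temp dir; return (sha256, all visits, filtered visits)."""
    with tempfile.TemporaryDirectory() as directory:
        db = build_sample_profile(directory)
        window = dict(since=datetime(2016, 10, 31, 11, 0, tzinfo=UTC),
                      until=datetime(2016, 11, 1, tzinfo=UTC))
        return sha256_of(db), history(db), history(db, **window)


if __name__ == "__main__":
    file_hash, everything, in_window = run_demo()
    print("places.sqlite SHA256:", file_hash)
    for row in in_window:
        print(*row, sep="\t")
```

Pointing history() at a real profile's places.sqlite (after copying it out of the profile folder) returns the browser's visit list in UTC; the hash taken first is what lets a reviewer show the file was not altered during analysis.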


Licensing
The licensing of Dumpzilla is defined as GPLv3+ (GNU GPL version 3 or later) on the main website and in the manual (Busindre, 2013). The GPLv3 website describes this license as a non-restrictive, open-source license that allows anybody to modify, update or share the software. This is also known as copyleft: the software is copyrighted, but instead of using those rights to restrict users as proprietary software does, the rights are used to ensure every user has freedom (Smith, 2014).

As this script is free and open source, its source code can be analysed to investigate further how the tool performs its many functions.


Bibliography:
Busindre. (2013) Dumpzilla Logo [Online image]. Available from: <http://www.dumpzilla.org/dumpzilla.png> [Accessed 31/10/2016]

Busindre. (2013) Dumpzilla Manual [Online]. Available from: <http://www.dumpzilla.org/Manual_dumpzilla_en.txt> [Accessed 31/10/2016]

Smith, B. (2014) A Quick Guide to GPLv3, 11th November [Online]. Available from: <https://www.gnu.org/licenses/quick-guide-gplv3.html> [Accessed 31/10/2016]



Saturday, 29 October 2016

Hello World...

This blog has been created to track the progress and to show the results of a critical review of a browser digital forensics analysis tool, Dumpzilla by Busindre, available from: http://www.dumpzilla.org/

Over the course of the next two months, this blog will be maintained to show all the results and the 'behind the scenes' of this review.

This blog has been created for Leeds Beckett University by Christopher Easton (c3398352) as part of the Digital Forensics Analysis module of the BSc Hons Computer Forensics & Security final year program.