Offensive Forensics – “Forensic_Scraper”
So, as promised last week at Defcon 2013, we’ve made Forensic_Scraper, the Meterpreter module demonstrated – if you’d like to get a download or check out the slides from the Defcon 21 presentation, please send our team a brief message here.
To avoid a flurry of usability questions, here’s a few notes on functionality:
- No input or flags are currently needed for usability – Drop the script in your Meterpreter directory (/opt/metaspoit/apps/pro/msf3/scripts/meterpreter, in my case), and fire away!
- When run, Forensic_Scraper will grab the list of interesting files (which are easily changed, by the way), and download each one automatically. Keep in mind file sizes here – if it seems to be ‘hung’, look at the file it’s downloading and check the file size in the download directory; most likely, it’s just a large file (such as an Outlook .OST) and needs some time. Patience is a virtue.
- Speaking of file downloads, the download directory is currently hardcoded as /root/.msf4/loot/forensic_scraper_results/ From here, you’ll find the system (target) name, and inside that, the categorization of the files (chrome, windows, miscellaneous, etc). We figured this would be a logical way of organizing files from a pentest perspective, and there’s an option to change this directory in the help menu.
For functionality you’d like to see, bugs you don’t want to see, or anything else that needs mentioning about the Forensic_Scraper, email us at [email protected] or drop us a message on the contact us page.
Lastly, major credit to both Naomi Bornemann and Nicole Griesmeyer for late nights and long coding sessions to get this done sooner than expected.
Thanks for all of the support and questions along the way!
Rhino Security Labs