DFLabs will announce its new No-Script Automation Tool (NAT) at Black Hat USA on August 8th, 2018 in Las Vegas. NAT is a free tool that helps incident responders collect live forensic data from Windows hosts. This post explains why the tool exists and how it works.
Why has live data acquisition become an increasingly important task?
When responding to a potential security incident, it is often standard practice to perform some level of live data acquisition on potentially compromised hosts. In some cases, this is due to the need to acquire volatile data, such as running processes, open files, network connections and other memory artifacts. In other cases, it is simply not possible to take the host offline to perform traditional dead-box forensics. No matter the reason, live data acquisition has become an increasingly important task.
Performing live data acquisitions presents some unique challenges not present with traditional dead-box forensics. Chief among these is ensuring that live response tools are run in a repeatable, documented and secure manner. The usual answer is to place the live response tools on a USB drive that is attached to the target host and to script their execution (usually via a batch script on Windows hosts) so that each tool is run with the correct options, in the correct order, every time.
While batch scripting does address many of the challenges of live data acquisition, it has several shortcomings. Many live data acquisition tools are specific to a certain OS or CPU architecture. Attempting to make logic choices within a batch script regarding OS and CPU architecture is unreliable at best, and significantly increases the complexity of the batch script. The only other option is to have a separate batch script for each OS group and CPU architecture, which does not scale well.
Running live data acquisition tools via a batch script can also create security concerns. Unless each tool and its associated commands are manually examined before each execution, it is possible that either the tools themselves or their commands have been modified, whether accidentally or maliciously. This could lead to unintended results when executing the batch script, or even further compromise of the host.
What is the No-Script Automation Tool (NAT)?
The No-Script Automation Tool (NAT) is a free command line tool from DFLabs designed to remove the complexity and management problems of chaining multiple tools together with batch scripts on Windows systems. NAT runs sets of pre-defined and pre-verified tools, selecting them from user-specified input, predefined commands and system properties such as CPU architecture and Windows version.
How does the No-Script Automation Tool (NAT) work?
As with previous methods, NAT is placed on a USB drive along with the live data acquisition tools. That is where the similarities end. The tools are organized into directories by category (process information, network information, file information, etc.) and then, where required, by OS range and CPU architecture. If a tool needs specific command line arguments, one or more sets of arguments can be defined by placing a text file in the same directory as the tool.
Once the drive is configured with the appropriate directory structure, tools and commands, NAT lets the user create an integrity file: it hashes both the tools and the command files and stores the hashes in a password-protected file on the drive. From then on, NAT requires the user to enter the password or to explicitly choose to bypass the integrity check. If the correct password is entered, NAT compares the hash of each tool and command file to the known-good values and alerts the user if any mismatch is detected.
During execution, NAT records a detailed log of each tool that is executed. By default, NAT will write the output of each tool to a folder named for the hostname it is executed on, in the root of the drive it is executed from. Users have the option to change the output directory when NAT is run. Upon completion, the output from each tool is hashed and this information is also recorded in the log to ensure data integrity.
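The three steps above (category and architecture directory layout with argument files, a password-protected integrity manifest, and a per-host output folder whose contents are hashed into a log) can be modelled in a few dozen lines of PowerShell. The script below is an added example written for this post, not DFLabs' NAT code, and it does not reproduce NAT's real file formats: the tools\ layout, the .args file convention, the integrity.json manifest, the nat.log name and the use of PBKDF2 plus HMAC-SHA256 to bind the manifest to the password are all assumptions made here. It needs Windows PowerShell 5.1 or later and is meant to be run from the root of the response drive.

```powershell
<#
Added example (not DFLabs' NAT): a minimal model of the NAT workflow.
Assumed layout on the response drive (hypothetical):
  tools\<category>\<tool>.exe            or  tools\<category>\<x86|x64>\<tool>.exe
  tools\<category>\...\<tool>.args       one argument set per line (optional)
  integrity.json                         hashes of everything under tools\, HMAC'd with a password-derived key
Usage:  .\nat-model.ps1 -Mode Build      (after the drive is prepared)
        .\nat-model.ps1                  (on the target host; add -BypassIntegrity to skip the check)
#>
param(
    [ValidateSet('Build','Run')][string]$Mode = 'Run',
    [string]$Root = $PSScriptRoot,
    [switch]$BypassIntegrity
)
$ToolRoot     = Join-Path $Root 'tools'
$ManifestPath = Join-Path $Root 'integrity.json'
$OutRoot      = Join-Path $Root $env:COMPUTERNAME      # output folder named for the host, in the drive root

function Get-PasswordKey([securestring]$Password, [byte[]]$Salt) {
    # PBKDF2 derives the HMAC key from the operator's password; the password itself is never written to disk.
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Password)
    try { $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
    finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }
    return [Security.Cryptography.Rfc2898DeriveBytes]::new($plain, $Salt, 200000).GetBytes(32)
}

function Get-TreeHashes([string]$Dir) {
    # SHA-256 of every file under tools\: the binaries and the .args command files alike.
    $h = @{}
    Get-ChildItem -Path $Dir -Recurse -File | ForEach-Object {
        $rel = $_.FullName.Substring($Dir.Length).TrimStart('\')
        $h[$rel] = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
    }
    return $h
}

function Get-HashTableMac([byte[]]$Key, [hashtable]$Hashes) {
    # Canonical form (sorted "path=hash" lines) so the MAC is reproducible on any host.
    $lines = $Hashes.Keys | Sort-Object | ForEach-Object { "$_=$($Hashes[$_])" }
    $mac = [Security.Cryptography.HMACSHA256]::new($Key)
    $digest = $mac.ComputeHash([Text.Encoding]::UTF8.GetBytes(($lines -join "`n")))
    return [BitConverter]::ToString($digest).Replace('-', '')
}

if ($Mode -eq 'Build') {
    $salt = [byte[]]::new(16)
    [Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($salt)
    $key    = Get-PasswordKey (Read-Host 'Integrity password' -AsSecureString) $salt
    $hashes = Get-TreeHashes $ToolRoot
    @{ salt = [Convert]::ToBase64String($salt); hashes = $hashes; mac = (Get-HashTableMac $key $hashes) } |
        ConvertTo-Json -Depth 3 | Set-Content -Path $ManifestPath -Encoding UTF8
    Write-Host "Manifest written for $($hashes.Count) files: $ManifestPath"
    return
}

# --- Run mode: verify the drive before executing anything from it ---
if (-not $BypassIntegrity) {
    $m = Get-Content -Path $ManifestPath -Raw | ConvertFrom-Json
    $stored = @{}; $m.hashes.PSObject.Properties | ForEach-Object { $stored[$_.Name] = $_.Value }
    $key = Get-PasswordKey (Read-Host 'Integrity password' -AsSecureString) ([Convert]::FromBase64String($m.salt))
    # A wrong password and a tampered manifest look the same here: either way the drive is not trusted.
    if ((Get-HashTableMac $key $stored) -ne $m.mac) { throw 'Integrity file rejected: wrong password or manifest tampered with.' }
    $current = Get-TreeHashes $ToolRoot
    $bad = @($stored.Keys  | Where-Object { $current[$_] -ne $stored[$_] }) +   # modified or deleted
           @($current.Keys | Where-Object { -not $stored.ContainsKey($_) })     # added since the manifest was built
    if ($bad.Count -gt 0) { throw "Integrity mismatch, aborting: $($bad -join ', ')" }
}

# --- Select tools by CPU architecture and run every argument set, hashing each output into the log ---
$arch = if ([Environment]::Is64BitOperatingSystem) { 'x64' } else { 'x86' }
New-Item -ItemType Directory -Path $OutRoot -Force | Out-Null
$log = Join-Path $OutRoot 'nat.log'
Add-Content -Path $log -Value "$(Get-Date -Format o) start host=$env:COMPUTERNAME arch=$arch os=$([Environment]::OSVersion.Version) bypass=$BypassIntegrity"

foreach ($category in Get-ChildItem -Path $ToolRoot -Directory) {
    # Tools sit either directly in the category folder or in an architecture-specific subfolder.
    $dirs = @($category.FullName) + @(Join-Path $category.FullName $arch | Where-Object { Test-Path $_ })
    foreach ($exe in Get-ChildItem -Path $dirs -Filter *.exe -File -ErrorAction SilentlyContinue) {
        $argsFile = [IO.Path]::ChangeExtension($exe.FullName, '.args')
        $argSets  = if (Test-Path $argsFile) { Get-Content $argsFile | Where-Object { $_.Trim() } } else { @('') }
        $n = 0
        foreach ($argLine in $argSets) {
            $n++
            $outFile = Join-Path $OutRoot "$($category.Name)_$($exe.BaseName)_$n.txt"
            $argv = if ($argLine) { $argLine -split '\s+' } else { @() }    # whitespace split only; no quoting support
            & $exe.FullName @argv 2>&1 | Out-File -FilePath $outFile -Encoding UTF8
            $outHash = (Get-FileHash -Path $outFile -Algorithm SHA256).Hash
            Add-Content -Path $log -Value "$(Get-Date -Format o) ran `"$($exe.FullName)`" args=`"$argLine`" exit=$LASTEXITCODE output=$outFile sha256=$outHash"
        }
    }
}
```

Two points worth keeping in mind when using anything like this. First, the manifest proves that the drive has not changed since it was built, nothing more: the tools still run on top of the target's own kernel, loader and DLLs, so a rootkit on the host can still lie to them. Second, keying the manifest with a password-derived HMAC rather than a plain hash list means an attacker who can write to the drive cannot simply rehash their modified tools and update the file, which is the case a bare SHA-256 list would not catch.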
Download the No-Script Automation Tool (NAT) from DFLabs here.