Some time ago I released my Tr3Secure Volatile Data Collection Script, a dual-purpose triage script. The script can not only be leveraged "to properly preserve and acquire data from live systems" but can also help train people on examining volatile data. I have completely overhauled the Tr3Secure collection script, including adding the collection of non-volatile data. I wanted to release the updated script to the community, but I encountered a small issue.
At the time my updated script was collecting locked files using HBGary's FGET tool. FGET is a handy little tool. It can collect locked files such as registry hives both locally and remotely. It can natively collect a set of files such as the registry hives, or it can collect any file or NTFS artifact specified by file path. The best part about FGET was the ability to use it in scripts. FGET was freely available: at first it was downloadable from the HBGary website, then only from the registered users' portion of the HBGary website. Unfortunately, FGET is no longer available for download, and this was my small issue. How could I release a script that depended on a tool that is no longer available? I can't, so I set out to find an FGET replacement so I could collect locked files and NTFS artifacts while also scripting with it in a Windows batch file. This post outlines the items I came across as I searched for my replacement.
Invoke-NinjaCopy
The first item came from a recommendation by Jon Turner (@z4ns4tsu). Invoke-NinjaCopy is a PowerShell script that, according to its GitHub home, "copies a file from an NTFS partitioned volume by reading the raw volume and parsing the NTFS structures. This bypasses file DACL's, read handle locks, and SACL's". The clymb3r blog post Using PowerShell to Copy NTDS.dit / Registry Hives, Bypass SACL's / DACL's / File Locks explains why the author created the script and demonstrates how they were able to grab the NTDS.dit (the Active Directory database) off a live system. Out of everything I came across, Invoke-NinjaCopy was the only script/tool capable of grabbing locked files either locally or remotely like FGET can. Towards the top of my to-do list is taking a closer look at Invoke-NinjaCopy, since I think it could be helpful in incident response activities in addition to pen testing.
RawCopy
Lately it seems that if I need anything related to the NTFS file system, I first check Joakim Schicht's mft2csv website. Joakim's site is a gold mine, and anyone doing forensics on the NTFS file system should become familiar with it. One of his available tools is RawCopy, which is an "application that copy files off NTFS volumes by using low level disk reading method". RawCopy can copy out either the data ($DATA) or all attributes from the file's MFT entry. It can copy files using either the file path or the MFT record number. Download RawCopy from here.
TZWorks NTFSCopy
Next up is a tool from the folks over at TZWorks called NTFSCopy. NTFSCopy is a "tool that can copy any file (or alternate data stream) from a NTFS file system. This can be from either from a live system or from an imaged NTFS volume or drive". Similar to the other items, the tool is able to bypass locks and permissions to grab files, and it can copy NTFS artifacts. To copy a file you can specify the file name, cluster, or MFT record number. NTFSCopy works as described and can quickly copy NTFS artifacts and locked files from live systems. Anyone wanting to copy files from a live system should take a close look at NTFSCopy (download the tool from here). Just keep in mind that the free version is for non-commercial use only, but a commercial version is available.
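Invoke-NinjaCopy, RawCopy and NTFSCopy all share the same first step: read the volume's boot sector to find where $MFT starts and how large an MFT record is, then locate records by number. The following Python sketch, added here as an illustration and not code from any of those projects, parses a constructed NTFS boot sector to derive those values; it assumes $MFT's data is stored contiguously, which a real collector must not (it has to parse the run list of record 0's $DATA attribute instead).

```python
import struct

NTFS_OEM_ID = b"NTFS    "

def build_boot_sector(bytes_per_sector=512, sectors_per_cluster=8,
                      mft_cluster=786432, mftmirr_cluster=2,
                      clusters_per_mft_record=0xF6, total_sectors=2097151):
    """Build a minimal NTFS boot sector. Constructed sample values, not from a real disk."""
    bs = bytearray(512)
    bs[0:3] = b"\xEB\x52\x90"                         # jump instruction
    bs[3:11] = NTFS_OEM_ID                             # OEM ID
    struct.pack_into("<H", bs, 11, bytes_per_sector)   # BPB: bytes per sector
    bs[13] = sectors_per_cluster                       # BPB: sectors per cluster
    bs[21] = 0xF8                                      # media descriptor (fixed disk)
    struct.pack_into("<Q", bs, 40, total_sectors)      # total sectors in volume
    struct.pack_into("<Q", bs, 48, mft_cluster)        # logical cluster of $MFT
    struct.pack_into("<Q", bs, 56, mftmirr_cluster)    # logical cluster of $MFTMirr
    bs[64] = clusters_per_mft_record                   # signed: negative => 2**abs(value) bytes
    bs[68] = 0x01                                      # clusters per index record
    bs[510:512] = b"\x55\xAA"                          # boot sector signature
    return bytes(bs)

def parse_boot_sector(bs):
    """Return cluster size, byte offset of $MFT, and the MFT record size."""
    if len(bs) < 512 or bs[3:11] != NTFS_OEM_ID:
        raise ValueError("not an NTFS boot sector")
    if bs[510:512] != b"\x55\xAA":
        raise ValueError("missing boot sector signature")
    bytes_per_sector = struct.unpack_from("<H", bs, 11)[0]
    sectors_per_cluster = bs[13]
    cluster_size = bytes_per_sector * sectors_per_cluster
    mft_cluster = struct.unpack_from("<Q", bs, 48)[0]
    raw = struct.unpack_from("<b", bs, 64)[0]          # the edge case: a signed byte
    if raw < 0:
        record_size = 2 ** (-raw)                      # e.g. 0xF6 == -10 => 1024 bytes
    else:
        record_size = raw * cluster_size
    return {"cluster_size": cluster_size,
            "mft_offset": mft_cluster * cluster_size,
            "mft_record_size": record_size}

def mft_record_offset(info, record_number):
    """Byte offset of MFT record N from the volume start (assumes a contiguous $MFT)."""
    return info["mft_offset"] + record_number * info["mft_record_size"]
```

On a live Windows system the same 512 bytes come from the raw device (for example `open(r"\\.\C:", "rb")` as an administrator), which is exactly the access the tools above use to sidestep file locks.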
ircollect
The next tool is a Python script developed by David Kovar. ircollect "is a Python tool designed to collect files of interest in an incident response investigation or triage effort". David's blog post IRcollect – collect incident response information via raw disk reads and $MFT parsing provides additional information about the script. I think this is an interesting project, since everything is done using Python, and it's one I'm going to keep my eye on.
OSTriage
The last item may be overkill as an FGET replacement since it is a complete triage tool. Eric Zimmerman's OSTriage is still in development, and I was afforded the opportunity to test it. The tool is able to parse artifacts and presents a range of information, including P2P, network information (ARP cache and open ports), basic system information, browser history, browser searches, and USB devices. OSTriage even has the capability to image RAM. This is a tool to be on the lookout for.
Those wondering what I ended up choosing to replace FGET will have to wait until my next post, when I release the new and improved Tr3Secure collection script.
Another good tool is Hobocopy https://github.com/candera/hobocopy