Defcon 21 (p2) – “Forensic_Scraper” Released!

So, as promised last week at Defcon 2013, we’ve made Forensic_Scraper, the Meterpreter module demonstrated, available for download here.

To avoid a flurry of usability questions, here’s a few notes on functionality:

  1. No input or flags are currently needed for usability – Drop the script in your Meterpreter directory (/opt/metaspoit/apps/pro/msf3/scripts/meterpreter, in my case), and fire away!
  2. When run, Forensic_Scraper will grab the list of interesting files (which are easily changed, by the way), and download each one automatically.  Keep in mind file sizes here – if it seems to be ‘hung’, look at the file it’s downloading and check the file size in the download directory; most likely, it’s just a large file (such as an Outlook .OST) and needs some time.  Patience is a virtue.
  3. Speaking of file downloads, the download directory is currently hardcoded as  /root/.msf4/loot/forensic_scraper_results/   From here, you’ll find the system (target) name, and inside that, the categorization of the files (chrome, windows, miscellaneous, etc).  We figured this would be a logical way of organizing files from a pentest perspective, and there’s an option to change this directory in the help menu.

For functionality you’d like to see, bugs you don’t want to see, or anything else that needs mentioning about the Forensic_Scraper, email us at info at rhinosecuritylabs dot com.

Lastly, major credit to both Naomi Bornemann and Nicole Griesmeyer for late nights and long coding sessions to get this done sooner than expected.

Thanks and feel free to reach out via email or twitter!