How Truxton Works

From truxwiki.com

Truxton was designed to exploit data in a scalable way. You can add more exploitation processes on your loader machine, or you can add more machines to the exploitation process.

This high-level overview will give you an idea of what Truxton does. It does not go into the details of the Truxton architecture's design.

The Truxton exploitation process can be broken down into discrete stages. All processes running within a given stage execute in parallel. The early stages also overlap with each other, so a later stage can run at the same time as an earlier one. The later stages execute serially: a later stage does not begin until the previous stage has completed.

Overview

Truxton's goal is to present relevant information to analysts as the starting point for their investigations rather than handing them a big pile of data. Truxton automates much of the mundane forensic exploitation to produce artifacts and reports, allowing analysts to start with information rather than data. It does this in a scalable way, running 24x7 to keep up with the incoming data volume. Truxton's workflow is:

  1. Ingest raw media to produce files
  2. Files are exploited to produce artifacts
  3. As artifacts are discovered, items of interest are automatically tagged
  4. Artifacts and files are used to produce reports that analysts can distribute
  5. The Analyst Desktop presents information to the user allowing them to navigate and discover relationships

Load

Someone has decided that they have data that needs Truxton exploitation. Let's say it is a hard drive image in the popular E01 format, Bob.E01.

The entry point for Truxton is the Load process.

load.exe T:\Bob.E01

Load will open the file, determine what type it is and navigate it. Load's job is to find files, identify their type, eliminate the contents of files whose MD5 hash matches a known-good set, put the metadata about each file into a database and its contents into a depot, and then send messages to the other ETL processes that have registered to receive that type of file.

Exploit

The next stage, which runs in parallel with Load, exploits files to produce:

  • More files - When Truxton encounters a file archive (like a zip file), it will extract the files from that archive and send them through the exploitation pipeline.
  • Artifacts - Truxton will exploit files to extract things like serial numbers, accounts, etc that analysts can use in their examinations.
  • Events - Significant events such as connecting to networks, running programs, etc. to plot them on a time line.
  • Geographic Locations - Places embedded in photos, videos, drone flight logs, etc.
  • Camera Information - Truxton extracts camera make, model and serial numbers from photos and videos.
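To make the Load and Exploit stages concrete, here is an added example, written for this page and not Truxton's own code, of a pipeline with the same shape in Python: identify a file by its leading bytes, drop files whose MD5 matches a known-good set, store the rest in a content-addressed depot with a metadata record, and dispatch to handlers registered per file type. The zip handler feeds extracted members back through Load, as the "More files" item above describes, and the text handler produces a phone-number artifact. The known-good set, signature table, nesting and size limits, handler names and the sample archive are all constructed for the example. Two caveats a practitioner would want: MD5 is collision-prone, so a known-good match is noise reduction rather than a security boundary (the depot here is keyed by SHA-256 for that reason), and archives found on suspect media are attacker-controlled input, so the expander bounds nesting depth and member size.

```python
import hashlib
import io
import re
import zipfile
from dataclasses import dataclass, field

MAX_DEPTH = 8                   # assumed limit on archive-within-archive nesting
MAX_MEMBER_BYTES = 50_000_000   # assumed per-member size limit against zip bombs

def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

# Constructed known-good set: an empty file and one fixed text file.
# A real deployment would load a reference hash set such as NSRL.
KNOWN_GOOD_MD5 = {md5_hex(b""), md5_hex(b"hello world\n")}

# Constructed magic-byte table; Truxton's own identifier is not shown on the page.
SIGNATURES = [
    (b"PK\x03\x04", "application/zip"),
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"\x89PNG\r\n\x1a\n", "image/png"),
]
PHONE_RE = re.compile(r"\b\d{3}-\d{3}-\d{4}\b")

def identify(data: bytes) -> str:
    """Type label from leading bytes, falling back to UTF-8 text or raw bytes."""
    for magic, ftype in SIGNATURES:
        if data.startswith(magic):
            return ftype
    try:
        data.decode("utf-8")
        return "text/plain"
    except UnicodeDecodeError:
        return "application/octet-stream"

@dataclass
class Pipeline:
    metadata: list = field(default_factory=list)   # stands in for the metadata database
    depot: dict = field(default_factory=dict)      # content-addressed store: sha256 -> bytes
    handlers: dict = field(default_factory=dict)   # file type -> registered handler callables
    artifacts: list = field(default_factory=list)  # what the Exploit stage produced

    def register(self, ftype: str, handler) -> None:
        self.handlers.setdefault(ftype, []).append(handler)

    def load(self, name: str, data: bytes, parent=None, depth: int = 0) -> dict:
        """Load stage for one file: hash, filter, identify, store, then notify handlers."""
        record = {"name": name, "parent": parent, "md5": md5_hex(data), "depth": depth}
        if record["md5"] in KNOWN_GOOD_MD5:
            record["status"] = "known-good"      # metadata kept, contents discarded
            self.metadata.append(record)
            return record
        sha256 = hashlib.sha256(data).hexdigest()
        record.update(sha256=sha256, type=identify(data), status="stored")
        self.depot[sha256] = data
        self.metadata.append(record)
        for handler in self.handlers.get(record["type"], []):
            handler(self, record, data)           # Exploit stage, per registered type
        return record

def expand_zip(pipe: Pipeline, record: dict, data: bytes) -> None:
    """Exploit handler: extract members and send them back through Load."""
    if record["depth"] >= MAX_DEPTH:
        pipe.artifacts.append({"kind": "warning", "value": "nesting limit reached",
                               "source": record["sha256"]})
        return
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir() or info.file_size > MAX_MEMBER_BYTES:
                continue
            pipe.load(f"{record['name']}/{info.filename}", zf.read(info),
                      parent=record["sha256"], depth=record["depth"] + 1)

def phone_numbers(pipe: Pipeline, record: dict, data: bytes) -> None:
    """Exploit handler producing one of the artifact types the page lists."""
    for number in PHONE_RE.findall(data.decode("utf-8")):
        pipe.artifacts.append({"kind": "phone", "value": number, "source": record["sha256"]})

def nest_zip(payload: bytes, levels: int) -> bytes:
    """Constructed input: wrap payload in `levels` nested zip archives."""
    for i in range(levels):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr("payload.txt" if i == 0 else f"level{i}.zip", payload)
        payload = buf.getvalue()
    return payload

def build_sample_archive() -> bytes:
    """Constructed stand-in for the media: a known-good file, a text note and a nested zip."""
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("empty.bin", b"")
        zf.writestr("readme.txt", "hello world\n")
        zf.writestr("inner.zip", nest_zip(b"call 555-123-4567 tomorrow\n", 1))
    return outer.getvalue()

def run_demo() -> Pipeline:
    pipe = Pipeline()
    pipe.register("application/zip", expand_zip)
    pipe.register("text/plain", phone_numbers)
    pipe.load("Bob.zip", build_sample_archive())
    return pipe

if __name__ == "__main__":
    demo = run_demo()
    for rec in demo.metadata:
        print(rec["status"], rec["name"])
    print(demo.artifacts)
```

Running the demo loads the outer archive, marks the empty file and the fixed text as known-good without storing them, stores the inner archive and its text member in the depot, and records one phone-number artifact pointing back at the SHA-256 of the file it came from. The same handler registration is how a new exploitation process would be added: it subscribes to a type and receives every file of that type, whether it came straight from the media or out of an archive.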

Reporting

Once all of the files and metadata have been produced, Truxton can apply automation to jumpstart an investigation with reports such as:

  • Media Summary Report - This report is a non-technical summary of the media that was loaded. It will give you information about the life of the media, activity in the last 24 hours of that life, USB devices seen on the device, etc.
  • Geographic Report - A KMZ with all of the geographic coordinates found in the media to include Sensitive Site Violations.

Analysis

A user does not have to wait until reporting has finished to begin using the Desktop GUI to look at the data. The user interface is completely separate from the Load, Exploit and Reporting processes. Through the Desktop, users can view files, query for artifacts, see activity on a timeline, review videos, etc.

Capabilities

Here are a few things that Truxton does. This is not a complete list.

  • Navigate disk images in raw (dd), E01, and other formats
  • Navigate file systems FAT, NTFS, etc.
  • Undelete files
  • Gather the unused area in a file system (called free space)
  • Gather file "slack" space
  • Carve files from free space
  • Carve files from unrecognized files
  • Defragment carved files
  • Expand archives (Zip, tar, rar, etc)
  • Exploit file formats to produce artifacts such as
    • Phone Numbers
    • Document Authors
    • Search Terms
  • Automatically Tag Activity
    • Possible Malware Infection
    • Use of Encrypted Disks
    • External Drives
  • Find references to Geographic locations in
    • Databases
    • Drone flight logs
    • Images
    • Videos
    • URLs
  • Unified communications
    • EMail
    • Chat
    • SMS
  • Synthesizes data from many files to produce:
    • Password Dumps
    • USB Device History
  • Generate stand-alone reports such as:
    • Media Summary Report - Collects information from the
    • Geographic Report - Collects all geographic locations, drone track logs, etc. and puts it into a KMZ file.
    • Consolidated Contact List - gathers all contact information from all files on the media, sorts and deduplicates the list.
  • File contents are indexed
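The carving items in the list above (carve files from free space, carve files from unrecognized files) work by scanning bytes that no file system entry points to for known file signatures. Here is an added example in Python, not Truxton's code, of that technique on a constructed block of free space. It checks for PNG and JPEG headers at sector boundaries only, recovers a JPEG by searching for its end-of-image marker, and recovers a PNG by walking its chunk structure and verifying each chunk CRC, which rejects a false-positive header or a damaged file that a plain header-to-footer search would happily carve. The sector size, size bound, signature table and planted files are assumptions made for the example; defragmenting a carved file whose pieces are not contiguous, which the page lists separately, is not covered here.

```python
import struct
import zlib

SECTOR = 512                    # assumed sector size: carving starts only on sector boundaries
MAX_CARVE = 16 * 1024 * 1024    # assumed upper bound on a carved file without a valid end

PNG_SIG = b"\x89PNG\r\n\x1a\n"
JPEG_SOI = b"\xff\xd8\xff"       # start of image
JPEG_EOI = b"\xff\xd9"           # end of image

def carve_png(buf: bytes, start: int):
    """Walk PNG chunks from `start`; return the file only if every CRC checks out through IEND."""
    pos = start + len(PNG_SIG)
    while pos + 12 <= len(buf):
        length, ctype = struct.unpack(">I4s", buf[pos:pos + 8])
        end = pos + 12 + length                     # 4 length + 4 type + data + 4 crc
        if end > len(buf) or end - start > MAX_CARVE:
            return None
        data = buf[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", buf[end - 4:end])
        if zlib.crc32(ctype + data) != crc:
            return None                             # corrupt chunk or a false-positive header
        pos = end
        if ctype == b"IEND":
            return buf[start:end]
    return None

def carve_jpeg(buf: bytes, start: int):
    """JPEG carries no total length, so carve to the first EOI marker within the size bound."""
    end = buf.find(JPEG_EOI, start + len(JPEG_SOI), start + MAX_CARVE)
    return buf[start:end + len(JPEG_EOI)] if end >= 0 else None

def carve(buf: bytes) -> list:
    """Scan free space sector by sector; return (kind, offset, size, data) per recovered file."""
    found = []
    for off in range(0, len(buf), SECTOR):
        if buf.startswith(PNG_SIG, off):
            kind, data = "png", carve_png(buf, off)
        elif buf.startswith(JPEG_SOI, off):
            kind, data = "jpeg", carve_jpeg(buf, off)
        else:
            continue
        if data is not None:
            found.append((kind, off, len(data), data))
    return found

def png_chunk(ctype: bytes, data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", zlib.crc32(ctype + data))

def make_png() -> bytes:
    """Constructed 1x1 RGB PNG used as the sample file to recover."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00\xff\x00\x00")          # filter byte + one red pixel
    return PNG_SIG + png_chunk(b"IHDR", ihdr) + png_chunk(b"IDAT", idat) + png_chunk(b"IEND", b"")

def make_free_space() -> bytes:
    """Constructed free space: 8 zeroed sectors with files planted at known offsets."""
    img = bytearray(SECTOR * 8)
    png = make_png()
    jpeg = JPEG_SOI + b"\xe0\x00\x10JFIF\x00" + b"\x11" * 40 + JPEG_EOI
    img[2 * SECTOR:2 * SECTOR + len(png)] = png                      # intact PNG at sector 2
    img[5 * SECTOR:5 * SECTOR + len(jpeg)] = jpeg                    # JPEG at sector 5
    img[6 * SECTOR + 100:6 * SECTOR + 100 + len(PNG_SIG)] = PNG_SIG  # mid-sector signature, not a file start
    bad = bytearray(png)
    bad[-1] ^= 0xFF                                                  # corrupt the IEND CRC
    img[7 * SECTOR:7 * SECTOR + len(bad)] = bad                      # damaged PNG at sector 7, must be rejected
    return bytes(img)

if __name__ == "__main__":
    for kind, off, size, _ in carve(make_free_space()):
        print(f"{kind} at sector {off // SECTOR}, {size} bytes")
```

On the constructed image the carver returns exactly two files, the PNG at sector 2 and the JPEG at sector 5. The signature planted mid-sector is never examined because scanning is sector-aligned, and the copy with a bad CRC at sector 7 fails the chunk walk. The contrast between the two carvers is the point: where a format carries its own structure, validating that structure is far more reliable than pattern-matching a footer, and it also yields an exact file length rather than whatever happens to sit before the next marker.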

Configurations

Truxton allows you to customize the amount of effort spent exploiting the media. Two main configurations are used.

Full Forensic

This configuration performs all possible tasks to glean as much information as possible from the source media. It does everything it can to every bit of data. This is the exhaustive exploitation option.

All capabilities listed above are performed on the media. This is the default configuration when loading data.

Typical

This configuration performs everything that Full Forensic does except the following:

  • Gather the unused area in a file system (called free space)
  • Gather file "slack" space
  • Carve files from free space
  • Carve files from unrecognized files
  • Defragment carved files