Snoopdigg

Snoopdigg is a simple tool to automate some basic steps to acquire some evidence of compromise from Windows computers. Snoopdigg is normally intended for trainers, researchers, and incident responders without a particular background in information security and computer forensics.

Snoopdigg doesn’t require any configuration or parameters, it just needs to be executed with Administrator privileges. Once launched, the software automatically harvests and collects copies of the Windows executables that maintain persistence on the system, and afterward attempts at taking a full snapshot of the memory.

Often, it is not possible (because of logistical reasons, lack of appropriate hardware, or simply privacy issues) to do a full disk image of the computer. Snoopdigg allows to at least fetch sufficient data to initiate an investigation minimizing the exposure of personal information as well as avoiding the need for the person performing the acquisition to be specifically trained in using rather unfriendly tools.

Changelog v3.1

• Fixed arguments for new WinPmem

Download

How to use

1. Extract this folder on a USB device. Make sure that the device has enough space to store all the acquisitions you are going to make. It is advisable to format the USB device as NTFS, in case you will end up dumping the memory of computers with significant RAM.
2. Mount the USB device on the computer to inspect. Browse to the Snoopdigg folder and double-click on the tool. It should ask you to allow the application to run with Administrator privileges, which are required to obtain a memory snapshot.
3. Wait for the tool to complete its execution. You will see some log messages displayed in the console. Pay particular attention in case it mentions problems for example in relation to the generation of the memory dump.
4. Once completed, you will find a new folder called “acquisitions”. Inside this folder, you will see a folder for each acquisition you made. The folders will be named in the format YYYY-MM-DD_\<COMPUTER NAME\>. You can perform multiple acquisitions from the same computer, new folders will be distinguished by a numeric suffix.
5. Each acquisition folder will contain the following files:
   • A profile.json file containing basic information on the computer system.
   • A processlist.json file containing a list of running processes.
   • An autoruns.json file containing a list of all items with persistence on the system.
   • An autoruns/ folder containing copies of the files and executables marked for persistence in the previous JSON file.
   • If successful, a memory/ folder will contain a physical memory dump as well as some metadata.

Encryption & Potential Threats

It might be the case that carrying the acquisitions unencrypted might expose yourself, and even more so those you acquired data from, to significant risk. For example, you might be stopped at a problematic border and your Snoopdigg drive could be seized. The raw data might not only expose the purpose of your trip, but it will also likely contain very sensitive data (particularly in the memory image, which could contain usernames & passwords, browsing history, and more).

Ideally, you would have the drive fully encrypted, but because of practicality that might not be possible. You could also consider placing Snoopdigg inside a VeraCrypt and carry with it a copy of VeraCrypt to mount it. However, this might be used to force you to unlock and mount it.

Alternatively, Snoopdigg allows encrypting each acquisition with a provided PGP public key. Preferably, this public key belongs to a keyset for which you don’t possess or don’t carry the private key.

If you place a file called public.asc in the same folder as the Snoopdigg executable, Snoopdigg will automatically attempt to compress and encrypt each acquisition and delete the original unencrypted copies. The encrypted file will be named with an undescriptive unique identifier.

Bear in mind, it is always possible that at least some portion of the unencrypted data could be recovered through advanced forensics techniques – although we’re working to mitigate that.

Copyright (C) 2018 botherder