How To Extract Credential Data Using KeyScout

Hello, this is Keith Lockhart from Oxygen Training, and this video is going to discuss the KeyScout application.

The KeyScout application is one of the tools available in the tool suite concept of the Forensic Detective product. KeyScout is a standalone application that can be run locally or on the go, we’ll look at use cases of those last two bullets there, and we’ll discuss both those use cases.

But to talk about what KeyScout is and does, we have to venture down the road we do in the boot camp course, about using your powers for good. So KeyScout allows a user the power to search through and collect information that might possibly be information that could be protected in some shape or fashion by the operating system; by legality in the jurisdiction of use; by morals; by anything.

And when I show you how KeyScout works, especially in the use case of On The Go – meaning we’ll take an on-the-go device and put the KeyScout application on that device so it can walk around with us and collect data wherever we might be and bring it back to the lab – you really need to start thinking about what you’re doing, and what you might be collecting, and how that might or might not be a good thing.

So, it’s a tool. I certainly don’t want to deprive anybody of the capability to do this, but I will say: use your powers for good. Don’t get yourself in trouble. This could do some scope creep, in terms of what you have access to or not.


However, when you’re in the position to need this information, it is a vital tool for the toolkit. I mean, this could be a time-sensitive, life-saving, “Wow, we need to get some data from this account right now, we don’t know the credentials, however the percentage of success of what we can do goes up greatly if we can get to a machine, run KeyScout against it, and possibly get the credentials back that we need.”

Or maybe some email information, or browser information, or iTunes backups if we can get to the box where we might not have the phone but we have a backup of it. KeyScout allows all kinds of data collection, and we’ll explore that as we move on.

So we’ve sort of already touched on the information gathering component. When we use KeyScout, its whole job is to search. We can configure how that search is going to go; provide different parameters; different depths of search – maybe we don’t have a lot of time; things we save from the search, we can limit that if maybe we’re just doing a smash and grab and need credentials really quickly. Or maybe we’re digging through all the media hooked up to a particular machine, to try to go find backups or artifacts or mail, or things that KeyScout will gather for us whilst running.

Important for us to know: the OCPK file, the Oxygen credential package. One of KeyScout’s primary functionalities is to feed the Cloud Extractor. Now what I mean by that is: when you’re trying to access cloud-based data, and need credentials to supply the cloud account, KeyScout is what gathers that data for you from a machine.

Or, as you’ll see inside Detective when you finally pull extracted data into a case, the accounts and passwords section is the same information that would be contained in an OCPK file. You’ll see a button in the tool called ‘Export to OCPK.’ We’ll talk about the way you’d do that and what that means. But this is the literal ability to grab the account data to feed the Cloud Extractor.

Or if you’re gathering lots of other data in a grander fashion, with much more space to be taken up, the Oxygen Desktop Backup might contain email archives; iTunes backups; browser artifacts; there’s a whole plethora – there’s our big word for the day – of tools, or areas that KeyScout can collect from.

And this ability, these options to collect from all these different areas, is a 12X version of KeyScout and higher. So if that’s new to you, pay particular attention as we go through this video, and know what you have in front of you when you upgrade to the new Detective.

OK, so to round this conversation out, listen, you can run KeyScout in the lab, which means the use case would be: if you have a target drive that you could mount virtually – you know, a VHD or a VM session, something like that – assign a drive letter to it, you can launch KeyScout against it like it’s a running machine.

Or if you’re out in the field – in a cave, I don’t know where you are – you need the ability to run against the machine right in front of you, whip out that USB drive with KeyScout on it, collect all kinds of things back to that USB and get back to the lab.

OK. Let’s see how this works.

We’ll access KeyScout from the Tools menu of our home screen in Oxygen Forensic Detective. You’ll see you’ve got two options here: Launch KeyScout, and Add KeyScout to removable media. Let’s just discuss those quickly, because each one is relevant to use cases we just talked about.

Launching KeyScout from here almost seems nonsensical, because you really wouldn’t want to go install Detective on your target machine, just so you could run KeyScout. So it’s great for a demonstrative purpose, it’s fantastic. However, the reality use case is, mount that target drive on the same box as your Detective box and you can hit it as a drive letter and collect just like from before.

Or you can add it to removable media, like an on-the-go device or a USB drive that we talked about, which you can have in your pocket or your go kit. And that’s as simple as hitting the link and navigating to the drive that you want to save KeyScout to.

OK, I’m just going to go ahead and run it from here, like we talked about, from a demonstrable perspective.

OK, so when the interface starts you can see we’ve got a couple of options off the bat. One is in our Settings. It could be that we want to add particular passwords to help us break other password things open, like a keychain; or tell the tool to search different places or exclude different places than are the defaults.

And, specifically new to the 12 version, is all these selectable tools, applications that we can collect data from or not. Again, depending on your situation. If you’ve got a lot of time, got a lot of space on your USB drive: OK. Or you’re in smash-and-grab mode, and you only need Skype. Or only Firefox. These are all selectable boxes.

And then we can read the About and the Help. And I just want to show you in Help for a second, an early quick synopsis of credential and application data that we can go after, including operating systems we can do, and then a couple of command line options if you want to get crazy during your KeyScout implementation. That’s accessible from the Help.

OK, let’s have a look at the Search. So if we click on ‘Search’ you can see we’ve got several options available to us. ‘Custom’, where you could enact some of those settings that I talked about a minute ago; but there are some defaults: Fast, Optimal, and Full. And you can see a little description of what those are doing underneath.

Let’s see how this works. I’ll click ‘Fast’ and start the search.

KeyScout takes off against the live drives on this machine, and we’ll fast-forward a little bit in time to get to the end of it, and we’ll see what KeyScout comes out with on the other side.

OK. My results are done: three minutes and fourteen seconds checking 96 directories by default. I didn’t make any changes to the settings.

And what did we get? Oh boy. 133 passwords and four tokens. That’s bad all by itself. Out of five different applications, 261MB of data – we’ll have a look. One backup found, that’s 12.5GB. Huh.

Well, let’s look here: Passwords and tokens. Wow. Well if we just have a bad look at all of the autocomplete passwords and account information on here, this is probably… yeah. Let’s just not spend a lot of time here.

OK. But if we look at the applications – hmm. I’m not a big Internet Explorer guy; it stands to reason there’s nothing there. I am a Chrome guy, which is why there’s 50MB of data there. I do some Mozilla stuff; there’s 31MB of data there. I’m a Skype guy – lots of data there. And Windows Mail. Well, this is just crazy. Hmm.

If I have a look… well, I’ve got FTKJedi account information for Skype; Slylock account information for Skype; that’s in my Google. Yeah, all kinds of internet browser based data.

Let’s see: Internet Explorer, nothing there. But the ability for KeyScout to go out and grab artifact data from all these locations – including, in this case, Windows Mail – we’ve got a Unistore database out there, there could be PSTs; who knows what we’re going to find?

From a backup perspective: that’s my backup of my iPhone 10, 12.5GB. Notice, though: tickbox. Alright? All of these are boxes, available for ticking or not. What are you trying to export or save out, or not? Again, all selectable. If you’re in smash-and-grab mode I probably would not take the iPhone backup, and I probably – well, it depends on what you’re after – if you don’t do all this and just take their credentials, you’ll have that OCPK file, that credential package, that lets you take this autocomplete username, password, or if we have token recovery, and feed it to the Cloud Extractor.

But if you’ve got time – maybe, who knows what you’re doing? Select it all.

Put the backups out there, get it out there, and you’ll have that Oxygen Desktop Backup. Takes a minute to save because of all the size, but again, up to you, based on your preference and what you’re trying to get done.

You can see a log of everything that was searched through.

And that’s it: my search is over. I could go back and run another version of the search if I wanted to do it; I could save information out, again depending on your size, space and time – I’m not going to save anything right now.

But let’s look at what happens with our results. Let me cancel that. And I’m just going to close KeyScout altogether at this point and hit my extractions, and let’s see where I have some data that would be OCPK relative. How about… Alison’s phone’s a good one. Accounts and passwords.

And all I did was take the Accounts and passwords section, just to refresh. All I’m doing is going to Alison’s phone and using the Accounts and passwords section, where we go and aggregate by account, by password, and then by token capability, everything we can get.

And if you see the cloud icon, that indicates that credentials or tokens could be used to access that data. Look: Extract with Cloud Extractor will send that information straight to the Cloud Extractor; or Save accounts data. And look what it says: Save accounts data to Oxygen credentials package.

A large chunk of analysts’ machines are not hooked up to the internet as a practice. However, somebody is, so if you can’t use this information in conjunction with a Cloud Extractor online, save it out to an OCPK file and give it to someone else who can. And what I mean by that is, just so we have an idea, I’ll just go back to the home screen really quick where I can grab the Cloud Extractor.

And on the main menu of the Cloud Extractor we’ll see the option right there: “Feed me an OCPK file.” Well, it’s probably not that direct as “Feed me,” but it is “Import credentials package.” It’s very straightforward.

And it says “Import credentials file generated by Oxygen Forensic Detective,” which we just saw, “or KeyScout,” which we just saw. If you click that, it’s looking for that OCPK file.

So you kind of get a 360-degree idea of why KeyScout’s here, what it can do, and how it circles back to: listen, if we don’t get it from a target machine, we’re going to get it from a handset. Or a device we pull on Detective. And if we don’t get it from Detective, we’re going to get it from the target machine.

And I think one of the most relevant, or important, use cases we can talk about with this is: a young adult’s missing; their phone is missing with them; we can’t get that. But this is a cooperative recovery effort, so we are given credentials to get into the cloud accounts, where we can go find geolocation that’s real-time for that missing device, which is probably, hopefully, with that missing person.

That’s tried and true. This is a great tool. I know people get leery about scope creep when it comes to the cloud. However, exigent circumstance is not a bad situation. Articulation is not a bad concept. You have the tool available, whether it’s against a mapped drive, or Detective pulling the same information from a handset as far as extraction information. KeyScout capability to acquire that account information, or those web artifacts, or those mails, or those backups: we can’t leave that out of the toolbox.

OK, thanks for spending the time. Hope that’s been helpful. Let us know how it turns out for you. I’ll speak to you later.

Learn more about the Oxygen Forensic KeyScout and many other tools, tips, and workflows with Oxygen Forensic Detective by attending an in-person or online training course. Check the Oxygen Forensics website for course dates, locations and descriptions. 
