Oxygen Forensic KeyScout – Keys To The Kingdom: Part 1

The following transcript was generated by AI and may contain inaccuracies.

Keith Lockhart: Hey, Keith Lockhart here. I got some inbound messaging around the “We had no idea” concept, which is not uncommon. We release new stuff, or sometimes you haven’t seen older stuff, or sometimes just didn’t know something did something. We’ve got a lot of things—a lot of buttons, bells, tools, and whistles.

This concept was relative to our KeyScout tool. When something like that happens, here’s a video on some of the killer KeyScout features. I think this is tagged somewhere as a “how to” video, but the reality is it’s a “what’s cool, how to do those cool things, and why you might want to” experience.

As I learned from the Minecraft movie this summer with my son, first we mine, then we craft. Let’s start with how do we actually use KeyScout. I want to look at the launcher and Detective, because we’ve got a couple options right out of the gate.

What you can see on the screen right now is the end game that we want to get to. Maybe not all the way to the end, because this transfer out of the KeyScout collection to importing into Detective is underway. It’s complete here. It took a minute because I literally used one of our out-of-the-gate options here to acquire data—target collect data with a custom profile against a live drive.

I started Detective, pointed at the drive it’s running on, and ran KeyScout against it with a profile that got 129 out of 129 application and artifact sections checked. It gathered 24 passwords and two tokens on an iTunes backup that it found and decrypted. Three out of the nine encrypted data stores that it found on this drive.

That is powerful. Use your powers for good, as I always say, not evil. That’s powerful stuff. Let’s look here. I’m just gonna minimize this KeyScout and come up here to the extraction section where we have Oxygen Forensic KeyScout—add to removable media or acquire an external drive.

I’m just gonna do this one: add to removable media. It comes to a menu to navigate to a drive where it wants to put the executable for KeyScout, which means you can take it with you, run it somewhere else, collect data, and then bring it back to your lab to process it.

I want to show you two things. First, this thing. Here’s an OTG (on-the-go) device. I’ve got a million of them. I just went out to Amazon to find one. This is a transportation medium, not a storage device. It allows you to stick an SD card in here of a variation of sizes, and then hook up to a computer via USB-C.

Sometimes you’ll find them with a little flip-up thing here so you can do micro USB as well. This is great. Here I am at the concert taking all these videos and my phone’s out of storage. Well, hey, I’ll just pop my OTG device into my phone, transfer all the videos off the phone onto the on-the-go device, and I’m back in business filming videos.

Terrific. You get one of these, throw an SD card in it, and then come back to Detective where you’re saying, “Hey, I want to put KeyScout out there,” and you navigate to the OTG device and put the executable on there.

Now let’s look real quick at executable options because I want to show you—not that drive, this drive—Program Files, Detective, in the KeyScout folder. Look at this. There’s a Linux version of KeyScout, there’s a Mac version of KeyScout, and there’s a Windows version of KeyScout—32-bit, 64-bit, ARM processors, whatever. We get all three flavors for whichever machine we’re after because we can get artifacts from all of those environments.

You throw an executable on the OTG device, off you go with a new ninja tool. I’ll just minimize this out of the way and come back to Detective because our other option is “acquire a drive.” Let me click that one.

Now when you run KeyScout, I just gotta tell you that it is a multi-threaded world here because I’ve got a new KeyScout running here with the old KeyScout also running right there. Just mental notes on that. If you happen to have a lot of drives to hook up to a machine and a lot of KeyScouts to run to acquire data from them independently but concurrently, right?

I’ll just minimize this one and we’ll start new. Remember, this is our end goal: finding a bunch of stuff. I’ll go here. One, run it against a live drive. That’s what I did here. I just ran it from the drive that Detective’s installed to, ran KeyScout right out the home screen, and just acquired from the drive that it’s sitting on.

Not the most prolific use case out there—that’s kind of crazy. But if you take it with you and plug it into another machine and run it live against that live drive, the power becomes this: you can do a new search against the live system. We’ll come back to images and drives in a second. A live system can use profiles.

Now, this is the strength—not the total key to the kingdom, but one of the keys to the kingdom, and I’ll talk more about that later. This is the meat and potatoes, where the rubber meets the road, pick your analogy.

We include several default profiles: applications, system artifacts, passwords and tokens at their default locations. All files, applications—you might as well get a discount—and memory. Holy cow, that’s another option. We’re not even there yet. System artifacts, passwords, tokens by all paths—not the default ones—just memory. All files by all paths, or all documents and images from user stuff only. That’s all fantastic.

We can go back and look at those later. Let’s do the create before we do it. Here’s a live drive. Which partition or physical drive do we want? I’ve got one, two, three physical drives attached to the machine. Each of them has its logical partition set up.

This one’s BitLockered, so I can’t get that one unless I know the password. This is a GPT that’s not gonna come out of this collection. I can pick whatever I want, but I’m not worried about that now. I’m worried about profile creation. I’m gonna click that and let’s explore.

I have all these tabs, all these different things I can elect to collect in a targeted fashion. In general, look—do I want hibernation file information from the machine? Tied in with RAM and coinciding things like that. Do I want swap file information? Those are tick-box choices.

Additionally, do I want to determine files found by their content? Looking at file header information for prefetch and things like that. Reading the content significantly increases the search time but gets more accurate information as a result.

Then I come over here to the search routes. Where do I want KeyScout to look? I can force it through individual paths, and I can do that to a specific depth—like go to the user folder, the machine name, the downloads folder, and four folders deep from there. Users—I can use an operator or a variable, the asterisk symbol at this point, and get everybody’s profile with their downloads folder.

These are things I force the tool to look in. Or I can say, “Do not go to these locations, exclude these things. Don’t waste your time.” There’s a default set of them for Windows, and there’s a default set of them for Linux and Mac. For Pete’s sake, right? I don’t want to go in the Windows.old folder.

If I installed and upgraded from Windows 10 to Windows 11, I don’t care about operating system data—or I might, right? You can modify these. But this is a great way when you’re targeting to say, “Go look here. I don’t care if you look anywhere else, but be sure to go here. And don’t look here—don’t waste your time for sure.” You can modify these however you want.

Passwords. Listen, if you know you’re going to collect protected data from a machine—like that BitLocker drive, or maybe a password store application that locks everything else up like that—if you know some of those and you have the master passwords, you can put them in here.

When KeyScout comes across those, it will attempt to use these passwords to open those lock boxes to collect more data. Very cool. That’s why you saw in that other one I had three of the nine things decrypted. I supplied a password and it was able to use it against some of the Windows DPAPI materials. That’s fantastic.

Files. Sitting here by itself, it looks blank and really not a lot of fun. However, if I add a rule—or a hash set, by the way—if I add a rule, I can come in here and say, “Okay, for the first rule in this profile, I want to detect a full match. The file name contains ‘Keith,’ and fantastic.”

Let me add another rule. For this rule, I want a partial match where the file content has the text string “dog” in the UTF-8 character set. And for the next rule, I want to say I want a full match for files that were created from July 1st to today.

Then I can add another rule. What I’m building is a big filter. This one’s telling me, “Hey, listen, the stated condition may be mutually exclusive.” Yeah, I’m saying get a full match, but I’m giving it a range, so I can do partial there and fix that.

I’m creating a big file filter manager for my old-school AccessData life. I’m telling my profile to go after all these different things by different criteria. Not only can I modify the paths I want it to look specifically or not, I can supply some ammunition with passwords to break things open, and I can go get specific files based on these rules I create.

Another one—I’ll just throw one more in here. I want a full match for file signature that is documents that are just PowerPoints—considered a document at that point. Just get me things that are PPTs or PPTXs by file content. Super powerful stuff right there.

And then of course the hash set manager. If you’re used to working with hash sets in Detective, you come right back to your manager and use the hash set and find the things that are matched by hash. Right down to the nitty gritty at that point.

Applications—oh my gosh. And I thought our profile was creative already. Go here and check this out. I can just sort by the platform here. Here’s everything Mac, here’s everything Windows, here’s everything Windows and Linux, here’s everything Windows and Mac, and here’s everything on all three.

Look at all these applications you can elect to gather data from. That is incredibly powerful stuff. But when we’re talking PC information here, I’m going after a—I’m sitting down at a computer. I’m plugging in my OTG device. I’m launching the executable. I don’t need a license. I can collect all day long.

A hundred—I can walk into a library, plug a USB device into every one of those machines, run a triage profile to find out which machines I really want in the end, and go to town. Only when I bring it back to the lab to parse it and process it do I need a Detective license at that point. But I can select all these applications or not, right? Obviously be judicious. This is why the checkboxes are here. But man, that is super powerful to go after application-specific data.

Then it gets even crazier. The system artifacts. Hey, listen, which platform am I talking about? Linux, Windows, and Mac again. If I just looked down here—oh my gosh—I would immediately come down and get everything in the recycle bin, all the recent files, probably the USB store information to see what USB devices have been hooked in there.

Shell bags to find out what’s been open. If you’re into file system artifacts and you want to add those on top of your targeted collected application artifacts, on top of your file-specific filter rules, on top of these specific locations you want to look only—I mean, we are talking serious power. Filtering down to what we want.

Finally, I can come over to the memory tab and grab things out of memory. If not all memory, I can grab an entire memory extraction. But if not that, I can go in there and look for BitLocker key information, file handles, what processes are running.

I’m not talking crazy live incident response remediation, but I can go get the process list from memory like I would do with other tools and process them and parse them in Detective. Character keys. Oh my gosh.

You can put all these things together and save them as a profile. “The rule five search is not set.” Okay. We’ll get rid of rule five. We will save that as a new profile. And you know what? I don’t like that. Let’s call it “Cool New Profile” to be succinct. Let me just see what I made—I made some definite rules there. There we go. Yep, that’s it.

Now I’ve got this cool new profile that is saved, and I can import or export it, give it to other people, put it on eBay, things like that. I can go after a live drive, specifically a partition, or check the physical drive itself. That is crazy stuff.

Now I can capture memory, right? I can run in whatever administrative mode I need to get a big BIN file and process it with other memory tools or throw it in Detective and see what you can get out of that. Or I can even capture a disk image.

I’ll click this button and I can pick physical or partition-level stuff, right? And my options are E01, as we would all come to expect, and a DD, a raw image like that. I can compress it like I would probably be used to, or split it up for different media storage sizes, verifying it if I want to.

KeyScout on a USB drive in your pocket. That’s crazy stuff considering the things we can go get. Let’s see how this plays out when we actually collect data and see what our results look like so we know what we gotta import into other tools.

If I come here, well, first recap: we got a live system option, which is, don’t let Keith ever come over for a barbecue. If I start throwing things down like, “Hey, can I just use your computer to check my mail?” The answer is no. Get away from any of my technology. Because I’ve got an OTG in my pocket with KeyScout and several other tools in there that I can just go steal anything I want. Don’t let me anywhere near anything if I ever come over. That’s the live system route, right?

Or an image. Hey, listen, we haven’t really talked about this yet, but if you are in the lab and you’ve got a bunch of drives that have evidence files on them that are copies of your working stuff from the evidence locker—look, you can hook up KeyScout to a machine with an E01 in it and parse it for stuff.

That’s phenomenal. Especially if you didn’t know what you could do in KeyScout until you saw a video like this. You’re like, “Whoa, I’m gonna go in all of my spare time and run it against all those evidence files I have sitting in storage.” Or you can hook up to just a drive.

Take a drive. Let’s look here real quick. If I come down here and check our Windows Explorer on this machine. This PC has the ecosystem—the live drive I’m in right now. The D drive, that BitLocker drive we saw earlier. The data drive, which is another partition E. And this OC storage drive, which is hooked up with a SATA cable right now.

We have an external drive; we can run that option also. Because if I come in here and I pick a live system—and you know what, we’re gonna take the default profile: applications, system artifacts, passwords, and tokens by default path.

Let me just have a look really quickly. Let’s go see what we’re up against or what we’re getting ourselves into. Search routes—I’ve got a specified list of places to look at, at a depth of four. Excluded—here’s a set of places to not look. I got no passwords in here right now. I have no file rules right now.

From an application perspective, I’ve just selected everything as part of this default profile, and all the system artifacts. In memory, I’ve got nothing here, and that’s fine. We’re just gonna take it as a default. I’ll cancel that and then I’m gonna come here to my device and partition selector, right?

Here’s the one physical drive—it’s got a couple partitions in it. Here’s the other physical drive. And here’s that attached drive from USB. Watch what happens if I do this. I just turned off the live drive that I booted into right now and it says, “Hey, listen, the search type is currently set to live system. If you want to analyze an external drive, select drive and then come back and do it again.”

No problem. I’m gonna turn back on the live drive and turn off this other drive that’s in the system mounted right now, and this USB SATA cable hooked-up drive. And I want—not the BitLocker one, not the GPT, and the basic partition—I’m gonna take the C drive, the ecosystem drive I’m booted into right now.

We’re using the default profile that we just talked about, and I’ll click go. KeyScout goes out there, mounts the drive, and starts looking. Right away, what comes up here?

Oh wow. Let me just scroll down a little bit. Encrypted data. We got DPAPI from Windows data. Interesting. I’ve got Windows logon manager sessions, eight of those. I got some AnyDesk, some BlueStacks. Just checking application and artifacts out there. It’s encrypted data. I’m just gonna let it run for a minute.

Okay, my search is done at this point. It’s saving the data. Found data selected for saving: 197 gigabytes, 0.92. My options are this: export data directly to Detective, or save it to a disk.

Let’s have a look at what’s in here first. I’m just gonna maximize. Okay, applications and artifact section—checked 126 things out. 126 things. Passwords and tokens—24 passwords and one token.

Well, first, let’s go here: Applications and Artifacts. Here’s a map of all the different things that it found through different applications. For instance, let’s go look at Edge. Microsoft’s Edge had this much junk in this location. Same thing with Firefox. What we got—passwords, check. Tokens, oh, cool, check. Cloud extraction coming up here. Accounts, good. Bookmarks, cookies, web history—all these different artifacts. You can see which ones were discovered for which applications.

Passwords and tokens—what do we got here? Oh, evil. No good user powers, use your powers for good. Look at this. Here’s a bunch of username information, a bunch of locations and services, and a bunch of passwords from where they originate. That’s scary stuff. We know keys to the kingdom are sitting there.

Backups—what we found is a Samsung Smart Switch backup. Interesting. And encrypted data. Let’s see. The DPAPI stuff, Google credential information, Edge, Telegram, Zoom. Some things were brute-forced based on what was found, and some things were unable to be decrypted.

That’s pretty interesting from a summary perspective. And I can see I’ve got AnyDesk and BlueStacks and Chrome, OneDrive, Teams, Notepad, Smart Switch, Defender, Mail Center, and then encrypted information in here.

Very cool. I’m just gonna save this to disk and I’ll put it out on this data drive and I’ll just click—matter of fact, I lied. I’m gonna make a folder and I’ll call it “HHH” and I’ll select that and I’ll put our contents in there.

And no, I’m not—I do not have enough free space to save that 197 gig. That’s okay. Let’s go do another search. But this time we’re gonna point at that hooked-up drive. Live search—no, new search. I’m gonna pick a drive search this time as it told us. And I will drop down and pick the F drive and select it.

I’m pretty sure I get the option to choose to help us navigate what we’re doing. It’s a Windows drive. Terrific. I’ll use the same old thing there and start that search.

Okay, this one finished and nothing like the other one. However, this time, let’s see—I got, oh, these are all system artifacts. NTFS file system things, recycle bin data. But interesting, an iTunes backup—a 72-gigabyte iTunes backup. Probably not gonna have room for that either.

What I’m gonna do is unselect this. Look, time/space management. Maybe when I’m stealing everything from your computer, I don’t want your iTunes backup. I got what I needed and I don’t have time to wait or the space to put that thing, so I’m gonna turn it off.

Then I’ll come back and I’ll save to disk and I’m gonna put it in that same folder I made before—HHH—where I didn’t have the room with that previous collection. I’ll select that and off it goes, saving out the artifacts. I want to do this just so we can see the resulting ODB data.

Okay, show extracted data in the folder. Let’s go look. Here I’ve got the name of the drive, the user that did it, the date and the time. DOT ODB—Oxygen Desktop Backup. There’s a list file if it happens to contain several segments, Z01s, because I saved 72 gigs of data or something. A log of what was obtained in this and an ODR file.

Here’s what we would do. I would come back—if I didn’t open it directly in Detective, I’d come back to Detective and use this option: “Hey, I want to import an Oxygen Forensic Desktop Backup.” I’ll click it.

I’m gonna navigate to that HHH folder. I’m looking for E drive, Program Files, Detective, or Oxygen Forensics, the re folder, the KeyScout folder, and HHH. And in there I have the ODB list or the ODB to pick from.

I’ll just go ahead and pick the ODB file and open that, and it’s like, “Okay, listen, fire up that ODB, import it,” and off it goes just like anything else.

And when it’s done, I’ll look at it and it is a desktop extraction. Windows 11, indicated by the icon. 11,000 files, a bunch of system artifacts is what this boils down to. There really wasn’t a bunch of data in that collection, and that’s fine. We just want to see what it looked like to collect some data, navigate to the results, and import it into Detective.

That’s KeyScout in a nutshell, right? Live drive, evidence file, dead drive. Create an evidence file—E01 or a DD—with it. Create custom profiles. Carry the thing around on an OTG so you’re never without.

Imagine the use case. You walk in the library, there’s a hundred machines in there, and you’ve gotta triage to see which ones you’re actually going to take with you. Maybe you run a KeyScout collection on each one of them for a specific profile data. The ones that get the hits are the ones you take.

Grab some KeyScout when you can. Catch you later.
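The profile mechanics the talk walks through (search routes with a wildcard and a depth limit, an exclusion list such as Windows.old, and file rules by name, content, date, signature and hash set, combined either as a full match or a partial match) can be modelled in a few dozen lines. The block below is an added example written for this page; it is not Oxygen's code and does not use KeyScout's rule format. The all-rules versus any-rule semantics, the PowerPoint signature test (OLE2 header or a ZIP carrying ppt/ parts), the use of mtime in place of creation time, and the sample file tree are all assumptions constructed for the demo.

```python
"""Added example: a toy targeted-collection filter modelled on the profile pieces the
talk describes. Not Oxygen's code; rule semantics, the PPT signature check and the
sample tree are assumptions made for this illustration."""
import hashlib, os, tempfile, zipfile
from dataclasses import dataclass, field
from datetime import datetime
from pathlib import Path
from typing import List, Optional, Set, Tuple

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy binary Office container (.ppt)
ZIP_MAGIC = b"PK\x03\x04"                          # OOXML (.pptx) is a ZIP archive

def is_powerpoint(path: Path) -> bool:
    """Signature by content, not extension: OLE2 header, or a ZIP that carries ppt/ parts."""
    with path.open("rb") as fh:
        head = fh.read(8)
    if head == OLE2_MAGIC:
        return True
    if head[:4] == ZIP_MAGIC and zipfile.is_zipfile(path):
        with zipfile.ZipFile(path) as zf:
            return any(n.startswith("ppt/") for n in zf.namelist())
    return False

@dataclass
class Profile:
    routes: List[Tuple[str, int]]                      # (glob relative to root, max depth below it)
    excludes: List[str] = field(default_factory=list)  # relative path prefixes never entered
    name_contains: Optional[str] = None
    content_contains: Optional[bytes] = None
    modified_after: Optional[datetime] = None          # mtime; birth time is not portable in stdlib
    signature_ppt: bool = False
    hash_set: Set[str] = field(default_factory=set)    # SHA-256 hex digests
    require_all: bool = False                          # True: every rule must hit; False: any rule

def candidates(root: Path, profile: Profile):
    """Yield files under each route, honouring the depth limit and the exclusion list."""
    seen = set()
    for pattern, depth in profile.routes:
        for start in root.glob(pattern):
            for dirpath, dirnames, filenames in os.walk(start):
                here = Path(dirpath)
                rel = here.relative_to(root).as_posix()
                if any(rel == ex or rel.startswith(ex + "/") for ex in profile.excludes):
                    dirnames[:] = []                   # excluded: skip this dir and everything below
                    continue
                if len(here.relative_to(start).parts) >= depth:
                    dirnames[:] = []                   # depth reached: keep files here, stop descending
                for name in filenames:
                    p = here / name
                    if p not in seen:
                        seen.add(p)
                        yield p

def matches(path: Path, profile: Profile) -> bool:
    hits = []
    if profile.name_contains is not None:
        hits.append(profile.name_contains.lower() in path.name.lower())
    if profile.content_contains is not None:
        hits.append(profile.content_contains in path.read_bytes())
    if profile.modified_after is not None:
        hits.append(datetime.fromtimestamp(path.stat().st_mtime) >= profile.modified_after)
    if profile.signature_ppt:
        hits.append(is_powerpoint(path))
    if profile.hash_set:
        hits.append(hashlib.sha256(path.read_bytes()).hexdigest() in profile.hash_set)
    if not hits:
        return True                                    # no file rules: take everything on the route
    return all(hits) if profile.require_all else any(hits)

def collect(root: Path, profile: Profile) -> List[str]:
    return sorted(p.relative_to(root).as_posix() for p in candidates(root, profile) if matches(p, profile))

def build_sample_tree() -> Path:
    """Constructed sample data (not from the video) in a fresh temp dir."""
    root = Path(tempfile.mkdtemp(prefix="keyscout_demo_"))
    for d in ("Users/keith/Downloads", "Users/alice/Downloads/deep/er/still", "Windows.old/Users/keith/Downloads"):
        (root / d).mkdir(parents=True)
    (root / "Users/keith/Downloads/keith_notes.txt").write_bytes(b"my dog is named Keith")
    (root / "Users/keith/Downloads/keith_todo.txt").write_bytes(b"buy milk")
    stale = root / "Users/keith/Downloads/stale.log"
    stale.write_bytes(b"dog walked")
    os.utime(stale, (datetime(2020, 1, 1).timestamp(),) * 2)  # pretend it was last touched in 2020
    (root / "Users/alice/Downloads/plan.bin").write_bytes(OLE2_MAGIC + b"\x00" * 16)  # renamed .ppt
    with zipfile.ZipFile(root / "Users/alice/Downloads/deep/slides.dat", "w") as zf:
        zf.writestr("ppt/slides/slide1.xml", "<p:sld/>")                            # renamed .pptx
    (root / "Users/alice/Downloads/deep/er/still/too_deep.bin").write_bytes(OLE2_MAGIC)  # past depth 2
    (root / "Windows.old/Users/keith/Downloads/old_dog.txt").write_bytes(b"dog")       # excluded route
    return root

def demo() -> dict:
    """Run several profiles over the sample tree; returns {profile name: sorted relative paths}."""
    root = build_sample_tree()
    base = dict(routes=[("Users/*/Downloads", 2), ("Windows.old/Users/*/Downloads", 2)], excludes=["Windows.old"])
    profiles = {
        "ppt_by_signature": Profile(**base, signature_ppt=True),
        "keith_or_dog": Profile(**base, name_contains="Keith", content_contains=b"dog"),
        "recent_keith_dog": Profile(**base, name_contains="Keith", content_contains=b"dog",
                                    modified_after=datetime(2024, 1, 1), require_all=True),
        "known_hash": Profile(**base, hash_set={hashlib.sha256(b"my dog is named Keith").hexdigest()}),
    }
    return {name: collect(root, p) for name, p in profiles.items()}
```

Running `demo()` shows the points from the talk in miniature: the renamed .ppt and .pptx are caught by content even though neither carries a PowerPoint extension, the copy of the file sitting four folders deep is never reached because the route stops at depth 2, the Windows.old copy is skipped by the exclusion list even though a route points at it, and the same name and content rules return three files as a partial (any-rule) match but only one as a full (all-rules) match once the date rule is added.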