What’s Cool In Oxygen Forensic KeyScout?

The following transcript was generated by AI and may contain inaccuracies.

Keith Lockhart: Here’s a video on some of the killer KeyScout features. This is tagged as a how-to video, but the reality is it’s a ‘what’s cool, how to do those cool things, and why you might want to’ experience.

As I learned from the Minecraft movie this summer with my son, first we mine, then we craft. Let’s start with how do we actually use KeyScout. I want to look at the launcher and Detective because we’ve got a couple options. What you can see on the screen right now is the end game that we want to get to. This transfer out of the KeyScout collection to importing into Detective is underway.

It’s complete here. It took a minute because I literally used one of our out-of-the-gate options here to acquire data, target-collect data with a custom profile against a live drive. I started Detective, pointed at the drive it’s running on, and ran KeyScout against it with a profile that got 120 out of 120 online application and artifact sections checked.

It gathered 24 passwords and two tokens and an iTunes backup. It found and decrypted three out of the nine encrypted data stores it found on this drive. That is powerful. Use your powers for good, as I always say, not evil. That’s powerful stuff.

I’m going to minimise this KeyScout and come up here to the extraction section where we have Oxygen Forensic KeyScout. You can add it to removable media or acquire an external drive. I’m going to do ‘Add to removable media’. It comes to a menu to navigate to a drive where it wants to put the executable for KeyScout, which means you can take it with you, run it somewhere else, collect data, and then bring it back to your lab to process it.

I want to show you two things. First, this OTG (on-the-go) device. I got a million of these on Amazon. This is a transportation medium, not a storage device. It allows you to stick an empty card in here of various sizes and then hook up to a computer via USB-C. Sometimes you’ll find them with a little flip-up thing so you can do micro USB as well.

Here I am at the concert, taking all these videos and my phone’s out of storage. I’ll just pop my OTG device into my phone, transfer all the videos off the phone onto the on-the-go device, and I’m back in business. You get one of these, throw an SD card in it, then come back to Detective where you navigate to the OTG device and put the executable on there.

Let’s look at executable options. In Program Files, Detective, in the KeyScout folder — there’s a Linux version of KeyScout, a Mac version, and a Windows version: 32-bit, 64-bit, ARM processors, whatever. We get all three flavours. Whichever machine we’re after, we can get artifacts from all of those environments. You throw an executable on the OTG device, off you go with a new ninja tool.

I’ll minimise this and come back to Detective because our other option is ‘Acquire a drive’. When you run KeyScout, it is a multi-threaded world here because I’ve got a new KeyScout running with the old KeyScout also running. If you happen to have a lot of drives to hook up to a machine and a lot of KeyScouts to run to acquire data from them independently but concurrently, you can do that.

I’ll minimise this one and we’ll start new. Remember, this is our end goal — finding a bunch of stuff. Option number one: run it against a live drive. That’s what I did here. I ran it from the drive that Detective was installed to, ran KeyScout right out of the home screen, and acquired from the drive it’s sitting on. Not the most prolific use case, but if you take it with you and plug it into another machine and run it live against that drive, the power becomes clear.

You can do a new search against a live system. We’ll come back to images and drives in a second. Use profiles — now this is the strength, not the total key to the kingdom, but one of the keys to the kingdom. I’ll talk more about that later. But this is the meat and potatoes, where the rubber meets the road.

We include several default profiles: applications, system artifacts, passwords and tokens at their default locations. All files applications — you might as well get a disk and memory hold, and that’s another option we’re not even there yet. System artifacts, passwords, tokens by all paths — not the default ones. Just memory. All files but all paths, or all documents and images from user stuff only. That’s all fantastic. We can go back and look at those later.

Before we create, here’s a live drive. Which partition or physical drive do we want? I’ve got one to three physical drives attached to this machine. Each of them has its logical partition set up. This one’s BitLocker so I can’t get that one — I must enter the password. And this is a GPT that’s not going to come out of this collection. I can pick whatever I want, but I’m not worried about that now — I’m worried about profile creation.

I’m going to click that and let’s explore. I have all these tabs of all these different things I can elect to collect in a targeted fashion. In general: do I want a hibernation file, information from the machine, tied in with RAM and coinciding things like that? Do I want swap file information? Those are tick-box choices.

Additionally, do I want to determine files found by their content, looking at file header information for prefetch and things like that? Reading the content significantly increases the search time, but you get more accurate information as a result. Then I come over here to search routes. Where do I want KeyScout to look? I can enforce it through individual paths.

I can do that to a specific depth — like go to the user folder, the machine name, the downloads folder, and four folders deep from there. Or users — I can use an operator or variable, the asterisk symbol, at this point and get everybody’s profile with their downloads folder. Things that I force the tool to look in. Or I can say do not go to these locations, exclude these things, don’t waste your time.

There’s a default set of them for Windows, a default set for Linux and Mac. For Pete’s sake, I don’t want to go in the Windows.old folder if I installed and upgraded from Windows 10 to Windows 11. I don’t care about operating system data — or I might. You can modify these, but this is a great way when you’re targeting to say ‘go look here, I don’t care if you look anywhere else, but be sure to go here and don’t look here, don’t waste your time.’ You can modify these however you want.

Passwords: If you know you’re going to collect protected data from a machine — like that BitLocker drive, or maybe a password store application like 1Password that locks everything else up — if you know some of those and you have the master password, you can put them in here. When KeyScout comes across those, it will attempt to use these passwords to open those lock boxes to collect more data. Very cool.

That’s why you saw in that other one I had three of the nine things encrypted. I supplied a password and it was able to use it against some of the Windows DPAPI materials. Fantastic.

Files: sitting here by itself, it looks blank and not a lot of fun. However, if I add a rule — by the way, if I add a rule, I can say for the first rule in this profile I want to detect a full match where the file name contains ‘keys’. Fantastic. Let me add another rule. For this rule, I want a partial match where the file content has the text string ‘dog’ in UTF-8 character set.

For the next rule, I want a full match for files that were created from July 1st to today. Then I can add another rule. What I’m building is a big — and this one’s telling me ‘hey listen, your stated condition may be mutually exclusive.’ So I’m saying get a full match, but I’m giving it a range, so I can do partial there. But I’m creating a big file filter manager for my old school Access data live.

I’m telling my profile to go after all of these different things by different criteria. Not only can I modify the paths where I want it to look specifically or not, I can supply some ammunition with passwords to break things open, and I can go get specific files based on these rules I create.

I’ll throw one more in here. I want a full match for file signature — that is, documents that are just PowerPoints considered a document at that point. So just give me things that are these — by file content, I mean super powerful stuff right there. And then the hash set manager: if you’re used to working with hash sets in Detective, you can write back to your manager and use a hash set and find things that match by hash. Right down to the nitty gritty at that point.

Applications: Oh my gosh, I thought our profiles were creative already. Go here and check this out. I can sort by the platform here. Here’s everything Mac, here’s everything Windows, here’s everything Windows and Linux, here’s everything Windows and Mac, and here’s everything on all three. Look at all these applications you can elect to gather data from. That is incredibly powerful stuff.

When we’re talking PC information here, I’m sitting down at a computer, plugging in my OTG device, launching the executable — I don’t need a licence, I can collect all day long. I can walk into a library, plug a USB device into every one of those machines, run a triage profile, and find out which machines I really want in the end.

Only when I bring it back to the lab to parse it and process it do I need a Detective licence. I can select all these applications or not. Be judicious — this is why we have the checkboxes. But that is super powerful to go after application-specific data.

Then it gets even crazier: system artifacts. Which platform are we talking about — Linux, Windows, and Mac again. I would immediately come down and get everything in the recycle bin, all the recent files, probably the USB store information to see what USB devices have been attached, and their Shellbag to find out what’s been opened.

If you’re into file system artifacts and you want to add those on top of your targeted collected application artifacts, on top of your file-specific filter rules, on top of these specific locations you want to look only — we are talking serious power to filter down to what we want.

Finally, I can come over to the memory tab and grab things out of memory. If not all memory — I can grab an entire memory extraction — but if not that, I can go in there and look for BitLocker key information, file handles, what processes are running. I’m not talking crazy live incident response remediation, but I can go get the process list from memory like I would do with other tools, and process them and parse them in Detective. Crypt keys and more. You can put all these things together and save them as a profile.

Rule five search is not set. We’ll get rid of rule five. We’ll save that as a new profile. I’ll call it ‘Cool New Profile’ to be succinct. I made some definite rules there. Now I’ve got this cool new profile that is saved. It’s a profile I can import or export to other people. I can go after a live drive, specifically a partition, or check the physical drive itself. That is crazy stuff.

Now I can capture memory. I can run it in whatever administrative mode I need to get a big .bin file and process it with other memory tools, or throw it in Detective to see what you can get out of that. Or I can even capture a disk image. I’ll click this button and I can pick physical or partition level. My options are E01, as we would all come to expect, and a raw image. I can compress it or split it up for different media storage sizes, verifying it if I want to.

KeyScout on a USB drive in your pocket — that’s crazy stuff, considering the things we can go get. Let’s see how this plays out when we actually collect data and see what our results look like.

We got a live system option — don’t let Keith ever come over for a barbecue. If I start throwing things around like ‘hey, can I just use your computer to check my mail?’, the answer is no. Get away from any of my technology. Because I’ve got an OTG in my pocket with KeyScout and several other tools in there. I can just go steal anything I want, so don’t let me anywhere near anything if I ever come over. That’s the live system route.

Or an image: if you are in the lab and you’ve got a bunch of drives that have evidence files on them that are copies of your work from the evidence locker, you can hook up KeyScout to a machine with an E01 and parse it for stuff. That’s phenomenal, especially if you didn’t know what you could do in KeyScout until you saw a video like this. You might think ‘Whoa, in all my spare time I’m going to run it against all those evidence files sitting in storage.’

Or you can hook up to just a drive. Let’s look at Windows Explorer on this machine. This PC has the live drive I’m in right now, the D drive (that BitLocker drive we saw earlier), the data drive which is another partition (E), and this OCZ storage drive which is hooked up with a SATA cable. We have an external drive; we can run that option also.

If I come in here and pick live system, I’ll take the default profile: applications, system artifacts, passwords and tokens by default paths. Let me just have a look at what we’re up against. Search routes: I’ve got a specified list of places to look at. Here’s a set of places not to look. I’ve got no passwords in here right now, no file rules right now.

From an application perspective, I’ve selected everything as part of this default profile, and all the system artifacts. In memory I’ve got nothing here, and that’s fine. We’re just going to take it as a default. I’ll cancel that and come here to my device and partition selector. Here’s the one physical drive with a couple of partitions. Here’s the other physical drive. And here’s that attached drive from USB.

Watch what happens if I do this: I just turned off the live driver and put it into right now. It says ‘hey listen, the search type is currently set to live system. If you want to analyse an external drive, select drive and then come back and do it again.’ No problem. I’m going to turn back on the live drive and turn off this other drive that’s in the system mounted right now, and this USB SATA cable hooked-up drive.

I want not the BitLocker one, not the GPT — the basic partition. I’m going to take the C drive, the system drive I booted into right now. We’re using the default profile that we just talked about. I’ll click go. KeyScout goes out there, mounts the drive, and starts looking.

What comes up here? I’ll scroll down a little bit. Encrypted data — we got DPAPI from Windows data. Interesting. Got Windows Logon Manager sessions, eight of those. I got some AnyDesk, some BlueStacks. Just checking applications and artifacts out there and data. I’m just gonna let it run for a minute.

My search is done. At this point, it’s saving the data — 197.92 gigabytes. My options are: export data directly to Detective, or save it to a disk. Let’s have a look at what’s in here first. The applications and artifacts section checked 126 things. Passwords and tokens: 24 passwords and one token.

First let’s go to application artifacts. Here’s a map of all the different things I found — different applications. For instance, let’s look at Edge. Microsoft Edge had this much junk in this location. Same thing with Firefox. We got passwords — check. Tokens — oh, cool, check. Think cloud extraction coming up here. Accounts — good. Bookmarks, cookies, web history, all these different artifacts. You can see which ones were discovered for which applications.

Passwords and tokens: we’ve got here — powerful stuff, use your powers for good. Here’s a bunch of username information, a bunch of locations and services, and a bunch of passwords from where they originate. That’s scary stuff. Keys to the kingdom are sitting there.

Backups: oh, we found a Samsung Smart Switch backup. Interesting. Encrypted data: let’s see the DPAPI stuff. Google credential information, Edge, Telegram, Zoom. Some things are brute-forced based on what was found, some things were unable to be decrypted. Pretty interesting from a summary perspective.

I can see I’ve got AnyDesk, BlueStacks, Chrome, OneDrive, Teams, Notepad, Smart Switch, Defender, Mail Center, and encrypted information in here. Very cool. I’m going to save this to disk. I’ll put it out on this data drive. I’ll make a folder and call it ‘hhh’. I’ll select that and put our contents in there.

No, I do not have enough free space to save that 197 gig. That’s okay. Let’s go do another search. But this time we’re going to point at that hooked-up drive. Live search? No — new search. I’m going to pick a drive search this time, as it told us. I will drop down and pick the F drive and select it. I’m pretty sure I get the option to choose to help us navigate what we’re doing. It’s a Windows drive. Terrific. I’ll use the same old settings there and start that search.

This one finished and nothing like the other one. However, this time — great — I got these, all system artifacts. NTFS file system things, recycle bin data. But interesting: an iTunes backup, a 72-gig iTunes backup. Probably not going to have room for that either.

What I’m going to do is unselect this. Look — time, space management. Maybe when I’m stealing everything from your computer, I don’t want your iTunes backup. I got what I needed and I don’t have time to wait or the space to put that thing. So I’m going to turn it off. Then I’ll come back and save to disk, and I’m going to put it in that same folder I made before, where I didn’t have the room for the previous collection. I’ll select that and off it goes, saving out the artifacts.

I want to do this just so we can see the resulting ODB data. Show extracted data in a folder. Let’s go look. Here I’ve got the name of the drive, the user, the date and time, dot ODB — Oxygen Desktop Backup. There’s a list file if it happens to contain several segments. Zeros and ones because I saved 72 gigs of data or something. A log of what was obtained in this, and an ODB file.

Here’s what we would do. I would come back — if I didn’t open it directly in Detective — I’d come back to Detective and use this option: ‘I want to import an Oxygen Forensic Desktop Backup.’ I’ll click it. I’m going to navigate to that folder, looking for E drive, Program Files, Detective (or Oxygen Forensics), the re folder or the KeyScout folder. In there I have the ODB list or the ODB to pick from.

I’ll go ahead and pick the ODB file and open that. It’s like ‘okay, listen, fire up that ODB, import it’ and off it goes, just like anything else. When it’s done, I’ll look at it. It is a desktop extraction, Windows, indicated by the icon. 11,000 files, a bunch of system artifacts is what this boils down to. There really wasn’t a bunch of data in that collection, and that’s fine. We just want to see what it looked like to collect some data, navigate to the results, and import it into Detective.

That’s KeyScout in a nutshell. Live drive, evidence file, dead drive — create an evidence file. These are E01 or DD with it. Create custom profiles. Carry the thing around on an OTG so you’re never without it.

Imagine the use case: you walk into a library, there are 100 machines in there, and you’ve got to triage to see which ones you’re actually going to take with you. Maybe you run a KeyScout collection on each one of them for specific profile data. The ones that get the hits are the ones you take. Grab some KeyScout when you can. Catch you later.
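The profile file rules walked through in the video (name contains ‘keys’, content contains ‘dog’ in UTF-8, a creation-date range, a file-signature match, and the tool's warning about mutually exclusive conditions) are easy to reason about as a small rule engine. The example below is added here as an illustration and is not Oxygen's code or KeyScout's actual rule format; it assumes that all rules in a profile are combined with AND (KeyScout's real ‘full match’/‘partial match’ semantics are not documented on this page), uses a constructed subset of magic-byte signatures, and runs against constructed in-memory sample files so it works offline. A `load_from_directory` helper shows how the same rules would apply to a real folder, with a comment on why creation timestamps from `os.stat` are platform-dependent.

```python
"""Toy rule-based file filter modelled on the profile file rules described in the
video. Added example, not Oxygen Forensic's code; rule semantics are assumptions."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, datetime
from pathlib import Path
from typing import Callable, Iterable

# Constructed magic-byte table (a subset; all at offset 0).
SIGNATURES = {
    "pdf": b"%PDF",
    "ole_compound": bytes.fromhex("D0CF11E0A1B11AE1"),  # legacy .doc/.xls/.ppt
    "zip_ooxml": b"PK\x03\x04",                           # .docx/.xlsx/.pptx containers
    "png": b"\x89PNG\r\n\x1a\n",
}


@dataclass
class FileRecord:
    path: str
    created: datetime
    content: bytes

    @property
    def name(self) -> str:
        return Path(self.path).name


Rule = Callable[[FileRecord], bool]


def name_contains(text: str) -> Rule:
    """Case-insensitive substring match on the file name."""
    needle = text.lower()
    return lambda f: needle in f.name.lower()


def content_contains(text: str, encoding: str = "utf-8") -> Rule:
    """Byte-level search for `text` encoded in the given character set."""
    needle = text.encode(encoding)
    return lambda f: needle in f.content


def created_between(start: date, end: date) -> Rule:
    """Inclusive creation-date window; rejects a window that can never match."""
    if start > end:
        raise ValueError("mutually exclusive condition: start date is after end date")
    return lambda f: start <= f.created.date() <= end


def has_signature(*kinds: str) -> Rule:
    """True if the content starts with any of the named magic-byte signatures."""
    magics = [SIGNATURES[k] for k in kinds]
    return lambda f: any(f.content.startswith(m) for m in magics)


@dataclass
class Profile:
    rules: list[Rule] = field(default_factory=list)
    require_all: bool = True  # assumption: True = every rule must match (AND), False = any (OR)

    def matches(self, f: FileRecord) -> bool:
        results = [r(f) for r in self.rules]
        return all(results) if self.require_all else any(results)

    def select(self, files: Iterable[FileRecord]) -> list[str]:
        return [f.path for f in files if self.matches(f)]


def load_from_directory(root: str, max_bytes: int = 1 << 20) -> list[FileRecord]:
    """Turn a real folder into FileRecords, reading at most max_bytes per file.
    Caveat: st_ctime is creation time on Windows but inode-change time on Linux,
    which is one reason a real collector reads creation time from the file system's
    own metadata rather than from os.stat."""
    records = []
    for p in Path(root).rglob("*"):
        if p.is_file():
            with p.open("rb") as fh:
                data = fh.read(max_bytes)
            records.append(FileRecord(str(p), datetime.fromtimestamp(p.stat().st_ctime), data))
    return records


# Constructed sample files standing in for a scanned user profile.
SAMPLE_FILES = [
    FileRecord("C:/Users/alice/Downloads/keys.txt", datetime(2025, 7, 3), b"api dog token"),
    FileRecord("C:/Users/alice/Documents/notes.txt", datetime(2025, 6, 1), b"the dog barked"),
    FileRecord("C:/Users/bob/Desktop/old_keys.ppt", datetime(2025, 7, 10),
               bytes.fromhex("D0CF11E0A1B11AE1") + b"\x00" * 16),
    FileRecord("C:/Users/bob/Desktop/deck.pptx", datetime(2025, 8, 2), b"PK\x03\x04" + b"\x00" * 16),
]


def demo_profile() -> Profile:
    """The three rules built in the video, combined with AND."""
    return Profile([
        name_contains("keys"),
        content_contains("dog"),
        created_between(date(2025, 7, 1), date(2025, 12, 31)),
    ])


def presentation_profile() -> Profile:
    """Signature-only rule: legacy OLE and OOXML containers (the 'just PowerPoints' idea)."""
    return Profile([has_signature("ole_compound", "zip_ooxml")])


if __name__ == "__main__":
    print("rule hits:", demo_profile().select(SAMPLE_FILES))
    print("signature hits:", presentation_profile().select(SAMPLE_FILES))
```

Because the rules are plain predicates, adding an exclusion path list or a hash-set rule is just another function returning a `Rule`; the AND/OR switch on `Profile` is where the ‘full match’ versus ‘partial match’ distinction would be modelled once the real semantics are known.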
