Monday, May 10, 2021

CLEAPP it! - ChromeOS Logs Events And Protobuf Parser

Short version:

Process data extractions from Chromebooks using the ChromeOS Logs Events And Protobuf Parser (CLEAPP.) 

CLEAPP is made in Python 3 and can be downloaded here:
https://github.com/markmckinnon/cLeapp


 

Long version:

Until not too long ago extracting data for forensic analysis from Chromebooks seemed impossible. Thanks Daniel Dickerman's workflow we can extract data provided you have a username and password for the device.

Check out the peer-reviewed process here:
https://dfir.pubpub.org/pub/inkjsqrh/release/1

Thanks to Magnet Forensics the process has been automated and now its implementation is available as a free software tool called the Magnet Chromebook Acquisition Assistant. 

You can do it!!

To get the free tool go here:

https://www.magnetforensics.com/resources/magnet-chromebook-acquisition-assistant/

Now what?

So now you have an awesome extraction from the device. You will receive a file named extracted.tgz.

extracted.tgz

What do you do with it? How can you dig into the contents? Use CLEAPP for it. You can get CLEAPP here: https://github.com/markmckinnon/cLeapp

Two step process:

  1. Extract the tgz file.
  2. Select the extracted data location with CLEAPP and press process. 
Simple!!! 

This project is Mark McKinnon's brainchild and it is based on the Android Logs Events And Protobuf Parser community project. ALEAPP can be found here:
https://github.com/abrignoni/ALEAPP

Currently CLEAPP parses 38 artifact categories. The project wouldn't be what it is without the contributions from Alex Caithness and Ryan Benson. Thank you so much!

Thank you gentlepeople <3

Installation

If you are familiar with how iLEAPP of ALEAPP works then you already know how to use CLEAPP. These projects are done in python. If you are not familiar with how to run python scripts just follow the steps in the following video.


You can also use the provided executables contained in the release version for CLEAPP. Those can be found here:
https://github.com/markmckinnon/cLeapp/releases/tag/v1.0

Using CLEAPP

Run the cleappGUI.py script for the graphical user interface version. It will look like this:

Click around and done

Notice the list of modules on the left. You can parse all or select individual modules. CLEAPP is pretty fast so for most purposes running with all modules enabled is recommended.

Here is a short list of some modules it supports:
  • Chromebook device details
  • Chromebook device logs
  • Chromium Browsers
  • Instagram Threads
  • Chromium LevelDB data stores (Thanks Alex Caithness & Ryan Benson)
  • Microsoft RDP
  • Real VNC
  • Google Docs
  • and tons more...

After CLEAPP finishes processing the output will be in the following formats:
  • HTML report
  • Tab separated values text files for every artifact
  • KML files for artifacts that have geolocation data points
  • SQLite timeline file for artifacts that have timestamps
  • SQlite contacts file for artifacts that have contacts information
The HTML report contains the categories and artifacts on the left of the report.

HTML report

The Device Details tab will have information on the Chromebook like serial number, current operatin system version, and more.

Device Details

One of the interesting facts about Chromebooks is that they can run Android apps. As time permits I plan to merge all ALEAPP artifacts for use in CLEAPP and make sure that both projects support Android artifacts. 

Since this is a community project we will be more than happy to have additional collaborators. 

Get ready for this, Mark has provided Autopsy integration for CLEAPP right out the bat. Check it out here:
https://medium.com/@markmckinnon_80619/cleapp-autopsy-plugin-59ba312beccc


Any questions or any comments I can be reached on twitter @AlexisBrignoni and email 4n6[at]abrignoni[dot]com.

-Brigs