

Digital Forensics

Forensics first responder

If it is a criminal case the Police should be the point of contact; otherwise ensure the system is isolated, keep a log of the forensic steps that is witnessed, photographed and signed by another person on site, and have with you DEFT/CAINE/Guymager on USB and a write-blocker with an empty target disk for collection. An EnCase .E01 / EWF (Expert Witness Format) disk image is best: create a read-only image using DEFT booted from a USB on the laptop, then use the Guymager application to acquire the disk image. The E01 file has a header of case information, and its footer contains the MD5 of the data stream. Set up a chain of custody for the data disk. The course advised taking copies and placing the original copy in a tamper-proof bag. If necessary also collect an image dump.

Preparation -> Identification -> Seizure -> Analysis -> Presentation document

Another digital forensic expert should be able to follow your document and arrive at the same, proven findings.

Command Line tools

Disk Analysis

Once you have the E01 image you can mount this using the ewfmount Linux command from package ''ewftools''.

ewfmount /source/disk/captured.E01 /mnt/evidence

Next check the partition scheme of the disk using the command mmls from package ''sleuthkit''; for a whole-disk image the partition start sector it reports is what you need (as offset=<start sector * 512> in the mount options) to mount a single partition. Then mount the raw image exposed by ewfmount read-only, with NTFS system files and alternate data streams visible:

$ mkdir /mnt/win_mount

$ mount -o ro,loop,show_sys_files,streams_interface=windows /mnt/evidence/ewf1 /mnt/win_mount

Super timelines of machine and user activity

Use timescanner or log2timeline.py to create a file timeline by recursively scanning directories and writing a CSV file. Install the plaso-tools package to get this.

$ sudo dnf install python-plaso plaso-tools

$ log2timeline.py -z UTC --parsers "win7,-filestat" /tmp/plaso-2.dump IMAGEDDISK.E01

Followed by

$ psort.py -z "UTC" -o l2tcsv /tmp/plaso-2.dump "date > '2018-04-01 00:00:00' AND date < '2019-04-20 23:59:00'" -w plaso-0418-0419.csv

Now analyse the timeline in ELK, Splunk or Excel for security events.

Alternatively run timescanner directly over the mounted file system:

$ timescanner -d /mnt/win_mount -w /home/evidence/20160901_df01/timeline.csv

Now use regular searches for files, or scalpel for file carving to recover hidden or deleted files from unallocated space. The scalpel.conf must be configured with the file types to seek. Example config at bottom.

scalpel workingcopy-usb.dd -o output

Scan the registry hive files for items of interest, such as Windows/System32/config/SAM and <$USER>/NTUSER.DAT. Use the reglookup tool from the CERT forensics tools repository (https://forensics.cert.org/cert-forensics-tools-release-el5.rpm), installed using the first command below. This tool works on DAT files extracted from memory too.

$ rpm -Uvh cert-forensics-tools-release*rpm

$ reglookup "/mnt/win_mount/Users/Jeff_Bridges/NTUSER.DAT" | grep "U:"

$ reglookup -s -t DWORD NTUSER.DAT | grep Logon

RegRipper is a great tool for viewing hive data. Hivex and reged can also be used for viewing registry hives.

$ rip.pl -f ntuser -r /mnt/win_mount/Users/Jeff_Bridges/NTUSER.DAT > out/ntuser.txt

Use -f sam, software, system or security with the matching hive from Windows\System32\config in the same way (e.g. > out/sam.txt).

$ yum install hivex

$ reged -e NTUSER.DAT

Memory Analysis and file carving

$ strings -a MEMORY-IMG.DMP > strings.txt

$ grep 'http:\/\/' strings.txt > http.txt

$ grep 'https:\/\/' strings.txt > https.txt

$ grep 'c:\\' strings.txt > paths.txt

Again scalpel can be used to extract the files from the memory image. This is file carving.

$ scalpel -o files/ -c scalpel.conf MEMORY-IMG2.DMP

Once this first pass over the image is complete, scalpel has a complete index of header and footer locations, which is used to populate ''work queues'' that control the file carving operations during the second pass. For each ''file header'' in the index, an attempt is made to match the header with an appropriate footer, subject to the rules in the configuration file. ''Many file types contain no defined footer'', which makes the processing of these manual. Foremost carves files in the same way as scalpel; the /etc/foremost.conf file must be adjusted for the file types wanted.

$ foremost -i MEMORY-IMG2.DMP -o foremost2/

If the file format has no footer, a maximum file size is used by the carving program. Further guide: https://digital-forensics.sans.org/summit-archives/2010/eu-digital-forensics-incident-response-summit-bas-kloet-advanced-file-carving.pdf Use clamscan (Linux AV) to scan the carved files; it will highlight any malicious files.
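The two-pass header/footer matching described above, carried out in miniature as an added example (this is not scalpel's or foremost's own code): the rules, the sample "unallocated space" and the max-size fallback for footerless types are all constructed here.

```python
import re

# Carving rules in the spirit of scalpel.conf entries (constructed for this example):
# (extension, max carve size, header bytes, footer bytes or None when the type has none)
RULES = [
    ("pdf", 5_000_000, b"%PDF", b"%%EOF"),
    ("jpg", 20_000_000, b"\xff\xd8\xff", b"\xff\xd9"),
    ("txt", 64, b"BEGIN:", None),
]

# Constructed sample "unallocated space": zero padding around three file remnants.
SAMPLE = (
    b"\x00" * 16
    + b"%PDF-1.4 hello %%EOF"
    + b"\x00" * 8
    + b"\xff\xd8\xff\xe0JFIF\xff\xd9"
    + b"BEGIN:note-in-unallocated-space"
    + b"\x00" * 100
)

def index_markers(data, rules):
    """First pass: record every header start and footer end offset per rule."""
    index = {}
    for ext, _max_size, header, footer in rules:
        heads = [m.start() for m in re.finditer(re.escape(header), data)]
        feet = [m.end() for m in re.finditer(re.escape(footer), data)] if footer else []
        index[ext] = (heads, feet)
    return index

def carve(data, rules=RULES):
    """Second pass: pair each header with the first footer that follows it within
    the max carve size; with no footer (none defined, or none in range) the
    maximum size is carved instead. Returns (ext, offset, bytes) tuples."""
    index = index_markers(data, rules)
    carved = []
    for ext, max_size, _header, footer in rules:
        heads, feet = index[ext]
        for start in heads:
            limit = min(start + max_size, len(data))
            following = [f for f in feet if start < f <= limit]
            end = following[0] if following else limit
            carved.append((ext, start, data[start:end]))
    return sorted(carved, key=lambda c: c[1])

if __name__ == "__main__":
    for ext, offset, blob in carve(SAMPLE):
        # scalpel-style naming: offset-based file name with the rule's extension
        print(f"{offset:08d}.{ext}: {len(blob)} bytes")
```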

In the scalpel results directory, for instance the pdf directory:

$ clamscan *

Volatility Memory Analysis

Volatility is powerful; among other things it can extract files '''by address offset''' and extract executables from memory samples. Perform Volatility inspection on a memory image dump obtained by DEFT. ''Linux Volatility package installs below.''

$ git clone https://github.com/volatilityfoundation/volatility.git

$ cd volatility/

$ sudo python setup.py install

$ sudo yum install pycrypto

$ sudo pip install distorm3

Obtain the image information (suggested OS profile) to use as the --profile value with further commands.

$ vol.py -f MEMORY-IMG2.DMP imageinfo

Obtain a file list for the memory dump (filescan plugin). This will also contain the memory offsets for the files.

$ vol.py filescan -f MEMORY-IMG2.DMP --profile=Win7SP0x64

Obtain a process listing for the memory dump.

$ vol.py pslist -f MEMORY-IMG2.DMP --profile=Win7SP0x64

Find injected code and dump sections related to malware.

$ vol.py malfind -f MEMORY-IMG2.DMP --profile=Win7SP0x64

Get the process listing from the memory capture; use the process numbers with -p on other modules.

$ vol.py pslist -f MEMORY-IMG2.DMP --profile=Win10x86_14393

Find hidden processes by cross-view comparison, a sign of a rootkit.

$ vol.py psxview -f MEMORY-IMG2.DMP --profile=Win10x86_14393

Get a timeline of user and machine activity from the memory image, in body format.

$ vol.py -f MEMORY-IMG2.DMP --profile=WinXPSP2x86 timeliner --output-file out.body --output=body

Get the PDFs available in memory using a regex on the file name.

$ vol.py dumpfiles -f MEMORY-IMG2.DMP --profile=Win7SP0x64 -n -i -r \\.pdf --dump-dir=voldump

List the command line history of full run command line traces.

$ vol.py cmdscan -f MEMORY-IMG2.DMP --profile=Win10x86_14393
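The cross-view check that psxview performs, as an added example that is not Volatility's own code: it parses a constructed psxview-style table and flags live processes that are absent from the pslist linked list but present in other views, while leaving terminated processes (those with an ExitTime) alone.

```python
# Constructed psxview-style output for this example (not from a real memory image).
# Columns follow Volatility 2's psxview: Offset(P) Name PID, then one True/False per
# view (pslist psscan thrdproc pspcid csrss session deskthrd) and an optional ExitTime.
SAMPLE_PSXVIEW = """\
Offset(P)          Name          PID pslist psscan thrdproc pspcid csrss session deskthrd ExitTime
0x000000007e4a0b30 explorer.exe 1476 True   True   True     True   True  True    True
0x000000007e7b2d40 svchost.exe   912 True   True   True     True   True  True    True
0x000000007d9c4a10 unknown.exe  3388 False  True   True     True   True  True    True
0x000000007e1f0030 notepad.exe  2200 False  True   False    False  False False   False    2019-04-18 10:22:05 UTC+0000
"""

VIEWS = ["pslist", "psscan", "thrdproc", "pspcid", "csrss", "session", "deskthrd"]

def parse_psxview(text):
    """Parse psxview's table into dicts; the first line is the column header."""
    rows = []
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) < 3 + len(VIEWS):
            continue
        flags = {v: (p == "True") for v, p in zip(VIEWS, parts[3:3 + len(VIEWS)])}
        rows.append({"offset": parts[0], "name": parts[1], "pid": int(parts[2]),
                     "exit_time": " ".join(parts[3 + len(VIEWS):]), **flags})
    return rows

def hidden_processes(rows):
    """Flag processes missing from the pslist linked list but still present in other
    views (pool scan, thread list, PspCid table, ...): the trace an unlinked process
    leaves behind. Rows with an ExitTime are terminated processes that legitimately
    drop out of most views, so they are not flagged."""
    return [r for r in rows
            if not r["exit_time"] and not r["pslist"]
            and any(r[v] for v in VIEWS if v != "pslist")]

if __name__ == "__main__":
    for r in hidden_processes(parse_psxview(SAMPLE_PSXVIEW)):
        print(f"hidden: {r['name']} pid={r['pid']} at {r['offset']}")
```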