Digital forensics

First response, disk imaging and memory analysis

A practical reference page covering first responder actions, evidence handling, timelines, registry inspection, file carving and Volatility-based memory analysis, while preserving the original command-line detail from the legacy Fortnetworks notes.

Digital Forensics

Forensics first responder

If it is a criminal case, the police should be the point of contact. Otherwise: isolate the system, keep a log of every forensic step that is witnessed, photographed and signed by a second person on site, and bring DEFT/CAINE/Guymager on USB plus a write-blocker with an empty target disk for collection. Acquire an EnCase .E01 (Expert Witness Format) image and establish the chain of custody from the very first action, recording the acquisition hash in the log. [web:30]

Preparation -> Identification -> Seizure -> Analysis -> Presentation document

Another digital forensic expert should be able to follow the document and reach the same findings. The page also notes that once the E01 image is captured it can be mounted with ewfmount from libewf (ewftools), which exposes the raw image as a single file named ewf1 under the mount point. [web:30]

ewfmount /source/disk/captured.E01 /mnt/evidence
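Added example, not from the Fortnetworks page: a small custody-log helper that records the SHA-256 of an acquired image and re-verifies it later, so the signed log can show the evidence is unchanged between collection and analysis. The image path and log file name are hypothetical and sha256sum is assumed to be on the workstation. For an E01 container, ewfverify (libewf) additionally checks the hashes stored inside the format; this helper covers a raw image, or the container file as a whole.

```sh
# Added example, not from the Fortnetworks page: record the acquisition hash of an
# image in the custody log and re-verify it later. Paths and the log name are
# hypothetical; sha256sum is assumed to be installed.

# record_hash IMAGE LOG: append "<sha256>  <image>  <utc time>" to LOG, print the hash
record_hash() {
    image="$1"; log="$2"
    sum=$(sha256sum "$image" | cut -d' ' -f1)
    printf '%s  %s  %s\n' "$sum" "$image" "$(date -u +%Y-%m-%dT%H:%M:%SZ)" >> "$log"
    echo "$sum"
}

# verify_hash IMAGE LOG: compare the current hash against the FIRST entry logged
# for IMAGE (the acquisition hash). Returns 0 on match, 1 on mismatch, 2 if the
# image was never logged.
verify_hash() {
    image="$1"; log="$2"
    recorded=$(grep -F "  $image  " "$log" 2>/dev/null | head -n1 | cut -d' ' -f1)
    if [ -z "$recorded" ]; then
        echo "no recorded hash for $image" >&2
        return 2
    fi
    current=$(sha256sum "$image" | cut -d' ' -f1)
    if [ "$recorded" = "$current" ]; then
        echo "OK: $image matches recorded $recorded"
        return 0
    fi
    echo "MISMATCH: $image recorded=$recorded current=$current" >&2
    return 1
}
```

Run record_hash once at acquisition, then verify_hash before and after each analysis session; a non-zero return is what goes into the witnessed log, not just a console line.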

Command line tools

Disk analysis

After exposing the raw image with ewfmount, create a mount point and mount the filesystem read-only so the Windows volume can be inspected safely (show_sys_files and streams_interface=windows are ntfs-3g options that expose $MFT and friends and alternate data streams). The raw image normally carries a partition table, so the mount needs the byte offset of the NTFS partition: mmls from The Sleuth Kit prints the starting sector, multiply it by the sector size and pass it as offset=. The original page then moves on to partition review with mmls. [web:30]

$ mkdir /mnt/win_mount
$ mount -o ro,loop,show_sys_files,streams_interface=windows /mnt/evidence/ewf1 /mnt/win_mount
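Added example, not from the original page: deriving the partition byte offset from mmls output and building the read-only mount line from it. The mmls listing below is constructed for the example (two NTFS partitions behind a DOS partition table); on a real case run mmls /mnt/evidence/ewf1 and pick the row of the volume you want. The function prints the mount command rather than running it, so it can be reviewed and logged first.

```sh
# Added example, not from the original page: derive the byte offset of a
# partition from mmls output and build a read-only NTFS mount command.
# The sample mmls output is constructed; mmls reports units in sectors.
SAMPLE_MMLS='DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Primary Table (#0)
001:  -------   0000000000   0000002047   0000002048   Unallocated
002:  000:000   0000002048   0000206847   0000204800   NTFS / exFAT (0x07)
003:  000:001   0000206848   0041943039   0041736192   NTFS / exFAT (0x07)'

# partition_offset MMLS_TEXT ROW -> byte offset of that mmls row (sector * size)
partition_offset() {
    text="$1"; idx="$2"
    sector=$(printf '%s\n' "$text" | sed -n 's/^Units are in \([0-9]*\)-byte sectors.*/\1/p')
    : "${sector:=512}"
    start=$(printf '%s\n' "$text" | awk -v want="$idx" '$1 == sprintf("%03d:", want) { print $3 }')
    if [ -z "$start" ]; then
        echo "no mmls row $idx" >&2
        return 1
    fi
    # strip leading zeros so the shell does not read the value as octal
    start=$(printf '%s' "$start" | sed 's/^0*//'); : "${start:=0}"
    echo $(( start * sector ))
}

# mount_cmd IMAGE MOUNTPOINT OFFSET -> the mount line to run (printed, not executed)
mount_cmd() {
    printf 'mount -o ro,loop,offset=%s,show_sys_files,streams_interface=windows %s %s\n' "$3" "$1" "$2"
}

# Typical use on a real image:
#   off=$(partition_offset "$(mmls /mnt/evidence/ewf1)" 3)
#   sudo sh -c "$(mount_cmd /mnt/evidence/ewf1 /mnt/win_mount "$off")"
```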

Super timelines of machine and user activity

The legacy page recommends timescanner (the recursive scanner of the older Perl log2timeline) or log2timeline.py to build a timeline by scanning the mounted image and writing a CSV file. It says to install the plaso-tools package first, then use psort to cut the timeline down to the examination window and analyse the result in ELK, Splunk or Excel. In the log2timeline.py call, --parsers "win7,-filestat" selects the win7 preset minus the filestat parser; drop the exclusion if filesystem timestamps belong in the timeline. [web:30]

$ sudo dnf install python-plaso plaso-tools
$ log2timeline.py -z UTC --parsers "win7,-filestat" /tmp/plaso-2.dump IMAGEDDISK.E01
$ psort.py -z UTC -o l2tcsv -w plaso-0418-0419.csv /tmp/plaso-2.dump "date > '2018-04-01 00:00:00' AND date < '2019-04-20 23:59:00'"
$ timescanner -d /mnt/win_mount -w /home/evidence/20160901_df01/timeline.csv

Registry and hive review

The page highlights the registry hive files: Windows/System32/config/SAM (SOFTWARE, SYSTEM and SECURITY sit beside it) and NTUSER.DAT in each user profile (<$USER>/NTUSER.DAT), then lists reglookup, RegRipper (rip.pl), hivex and reged for analysis. It also references the CERT forensic tools repository for installation. Two corrections to the legacy commands: NTUSER.DAT lives under the user profile, not under System32/config, and reged is shipped with chntpw rather than hivex. [web:30]

$ rpm -Uvh cert-forensics-tools-release*rpm
$ reglookup "/mnt/win_mount/Users/Jeff_Bridges/NTUSER.DAT" | grep "U:"
$ reglookup -s -t DWORD NTUSER.DAT | grep Logon
$ rip.pl -f ntuser -r /mnt/win_mount/Users/Jeff_Bridges/NTUSER.DAT > out/ntuser.txt
$ rip.pl -f sam -r /mnt/win_mount/Windows/System32/config/SAM > out/sam.txt   # same pattern with the software, system and security profiles
$ sudo yum install hivex chntpw
$ reged -e NTUSER.DAT

Memory analysis and file carving

The old page says that strings is a quick first step for pulling interesting text out of a memory image, then moves to file carving with scalpel and foremost, noting that scalpel.conf and foremost.conf must be edited to enable the file types you want to recover (scalpel ships with every entry commented out). Two caveats a practitioner will want: strings -a on its own only finds 8-bit strings, so run it a second time with -e l to catch the UTF-16LE text Windows keeps in memory, and grep is case-sensitive, so a pattern for c:\ needs -i or it misses C:\Windows\... paths. [web:30]

$ strings -a MEMORY-IMG.DMP > strings.txt
$ grep 'http:\/\/' strings.txt > http.txt
$ grep 'https:\/\/' strings.txt > https.txt
$ grep -i 'c:\\' strings.txt > paths.txt
$ scalpel -o files/ -c scalpel.conf MEMORY-IMG2.DMP
$ foremost -i MEMORY-IMG2.DMP -o foremost2/
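Added example, not part of the original page: a triage pass over a strings dump that pulls URLs and Windows paths case-insensitively and counts unique hits, which is usually more useful than three separate grep files when the dump has millions of lines. The sample lines are constructed; real input comes from strings -a MEMORY-IMG.DMP (and strings -a -e l for UTF-16LE) redirected into strings.txt.

```sh
# Added example, not part of the original page: triage a strings dump for
# URLs and Windows paths, case-insensitively, and count unique hits.
# The sample lines below are constructed for the example.
SAMPLE_STRINGS='C:\Windows\System32\svchost.exe
http://example.test/update.bin
c:\users\jeff_bridges\appdata\local\temp\a.exe
HTTPS://example.test/login
http://example.test/update.bin
ordinary text without indicators'

# extract_iocs FILE -> "count<TAB>item", most frequent first, for URLs and drive paths
extract_iocs() {
    {
        grep -oiE 'https?://[^[:space:]<>"]+' "$1"        # http:// and https://, any case
        grep -oiE '[a-z]:\\[^[:space:]<>"|*?]+' "$1"       # X:\... paths, any case
    } | sort | uniq -c | sort -rn | awk '{ print $1 "\t" $2 }'
}

# count_iocs FILE -> number of unique indicators found
count_iocs() {
    extract_iocs "$1" | wc -l | tr -d ' '
}

# Typical use: extract_iocs strings.txt > iocs.tsv
```

The unique list is what you feed into the next step (a sandbox lookup, a proxy log search, or scalpel's carve targets); the raw per-line grep output is kept only as the audit trail.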

The same page also says carved files can then be checked with ClamAV, with the example command below run from inside the carve output directory (files/ for scalpel, foremost2/ for foremost). [web:30]

$ clamscan *

Volatility workflow

The legacy version lists the package installation and setup steps first, then shows a sequence of Volatility 2 commands for image profiling, process listing, injected-code detection (malfind), hidden process checks (psxview), command-line history (cmdscan), timeline generation (timeliner) and memory-resident file extraction (dumpfiles). Volatility 2 is a Python 2 code base, so the setup.py install below needs a Python 2 interpreter; Volatility 3 replaces --profile with symbol tables and renames the plugins (windows.pslist, windows.malfind and so on). Every original dollar-prefixed command from that page is preserved below. [web:30]

$ git clone https://github.com/volatilityfoundation/volatility.git
$ cd volatility/
$ sudo python setup.py install
$ sudo yum install pycrypto   # packaged as python-crypto or python2-crypto on some distributions
$ sudo pip install distorm3

The original page then continues with the runtime examples: imageinfo first, because every later plugin needs the --profile it suggests, then pslist, malfind, psxview, cmdscan, timeliner and dumpfiles. The three different profiles below are illustrative only; a single image matches exactly one of them. [web:30]

$ vol.py -f MEMORY-IMG2.DMP imageinfo
$ vol.py -f MEMORY-IMG2.DMP --profile=Win7SP0x64 pslist
$ vol.py -f MEMORY-IMG2.DMP --profile=Win7SP0x64 malfind
$ vol.py -f MEMORY-IMG2.DMP --profile=Win10x86_14393 pslist
$ vol.py -f MEMORY-IMG2.DMP --profile=Win10x86_14393 psxview
$ vol.py -f MEMORY-IMG2.DMP --profile=Win10x86_14393 cmdscan
$ vol.py -f MEMORY-IMG2.DMP --profile=WinXPSP2x86 timeliner --output=body --output-file out.body
$ vol.py -f MEMORY-IMG2.DMP dumpfiles -n -i -r \\.pdf --dump-dir=voldump   # add the --profile from imageinfo; voldump must exist
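Added example, not from the original page: the hidden process check that psxview supports, as a filter over its output. A process that psscan finds by scanning pool memory but that is absent from the linked process list (pslist False, psscan True) is the classic sign of an EPROCESS unlinked by DKOM; terminated processes also drop out of pslist, so rows carrying an ExitTime are skipped rather than flagged. The psxview listing below is constructed to match Volatility 2's column layout; on a real case redirect vol.py ... psxview into a file and pass that.

```sh
# Added example, not from the original page: flag live processes that psxview
# sees via pool scanning (psscan) but not in the linked list (pslist).
# Constructed psxview output; columns follow Volatility 2:
#   Offset(P) Name PID pslist psscan thrdproc pspcid csrss session deskthrd ExitTime
SAMPLE_PSXVIEW='Offset(P)          Name                    PID pslist psscan thrdproc pspcid csrss session deskthrd ExitTime
------------------ -------------------- ------ ------ ------ -------- ------ ----- ------- -------- --------
0x000000007e3c1b30 svchost.exe             884 True   True   True     True   True  True    True
0x000000007e1e4d40 malware.exe            1337 False  True   True     True   True  True    True
0x000000007e58a030 smss.exe                272 True   True   True     True   False False   False
0x000000007e2f0a10 notepad.exe            2210 False  True   False    False  False False   False    2019-04-19 10:22:03 UTC+0000'

# hidden_processes FILE -> "name pid" for processes missing from pslist that have
# no ExitTime (NF == 10 means the row has no trailing exit timestamp)
hidden_processes() {
    awk 'NR > 2 && NF == 10 && $4 == "False" && $5 == "True" { print $2, $3 }' "$1"
}

# exited_processes FILE -> "name pid exit-time" for rows that carry an ExitTime,
# kept separately so they can be reviewed but are not mistaken for DKOM
exited_processes() {
    awk 'NR > 2 && NF > 10 { print $2, $3, $11, $12 }' "$1"
}

# Typical use:
#   vol.py -f MEMORY-IMG2.DMP --profile=Win10x86_14393 psxview > psxview.txt
#   hidden_processes psxview.txt
```

Expect smss.exe, csrss.exe and System to show False in the csrss, session and deskthrd columns on a clean box; the pslist/psscan pair is the one that matters for unlinking, which is why the filter keys on those two alone.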