Forensics first responder
If it is a criminal case the Police should be the point of contact; otherwise ensure the system is isolated, keep a log of forensic steps that is witnessed, photographed and signed by another person on site, and have with you DEFT/CAINE/Guymager on USB plus a write-blocker and an empty target disk for collection. An EnCase .E01 (EWF) disk image is best created, and a chain of custody should be established from the start. [web:30]
Another digital forensic expert should be able to follow the document and come to the same findings. The page also notes that once the E01 image is captured it can be mounted using ewfmount from ewftools (libewf), which exposes the image as a raw device file under the mount point. [web:30]
$ ewfmount /source/disk/captured.E01 /mnt/evidence
Command line tools
Disk analysis
With the E01 exposed as a raw device file (/mnt/evidence/ewf1), the next steps are creating a mount point and mounting the evidence read-only so the Windows filesystem can be inspected safely; if ewf1 is a whole-disk image rather than a single partition, the mount also needs offset=<partition start in bytes>, taken from the mmls partition table. The original page then moves on to partition review using mmls from The Sleuth Kit. [web:30]
$ mkdir /mnt/win_mount
$ mount -t ntfs-3g -o ro,loop,show_sys_files,streams_interface=windows /mnt/evidence/ewf1 /mnt/win_mount
Super timelines of machine and user activity
The legacy page recommends timescanner or log2timeline.py to create a timeline by recursively scanning directories and writing a CSV file. It specifically says to install the plaso-tools package first, then use psort.py to restrict the timeline to the examination window and analyse the results in ELK, Splunk or Excel. [web:30]
$ sudo dnf install python-plaso plaso-tools
$ log2timeline.py -z UTC --parsers "win7,-filestat" /tmp/plaso-2.dump IMAGEDDISK.E01
$ psort.py -z UTC -o l2tcsv /tmp/plaso-2.dump "date > '2018-04-01 00:00:00' AND date < '2019-04-20 23:59:00'" -w plaso-0418-0419.csv
$ timescanner -d /mnt/win_mount -w /home/evidence/20160901_df01/timeline.csv
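As an added example (not code from the legacy page), the examination-window filter and a per-source summary carried out in Python over constructed rows in the l2tcsv column layout that psort.py -o l2tcsv writes; the window is the one used in the psort.py filter above, and the hostnames, user and file names are invented sample data.

```python
import csv
import io
from collections import Counter
from datetime import datetime, timezone

# Constructed sample in the l2tcsv layout written by psort.py -o l2tcsv
# (header plus five synthetic rows; not output from a real case).
SAMPLE_L2TCSV = """\
date,time,timezone,MACB,source,sourcetype,type,user,host,short,desc,version,filename,inode,notes,format,extra
03/30/2018,23:59:59,UTC,M...,FILE,NTFS USN change,Content Modification Time,-,WS01,old.log,old.log changed,2,old.log,0,-,usnjrnl,-
04/02/2018,08:15:03,UTC,..C.,LOG,WinEVTX,Creation Time,jbridges,WS01,Logon 4624,User logon type 10,2,Security.evtx,0,-,winevtx,-
04/02/2018,08:17:40,UTC,.A..,FILE,NTFS file stat,Last Access Time,-,WS01,invoice.pdf,invoice.pdf accessed,2,invoice.pdf,0,-,filestat,-
04/02/2018,08:18:02,UTC,...B,REG,Registry Key,Creation Time,jbridges,WS01,Run key,Run key value added,2,NTUSER.DAT,0,-,winreg,-
06/01/2019,12:00:00,UTC,M...,FILE,NTFS USN change,Content Modification Time,-,WS01,late.log,late.log changed,2,late.log,0,-,usnjrnl,-
"""

# Same examination window as the psort.py filter used above.
EXAM_START = datetime(2018, 4, 1, 0, 0, tzinfo=timezone.utc)
EXAM_END = datetime(2019, 4, 20, 23, 59, tzinfo=timezone.utc)


def parse_l2tcsv(text):
    """Yield each l2tcsv row as a dict, adding an aware UTC datetime under 'ts'."""
    for row in csv.DictReader(io.StringIO(text)):
        # l2tcsv dates are MM/DD/YYYY; the timeline was produced with -z UTC.
        naive = datetime.strptime(f"{row['date']} {row['time']}", "%m/%d/%Y %H:%M:%S")
        row["ts"] = naive.replace(tzinfo=timezone.utc)
        yield row


def events_in_window(text, start, end):
    """Return rows whose timestamp lies in [start, end), oldest first."""
    hits = [r for r in parse_l2tcsv(text) if start <= r["ts"] < end]
    return sorted(hits, key=lambda r: r["ts"])


def source_counts(rows):
    """Count events per l2tcsv 'source' column (FILE, LOG, REG, ...)."""
    return Counter(r["source"] for r in rows)


if __name__ == "__main__":
    rows = events_in_window(SAMPLE_L2TCSV, EXAM_START, EXAM_END)
    print(dict(source_counts(rows)))
    for r in rows:
        print(r["ts"].isoformat(), r["MACB"], r["source"], r["user"], r["desc"])
```

Pointing parse_l2tcsv at the real plaso-0418-0419.csv (read as text) applies the same filter and summary to a case timeline.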
Registry and hive review
The page highlights registry hive files such as Windows/System32/config/SAM (with SOFTWARE, SYSTEM and SECURITY in the same directory) and each user profile's NTUSER.DAT, then lists reglookup, RegRipper (rip.pl), hivex and reged (from chntpw) for analysis. It also references the CERT forensic tools package for installation. [web:30]
$ rpm -Uvh cert-forensics-tools-release*rpm
$ reglookup /mnt/win_mount/Users/Jeff_Bridges/NTUSER.DAT | grep "U:"
$ reglookup -s -t DWORD NTUSER.DAT | grep Logon
$ rip.pl -f ntuser -r /mnt/win_mount/Users/Jeff_Bridges/NTUSER.DAT > out/ntuser.txt
$ rip.pl -f sam -r /mnt/win_mount/Windows/System32/config/SAM > out/sam.txt   (likewise -f software, -f system or -f security for the SOFTWARE, SYSTEM and SECURITY hives)
$ sudo yum install hivex chntpw
$ reged -e NTUSER.DAT
Memory analysis and file carving
The old page says that running strings is a quick first step for finding interesting text in a memory image (Windows keeps much of its text as UTF-16, so a second pass with strings -el catches what the plain ASCII pass misses), then moves to file carving with scalpel and foremost. It also notes that scalpel.conf and foremost.conf must be adjusted to match the file types you want to recover. [web:30]
$ strings -a MEMORY-IMG.DMP > strings.txt
$ grep 'http://' strings.txt > http.txt
$ grep 'https://' strings.txt > https.txt
$ grep -i 'c:\\' strings.txt > paths.txt
$ scalpel -o files/ -c scalpel.conf MEMORY-IMG2.DMP
$ foremost -i MEMORY-IMG2.DMP -o foremost2/
The same page also says carved files can then be checked with ClamAV, the example command below being run from inside the scalpel output directory. [web:30]
$ clamscan *
Volatility workflow
The legacy version lists the package installation and setup steps first, then shows a sequence of Volatility commands for image profiling, process inspection, hidden process checks, command-line history, timeline generation and memory-resident file extraction. Every original dollar-prefixed command from that page is preserved below. [web:30]
$ git clone https://github.com/volatilityfoundation/volatility.git
$ cd volatility/
$ sudo python setup.py install
$ sudo yum install pycrypto
$ sudo pip install distorm3
The original page then continues with Volatility runtime examples, some of which were shown without a leading dollar sign on the page itself, covering imageinfo, pslist, malfind, psxview, timeliner, dumpfiles and cmdscan. These remain important context around the preserved setup commands. [web:30]
vol.py -f MEMORY-IMG2.DMP imageinfo
vol.py pslist -f MEMORY-IMG2.DMP --profile=Win7SP0x64
vol.py malfind -f MEMORY-IMG2.DMP --profile=Win7SP0x64
vol.py pslist -f MEMORY-IMG2.DMP --profile=Win10x86_14393
vol.py psxview -f MEMORY-IMG2.DMP --profile=Win10x86_14393
vol.py cmdscan -f MEMORY-IMG2.DMP --profile=Win10x86_14393
vol.py -f MEMORY-IMG2.DMP --profile=WinXPSP2x86 timeliner --output-file out.body --output=body
vol.py -f MEMORY-IMG2.DMP --profile=Win7SP0x64 dumpfiles -n -i -r '\.pdf' --dump-dir=voldump