DFIR Playbook - Disk Images
source link: https://angry-bender.github.io/blog/DFIR_Playbook_Disk_Images-copy/
## Introduction
This post aims to replicate my physical playbook on disk images and covers the following tools:
- The Sleuth Kit (TSK)
- rip.pl (RegRipper)
- find (hash unallocated files without extracting them... find that malware)
## Overview
Broadly, the following overview shows the basic fls / mmls commands. The inode or offset each command needs is taken from the output of the previous one (the red circles in the original post's screenshots mark where it comes from).
Command | Description | Comments
---|---|---
`mmls <filename>` | Shows partitions and disk offsets | Usually the largest partition, which starts at approximately sector 63 for BIOS versions of Windows, and the second partition after sector 2048 for EFI versions of Windows
`fls -o <offset> <filename>` | Using the offsets identified with mmls, shows the contents of the root directory (`ls -lah` equivalent) | `<offset>` is the partition start sector as printed by mmls
`fls -o <offset> <filename> -D` | Shows only the directories available | -
`fls -o <offset> <filename> <inode>` | Lists the contents of a given directory | -
`fls -o <offset> <filename> <inode> -r` | Lists the contents of a given directory and all its subdirectories | -
`fls -l -z <TimeZoneOfMachine> -o <offset> <filename> <inode>` | Lists the times on files | Format: `file_type inode file_name mod_time acc_time chg_time cre_time size uid gid`
`icat -o <offset> <filename> <inode>` | Cats the file to STDOUT; redirect it to make a copy of the file by adding `> file.txt` | -
`tsk_recover -o <offset> <filename> -e -d <Directory inode> <output directory>` | Extracts an entire directory's files, including those that are unallocated; useful for deleted files | -
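As an added example (not code from the original post), the script below parses mmls output into the per-partition sector offsets that `fls`, `icat` and `tsk_recover -o` expect, computes the matching byte offset for `mount`, picks the largest partition as the table suggests, and emits one fls triage command per partition. The mmls listing embedded in it is constructed sample output, and the image name `image.dd` and the `p1:/`, `p2:/` prefixes are placeholders.

```shell
#!/bin/sh
# Added example (not from the article): turn mmls output into the sector offsets
# that fls/icat/tsk_recover -o expect, and the byte offsets that mount expects.
# SAMPLE_MMLS is a CONSTRUCTED mmls listing; its numbers are made up for the demo.
SAMPLE_MMLS='DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Primary Table (#0)
001:  -------   0000000000   0000002047   0000002048   Unallocated
002:  000:000   0000002048   0000206847   0000204800   NTFS / exFAT (0x07)
003:  000:001   0000206848   0134217727   0134010880   NTFS / exFAT (0x07)'

# Print one line per allocated partition:
#   <start_sector> <length_sectors> <byte_offset> <description>
# The unit size is read from the "Units are in N-byte sectors" line rather than
# assumed to be 512, so images with 4K sectors get the right byte offset.
mmls_partitions() {
    printf '%s\n' "$1" | awk '
        /^Units are in/ { unit = $4; sub(/-byte.*/, "", unit) }
        /^[0-9][0-9]*:/ && $2 != "Meta" && $2 != "-------" {
            desc = $6
            for (i = 7; i <= NF; i++) desc = desc " " $i
            printf "%.0f %.0f %.0f %s\n", $3 + 0, $5 + 0, ($3 + 0) * unit, desc
        }'
}

# The table notes the OS volume is usually the largest partition: return its start sector.
largest_partition() {
    mmls_partitions "$1" | sort -k2,2nr | head -n 1 | cut -d' ' -f1
}

# Emit the fls triage command for every partition. $1 = image path, $2 = mmls text.
# fls -o takes the SECTOR offset (column 1), never the byte offset.
fls_commands() {
    image=$1
    n=0
    mmls_partitions "$2" | while read -r sector length bytes desc; do
        n=$((n + 1))
        printf 'fls -o %s -r -p -m "p%s:/" "%s"  # %s\n' "$sector" "$n" "$image" "$desc"
    done
}

# Stand-alone run against the constructed sample.
fls_commands image.dd "$SAMPLE_MMLS"
```

Run it as-is to see the generated commands; in a real case replace `SAMPLE_MMLS` with `"$(mmls image.dd)"`. Column 3 of `mmls_partitions` is the value to pass as `offset=` when mounting the same partition later in this post.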
## Using TSK to make a timeline
You can use TSK for more than just extracting files. It's one of the best and most lightweight tools for quickly making an MFT timeline or a filesystem timeline. And, what's better, there is no mounting, period, thank the DFIR gods. This makes it one of the best and quickest triage tools to use.
### Triage timeline
Command | Description
---|---
`fls -o <offset> <filename> -r -p -m <PartitionLetter>:/ > <outputfile>` | Generates a TSK triage timeline bodyfile from an offset. Note: you can use `/` for a Linux partition instead of `<PartitionLetter>:/`
`fls -r -p -m <PartitionLetter>:/ -d /dev/<sdx> > <outputfile>` | Generates a TSK triage timeline bodyfile from a disk mount. You can use `/` for a Linux partition instead of `<PartitionLetter>:/`
`mactime -b <bodyfile> -d -y -z <Timezone> <StartTime> <EndTime> > <outputfile>.csv` | Creates a CSV timeline from the bodyfile. Timezone format: `Australia/Sydney`; time format: `2000-04-20T00:00:00`. NOTE: `-z <Timezone>`, `<StartTime>` and `<EndTime>` are optional. If you are unsure of the timezones, or times don't convert correctly, you can list them with `mactime -z list`. If you get an error stating the time module is not loaded, install it with `sudo apt-get install libdatetime-perl`
`grep -v -i -f timeline_noise.txt <outputfile>.csv > <outfile-final>.csv` | Reduces timeline noise using the patterns in timeline_noise.txt
### timeline_noise.txt
```
Content.IE5
Temporary\ Internet\ Files
IETldCache
PrivacIE
ACPI
MSIE\ Cache\ File
\(\$FILE\_NAME\)
THREAD
DLL\ LOADTIME
```
### MFT timeline
Command | Description
---|---
`icat -o <offset> <filename> 0 > <directory>/mft.raw` | Extracts the $MFT (NTFS inode 0) from the disk for an enhanced timeline
`analyzeMFT.py -f <directory>/mft.raw -e -o mfttl.csv` | Generates an MFT CSV timeline
## Quick registry analysis
```sh
rip.pl -r NTUSER.DAT -p userassist
```
From the files extracted with tsk_recover, you can quickly get the UserAssist keys. To see the other plugins available, use `--help`.
## Hash all files, including unallocated, with find on a live Linux system
```sh
find . -type f -exec md5sum "{}" \;
```
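Added example, not part of the playbook: the one-liner above wrapped so that its output is compared against a list of known-bad hashes, which is the usual reason to hash a tree during triage. The hash list, the scratch directory and the file names created by `demo_known_bad` are constructed for the demo; `md5sum` is kept to match the playbook, and `sha256sum` is a drop-in replacement.

```shell
#!/bin/sh
# Added example (not from the article): the find/md5sum one-liner, with the resulting
# hashes matched against a list of known-bad hashes. The hash list and the files
# created by demo_known_bad are CONSTRUCTED for this example.

# Hash every regular file under $1 as "hash  path" (same one-liner as the playbook).
hash_tree() {
    find "$1" -type f -exec md5sum "{}" \;
}

# Print the path of every file under $1 whose MD5 appears in the hash list $2
# (one lowercase hex digest per line). md5sum output is 32 hex chars + two spaces,
# so the path starts at column 35; this survives paths containing spaces.
match_known_bad() {
    hash_tree "$1" | awk -v list="$2" '
        BEGIN { while ((getline h < list) > 0) bad[tolower(h)] = 1; close(list) }
        ($1 in bad) { print substr($0, 35) }'
}

# Self-contained demo: a scratch directory with one file whose hash is on the list.
# d41d8cd98f00b204e9800998ecf8427e is the MD5 of empty input, used only because it is
# reproducible; a real list comes from threat intel or a previous case.
demo_known_bad() {
    work=$(mktemp -d)
    mkdir -p "$work/tree/Program Files"
    : > "$work/tree/Program Files/suspect.bin"              # empty file -> on the list
    printf 'quarterly report\n' > "$work/tree/notes.txt"     # benign, not on the list
    printf '%s\n' d41d8cd98f00b204e9800998ecf8427e 00000000000000000000000000000000 > "$work/bad.txt"
    match_known_bad "$work/tree" "$work/bad.txt" | sed "s#^$work/##"
    rm -rf "$work"
}

demo_known_bad
```

On a large tree, `-exec md5sum "{}" +` (plus instead of `\;`) batches many files per md5sum process and is considerably faster; the output format is identical, so `match_known_bad` works unchanged.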
## Get the physical location of a file on disk
```sh
filefrag -v <filename>
```
## Mounting from a raw image
### Pre-requisites
Install the following packages if you are not mounting an ext4-based image:
```sh
sudo apt-get install fusermount xmount afflib-tools ewf-tools qemu-utils libbde-utils libvshadow-utils
```
### Instructions
You can mount from a raw image by conducting the following:
```sh
fdisk -l <filename>
```
This will show output like this for an ext4-based filesystem:
```
Disk ./file: 64 GiB, 68719477248 bytes, 134217729 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x000bbd9c

Device     Boot Start       End   Sectors Size Id Type
./filep1   *     2048 134217727 134215680  64G 83 Linux
```
Then, make a directory to mount to:
```sh
sudo mkdir /mnt/raw
```
Use the output above, where the Start sector is 2048, and multiply it by the sector size (512) to get the byte offset:
```sh
echo $((512 * 2048))
```
Which should give:
```
1048576
```
Use this offset to mount read-only. NOTE: you can use the `-t` option to specify non-ext4 filesystem types like ntfs or fat.
```sh
sudo mount -o ro,loop,offset=1048576 <filename> /mnt/raw/
```
If you get the following error:
```
mount: /mnt/raw: cannot mount /dev/loop read-only.
```
add the `noload` option. This lets you mount a filesystem with a dirty journal without replaying it, and prevents any data on the image from being changed.
```sh
sudo mount -o ro,noload,loop,offset=1048576 <filename> /mnt/raw/
```
From the man page:
> Note that, depending on the filesystem type, state and kernel behavior, the system may still write to the device. For example, ext3 and ext4 will replay the journal if the filesystem is dirty. To prevent this kind of write access, you may want to mount an ext3 or ext4 filesystem with the ro,noload mount options or set the block device itself to read-only mode, see the blockdev(8) command.

See https://www.sans.org/blog/how-to-mount-dirty-ext4-file-systems/ for further info.
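Added example (not from the original post): the offset calculation and mount command above as a script. `fdisk_offset` reads the sector size from the `Units:` line of `fdisk -l` instead of assuming 512, `mount_options` adds `noload` only for ext3/ext4 (the case where the read-only mount error above appears; other filesystems reject that option), and the fdisk text embedded is the post's own listing reproduced as a string. The function names and the `/mnt/raw` default are this example's own.

```shell
#!/bin/sh
# Added example (not from the article): derive the mount offset from `fdisk -l` output
# instead of a hard-coded 512, and build the read-only mount command with the noload
# fallback described above. SAMPLE_FDISK reproduces the article's listing.
SAMPLE_FDISK='Disk ./file: 64 GiB, 68719477248 bytes, 134217729 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x000bbd9c

Device     Boot Start       End   Sectors Size Id Type
./filep1   *     2048 134217727 134215680  64G 83 Linux'

# Byte offset of the Nth partition row ($2, 1-based) in the fdisk text $1.
# The sector size comes from the "Units:" line; the optional "*" in the Boot
# column is skipped so Start is read from the right field either way.
fdisk_offset() {
    printf '%s\n' "$1" | awk -v n="$2" '
        /^Units:/          { unit = $(NF - 1) }
        /^Device/          { in_table = 1; next }
        in_table && NF > 0 {
            start = ($2 == "*") ? $3 : $2
            if (++row == n) printf "%.0f\n", start * unit
        }'
}

# Mount options for a forensic read-only mount: ro is the baseline; noload is added
# for ext3/ext4 so a dirty journal is not replayed (the "cannot mount ... read-only" case).
mount_options() {
    offset=$1
    fstype=$2
    case "$fstype" in
        ext3|ext4) printf 'ro,noload,loop,offset=%s\n' "$offset" ;;
        *)         printf 'ro,loop,offset=%s\n' "$offset" ;;
    esac
}

# Print the full mount command for partition PART of IMAGE, using FSTYPE (ext4, ntfs, ...).
mount_command() {
    image=$1
    fdisk_text=$2
    part=$3
    fstype=$4
    target=${5:-/mnt/raw}
    offset=$(fdisk_offset "$fdisk_text" "$part")
    printf 'sudo mount -t %s -o %s %s %s\n' "$fstype" "$(mount_options "$offset" "$fstype")" "$image" "$target"
}

# Stand-alone run against the article's listing: prints the ext4 mount line with noload.
mount_command ./file "$SAMPLE_FDISK" 1 ext4
```

The script only prints the command rather than running it, so it can be reviewed before anything touches the image; in a live case substitute `"$(fdisk -l image.raw)"` for `SAMPLE_FDISK`.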