
Forensic suites

Guidance EnCase
AccessData FTK
ProDiscover

Forensic image formats

Expert Witness Format (EWF)


SMART

the libewf package converts and manages EWF images

Forensic image acquiring process


dcfldd
dc3dd
Guymager

Hard disk geometry and ATA features: a DCO (Device Configuration Overlay) and an HPA (Host Protected Area)
hide sectors from the OS; both can be revealed and removed with one tool: hdparm

# hdparm --dco-identify /dev/sda


# hdparm -N /dev/sda
result:
/dev/sda:
max sectors = 100000000 / 120103200 HPA is enabled

# hdparm -N p120103200 /dev/sda

result:
/dev/sda:
setting max visible sectors to 120103200 (permanent)
SET_MAX_ADDRESS failed: ip/op error
max sectors = 120103200 /120103200 HPA disabled

Android blocks installing and running apps from the SD card, so the external SD card
has to be remounted as executable.

On Android, use a new SD card, install dc3dd on it and acquire the image from the
Android partition: download the Android build of dc3dd first and push it to the SD card.

# mount -o remount,rw,exec /storage/sdcard1/


# ./dc3dd if=/dev/block/mmcblk0 hof=mmcblk0.img hash=sha512 log=mmcblk0.log
# cat /proc/mounts     (shows which mmcblk device is associated with which
partition / mount point)

================================================================================
Artifacts extraction and analysis with CLI tools
================================================================================

extract and analyse the file system using The Sleuth Kit (TSK) tools
Windows registry analysis with RegRipper

log2timeline/plaso to build a super-timeline

TSK tool groups (by name prefix / suffix):
"mm-" volume or media management layer
"fs-" file system structures
"blk-" data unit or block layer
"i-" metadata layer or inode layer
"-stat" displays information about the queried item
"-ls" lists the content of the queried layer
"-cat" dumps/extracts the content of the queried layer

use on the acquired image file (the glob passes all split segments at once)


# mmls suspect_hd.img.*
# fsstat -o 63 suspect_hd.img.*
# fls -o 63 -rdp suspect_hd.img.*
# fls -o 63 -r -m / suspect_hd.img.* > bodyfile.txt
# ils -o 63 suspect_hd.img.*
# ils -o 63 -m suspect_hd.img.* >> bodyfile.txt
# istat -o 63 suspect_hd.img.* 0
# blkcat -o 63 suspect_hd.img.* 788751 | xxd | head
# mactime -b bodyfile.txt > mactime.txt
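As an added illustration (not part of the original notes) of what `fls -m` / `ils -m` write and `mactime -b` reads: a small Python script that parses constructed body-file lines (the TSK 3.x pipe-separated format) and emits one timeline row per timestamp with the MACB flags, the same collapsing mactime performs.

```python
# Added example (not the original notes' code): a minimal mactime-style timeline builder
# for the TSK body-file format produced by `fls -m` / `ils -m`. Sample lines are constructed.
from collections import namedtuple
from datetime import datetime, timezone

# TSK 3.x body-file columns (pipe separated); timestamps are Unix epoch seconds
FIELDS = ("md5", "name", "inode", "mode", "uid", "gid", "size",
          "atime", "mtime", "ctime", "crtime")
# mactime letters: m = modified, a = accessed, c = metadata changed, b = born (created)
TIME_FLAGS = (("mtime", "m"), ("atime", "a"), ("ctime", "c"), ("crtime", "b"))
Row = namedtuple("Row", "ts macb size mode inode name")

SAMPLE_BODY = """\
0|C:/WINDOWS/system32/config/SAM|1234-128-1|r/rrwxrwxrwx|0|0|262144|1300000000|1299990000|1299990000|1290000000
0|C:/Documents and Settings/bob/NTUSER.DAT|5678-128-3|r/rrwxrwxrwx|0|0|1572864|1300000000|1300000000|1300000000|1290000000
0|C:/WINDOWS/Prefetch/SUSPECT.EXE-1A2B3C4D.pf (deleted)|9012-128-1|r/rrwxrwxrwx|0|0|0|1300003600|1300003600|1300003600|1300003600
"""

def parse_body_line(line):
    """Split one body-file line into a dict, rejecting lines with the wrong field count."""
    parts = line.rstrip("\n").split("|")
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    return dict(zip(FIELDS, parts))

def build_timeline(lines):
    """Like `mactime -b`: one row per (timestamp, entry) carrying the MACB letters of
    every timestamp field with that value. Zero (unknown) timestamps are skipped."""
    grouped = {}  # (ts, inode, name) -> [record, set of MACB letters]
    for line in lines:
        if not line.strip():
            continue
        rec = parse_body_line(line)
        for field, letter in TIME_FLAGS:
            ts = int(rec[field])
            if ts == 0:
                continue
            entry = grouped.setdefault((ts, rec["inode"], rec["name"]), [rec, set()])
            entry[1].add(letter)
    rows = []
    for (ts, inode, name), (rec, letters) in sorted(grouped.items()):
        macb = "".join(ch if ch in letters else "." for ch in "macb")
        rows.append(Row(ts, macb, int(rec["size"]), rec["mode"], inode, name))
    return rows

def format_row(row):
    """Render a row the way mactime prints it: date, size, MACB flags, mode, inode, name."""
    when = datetime.fromtimestamp(row.ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")
    return f"{when} {row.size:>9} {row.macb} {row.mode} {row.inode} {row.name}"
```

For a real body file, pass `open("bodyfile.txt")` instead of `SAMPLE_BODY.splitlines()` and print each row with `format_row`.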

---RegRipper---
the registry is composed of binary data files called "hives"
the main registry hives are SAM, Security, Software and System,
located under C:\Windows\System32\config
there are also user-specific hives: NTUSER.DAT and USRCLASS.DAT (located under the
user's profile directory)

the registry has two basic elements: keys and values


an important root key is HKEY_LOCAL_MACHINE (HKLM), where the main registry hives are
mapped as subkeys
RegRipper is written in Perl and has both a GUI and a CLI; it executes plugins to parse
the registry and extract data, and hundreds of plugins are available

on a 64-bit system we need to add 32-bit support (to run the Windows build under Wine) with the commands below
dpkg --add-architecture i386
apt-get install wine32
mkdir /mnt/image
ls -l
affuse suspect_hd.img.000 /mnt/image/
cd /mnt/image
mkdir /mnt/suspect
mount -o ro,offset=32256 suspect_hd.img.000.raw /mnt/suspect
cd /mnt/suspect/
cd WINDOWS/system32/config
copy all registry hives to inspect them: SAM, Software, Security, System, and also
NTUSER.DAT and USRCLASS.DAT from the user's Documents and Settings folder
now run RegRipper
malware uses autostart locations to persist on the system, e.g.:
Software\Microsoft\Windows\CurrentVersion\Run
another important set is the UserAssist keys
=================================================================================
extraction and analysis of browser, e-mail and IM artifacts
=================================================================================
IE stores typed URLs (for autocomplete) and its preferences in registry keys
under:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\
cache: (user profile)\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
cookies: (user profile)\Roaming\Microsoft\Windows\Cookies\index.dat
use pasco to analyse the history
pasco index.dat

use galleta to analyse cookies


galleta file.txt

on Windows 10, IE stores its history in ESE database files:


%USERPROFILE%\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat
to read such files install libesedb
on Windows use the NirSoft and Mandiant tools

# esedbexport WebCacheV01.dat

Firefox and Chrome store their artifacts in SQLite database files


Firefox:
History and bookmarks: places.sqlite
cookies: cookies.sqlite
Downloaded files: downloads.sqlite
forms: formhistory.sqlite

Chrome:
(user profile)\AppData\Local\Google\Chrome\User Data\Default

use sqlitebrowser (DB Browser for SQLite)


==============================================================
use readpst (see readpst -h for options) to read Outlook PST files
===========================================================
image metadata: exiv2 -pa DSC_img.jpg

===========================
use log2timeline/plaso to build super-timeline
===========================
network analysis

metasploitable

=========
Reporting Tools

KeepNote and Dradis
