Guidance EnCase
AccessData FTK
ProDiscover
Hard disk geometry and ATA features: DCO (Device Configuration Overlay) and HPA (Host Protected Area)
can be revealed and removed with a tool: hdparm
result:
/dev/sda:
 setting max visible sectors to 120103200 (permanent)
 SET_MAX_ADDRESS failed: ip/op error
 max sectors = 120103200/120103200, HPA disabled
Android blocks installing and running apps from the SD card, so the external SD card has to be
made executable first.
On Android, use a new SD card, install dc3dd on it and acquire the image of the Android partition
onto that card.
Download the Android build of dc3dd first and push it to the SD card.
================================================================================================
Artifacts extraction and analysis with CLI tools
================================================================================================
Extract and analyse the filesystem using The Sleuth Kit (TSK) tools; analyse the Windows registry with RegRipper.
TSK tool name prefixes (one per layer):
"mm-" volume or media management layer (partition tables)
"fs-" file system structures
"blk-" data unit or block layer
"i-" metadata layer or inode layer
and suffixes (the action):
"-stat" displays information about the queried item
"-ls" lists the content of the queried layer
"-cat" dumps/extracts the content of the queried layer
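The "mm-" layer is where the partition offset used later by mount -o offset=... comes from: mmls reads the partition table in sector 0 and prints start sectors, and the byte offset is start sector times sector size. The following added example (not part of the original notes, and not TSK code) parses an MBR the same way over a constructed 512-byte sample; the sector size of 512 and the sample partition layout are assumptions.

```python
import struct

SECTOR_SIZE = 512          # assumed logical sector size (check with hdparm/fdisk on a real disk)
MBR_SIGNATURE = b'\x55\xaa'

# Common MBR partition type codes (well-known values, not an exhaustive table)
PARTITION_TYPES = {
    0x05: 'Extended', 0x07: 'NTFS/exFAT', 0x0b: 'FAT32 (CHS)', 0x0c: 'FAT32 (LBA)',
    0x0f: 'Extended (LBA)', 0x82: 'Linux swap', 0x83: 'Linux', 0xee: 'GPT protective',
}


def parse_mbr(sector0):
    """Parse the four primary partition entries of an MBR (sector 0).

    Returns one dict per non-empty slot, including the byte offset that
    `mount -o offset=...` needs to reach the partition inside a raw image.
    """
    if len(sector0) < 512 or sector0[510:512] != MBR_SIGNATURE:
        raise ValueError('no 0x55AA signature in sector 0: not an MBR (GPT-only or damaged?)')
    entries = []
    for slot in range(4):
        off = 446 + 16 * slot
        boot_flag = sector0[off]
        ptype = sector0[off + 4]
        # bytes 1-3 and 5-7 hold legacy CHS values; modern tools rely on the LBA fields
        start_lba, sector_count = struct.unpack_from('<II', sector0, off + 8)
        if ptype == 0x00 or sector_count == 0:
            continue                      # unused slot
        entries.append({
            'slot': slot,
            'bootable': boot_flag == 0x80,
            'type': ptype,
            'description': PARTITION_TYPES.get(ptype, 'unknown (0x%02x)' % ptype),
            'start_sector': start_lba,
            'end_sector': start_lba + sector_count - 1,
            'sector_count': sector_count,
            'byte_offset': start_lba * SECTOR_SIZE,
        })
    return entries


def format_table(entries):
    """Render the entries roughly the way `mmls` does."""
    lines = ['%-5s %-12s %-12s %-12s %s' % ('Slot', 'Start', 'End', 'Length', 'Description')]
    for e in entries:
        lines.append('%-5d %-12d %-12d %-12d %s' % (
            e['slot'], e['start_sector'], e['end_sector'], e['sector_count'], e['description']))
    return '\n'.join(lines)


def build_sample_mbr(partitions):
    """Construct a 512-byte MBR for testing; partitions = [(bootable, type, start_lba, count)]."""
    sector = bytearray(512)
    for slot, (bootable, ptype, start_lba, count) in enumerate(partitions):
        off = 446 + 16 * slot
        sector[off] = 0x80 if bootable else 0x00
        sector[off + 4] = ptype
        struct.pack_into('<II', sector, off + 8, start_lba, count)
    sector[510:512] = MBR_SIGNATURE
    return bytes(sector)


# Constructed sample: one NTFS partition starting at the classic LBA 63 and filling the disk
# up to the 120103200-sector maximum reported by the hdparm output above.
SAMPLE_MBR = build_sample_mbr([(True, 0x07, 63, 120103200 - 63)])

if __name__ == '__main__':
    parts = parse_mbr(SAMPLE_MBR)
    print(format_table(parts))
    for p in parts:
        print('slot %d: mount -o ro,offset=%d image.raw /mnt/suspect' % (p['slot'], p['byte_offset']))
```

For the sample the byte offset comes out as 63 * 512 = 32256, the value used in the mount command further down; on a 4K-sector disk or a GPT disk the same arithmetic does not apply, which is why checking mmls output (and the 0x55AA signature) before mounting matters.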
--- RegRipper ---
The registry is composed of binary data files called "hives".
The main registry hives are SAM, SECURITY, SOFTWARE and SYSTEM,
located under C:\Windows\System32\config.
There are also user-specific hives: NTUSER.DAT and USRCLASS.DAT (located under the
user's profile directory).
On a 64-bit system we need to add 32-bit support (RegRipper is run under wine here) using the commands below:
dpkg --add-architecture i386
apt-get install wine32
mkdir /mnt/image
ls -l
affuse suspect_hd.img.000 /mnt/image/        # expose the AFF image as a raw file
cd /mnt/image
mkdir /mnt/suspect
mount -o ro,offset=32256 suspect_hd.img.000.raw /mnt/suspect   # offset = 63 sectors * 512 bytes, read-only
cd /mnt/suspect/
cd WINDOWS/system32/config
copy all the registry hives (SAM, SOFTWARE, SECURITY, SYSTEM) to inspect them, and also
NTUSER.DAT and USRCLASS.DAT from Documents and Settings
now run RegRipper
malware uses autostart locations to persist in the system, e.g.
Software\Microsoft\Windows\CurrentVersion\Run
another important set of keys is UserAssist (program execution history)
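UserAssist values record which programs a user launched, how often, and when, but the value names are ROT13-obfuscated and the data is a binary blob, so they are unreadable without decoding. The following added example (not from the notes and not RegRipper's code) decodes the names and parses the Windows 7+ 72-byte value layout; the field offsets are taken from public descriptions of the format and the sample values are constructed, with a known-folder GUID standing in for the folder prefix real names carry.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
WIN7_VALUE_SIZE = 72        # Windows 7 and later UserAssist value length (XP used 16 bytes)


def filetime_to_datetime(ft):
    """FILETIME = 100-nanosecond ticks since 1601-01-01 UTC; 0 means 'never'."""
    if ft == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    # integer division keeps the ~1.3e16 microsecond values exact (float would not)
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def decode_userassist_name(value_name):
    """Value names under the UserAssist GUID subkeys are ROT13-obfuscated."""
    return codecs.decode(value_name, 'rot_13')


def parse_userassist_value(data):
    """Parse a Windows 7+ style UserAssist value (72 bytes).

    Layout assumed here (public reverse-engineering of the format):
      offset 4   uint32  run count
      offset 8   uint32  focus count
      offset 12  uint32  focus time in milliseconds
      offset 60  uint64  last executed (FILETIME)
    """
    if len(data) != WIN7_VALUE_SIZE:
        raise ValueError('expected %d bytes, got %d' % (WIN7_VALUE_SIZE, len(data)))
    run_count, focus_count, focus_ms = struct.unpack_from('<III', data, 4)
    last_run, = struct.unpack_from('<Q', data, 60)
    return {
        'run_count': run_count,
        'focus_count': focus_count,
        'focus_time': timedelta(milliseconds=focus_ms),
        'last_run': filetime_to_datetime(last_run),
    }


def build_userassist_value(run_count, focus_count, focus_ms, last_run):
    """Construct a 72-byte value for testing (inverse of parse_userassist_value)."""
    buf = bytearray(WIN7_VALUE_SIZE)
    struct.pack_into('<III', buf, 4, run_count, focus_count, focus_ms)
    struct.pack_into('<Q', buf, 60, datetime_to_filetime(last_run) if last_run else 0)
    return bytes(buf)


def report(values):
    """values: {rot13_name: raw_bytes} as read from the hive -> decoded records, newest first."""
    records = []
    for name, raw in values.items():
        rec = parse_userassist_value(raw)
        rec['name'] = decode_userassist_name(name)
        records.append(rec)
    # entries that were never run (no timestamp) sort last
    records.sort(key=lambda r: r['last_run'] or FILETIME_EPOCH, reverse=True)
    return records


# Constructed sample: two ROT13 names in the Windows 7+ style ({known-folder GUID}\program.exe)
SAMPLE_VALUES = {
    '{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\\pzq.rkr':
        build_userassist_value(12, 3, 45000, datetime(2014, 3, 5, 14, 22, 31, tzinfo=timezone.utc)),
    '{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\\abgrcnq.rkr':
        build_userassist_value(1, 1, 2000, datetime(2014, 3, 4, 9, 0, 0, tzinfo=timezone.utc)),
}

if __name__ == '__main__':
    for rec in report(SAMPLE_VALUES):
        print('%s  runs=%d  last=%s' % (rec['name'], rec['run_count'], rec['last_run']))
```

The timestamps are UTC as stored; convert with the machine's time zone (from the SYSTEM hive) only at reporting time, and keep the raw FILETIME alongside so the conversion can be checked.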
================================================================================================
Extracting and analysing browser, e-mail and IM artifacts
================================================================================================
IE stores typed URLs for autocomplete, and its preferences, in registry keys under:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\
cache: (user profile)\Local\Microsoft\Windows\Temporary Internet Files\Content.IE\index.dat
cookies: (user profile)\Roaming\Microsoft\Windows\Cookies\index.dat
use pasco to analyse the history:
pasco index.dat
for the ESE-based cache database (IE10 and later):
esedbexport WebCacheV01.dat
Chrome:
userProfile\AppData\chrome
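Chrome keeps its history in an SQLite file named History (under the profile directory, e.g. AppData\Local\Google\Chrome\User Data\Default on Windows), and the timestamps in its urls table are microseconds since 1601-01-01 UTC rather than Unix time. The following added example (not from the notes, not Chrome's code) builds a small in-memory History database with the urls table columns Chrome uses, then queries it and converts the timestamps; the rows are constructed sample data.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def webkit_to_datetime(value):
    """Chrome stores times as microseconds since 1601-01-01 UTC; 0 means never visited."""
    if not value:
        return None
    return WEBKIT_EPOCH + timedelta(microseconds=value)


def datetime_to_webkit(dt):
    # integer division keeps the large microsecond counts exact
    return (dt - WEBKIT_EPOCH) // timedelta(microseconds=1)


def build_sample_history(path=':memory:'):
    """Construct a minimal History database with Chrome's `urls` table layout (sample data)."""
    conn = sqlite3.connect(path)
    conn.execute("""CREATE TABLE urls (
        id INTEGER PRIMARY KEY, url TEXT, title TEXT,
        visit_count INTEGER DEFAULT 0, typed_count INTEGER DEFAULT 0,
        last_visit_time INTEGER NOT NULL, hidden INTEGER DEFAULT 0)""")
    rows = [
        ('https://example.com/', 'Example Domain', 4, 2,
         datetime_to_webkit(datetime(2014, 3, 5, 14, 30, 0, tzinfo=timezone.utc)), 0),
        ('http://intranet.example/payroll.xls', 'payroll', 1, 0,
         datetime_to_webkit(datetime(2014, 3, 5, 14, 35, 10, tzinfo=timezone.utc)), 0),
        ('https://never-visited.example/', '', 0, 0, 0, 1),   # hidden row, no visit yet
    ]
    conn.executemany(
        'INSERT INTO urls (url, title, visit_count, typed_count, last_visit_time, hidden) '
        'VALUES (?, ?, ?, ?, ?, ?)', rows)
    conn.commit()
    return conn


def url_history(conn, include_hidden=False):
    """Return URLs newest first, with last_visit_time converted to ISO-8601 UTC."""
    query = 'SELECT url, title, visit_count, typed_count, last_visit_time FROM urls'
    if not include_hidden:
        query += ' WHERE hidden = 0'
    query += ' ORDER BY last_visit_time DESC'
    records = []
    for url, title, visits, typed, last in conn.execute(query):
        when = webkit_to_datetime(last)
        records.append({'url': url, 'title': title, 'visit_count': visits,
                        'typed_count': typed,
                        'last_visit': when.isoformat() if when else None})
    return records


def open_history_copy(path):
    """Open a copied History file read-only; Chrome locks the live file while it runs."""
    return sqlite3.connect('file:%s?mode=ro' % path, uri=True)


if __name__ == '__main__':
    for rec in url_history(build_sample_history(), include_hidden=True):
        print('%s  %-40s visits=%d typed=%d' % (rec['last_visit'], rec['url'],
                                                rec['visit_count'], rec['typed_count']))
```

Work on a copy of the History file (and its -journal or -wal companion, if present) rather than the live one, and treat typed_count as the stronger signal of user intent than visit_count, since redirects and embedded resources also create visits.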
===========================
Use log2timeline/plaso to build a super-timeline
===========================
network analysis
metasploitable
=========
Reporting Tools