Forensic Suites and Utilities - Paiet/Tech-Journal-for-Everything GitHub Wiki

Forensic Suites and Utilities

  • Forensic investigation suite

  • Analysis utilities

    • Forensic Suites
      • FTK
      • EnCase
      • Magnet
      • Autopsy/SleuthKit
    • Forensic OS
      • CAINE
      • SIFT
    • Imaging utilities
      • Rhino Hunt practice files (the RHINOUSB.dd image used in the examples below)
      • dd ("data duplicator", nicknamed "disk destroyer": swapping if= and of= overwrites the evidence drive)
        • Attach the evidence drive through a write blocker (or mark it read-only) before touching it
        • Image a partition
          • dd if=/dev/sda1 of=/dev/sdb1 bs=64K conv=noerror,sync status=progress
        • Full disk image
          • dd if=/dev/sdX of=/dev/sdY bs=64K conv=noerror,sync status=progress
        • of= can also be a file (of=/mnt/evidence/disk.dd); hash it immediately afterwards
        • conv=noerror keeps going after an unreadable sector instead of aborting; sync pads that block (and any short block) with NULs so later data keeps its original offset
          • Note the read errors dd reports and hash the image itself, since the padded bytes are not what was on the media
      • FTK Imager Lite
        • Runs in Windows

Forensic Suites and Utilities Pt.2

  • Data carving
    • Recovering files from the raw bytes of an image by their headers and footers ("magic numbers"), without relying on filesystem metadata
      • Finds data in unallocated space and in "slack space" (the unused tail of a file's last cluster)
      • Data can be purposely hidden there
      • Could be remnants of deleted files
    • Foremost
      • foremost -t doc,jpg,pdf,xls -i /root/RHINO/RHINOUSB.dd -o /root/RHINO/foremost_out
        • Carved files land under the output directory by type, with an audit.txt listing their offsets
    • Bulk Extractor
      • bulk_extractor -S jpeg_carve_mode=2 -o /root/RHINO/be_out RHINO/RHINOUSB.dd
        • jpeg_carve_mode=2 carves every JPEG found (0 = none, 1 = only encoded/embedded ones); -o must point at a new or empty directory
  • Alternate Data Streams (ADS)
    • NTFS lets a file carry extra named $DATA streams; a normal directory listing and the file size show only the unnamed (main) stream
    • C:\> notepad.exe test.txt:hidden.txt
      • Notepad prompts to create test.txt:hidden.txt and opens it
        • Type the secret data, save, close Notepad
      • Use Notepad to put ordinary content into test.txt itself
      • Perform dir
        • hidden.txt does not appear and test.txt's size does not include it
      • Perform dir /R
        • Lists test.txt:hidden.txt:$DATA beneath the file
    • Streams are dropped when the file is copied to FAT/exFAT or any non-NTFS storage

Forensic Suites and Utilities Pt.3

  • Memory dumps

    • Capture RAM before the victim machine is powered off, because its contents are lost at shutdown
      • Encryption keys (for example, the keys of full-disk encryption volumes that are still mounted)
      • Malware discovery (injected code, hidden processes, live network connections)
    • How to dump memory
      • Linux
        • memdump
        • dd if=/dev/fmem of=/tmp/dump.dd
          • /dev/fmem is provided by the fmem kernel module; modern kernels restrict /dev/mem, so dd if=/dev/mem usually fails or produces a truncated dump
      • Windows
        • FTK Imager (File > Capture Memory)
        • Autopsy (analyses an existing dump; the capture itself comes from a tool such as FTK Imager)
    • Volatility
      • Analyses the dump offline: process list, network connections, loaded DLLs, injected code
      • See the man page or --help for the plugin list; the profile/symbols must match the OS the dump came from
  • Chain of custody

    • Documenting who collected and handled the evidence, when, where and why, so its integrity can be demonstrated later
    • Chain of custody forms (signed at every hand-off)
    • Barcodes on evidence bags and image media
  • Hashing utilities

    • md5sum
    • shasum (shasum -a 256 for SHA-256; sha256sum on Linux)
    • Hash the image at acquisition, record the value on the chain-of-custody form, and re-hash before analysis to prove it is unchanged
    • MD5 collisions are cheap to produce, so record a SHA-2 hash alongside it
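The imaging and hashing bullets above are easier to reason about with the mechanics spelled out. The following is an added example written for these notes (it is not code from the wiki page and it is not dd itself): it copies a source block by block the way `dd conv=noerror,sync` does, zero-fills blocks that could not be read, hashes the image as it is written (the value that belongs on the chain-of-custody form), and re-verifies the image later. `FlakySource` is a constructed stand-in for a disk that returns I/O errors on chosen blocks, and the 40-byte "disk" in `demo()` is constructed data; the function and variable names are this example's own.

```python
"""dd-style imaging with conv=noerror,sync semantics and on-the-fly hashing.

Added example for these notes (not code from the wiki page or from dd).
It models what `dd conv=noerror,sync` does on a source with unreadable
sectors and hashes the image as it is written. FlakySource is a
constructed fake device that raises I/O errors on chosen blocks.
"""
import hashlib
import io

BLOCK_SIZE = 64 * 1024  # bs=64K, as in the dd commands in the notes


class FlakySource:
    """Constructed fake device: raises OSError(EIO) when a listed block is read."""

    def __init__(self, data: bytes, bad_blocks: set, block_size: int = BLOCK_SIZE):
        self.data, self.bad, self.bs, self.pos = data, bad_blocks, block_size, 0

    def read(self, n: int) -> bytes:
        block_index = self.pos // self.bs
        chunk = self.data[self.pos:self.pos + n]
        self.pos += len(chunk)  # like a real device, the offset moves on past the bad block
        if chunk and block_index in self.bad:
            raise OSError(5, "Input/output error")
        return chunk


def image_device(src, dst, block_size: int = BLOCK_SIZE, noerror: bool = True, sync: bool = True) -> dict:
    """Copy src to dst one block at a time, the way dd does.

    noerror: keep going after a read error instead of aborting (dd's default is to stop).
    sync:    pad every short or failed block with NUL bytes up to block_size, so the data
             after a bad sector stays at its original offset in the image.
    Returns the image hashes and the source offsets of the blocks that could not be read.
    """
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    bad_offsets, src_offset, written = [], 0, 0
    while True:
        try:
            chunk = src.read(block_size)
        except OSError:
            if not noerror:
                raise
            bad_offsets.append(src_offset)
            src_offset += block_size
            if not sync:
                continue  # noerror alone: the bad block just disappears and later data shifts
            chunk = b""  # sync: replaced by a full block of NULs below
        else:
            if not chunk:
                break  # end of source
            src_offset += len(chunk)
        if sync and len(chunk) < block_size:
            chunk = chunk.ljust(block_size, b"\x00")  # dd also pads a short final block
        dst.write(chunk)
        md5.update(chunk)
        sha256.update(chunk)
        written += len(chunk)
    return {
        "bytes_written": written,
        "md5": md5.hexdigest(),
        "sha256": sha256.hexdigest(),
        "bad_block_offsets": bad_offsets,
    }


def hash_bytes(data: bytes) -> dict:
    """What md5sum/shasum would report for the same bytes; used to re-verify an image later."""
    return {"md5": hashlib.md5(data).hexdigest(), "sha256": hashlib.sha256(data).hexdigest()}


def verify_image(image: bytes, record: dict) -> bool:
    """Re-hash the image and compare with the acquisition record (the chain-of-custody check)."""
    current = hash_bytes(image)
    return current["md5"] == record["md5"] and current["sha256"] == record["sha256"]


def demo(sync: bool = True):
    """Image a constructed 40-byte 'disk' (block size 16) whose second block is unreadable."""
    data = b"A" * 16 + b"B" * 16 + b"C" * 8
    image = io.BytesIO()
    record = image_device(FlakySource(data, bad_blocks={1}, block_size=16), image, block_size=16, sync=sync)
    return record, image.getvalue()


if __name__ == "__main__":
    rec, img = demo()
    print(rec)
    print(img)                     # A*16, 16 NULs where the B block was, C*8 padded to 16
    print(demo(sync=False)[1])     # A*16 then C*8: the C data has moved to offset 16
    print(verify_image(img, rec))  # True
```

Running it shows why the two conv options travel together: with `sync` the unreadable block becomes 16 NULs and the C block keeps offset 32, while with `noerror` alone the C block slides down to offset 16 and every later filesystem structure points at the wrong place. The record returned by `image_device` (size, hashes, bad-block offsets) is what you copy onto the chain-of-custody form.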

Forensic Suites and Utilities Pt.4

  • OS and process analysis
    • Task Manager
    • Sysinternals
      • pslist (PsList.exe)
    • top/htop
    • ps aux (BSD syntax, no dash) or ps -ef (POSIX syntax)
    • System Monitor
  • Mobile device forensics
    • Extraction types
      • Manual Extraction
        • As the name implies
        • Prone to human error
        • Takes time
      • Logical Extraction
        • Much like working with FTK or Autopsy
        • Simple/Easy
      • Hex Dumping
        • Device connects to workstation
        • Software instructs device to dump memory to workstation
        • Can see deleted files and unused space
      • Chip Off
        • Remove device memory chip
        • Dump memory to image and read from image
        • High level of expertise
      • Micro Read
        • Read the chip logic gates with electron microscope
          • Convert 1's and 0's into ASCII
        • High level of expertise
        • $$$$$
    • GrayKey
    • https://www.secureview.us
  • Password crackers and cryptography tools
    • Password crackers (run against hashes recovered from the image or the memory dump)
    • Decode "packed"/encoded data
      • base64 is an encoding, not encryption: base64 -d recovers the original bytes
  • Log viewers
    • Wireshark
      • Opens .pcap/.pcapng captures
      • tcpdump -w file.pcap writes the same format (its text output is not loadable)
        • Find the FTP-DATA transfer in the RHINO capture
          • Follow TCP Stream on the FTP-DATA connection (the data channel, separate from the FTP control channel)
          • Set "Show data as" to Hex Dump
          • Locate FF D8
            • "Magic number": a JPEG starts with 0xFFD8 and ends with 0xFFD9
          • Switch "Show data as" to Raw and select only the server-to-client direction
          • Save As file.jpg; check that it opens and record its hash
    • Windows Event Viewer
    • Syslogs
    • SIEM
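The data-carving bullets (Pt.2) and the Wireshark FTP-DATA recovery above rely on the same idea: scan raw bytes for the JPEG start marker FF D8 and stop at the end marker FF D9. The following is an added example written for these notes, not code from the wiki page, foremost or Wireshark. It carves every JPEG out of a byte buffer, whether that buffer is a disk image such as RHINOUSB.dd or a TCP stream saved as raw bytes, and it handles the two cases a one-liner gets wrong: EXIF thumbnails (a whole JPEG nested inside another, so the first FF D9 is not the end) and a header with no trailer (a truncated file or bytes that merely looked like a header). `fake_jpeg()` and `SAMPLE_IMAGE` are constructed stand-ins with real markers but no decodable picture data; the names are this example's own.

```python
"""Signature-based carving of JPEGs from raw bytes.

Added example for these notes (not from the wiki page, foremost or Wireshark).
Works on a disk image or on a saved FTP-DATA stream alike: both are buffers
with FF D8 ... FF D9 somewhere inside. fake_jpeg() builds constructed
marker-only stand-ins for the demo, not real pictures.
"""
import hashlib
from pathlib import Path

SOI = b"\xff\xd8"           # Start Of Image ("magic number" at offset 0 of every JPEG)
EOI = b"\xff\xd9"           # End Of Image
JPEG_HEADER = SOI + b"\xff"  # SOI is always followed by another marker, so require FF D8 FF


def carve_jpegs(data: bytes, max_size: int = 16 * 1024 * 1024) -> list:
    """Return [(offset, bytes), ...] for every complete JPEG found in data.

    Inside a JPEG's entropy-coded data a 0xFF byte is always followed by 0x00 or a
    restart marker (D0-D7), so FF D8 and FF D9 only occur as real markers. EXIF
    thumbnails embed a whole JPEG (own FF D8/FF D9) inside the outer one, so the
    nesting depth is tracked instead of stopping at the first FF D9. A header with
    no matching trailer within max_size is skipped and scanning resumes one byte
    later, so nothing after it is missed.
    """
    found, pos = [], 0
    while True:
        start = data.find(JPEG_HEADER, pos)
        if start == -1:
            break
        limit = min(len(data), start + max_size)
        depth, i, end = 0, start, None
        while i < limit:
            next_soi = data.find(SOI, i, limit)
            next_eoi = data.find(EOI, i, limit)
            if next_eoi == -1:
                break  # no trailer left: truncated candidate
            if next_soi != -1 and next_soi < next_eoi:
                depth += 1  # the outer SOI, or a nested thumbnail
                i = next_soi + 2
            else:
                depth -= 1
                i = next_eoi + 2
                if depth == 0:
                    end = i
                    break
        if end is None:
            pos = start + 1
            continue
        found.append((start, data[start:end]))
        pos = end
    return found


def save_carved(data: bytes, outdir: str) -> list:
    """Write each carved file as <offset>.jpg and return (path, sha256) pairs for the evidence log."""
    out = Path(outdir)
    out.mkdir(parents=True, exist_ok=True)
    written = []
    for offset, blob in carve_jpegs(data):
        path = out / f"{offset:08x}.jpg"
        path.write_bytes(blob)
        written.append((str(path), hashlib.sha256(blob).hexdigest()))
    return written


def fake_jpeg(payload: bytes, thumbnail: bytes = b"") -> bytes:
    """Constructed JPEG-shaped blob: SOI, an APP0 marker pair, payload, optional nested JPEG, EOI."""
    return SOI + b"\xff\xe0" + payload + thumbnail + EOI


# Constructed stand-in for a slice of a disk image (or of a saved FTP-DATA stream):
# zeros, a JPEG with an embedded thumbnail, slack bytes, a truncated header, a second JPEG.
SAMPLE_IMAGE = (
    b"\x00" * 32
    + fake_jpeg(b"first picture", thumbnail=fake_jpeg(b"thumb"))
    + b"slack slack slack"
    + b"\xff\xd8\xff\xe1" + b"truncated, no EOI"
    + fake_jpeg(b"second picture")
    + b"\x00" * 16
)

if __name__ == "__main__":
    for offset, blob in carve_jpegs(SAMPLE_IMAGE):
        print(f"JPEG at offset {offset:#x}, {len(blob)} bytes, sha256 {hashlib.sha256(blob).hexdigest()[:16]}...")
```

On the sample buffer the carver returns two files, at offsets 32 and 100: the first keeps its nested thumbnail intact instead of being cut at the thumbnail's FF D9, and the truncated header at offset 79 is skipped without swallowing the second picture. `save_carved` names each result by its offset in the image and returns the hash to put in the evidence log; foremost's audit.txt records the same offset information.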