Setting up for DFIR

1. Volatility2

#

To install I downloaded their linux standalone release

wget https://github.com/volatilityfoundation/volatility/releases/download/2.6.1/volatility_2.6_lin64_standalone.zip
unzip volatility_2.6_lin64_standalone.zip
./volatility_2.6_lin64_standalone/volatility_2.6_lin64_standalone

You can rename the file to make your job easier. This should be working out of the box.

Usage

#

1. When given a new memory dump, the first thing you want is to identify the profile of the machine that the dump belonged to

   ❯ ../vol -f MemoryDump_Lab0.raw imageinfo

   Volatility Foundation Volatility Framework 2.6
   INFO    : volatility.debug    : Determining profile based on KDBG search...
             Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64, Win2008R2SP1x64_23418, Win2008R2SP1x64, Win7SP1x64_23418
                       AS Layer1 : WindowsAMD64PagedMemory (Kernel AS)
                       AS Layer2 : FileAddressSpace (/home/subzcuber/ctfs/dfir/lab2/MemoryDump_Lab2.raw)
                         PAE type : No PAE
                             DTB : 0x187000L
                             KDBG : 0xf800027f20a0L
             Number of Processors : 1
       Image Type (Service Pack) : 1
                   KPCR for CPU 0 : 0xfffff800027f3d00L
               KUSER_SHARED_DATA : 0xfffff78000000000L
             Image date and time : 2019-12-14 10:38:46 UTC+0000
       Image local date and time : 2019-12-14 16:08:46 +053

2. Once you have the profile you use different plugins on this mem dump to analyse it

   ❯ ../vol -f MemoryDump_Lab0.raw --profile=Win7SP1x64 pslist

   Offset(V)          Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
   ------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
   0xfffffa8000ca0040 System                    4      0     80      541 ------      0 2019-12-14 10:35:21 UTC+0000
   0xfffffa80014976c0 smss.exe                248      4      3       37 ------      0 2019-12-14 10:35:21 UTC+0000
   0xfffffa80014fdb30 csrss.exe               320    312     10      446      0      0 2019-12-14 10:35:27 UTC+0000

   Commonly used:

   • general
     • pslist: processes
     • cmdscan: commands executed in terminal
     • consoles: output of those commands
     • hashdump: NTLM password hashes
     • clipboard: check clipboard
   • process memory
     • memdump: dump all ram of a process as one file
     • envars: env vars
     • cmdline: check cli arguments given to processes
     • iehistory: internet explorer history
   • disk files
     • filescan: find all files in physical memory
     • dumpfiles: dump file at offset
     • mftparser: parse master file table

Resources

#

• Command Reference
• vol2 cheatsheet

2. stego-toolkit

#

To install this you can just pull the prebuilt Docker image

❯ sudo docker pull dominicbreuker/stego-toolkit

Usage

#

run the docker image in an interactive terminal and mount your local files

❯ sudo docker run -it  -v ./path/to/local/files/:/data dominicbreuker/stego-toolkit /bin/bash

you can make this an alias

alias stego="sudo docker run -it  -v $(pwd):/data dominicbreuker/stego-toolkit /bin/bash"

This gives you a shell with all the stego tools you could need. Some to start with are

❯ ./check_png.sh *.png
❯ ./check_jpg.sh *.jpg

3. Sleuthkit

#

Sleuthkit is an amazing collection of tools for forensic filesystem analysis

sudo pacman -S sleuthkit

Usage

#

Commonly Used:

1. fls: list files and directories on image

   ❯ fls -r -p image.raw > dump/file_scan

   • -p adds absolute paths
   • -r recursively prints everything

2. icat: output contents of file based on inode

   ❯ icat -f ext4 image.raw 664521 > dump/recovered.png

   • -f filesystem type

Resources

#

• case studies
• man pages
• recursively recover all deleted files
• command reference