
📘 SIFT BTFM


Created: 23.09.2020

Here is the official cheatsheet from SANS. I've copied it here for convenience. I will comment on some of them after I try each command in the list.

Shadow Timeline Creation

Step 1 – Attach Local or Remote System Drive

ewfmount system-name.E01 /mnt/ewf

Step 2 – Mount VSS Volume

VSS - Windows Volume Shadow Copy Service (also called the Volume Snapshot Service). vshadowmount expects an NTFS volume, so if ewf1 is a full-disk image rather than a single partition, pass the partition's byte offset with -o <offset> (start sector from mmls times the sector size); the same applies to the fls runs below, which take -o <sector offset>.

cd /mnt/ewf
vshadowmount ewf1 /mnt/vss

Step 3 – Run fls across ewf1 mounted image

cd /mnt/ewf
fls -r -m C: ewf1 >> /cases/vss-bodyfile

Step 4 – Run fls Across All Snapshot Images

cd /mnt/vss
for i in vss*; do fls -r -m C: $i >> /cases/vss-bodyfile; done

Step 5 – De-Duplicate Bodyfile using sort and uniq

sort /cases/vss-bodyfile | uniq > /cases/vss-dedupe-bodyfile

Every snapshot was listed with the same -m C: prefix, so a file that did not change between snapshots produces byte-identical lines and collapses to one; only files whose metadata differs keep one line per version, which is exactly what you want on the timeline.

Step 6 – Run mactime Against De-Duplicated Bodyfile

mactime -d -b /cases/vss-dedupe-bodyfile -z EST5EDT MM-DD-YYYY..MM-DD-YYYY > /cases/vss-timeline.csv
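Steps 5 and 6 are easy to run but hard to inspect, so here is the same de-duplication and mactime rendering in Python, as an added example that is not part of the SANS sheet or of The Sleuth Kit. It parses the bodyfile columns that fls -m writes (MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime, UTC epoch seconds), collapses duplicate lines, folds the four timestamps of each file into MACB-flagged rows, converts to the requested zone and applies the inclusive MM-DD-YYYY..MM-DD-YYYY range. The sample bodyfile is constructed: a live volume plus one shadow copy appended to the same file.

```python
"""Steps 5 and 6 of the shadow timeline in Python: de-duplicate a TSK bodyfile and
render it the way `mactime -d -b <bodyfile> -z <tz> <start>..<end>` does.
Added example for this page; not SANS or Sleuth Kit code."""
from datetime import datetime, timedelta, timezone
from zoneinfo import ZoneInfo  # Python 3.9+; named zones need the system tzdata

# Bodyfile columns written by `fls -m` (TSK 3.x). Times are UTC epoch seconds.
FIELDS = ("md5", "name", "inode", "mode", "uid", "gid", "size", "atime", "mtime", "ctime", "crtime")
HEADER = "Date,Size,Type,Mode,UID,GID,Meta,File Name"  # the header `mactime -d` prints

# Constructed sample: fls output of the live volume plus one shadow copy appended to the
# same file, so unchanged files appear twice and must collapse to a single line each.
SAMPLE_BODYFILE = """\
0|C:/Windows/System32/cmd.exe|12345-128-1|r/rrwxrwxrwx|0|0|302592|1331596800|1331596800|1331596800|1331596800
0|C:/Users/bob/Desktop/notes.txt|7777-128-3|r/rrwxrwxrwx|0|0|1024|1333411200|1333400000|1333400000|1333300000
0|C:/Windows/System32/cmd.exe|12345-128-1|r/rrwxrwxrwx|0|0|302592|1331596800|1331596800|1331596800|1331596800
0|C:/Users/bob/Desktop/notes.txt|7777-128-3|r/rrwxrwxrwx|0|0|1024|1333411200|1333400000|1333400000|1333300000
0|C:/Users/bob/Desktop/evil.exe|9999-128-4|r/rrwxrwxrwx|0|0|4096|1333500000|1333500000|1333500000|1333500000
"""


def dedupe_bodyfile(text):
    """Step 5 (`sort | uniq`): keep one copy of every identical line, in sorted order."""
    return sorted({ln for ln in text.splitlines() if ln and not ln.startswith("#")})


def parse_line(line):
    parts = line.split("|")
    if len(parts) != len(FIELDS):
        raise ValueError(f"not a TSK 3.x bodyfile line: {line!r}")
    rec = dict(zip(FIELDS, parts))
    for key in ("atime", "mtime", "ctime", "crtime"):
        rec[key] = int(rec[key])
    return rec


def resolve_tz(name):
    # timezone.utc needs no tzdata; anything else (EST5EDT, Europe/Berlin, ...) is looked up.
    return timezone.utc if name.upper() == "UTC" else ZoneInfo(name)


def mactime(lines, tz="UTC", start=None, end=None):
    """Step 6 (`mactime -d`): one CSV row per (file, timestamp) carrying MACB flags.
    start/end are 'MM-DD-YYYY' and, like mactime, are inclusive days in timezone tz."""
    zone = resolve_tz(tz)
    lo = datetime.strptime(start, "%m-%d-%Y").replace(tzinfo=zone).timestamp() if start else None
    hi = (datetime.strptime(end, "%m-%d-%Y").replace(tzinfo=zone) + timedelta(days=1)).timestamp() if end else None
    rows = []
    for line in lines:
        rec = parse_line(line)
        flags_at = {}  # timestamp -> set of flags that share it
        for flag, key in (("m", "mtime"), ("a", "atime"), ("c", "ctime"), ("b", "crtime")):
            if rec[key]:  # a zero timestamp means "not recorded"; mactime drops it too
                flags_at.setdefault(rec[key], set()).add(flag)
        for ts, flags in flags_at.items():
            if (lo is not None and ts < lo) or (hi is not None and ts >= hi):
                continue
            macb = "".join(f if f in flags else "." for f in "macb")
            when = datetime.fromtimestamp(ts, zone).strftime("%a %b %d %Y %H:%M:%S")
            csv = f'{when},{rec["size"]},{macb},{rec["mode"]},{rec["uid"]},{rec["gid"]},{rec["inode"]},{rec["name"]}'
            rows.append((ts, rec["name"], csv))
    rows.sort()  # chronological; equal timestamps ordered by name
    return [csv for _, _, csv in rows]


if __name__ == "__main__":
    deduped = dedupe_bodyfile(SAMPLE_BODYFILE)
    print(HEADER)
    for row in mactime(deduped, tz="EST5EDT", start="04-02-2012", end="04-03-2012"):
        print(row)
```

Run it and notes.txt yields three rows (`...b` creation, `m.c.` modification, `.a..` last access) while cmd.exe, whose four timestamps are identical, yields a single `macb` row; the date range is applied in the analyst's zone, which is why -z matters when the evidence and the examiner are in different time zones.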

Memory Analysis

vol.py <command> -f /path/to/windows_xp_memory.img --profile=WinXPSP3x86

The profile must match the image; run vol.py imageinfo -f <image> first if it is unknown.

Commands Meaning
connscan Scan for TCP connection objects (XP/2003 profiles; use netscan on Vista and later)
files List open files per process (Volatility 1.x; in 2.x use handles -t File)
imagecopy Convert a hibernation file or crash dump to a raw memory image
procdump Dump a process executable to disk
pslist List running processes
sockscan Scan for socket objects (XP/2003 profiles; use netscan on Vista and later)

SleuthKit

fsstat

Displays details about the file system

fsstat imagefile.dd

Data Layer Tools (Block or Cluster)

blkcat

Displays the contents of a disk block.

blkcat imagefile.dd block_num


blkls

Extracts the unallocated blocks of the file system to a file (this is where deleted data lives).

blkls imagefile.dd > imagefile.blkls

blkcalc

Maps between dd images and blkls results.

blkcalc imagefile.dd -u blkls_num

blkstat

Display allocation status of block.

blkstat imagefile.dd cluster_number

MetaData Layer Tools (Inode, MFT, or Directory Entry)

ils

Displays inode details.

ils imagefile.dd

istat

Displays information about a specific inode

istat imagefile.dd inode_num

icat

Displays contents of blocks allocated to an inode

icat imagefile.dd inode_num

ifind

Determine which inode contains a specific block

ifind imagefile.dd -d block_num

Filename Layer Tools

fls

Lists file names in a directory (allocated and deleted); -r recurses, -p prints full paths, -d shows only deleted entries

fls -rpd imagefile.dd

ffind

Find the filename that uses the inode

ffind imagefile.dd inode_num

Mounting dd images

mount -t fstype [options] image mountpoint

Commands Meaning
ro mount read-only (always, on evidence)
loop mount the image file through a loop device
noexec do not allow binaries on the mounted image to execute
offset=<bytes> byte offset of the partition inside a full-disk image (start sector from mmls times the sector size)
show_sys_files ntfs-3g: show the NTFS metafiles ($MFT, $LogFile, ...)
streams_interface=windows ntfs-3g: expose alternate data streams as file:stream

Example: mount -o loop,ro,show_sys_files,streams_interface=windows imagefile.dd /mnt/windows_mount. Mounts an image file at a specific location. For a full-disk image add offset=<bytes>; the two ntfs-3g options only apply to NTFS volumes.
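The offset= value is the one option people get wrong, because mount wants bytes while mmls reports sectors. The following is an added example, not part of the SANS sheet or The Sleuth Kit: it parses mmls output (the sample below is constructed for a typical Windows disk), multiplies by the sector size mmls states, and emits one read-only loop mount per real partition with the option set used on this page. The same commands work on an ewfmount export such as /mnt/ewf/ewf1; the mount-point names are an assumption.

```python
"""Turn an `mmls` partition listing into mount commands with the right offset= value.
Added example for this page (not Sleuth Kit or SANS code); the mmls output is constructed."""
import re

# Constructed `mmls imagefile.dd` output: a 100 MiB system-reserved partition followed by
# the OS volume. Slots 000/001 are the partition table and the unallocated gap before it.
SAMPLE_MMLS = """\
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Primary Table (#0)
001:  -------   0000000000   0000002047   0000002048   Unallocated
002:  000:000   0000002048   0000206847   0000204800   NTFS / exFAT (0x07)
003:  000:001   0000206848   0020971519   0020764672   NTFS / exFAT (0x07)
"""

NTFS_OPTS = "show_sys_files,streams_interface=windows"  # ntfs-3g only; meaningless on FAT/ext


def parse_mmls(text):
    """Return [(index, start_byte, length_bytes, description)] for mountable partitions."""
    m = re.search(r"Units are in (\d+)-byte sectors", text)
    if not m:
        raise ValueError("no sector-size line in mmls output")
    unit = int(m.group(1))  # 512 on most disks, 4096 on 4Kn drives: never hard-code it
    parts = []
    for line in text.splitlines():
        row = re.match(r"(\d+):\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(.*)", line)
        if not row or row.group(2) in ("Meta", "-------"):
            continue  # the partition table itself and unallocated gaps are not mountable
        idx, _, start, _, length, desc = row.groups()
        parts.append((int(idx), int(start) * unit, int(length) * unit, desc.strip()))
    return parts


def mount_commands(mmls_text, image, mount_base="/mnt/p"):
    """One read-only loop mount per partition, mirroring the page's option set.
    mount_base + partition index is the mount point (an assumption; create it first)."""
    cmds = []
    for idx, offset, _, desc in parse_mmls(mmls_text):
        opts = "loop,ro"
        if "NTFS" in desc:
            opts += "," + NTFS_OPTS
        cmds.append(f"mount -o {opts},offset={offset} {image} {mount_base}{idx}")
    return cmds


if __name__ == "__main__":
    for cmd in mount_commands(SAMPLE_MMLS, "imagefile.dd", "/mnt/windows_mount"):
        print(cmd)
```

The sector size is read from the mmls header rather than assumed, because a 4Kn drive imaged with 4096-byte sectors makes every hand-computed 512-based offset land in the wrong place.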

Mounting E01 images

ewfmount image.E01 mountpoint

Example: mount -o loop,ro,show_sys_files,streams_interface=windows /mnt/ewf/ewf1 /mnt/windows_mount.

Mounting Volume Shadow Copies

Stage 1 – Attach local or remote system drive

ewfmount system-name.E01 /mnt/ewf

Stage 2 – Mount the VSS snapshots of the raw image

cd /mnt/ewf
vshadowmount ewf1 /mnt/vss/

Stage 3 – Mount all logical filesystem of snapshot

cd /mnt/vss
for i in vss*; do mkdir -p /mnt/shadow_mount/$i; mount -o ro,loop,show_sys_files,streams_interface=windows $i /mnt/shadow_mount/$i; done

Recovering Data

blkls

Create Unallocated Image (deleted data)

Example: blkls imagefile.dd > imagefile.unalloc

Create Slack Image Using blkls -s (formerly dls; for FAT and NTFS)

Example: blkls -s imagefile.dd > imagefile.slack

foremost

Carves out files based on headers and footers

data_file.img can be a raw disk image, a blkls unallocated or slack image, or a memory image. Example: foremost -o outputdir -c /path/to/foremost.conf data_file.img.

sigfind

Search for a binary value at a given offset (-o) inside each block; the offset is relative to the block (default block size 512, change with -b), not to the start of the image.

Template: sigfind -o <offset> [-b <blocksize>] <hexvalue> imagefile.dd.
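Both foremost and sigfind are signature searches, but they differ in what they assume about alignment, and that difference decides which one finds a given artifact. The block below is an added example, not foremost or Sleuth Kit code: a block-relative signature scan like sigfind and a header/footer carver like foremost, run over a constructed in-memory image (no real file system) that holds an NTFS-style boot sector and its backup, a fake JPEG that starts mid-block, and a JPEG header whose footer was never written.

```python
"""What sigfind and foremost do, in Python: a block-aligned signature search and a
header/footer carver run over a constructed image. Added example for this page, not TSK or
foremost code; the image below is built in memory and carries no real file system."""

BSIZE = 512  # sigfind's default block size (-b)


def build_sample_image():
    """8 blocks: NTFS-style boot sectors in blocks 0 and 6 (NTFS keeps a backup at the end
    of the volume), a 700-byte 'JPEG' starting at block 3 + 100 that spills into block 4,
    and a second JPEG header in block 7 with no footer after it."""
    img = bytearray(BSIZE * 8)
    for blk in (0, 6):
        base = blk * BSIZE
        img[base + 3:base + 11] = b"NTFS    "      # OEM ID sits at byte 3 of the boot sector
        img[base + 510:base + 512] = b"\x55\xaa"   # boot-sector signature at byte 510
    jpeg = b"\xff\xd8\xff\xe0" + b"J" * 694 + b"\xff\xd9"   # SOI ... EOI, 700 bytes total
    start = 3 * BSIZE + 100
    img[start:start + len(jpeg)] = jpeg
    img[7 * BSIZE + 400:7 * BSIZE + 404] = b"\xff\xd8\xff\xe1"  # header, footer never written
    return bytes(img)


def sigfind(image, signature, offset=0, bsize=BSIZE):
    """sigfind -o <offset> -b <bsize>: blocks whose bytes at `offset` equal the signature.
    Only whole blocks are examined, so the offset is relative to each block, not the image."""
    return [blk for blk in range(len(image) // bsize)
            if image[blk * bsize + offset:blk * bsize + offset + len(signature)] == signature]


def carve(image, header, footer, max_size):
    """foremost-style carving: from each header, copy through the next footer (inclusive).
    If no footer turns up within max_size, take max_size bytes, which is also what foremost
    does when the footer is missing. Returns [(start_offset, bytes)]."""
    found = []
    pos = image.find(header)
    while pos != -1:
        end = image.find(footer, pos + len(header), pos + max_size)
        chunk = image[pos:pos + max_size] if end == -1 else image[pos:end + len(footer)]
        found.append((pos, chunk))
        pos = image.find(header, pos + len(chunk))  # resume after the carved region
    return found


if __name__ == "__main__":
    img = build_sample_image()
    print("NTFS boot sectors in blocks:", sigfind(img, b"NTFS    ", offset=3))
    for start, data in carve(img, b"\xff\xd8\xff", b"\xff\xd9", max_size=1024):
        print(f"carved {len(data)} bytes at offset {start}")
```

The boot sectors are found by the block scan because boot sectors are always sector-aligned; the JPEG is not, so a sigfind for FFD8FF at offset 0 returns nothing while the carver recovers it across the block boundary. The footerless header shows why foremost's max-size setting matters: it bounds how much is written when the footer never appears.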

Stream Extraction

bulk_extractor

Template: bulk_extractor <options> -o output_dir image.

Example: bulk_extractor -F keywords.txt -e net -e aes -e wordlist -o /cases/bulk-extractor-memory-output /cases/memory-raw.001

Options:

-o outdir output directory (must not already exist)
-f <regex> search for a regular expression; may be repeated
-F <rfile> read search terms from a file, one per line
-Wn1:n2 minimum and maximum word length for the wordlist scanner
-q nn print a status report only every nn pages (-1 for none)
-e scanner enable a scanner that is off by default (-x disables one)
-e wordlist enable the wordlist scanner (every word found in the image, useful for password cracking)
-e aes enable the AES key scanner (finds key schedules left in memory)
-e net enable the net scanner (carves packets out of memory into packets.pcap)

Creating Super Timelines

Template: log2timeline -r -p -z <system-timezone> -f <type-input> /mnt/windows_mount -w timeline.csv.

This is the legacy Perl log2timeline shipped with older SIFT releases; current SIFT ships plaso, where collection is log2timeline.py and filtering/output is psort.py, and l2t_process no longer exists.

mount -o loop,ro,show_sys_files,streams_interface=windows imagefile.dd /mnt/windows_mount # mount the image file
log2timeline -z EST5EDT -p -r -f win7 /mnt/windows_mount -w /cases/bodyfile.txt # parse the mounted image recursively with the win7 preset, in the system's timezone
l2t_process -b /cases/bodyfile.txt -w whitelist.txt 04-02-2012 > timeline.csv # keep only one day (or a MM-DD-YYYY..MM-DD-YYYY range) and drop whitelisted entries

Registry Parsing (RegRipper)

Template: rip.pl -r <HIVEFILE> -f <HIVETYPE>.

Options:

-r # registry hive file to parse <HIVEFILE>
-f # use <HIVETYPE> (e.g. sam, security, software, system, ntuser)
-l # list all plugins

Example: rip.pl -r /mnt/windows_mount/Windows/System32/config/SAM -f sam > /cases/windowsforensics/SAM.txt

Recover Deleted Registry Keys

Template: deleted.pl <HIVEFILE>

Example: deleted.pl /mnt/windows_mount/Windows/System32/config/SAM > /cases/windowsforensics/SAM_DELETED.txt