Here is the official cheatsheet from SANS. I’ve copied it here for convenience. I will comment some of them after I try each command in the list.
Shadow Timeline Creation
Step 1 – Attach Local or Remote System Drive
ewfmount system-name.E01 /mnt/ewf
Step 2 – Mount VSS Volume
VSS - Windows NT Volume Shadow Snapshot.
cd /mnt/ewf
vshadowmount ewf1 /mnt/vss
Step 3 – Run fls across ewf1 mounted image
cd /mnt/ewf
fls –r –m C: ewf1 >> /cases/vss-
bodyfile
Step 4 – Run fls Across All Snapshot Images
cd /mnt/vss
for i in vss*; do fls -r –m C: $i >> /cases/vss-bodyfile; done
Step 5 – De-Duplicate Bodyfile using sort and uniq
sort /cases/vss-bodyfile | uniq > /cases/vss-dedupe-bodyfile
Step 6 – Run mactime Against De-Duplicated Bodyfile
mactime –d –b /cases/vss-dedupe-bodyfile –z EST5EDT MM-DD-YYYY..MM-DD-YYYY > /cases/vss-timeline.csv
Memory Analysis
vol.py command –f /path/to/windows_xp_memory.img --profile=WinXPSP3x86
| Commands | Meaning |
|---|---|
connscan |
Scan for connection objects |
files |
list of open files process |
imagecopy |
Convert hibernation file |
procdump |
Dump process |
pslist |
list of running processes |
sockscan |
Scan for socket objects |
SleuthKit
fsstat
Displays details about the file system
fsstat imagefile.dd
Data Layer Tools (Block or Cluster)
blkcat
Displays the contents of a disk block.
blkcat imagefile.dd block_num
# cd /mnt/ewf
# fls –r –m C: ewf1 >> /cases/vss-
bodyfile
blkls
Lists contents of deleted disk blocks.
blkls imagefile.dd > imagefile.blkls
blkcalc
Maps between dd images and blkls results.
blkcalc imagefile.dd -u blkls_num
blkstat
Display allocation status of block.
blkstat imagefile.dd cluster_number
MetaData Layer Tools (Inode, MFT, or Directry Entry)
ils
Displays inode details.
ils imagefile.dd
istat
Displays information about a specific inode
istat imagefile.dd inode_num
icat
Displays contents of blocks allocated to an inode
icat imagefile.dd inode_num
ifind
Determine which inode contains a specific block
ifind imagefile.dd –d block_num
Filename Layer Tools
fls
Displays deleted file entries in a directory inode
fls -rpd imagefile.dd
ffind
Find the filename that using the inode
ffind imagefile.dd inode_num
Mouting dd images
mount -t fstype [options] image mountpoint
| Commands | Meaning |
|---|---|
| ro | mount as read only |
| loop | mount on a loop device |
| noexec | do not execute files |
| offset= | logical drive mount |
| show_sys_files | show ntfs metafiles |
| streams_interface=windows | use ADS |
Example: mount –o loop,ro,show_sys_files,streams_interface=windows imagefile.dd /mnt/windows_mount. Mounts an image file at specific location.
Mouting E01 images
ewfmount image.E01 mountpoint
Example: mount –o loop,ro,show_sys_files,streams_interface=windows /mnt/ewf/ewf1 /mnt/windows_mount.
Mounting Volume Shadow Copies
Stage 1 – Attach local or remote system drive
ewfmount system-name.E01 /mnt/ewf
Stage 2 – Mount raw image VSS
vshadowmount ewf1 /mnt/vss/
Stage 3 – Mount all logical filesystem of snapshot
cd /mnt/vss
for i in vss*; do mount -o ro,loop,show_sys_files,streams_interface=windows $i /mnt/shadow_mount/$i; done
Recovering Data
blkls
Create Unallocated Image (deleted data)
Example: blkls imagefile.dd > mount –o loop,ro,show_sys_files,streams_interface=windows /mnt/ewf/ewf1 /mnt/windows_mount
Create Slack Image Using dls (for FAT and NTFS)
Example: blkls –s imagefile.dd > imagefile.slack
foremost
Carves out files based on headers and footers
data_file.img = raw data, slack space, memory, unallocated space. Example: foremost –o outputdir –c /path/to/foremost.conf data_file.img.
sigfind
Search for a binary value at a given offset (-o).
Template: sigfind <hexvalue> -o <offset>.
Stream Extraction
bulk_extractor
Template: bulk_extractor <options> –o output_dir image.
Example: bulk_extractor -F keywords.txt –e net -e aes -e wordlist -o /cases/bulk- extractor-memory-output /cases/ memory-raw.001
Options:
-o outdir
-f <regex>
-F <rfile>
-Wn1:n2
-q nn
-e scanner
-e wordlist
-e aes
-e net
Creating Super Timelines
Template: log2timeline –r –p –z <system-timezone> –f <type-input> /mnt/windows_mount –w timeline.csv.
mount –o loop,ro,show_sys_files,streams_interface=windows imagefile.dd /mnt/windows_mount # mount the image file
log2timeline –z EST5EDT –p –r -f win7 /mnt/windows_mount -w /cases/bodyfile.txt # write logs on timeline
l2t_process –b /cases/bodyfile.txt –w whitelist.txt 04-02-2012 > timeline.csv # get specific timeframe?
Registry Parsing (RegRipper)
Template: rip.pl –r <HIVEFILE> –f <HIVETYPE>.
Options:
-r # Registry hive file to parse <HIVEFILE>
-f # Use <HIVETYPE> (e.g. sam, security, software, system, ntuser)
-l # list all plugins
Example: rip.pl –r /mnt/windows_mount/Windows/System32/config/SAM –f sam > /cases/windowsforensics/SAM.txt
Recover Deleted Registry Keys
Template: deleted.pl <HIVEFILE>
Example: deleted.pl /mnt/windows_mount/Windows/System32/config/SAM > /cases/windowsforensics/SAM_DELETED.txt