RSS Feed


Created: 23.09.2020

Here is the official cheatsheet from SANS. I’ve copied it here for convenience. I will comment some of them after I try each command in the list.

Shadow Timeline Creation

Step 1 – Attach Local or Remote System Drive

ewfmount system-name.E01 /mnt/ewf

Step 2 – Mount VSS Volume

VSS - Windows NT Volume Shadow Snapshot.

cd /mnt/ewf
vshadowmount ewf1 /mnt/vss

Step 3 – Run fls across ewf1 mounted image

cd /mnt/ewf
fls –r –m C: ewf1 >> /cases/vss-

Step 4 – Run fls Across All Snapshot Images

cd /mnt/vss
for i in vss*; do fls -r –m C: $i >> /cases/vss-bodyfile; done

Step 5 – De-Duplicate Bodyfile using sort and uniq

sort /cases/vss-bodyfile | uniq > /cases/vss-dedupe-bodyfile

Step 6 – Run mactime Against De-Duplicated Bodyfile

mactime –d –b /cases/vss-dedupe-bodyfile –z EST5EDT MM-DD-YYYY..MM-DD-YYYY > /cases/vss-timeline.csv

Memory Analysis

vol.py command –f /path/to/windows_xp_memory.img  --profile=WinXPSP3x86
Commands Meaning
connscan Scan for connection objects
files list of open files process
imagecopy Convert hibernation file
procdump Dump process
pslist list of running processes
sockscan Scan for socket objects



Displays details about the file system

fsstat imagefile.dd

Data Layer Tools (Block or Cluster)


Displays the contents of a disk block.

blkcat imagefile.dd block_num

# cd /mnt/ewf
# fls –r –m C: ewf1 >> /cases/vss-


Lists contents of deleted disk blocks.

blkls imagefile.dd > imagefile.blkls


Maps between dd images and blkls results.

blkcalc imagefile.dd -u blkls_num


Display allocation status of block.

blkstat imagefile.dd cluster_number

MetaData Layer Tools (Inode, MFT, or Directry Entry)


Displays inode details.

ils imagefile.dd


Displays information about a specific inode

istat imagefile.dd inode_num


Displays contents of blocks allocated to an inode

icat imagefile.dd inode_num


Determine which inode contains a specific block

ifind imagefile.dd –d block_num

Filename Layer Tools


Displays deleted file entries in a directory inode

fls -rpd imagefile.dd


Find the filename that using the inode

ffind imagefile.dd inode_num

Mouting dd images

mount -t fstype [options] image mountpoint

Commands Meaning
ro mount as read only
loop mount on a loop device
noexec do not execute files
offset= logical drive mount
show_sys_files show ntfs metafiles
streams_interface=windows use ADS

Example: mount –o loop,ro,show_sys_files,streams_interface=windows imagefile.dd /mnt/windows_mount. Mounts an image file at specific location.

Mouting E01 images

ewfmount image.E01 mountpoint

Example: mount –o loop,ro,show_sys_files,streams_interface=windows /mnt/ewf/ewf1 /mnt/windows_mount.

Mounting Volume Shadow Copies

Stage 1 – Attach local or remote system drive

ewfmount system-name.E01 /mnt/ewf

Stage 2 – Mount raw image VSS

vshadowmount ewf1 /mnt/vss/

Stage 3 – Mount all logical filesystem of snapshot

cd /mnt/vss
for i in vss*; do mount -o ro,loop,show_sys_files,streams_interface=windows $i /mnt/shadow_mount/$i; done

Recovering Data


Create Unallocated Image (deleted data)

Example: blkls imagefile.dd > mount –o loop,ro,show_sys_files,streams_interface=windows /mnt/ewf/ewf1 /mnt/windows_mount

Create Slack Image Using dls (for FAT and NTFS)

Example: blkls –s imagefile.dd > imagefile.slack


Carves out files based on headers and footers

data_file.img = raw data, slack space, memory, unallocated space. Example: foremost –o outputdir –c /path/to/foremost.conf data_file.img.


Search for a binary value at a given offset (-o).

Template: sigfind <hexvalue> -o <offset>.

Stream Extraction


Template: bulk_extractor <options> –o output_dir image.

Example: bulk_extractor -F keywords.txt –e net -e aes -e wordlist -o /cases/bulk- extractor-memory-output /cases/ memory-raw.001


-o outdir
-f <regex>
-F <rfile>
-q nn
-e scanner
-e wordlist
-e aes
-e net

Creating Super Timelines

Template: log2timeline –r –p –z <system-timezone> –f <type-input> /mnt/windows_mount –w timeline.csv.

mount –o loop,ro,show_sys_files,streams_interface=windows imagefile.dd /mnt/windows_mount # mount the image file
log2timeline –z EST5EDT –p –r -f win7 /mnt/windows_mount -w /cases/bodyfile.txt # write logs on timeline
l2t_process –b /cases/bodyfile.txt –w whitelist.txt 04-02-2012 > timeline.csv # get specific timeframe?

Registry Parsing (RegRipper)

Template: rip.pl –r <HIVEFILE> –f <HIVETYPE>.


-r # Registry hive file to parse <HIVEFILE>
-f #  Use <HIVETYPE> (e.g. sam, security, software, system, ntuser)
-l # list all plugins

Example: rip.pl –r /mnt/windows_mount/Windows/System32/config/SAM –f sam > /cases/windowsforensics/SAM.txt

Recover Deleted Registry Keys

Template: deleted.pl <HIVEFILE>

Example: deleted.pl /mnt/windows_mount/Windows/System32/config/SAM > /cases/windowsforensics/SAM_DELETED.txt