
📘 BTFM

Created: 18.07.2023

This is an attempt to collect all the most frequently used commands for forensic analysis.

vol2.py -f image --profile=Win7x64 imageinfo
vol2.py -f image --profile=Win7x64 pslist
vol2.py -f image --profile=Win7x64 psscan
vol2.py -f image --profile=Win7x64 ldrmodules
vol2.py -f image --profile=Win7x64 dlllist
vol2.py -f image --profile=Win7x64 hivelist
vol2.py -f image --profile=Win7x64 cmdscan
vol2.py -f image --profile=Win7x64 malfind


# create a body file
📘 MFTECmd.exe -f "E:\C\$MFT" --body "F:result" --bodyf timeline_mft.body --blf --bdl C: # cannot be used on a live system. NTFS only
📘 fls [options] image [inode] # works on an image or a live system. Also, can work on other filesystems including CDROM.

# convert the body file to a timeline
📘 mactime -d -b timeline_mft.body -z UTC > timeline.csv
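What mactime does with the body file above, written out as an added Python example (not part of this cheat sheet or of The Sleuth Kit): it parses the TSK body-file format that MFTECmd --body and fls emit, expands each record into one row per distinct timestamp with MACB flags, and accepts an optional epoch window so the timeline can be narrowed to the incident like the psort date filter further down. The body lines are constructed sample data.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample in TSK body-file format:
# MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime  (epoch seconds, UTC)
SAMPLE_BODY = """\
0|C:/Windows/System32/calc.exe|1234-128-1|r/rrwxrwxrwx|0|0|27648|1688169600|1688169600|1688170000|1688169600
0|C:/Users/user/Desktop/invoice.docx|5678-128-3|r/rrwxrwxrwx|0|0|18320|1688256000|1688200000|1688200000|1688200000
"""

TIMELINE_FIELDS = ["date", "size", "type", "mode", "uid", "gid", "meta", "name"]

def parse_body(text):
    """Yield one record per body-file line; blank or malformed lines are skipped."""
    for line in text.splitlines():
        fields = line.split("|")
        if len(fields) != 11:
            continue
        _md5, name, inode, mode, uid, gid, size = fields[:7]
        atime, mtime, ctime, crtime = (int(t) for t in fields[7:11])
        # mactime letters: m=modified, a=accessed, c=metadata changed, b=born (created)
        times = {"m": mtime, "a": atime, "c": ctime, "b": crtime}
        yield {"name": name, "inode": inode, "mode": mode, "uid": uid,
               "gid": gid, "size": int(size), "times": times}

def body_to_timeline(text, start=None, end=None):
    """Return mactime-style rows sorted by time; start/end are epoch bounds [start, end)."""
    rows = []
    for rec in parse_body(text):
        by_ts = defaultdict(set)
        for flag, ts in rec["times"].items():
            if ts == 0:                      # mactime treats 0 as "no timestamp"
                continue
            if start is not None and ts < start:
                continue
            if end is not None and ts >= end:
                continue
            by_ts[ts].add(flag)              # timestamps that coincide share one row
        for ts, flags in by_ts.items():
            macb = "".join(f if f in flags else "." for f in "macb")
            date = datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")
            rows.append({"date": date, "size": rec["size"], "type": macb, "mode": rec["mode"],
                         "uid": rec["uid"], "gid": rec["gid"], "meta": rec["inode"], "name": rec["name"]})
    rows.sort(key=lambda r: (r["date"], r["name"]))   # zero-padded dates sort lexically
    return rows

def to_csv(rows):
    """Serialise timeline rows as CSV text (same columns as the mactime -d output)."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=TIMELINE_FIELDS)
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()
```

Running it on the sample yields four rows: calc.exe gets `ma.b` at its creation time and a separate `..c.` row for the later metadata change, which is the pattern to look for when an attacker has timestomped $STANDARD_INFORMATION but not $FILE_NAME.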


# ===============================================================
# ===================== PLASO ===================================
# ===============================================================
# create a timeline with Plaso
📘 log2timeline --parsers "webhist,!binary_cookies" outputfile imagefile -z timezone # processes imagefile with all webhist parsers except binary_cookies and writes the result to outputfile
📘 log2timeline --file_filter filter_custom.txt outputfile imagefile # filter files can be txt or yaml; only the latter supports the "exclude" operator
📘 pinfo.py -v outputfile | more
📘 pinfo.py -v outputfile | less
📘 psort.py --output-time-zone 'UTC' -o l2tcsv -w result.csv outputfile [FILTER] # there are many output formats, for example elastic, which can be fed into Elasticsearch
📘 psort.py --output-time-zone 'UTC' -o l2tcsv -w result.csv outputfile "date > datetime('2023-07-01T00:00:00') AND date < datetime('2023-07-02T00:00:00')" # here the [FILTER] option was provided to narrow the timeline to the time of the incident.


# create a body file
📘 MFTECmd.exe -f "E:\C\$MFT" --csv "C:\results" --csvf output.csv # cannot be used on a live system. NTFS only
📘 MFTECmd.exe -f 'H:\E\$Extend\$J' --csv C:\Users\user\Documents --csvf results.csv # parse the $UsnJrnl:$J change journal

📘 vol2.py --profile=Win10x64 -f image pslist | grep exename.exe
📘 vol2.py --profile=Win10x64 -f image pslist | head -n 4
📘 vol2.py --profile=Win10x64 -f image dlllist -p exePID

📘 PECmd.exe -d . --csv C:\output\folder --csvf result.csv

📘 memprocfs.exe -device c:\temp\win10x64-dump.raw -forensic 1 # review the forensics folder, findevil.txt

echo -n somebase64string | base64 -d
