Digital forensics ¶

Forensics is the art of investigating crimes. Digital forensics is the same, but for cyber crimes.

• Memory forensics 🗺️: dig into a memory capture of a machine to investigate suspect behaviors and map the attack path.

• Reverse engineering 🤖: try to understand and investigate suspicious programs. Refer to this page.

• File Investigation ✈️: try to find hidden files, hidden messages, and hidden information in files. Refer to this page.

These categories further involve tasks such as:

• Malware Analysis 🪲: investigate malware to find what they did, what they do, how they work, etc.

Disk Forensics Tools ¶

You can create an image of a disk using:

• FTK Imager (popular)
• OSFClone
• dd/dcfldd
• AFF4 Imager
• ...

Memory Forensics Tools ¶

To create a memory dump, you can use:

• DumpIt.exe
• WinPmem (0.6k ⭐)
• Redline
• FTK Imager
• memdump
• LiME (1.6k ⭐)
• For VMWare, suspend the machine and locate the .vmem
• ...

You can investigate a memory dump using:

• Volatility is a well-known memory forensic tool.

Investigate Deleted Files ¶

On Linux, rm doesn't delete a file, it only delete the file metadata which marks the memory as 'free to use/writable' by the operating system.

Given the image data.bin, these methods may be helpful:

$ strings data.bin
$ strings -n xxx data.bin

$ sudo apt install foremost
$ foremost -i data.bin

$ fls -rp data.bin
r/r * 5:        filename
$ icat -r data.bin 5 > filename

$ debugfs -w data.bin
debugfs> lsdel

$ testdisk data.bin

Investigate A Virtual Machine Dump ¶

You can mount a .vmdk/.vhd on Kali Linux using either:

$ sudo apt install libguestfs-tools
$ sudo mkdir /mnt/vmdk
$ sudo guestmount -a xxx.vmdk -i --ro /mnt/vmdk
$ sudo ls -lah /mnt/vmdk/
$ sudo SHELL=/bin/bash chroot /mnt/vmdk/
$ sudo umount /mnt/vmdk
$ sudo rm -rf /mnt/vmdk

$ sudo apt install qemu-utils
$ sudo modprobe nbd
$ sudo qemu-nbd -r -c /dev/nbd1 xxx.vmdk 
$ ls -al /dev/nbd1p* # list the disk partitions

You can now mount any partition one by one.

$ mkdir p1 && sudo mount /dev/nbd1p1 ./p1
$ sudo SHELL=/bin/bash chroot p1

The drive may be encrypted using BitLocker.

Malware Acquisition Tools ¶

You can use the following sources to find malware:

• theZoo (10.5k ⭐)
• virusshare (👻)
• hybrid-analysis (👻)
• malware-traffic-analysis (👻)
• app.any.run (👻)
• contagiodump (👻)
• vx-underground (👻)

Malware Hashing Techniques ¶

• Import Hashing (IMPHASH)

import sys
import pefile
import peutils
pe = pefile.PE(sys.argv[1])
print(pe.get_imphash())

• Fuzzy Hashing (SSDEEP/CTPH)

$ ssdeep xxx.exe

Malware Analysis Tools ¶

• FLOSS (2.6k ⭐)

$ floss xxx.exe

• Section hashing — identify modified sections

for section in pe.sections:
    print (section.Name, "MD5 hash:", section.get_hash_md5())
    print (section.Name, "SHA256 hash:", section.get_hash_sha256())

• Arsenal Image Mounter
• KAPE (triage), KapeFiles
• velociraptor (artifact gathering)

Intesting files

• C:\Windows\Prefetch: programs executed+last execution date
• %AppData%\Microsoft\Windows\Recent: recent files
• USN Journal: logs of file system changes
• mftexplorer: metadata for all files