Digital forensics
Forensics is the art of investigating crimes. Digital forensics is the same, but for cyber crimes.
- Memory forensics: dig into a memory capture of a machine to investigate suspect behaviors and map the attack path.
- Reverse engineering: try to understand and investigate suspicious programs. Refer to this page.
- File Investigation: try to find hidden files, hidden messages, and hidden information in files. Refer to this page.
These categories further involve tasks such as:
- Malware Analysis: investigate malware to find what it did, what it does, how it works, etc.
Forensics Tools
See also: ForensicsTools (0.8k ★).
Disk Forensics Tools
You can create an image of a disk using:
- FTK Imager (popular)
- OSFClone
- dd/dcfldd
- AFF4 Imager
- ...
Memory Forensics Tools
To create a memory dump, you can use:
- DumpIt.exe
- WinPmem (0.6k ★)
- Redline
- FTK Imager
- memdump
- LiME (1.6k ★)
- For VMware, suspend the machine and locate the .vmem file (the guest's memory as saved by the hypervisor)
- ...
You can investigate a memory dump using:
- Volatility, a well-known memory forensics framework.
Disk Forensics
Investigate Deleted Files
On Linux, rm doesn't wipe a file's contents: it only removes the file's metadata, which marks the blocks as free to reuse by the operating system, so the data usually stays recoverable until it is overwritten.
Given the image data.bin, these methods may be helpful:
```
$ strings data.bin                 # printable strings (default minimum length 4)
$ strings -n xxx data.bin          # only strings of at least xxx characters
$ sudo apt install foremost
$ foremost -i data.bin             # carve files out of the image by header/footer signatures
$ fls -rp data.bin                 # list files recursively with full paths; '*' marks deleted entries
r/r * 5: filename
$ icat -r data.bin 5 > filename    # dump the content of inode 5 (-r: recover a deleted file)
$ debugfs -w data.bin              # -w opens the image writable; drop it to keep the evidence read-only
debugfs> lsdel                     # list deleted inodes (works on ext2, mostly empty on ext3/ext4)
$ testdisk data.bin                # interactive partition and file recovery
```
Investigate A Virtual Machine Dump
You can mount a .vmdk/.vhd on Kali Linux using either libguestfs (guestmount) or qemu-nbd.
With guestmount:
```
$ sudo apt install libguestfs-tools
$ sudo mkdir /mnt/vmdk
$ sudo guestmount -a xxx.vmdk -i --ro /mnt/vmdk   # -i: inspect and mount the guest's partitions; --ro: read-only
$ sudo ls -lah /mnt/vmdk/
$ sudo SHELL=/bin/bash chroot /mnt/vmdk/
$ sudo umount /mnt/vmdk
$ sudo rm -rf /mnt/vmdk
```
With qemu-nbd, which exposes the virtual disk as a block device:
```
$ sudo apt install qemu-utils
$ sudo modprobe nbd
$ sudo qemu-nbd -r -c /dev/nbd1 xxx.vmdk   # -r: read-only; -c: connect the image to /dev/nbd1
$ ls -al /dev/nbd1p* # list the disk partitions
```
You can now mount any partition one by one.
```
$ mkdir p1 && sudo mount /dev/nbd1p1 ./p1   # the device is already read-only thanks to -r above
$ sudo SHELL=/bin/bash chroot p1
$ sudo umount p1 && sudo qemu-nbd -d /dev/nbd1   # detach the image when done
```
The drive may be encrypted using BitLocker.
Malware Analysis
Malware Acquisition Tools
You can use the following sources to find malware:
- theZoo (10.5k ★)
- virusshare
- hybrid-analysis
- malware-traffic-analysis
- app.any.run
- contagiodump
- vx-underground
Malware Hashing Techniques
- Import Hashing (IMPHASH): a hash of the imported DLL and function names, so builds from the same source tend to share it even when their bytes differ.
```python
import sys
import pefile

pe = pefile.PE(sys.argv[1])   # path of the PE file to hash
print(pe.get_imphash())
```
- Fuzzy Hashing (SSDEEP/CTPH): similar files get similar hashes, which lets you cluster variants of the same sample.
```
$ ssdeep xxx.exe
```
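As an added example (not code from these notes or from ssdeep itself), a minimal context-triggered piecewise hash in Python that shows why a fuzzy hash survives a small patch while a cryptographic hash does not; the sample bytes are constructed, and difflib stands in for ssdeep's edit-distance scoring.

```python
import difflib
import hashlib

B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
WINDOW = 7                                    # rolling-hash window, as in ssdeep
FNV_SEED, FNV_PRIME = 0x28021967, 0x01000193  # FNV-1 constants used by ssdeep

def ctph(data: bytes, block_size: int = 16) -> str:
    """A rolling hash over the last WINDOW bytes decides where each piece ends, so an
    edit only disturbs nearby pieces; each piece becomes one base64 char of its FNV-1."""
    win, h1, h2, h3 = [0] * WINDOW, 0, 0, 0    # rolling-hash state (ssdeep's 3 parts)
    piece, sig = FNV_SEED, []                   # FNV-1 state of the piece being built
    for i, c in enumerate(data):
        h2 = (h2 - h1 + WINDOW * c) & 0xFFFFFFFF      # weighted sum of the window
        h1 = (h1 + c - win[i % WINDOW]) & 0xFFFFFFFF  # plain sum of the window
        win[i % WINDOW] = c
        h3 = ((h3 << 5) ^ c) & 0xFFFFFFFF             # shift-xor, forgets after 7 bytes
        rolling = (h1 + h2 + h3) & 0xFFFFFFFF
        piece = ((piece * FNV_PRIME) ^ c) & 0xFFFFFFFF
        if rolling % block_size == block_size - 1:    # trigger value: close the piece
            sig.append(B64[piece & 63])
            piece = FNV_SEED
    sig.append(B64[piece & 63])                       # unfinished trailing piece
    return f"{block_size}:{''.join(sig)}"

def similarity(sig_a: str, sig_b: str) -> int:
    """0-100 score; ssdeep uses a weighted edit distance, difflib stands in here."""
    bs_a, a = sig_a.split(":", 1)
    bs_b, b = sig_b.split(":", 1)
    if bs_a != bs_b:                 # signatures only compare at the same block size
        return 0
    return int(100 * difflib.SequenceMatcher(None, a, b, autojunk=False).ratio())

def sample(seed: bytes, size: int = 2048) -> bytes:
    """Constructed pseudo-random stand-in for a binary (not a real sample)."""
    out = b""
    while len(out) < size:
        out += hashlib.sha256(seed + len(out).to_bytes(4, "big")).digest()
    return out[:size]

def demo() -> dict:
    original = sample(b"sample-a")
    patched = original[:1000] + b"PATCHED" + original[1000:]   # 7-byte insertion
    unrelated = sample(b"sample-b")
    h = ctph(original)
    return {"same": similarity(h, ctph(original)),
            "patched": similarity(h, ctph(patched)),      # stays high
            "unrelated": similarity(h, ctph(unrelated))}  # stays low
```

An insertion shifts every byte after it, so MD5/SHA256 of `patched` share nothing with the original, while the piecewise signature differs in only a few characters around the edit.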
Malware Analysis Tools
- FLOSS (2.6k ★): extracts obfuscated strings that plain strings misses
```
$ floss xxx.exe
```
- Section hashing: identify modified sections by comparing per-section hashes against a known-good build
```python
import sys, pefile
pe = pefile.PE(sys.argv[1])
for section in pe.sections:  # a section whose hash changed is where the binary was modified
    print(section.Name, "MD5 hash:", section.get_hash_md5())
    print(section.Name, "SHA256 hash:", section.get_hash_sha256())
```
To-do
Stuff that I found, but never read/used yet.
- Arsenal Image Mounter
- KAPE (triage), KapeFiles
- velociraptor (artifact gathering)
Interesting files
- C:\Windows\Prefetch: programs executed + last execution date
- %AppData%\Microsoft\Windows\Recent: recent files
- USN Journal: logs of file system changes
- MFTExplorer: metadata for all files