
Forensic quick note 2021/08/12



CheatSheet

Find something in disk image

  • Grep strings
file dds1-alpine.flag.img
strings dds1-alpine.flag.img | grep 'CTF{'
  • Extract files from a partition (The Sleuth Kit)
file /home/forensics/Desktop/dds2-alpine.flag.img
fdisk -l /home/forensics/Desktop/dds2-alpine.flag.img
mmls /home/forensics/Desktop/dds2-alpine.flag.img
# -o takes the partition start sector that mmls reports (options go before the image)
fls -o 2048 -pr /home/forensics/Desktop/dds2-alpine.flag.img
fcat -o 2048 root/down-at-the-bottom.txt /home/forensics/Desktop/dds2-alpine.flag.img
  • Extract a BitLocker-encrypted VHD image
    • Identify the image (the first bytes show the container format)
    file ll2
    xxd -l 20 ll2

    • Extract the BitLocker hash (bitcracker_hash writes hash_user_pass.txt for the user password and hash_recv_pass.txt for the recovery password)
    ./build/bitcracker_hash -i '/home/forensics/Desktop/disk4/ll2'

    • Crack it with hashcat (-m 22100 is the BitLocker mode, -a 0 a wordlist attack)
    ./hashcat.bin -D 1 -m 22100 -a 0 ../hash_user_pass.txt ../rockyou.txt --force

    • Rename the file to ".vhdx"
    • Mount it on Windows (attach it read-only) and unlock the volume with the recovered password
  • Extract a RAID disk
    • Check whether the images are RAID members
    file *

    • Extract the RAID partition (binwalk shows where the md member starts inside each image; here a 1 MiB header precedes it, which dd strips)
    binwalk 1.img 2.img
    dd if=1.img of=1.img.fix bs=1048576 skip=1
    dd if=3.img of=3.img.fix bs=1048576 skip=1
    file 1.img.fix 3.img.fix

    • Check the RAID level and the state of each member (array UUID, role, event counter)
    sudo mdadm --examine 1.img.fix 3.img.fix

    • Assemble the RAID read-only (the .fix files must first be attached as read-only loop devices, e.g. with losetup -r; /dev/loop20 and /dev/loop21 are the devices they got here), then mount /dev/md0 read-only
    sudo mdadm --assemble --readonly --run /dev/md0 /dev/loop20 /dev/loop21

    • Debug: if udev auto-assembled the members as /dev/md127 as soon as the loop devices appeared, or device-mapper still holds them, tear that down before assembling by hand
    sudo dmsetup table
    sudo dmsetup remove_all
    sudo mdadm --stop /dev/md127
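
Added example (Python, not code from this note or from TSK, bitcracker or hashcat) that automates the first decision in the procedures above, what `file`, `xxd -l 20` and `mmls` tell you by hand: which container the file is (VHDX, dynamic VHD, fixed VHD, raw), what sits in sector 0 (an MBR table, GPT, a bare NTFS/FAT volume, or a BitLocker volume, which overwrites the OEM-ID field at offset 3 with -FVE-FS-), and the partition start sectors to hand to `fls -o` / `fcat -o`. Assumptions: only DOS/MBR partition tables are parsed (GPT is recognised and deferred to mmls), the contents of a VHDX or dynamic VHD are not opened, and the two sample images at the bottom are constructed here, not the images from this note.

```python
"""Identify a disk image: container, sector-0 kind, and TSK -o offsets.
Signature offsets used: VHDX "vhdxfile" at 0, VHD footer cookie "conectix"
(copied to offset 0 in dynamic VHDs), GPT "EFI PART" in LBA 1, MBR boot
signature 0x55AA at 510, filesystem OEM-ID at offset 3."""
import struct

SECTOR = 512
# OEM-ID field at offset 3 of a volume boot sector; BitLocker overwrites it.
OEM_IDS = {b"-FVE-FS-": "bitlocker", b"NTFS    ": "ntfs", b"EXFAT   ": "exfat"}


def container_type(head: bytes, tail: bytes) -> str:
    """VHDX and dynamic VHD announce themselves at offset 0; a fixed VHD only
    carries its 512-byte "conectix" footer at the very end, so its first
    sector is still the guest disk's sector 0 and parses like a raw image."""
    if head.startswith(b"vhdxfile"):
        return "vhdx"
    if head.startswith(b"conectix"):
        return "vhd-dynamic"
    if tail[-SECTOR:].startswith(b"conectix"):
        return "vhd-fixed"
    return "raw"


def mbr_partitions(sector0: bytes) -> list:
    """Non-empty entries of a DOS partition table (four 16-byte slots at 0x1BE)."""
    parts = []
    for i in range(4):
        entry = sector0[0x1BE + 16 * i:0x1BE + 16 * (i + 1)]
        ptype = entry[4]
        if ptype == 0:
            continue
        start, count = struct.unpack_from("<II", entry, 8)   # LBA start, sector count
        parts.append({"index": i, "type": ptype, "start": start, "sectors": count})
    return parts


def sector0_type(head: bytes) -> str:
    """Classify the first sector of a raw disk or volume image."""
    if len(head) < SECTOR:
        return "unknown"
    s0 = head[:SECTOR]
    if s0[3:11] in OEM_IDS:
        return OEM_IDS[s0[3:11]]
    if s0[0x52:0x5A] == b"FAT32   ":
        return "fat32"
    if s0[0x36:0x3E] in (b"FAT12   ", b"FAT16   "):
        return "fat12/16"
    if s0[510:512] != b"\x55\xaa":
        return "unknown"
    # A protective-MBR entry (type 0xEE) or a GPT header in LBA 1 means the real table is GPT.
    if head[SECTOR:SECTOR + 8] == b"EFI PART" or any(p["type"] == 0xEE for p in mbr_partitions(s0)):
        return "gpt-disk"
    return "mbr-disk"


def identify(head: bytes, tail: bytes) -> dict:
    """Decision for one image from its first two sectors and its last sector:
    container, sector-0 kind, partition start sectors (the -o values), next step."""
    info = {"container": container_type(head, tail), "sector0": None, "offsets": [], "next": ""}
    if info["container"] in ("vhdx", "vhd-dynamic"):
        info["next"] = "attach it with the hypervisor tools first (contents not parsed here)"
        return info
    kind = info["sector0"] = sector0_type(head)
    if kind == "mbr-disk":
        info["offsets"] = [p["start"] for p in mbr_partitions(head[:SECTOR])]
        info["next"] = "fls -o <offset> -pr image, with offset in %r" % (info["offsets"],)
    elif kind == "gpt-disk":
        info["next"] = "GPT: take the partition offsets from mmls"
    elif kind == "bitlocker":
        info["next"] = "bitcracker_hash -i image, then hashcat -m 22100"
    elif kind == "unknown":
        info["next"] = "no known signature in sector 0: try binwalk and strings"
    else:
        info["next"] = "bare %s volume: fls -pr image with no -o" % kind
    return info


def identify_file(path: str) -> dict:
    with open(path, "rb") as f:
        head = f.read(2 * SECTOR)
        f.seek(0, 2)
        f.seek(max(f.tell() - SECTOR, 0))
        tail = f.read(SECTOR)
    return identify(head, tail)


# Constructed samples, not real evidence: a raw MBR disk with one bootable Linux
# partition at sector 2048, and the boot sector of a BitLocker volume.
def sample_mbr_disk() -> bytes:
    s0 = bytearray(SECTOR)
    struct.pack_into("<BBBBBBBBII", s0, 0x1BE, 0x80, 0, 0, 0, 0x83, 0, 0, 0, 2048, 204800)
    s0[510:512] = b"\x55\xaa"
    return bytes(s0) + bytes(3 * SECTOR)


def sample_bitlocker_volume() -> bytes:
    s0 = bytearray(SECTOR)
    s0[0:3] = b"\xeb\x58\x90"          # jump instruction, as on a real boot sector
    s0[3:11] = b"-FVE-FS-"
    s0[510:512] = b"\x55\xaa"
    return bytes(s0)
```

`identify_file(path)` reads only the first two sectors and the last one, so it is safe on multi-GB images; the order of the checks matters, because a BitLocker or NTFS boot sector also ends in 0x55AA and would otherwise be mistaken for an MBR.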
    

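Added example (Python, not from this note or from mdadm) for the RAID procedure above: it finds the md v1.2 superblock inside a member image that carries a foreign header, computes the dd bs/skip that strips exactly that header, decodes the fields `mdadm --examine` shows (level, disks, data offset, role, event counter) and runs the cross-member checks you would otherwise do by eye before assembling. Assumptions: field offsets follow struct mdp_superblock_1 in the Linux kernel's include/uapi/linux/raid/md_p.h, the superblock checksum is not verified, only v1.x superblocks are handled (v0.90 lives at the end of the device and is not searched for), and the two RAID1 members built by sample_member are constructed here, not the 1.img/3.img from this note.

```python
"""Locate, decode and cross-check Linux md v1.x member superblocks."""
import struct

MD_SB_MAGIC = 0xA92B4EFC
MD12_SB_GAP = 4096             # v1.2 puts the superblock 4 KiB after the start of the member
SCAN_LIMIT = 16 * 1024 * 1024  # search for the magic at 4 KiB-aligned offsets up to here
ROLE_NAMES = {0xFFFF: "spare", 0xFFFE: "faulty"}


def find_superblock(data: bytes) -> int:
    """Offset of the first md v1.x magic at a 4 KiB-aligned position, or -1."""
    magic = struct.pack("<I", MD_SB_MAGIC)
    for off in range(0, min(len(data), SCAN_LIMIT) - 3, 4096):
        if data[off:off + 4] == magic:
            return off
    return -1


def parse_superblock(sb: bytes) -> dict:
    """Decode the fields `mdadm --examine` prints; offsets are those of struct mdp_superblock_1."""
    magic, major = struct.unpack_from("<II", sb, 0)
    if magic != MD_SB_MAGIC or major != 1:
        raise ValueError("not a v1.x md superblock")
    level, layout = struct.unpack_from("<iI", sb, 72)          # level is signed (-1 = linear)
    size, = struct.unpack_from("<Q", sb, 80)                  # usable size, 512-byte sectors
    chunk, raid_disks = struct.unpack_from("<II", sb, 88)     # chunk in sectors (0 for RAID1)
    data_offset, data_size, super_offset = struct.unpack_from("<QQQ", sb, 128)
    dev_number, = struct.unpack_from("<I", sb, 160)
    events, = struct.unpack_from("<Q", sb, 200)
    max_dev, = struct.unpack_from("<I", sb, 220)
    max_dev = min(max_dev, (len(sb) - 256) // 2)              # dev_roles[] starts at 256
    roles = struct.unpack_from("<%dH" % max_dev, sb, 256)
    role = roles[dev_number] if dev_number < max_dev else 0xFFFE
    return {
        "array_uuid": sb[16:32].hex(),
        "name": sb[32:64].split(b"\0", 1)[0].decode("ascii", "replace"),
        "level": level, "layout": layout, "raid_disks": raid_disks,
        "chunk_sectors": chunk, "size_sectors": size,
        "data_offset": data_offset, "data_size": data_size, "super_offset": super_offset,
        "dev_number": dev_number, "role": ROLE_NAMES.get(role, role), "events": events,
    }


def dd_args(header: int) -> str:
    """Largest convenient bs/skip pair that strips exactly `header` bytes."""
    for bs in (1048576, 4096, 512):
        if header % bs == 0:
            return "bs=%d skip=%d" % (bs, header // bs)
    return "bs=1 skip=%d" % header


def examine(data: bytes) -> dict:
    """Find the member inside `data`, decode it and report the foreign header to strip."""
    off = find_superblock(data)
    if off < 0:
        raise ValueError("no md v1.x superblock in the first %d bytes" % SCAN_LIMIT)
    info = parse_superblock(data[off:off + 4096])
    # v1.1 lives at offset 0 of the member, v1.2 at 4 KiB; anything before that is foreign.
    header = 0 if off == 0 else off - MD12_SB_GAP
    info.update(superblock_offset=off, header_bytes=header, dd_skip=dd_args(header))
    return info


def check_members(infos: list) -> list:
    """The sanity checks one does on `mdadm --examine` output before assembling."""
    problems = []
    if len({i["array_uuid"] for i in infos}) > 1:
        problems.append("members belong to different arrays (UUID mismatch)")
    if len({i["events"] for i in infos}) > 1:
        problems.append("event counters differ: a member is stale, expect a degraded assemble")
    roles = [i["role"] for i in infos if isinstance(i["role"], int)]
    if len(roles) != len(set(roles)):
        problems.append("two members claim the same role")
    if infos and len(roles) < infos[0]["raid_disks"]:
        problems.append("only %d of %d active members present" % (len(roles), infos[0]["raid_disks"]))
    return problems


def examine_file(path: str) -> dict:
    with open(path, "rb") as f:
        return examine(f.read(SCAN_LIMIT))


# Constructed RAID1 members (not real evidence) with a 1 MiB foreign header in front,
# the situation the "dd ... bs=1048576 skip=1" step above deals with.
def sample_member(dev_number: int, events: int = 42, header: int = 1048576) -> bytes:
    sb = bytearray(4096)
    struct.pack_into("<III", sb, 0, MD_SB_MAGIC, 1, 0)           # magic, major_version, feature_map
    sb[16:32] = bytes(range(16))                                  # array UUID
    sb[32:64] = b"forensics:0".ljust(32, b"\0")                   # array name
    struct.pack_into("<iIQII", sb, 72, 1, 0, 204800, 0, 2)        # RAID1, layout 0, size, chunk, 2 disks
    struct.pack_into("<QQQ", sb, 128, 2048, 204800, 8)           # data at sector 2048, sb at sector 8
    struct.pack_into("<I", sb, 160, dev_number)
    struct.pack_into("<Q", sb, 200, events)
    struct.pack_into("<I", sb, 220, 2)                            # max_dev
    struct.pack_into("<2H", sb, 256, 0, 1)                        # dev_roles: dev 0 -> role 0, dev 1 -> role 1
    return bytes(header + MD12_SB_GAP) + bytes(sb)
```

Run `examine_file` on each raw image, apply the reported dd arguments, feed the resulting dicts to `check_members`, and only then attach the stripped files as read-only loop devices and assemble as shown above; an events mismatch is the usual reason a two-disk set assembles degraded.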
Find something in a picture

  • Extract image metadata
exiftool radia_perlman.jpg

Online useful tools

Online useful resources

TSK Tool

In general, the following tools take a disk or file system image as input

Common forensic workflows and tools

Volatility

# determine the image profile (Volatility 2)
python volatility/vol.py -f OtterCTF.vmem imageinfo
# find the user password (LSA secrets, e.g. the DefaultPassword of an autologon account)
python volatility/vol.py -f OtterCTF.vmem --profile=Win7SP1x64 lsadump
# list network connections
python volatility/vol.py -f OtterCTF.vmem --profile=Win7SP1x64 netscan
# find the host name (COMPUTERNAME in the process environment variables)
python volatility/vol.py -f OtterCTF.vmem --profile=Win7SP1x64 envars
# dump the addressable memory of a process
python volatility/vol.py -f OtterCTF.vmem --profile=Win7SP1x64 memdump -p 708 -D dump/
# extract the clipboard contents
python volatility/vol.py -f OtterCTF.vmem --profile=Win7SP1x64 clipboard
# list the process tree
python volatility/vol.py -f OtterCTF.vmem --profile=Win7SP1x64 pstree
# find file objects in memory (note the physical offset, dumpfiles needs it)
python volatility/vol.py -f OtterCTF.vmem --profile=Win7SP1x64 filescan
# extract a file from memory by the physical offset filescan reported
python volatility/vol.py -f OtterCTF.vmem --profile=Win7SP1x64 dumpfiles -Q 0x000000007daad840 -D dump/
# view the command line of a process
python volatility/vol.py -f OtterCTF.vmem --profile=Win7SP1x64 cmdline -p 3720
# view the DLLs loaded by a process
python volatility/vol.py -f OtterCTF.vmem --profile=Win7SP1x64 dlllist -p 3720
# find the Chrome history database among the file objects
python volatility/vol.py -f OtterCTF.vmem --profile=Win7SP1x64 filescan | grep -i "chrome" | grep -i "history"
# dump the executable of a process
python volatility/vol.py -f OtterCTF.vmem --profile=Win7SP1x64 procdump -p 3720 -D dump/
# search the memory of a process for a byte pattern (YARA regex rule)
python volatility/vol.py -f OtterCTF.vmem --profile=Win7SP1x64 yarascan --yara-rules="/\x64(.{6,8})\x40\x06(.{18})\x5a\x0c\x00\x00/" -p 708

bitcracker

BitCracker is the first open source password cracking tool for storage devices (Hard Disk, USB Pendrive, SD card, etc) encrypted with BitLocker, an encryption feature available on Windows Vista, 7, 8.1 and 10 (Ultimate, Pro and Enterprise editions). BitLocker offers a number of different authentication methods to encrypt a storage device like Trusted Platform Module (TPM), Smart Card, Recovery Password, User supplied password.

  • install (build inside the cloned directory)
git clone https://github.com/e-ago/bitcracker.git
cd bitcracker
./build.sh
  • extract bitlocker hash
./build/bitcracker_hash -i '/home/forensics/Desktop/disk4/ll2'

hashcat

# crack the BitLocker hash (-m 22100 is the BitLocker mode; -D 1 restricts hashcat to CPU devices)
./hashcat.bin -D 1 -m 22100 -a 0 ../hash_user_pass.txt ../rockyou.txt --force

ILSpy

ILSpy is the open-source .NET assembly browser and decompiler.

foremost

  • Carve images out of a file (results go to ./output by default)
foremost dump/executable.3720.exe

AccessData FTK Imager

Quickly assess electronic evidence by obtaining forensic images of computer data, without making changes to the original evidence, all with FTK® Imager!

Autopsy

Autopsy is a graphical interface to The Sleuth Kit and other open-source digital (disk) forensics tools.