# Forensic quick note 2021/08/12

---

[TOC]

---

## CheatSheet

### Find something in a disk image

- Grep for a string

```=sh
file dds1-alpine.flag.img
strings dds1-alpine.flag.img | grep CTF{
```

- Extract a file from the image (the `-o` value is the partition's start sector as reported by `mmls`/`fdisk`)

```=sh
file /home/forensics/Desktop/dds2-alpine.flag.img
fdisk -l /home/forensics/Desktop/dds2-alpine.flag.img
mmls /home/forensics/Desktop/dds2-alpine.flag.img
fls -o 2048 -pr /home/forensics/Desktop/dds2-alpine.flag.img
fcat -o 2048 root/down-at-the-bottom.txt /home/forensics/Desktop/dds2-alpine.flag.img
```

- Extract VHD images
  - Analyze the image

```=sh
file ll2
xxd -l 20 ll2
```

![](https://i.imgur.com/JQ9xG6D.png)

  - Extract the BitLocker hash

```=sh
./build/bitcracker_hash -i '/home/forensics/Desktop/disk4/ll2'
```

![](https://i.imgur.com/8ggqdyG.png)

  - Crack it with hashcat

```=sh
./hashcat.bin -D 1 -m 22100 -a 0 ../hash_user_pass.txt ../rockyou.txt --force
```

  - Change the file extension to ".vhdx"
  - Mount it on Windows

- Extract a RAID disk
  - Check whether the images are RAID members

```=sh
file *
```

![](https://i.imgur.com/cqpEBGt.png)

  - Extract the RAID partitions (strip the 1 MiB header in front of each member)

```=sh
binwalk 1.img 2.img
dd if=1.img of=1.img.fix bs=1048576 skip=1
dd if=3.img of=3.img.fix bs=1048576 skip=1
file 1.img.fix 3.img.fix
```

![](https://i.imgur.com/9Ra0N3o.png)

![](https://i.imgur.com/GJLShDZ.png)

  - Check the RAID level and the state of each member

```=sh
sudo mdadm --examine 1.img.fix 3.img.fix
```

![](https://i.imgur.com/knkCJKn.png)

  - Assemble the array read-only (the fixed images must first be attached to loop devices, e.g. `sudo losetup -r -f --show 1.img.fix`)

```=sh
sudo mdadm --assemble --readonly --run /dev/md0 /dev/loop20 /dev/loop21
```

![](https://i.imgur.com/gQJ6o39.png)

  - Debug (inspect or tear down stale device-mapper / md state):

```=sh
sudo dmsetup table
sudo dmsetup remove_all
sudo mdadm --stop /dev/md127
```

### Find something in a picture

- Extract image metadata

```=sh
exiftool radia_perlman.jpg
```

## Online useful tools

- [Cyberchef](https://gchq.github.io/CyberChef)

## Online useful resources

### TSK Tool

> In general, the following tools take a disk or file system image as input

:::info
Common forensic workflows and tools
:::

- [TSK Tool Overview](https://wiki.sleuthkit.org/index.php?title=TSK_Tool_Overview)
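Added example, not code from the original note: the `-o 2048` passed to `fls` and `fcat` in the disk-image section above is the partition's start sector, which `mmls`/`fdisk` read out of the MBR partition table. This Python snippet does the same parse so the offset can be derived and double-checked by hand; `build_demo_mbr` is a constructed test sector, not the dds2-alpine image.

```python
import struct

SECTOR = 512   # TSK's -o and mount's offset= both assume 512-byte sectors here

def build_demo_mbr() -> bytes:
    """Constructed 512-byte MBR (not the dds2-alpine image): one bootable
    Linux (0x83) partition starting at LBA 2048, 20480 sectors long."""
    mbr = bytearray(512)
    mbr[446:462] = struct.pack("<B3sB3sII", 0x80, b"\0\0\0", 0x83, b"\0\0\0", 2048, 20480)
    mbr[510:512] = b"\x55\xaa"                       # boot signature
    return bytes(mbr)

def parse_mbr(sector0: bytes) -> list:
    """Return the in-use primary partition entries of an MBR (what mmls/fdisk print)."""
    if len(sector0) < 512 or sector0[510:512] != b"\x55\xaa":
        raise ValueError("no 0x55AA boot signature: not an MBR (GPT/raw fs?)")
    parts = []
    for i in range(4):
        off = 446 + 16 * i                           # 4 entries of 16 bytes each
        boot, _chs, ptype, _chs2, start, count = struct.unpack(
            "<B3sB3sII", sector0[off:off + 16])
        if ptype == 0:                               # empty slot
            continue
        # type 0xEE is the protective MBR of a GPT disk: use mmls/gdisk for the real table
        parts.append({"slot": i, "bootable": boot == 0x80, "type": ptype,
                      "start_sector": start, "sectors": count})
    return parts

def tsk_offset(part: dict) -> int:
    """Value for `fls -o` / `fcat -o`: TSK wants the start in sectors."""
    return part["start_sector"]

def mount_offset(part: dict) -> int:
    """Value for `mount -o ro,loop,offset=...`: the same start in bytes."""
    return part["start_sector"] * SECTOR

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read(512) if len(sys.argv) > 1 else build_demo_mbr()
    for p in parse_mbr(data):
        print(f"slot {p['slot']} type 0x{p['type']:02x} start {p['start_sector']} "
              f"len {p['sectors']} -> fls -o {tsk_offset(p)} / offset={mount_offset(p)}")
```

Run it with a real image path as the first argument to list its MBR partitions; with no argument it parses the constructed sector.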
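Added example, not part of the original note: the RAID steps above strip a 1 MiB header with `dd` and then read each member's md superblock with `mdadm --examine`. This Python script performs the header-size search and the superblock decode itself, using the v1.x `mdp_superblock_1` field layout from the Linux kernel's `md_p.h` (magic, level, layout, size, chunksize, raid_disks); the image built by `build_demo_member` is constructed for the demo and is not the page's 1.img/3.img.

```python
import struct
from typing import Optional

MD_MAGIC = 0xA92B4EFC          # mdp_superblock_1.magic, stored little-endian
MIB = 1024 * 1024
# where an md v1.x superblock sits relative to the start of the member device
SB_OFFSETS = {"1.1": 0, "1.2": 4096}

def parse_md_sb1(sb: bytes) -> Optional[dict]:
    """Decode the first 96 bytes of an md v1.x superblock; None if the magic is wrong."""
    if len(sb) < 96:
        return None
    magic, major = struct.unpack_from("<II", sb, 0)
    if magic != MD_MAGIC or major != 1:
        return None
    level, layout = struct.unpack_from("<ii", sb, 72)          # level: 0/1/5/6, -1 linear
    size, chunk, raid_disks = struct.unpack_from("<QII", sb, 80)  # sectors, sectors, count
    name = sb[32:64].split(b"\0", 1)[0].decode("ascii", "replace")
    return {"name": name, "level": level, "layout": layout,
            "data_sectors": size, "chunk_sectors": chunk, "raid_disks": raid_disks}

def find_md_member(img: bytes, max_header_mib: int = 16) -> Optional[dict]:
    """Try 1 MiB header sizes (what `dd skip=N bs=1M` strips) and both v1.x
    superblock positions; return the parsed superblock plus the header size found."""
    for header_mib in range(max_header_mib + 1):
        base = header_mib * MIB
        for version, off in SB_OFFSETS.items():
            sb = parse_md_sb1(img[base + off:base + off + 96])
            if sb:
                sb.update({"header_mib": header_mib, "sb_version": version})
                return sb
    return None

def build_demo_member() -> bytes:
    """Constructed test image: 1 MiB of junk, then a RAID1 member with a v1.2 superblock."""
    sb = bytearray(4096)
    struct.pack_into("<II", sb, 0, MD_MAGIC, 1)
    sb[32:36] = b"ctf\0"                             # set_name
    struct.pack_into("<ii", sb, 72, 1, 0)            # level=1 (RAID1), layout=0
    struct.pack_into("<QII", sb, 80, 20480, 0, 2)    # 10 MiB of data, no chunk, 2 disks
    return b"\xff" * MIB + bytes(4096) + bytes(sb) + bytes(8 * MIB)

if __name__ == "__main__":
    import sys
    img = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_demo_member()
    found = find_md_member(img)
    print("no md v1.x superblock found" if found is None else
          f"strip {found['header_mib']} MiB (dd bs=1M skip={found['header_mib']}); "
          f"md {found['sb_version']} level={found['level']} disks={found['raid_disks']}")
```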
### Volatility

- [VolatilityCheatSheet](https://github.com/volatilityfoundation/volatility/raw/gh-pages/docs/VolatilityCheatSheet.pdf)
- [Command Reference](https://github.com/volatilityfoundation/volatility/wiki/Command-Reference)
- CheatSheet

```=sh
# determine the image profile
python volatility/vol.py -f OtterCTF.vmem imageinfo
# dump LSA secrets (user password material)
python volatility/vol.py -f OtterCTF.vmem --profile=Win7SP1x64 lsadump
# list network connections
python volatility/vol.py -f OtterCTF.vmem --profile=Win7SP1x64 netscan
# find the host name (in environment variables)
python volatility/vol.py -f OtterCTF.vmem --profile=Win7SP1x64 envars
# dump a process's memory
python volatility/vol.py -f OtterCTF.vmem --profile=Win7SP1x64 memdump -p 708 -D dump/
# extract the clipboard
python volatility/vol.py -f OtterCTF.vmem --profile=Win7SP1x64 clipboard
# list the process tree
python volatility/vol.py -f OtterCTF.vmem --profile=Win7SP1x64 pstree
# find files in memory
python volatility/vol.py -f OtterCTF.vmem --profile=Win7SP1x64 filescan
# extract a file from memory (by the physical offset filescan reported)
python volatility/vol.py -f OtterCTF.vmem --profile=Win7SP1x64 dumpfiles -Q 0x000000007daad840 -D dump/
# view a process's command line
python volatility/vol.py -f OtterCTF.vmem --profile=Win7SP1x64 cmdline -p 3720
# view a process's loaded DLLs
python volatility/vol.py -f OtterCTF.vmem --profile=Win7SP1x64 dlllist -p 3720
# find the Chrome history file
python volatility/vol.py -f OtterCTF.vmem --profile=Win7SP1x64 filescan | grep -i "chrome" | grep -i "history"
# dump a process executable
python volatility/vol.py -f OtterCTF.vmem --profile=Win7SP1x64 procdump -p 3720 -D dump/
# find a byte pattern in process memory (regex passed as a YARA rule)
python volatility/vol.py -f OtterCTF.vmem --profile=Win7SP1x64 yarascan --yara-rules="/\x64(.{6,8})\x40\x06(.{18})\x5a\x0c\x00\x00/" -p 708
```

### [bitcracker](https://github.com/e-ago/bitcracker)

> BitCracker is the first open source password cracking tool for storage devices (Hard Disk, USB Pendrive, SD card, etc...)
> encrypted with BitLocker, an encryption feature available on Windows Vista, 7, 8.1 and 10 (Ultimate, Pro and Enterprise editions). BitLocker offers a number of different authentication methods to encrypt a storage device like Trusted Platform Module (TPM), Smart Card, Recovery Password, User supplied password.

- install

```=sh
git clone https://github.com/e-ago/bitcracker.git
cd bitcracker
./build.sh
```

- extract the BitLocker hash

```=sh
./build/bitcracker_hash -i '/home/forensics/Desktop/disk4/ll2'
```

### hashcat

- [wiki](https://hashcat.net/wiki/doku.php?id=hashcat)
- cheatsheet

```=sh
# crack a BitLocker hash (mode 22100)
./hashcat.bin -D 1 -m 22100 -a 0 ../hash_user_pass.txt ../rockyou.txt --force
```

### ILSpy

> ILSpy is the open-source .NET assembly browser and decompiler.

- [github](https://github.com/icsharpcode/ILSpy)

### foremost

- Carve images out of a file

```=sh
foremost dump/executable.3720.exe
```

### AccessData FTK Imager

> Quickly assess electronic evidence by obtaining forensic images of computer data, without making changes to the original evidence, all with FTK® Imager!

- [download](https://accessdata.com/product-download/ftk-imager-version-4-5)

### Autopsy

> Autopsy is a graphical interface to The Sleuth Kit and other open source digital (disk) forensics tools.

- [github](https://github.com/sleuthkit/autopsy)