Forensic

Author @plozzz54

Create a forensic USB key

Plug your USB key into your computer.
Be sure to have libelf installed on your system:

sudo apt install libelf-dev

In the following commands we assume that your USB key is mounted at /mnt/usb.

cd /mnt/usb/
mkdir forensic_dump_tools
cd forensic_dump_tools
git clone https://github.com/halpomeranz/lmg.git .
git clone https://github.com/504ensicsLabs/LiME.git lime
cd lime/src
patch < ../../lime-Makefile.patch
cd -
tar xf static-dwarfdump.tgz
git clone https://github.com/volatilityfoundation/volatility.git

Your forensic key is now ready. If you have problems or need more details to install your forensic USB key, you can read the /mnt/usb/forensic_dump_tools/INSTALL file, which contains all the installation information.

Memory dump creation

Windows

Download DumpIt, put it on a USB key, plug this USB key into the victim computer and execute dumpit.exe with administrator rights.

dumpit.exe

Linux

Plug your USB key.
If your USB key mounts automatically, be sure the device is mounted with exec rights:

sudo mount -o remount,exec /dev/sdb1 

If your USB key doesn’t mount automatically:

sudo mount -o exec /dev/sdb1 /mnt/usb

Memory dump:

sudo /mnt/usb/forensic_dump_tools/lmg -y

When this command completes, you can find the memory dump and the volatility profile in /mnt/usb/forensic_dump_tools/capture/{compromised_device_name-date}.
Archive and encrypt this directory with 7zip:

sudo apt install p7zip-full p7zip-rar
7za a -tzip -p<password> -mem=AES256 zipname.zip /mnt/usb/forensic_dump_tools/capture/{compromised_device_name-date}/*

Linux with volatility’s profile

to complete

Virtual box

https://www.andreafortuna.org/dfir/forensics/how-to-extract-a-ram-dump-from-a-running-virtualbox-machine

Volatility

to complete

How to get MFT

With Volatility

to complete

With Bulk-extractor

to complete

With icat and analyzeMFT

From the disk image, use mmls to display the partition layout of the volume system:

mmls image.E01
	DOS Partition Table
	Offset Sector: 0
	Units are in 512-byte sectors
	      Slot      Start        End          Length       Description
	000:  Meta      0000000000   0000000000   0000000001   Primary Table (#0)
	001:  -------   0000000000   0000000062   0000000063   Unallocated
	002:  000:000   0000000063   0035551844   0035551782   NTFS / exFAT (0x07)
	003:  -------   0035551845   0035567909   0000016065   Unallocated

Next, use icat to extract the MFT. The NTFS partition starts at sector 63 (the Start column of the mmls output), so that is the offset to pass; on NTFS the $MFT is metadata address 0:

icat -o 63 image.E01 0 > mft.raw

Then parse the MFT file with analyzeMFT.py, which can write the results in several formats (here CSV):

analyzeMFT.py -f mft.raw -o mftanalyzed.csv
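The three steps above chained into one shell function, as an added example that is not part of the original page: it reads the NTFS start sector out of the mmls output instead of copying 63 by hand, then runs icat and analyzeMFT.py. The function names (ntfs_start_sector, extract_mft, sample_ntfs_offset) and the sha256 step are my additions; the embedded sample is the mmls output shown above, so the parser can be checked without a disk image.

```shell
#!/bin/sh
# Added example, not from the original page. Assumes The Sleuth Kit (mmls, icat)
# and analyzeMFT.py are on PATH when extract_mft is run against a real image.

# Print the start sector of the first NTFS partition in mmls output read from
# stdin. Prints nothing and returns 1 when no NTFS partition is listed.
ntfs_start_sector() {
    awk '
        # Data rows look like:
        # 002:  000:000   0000000063   0035551844   0035551782   NTFS / exFAT (0x07)
        # Matching on the description skips the Meta and Unallocated rows.
        /^ *[0-9][0-9]*:/ && /NTFS/ { print $3 + 0; found = 1; exit }
        END { exit !found }
    '
}

# Pipeline: mmls -> icat (metadata address 0 is $MFT on NTFS) -> analyzeMFT.py
# Usage: extract_mft image.E01 [outdir]
extract_mft() {
    image=$1
    outdir=${2:-.}
    start=$(mmls "$image" | ntfs_start_sector) || {
        echo "no NTFS partition found in $image" >&2
        return 1
    }
    icat -o "$start" "$image" 0 > "$outdir/mft.raw" || return 1
    # Hash the extracted MFT so the evidence can be verified later.
    sha256sum "$outdir/mft.raw" > "$outdir/mft.raw.sha256"
    analyzeMFT.py -f "$outdir/mft.raw" -o "$outdir/mftanalyzed.csv"
}

# Constructed sample: the mmls output from this page, for an offline check.
SAMPLE_MMLS='DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors
      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Primary Table (#0)
001:  -------   0000000000   0000000062   0000000063   Unallocated
002:  000:000   0000000063   0035551844   0035551782   NTFS / exFAT (0x07)
003:  -------   0035551845   0035567909   0000016065   Unallocated'

# Parses the sample table; prints 63.
sample_ntfs_offset() {
    printf '%s\n' "$SAMPLE_MMLS" | ntfs_start_sector
}
```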

MFT Analyze

to complete

PDF

to complete

HD Acquisition

FTK imager