Author @plozzz54

Create a forensic USB key

Plug your USB key into your computer.
Make sure libelf is installed on your system (it is needed to build the LiME kernel module):

sudo apt install libelf-dev

In the following commands we assume that your USB key is mounted on /mnt/usb.

cd /mnt/usb/
mkdir forensic_dump_tools
cd forensic_dump_tools
git clone .
git clone lime
cd lime/src
patch < ../../lime-Makefile.patch
cd -
tar xf static-dwarfdump.tgz
git clone

Your forensic key is now ready. If you have problems or need more detail about installing your forensic USB key, read the /mnt/usb/forensic_dump_tools/INSTALL file, which contains all the installation information.

Memory dump creation


On a Windows target: download DumpIt, put it on a USB key, plug this USB key into the victim computer and run dumpit.exe with administrator rights.


On a Linux target: plug in your forensic USB key.
If your USB key mounts automatically, make sure the device is mounted with exec permission (removable media is often mounted noexec, which would prevent lmg from running):

sudo mount -o remount,exec /dev/sdb1

If your USB key doesn't mount automatically:

sudo mount -o exec /dev/sdb1 /mnt/usb

Memory dump:

sudo /mnt/usb/forensic_dump_tools/lmg -y

When this command finishes, you can find the memory dump and the Volatility profile in /mnt/usb/forensic_dump_tools/capture/{compromised_device_name-date}.
Archive and encrypt this directory with 7zip (7za needs the archive name before the files to add; giving the password with -p on the command line leaves it in your shell history, so you may prefer a bare -p, which prompts for it):

sudo apt install p7zip-full p7zip-rar
7za a -tzip -p<password> -mem=AES256 /mnt/usb/forensic_dump_tools/capture/{compromised_device_name-date}.zip /mnt/usb/forensic_dump_tools/capture/{compromised_device_name-date}/*
Virtual box

How to get MFT

With icat and analyzeMFT

From the disk image, use mmls to display the partition layout of the volume system:

mmls image.E01
	DOS Partition Table
	Offset Sector: 0
	Units are in 512-byte sectors
	      Slot      Start        End          Length       Description
	000:  Meta      0000000000   0000000000   0000000001   Primary Table (#0)
	001:  -------   0000000000   0000000062   0000000063   Unallocated
	002:  000:000   0000000063   0035551844   0035551782   NTFS / exFAT (0x07)
	003:  -------   0035551845   0035567909   0000016065   Unallocated

Next, use icat to extract the $MFT. The NTFS partition starts at sector 63 (the Start column of the NTFS / exFAT row above), and the $MFT is always MFT entry (inode) 0:

icat -o 63 image.E01 0 > mft.raw

Then parse the extracted MFT file with analyzeMFT to get the results as a CSV (analyzeMFT can also write other formats):

analyzeMFT.py -f mft.raw -o mftanalyzed.csv
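As an added example (not part of the original page), a small POSIX shell script that reads the NTFS partition start sector out of mmls output, so the offset passed to icat is not copied by hand. The embedded mmls listing is the one shown above; mmls and icat from The Sleuth Kit are assumed to be installed for a real run, and the script falls back to a dry run otherwise.

```shell
#!/bin/sh
# Added example: derive the NTFS partition start sector from mmls output and
# carve $MFT (MFT entry 0) with icat. Not from the original page.

# Constructed sample: the mmls output shown above, embedded so the parser
# can be exercised offline.
SAMPLE_MMLS='DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors
      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Primary Table (#0)
001:  -------   0000000000   0000000062   0000000063   Unallocated
002:  000:000   0000000063   0035551844   0035551782   NTFS / exFAT (0x07)
003:  -------   0035551845   0035567909   0000016065   Unallocated'

# Print the Start sector of the first NTFS / exFAT (0x07) partition in mmls
# output read from stdin. Leading zeros are stripped so icat gets a plain
# number. Exits 1 if the image has no such partition.
ntfs_start_sector() {
    awk '/NTFS/ { sub(/^0+/, "", $3); if ($3 == "") $3 = 0; print $3; found = 1; exit }
         END { if (!found) exit 1 }'
}

# Compose the extraction command for an image and a partition offset.
# On an NTFS volume $MFT is always MFT entry (inode) 0.
mft_extract_cmd() {
    printf 'icat -o %s %s 0 > mft.raw' "$2" "$1"
}

# Run mmls on a real image when The Sleuth Kit is present; otherwise use the
# embedded sample and only print the command that would be run.
extract_mft() {
    image="$1"
    if command -v mmls >/dev/null 2>&1 && [ -f "$image" ]; then
        offset=$(mmls "$image" | ntfs_start_sector) || {
            echo "no NTFS partition found in $image" >&2
            return 1
        }
        icat -o "$offset" "$image" 0 > mft.raw
    else
        offset=$(printf '%s\n' "$SAMPLE_MMLS" | ntfs_start_sector) || return 1
        echo "(dry run) $(mft_extract_cmd "$image" "$offset")"
    fi
}
```

Run it as `extract_mft image.E01`; on a real image it writes mft.raw next to the script, ready for analyzeMFT.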