🧩Forensics

Tools

On Premise

• SaferWall : https://github.com/saferwall/saferwall

• Cuckoo : https://cuckoo.sh/docs/installation/index.html

• Noriben (Python, Sysmon) : https://github.com/Rurik/Noriben

Online

• Virus Total : https://virustotal.com

• Any Run : https://any.run/

• Cuckoo : https://cuckoo.cert.ee/

• Cape Sandbox : https://capesandbox.com/

Image analysis

Aperi'Solve

Aperi'Solve - Steganography Analysiswww.aperisolve.com

Ghiro

Ghiro is a fully automated tool designed to run forensics analysis over a massive amount of images, just using an user friendly and fancy web application.

Set Up

Download Ghiro

Usage

Forensic Investigation: Ghiro for Image AnalysisHacking Articles

Username: ghiro

Password: ghiromanager

Stereograms

An autostereogram (also known as Magic Eye) is a 2D image designed to create the illusion of 3D. In each image, there is a 3D object that can only be viewed by looking at the image a certain way, as if the screen was transparent and you looked at the wall behind it.

Stereogram solverpiellardj.github.io

Disk Image Analysis

Autopsy Tool

Autopsy is an open-source tool that is used to perform forensic operations on the disk image of the evidence.

Set Up

Autopsy - DownloadAutopsy

Usage

General

• Foremost : deleted files retrieval

• Photorec : deleted files retrieval

Linux

• dcfldd : acquisition tool (enhanced dd)

• dc3dd : acquisition tool (enhanced dd)

Windows

• FTK Imager : disk and RAM acquisition under Windows

• sleuthkit : NTFS analysis

Memory Analysis

Volatility

Volatility is a tool that can be used to analyze a volatile memory of a system. You can inspect processes, look at command history, and even pull files and passwords from a system without even being on the system.

Installation

Useful commands

Detect malicious files

In volatility, there exists an attribute named malfind. This is actually an inbuilt plugin and can be used for malicious process detection.

USB Forensics

Universal Serial Bus flash drives, commonly known as USB flash drives are the most common storage devices which can be found as evidence in Digital Forensics Investigation. The digital forensic investigation involves following a defined procedure for investigation which needs to be performed in such a manner that the evidence isn’t destroyed.

Tutorials

USB Forensics: Detection & InvestigationHacking Articles

Binary Analysis

Windows

• PE Studio

• PEiD : packer identification on Windows binary

• Procmon.exe (from Sysinternals) : Monitoring of API used by malwares, registry base monitoring

• Sysmon.exe (from Sysinternals) : Executable file behavior analysis

Linux

• binwalk : Analyze headers / magic numbers

Network Analysis

• Suricata : IDS and OCAP analysis

• https://www.snort.org/ : IDS

• Network Miner (not free) : PCAP analysis

• https://packetlife.net/ : filter for tcpdump and wireshark

• Moloch

Mobile Analysis

GitHub - mvt-project/mvt: MVT (Mobile Verification Toolkit) helps with conducting forensics of mobile devices in order to find signs of a potential compromise.GitHub

Phishing Analysis

GitHub - emalderson/ThePhish: ThePhish: an automated phishing email analysis toolGitHub