🧩Forensics
Tools
On Premise
Saferwall : https://github.com/saferwall/saferwall (self-hosted malware analysis platform)
Noriben : https://github.com/Rurik/Noriben (Python script that drives Sysinternals Procmon to record the file, registry, network and process activity of a sample)
Online
Online sandboxes share whatever you upload with the vendor and often with other customers, so check your disclosure policy before submitting a sample that may be targeted or contain client data.
VirusTotal : https://virustotal.com
Any.Run : https://any.run/
Cuckoo : https://cuckoo.cert.ee/
CAPE Sandbox : https://capesandbox.com/
Image analysis
Aperi'Solve
# usage on the command line (review the installer before running it: it is fetched over HTTPS and piped straight into a root shell)
sudo sh -c "$(curl -fs https://www.aperisolve.com/install.sh)"
aperisolve <image>
Ghiro
Ghiro is a fully automated tool designed to run forensic analysis over a large number of images from a user-friendly web application.
Set Up
Usage
Username: ghiro
Password: ghiromanager
These are the defaults of the Ghiro appliance; change them before putting the instance on a shared network.
Stereograms
An autostereogram (also known as Magic Eye) is a 2D image of a repeating pattern whose repeat distance varies slightly from place to place. Viewed with the eyes focused behind the image, as if the screen were transparent and you were looking at the wall behind it, those variations fuse into a 3D object. In challenges the hidden object is usually text. Solvers recover it without the eye trick by overlaying the image on a copy of itself shifted by the pattern period: wherever the local shift differs, the overlay stops matching and the object stands out.
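The shift-and-compare trick above, as an added example that is not part of the original page or of any solver it names. The depth map, image size and 20-pixel period are constructed assumptions; the encoder builds a random-dot stereogram from the depth map, and the decoder recovers the depth map by testing, pixel by pixel, which shift makes the pixel equal to the one that far to its left.

```python
import random

# Constructed parameters for the example (assumptions, not from the page):
# an 80x24 "image" whose pattern repeats every 20 pixels and hides a
# raised rectangle of depth 5.
WIDTH, HEIGHT, PERIOD, MAX_DEPTH = 80, 24, 20, 6


def make_depth_map(width=WIDTH, height=HEIGHT):
    """Constructed depth map: 0 = background, 5 = a raised rectangle."""
    depth = [[0] * width for _ in range(height)]
    for y in range(8, 16):
        for x in range(30, 50):
            depth[y][x] = 5
    return depth


def encode(depth, period=PERIOD, seed=1):
    """Build a random-dot autostereogram from a depth map.

    Each pixel copies the pixel (period - depth) positions to its left;
    fresh random values seed the pattern where nothing lies that far left.
    A raised region therefore repeats with a slightly shorter period, which
    is what the eyes fuse into a nearer surface.
    """
    rng = random.Random(seed)
    img = []
    for depth_row in depth:
        row = []
        for x, d in enumerate(depth_row):
            shift = period - d
            row.append(row[x - shift] if x >= shift else rng.getrandbits(32))
        img.append(row)
    return img


def decode(img, period=PERIOD, max_depth=MAX_DEPTH):
    """Recover the depth map with the shift-and-compare trick solvers use.

    For each pixel, try the candidate shifts from the full period downwards
    and report the depth whose shift makes the pixel equal to the pixel that
    far to its left. Pixels closer than one period to the left edge cannot
    be compared and are reported as background.
    """
    recovered = []
    for row in img:
        out = [0] * len(row)
        for x in range(period, len(row)):
            for d in range(max_depth + 1):
                if row[x] == row[x - (period - d)]:
                    out[x] = d
                    break
        recovered.append(out)
    return recovered


def render(depth):
    """ASCII view of a depth map: '#' where the surface is raised."""
    return "\n".join("".join("#" if d else "." for d in row) for row in depth)


if __name__ == "__main__":
    original = make_depth_map()
    recovered = decode(encode(original))
    print(render(recovered))
    print("hidden shape recovered exactly:", recovered == original)
```

The example uses 32-bit random pixel values so that accidental matches are negligible; real images have 8-bit channels and repeated textures, which is why practical solvers also compare neighbouring rows or take a majority over a small window before deciding a pixel's shift.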
Disk Image Analysis
Autopsy Tool
Autopsy is an open-source graphical front end to The Sleuth Kit used to examine disk images of the evidence: file system browsing, deleted file recovery, timelines, keyword search and carving.
Set Up
Usage

General
Linux
Windows
FTK Imager : disk and RAM acquisition under Windows; also mounts images read-only and verifies them with MD5/SHA-1 hashes
The Sleuth Kit (sleuthkit) : command-line file system analysis (NTFS, FAT, exFAT, ext2/3/4, HFS+ and more) on Linux and Windows: mmls lists partitions, fls lists files (including deleted ones), icat extracts a file by inode
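The first step on a raw disk image is finding where each volume starts, which is what mmls does. As an added example (not code from the page or from The Sleuth Kit), this parses the MBR partition table of sector 0: four 16-byte entries at offset 446, each with a status byte, a type byte and little-endian 32-bit start LBA and sector count, behind a 0x55AA boot signature. The sample MBR and the partition-type table are constructed for the example.

```python
import struct

# Partition type bytes an examiner meets most often (assumed table, not exhaustive).
PART_TYPES = {
    0x05: "Extended", 0x07: "NTFS/exFAT", 0x0B: "FAT32", 0x0C: "FAT32 (LBA)",
    0x0F: "Extended (LBA)", 0x82: "Linux swap", 0x83: "Linux", 0xEE: "GPT protective",
}


def build_sample_mbr():
    """Constructed 512-byte MBR: a bootable NTFS volume followed by a Linux one."""
    entries = [  # (status, type, first LBA, sector count)
        (0x80, 0x07, 2048, 204800),
        (0x00, 0x83, 206848, 409600),
    ]
    table = b"".join(
        # CHS fields are filled with the usual 0xFE 0xFF 0xFF placeholder
        struct.pack("<B3sB3sII", status, b"\xfe\xff\xff", ptype, b"\xfe\xff\xff", lba, count)
        for status, ptype, lba, count in entries
    )
    table += b"\x00" * (16 * (4 - len(entries)))  # unused entries
    return b"\x00" * 446 + table + b"\x55\xaa"


def parse_mbr(sector, sector_size=512):
    """Parse the four primary partition entries at offset 446 of sector 0."""
    if len(sector) < 512 or sector[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature: not an MBR")
    parts = []
    for i in range(4):
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", sector, 446 + 16 * i)
        if ptype == 0:
            continue  # empty slot
        parts.append({
            "slot": i,
            "bootable": status == 0x80,
            "type": PART_TYPES.get(ptype, f"unknown (0x{ptype:02x})"),
            "start_sector": lba,
            "sectors": count,
            "byte_offset": lba * sector_size,  # where the volume begins in the image
        })
    return parts


if __name__ == "__main__":
    for p in parse_mbr(build_sample_mbr()):
        print(f"slot {p['slot']}: {p['type']:<16} start sector {p['start_sector']:>8} "
              f"({p['sectors']} sectors, byte offset {p['byte_offset']}) bootable={p['bootable']}")
```

The start sector is the value mmls prints and the value fls and icat expect in -o. A single partition of type 0xEE means the disk is GPT-formatted and the real table is in the GPT header at LBA 1, which this parser does not read.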
Memory Analysis
Volatility
Volatility is a framework for analysing the volatile memory (RAM) of a system from a memory dump. Without touching the live system you can list processes and their parent/child relations, recover command history and network connections, and extract files, registry hives and credentials from the dump.
Installation
# volatility3 (Python 3; the actively maintained branch)
git clone https://github.com/volatilityfoundation/volatility3.git
cd volatility3
pip3 install -e .
python3 vol.py -h
# or install the release from PyPI, which provides the vol command: pip3 install volatility3
# volatility2 (Python 2 only, no longer maintained; still needed for some older plugins)
# Standalone executables: https://www.volatilityfoundation.org/26
git clone https://github.com/volatilityfoundation/volatility.git
cd volatility
python2 setup.py install
Useful commands (Volatility 2 syntax; Volatility 3 needs no --profile and names plugins by OS, e.g. windows.pslist, windows.pstree, windows.netscan, windows.cmdline, windows.registry.hivelist, windows.registry.printkey, windows.malfind)
# image info: suggested profiles for --profile (use kdbgscan if imageinfo is unsure)
volatility -f file.mem imageinfo
# hives and registry key values
volatility -f file.mem --profile=MyProfile hivelist
volatility -f file.mem --profile=MyProfile printkey -K "MyPath"
# processes
volatility -f file.mem --profile=Win7SP1x64 pslist
# parent/child relations between processes
volatility -f file.mem --profile=Win7SP1x64 pstree
# programs that have been executed (AppCompat / Shimcache entries), not only those still running
volatility -f file.mem --profile=Win7SP1x64 shimcache > shimcache.txt
# network connections and listening sockets (Vista and later)
volatility -f file.mem --profile=Win7SP1x64 netscan > output_netscan.txt
# connections and sockets on XP / Server 2003 (these two plugins do not work on later versions, so they need an XP profile)
volatility -f file.mem --profile=WinXPSP3x86 connscan
volatility -f file.mem --profile=WinXPSP3x86 sockets
# command-line arguments of each process, and console input/output history
volatility -f file.mem --profile=Win7SP1x64 cmdline
volatility -f file.mem --profile=Win7SP1x64 consoles
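Reading pslist and pstree output by hand means checking every core Windows process against the parent it should have. As an added example (not from the page or from Volatility), this parses a constructed sample of Volatility 2 pslist output and flags processes whose parent is not the expected one, plus duplicates of processes that must exist exactly once; the expected-parent table is for Windows Vista and later (on XP, lsass.exe and services.exe are children of winlogon.exe). All offsets, PIDs and timestamps in the sample are invented.

```python
# Constructed sample of `volatility ... pslist` output in the Volatility 2
# column layout; offsets, PIDs and timestamps are invented for this example.
PSLIST_OUTPUT = """\
Offset(V)          Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0xfffffa8000ca0040 System                    4      0     88      574 ------      0 2023-01-10 08:00:01 UTC+0000
0xfffffa8001a1b060 smss.exe                264      4      2       29 ------      0 2023-01-10 08:00:02 UTC+0000
0xfffffa8001b2c3e0 csrss.exe               352    340      9      446      0      0 2023-01-10 08:00:03 UTC+0000
0xfffffa8001b6e7c0 wininit.exe             392    340      3       77      0      0 2023-01-10 08:00:03 UTC+0000
0xfffffa8001c0f910 services.exe            488    392      8      214      0      0 2023-01-10 08:00:04 UTC+0000
0xfffffa8001c3b540 lsass.exe               496    392      6      662      0      0 2023-01-10 08:00:04 UTC+0000
0xfffffa8001d52b30 svchost.exe             600    488     10      351      0      0 2023-01-10 08:00:05 UTC+0000
0xfffffa8002101060 explorer.exe           1328   1304     21      819      1      0 2023-01-10 08:01:12 UTC+0000
0xfffffa8002390b30 svchost.exe            2244   1328      3       58      1      1 2023-01-10 08:14:37 UTC+0000
0xfffffa80023a6a40 lsass.exe              2312   2244      1       17      1      0 2023-01-10 08:14:40 UTC+0000
"""

# "Know normal, find evil": who should start the core Windows processes
# (Vista and later). csrss.exe and wininit.exe are spawned by a session
# smss.exe that exits immediately, so their parent usually has no live entry
# and is not checked here.
EXPECTED_PARENT = {
    "smss.exe": "System",
    "services.exe": "wininit.exe",
    "lsass.exe": "wininit.exe",
    "svchost.exe": "services.exe",
}
SINGLETONS = ("wininit.exe", "services.exe", "lsass.exe")  # exactly one of each


def parse_pslist(text):
    """Return one dict per process row (rows start with the EPROCESS offset)."""
    procs = []
    for line in text.splitlines():
        if not line.startswith("0x"):
            continue  # header, separator or blank line
        fields = line.split()
        procs.append({"name": fields[1], "pid": int(fields[2]), "ppid": int(fields[3])})
    return procs


def triage(procs):
    """Flag processes with an unexpected parent and duplicated singletons."""
    by_pid = {p["pid"]: p for p in procs}
    findings = []
    for p in procs:
        expected = EXPECTED_PARENT.get(p["name"])
        if expected is None:
            continue
        parent = by_pid.get(p["ppid"])
        parent_name = parent["name"] if parent else "<no live parent>"
        if parent_name != expected:
            findings.append(f"{p['name']} (PID {p['pid']}) has parent {parent_name} "
                            f"(PID {p['ppid']}), expected {expected}")
    for name in SINGLETONS:
        n = sum(1 for p in procs if p["name"] == name)
        if n > 1:
            findings.append(f"{n} instances of {name}, expected exactly one")
    return findings


if __name__ == "__main__":
    for finding in triage(parse_pslist(PSLIST_OUTPUT)):
        print("SUSPICIOUS:", finding)
```

The parser assumes the Volatility 2 column order; Volatility 3's windows.pslist prints PID, PPID and ImageFileName as the first three columns, so swap the field indices accordingly. A parent that has already exited still appears in pstree with its PID only, which is why the check reports "no live parent" rather than guessing a name.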
Detect malicious files
malfind is a built-in plugin that looks for injected or hidden code: memory regions that are executable and writable (typically PAGE_EXECUTE_READWRITE) but not backed by a file on disk. Check each hit by hand: a region starting with an MZ header or containing a plausible disassembly is a strong sign of injection, while JIT-compiled code (browsers, .NET) produces benign hits.
volatility -f file.mem --profile=Win7SP1x64 malfind -p $PID -D <Output_Location>
# dump the executable of the infected process for static analysis
volatility -f file.mem --profile=Win7SP1x64 procdump -p 3496 --dump-dir $dumpfolder
USB Forensics
USB flash drives are among the most common storage devices found as evidence in a digital forensic investigation. Follow a defined procedure so the evidence is not altered: acquire the drive through a write blocker, image it and hash the image before analysing a copy. On Windows hosts the registry (SYSTEM\CurrentControlSet\Enum\USBSTOR) and C:\Windows\INF\setupapi.dev.log record which devices were plugged in and when.
Tutorials
Binary Analysis
Windows
PEiD : packer and compiler identification for Windows binaries (by signature)
Procmon.exe (from Sysinternals) : live monitoring of the file, registry, process/thread and network activity of a running sample
Sysmon.exe (from Sysinternals) : system service that logs process creation (with hashes and command lines), network connections and file changes to the Windows event log for later review
Linux
binwalk : scan a file for embedded files and code by signature (magic numbers) and carve them out (binwalk -e)
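The signature scan that binwalk performs, as an added example that is not code from the page or from binwalk. The signature table, the fake JPEG carrier and the appended ZIP archive are constructed for the example: the scanner reports every offset where a known magic number occurs, and the carver cuts the blob from the ZIP signature onwards and reads the archive members, which is the manual equivalent of binwalk -e for this case.

```python
import io
import zipfile

# File signatures (magic numbers) found at offset 0 of the embedded file.
# Very short magics such as "MZ" are omitted because they match far too
# often without further validation of the header that follows.
SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
    b"PK\x03\x04": "zip",
    b"\x7fELF": "elf",
    b"%PDF": "pdf",
    b"\x1f\x8b": "gzip",
}

# Constructed carrier: a fake JPEG header followed by filler "image data".
FAKE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01" + b"\x00" * 64
NOTE = b"text hidden after the picture, constructed for this example"


def build_sample():
    """Return the carrier bytes with a ZIP archive appended after the JPEG."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("note.txt", NOTE)
    return FAKE_JPEG + buf.getvalue()


def scan(blob):
    """Binwalk-style signature scan: every (offset, type) where a magic occurs."""
    hits = []
    for offset in range(len(blob)):
        for magic, kind in SIGNATURES.items():
            if blob.startswith(magic, offset):
                hits.append((offset, kind))
    return hits


def extract_zip(blob, offset):
    """Carve from the ZIP signature to the end of the blob and read the members."""
    with zipfile.ZipFile(io.BytesIO(blob[offset:])) as zf:
        return {name: zf.read(name) for name in zf.namelist()}


if __name__ == "__main__":
    blob = build_sample()
    for offset, kind in scan(blob):
        print(f"0x{offset:08x}  {kind}")
        if kind == "zip":
            for name, data in extract_zip(blob, offset).items():
                print(f"  carved {name}: {data!r}")
```

Carving to the end of the blob is enough when the archive is the last thing in the file; when several files are appended one after another, parse each format's own length fields (the ZIP end-of-central-directory record, the PNG IEND chunk) to find where the embedded file really ends.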
Network Analysis
Suricata : IDS/IPS that can also replay PCAP files through its rule set (suricata -r file.pcap)
https://www.snort.org/ : IDS
NetworkMiner : PCAP analysis (free edition; the Professional edition is paid)
https://packetlife.net/ : cheat sheets with tcpdump and Wireshark filters
Mobile Analysis
Phishing Analysis