Showing posts with label forensics. Show all posts
Showing posts with label forensics. Show all posts

Sunday, January 23, 2022

Making Image of A Laptop (Summary)

1.      Summary

A Forensic image is an exact copy of the hard drive. The objective is to capture the image of a hard disk bit by bit without changing even a shred of data. It should also copy the deleted data, including files that are left behind in swap and free space.

 

There are 2 types of the making image of a suspicious system.

1)    Cold copy: The system will be booted from USB sticker or DVD. And run the imager tool from the customized Linux system.

2)    Hot copy: The system installs the imager tool to make the image.

 

It is recommended to use “Cold copy” because the less changes on the suspicious system, the better.

However, in some circumstance, it is not possible to get a cold copy, hot copy can be used. And hot copy can also capture the volatile memory for analysis purpose.

 

Below introduces 3 tools. The first 2 tools are for “Cold Copy” and the last tool is for “Hot Copy”.

1)    Paladin Edge 64 (https://andyinmatrix.blogspot.com/2021/03/making-image-of-laptop.html )

2)    Kali Linux (https://andyinmatrix.blogspot.com/2022/01/making-image-of-laptop-part-2.html )

3)    FTK Imager (https://andyinmatrix.blogspot.com/2022/01/making-image-of-laptop-part-3.html )

Making Image of A Laptop (Part 3)

 

1.      Making image with FTK Imager

1.1      Description

FTK Imager is a Windows acquisition tool utilized by SANS forensics toolkits. FTK imager can create an image and paging file for windows; along with capturing volatile memory for analysis purpose.

 

1.2      Requirement

1)    USB External hard drive. Recommend 1T or greater. It will be used to save the image.

2)    Download FTK Imager (https://accessdata.com/product-download)

 

1.3      Make Image of the suspicious system

1)    Install FTK Imager and open it.

2)    Click Menu “File” > “Create Disk Image”

       


 

3)    Choose the option “Physical Drive” click in “Next”, select the drive and click "finish".



 

4)    Click “add”, Select Image Type: “Raw(dd)”. Click “Next”.



 

5)    Leave “Evidence Information” blank, click “next”



 

6)    Select the destination folder and add the name (Excluding Extension) entry with value zero for Raw, E01 and AFF Formats.



 

7)    Click “Start” and wait until the Progress finish.

 

Also refer to:

1)    Making Image of a laptop – Summary (https://andyinmatrix.blogspot.com/2022/01/making-image-of-laptop-summary.html )

2)    Paladin Edge 64 (https://andyinmatrix.blogspot.com/2021/03/making-image-of-laptop.html )

3)    Kali Linux (https://andyinmatrix.blogspot.com/2022/01/making-image-of-laptop-part-2.html )

4)    FTK Imager (https://andyinmatrix.blogspot.com/2022/01/making-image-of-laptop-part-3.html )

Making Image of A Laptop (Part 2)

1.      Making image with Kali Linux

1.1   Description

 

The first step of the incident response is to image the suspicious system and get the hash of the

DD image, which can prove the status of the suspicious system don’t get any modifications. Keep in mind that the less changes on the suspicious system, the better.

 

1.2   Requirement

1)    USB sticker, 8GB or greater. It will be used to boot the system with a customized Linux to make the image.

2)    USB External hard drive. Recommend 1TB or greater. It will be used to save the image.

3)    Download Kali ISO (https://www.kali.org/docs/introduction/download-official-kali-linux-images/ )

4)    Rufus 3.8 or later (https://rufus.ie/)

 

1.3   Make a bootable USB Sticker with Kali Linux

1)    On a test laptop (not the suspicious laptop), download Kali Linux ISO from https://www.kali.org/get-kali/#kali-bare-metal, make sure you select the correct version.

2)    Download Rufus from https://rufus.ie/

3)    Insert the USB sticker. Run Rufus, select the device and ISO file (Boot selection), leave other options as default setting. Click “Start” button to start making the bootable USB.



 

 

1.4   Make DD image of the suspicious system

 

1)    Make the suspicious computer sleep or shut it down as soon as possible to maintain the environment.

2)    Find out how to boot from a USB Stricker on the suspicious laptop. Different laptop might have different methods.

3)    Attached the Kali Linux USB sticker and boot the suspicious system from it.

4)    On the “Boot menu”, select “Live (forensic mode)”. This option is going to run the Kali without installing.



5)    Attach the external USB hard disk. The image will be saved on it.

6)    Open the “Terminal Simulator”.



7)    Run the following command

# sudo su

# fdisk -l

# dd if=/dev/nvme0n1 of=/media/kali/Fast_External/myimage.img bs=65536  conv=noerror,sync

 

Note: In this example, the computer’s disk name is “nvme0n1” and the name of external USB Hard Disk is “Fast_External” change these points according to the result of fdisk command.



Also refer to:

1)    Making Image of a laptop – Summary (https://andyinmatrix.blogspot.com/2022/01/making-image-of-laptop-summary.html )

2)    Paladin Edge 64 (https://andyinmatrix.blogspot.com/2021/03/making-image-of-laptop.html )

3)    Kali Linux (https://andyinmatrix.blogspot.com/2022/01/making-image-of-laptop-part-2.html )

4)    FTK Imager (https://andyinmatrix.blogspot.com/2022/01/making-image-of-laptop-part-3.html )

 


Thursday, January 6, 2022

Windows File operation during IR

 

Windows File operation during IR (Incident Response)

 

(Just for my references)

Sort files by date

 

dir *.* /s /O:D > c:\temp\filelist.txt

dir /O:-D: sort by time, newer to older

 

Show file ownership

dir *.exe /ah /q

 

Search file using Where command:

WHERE /R c:\windows *.exe *.dll *.bat

 

File Property

Powershell:

Get-ItemProperty -Path .\test.exe | Format-list -Property * -Force

Get-Item .\test.exe | select-object -Property *

Get-acl .\test.exe | select-object -Property *

 

Search files with modified day

Command line: (new files since 2021-12-21)

forfiles.exe /D +2021-12-21 /S /C "cmd.exe /c IF @isdir==FALSE dir /q @file"

If you got “ERROR: Invalid date specified.”, type "FORFILES /?" to find out the correct date format.

 

PowerShell: (new files since 10 days ago)

$time = (Get-Date).AddDays(-10)

Get-ChildItem c:\windows -Recurse | Where-Object {$_.LastWriteTime -gt $time}

 

Get file hash

Command line: certutil.exe -hashfile c:\test.exe sha256

Powershell: Get-FileHash c:\test.exe | Format-List

 

Delete file / folder

Below commands delete all *.txt files under c:\temp folder and subfolder older than 10 days. Save it as a .bat file and run it:

Set "Target=c:\temp\"

Set "daysold=10"

If Exist "%Target%" (

 rem ECHO Y| Icacls %Target% /T /C /grant Administrators:F

"forfiles.exe" /p "%Target%" /M *.txt /d -%daysold% /c "cmd /c if @isdir==FALSE del @file /q"

)

 

Below commands delete all $Recycle.Bin folder under c:\temp folder and subfolder older than 10 days. Save it as a .bat file and run it:

Set "Target=C:\temp\$Recycle.Bin"

Set "daysold=10"

If Exist "%Target%" (

"forfiles.exe" /p "%Target%" /d -%daysold% /c "cmd.exe /c IF @isdir==TRUE RD @Path /S /Q"

)

 

Another example:

Rem if starting from c:\, use c:\\, “c:\” doesn’t seem to work

Set "Target=c:\\"

If Exist "%Target%" (

 "forfiles.exe" /p "%Target%" /S /M $Recycle.Bin /c "cmd /c attrib @file -S -H +A"

 "forfiles.exe" /p "%Target%" /S /M $Recycle.Bin /c "cmd /c rmdir @file /s /q"

)

 

 

Below commands delete all files under c:\temp folder and subfolder older than 10 days. Save it as a .bat file and run it:

 

$DateToDelete = 10

$StartFolder = "c:\temp"

dir $StartFolder -Recurse -Force -ea 0 | ?{!$_.PsIsContainer -and $_.LastWriteTime -lt (Get-Date).AddDays(-$DateToDelete)} | rmdir -Force

 

Monday, March 15, 2021

Making Image of A Laptop (Part 1)

1.     Description

The first step of the incident response is to image the suspicious system and get the hash of the DD image, which can prove the status of the suspicious system don’t get any modifications. Keep in mind that the less changes on the suspicious system, the better.

2.     Requirement

1)    USB sticker, 8G or greater. It will be used to boot the system with a customized Linux to make the image.

2)    USB External hard drive. Recommend 1T or greater. It will be used to save the image.

3)    PALADIN EDGE 64 (Version 8.01) ISO (https://sumuri.com/product/paladin-edge-64-bit/). The tool is available for FREE. However, it is highly recommended a donation to support the project.

4)    Rufus 3.8 or later (https://rufus.ie/)

 

3.     Make a bootable USB Sticker with Paladin Edge tool

1)    On a test laptop (not the suspicious laptop), download Paladin Edge 64-bit ISO from https://sumuri.com/product/paladin-edge-64-bit/

2)    Download Rufus from https://rufus.ie/

3)    Insert the USB sticker. Run Rufus, select the device and ISO file (Boot selection), leave other options as default setting. Click “Start” button to start making the bootable USB.


 

4.     Make DD image of the suspicious system

DD file is a disk image file and replica of a hard disk drive. It is widely used on Forensics investigation.

Keep in mind that the less changes on the suspicious system, the better.

 

1)    Shutdown the suspicious computer or make it sleep as soon as possible to maintain the environment.

2)    Find out how to boot from a USB drive on the suspicious laptop. Different laptop might have different methods.

3)    Use the ThinkPad T480s as the example:

4)    Attach the USB sticker to the system via any available USB port.

5)    Power on the system. Press F12 immediately as the Thinkpad logo appears.

6)    There should be a pop-up menu with a list of choices. Select the USB drive using the arrow key and press Enter.


 

7)    The system should now boot from the USB sticker (if not, try to disable “secure boot” on BIOS setup).


 

8)    On the screen, select the first option: “Sumuri Paladin Live Session – Forensic Mode” and press Enter.


 

9)    Wait until the OS loaded. Connect the External Hard Disk to an available USB port.

10) Click the first icon “Paladin Toolbox” 


 

11) There might be a warning about the time synchronization. Adjust the host system time if needed. Click OK button to continue.


 

12) Click “Source” dropdown list, select the Laptop’s hard drive.


 

13) Click “Image Type” dropdown list, select “DD(RAW)”


 

14) Click “Destination” dropdown list, select the External Hard drive.


 

15) Enter the label name, and click “Start”

16) After image is done. Open the .log.hashes to check the hash

17) Now you have a DD image with the hash. You can mount it as read-only hard drive to perform the forensics.

Also refer to:

1)    Making Image of a laptop – Summary (https://andyinmatrix.blogspot.com/2022/01/making-image-of-laptop-summary.html )

2)    Paladin Edge 64 (https://andyinmatrix.blogspot.com/2021/03/making-image-of-laptop.html )

3)    Kali Linux (https://andyinmatrix.blogspot.com/2022/01/making-image-of-laptop-part-2.html )

4)    FTK Imager (https://andyinmatrix.blogspot.com/2022/01/making-image-of-laptop-part-3.html )