Professional Documents
Culture Documents
FOR508HANDOUT SiftWkstatChtShtv3.1 E02 03
FOR508HANDOUT SiftWkstatChtShtv3.1 E02 03
Step 1 – Attach Local or Remote System Drive File System Layer Tools (Partition Information)
# ewfmount system-name.E01 /mnt/ewf
fsstat ‐Displays details about the file system
Step 2 – Mount VSS Volume # fsstat imagefile.dd
# cd /mnt/ewf
# vshadowmount ewf1 /mnt/vss Data Layer Tools (Block or Cluster)
TIME TO GO HUNTING
FOR508HANDOUT_SiftWkstatChtShtv3.1_E02_03
Mounting DD Images Creating Super Timelines Registry Parsing - Regripper
Forensic Analysis
mount -t fstype [options] image mountpoint # log2timeline.py plaso.dump [SOURCE] # rip.pl –r <HIVEFILE> –fCheat
<HIVETYPE>
Sheet
[Useful Options]
Forensics
image can be a disk partition or dd image file # psort.py plaso.dump FILTER >
supertimeline.csv -r Registry hive file to parse <HIVEFILE>
-f Use <HIVETYPE> (e.g. sam, MANDIANT
security,
[Useful Options]
software, system, ntuser) contact@mandiant.com
ro mount as read only 703.683.3141
loop mount on a loop device -l List all plugins http://www.mandiant.org
noexec do not execute files EXAMPLE: # rip.pl –r
/mnt/windows_mount/Windows/System32/config/SAM –f sam
ro mount as read only • Step 1 – Create Comprehensive Timeline
> /cases/windowsforensics/SAM.txt
loop mount on a loop device • # log2timeline.py plaso.dump
offset=<BYTES> logical drive mount /dev/sdc
show_sys_files show ntfs metafiles • Step 2 – Filter Timeline Recover Deleted Registry Keys
streams_interface=windows use ADS
• # psort.py -z "EST5EDT" –o L2tcsv
plaso.dump "date > 'YYYY-MM-DD # deleted.pl <HIVEFILE>
Example: Mount an image file at mount_location
HH:MM:SS' AND date < 'YYYY-MM-DD
# mount –o HH:MM:SS'“ > supertimeline.csv # deleted.pl
loop,ro,show_sys_files,streams_interface=window artifact not the entire image. /mnt/windows_mount/Windows/System32/config/SAM >
s imagefile.dd /mnt/windows_mount /cases/windowsforensics/SAM_DELETED.txt
FOR508HANDOUT_SiftWkstatChtShtv3.1_E02_03