TSK – fls

Digital Forensics with The Sleuth Kit - fls

In The Sleuth Kit (TSK), “fls” is a command line tool used to recover or display information about the files and directories in a given image or file system. “fls” works by reading the file system metadata, such as the file allocation table (FAT) or inode tables, to locate the files and directories of interest. The tool then generates a list of file and directory names, along with other relevant information such as timestamps, inode numbers, and file sizes.

The “fls” tool is commonly used in digital forensics and incident response to quickly locate specific files or directories within an image or file system, or to generate a directory tree for analysis. The output of “fls” can be used in conjunction with other tools, such as “icat”, to recover or display the contents of specific files.

The Sleuth Kit Tools

TSK – fsstat

Digital Forensics with The Sleuth Kit - fsstat

In The Sleuth Kit (TSK), “fsstat” is a command line tool that provides information about the file system structure and metadata of a given image or file system. The “fsstat” command works by analyzing the file system metadata, such as the file system’s superblock and inode tables, to extract information about the file system layout, block size, total size, and other relevant details.

This information is then displayed to the user, providing a high-level overview of the file system and its characteristics. “fsstat” is commonly used in digital forensics and incident response to quickly gain an understanding of the file system and to identify any unusual or suspicious characteristics that may indicate a security incident.


TSK – icat

Digital Forensics with The Sleuth Kit - icat

In The Sleuth Kit (TSK), “icat” is a command line tool used to recover or display the contents of a specific file or data object in a given image or file system. The “icat” tool works by reading the file system metadata to locate the file or data object of interest and then reading the raw data associated with that object.

The contents of the file can then be displayed to the user or saved to disk. “icat” is commonly used in digital forensics and incident response to recover deleted or damaged files, or to retrieve specific data of interest for analysis.


TSK – ils

Digital Forensics with The Sleuth Kit - ils

In The Sleuth Kit (TSK), “ils” is a command line tool that provides information about the files and directories in a given image or file system. The “ils” command works by reading the file system metadata and generating a list of inode numbers, file names, and other information about each file. This information is then displayed to the user, making it easier to identify and analyze specific files of interest.

The “ils” tool is commonly used in digital forensics and incident response to quickly scan a large image or file system for specific files or patterns of interest.


File Carving PhotoRec

File Carving using CGSecurity - PhotoRec

PhotoRec is file data recovery software designed to recover lost files, including video, documents and archives, from hard disks and CD-ROMs, and lost pictures (hence the name Photo Recovery) from digital camera memory. PhotoRec ignores the file system and goes after the underlying data, so it will still work even if your media's file system has been severely damaged or reformatted.

Related Topic

Pagefile

Live Forensics: Pagefile

In this demo, we will explore different ways to perform live forensics and acquire artifacts that can aid the investigator even when acquiring a memory image of the system is not feasible.

We will be looking at a Windows source artifact called the Pagefile.


Comae Hibr2bin

Hibernation File Decompression using Comae Toolkit - Hibr2bin.exe

Hibr2bin.exe is a hibernation file decompression tool and is part of the Comae Toolkit by Comae, now part of Magnet Forensics.

What is a Hibernation File?

A hibernation file is a compressed copy of Random Access Memory (RAM). It is created when the system enters hibernation mode, and its size is equal to the size of the RAM installed in the system.

The hibernation file is stored as hiberfil.sys in the root folder of the drive where the operating system is installed. It holds a copy of system memory on the hard disk while the system is in hibernation mode.

To download the toolkit, sign up for Magnet Idea Lab; an email verification will be sent to the address provided.

Hibernation File

Live Forensics: Hibernation File

In this demo, we will explore different ways to perform live forensics and acquire artifacts that can aid the investigator even when acquiring a memory image of the system is not feasible.

We will be looking at a Windows source artifact that can even replace a full memory image of the system for analysis: the hibernation file.


BulkExtractor

Memory Analysis using Digital Corpora - BulkExtractor

BulkExtractor is a command-line tool that carves data such as URLs, email addresses, and PDF files.

Windows memory contains rich and valuable information that can serve as a source artifact for gathering evidence, and knowing how to parse that data helps the investigator carry out their tasks.


Volatility UserAssist

Memory Analysis using Volatility - UserAssist

Volatility is a tool used for the extraction of digital artifacts from volatile memory (RAM) samples. Volatility uses a set of plugins that extract these artifacts in a quick and time-efficient manner.

UserAssist is a Volatility plugin that prints UserAssist registry keys and related information.

From an incident response perspective, the volatile data residing in the system's memory contains rich information such as passwords, credentials, network connections, malware intrusions, registry hives, etc. that can be a valuable source of evidence and is not typically stored on the local hard disk. This is one of the investigator's favorite data sources for digital forensics, and knowing the right tool to dump memory is a must.

Related Blog Post:

https://www.eyehatemalwares.com/incident-response/blog-ir/phishing-ir-approach/