Sift Cheatsheet PDF
SIFT Workstation Cheat Sheet v3.0
SANS DFIR
http://computer-forensics.sans.org
http://blogs.sans.org/computer-forensics

Purpose
DFIR Forensic Analysts are on the front lines of computer investigations. This guide aims to support Forensic Analysts in their quest to uncover the truth.

How To Use This Sheet
When performing an investigation it is helpful to be reminded of the powerful options available to the investigator. This document is aimed to be a reference to the tools that could be used. Each of these commands runs locally on a system.

This sheet is split into these sections:
  Mounting Images
  Shadow Timeline Creation
  Mounting Volume Shadow Copies
  Memory Analysis
  Recovering Data
  Creating Super Timelines
  String Searches
  The Sleuthkit
  Stream Extraction

TIME TO GO HUNTING

Mounting DD Images
mount -t fstype [options] image mountpoint
image can be a disk partition or dd image file

[Useful Options]
  ro                          mount as read only
  loop                        mount on a loop device
  noexec                      do not execute files
  offset=<BYTES>              logical drive mount
  show_sys_files              show ntfs metafiles
  streams_interface=windows   use ADS

Example: Mount an image file at mount_location
# mount -o loop,ro,show_sys_files,streams_interface=windows imagefile.dd /mnt/windows_mount

The Sleuthkit

File System Layer Tools (Partition Information)
fsstat - Displays details about the file system
# fsstat imagefile.dd

Data Layer Tools (Block or Cluster)
blkcat - Displays the contents of a disk block
# blkcat imagefile.dd block_num
blkls - Lists contents of deleted disk blocks
# blkls imagefile.dd > imagefile.blkls
blkcalc - Maps between dd images and blkls results
# blkcalc imagefile.dd -u blkls_num
blkstat - Displays allocation status of a block
# blkstat imagefile.dd cluster_number

MetaData Layer Tools (Inode, MFT, or Directory Entry)
ils - Displays inode details
# ils imagefile.dd
istat - Displays information about a specific inode
# istat imagefile.dd inode_num
icat - Displays contents of blocks allocated to an inode
# icat imagefile.dd inode_num
ifind - Determines which inode contains a specific block
# ifind imagefile.dd -d block_num

Filename Layer Tools
fls - Displays deleted file entries in a directory inode
# fls -rpd imagefile.dd
ffind - Finds the filename that is using the inode
# ffind imagefile.dd inode_num

Memory Analysis
vol.py command -f /path/to/windows_xp_memory.img --profile=WinXPSP3x86

[Supported commands]
  connscan    Scan for connection objects
  files       List of open files per process
  imagecopy   Convert hibernation file
  procdump    Dump process
  pslist      List of running processes
  sockscan    Scan for socket objects

Creating Super Timelines
# log2timeline -r -p -z <system-timezone> -f <type-input> /mnt/windows_mount -w timeline.csv

[Useful Options]
  -f <TYPE-INPUT>        input format
  -o <TYPE-OUTPUT>       output format: default csv file
  -w <FILE>              append to log file
  -z <SYSTEM TIMEZONE>   timezone of the examined system
  -Z <OUTPUT TIMEZONE>   timezone used for the output
  -r                     recursive mode
  -p                     preprocessors

# mount -o loop,ro,show_sys_files,streams_interface=windows imagefile.dd /mnt/windows_mount
# log2timeline -z EST5EDT -p -r -f win7 /mnt/windows_mount -w /cases/bodyfile.txt
# l2t_process -b /cases/bodyfile.txt -w whitelist.txt 04-02-2012 > timeline.csv

Registry Parsing - Regripper
# rip.pl -r <HIVEFILE> -f <HIVETYPE>

[Useful Options]
  -r <HIVEFILE>    Registry hive file to parse
  -f <HIVETYPE>    Use <HIVETYPE> (e.g. sam, security, software, system, ntuser)
  -l               List all plugins

# rip.pl -r /mnt/windows_mount/Windows/System32/config/SAM -f sam > /cases/windowsforensics/SAM.txt

Recover Deleted Registry Keys
# deleted.pl <HIVEFILE>
# deleted.pl /mnt/windows_mount/Windows/System32/config/SAM > /cases/windowsforensics/SAM_DELETED.txt

Mounting Volume Shadow Copies / Shadow Timeline Creation
Step 1  Attach Local or Remote System Drive
# ewfmount system-name.E01 /mnt/ewf
Step 2  Mount VSS Volume
# cd /mnt/ewf
# vshadowmount ewf1 /mnt/vss
Step 3  Run fls across the ewf1 mounted image
# cd /mnt/ewf
# fls -r -m C: ewf1 >> /cases/vss-bodyfile
Step 4  Run fls Across All Snapshot Images
# cd /mnt/vss
# for i in vss*; do fls -r -m C: $i >> /cases/vss-bodyfile; done
Step 5  De-Duplicate Bodyfile using sort and uniq
# sort /cases/vss-bodyfile | uniq > /cases/vss-dedupe-bodyfile
Step 6  Run mactime Against De-Duplicated Bodyfile
# mactime -d -b /cases/vss-dedupe-bodyfile -z EST5EDT MM-DD-YYYY..MM-DD-YYYY > /cases/vss-timeline.csv

MANDIANT Forensic Analysis Cheat Sheet
[email protected]
703.683.3141
http://www.mandiant.org
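As an added example that is not part of the SANS sheet, the following Python stands in for Steps 5 and 6 of the shadow timeline procedure: it de-duplicates a bodyfile exactly as `sort | uniq` does and renders the survivors the way `mactime -d -b ... -z <tz> MM-DD-YYYY..MM-DD-YYYY` would, so you can see why a file that changed between snapshots keeps one row per version while unchanged copies collapse to one. The bodyfile lines, the fixed EDT offset (standing in for -z EST5EDT) and the date window are all constructed.

```python
from datetime import datetime, timedelta, timezone, tzinfo

# Constructed bodyfile, as `fls -r -m C:` would append it to /cases/vss-bodyfile from the
# live volume (ewf1) and two shadow copies. TSK bodyfile format:
# MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime (timestamps are epoch UTC).
SAMPLE_BODYFILE = """\
0|C:/Windows/System32/config/SAM|1234-128-1|r/rrwxrwxrwx|0|0|262144|1333310400|1333310400|1333310400|1300000000
0|C:/Users/bob/Documents/plan.docx|5678-128-1|r/rrwxrwxrwx|0|0|24576|1333500000|1333500000|1333500000|1333400000
0|C:/Windows/System32/config/SAM|1234-128-1|r/rrwxrwxrwx|0|0|262144|1333310400|1333310400|1333310400|1300000000
0|C:/Users/bob/Documents/plan.docx|5678-128-1|r/rrwxrwxrwx|0|0|20480|1333400000|1333400000|1333400000|1333400000
0|C:/Windows/System32/config/SAM|1234-128-1|r/rrwxrwxrwx|0|0|262144|1333310400|1333310400|1333310400|1300000000
0|C:/Users/bob/Documents/plan.docx|5678-128-1|r/rrwxrwxrwx|0|0|20480|1333400000|1333400000|1333400000|1333400000
"""

# Constructed stand-in for `-z EST5EDT`: a fixed UTC-4 offset (on SIFT, use the real zone).
EDT = timezone(timedelta(hours=-4), "EDT")


def dedupe_bodyfile(text: str) -> list[str]:
    """Step 5: same result as `sort | uniq`. Only byte-identical lines collapse, so a file
    whose size or timestamps changed between snapshots keeps one line per version."""
    return sorted({line for line in text.splitlines() if line.strip()})


def mactime(lines: list[str], tz: tzinfo, start: str, end: str) -> list[tuple]:
    """Step 6: mactime -d -b <bodyfile> -z <tz> MM-DD-YYYY..MM-DD-YYYY.
    Returns rows of (local time, size, macb flags, mode, uid, gid, meta, name)."""
    lo = datetime.strptime(start, "%m-%d-%Y").date()
    hi = datetime.strptime(end, "%m-%d-%Y").date()
    rows = []
    for line in lines:
        _md5, name, meta, mode, uid, gid, size, atime, mtime, ctime, crtime = line.split("|")
        # Group the four timestamps by value so one row carries every flag set at that instant.
        by_time: dict[int, set[str]] = {}
        for flag, value in zip("macb", (mtime, atime, ctime, crtime)):
            by_time.setdefault(int(value), set()).add(flag)
        for epoch, flags in by_time.items():
            local = datetime.fromtimestamp(epoch, timezone.utc).astimezone(tz)
            if not (lo <= local.date() <= hi):
                continue  # outside the requested window, like mactime's date range
            macb = "".join(f if f in flags else "." for f in "macb")
            rows.append((local.strftime("%Y-%m-%d %H:%M:%S"), int(size), macb, mode, uid, gid, meta, name))
    return sorted(rows, key=lambda r: (r[0], r[7], r[2]))


if __name__ == "__main__":
    for row in mactime(dedupe_bodyfile(SAMPLE_BODYFILE), EDT, "04-02-2012", "04-03-2012"):
        print(",".join(map(str, row)))
```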