In this page I'm summarizing a lot of stuff which is related to collection triage data.
Required tools
- sleuthkit https://www.sleuthkit.org/
- afflib-tools https://github.com/simsong/AFFLIBv3
Expected Result (sorted by priority)
- Bodyfile for all partitions
- Windows event logs
- Registry
- User hives
- User profiles
Mounting stuff
in Linux
If you have vmdk files, you first need to turn them to raw images (which is vvery slow) or you need to create a raw view onto them:
sudo affuse -o ro,allow_other /cases/sample/myserver.vmdk /mnt/aff/myserver/
| Option | Meaning |
|---|---|
-o ro | read-only |
-o allow_other | allow access to other users |
Next, to make things easy, we create loop devices for every partition:
$ sudo losetup --show -f -P /mnt/aff/myserver/myserver.vmdk.raw
/dev/loop2
this generates /dev/loop2p1 for partition 1, and so on. To see which partitions you have, use mmls.
| Option | Meaning |
|---|---|
--show | print device name after setup (with -f) |
-f | --find | find first unused device |
-P | --partscan | create a partitioned loop device |
Now, we could mount a partition. Keep in mind that you never, ever, omit the ro option!
$ sudo mount -o ro,show_sys_files,streams_interface=windows /dev/loop2p1 /mnt/myserver/C
| Option | Meaning |
|---|---|
-o ro | read-only |
-o show_sys_files | Show the metafiles in directory listings |
-o streams_interface=windows | enable access to streams using the Windows syntax (e.g. cat file:stream) |
in MacOS
Currently, I do not know any option to mount VMDK files in MacOS. However, one can convert images using qemu-img:
qemu-img convert -f vmdk -O raw myserver.vmdk myserver.vmdk.raw
Now, you can attach that raw image as a loop device:
sudo hdiutil attach -imagekey diskimage-class=CRawDiskImage -nomount -readonly myserver.vmdk.raw
Handling LVM partitions
Assume you now have a partition /dev/loop20p1 which contains a physical volume (pv). You can use kpartx to read the volume information and create the relevant device nodes:
sudo kpartx -r -a -v /dev/loop20p1
| Option | Meaning |
|---|---|
-r | read-only partition mappings |
-a | add partition mappings |
-v | operate verbosely |
Now, you can use pvs to display information about physical volumes. In my case, I had a physical volume named data_pv. Next, you need to activate the volumes you're going to work with:
sudo vgchange --activate y data_pv
This will create a lot of device nodes beneath /dev/data_pv, one for every logical volume in data_pv. You can now work with them.
I took a lot of information from https://countuponsecurity.com/tag/linux-lvm-forensics
Timeline
Filesystem timeline
To create a filesystem timeline, you need to know the following information:
- Which partition to triage?
- Which timezone has been configured on the system?
fls -r -m "C:/" -z CET /dev/loop2p1 >myserver_c.bodyfile
| Option | Meaning |
|---|---|
-r | Recurse on directory entries |
-m "C:/" | Display output in mactime input format with C:/ as the actual mount point of the image |
-z CET | Time zone of original machine (CET) (only useful with -l) |
Important Windows triage artifacts
| Artifact | Location |
|-|-|
|System Registry | %windir%\System32\config\SYSTEM %windir%\System32\config\SOFTWARE |
|Event Logs | %windir%\System32\winevt\Logs\*.evtx|
|User profile hives| C:\Users\*\NTUSER.DAT |
|User profiles|C:\Users\*|