Forensic tools and their usage – a collection of tools I have used or come across, and information on how to use them.
Memory dump
Winpmem (Windows)
avml (Linux)
Volatility
Analyse RAM dumps. Volatility 2.6 is no longer maintained, but it may still have plugins that do not exist for Volatility 3.
Can be run via Docker, which is perhaps the simplest way:
sudo docker run -v $PWD:/workspace sk4la/volatility3 -f /workspace/ramdump.raw windows.pslist
sudo docker run -v $PWD:/workspace sk4la/volatility -f /workspace/ramdump.raw --profile=Win10x64 pslist
Optimising for Linux (persistent symbol cache; the first run scans the dump and saves a config, later runs reuse it):
$ sudo docker volume create VOL_VOLUME_CACHE
$ sudo docker run -v $PWD:/w -v "VOL_VOLUME_CACHE:/home/unprivileged/.cache/volatility3/:rw" -w /w sk4la/volatility3 -f memorydump.lime -s dir/ --save-config config.json linux.pslist
$ sudo docker run -v $PWD:/w -v "VOL_VOLUME_CACHE:/home/unprivileged/.cache/volatility3/:rw" -w /w sk4la/volatility3 -f memorydump.lime -s dir/ --config config.json linux.pslist
Optimising for Windows (same idea, plus a persistent volume for the downloaded kernel symbols):
sudo docker volume create VOL_VOLUME_CACHE
sudo docker volume create VOL_VOLUME_SYMBOLS_WINDOWS
sudo docker run -v $PWD:/w -v "VOL_VOLUME_CACHE:/home/unprivileged/.cache/volatility3/:rw" -v "VOL_VOLUME_SYMBOLS_WINDOWS:/usr/local/lib/volatility3/volatility3/symbols/windows/ntkrnlmp.pdb/:rw" -w /w sk4la/volatility3 -f memorydump.lime --save-config config.json windows.pslist
sudo docker run -v $PWD:/w -v "VOL_VOLUME_CACHE:/home/unprivileged/.cache/volatility3/:rw" -v "VOL_VOLUME_SYMBOLS_WINDOWS:/usr/local/lib/volatility3/volatility3/symbols/windows/ntkrnlmp.pdb/:rw" -w /w sk4la/volatility3 -f memorydump.lime --config config.json windows.pslist
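As an added example (not from the page's author), a small POSIX shell wrapper for the Docker workflow above: it creates the named volumes once, mounts the Windows symbol volume only for Windows dumps, and uses --save-config on the first run of a dump and --config afterwards. The vol3_cmd function only prints the command so it can be checked without Docker; the image, volume names and mount paths are the ones used above, while the per-dump config file name is my own convention.

```shell
#!/bin/sh
# Wrapper around the sk4la/volatility3 image with a persistent symbol cache.
# Names and paths below are taken from the commands above.
VOL_IMAGE="sk4la/volatility3"
VOL_CACHE="VOL_VOLUME_CACHE"
VOL_SYMBOLS="VOL_VOLUME_SYMBOLS_WINDOWS"

# Print (do not run) the docker command for one dump and one plugin.
# Usage: vol3_cmd <linux|windows> <dump-file> <plugin> [linux-symbols-dir]
vol3_cmd() {
    os="$1"; dump="$2"; plugin="$3"; symdir="${4:-}"
    # One saved layer config per dump (own convention, not Volatility's)
    cfg="$dump.config.json"
    cmd="sudo docker run --rm -v \"$PWD:/w\""
    cmd="$cmd -v \"$VOL_CACHE:/home/unprivileged/.cache/volatility3/:rw\""
    if [ "$os" = "windows" ]; then
        cmd="$cmd -v \"$VOL_SYMBOLS:/usr/local/lib/volatility3/volatility3/symbols/windows/ntkrnlmp.pdb/:rw\""
    fi
    cmd="$cmd -w /w $VOL_IMAGE -f \"$dump\""
    # Linux dumps need the directory holding the kernel symbol (ISF) file
    if [ "$os" = "linux" ] && [ -n "$symdir" ]; then
        cmd="$cmd -s \"$symdir\""
    fi
    # First run scans the dump and saves the config; later runs reuse it
    if [ -f "$cfg" ]; then
        cmd="$cmd --config \"$cfg\""
    else
        cmd="$cmd --save-config \"$cfg\""
    fi
    printf '%s %s\n' "$cmd" "$plugin"
}

# Create the volumes (idempotent) and run the plugin against the dump.
vol3() {
    if [ ! -f "$2" ]; then
        echo "dump not found: $2" >&2
        return 1
    fi
    sudo docker volume create "$VOL_CACHE" >/dev/null
    if [ "$1" = "windows" ]; then
        sudo docker volume create "$VOL_SYMBOLS" >/dev/null
    fi
    eval "$(vol3_cmd "$@")"
}
```

Example: `vol3 linux memorydump.lime linux.pslist dir/` for the Linux case above, `vol3 windows memorydump.raw windows.pslist` for Windows.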
Usage of Volatility 2.6 locally:
| Command | Description |
|---|---|
| vol.py -h | Get help, list plugins |
| vol.py -f ramdump.raw imageinfo | Find the profile to use for the investigation |
| vol.py -f ramdump.raw --profile=Win7SP1x86 pslist | Specify the profile found by imageinfo and list processes |
| vol.py -f ramdump.raw --profile=Win7SP1x86 truecryptsummary | If you have the TrueCrypt plugins, this shows information about the use of TrueCrypt |
MemProcFS
Will mount a memory dump as a file system in Windows.
https://github.com/ufrisk/MemProcFS
Usage:
| Command | Description |
|---|---|
| memprocfs.exe -device memdump.raw | Mounts the memory dump as M: |
| memprocfs.exe -device memdump.raw -forensic 1 | Mounts the memory dump and starts forensic mode |
The Sleuth Kit
The Sleuth Kit is a forensic tool suite used to analyse file systems. Some examples of use:
| Tool | What |
|---|---|
| mmls | Lists the partition structure of a disk or image |
| fsstat | Shows file system information |
| fls | Lists files in a partition (forensic ls) |
| istat | Shows metadata for a file; needs the inode number |
| icat | Extracts a file by inode number |
| blkls | Extracts the unallocated space of a file system |
Smaller stand-alone tools
| Link | Description |
|---|---|
| TZWorks Forensic tools | Tools for Windows forensics |
| https://ericzimmerman.github.io/ | Windows tools from Eric Zimmerman |
| https://www.nirsoft.net | NirSoft, a large collection of freeware tools |
| https://github.com/getreu/stringsext | stringsext, a strings replacement with UTF support |
| https://github.com/tmbinc/bgrep | bgrep, a binary grep |
| https://getdataforensics.com/product/fex-imager/ | FEX Imager |
| https://github.com/Gadzhovski/TRACE-Forensic-Toolkit | TRACE Forensic Toolkit, a full suite, free and open source |
Live Forensics:
https://tclahr.github.io/uac-docs – Unix-like Artifacts Collector
Mac Forensics:
https://github.com/ydkhatri/mac_apt – Tools for automated analysis of macOS artefacts