Cheatsheet

Mounting DD Images

mount -t fstype [options] image mountpoint

image can be a disk partition (e.g. /dev/sdb1) or a raw dd image file

Useful Options

Option                      Description
ro                          mount read-only (never write to evidence)
loop                        mount an image file on a loop device
noexec                      do not allow execution of files from the mounted image
offset=<BYTES>              byte offset of the partition inside the image (start sector * sector size)
show_sys_files              show NTFS metafiles such as $MFT in directory listings (ntfs-3g)
streams_interface=windows   expose NTFS alternate data streams as file:stream (ntfs-3g)

Mounting E01 Images

mount_ewf.py image.E01 mountpoint
  1. mount_ewf.py image.E01 /mnt/ewf
  2. mount -o loop,ro,show_sys_files /mnt/ewf/<RAWFILE> /mnt/mount_location

Mounting Split Raw Images

affuse image.001 mountpoint
  1. affuse image.001 /mnt/aff
  2. mount -o loop,ro,show_sys_files /mnt/aff/image.001.raw /mnt/mount_location
     (affuse exposes the joined split image as <imagename>.raw under the FUSE mountpoint)

Creating Super Timelines

  1. Step 1 - Find Partition Starting Sector
     mmls image.dd
     calculate offset ##### = partition start sector * 512 (the sector size mmls reports)
  2. Step 2 - Mount image for processing
     mount -o ro,noexec,show_sys_files,loop,offset=##### image.dd /mnt/windows_mount
  3. Step 3 - Create Comprehensive Timeline
     log2timeline -p -r -f winxp -z CST6CDT /mnt/windows_mount -w timeline.csv
  4. Step 4 - Filter Timeline
     l2t_process -b timeline.csv -k keywords.txt MM-DD-YYYY..MM-DD-YYYY
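Steps 1 and 2 above, as an added example that is not part of the original cheatsheet: a POSIX shell helper that parses mmls output, multiplies the partition start sector by the sector size mmls actually reports (so 4096-byte-sector images are handled too), and builds the read-only noexec mount line. The mmls output embedded below is constructed, not from a real case; `partition_offset` and `mount_cmd` are names chosen here.

```shell
#!/bin/sh
# Constructed mmls output for a two-partition MBR disk (not a real case).
SAMPLE_MMLS='DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Primary Table (#0)
001:  -------   0000000000   0000002047   0000002048   Unallocated
002:  000:000   0000002048   0000206847   0000204800   NTFS / exFAT (0x07)
003:  000:001   0000206848   0020971519   0020764672   NTFS / exFAT (0x07)'

# partition_offset MMLS_OUTPUT ENTRY
# Prints the byte offset of mmls entry ENTRY (e.g. 003): start sector times
# the sector size taken from the "Units are in N-byte sectors" line.
# Exits 1 if the entry does not exist, so a typo cannot yield offset 0.
partition_offset() {
    printf '%s\n' "$1" | awk -v want="$2" '
        /^Units are in/ { sub(/-byte.*/, "", $4); secsz = $4 + 0 }
        $1 == (want ":") { print $3 * secsz; found = 1 }
        END { if (!found) exit 1 }'
}

# mount_cmd MMLS_OUTPUT ENTRY IMAGE MOUNTPOINT
# Prints (does not run) the mount line used in Step 2, with the computed
# offset and the read-only, noexec, loop options from the procedure.
mount_cmd() {
    off=$(partition_offset "$1" "$2") || return 1
    printf 'mount -o ro,noexec,show_sys_files,loop,offset=%s %s %s\n' \
        "$off" "$3" "$4"
}

# Demo on the constructed table; with a real image use:
#   mount_cmd "$(mmls image.dd)" 003 image.dd /mnt/windows_mount
mount_cmd "$SAMPLE_MMLS" 003 image.dd /mnt/windows_mount
```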

String Searches

ASCII string search and list the byte offset

srch_strings -t d imagefile.dd > imagefile.ascii.str

Unicode (UTF-16LE, -e l) string search and list the byte offset

srch_strings -e l -t d imagefile.dd > imagefile.uni.str

Search for a specific string using grep

GREP Useful Options

Option   Description
-i       ignore case
-f       dirty word list filename (one pattern per line)

grep -i password imagefile.ascii.str
grep -i -f dirty_words.txt imagefile.ascii.str

Note: with -f, every remaining argument is treated as a file to search, so a bare keyword cannot be combined with -f; use -e keyword -f list instead.

Memory Analysis

vol.py [plugin] -f [image] --profile=[PROFILE]

Supported Commands

Command    Description
connscan   Scan for connection objects
files      List open files per process
hibinfo    Convert hibernation file
procdump   Dump a process executable
pslist     List running processes
sockscan   Scan for socket objects

Profiles

Profile        Operating System
VistaSP0x86    Windows Vista SP0 x86
VistaSP1x86    Windows Vista SP1 x86
VistaSP2x86    Windows Vista SP2 x86
Win2K8SP1x86   Windows 2008 SP1 x86
Win2K8SP2x86   Windows 2008 SP2 x86
Win7SP0x86     Windows 7 SP0 x86
WinXPSP2x86    Windows XP SP2 x86
WinXPSP3x86    Windows XP SP3 x86

Recovering Deleted Registry Hives

deleted.pl <HIVEFILE>

deleted.pl /mnt/windows_mount/Windows/System32/config/SAM  > /cases/windowsforensics/SAM_DELETED.txt

Recovering Data

Create unallocated image (deleted data) using blkls
blkls imagefile.dd > unallocated_imagefile.blkls

Create slack image using blkls -s (formerly dls; for FAT and NTFS)
blkls -s imagefile.dd > imagefile.slack

Foremost - carves out files based on headers and footers
foremost -o outputdir -c /path/to/foremost.conf data_file.img

Sigfind - search for a binary value at a given offset within each block (-o); options come before the hex signature
sigfind -o <offset> <hexvalue> data_file.img

SleuthKit Tools

File System Layer Tools (Partition Information)

Data Layer Tools (Block or Cluster)

Tool Name   Description                                  Example
blkcat      Displays the contents of a disk block        blkcat imagefile.dd block_num
blkls       Lists contents of deleted disk blocks        blkls imagefile.dd > imagefile.blkls
blkcalc     Maps between dd images and blkls results     blkcalc imagefile.dd -u blkls_num
blkstat     Display allocation status of block           blkstat imagefile.dd cluster_number

MetaData Layer Tools (inode, MFT, or Directory Entry)

Tool Name   Description                                          Example
ils         Displays inode details                               ils imagefile.dd
istat       Displays information about a specific inode          istat imagefile.dd inode_num
icat        Displays contents of blocks allocated to an inode    icat imagefile.dd inode_num
ifind       Determine which inode contains a specific block      ifind imagefile.dd -d block_num

Filename Layer Tools

Tool Name   Description                                          Example
fls         Displays deleted file entries in a directory inode
ffind       Find the filename that uses the inode