
Part 1.3: Disk Analysis, Autopsy & Redline


Autopsy:

Autopsy gives you the option to acquire data either from a live system or from a disk image. After adding your data source, navigate to the location of the files you want to extract, then right-click and select the Extract File(s) option. It looks similar to the screenshot below.

How to start a digital forensics investigation with Autopsy

1. Download Autopsy

2. Download HxD

3. Download md5sum

4. Download dd.exe

5. Create a disk image of the target volume using dd.exe

PS C:\Users\ME\Desktop\Tool\tools source> .\dd.exe if=\\.\e: of=c:\users\me\desktop\cases\image.dd bs=1M --progress

6. Create a hash of the image using md5sum or Hasher

PS C:\Users\ME\Desktop\Tool\tools source> .\md5sums.exe c:\users\me\desktop\cases\image2.dd

Or

Use Hasher from Get-ZimmermanTools

f6a6fdc46f64d20ca80441b36aca86c4

7. Create the case folder (case_Num)

7.1 Create file.txt for case documentation; include the start timestamp, the case number, the path of image.dd and the case data directory (7.3)

7.2 Create a folder to hold image.dd

7.3 Create a folder named Autopsy

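The hashing and case-folder steps (6 and 7.1 to 7.3) can be scripted so that the documentation file is written in one go and the copy of the image placed in the case folder is re-hashed against the digest recorded at acquisition. The script below is an added example, not code from the original post; it is written in Python rather than the PowerShell used above, and the folder name images, the SHA-256 digest kept alongside the MD5, and the UTC timestamp format are this example's own choices. The demo() function runs it against a small constructed file, not a real disk image.

```python
"""Case-folder setup with image hash verification, covering steps 6 and 7 of the
procedure above. Added example, not code from the original post. The names
"images", "Autopsy" and "file.txt" follow steps 7.1-7.3; the md5+sha256 pairing
and the UTC timestamp are this example's own choices."""
import hashlib
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path

CHUNK = 1024 * 1024  # 1 MiB reads, so a multi-GB image never has to fit in memory


def hash_file(path, algorithm="md5"):
    """Hex digest of a file, streamed in chunks (same result as md5sum)."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def create_case(base_dir, case_num, image_src, acquired_md5):
    """Create the case folder (step 7), copy the image into it (7.2), create the
    Autopsy base directory (7.3) and write the case documentation (7.1).

    acquired_md5 is the digest recorded at acquisition time (step 6); the copy
    is re-hashed so the documentation records whether it still matches."""
    case_dir = Path(base_dir) / case_num
    image_dir = case_dir / "images"
    autopsy_dir = case_dir / "Autopsy"
    image_dir.mkdir(parents=True, exist_ok=False)  # refuse to reuse an existing case folder
    autopsy_dir.mkdir()

    image_dst = image_dir / Path(image_src).name
    shutil.copyfile(image_src, image_dst)

    md5 = hash_file(image_dst, "md5")
    sha256 = hash_file(image_dst, "sha256")  # second algorithm, since MD5 alone is collision-prone
    verified = md5 == acquired_md5.lower()

    started = datetime.now(timezone.utc).isoformat(timespec="seconds")
    (case_dir / "file.txt").write_text(
        f"Case number   : {case_num}\n"
        f"Start (UTC)   : {started}\n"
        f"Image         : {image_dst}\n"
        f"Case data dir : {autopsy_dir}\n"
        f"Acquired MD5  : {acquired_md5}\n"
        f"Verified MD5  : {md5}\n"
        f"SHA-256       : {sha256}\n"
        f"Integrity     : {'OK' if verified else 'MISMATCH - do not proceed'}\n"
    )
    return {"case_dir": case_dir, "image": image_dst, "md5": md5,
            "sha256": sha256, "verified": verified}


def demo():
    """Run create_case against a small constructed image (not a real disk) and
    return (verified_ok, verified_with_wrong_hash, doc_text)."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "image.dd"
        src.write_bytes(b"CONSTRUCTED SAMPLE IMAGE\x00" * 4096)  # constructed contents
        acquired = hashlib.md5(src.read_bytes()).hexdigest()  # digest taken at acquisition
        good = create_case(Path(tmp) / "cases", "case_0001", src, acquired)
        bad = create_case(Path(tmp) / "cases", "case_0002", src, "0" * 32)  # simulated altered copy
        doc = (good["case_dir"] / "file.txt").read_text()
        return good["verified"], bad["verified"], doc


if __name__ == "__main__":
    ok, mismatch, doc = demo()
    print(doc)
    print("good copy verified:", ok, "| wrong hash flagged:", not mismatch)
```

If the Integrity line reads MISMATCH, the copy in the case folder is not the image that was acquired and the case should not proceed on it; the same re-hash is worth repeating whenever the image is moved to another drive or workstation.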

8. Open Autopsy https://www.youtube.com/watch?v=fEqx0MeCCHg

8.1 New case: select the case name (as named in step 7)

8.2 Base Directory: Autopsy (7.3)

8.3 Select the host name (can be the image name)

8.4 Select Disk image (the dd image), or use Local disk for a local hard drive

8.5 Paste the hash value we calculated with md5sum

8.6 Configure Ingest: select which modules to include in the investigation (for example, we deselect the Android Analyzer)

8.7 To see all USB devices: Data Artifacts : USB

8.8 We can save the results as CSV and open them with Get-ZimmermanTools\TimelineExplorer

8.9 We can look for visited sites ...

8.10 From the Timeline tool we can view the timeline

8.11 Add tags by selecting a result, right-clicking, and choosing Add Result Tags

8.12 Generate a report

We can select what to include in the report: all results, or only what we tagged


Redline

Redline®, FireEye’s premier free endpoint security tool, provides host investigative capabilities to users to find signs of malicious activity through memory and file analysis and the development of a threat assessment profile. Use Redline to collect, analyze and filter endpoint data and perform IOC analysis and hit review. In addition, users of FireEye’s Endpoint Security (HX) can open triage collections directly in Redline for in-depth analysis, allowing the user to establish the timeline and scope of an incident.

How to Use Redline

1. Download Redline for your OS: https://fireeye.market/apps/211364

2. Install Redline

3. Create an empty folder

4. Open Redline

5. Create a Standard Collector

6. Select the target OS

7. Edit Your Script: here we choose what we need to collect and analyze

8. Choose where to save the collected data

9. We can copy the contents of the collector folder to a USB drive and run it on the target machine

10. Open the collected data folder and run RunRedlineAudit as administrator (it takes some time)

11. Close Redline

12. After RunRedlineAudit finishes, a new folder is created (Sessions)

13. Open the Sessions folder

14. Run AnalysisSession1
