
Part 1.3: Disk Analysis, Autopsy & Redline

Autopsy:

Autopsy can acquire data either from a live system or from a disk image. After adding your data source, navigate to the files you want to extract, right-click, and select Extract File(s). It will look similar to the screenshot below.

How to start digital forensics investigations with Autopsy

1. Download Autopsy

2. Download HxD

3. Download md5sum

4. Download dd.exe

5. Create a disk image using dd.exe

PS C:\Users\ME\Desktop\Tool\tools source> .\dd.exe if=\\.\e: of=c:\users\me\desktop\cases\image.dd bs=1M --progress

6. Create a hash for the image using md5sum or Hasher

PS C:\Users\ME\Desktop\Tool\tools source> .\md5sums.exe c:\users\me\desktop\cases\image2.dd

Or use Hasher from Get-ZimmermanTools.

f6a6fdc46f64d20ca80441b36aca86c4

7. Create a case folder (case_Num)

7.1 Create file.txt for case documentation, including the start timestamp, the case number, the path of image.dd, and the case data directory (7.3)

7.2 Create a folder to hold image.dd

7.3 Create a folder named Autopsy

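Steps 5 to 7 can be scripted so that the hash recorded in file.txt is the one later pasted into Autopsy. The following PowerShell is an added example, not part of the original post: it builds the step-7 folder layout, uses the built-in Get-FileHash cmdlet in place of md5sums.exe/Hasher, writes the documentation file, and re-verifies the image copy against the recorded hash. The case number and paths are assumptions.

```powershell
# Added example, not part of the original post. Assumes the image from step 5 already
# exists at $ImagePath and that Get-FileHash (built-in) stands in for md5sums.exe/Hasher.
param(
    [string]$CaseNumber = 'case_001',                           # assumed case number
    [string]$ImagePath  = 'C:\Users\ME\Desktop\cases\image.dd', # output of the dd step
    [string]$CaseRoot   = 'C:\Users\ME\Desktop\cases'           # assumed case root
)

# Step 7 layout: case folder, a folder for image.dd (7.2), and the Autopsy base directory (7.3)
$caseDir    = Join-Path $CaseRoot $CaseNumber
$imageDir   = Join-Path $caseDir 'image'
$autopsyDir = Join-Path $caseDir 'Autopsy'
$notes      = Join-Path $caseDir 'file.txt'                    # 7.1 case documentation
New-Item -ItemType Directory -Path $imageDir, $autopsyDir -Force | Out-Null

# Step 6: hash the original image, then copy it into the case folder and hash the copy.
# A matching MD5 proves the copy is bit-for-bit identical; SHA-256 is recorded as well
# because MD5 alone is no longer collision resistant.
$md5Source = (Get-FileHash -Path $ImagePath -Algorithm MD5).Hash.ToLower()
$sha256    = (Get-FileHash -Path $ImagePath -Algorithm SHA256).Hash.ToLower()
$imageCopy = Join-Path $imageDir (Split-Path $ImagePath -Leaf)
Copy-Item -Path $ImagePath -Destination $imageCopy
$md5Copy   = (Get-FileHash -Path $imageCopy -Algorithm MD5).Hash.ToLower()
if ($md5Copy -ne $md5Source) {
    throw "Copy does not match source image: $md5Source vs $md5Copy"
}

# 7.1: documentation with start timestamp, case number, image path and case data directory
@"
Case number   : $CaseNumber
Start time    : $(Get-Date -Format 'yyyy-MM-dd HH:mm:ss K')
Image path    : $imageCopy
Autopsy dir   : $autopsyDir
MD5           : $md5Copy
SHA256        : $sha256
"@ | Set-Content -Path $notes -Encoding UTF8

# Re-verification (run again later, e.g. before step 8.5): recompute the MD5 and compare
# it with the value recorded in file.txt rather than trusting the file name.
$recorded = (Select-String -Path $notes -Pattern '^MD5\s*:\s*([0-9a-f]{32})').Matches[0].Groups[1].Value
$current  = (Get-FileHash -Path $imageCopy -Algorithm MD5).Hash.ToLower()
if ($current -eq $recorded) {
    Write-Output "Image integrity verified, MD5 $current (paste this into Autopsy at 8.5)"
} else {
    Write-Error "HASH MISMATCH: recorded $recorded, current $current"
}
```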

8. Open Autopsy (see https://www.youtube.com/watch?v=fEqx0MeCCHg)

8.1 New case: select the case name (as named in step 7)

8.2 Base Directory: Autopsy (7.3)

8.3 Select a host name (can be the image name)

8.4 Disk image (dd image), or use Local Disk for a local hard drive

8.5 Paste the hash value we calculated with md5

8.6 Configure Ingest: select which modules to include in the investigation; we deselect the Android Analyzer, for example

8.7 To see all USB devices: Data Artifacts: USB

8.8 We can save as CSV and open it with Get-ZimmermanTools\TimelineExplorer

 

8.9 We can look for visited sites…

8.10 From the tool we can see the timeline

8.11 Add tags by selecting a result, right-clicking, and choosing Add Result Tags

8.12 Generate a report

We can select what to include in the report: all results, or only what we tagged.

Redline

Redline®, FireEye’s premier free endpoint security tool, provides host investigative capabilities to users to find signs of malicious activity through memory and file analysis and the development of a threat assessment profile. Use Redline to collect, analyze and filter endpoint data and perform IOC analysis and hit review. In addition, users of FireEye’s Endpoint Security (HX) can open triage collections directly in Redline for in-depth analysis, allowing the user to establish the timeline and scope of an incident.

 

How to Use Redline

 

1. Download Redline for your OS: https://fireeye.market/apps/211364

2. Install Redline

3. Create an empty folder

4. Open Redline

5. Create a Standard Collector

6. Select the target OS

7. Edit Your Script: from here we choose what we need to collect and analyze

8. Choose where to save the collected data

9. We can copy the contents of the folder that contains the collected data to a USB drive and run it on the target machine

10. Open the collected data folder and run RunRedlineAudit as administrator (it takes some time)

11. Close Redline

12. After RunRedlineAudit finishes, a new folder (Sessions) is created

13. Open the Sessions folder

14. Run AnalysisSession1

 

 

 
