
Forensic

Create a forensic USB key

Make sure libelf is installed on your system; it is required to build the LiME kernel module:

sudo apt install libelf-dev

The following commands assume your USB key is mounted on /mnt/usb.

cd /mnt/usb/
mkdir forensic_dump_tools
cd forensic_dump_tools
git clone https://github.com/halpomeranz/lmg.git .
git clone https://github.com/504ensicsLabs/LiME.git lime
cd lime/src
patch < ../../lime-Makefile.patch
cd -
tar xf static-dwarfdump.tgz
git clone https://github.com/volatilityfoundation/volatility.git

Your forensic key is now ready. If you have problems or need more detail, read /mnt/usb/forensic_dump_tools/INSTALL, which documents the whole installation. Note that the volatility repository cloned above is Volatility 2, which runs on Python 2; the profiles lmg generates are for that version, not for Volatility 3.

Memory dump creation

Windows

Download DumpIt, copy it to a USB key, plug the key into the victim computer and run DumpIt.exe with administrator rights. DumpIt writes the memory image next to the executable, so the key must have at least as much free space as the machine has RAM.

dumpit.exe

Linux

If the USB key was mounted automatically, make sure it is mounted with exec permission; automounted removable media are often mounted noexec, which prevents lmg from running. Replace /dev/sdb1 with your key's device:

sudo mount -o remount,exec /dev/sdb1 

If the USB key was not mounted automatically, mount it yourself with exec permission:

sudo mount -o exec /dev/sdb1 /mnt/usb

Create the memory dump with lmg (-y answers yes to all of its prompts, including building the Volatility profile). lmg compiles the LiME module for the running kernel on the target when no cached module for that kernel exists on the key, so the target needs kernel headers and a compiler:

sudo /mnt/usb/forensic_dump_tools/lmg -y

Archive and encrypt the capture directory with 7-Zip (lmg names it after the target's hostname and the capture date):

sudo apt install p7zip-full p7zip-rar
7za a -tzip -p<password> -mem=AES256 zipname.zip /mnt/usb/forensic_dump_tools/capture/<hostname-date>/*

Note that the zip format encrypts file contents but not file names; 7-Zip's own 7z format with header encryption hides both.
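Before the archive leaves the USB key, a practitioner wants a hash manifest of the capture and an archive whose file names are encrypted too. The script below is an added example, not code from the page or from LMG: it assumes the capture/<hostname-date> layout lmg produces and 7za from p7zip-full, builds a constructed capture directory for its self-test, and uses -t7z with -mhe=on rather than the -tzip form above so the archive headers are encrypted as well.

```shell
#!/bin/sh
# Added example, not code from the page or from LMG. Helpers to hash a capture
# directory before it leaves the USB key and to encrypt it with 7-Zip.
# Assumes the capture lives under /mnt/usb/forensic_dump_tools/capture/<hostname-date>
# as lmg writes it; the self-test below builds a constructed directory instead.

# SHA-256 of one file, using whichever hashing tool the live system provides.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | cut -d' ' -f1
    else
        openssl dgst -sha256 "$1" | awk '{ print $NF }'
    fi
}

# Write SHA256SUMS inside the capture directory, one "hash  relative/path" line
# per regular file, sorted so two runs over identical data produce identical
# manifests. Run this before compressing so the hashes travel with the evidence.
write_manifest() {
    dir=$1
    rm -f "$dir/SHA256SUMS"
    ( cd "$dir" && find . -type f ! -name SHA256SUMS | LC_ALL=C sort |
        while IFS= read -r f; do
            printf '%s  %s\n' "$(sha256_of "$f")" "${f#./}"
        done ) > "$dir/SHA256SUMS"
}

# Recompute every hash listed in SHA256SUMS. Returns 0 only if every listed file
# is present and unchanged; mismatches are reported on stderr.
verify_manifest() {
    dir=$1
    status=0
    while IFS= read -r line; do
        want=${line%%  *}
        path=${line#*  }
        if [ ! -f "$dir/$path" ] || [ "$(sha256_of "$dir/$path")" != "$want" ]; then
            echo "MISMATCH: $path" >&2
            status=1
        fi
    done < "$dir/SHA256SUMS"
    return $status
}

# Encrypt the capture directory. -t7z with -mhe=on encrypts the archive headers,
# so file names are hidden as well (the -tzip form leaves them readable). -p with
# no value makes 7za prompt for the password instead of taking it from the
# command line, where it would land in shell history and ps output.
encrypt_capture() {
    dir=$1; out=$2
    command -v 7za >/dev/null 2>&1 || { echo "7za not found; apt install p7zip-full" >&2; return 2; }
    7za a -t7z -mhe=on -p "$out" "$dir"
}

# Self-test on a constructed capture: the manifest verifies, then fails after
# the image is tampered with. Returns 0 when both outcomes are as expected.
self_test() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/cap"
    printf 'constructed memory image bytes\n' > "$tmp/cap/host-2024-01-01.lime"
    write_manifest "$tmp/cap"
    verify_manifest "$tmp/cap" || { rm -rf "$tmp"; return 1; }
    printf 'x' >> "$tmp/cap/host-2024-01-01.lime"
    if verify_manifest "$tmp/cap" 2>/dev/null; then rm -rf "$tmp"; return 1; fi
    rm -rf "$tmp"
    return 0
}

# Usage on a real capture:
#   write_manifest /mnt/usb/forensic_dump_tools/capture/<hostname-date>
#   encrypt_capture /mnt/usb/forensic_dump_tools/capture/<hostname-date> capture.7z
```

Run write_manifest on the capture directory as soon as lmg finishes, encrypt_capture to produce the archive, and verify_manifest again after the archive has been unpacked on the analysis machine, so any corruption in transit shows up before analysis starts.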

VirtualBox

How to get the MFT

With icat and analyzeMFT

From the disk image, use mmls (The Sleuth Kit) to display the partition layout of the volume system. Reading an E01 image directly requires a TSK build with libewf support; otherwise convert or mount the image as raw first.

mmls image.E01
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Primary Table (#0)
001:  -------   0000000000   0000000062   0000000063   Unallocated
002:  000:000   0000000063   0035551844   0035551782   NTFS / exFAT (0x07)
003:  -------   0035551845   0035567909   0000016065   Unallocated

Next, use icat to extract the $MFT. The -o option takes the start sector of the NTFS partition as printed by mmls (63 here), and inode 0 is $MFT on NTFS:

icat -o 63 image.E01 0 > mft.raw

Then parse the extracted file with analyzeMFT.py, which can write CSV, bodyfile and other output formats; here a CSV:

analyzeMFT.py -f mft.raw -o mftanalyzed.csv
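The two numbers the icat step depends on (the sector size and the NTFS start sector) can be read out of mmls output mechanically, and the extracted $MFT can be checked before it is handed to analyzeMFT.py. The script below is an added example, not code from the page or from The Sleuth Kit; the embedded mmls output is the sample shown above, and the function and file names (extract_mfts, mft_<start>.raw) are this script's own.

```shell
#!/bin/sh
# Added example, not code from the page or from The Sleuth Kit. Pulls the
# numbers the icat step needs out of mmls output and sanity-checks the
# extracted $MFT. Tool names (mmls, icat) are TSK's; everything else is this
# script's own.

# Constructed sample: the mmls output reproduced from this page, embedded so
# the parsing functions can be exercised without a disk image.
SAMPLE_MMLS='DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Primary Table (#0)
001:  -------   0000000000   0000000062   0000000063   Unallocated
002:  000:000   0000000063   0035551844   0035551782   NTFS / exFAT (0x07)
003:  -------   0035551845   0035567909   0000016065   Unallocated'

# Sector size mmls used, taken from the "Units are in N-byte sectors" line.
sector_size() {
    printf '%s\n' "$1" | awk '/^Units are in [0-9]+-byte sectors/ { sub(/-byte.*/, "", $4); print $4 }'
}

# Start sector of every partition whose description mentions NTFS. Partition
# rows look like "002:  000:000  0000000063 ...": field 1 is the row index,
# field 3 the zero-padded start sector; adding 0 strips the padding.
ntfs_start_sectors() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+:$/ && /NTFS/ { print $3 + 0 }'
}

# Byte offset of a partition, for tools that want bytes rather than sectors
# (losetup -o, mount -o offset=). icat itself takes sectors via -o.
byte_offset() {
    echo $(( $1 * $2 ))
}

# Every MFT record is 1024 bytes and begins with the ASCII signature "FILE"
# ("BAAD" marks a record NTFS itself flagged as damaged). Returns 0 if the
# first record of the extracted file carries the signature.
check_mft_magic() {
    [ "$(dd if="$1" bs=4 count=1 2>/dev/null)" = "FILE" ]
}

# Number of 1024-byte records in the extracted $MFT; fails if the size is not
# a whole number of records, which means icat stopped early or got the wrong offset.
mft_record_count() {
    size=$(wc -c < "$1")
    [ $((size % 1024)) -eq 0 ] || { echo "size $size is not a multiple of 1024" >&2; return 1; }
    echo $((size / 1024))
}

# Extract $MFT (inode 0 on NTFS) for every NTFS partition mmls finds, then
# check the result. Needs mmls and icat on PATH; E01 input needs TSK built
# with libewf support.
extract_mfts() {
    image=$1; outprefix=$2
    command -v mmls >/dev/null 2>&1 && command -v icat >/dev/null 2>&1 ||
        { echo "mmls/icat not found (install sleuthkit)" >&2; return 2; }
    layout=$(mmls "$image") || return 1
    for start in $(ntfs_start_sectors "$layout"); do
        out="${outprefix}_${start}.raw"
        icat -o "$start" "$image" 0 > "$out" || return 1
        check_mft_magic "$out" || { echo "$out: no FILE signature, wrong offset?" >&2; return 1; }
        echo "$out: $(mft_record_count "$out") records"
    done
}

# Usage on a real image:  extract_mfts image.E01 mft   -> writes mft_63.raw
```

The FILE-signature and record-count checks catch the two usual mistakes with this step, a wrong -o offset (the output starts with boot-sector or random bytes instead of "FILE") and a truncated extraction, before time is spent parsing a bad file.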