To mount a VirtualBox shared folder inside the SIFT VM, run:

sudo mount -t vboxsf shared_folder /mnt/shared_folder

where shared_folder is the name of the share you created in the VirtualBox settings.

Previously, to mount the disk image evidence.dd read-only to the folder /mnt/evidence you would run:

mkdir /mnt/evidence
mount -t ntfs -o ro,loop,show_sys_files evidence.dd /mnt/evidence

However, there is now the easier-to-use imageMounter.py script:

python imageMounter.py evidence.dd /mnt/evidence

You can optionally add the parameter -e if the evidence is in EnCase (E01) format, and -b to specify a BitLocker key.

SIFT has all the dependencies installed to create a "super timeline" using Plaso/Log2Timeline. For example, you can create a timeline in CSV format from an EnCase (E01) evidence file like so:

log2timeline processed.timeline disk.image
psort -z US/Pacific -o l2tcsv -w timeline_output.csv processed.timeline

The first command takes the disk image (disk.image) and creates a timeline-format file (processed.timeline). The second command then turns this timeline file into a readable CSV file that you can open in a tool such as Excel. You can also run log2timeline against mounted disks, or against individual files and folders. For more on running Log2Timeline, see here.

For memory images, first identify the memory profile with:

python vol.py -f win7_m imageinfo

Then run a Volatility command such as:

python vol.py -f win7_m --profile=Win7SP0x64 pslist

For more, refer to the Volatility cheat sheet and command reference.

You can also run Yara against a mounted image with a command such as:

yara <rules file> -r /mnt/mounted

Similarly, you may also want to run anti-virus scans. Run ClamAV against a mounted disk with:

clamscan -r /mnt/mounted

A short cheat sheet is available for SANS SIFT here. More complete documentation is available here.
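Once psort has written the l2tcsv file, the next step is usually to pivot on it rather than scroll through it in Excel. The following Python is an added example (not from the original post or from the Plaso project) that parses the 17-column l2tcsv layout, filters a time window, counts events per source, and lists file creations (the "B" in MACB) under temp directories; the sample rows are constructed for illustration, not real case data.

```python
import csv
import io
from collections import Counter
from datetime import datetime

# Constructed sample rows in psort's l2tcsv layout (17 columns); not real evidence.
SAMPLE_L2TCSV = """\
date,time,timezone,MACB,source,sourcetype,type,user,host,short,desc,version,filename,inode,notes,format,extra
03/14/2019,08:02:11,US/Pacific,...B,FILE,NTFS USN change,Creation Time,-,WS01,C:/Windows/Temp/svc.exe,USN_REASON_FILE_CREATE,2,TSK:/Windows/Temp/svc.exe,1234,-,usnjrnl,-
03/14/2019,08:02:15,US/Pacific,M...,LOG,Windows Event Log,Content Modification Time,-,WS01,EventID 4688,New process svc.exe,2,TSK:/Windows/System32/winevt/Logs/Security.evtx,88,-,winevtx,-
03/14/2019,09:30:00,US/Pacific,.A..,FILE,NTFS $MFT,Last Access Time,-,WS01,C:/Users/bob/notes.txt,-,2,TSK:/Users/bob/notes.txt,77,-,mft,-
03/15/2019,01:00:00,US/Pacific,...B,FILE,NTFS $MFT,Creation Time,-,WS01,C:/Users/bob/AppData/Local/Temp/x.dll,-,2,TSK:/Users/bob/AppData/Local/Temp/x.dll,90,-,mft,-
"""

# Paths where newly created binaries deserve a second look during triage.
TEMP_DIRS = ("/windows/temp/", "/appdata/local/temp/")


def parse_l2tcsv(text):
    """Parse l2tcsv text into dicts, adding a combined datetime under 'when'."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        stamp = row["date"] + " " + row["time"]          # l2tcsv uses MM/DD/YYYY and HH:MM:SS
        row["when"] = datetime.strptime(stamp, "%m/%d/%Y %H:%M:%S")
        rows.append(row)
    return rows


def events_between(rows, start_iso, end_iso):
    """Return the events whose timestamp falls inside [start, end] (ISO 8601 bounds)."""
    start, end = datetime.fromisoformat(start_iso), datetime.fromisoformat(end_iso)
    return [r for r in rows if start <= r["when"] <= end]


def source_counts(rows):
    """Count events per source column (FILE, LOG, REG, ...) to see what dominates."""
    return Counter(r["source"] for r in rows)


def births_in_temp_dirs(rows):
    """Files created ('B' in the MACB column) under temp directories, oldest first."""
    hits = [(r["when"], r["filename"]) for r in rows
            if "B" in r["MACB"] and any(d in r["filename"].lower() for d in TEMP_DIRS)]
    return sorted(hits)


if __name__ == "__main__":
    events = parse_l2tcsv(SAMPLE_L2TCSV)
    print(source_counts(events))
    for when, path in births_in_temp_dirs(events):
        print(when, path)
```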