Tutorial

Let’s get started!

For this tutorial we are going to use a well known case file from NIST. We assume Linux is used; on other operating systems most steps are the same, but details may differ. First of all, we install Python and create a venv:

$ python3 -m venv dissect

Note

Learn how to install Dissect

Now activate the virtual environment to get some work done:

$ source dissect/bin/activate

Let’s download the case files. At the time of writing they are hosted at nist.gov. On Linux:

$ for i in {1..8}; do curl https://cfreds-archive.nist.gov/images/hacking-dd/SCHARDT.00$i -o SCHARDT.00$i; done

You can also download them manually of course.

Basic operations

Now, we are going to do some basic operations on this image. If you like, you can merge them together first, although this is not strictly necessary:

$ for i in SCHARDT.00*; do cat "$i" >> SCHARDT.img; done

Note

If you don’t want to merge the files, simply feed the first file to Dissect, for instance the one with the E01 or the 000 extension.

Basic image info

To get a brief summary of the forensic image, we use target-info like this:

$ target-info SCHARDT.img

The result will be something like this:

Disks
- <Disk type="RawContainer" size="4871301120">

Volumes
- <Volume name="part_00007e00" size="4869333504" fs="NtfsFilesystem">

Hostname       : N-1A9ODN6ZXK4LQ
Domain         : None
Ips            : 192.168.1.111
Os family      : windows
Os version     : Microsoft Windows XP (NT 5.1) 2600
Architecture   : x86_32-win32
Language       :
Timezone       : America/Chicago
Install date   : 2004-08-19 22:48:27+00:00
Last activity  : 2004-08-27 15:46:33.820240+00:00

Find user accounts

To get the list of user accounts on this machine we use two tools: target-query and rdump. target-query, as the name suggests, lets you query the image and outputs records by default. rdump is used to process, filter and format the query results. Here we only select the name of the user:

$ target-query SCHARDT.img -f users | rdump -F name -C

With -f we select the function (technically a plugin) we want to use, in this case users. Then we pipe the result to rdump. With -F we can select specific fields, in this case only the field name. With -C we tell rdump to output the result in CSV format.

The output is:

name
systemprofile
LocalService
NetworkService
Mr. Evil

Finding available plugins

To see what else we can query in this image, use the -l option:

$ target-query SCHARDT.img -l -q

We add -q to suppress warnings from plugins telling us they are not compatible with this forensic image.

You now see a list of plugins that you can use with the -f option. Try a couple of them.

Search specific files

If we want to query for suspicious programs that might have been installed on this machine, one option is to search for all files with an .exe extension and then try to identify a malicious one. To this end, our first step is to use the walkfs plugin, which yields all files in the image:

$ target-query SCHARDT.img -f walkfs

<filesystem/entry path='\sysvol\...\Local Settings' size=0 ...>
<filesystem/entry path='\sysvol\...\desktop.ini' size=62.0 ...>

This command returns a huge list of files. Our next step is to narrow this list down to only files ending with .exe. To accomplish this, we will again use rdump, the same filtering tool mentioned two examples above, and apply a Python expression for filtering:

$ target-query SCHARDT.img -f walkfs | rdump -s "r.path.suffix=='.exe'"

<filesystem/entry path='\sysvol\...\winfo.exe' size=811.0 ...>
<filesystem/entry path='\sysvol\...\pwdump.exe' size=1162.0 ...>

Here we use the -s option for rdump to filter on a particular file extension. The expression r.path.suffix=='.exe' is a snippet of Python that examines the suffix of each path and only includes the ones ending with .exe.

Hint

You can use any Python expression you like!

While this list is much better, we can still improve the formatting. We use the -F option of rdump to select the columns:

$ target-query SCHARDT.img -f walkfs | rdump -s "r.path.suffix=='.exe'" -F path,ctime,mtime,size

This reduces the number of characters per line significantly. However, because of the record representation it is still hard to read (hence no output example is shown). To make it even more readable, we add the -C option, which converts the output to comma separated format:

$ target-query SCHARDT.img -f walkfs | rdump -s "r.path.suffix=='.exe'" -F path,ctime,mtime,size -C

\sysvol\winfo.exe,2004-08-19 22:25:09.860123+00:00,2004-08-19 23:05:15.852375+00:00,41.6 KB
\sysvol\pwdump.exe,2004-08-19 22:25:09.860123+00:00,2004-08-19 23:05:15.852375+00:00,41.6 KB
\sysvol\...\LookAtLan.exe,2004-08-19 22:25:09.860123+00:00,2004-08-19 23:05:15.852375+00:00,41.6 KB

This already looks much more compact and searchable. Finally, we can put the resulting table in a spreadsheet for further investigation. We accomplish this by simply adding > db.csv:

$ target-query SCHARDT.img -f walkfs | rdump -s "r.path.suffix=='.exe'" -F path,ctime,mtime,size -C > db.csv

You can now open the db.csv file in your favourite spreadsheet program and search for well known malicious executables.
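The three rdump steps used above (the -s selector in the walkfs pipeline, the -F field selection, and the -C CSV output, which the users query also relied on) are small enough to be illustrated in plain Python. The following is an added example written for this tutorial, not Dissect's or flow.record's own code: it re-implements the mechanics of those three options over a handful of constructed filesystem/entry records (the Entry class, RECORDS, and the timestamps and sizes are made up for the example). rdump really does evaluate the -s argument as a Python expression with the record bound to r, which is why the selector is compiled and evaluated here the same way. The example also shows one caveat worth knowing: NTFS file names are case-insensitive, but Python string comparison is not, so r.path.suffix=='.exe' silently skips a file named CMD.EXE; comparing r.path.suffix.lower() catches both spellings.

```python
"""Mini re-implementation of the rdump -s / -F / -C steps (added example)."""
import csv
import io
from dataclasses import dataclass
from datetime import datetime, timezone
from pathlib import PureWindowsPath


@dataclass
class Entry:
    """Stand-in for a filesystem/entry record (constructed for this example)."""
    path: PureWindowsPath
    ctime: datetime
    mtime: datetime
    size: int


# Constructed sample records; only their shape mirrors the walkfs output above.
T0 = datetime(2004, 8, 19, 22, 25, 9, tzinfo=timezone.utc)
T1 = datetime(2004, 8, 19, 23, 5, 15, tzinfo=timezone.utc)
RECORDS = [
    Entry(PureWindowsPath(r"\sysvol\winfo.exe"), T0, T1, 42600),
    Entry(PureWindowsPath(r"\sysvol\pwdump.exe"), T0, T1, 42600),
    Entry(PureWindowsPath(r"\sysvol\Program Files\Look@LAN\LookAtLan.exe"), T0, T1, 42600),
    # Upper-case extension: valid on NTFS, missed by a case-sensitive selector.
    Entry(PureWindowsPath(r"\sysvol\WINDOWS\system32\CMD.EXE"), T0, T1, 388608),
    Entry(PureWindowsPath(r"\sysvol\Documents and Settings\desktop.ini"), T0, T1, 62),
]


def select(records, expression):
    """Like ``rdump -s``: keep the records for which the Python expression is truthy.

    The expression only sees the current record as ``r`` (no builtins), which is
    enough for attribute access and comparisons such as r.path.suffix == '.exe'.
    """
    code = compile(expression, "<selector>", "eval")
    return [r for r in records if eval(code, {"__builtins__": {}}, {"r": r})]


def fields(records, names):
    """Like ``rdump -F``: reduce each record to the named fields, in that order."""
    return [{n: getattr(r, n) for n in names} for r in records]


def to_csv(rows, names):
    """Like ``rdump -C``: a header row followed by one CSV line per record."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=names, lineterminator="\n")
    writer.writeheader()
    for row in rows:
        writer.writerow({n: str(row[n]) for n in names})
    return buf.getvalue()


def exe_report(records, case_insensitive=False):
    """Build the path,ctime,mtime,size CSV of .exe files, as the pipeline above does."""
    if case_insensitive:
        expr = "r.path.suffix.lower() == '.exe'"   # catches CMD.EXE as well
    else:
        expr = "r.path.suffix == '.exe'"           # the selector used in the tutorial
    names = ["path", "ctime", "mtime", "size"]
    return to_csv(fields(select(records, expr), names), names)


if __name__ == "__main__":
    print(exe_report(RECORDS))
    print(exe_report(RECORDS, case_insensitive=True))
```

Running the script prints the tutorial-style report twice: the case-sensitive selector yields three rows (winfo.exe, pwdump.exe, LookAtLan.exe), the case-insensitive one adds CMD.EXE. The same lowercase comparison can be dropped straight into the real pipeline as rdump -s "r.path.suffix.lower()=='.exe'" when you want to be sure no executable is skipped because of its spelling.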

Opening a shell

In our database we find a program that can be used for hacking: LookAtLan.exe. We can open a shell to the image to further investigate the compromised system and locate the hacking program:

$ target-shell SCHARDT.img

Using target-shell, you can now navigate inside the target image by using the regular UNIX commands like ls, cd, find, stat and so on.

So we can navigate to one of the suspicious files we found like this:

N-1A9ODN6ZXK4LQ /> cd C:\Program Files\Look@LAN\
N-1A9ODN6ZXK4LQ /C:/Program Files/Look@LAN> ls
...
LookAtLan.exe
...

All done! This was just a quick introduction to the basic tools that are at your disposal. To get an understanding of the basics of Dissect see: