Tutorial
Let's get started!
For this tutorial we are going to use a well known case file from NIST. In this tutorial we assume Linux is used, on other operating systems most steps are the same but details may differ. First of all, we install Python and create a venv:
$ python3 -m venv dissect
Note: Learn how to install Dissect.
Now activate the virtual environment to get some work done:
$ source dissect/bin/activate
Let’s download the case files. At the time of writing they are hosted at nist.gov. On Linux:
$ for i in {1..8}; do curl https://cfreds-archive.nist.gov/images/hacking-dd/SCHARDT.00$i -o SCHARDT.00$i; done
You can also download them manually of course.
Basic operations
Now, we are going to do some basic operations on this image. If you like, you can merge them together first, although this is not strictly necessary:
$ for i in SCHARDT.00*; do cat "$i" >> SCHARDT.img; done
Note: If you don't want to merge the files, simply feed the first file to Dissect, for instance the one with the E01 or the 000 extension.
Basic image info
To get a brief summary of the forensic image, we use target-info like this:
$ target-info SCHARDT.img
The result will be something like this:
Disks
- <Disk type="RawContainer" size="4871301120">
Volumes
- <Volume name="part_00007e00" size="4869333504" fs="NtfsFilesystem">
Hostname : N-1A9ODN6ZXK4LQ
Domain : None
Ips : 192.168.1.111
Os family : windows
Os version : Microsoft Windows XP (NT 5.1) 2600
Architecture : x86_32-win32
Language :
Timezone : America/Chicago
Install date : 2004-08-19 22:48:27+00:00
Last activity : 2004-08-27 15:46:33.820240+00:00
Find user accounts
To get the list of user accounts on this machine we use two tools: target-query and rdump. target-query, as the name suggests, allows you to query the image; by default it outputs records. rdump is used to process, filter and format the query results. Here we only select the name of each user:
$ target-query SCHARDT.img -f users | rdump -F name -C
With -f we select the function (technically a plugin) we would like to use, in this case users. Then we pipe the result to rdump. With -F we can select specific fields; in this case we only select the field name. With -C we tell the rdump tool to output the result in CSV format.
The output is:
name
systemprofile
LocalService
NetworkService
Mr. Evil
Finding available plugins
To see what else we can query in this image, use the -l option:
$ target-query SCHARDT.img -l -q
We add -q to suppress warnings from plugins telling us they are not compatible with this forensic image.
You now see a list of plugins that you can use with the -f option. Try a couple of them.
Search specific files
If we want to query for suspicious programs that might have been installed on this machine, one option could be to search for all the files with an .exe extension and then try to identify a malicious one. To this end, our first step is to use the walkfs plugin, which yields all files in the image:
$ target-query SCHARDT.img -f walkfs
<filesystem/entry path='\sysvol\...\Local Settings' size=0 ...>
<filesystem/entry path='\sysvol\...\desktop.ini' size=62.0 ...>
This command returns a huge list of files. Our next step is to narrow this list down to only files ending with .exe. To accomplish this, we will again use rdump, the same filtering tool mentioned two examples above, and apply a Python expression for filtering:
$ target-query SCHARDT.img -f walkfs | rdump -s "r.path.suffix=='.exe'"
<filesystem/entry path='\sysvol\...\winfo.exe' size=811.0 ...>
<filesystem/entry path='\sysvol\...\pwdump.exe' size=1162.0 ...>
Here we use the -s option for rdump to filter on a particular file extension. The expression r.path.suffix=='.exe' is a snippet of Python that examines the suffix of each path and only includes the ones ending with .exe.
Hint: You can use any Python expression you like!
While this list is much better, we can still improve the formatting. We use the -F option of rdump to filter the columns:
$ target-query SCHARDT.img -f walkfs | rdump -s "r.path.suffix=='.exe'" -F path,ctime,mtime,size
This reduces the number of characters per line significantly. However, due to the record representation, it is still hard to read (hence no output example is shown). To make it even more readable, we add the -C option, which converts it to a comma-separated format:
$ target-query SCHARDT.img -f walkfs | rdump -s "r.path.suffix=='.exe'" -F path,ctime,mtime,size -C
\sysvol\winfo.exe,2004-08-19 22:25:09.860123+00:00,2004-08-19 23:05:15.852375+00:00,41.6 KB
\sysvol\pwdump.exe,2004-08-19 22:25:09.860123+00:00,2004-08-19 23:05:15.852375+00:00,41.6 KB
\sysvol\...\LookAtLan.exe,2004-08-19 22:25:09.860123+00:00,2004-08-19 23:05:15.852375+00:00,41.6 KB
This already looks much more compact and searchable. Finally, we can put the resulting table in a spreadsheet for further investigation. We accomplish this by simply redirecting the output with > db.csv:
$ target-query SCHARDT.img -f walkfs | rdump -s "r.path.suffix=='.exe'" -F path,ctime,mtime,size -C > db.csv
You can now open the db.csv file in your favourite spreadsheet program and search for well-known malicious executables.
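To make the rdump pipeline above concrete, the following is an added example that is not part of this tutorial or of the Dissect code base: it re-implements, on a handful of constructed filesystem records, the three stages the tutorial chains together (a -s Python expression evaluated with the record bound to r, -F field projection, -C CSV output). The Entry class, the sample paths and sizes, and the select/to_csv/exe_paths helpers are all assumptions made for the illustration; dissect's real record classes differ. It also goes one step beyond the tutorial's expression: because NTFS is case-insensitive, an executable stored as NC.EXE is missed by r.path.suffix=='.exe', so the example compares the lower-cased suffix instead.

```python
"""Emulate rdump's -s / -F / -C stages on constructed records.

Added illustration only: not dissect's own code. The point is the semantics
of the -s expression (plain Python evaluated with the record available as `r`)
and why a case-sensitive suffix comparison is a poor filter on NTFS images.
"""
import csv
import io
from dataclasses import dataclass
from datetime import datetime, timezone
from pathlib import PureWindowsPath


@dataclass
class Entry:
    """Minimal stand-in for the filesystem/entry record printed by walkfs (assumed shape)."""
    path: PureWindowsPath
    ctime: datetime
    mtime: datetime
    size: int


# Constructed sample records; paths, timestamps and sizes are made up for this example.
T0 = datetime(2004, 8, 19, 22, 25, 9, tzinfo=timezone.utc)
RECORDS = [
    Entry(PureWindowsPath(r"\sysvol\WINDOWS\system32\desktop.ini"), T0, T0, 62),
    Entry(PureWindowsPath(r"\sysvol\winfo.exe"), T0, T0, 811),
    Entry(PureWindowsPath(r"\sysvol\pwdump.exe"), T0, T0, 1162),
    Entry(PureWindowsPath(r"\sysvol\Program Files\Look@LAN\LookAtLan.exe"), T0, T0, 4096),
    # Upper-case extension: still an executable on a case-insensitive NTFS volume.
    Entry(PureWindowsPath(r"\sysvol\Documents and Settings\Mr. Evil\NC.EXE"), T0, T0, 59392),
]


def select(records, expression):
    """Mirror `rdump -s EXPR`: keep records for which the Python expression,
    evaluated with the record bound to `r`, is truthy."""
    code = compile(expression, "<rdump -s>", "eval")
    # Builtins are withheld; attribute access and string methods on `r` still work.
    return [r for r in records if eval(code, {"__builtins__": {}}, {"r": r})]


def to_csv(records, fields):
    """Mirror `rdump -F f1,f2 -C`: project the named fields and render CSV with a header row."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(fields)
    for r in records:
        writer.writerow([getattr(r, f) for f in fields])
    return buf.getvalue()


def exe_paths(records, case_insensitive):
    """Return the file names selected by the tutorial's expression, or by a
    case-insensitive variant that also catches upper-case extensions."""
    if case_insensitive:
        expr = "r.path.suffix.lower() == '.exe'"
    else:
        expr = "r.path.suffix == '.exe'"
    return [r.path.name for r in select(records, expr)]


if __name__ == "__main__":
    # Same pipeline as the tutorial's last command, with the case-insensitive filter.
    hits = select(RECORDS, "r.path.suffix.lower() == '.exe'")
    print(to_csv(hits, ["path", "ctime", "mtime", "size"]))
```

The case-insensitive form, r.path.suffix.lower()=='.exe', can be passed to the real rdump -s unchanged, since it is ordinary Python on the record's path field.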
Opening a shell
In our database we find a program that can be used for hacking: LookAtLan.exe. We can open a shell to the image to further investigate the compromised system and locate the hacking program:
$ target-shell SCHARDT.img
Using target-shell, you can now navigate inside the target image using the regular UNIX commands like ls, cd, find, stat and so on. So we can navigate to one of the suspicious files we found like this:
N-1A9ODN6ZXK4LQ /> cd C:\Program Files\Look@LAN\
N-1A9ODN6ZXK4LQ /C:/Program Files/Look@LAN> ls
...
LookAtLan.exe
...
All done! This was just a quick introduction to the basic tools that are at your disposal. To get an understanding of the basics of Dissect see: