First steps

After reading the Introduction page, you are ready to tackle your first digital forensics and/or incident response case with Dissect. This page will guide you through your first steps, taking you by the hand through the process.

As case material, we’re using the images provided by NIST for the Hacking Case. This case consists of a DD image (in multiple parts) and an EnCase image (in two parts) of a laptop of a certain suspect. Next to these two images, we’ve added a .vmdk file from an IE11 Windows VM and an acquire container from the .vmdk file of an MSEdge Windows VM. These VM images were obtained from Microsoft Developer Virtual Machines.

Our investigation material consists of:

  • SCHARDT.001 (DD image, mirror, 636 MB)

  • SCHARDT.002 (DD image, mirror, 636 MB)

  • SCHARDT.003 (DD image, mirror, 636 MB)

  • SCHARDT.004 (DD image, mirror, 636 MB)

  • SCHARDT.005 (DD image, mirror, 636 MB)

  • SCHARDT.006 (DD image, mirror, 636 MB)

  • SCHARDT.007 (DD image, mirror, 636 MB)

  • SCHARDT.008 (DD image, mirror, 199 MB)

  • 4Dell Latitude CPi.E01 (EnCase image, mirror, 641 MB)

  • 4Dell Latitude CPi.E02 (EnCase image, mirror, 400 MB)

  • IE11-Win81-VMWare-disk1.vmdk (Full VMDK file, mirror, 8.0 GB)

  • MSEDGEWIN10_20220708124036.tar (acquire container, mirror, 469 MB)

While Dissect will work fine under Windows, a Unix based system is assumed when following along with these first steps.

Investigation directory structure

Before starting your investigation with Dissect, it is advised to create a consistent and structured investigation directory. The following table shows an example of what we at Fox-IT use:

data/ (abbreviated to d/)
    Raw source data, organised as:

      • d/YYYYMMDD/Source folder

    Data in these folders is ideally made immutable using chattr +i to avoid accidental deletion or modification.

targets/ (abbreviated to t/)
    Symbolic links to target source data from the d/ folder. See Creating symlinks for a more elaborate description.

host/ (abbreviated to h/)
    Exported host data per hostname, such as mft_timeline results, evtx records, interesting binaries, etc. Organised per hostname as:

      • h/HOSTNAME/mft_timeline.txt
      • h/HOSTNAME/evtx.rec
      • h/HOSTNAME/beacon.bin

export/ (abbreviated to e/)
    Actionable export data you either want to share with the client or use in some external tool, such as:

      • Overview of compromised machines
      • CMDBs
      • Files / data you want to share with the client
      • Files / data you want to use in the final report or presentation
      • Interesting binaries

mount/ (abbreviated to m/)
    Mounted images from the d/ directory, organised per hostname:

      • m/HOSTNAME/<filesystem_structure>
      • m/HOSTNAME/ewf/ewf1

Creating a simple CMDB

During most investigations, you want to keep track of the investigation material by creating your own simple CMDB. Dissect can do this for you! As explained on the target-query page, you can create a CMDB with target-query: pass the --cmdb argument together with the basic OS functions (hostname, domain, OS, version and ips). Write the output to a CSV file to archive your CMDB.

$ target-query targets/ -f hostname,domain,OS,version,ips --cmdb -d ";" > export/CMDB.csv

The created csv file now contains the basic information about all the targets stored in the targets/ directory. When new targets are added to the directory, you can simply rerun the command to update your csv file.
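The following script is an added example, not part of the Dissect documentation or tooling: it lays out the investigation directory described above (with the short-name symlinks), places a piece of evidence under d/YYYYMMDD/Source and links it into t/, and wraps the CMDB command from this page. The function names, the source name and the date stamp are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not part of the Dissect docs): set up the Fox-IT style
# investigation directory and feed linked evidence to target-query.
set -eu

# Create data/, targets/, host/, export/, mount/ plus the short-name symlinks
# (d/, t/, h/, e/, m/). Links are relative so the case directory can be moved.
init_case_dir() {
    case_dir=$1
    mkdir -p "$case_dir"
    for pair in data:d targets:t host:h export:e mount:m; do
        long=${pair%%:*}
        short=${pair##*:}
        mkdir -p "$case_dir/$long"
        [ -e "$case_dir/$short" ] || ln -s "$long" "$case_dir/$short"
    done
}

# Copy one evidence file into d/<stamp>/<source>/ and symlink it into t/.
# Keep every part of a split image (e.g. .001, .002, ...) in the same source folder.
# Arguments: case dir, date stamp (YYYYMMDD), source name, path to evidence file.
add_source() {
    case_dir=$1; stamp=$2; source=$3; evidence=$4
    dest="$case_dir/data/$stamp/$source"
    mkdir -p "$dest"
    cp "$evidence" "$dest/"
    name=$(basename "$evidence")
    ln -sf "../data/$stamp/$source/$name" "$case_dir/targets/$name"
}

# Make a raw evidence file immutable, as the table above recommends.
# chattr needs root and an ext-style filesystem, so it is kept separate.
lock_source() {
    chattr +i "$1"
}

# Build the CMDB from everything linked under targets/, using the command on this page.
build_cmdb() {
    case_dir=$1
    command -v target-query >/dev/null || { echo "target-query not installed" >&2; return 1; }
    target-query "$case_dir/targets/" -f hostname,domain,OS,version,ips --cmdb -d ";" \
        > "$case_dir/export/CMDB.csv"
}
```

Rerunning build_cmdb after each add_source call refreshes export/CMDB.csv for the newly linked targets.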

Next steps

You can click the cards below to navigate to your preferred next steps depending on your interest or role!

Incident Handler

Continue with basic analysis, typically useful for Incident Handlers.

Security Analyst

Continue with more advanced analysis tasks, typically useful for Security Analysts.