First steps
After reading the Introduction page, you are ready to tackle your first digital forensics and/or incident response case with Dissect. This page will guide you through your first steps, taking you by the hand through the process.
As case material, we're using the images provided by NIST for the Hacking Case. This case consists of a DD image (in multiple parts) and an EnCase image (in two parts) of a laptop of a certain suspect. In addition to these two images, we've added a .vmdk file from an IE11 Windows VM and an acquire container made from the .vmdk file of an MSEdge Windows VM. These VM images were obtained from Microsoft Developer Virtual Machines.
Our investigation material consists of:

- SCHARDT.001 (DD image, mirror)
- SCHARDT.002 (DD image, mirror)
- SCHARDT.003 (DD image, mirror)
- SCHARDT.004 (DD image, mirror)
- SCHARDT.005 (DD image, mirror)
- SCHARDT.006 (DD image, mirror)
- SCHARDT.007 (DD image, mirror)
- SCHARDT.008 (DD image, mirror)
- 4Dell Latitude CPi.E01 (EnCase image, mirror)
- 4Dell Latitude CPi.E02 (EnCase image, mirror)
- IE11-Win81-VMWare-disk1.vmdk (Full VMDK file, mirror)
- MSEDGEWIN10_20220708124036.tar (acquire container, mirror)
While Dissect will work fine under Windows, a Unix based system is assumed when following along with these first steps.
Investigation directory structure
Before starting your investigation with Dissect, it is advised to create a consistent and structured investigation directory. The following table shows an example of what we at Fox-IT use:

| Directory | Abbreviation | Description |
|---|---|---|
| data/ | d/ | Often abbreviated to d/. Data in this folder is ideally made immutable using |
| targets/ | t/ | Often abbreviated to t/. |
| host/ | h/ | Often abbreviated to h/. Organised per hostname as: |
| export/ | e/ | Often abbreviated to e/. |
| mount/ | m/ | Often abbreviated to m/. |
Creating symlinks

When creating the investigation directory structure, you should also create symlinks to your target source data. Creating symlinks to your targets is useful so that you can arbitrarily group your targets without having to copy or move the actual files around. For example, all your original source data can stay in timestamped upload directories. You can then symlink the target files by host type (workstation, server), Windows AD domain, Windows AD forest, or a combination thereof!
Since in this case both the DD image and the EnCase image consist of multiple files, it's useful to create a symlink to the first file only, such that you effectively have one target for the entire image (don't worry, Dissect can handle this!).

Normally we would symlink the .vmx file of the VM, but our sample case material doesn't include one, so we take the .vmdk file instead.

Let's create symlinks for all images and store them in a directory called targets/.

```
$ ln -s /home/user/SCHARDT.001 /home/user/targets/SCHARDT.001
```
After all the symlinks have been created, the targets/ directory contains the following links:

```
4Dell Latitude CPi.E01
IE11-Win81-VMWare-disk1.vmdk
MSEDGEWIN10.tar
SCHARDT.001
```
Now that we have all our targets neatly organized, we can progress to the next step!
Creating a simple CMDB
During most investigations, you want to keep track of the investigation material by creating your own simple CMDB. Dissect can do this for you!
As explained in target-query, you can create a CMDB using target-query. Simply pass the --cmdb argument together with the basic OS functions. You can redirect the output to a csv file to archive your CMDB.

```
$ target-query targets/ -f hostname,domain,OS,version,ips --cmdb -d ";" > export/CMDB.csv
```
The created csv file now contains the basic information about all the targets stored in the targets/ directory. When new targets are added to the directory, you can simply rerun the command to update your csv file.
Next steps
You can click the cards below to navigate to your preferred next steps depending on your interest or role!