登录查看更多内容

#DFIR: DIGITAL FORENSICS INCIDENT RESPONSE

Cynor Sense

Experience Safety

发布日期: 2023年2月8日

+ 关注

Quick steps to DFIR:

Capture 'C' drive triage and memory of entire windows system using below commands packed in the kape.zip file.

Link to download the KAPE zip: https://c459d849-403c-4b5e-8380-5d88cd28a0be.usrfiles.com/archives/c459d8_a0b42badb1f94c4284d3748864a4cbc4.zip

Step:1
PS D:\kape> docker run --rm -v //d/Forensics/KAPEDEST1/Artifacts:/Artifacts:rw  log2timeline/plaso log2timeline --storage-file /Artifacts/myownpc.plaso /Artifacts/C

Step:2
PS D:\kape> docker run --rm -v //d/Forensics/KAPEDEST1/Artifacts:/Artifacts:rw  log2timeline/plaso psort --analysis tagging --tagging-file /usr/share/plaso/tag_windows.txt -o null /Artifacts/myownpc.plaso

Step:3
docker run --rm -v //d/Forensics/KAPEDEST1/Artifacts:/Artifacts:rw log2timeline/plaso psort -o dynamic --fields datetime,timestamp_desc,source,source_long,message,parser,tag -w /Artifacts/myownpc.csv /Artifacts/myownpc.plaso

# YARA SCAN AND PLASO FILE
docker run -v //d/FORENSICS/Forensics/DuvvadaServers/Servers_KApe_1_12-25-2022/FTO7JUMPHOST-C.f49f4f46fd3fb160-F.CEJEOKFQ6ND66/clients/FTO7JUMPHOST/collections/F.CEJEOKFQ6ND66/uploads:/data:rw -v //c/Users/cynor:/data1:ro log2timeline/plaso log2timeline --process-archives --yara_rules /data1/rules/all_yara_rules.yar --storage-file /data/FTO7JUMPHOST-auto-c-allYARA.plaso /data/auto/C

#APPLY WINDOWS TAGGING

docker run -v //d/FORENSICS/Forensics/DuvvadaServers/Servers_KApe_1_12-25-2022/FTO7JUMPHOST-C.f49f4f46fd3fb160-F.CEJEOKFQ6ND66/clients/FTO7JUMPHOST/collections/F.CEJEOKFQ6ND66/uploads:/data:rw log2timeline/plaso psort --analysis tagging --tagging-file /usr/share/plaso/tag_windows.txt -o null /data/FTO7JUMPHOST-auto-c-allYARA.plaso
SUPER TIMELINE

Super Timeline

# CREATE SUPER TIMELINE FOR TIMESKETCH OR ELASTICSEARCH
docker run -v //d/FORENSICS/Forensics/DuvvadaServers/Servers_KApe_1_12-25-2022/FTO7JUMPHOST-C.f49f4f46fd3fb160-F.CEJEOKFQ6ND66/clients/FTO7JUMPHOST/collections/F.CEJEOKFQ6ND66/uploads:/data:rw log2timeline/plaso psort -o dynamic --fields datetime,timestamp_desc,source,source_long,message,parser,tag,yara_match -w /data/auto/SprTimeYara-FTO7JUMPHOST-auto-c.csv /data/FTO7JUMPHOST-auto-c-allYARA.plaso

#YARA MATCH

docker run -v //d/FORENSICS/Forensics/DuvvadaServers/Servers_KApe_1_12-25-2022/FTO7JUMPHOST-C.f49f4f46fd3fb160-F.CEJEOKFQ6ND66/clients/FTO7JUMPHOST/collections/F.CEJEOKFQ6ND66/uploads:/data:rw log2timeline/plaso psort -w /data/auto/SprTimeYara-FTO7JUMPHOST-auto-c.csv --additional_fileds yara_match

#DFIR: DIGITAL FORENSICS INCIDENT RESPONSE

Cynor Sense

Experience Safety

Cynor Sense : Guide

600 位关注者

Cynor Sense的更多文章

Cynor Sense : Guide

600 位关注者

Cynor Sense的更多文章

EDR: Master Function-Hooking DLLs (Part2)

EDR : Architecture & Solutions (Part1)

Attack Surface Reduction #ASR

ATTACK SURFACE REDUCTION FROM WINDOWS

Cyber Risk - Financial Impact

CIS Hardening Automation SaltStack

Attack surface of your product.

WP.29 CSMS and SUMS R155 and R156 regulations and the ISO/SAE 21434 standard

TTP; "Tactics, Techniques, and Procedures"

Pentesters Paradise