Software
Autopsy
Autopsy is better known to many as Sleuth Kit, which came to Linux many years ago. Today it is developed for Windows as well and works on several operating systems.
We use it on Windows, where it is a really well developed piece of software. It can do a lot of things and is fast. We look at what we can get out of Autopsy and how we use ingest modules, which are the functions you can use in the software.
License = Free, open source.
Autopsy Plugins
Here is a collection of the plugins that you can install in Autopsy. They give the tool extra leverage in your investigations.
Link to the plugin site on GitHub
Vmware / Virtualbox
This is the virtualization software I / we use in class. For teaching, I use VMware, as it has become my favorite software. I think it is a little more rounded and nicer to use, and compatibility works a little more smoothly here for me.
VirtualBox is quite nice and good software. It is free and easy to get started with if you need to virtualize your computers.
License = VMware costs $ 200, and a 50% discount is given on upgrading the version (at the time of writing)
License = VirtualBox is free
Emeditor
EmEditor is a text editor that is unknown to most people I meet. It is a simple editor in many respects, and it supports a lot of different programming languages, searches, regex etc.
The reason I invested in this editor is that it can open text files up to 250 GB in size. That is an advantage once in a while if you are sitting in a Windows environment and have to look into large files. You can most likely also use PowerShell for this, but here I have the opportunity to look into the files with an app, and that is convenient.
License = $ 259 for a lifetime license or $ 40 annually.
A note: I use this on a personal license. I think the program is worth every penny. The software is updated on a regular basis. I am not sponsored to write this.
Splunk / SOF-ELK
A SIEM (Security Information and Event Management) handles monitoring and indexing of logs and events in the company. It is used in class to analyze logs and other log data.
Splunk is quick to install on a Windows machine so you can get started analyzing logs, since the software comes predefined with the log formats it can index. Splunk is free up to 500 MB per day; after that it costs money. I do not know the prices at the time of writing, but rumor has it that it is not cheap software. For our needs, however, it costs nothing.
License = Unknown
SOF-ELK is made by Phil Hagen from SANS and is available to download for free. It has been developed over time and has many great features built into it. It can do a lot, but at the same time it requires that you know Elasticsearch, Kibana and Logstash to customize log handling. A little more convoluted. However, it must be said that common log formats are recognized and indexed.
License = Free
Linux
Linux does not require the big intro. If I have a laptop with Linux, or a virtual machine with Linux, then in many respects I have a multitool right there. Linux can do a lot with few resources and is free. Nuff said!
License = free
Simplemind pro
A simple tool for making mind maps and clarifying thoughts and concepts. It can be used as a summary of topics. It is not a DFIR tool, but do not underestimate a mind map.
The Pro version has slightly more options in terms of exports and designs.
License = $ 28 for a single, lifetime license for Windows (Read more here)
Screenpresso
An underrated tool in many ways. The ability to record images, video and audio is often overlooked. It is an invaluable tool for documenting what one is doing while working.
License = free at the time of writing, or $ 45 for a single license, one-time investment. (Read more here)
Windows
Windows does not require an introduction either. It is an operating system like so many others. A standalone license can be purchased as an OEM license.
I use a trial license which works for 90 days, which is fine for my purpose and has full functionality, for Windows 7, 8 and 10. (The Edge program is here)
License = Volume license or OEM, which is set at 699 Danish kroner.
FTK imager
We will use FTK Imager, which is free but licensed by AccessData. We use the software to secure data in formats such as AD1, DD, E01 etc.
FTK Imager can assist you in the acquisition of data from media such as SD cards, hard drives and other hardware. (Please be advised that media such as USB devices may require a separate write blocker, like those used for SATA drives.)
DD / DC3 DD / DCFL DD
The little Linux tool that can be used to secure data. It is quite efficient and easy to use, and it does exactly what you ask. There are several versions of the same program (dc3dd, dcfldd), customized with some extra features like hashing and a progress bar.
df -h (shows mounted filesystems)
dd if=/dev/urandom of=/dev/null status=progress (dd is the tool; if= is the input file and of= is the output file; status=progress prints progress while copying. In a real acquisition if= is the evidence device and of= is the image file.)
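An added example, not part of the original page: a small POSIX shell script that images a source with dd and verifies the image against the source with sha256sum, which is the hashing step the dc3dd/dcfldd variants build in. The function names and the .sha256 sidecar convention are this example's own choices.

```shell
#!/bin/sh
# Image a source (device or file) with dd, then prove the image is a faithful
# copy by comparing sha256 of source and image. Example code, not from the page.
set -eu

# image_and_verify SOURCE IMAGE
# Returns 0 when the sha256 of IMAGE matches the sha256 of SOURCE.
image_and_verify() {
    src="$1"
    img="$2"
    # conv=noerror,sync keeps going past unreadable blocks and pads them with
    # zeros so offsets in the image stay aligned with the source. sync also
    # pads a final partial block, so the source size should be a multiple of
    # bs (always true for block devices with bs=512). dd's own messages,
    # including read errors, are kept in a log beside the image.
    # GNU dd also accepts status=progress; it is left out so the function
    # works with non-GNU dd as well.
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>"$img.dd.log"
    src_hash=$(sha256sum "$src" | cut -d' ' -f1)
    img_hash=$(sha256sum "$img" | cut -d' ' -f1)
    # Record the hash beside the image in the format sha256sum -c understands.
    printf '%s  %s\n' "$img_hash" "$(basename "$img")" > "$img.sha256"
    [ "$src_hash" = "$img_hash" ]
}

# verify_image IMAGE
# Re-checks an image against its sidecar later, e.g. before analysis.
verify_image() {
    img="$1"
    (cd "$(dirname "$img")" && sha256sum -c "$(basename "$img").sha256" >/dev/null 2>&1)
}
```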
Note programs
A good system for storing notes is important. You cannot remember everything, so it is important to have a place where your notes are available. There are many different programs for it; some are free, others cost money. I can recommend Standard Notes, which is a note program that works really well for me. It is not perfect, but it has the features I am looking for, namely security, ease of use, synchronization across platforms, and it just works. The program also uses strong encryption (see their article).
License = free, or purchase extra features for approx. $ 99 for a 5 year plan.
Hash tools for file hashes
One of the most important things in the subject is to be able to demonstrate file integrity. So it is also good to have a program that can calculate hash values for files and text. Linux and Mac have it built in as features in the terminal (such as md5sum filename.txt).
For Windows, there are hash tools that integrate into File Explorer, so you can calculate the hash value simply by right-clicking.
We have looked at DirHash for recursively calculating the hash values.
Link to the software DirHash
Below is an example
Calculate
DirHash.exe C:\Users\testuser\Downloads\test -sumRelativePath -sum sha256 -progress -t test
Verify
DirHash.exe C:\Users\testuser\Downloads\test SHA256 -verify test
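An added example, not from the original page and not DirHash itself: a portable equivalent of the DirHash calculate and verify steps above using only find and sha256sum, with manifest paths relative to the hashed directory as with -sumRelativePath. It also reports files that appeared after the manifest was written, which sha256sum -c alone does not flag. Function names are this example's own.

```shell
#!/bin/sh
# Recursive hashing of an evidence folder, plus verification. Example code,
# not from the page. MANIFEST is written relative to the current directory.
set -eu

# hash_tree DIR MANIFEST
# Writes "hash  ./relative/path" lines sorted by path, so the manifest is
# reproducible and can itself be hashed or signed later.
hash_tree() {
    dir="$1"
    manifest="$2"
    (cd "$dir" && find . -type f ! -name "$(basename "$manifest")" -print0 \
        | LC_ALL=C sort -z \
        | xargs -0 sha256sum) > "$manifest"
}

# verify_tree DIR MANIFEST
# Returns 0 only when every listed file still matches and none is missing.
verify_tree() {
    dir="$1"
    manifest="$2"
    (cd "$dir" && sha256sum -c - >/dev/null 2>&1) < "$manifest"
}

# added_files DIR MANIFEST
# Prints files present now but absent from the manifest (one per line).
added_files() {
    dir="$1"
    manifest="$2"
    (cd "$dir" && find . -type f ! -name "$(basename "$manifest")" \
        | LC_ALL=C sort) > "$manifest.now"
    # A sha256 hex digest is 64 characters, followed by two spaces, so the
    # relative path starts at column 67 of each manifest line.
    cut -c67- "$manifest" | LC_ALL=C sort > "$manifest.listed"
    comm -13 "$manifest.listed" "$manifest.now"
    rm -f "$manifest.now" "$manifest.listed"
}
```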
Wireshark
Wireshark is without a doubt one of the programs that comes in handy. It is easy to make a .pcap file and then analyze it. Wireshark can do the analysis part too, albeit a bit cumbersomely, since it requires that you know a lot of filters. There are also programs that can help with this, such as NetworkMiner, NetMon (freemium) and tshark (part of Wireshark). There are probably many other great tools out there.
The most important thing is that we can make a network capture of our machines and exercises and then try to analyze it afterwards.
Cyberchef
One of the newer additions to the family is CyberChef (GitHub). It is a program developed by GCHQ in England. It is a small tool that can edit, search, convert and much else, for both small and large amounts of data. It is a small app that works offline in a browser.
It is definitely worth taking a look at.
License = free
Python framework
Python is a programming language that you should have installed if you are working with the above, as there are many small tools written in it, and you can develop your own.
License = free
KAPE
KAPE is one of the tools that has been developed to do a lot. It can generally collect and analyze data, based on the modules you use, either the pre-installed ones or ones you install yourself.
The tool is used for collecting data in a triage and then parsing the content afterwards, such as the MFT, prefetch files, logs and more. It takes the bulk out of the data collection and can be extended with your own scripts.
License = free for private use; commercial use requires a paid license.
Flare VM
FLARE VM is the collection of tools we use for our malware analysis. The system is based on Windows.
In class I do an intro, and there is a video showing the installation (requires login to the guide on the page).
License = free
Remnux
REMnux is the Linux-based malware analysis platform which is also used in class.
License = free
Notes for analyzing PCAPs
tshark -q -r trickster.pcap -T fields -e dns.qry.name
Prints the queried DNS names; the list is unsorted. (Add -Y dns to skip the empty lines that non-DNS packets produce.)
tshark -q -r trickster.pcap -T fields -e dns.qry.name > dns.txt
Saves the output to the file dns.txt.
cat dns.txt | sort
Sorts the domain names.
cat dns.txt | sort | uniq
Sorts and keeps only unique names.
Nmap
Nmap should probably also be mentioned here. It is an indispensable tool in the event of incidents: if malicious actors have put equipment on your network, being able to scan your network for devices can be an important step. Of course, this requires that you know your units (assets) in advance and have a list of them (as recommended in the CIS Controls and ISO 27001).
Nmap is also available for Windows and can be installed via the terminal on Unix-based systems (e.g. sudo apt-get install nmap).
License = free / Open source
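An added example, not from the original page, of the asset-list check described above: the hosts an nmap sweep found are compared with an inventory file and anything not on the list is reported. The nmap output and the inventory below are constructed samples in nmap's greppable (-oG) format; in practice the output comes from something like nmap -sn -oG sweep.gnmap run against your own network range. Function names are this example's own.

```shell
#!/bin/sh
# Compare a host sweep with a known-asset list. Example code, not from the page.
set -eu

# Constructed sample of nmap -sn -oG output (greppable format).
SAMPLE_GNMAP='# Nmap 7.80 scan initiated as: nmap -sn -oG sweep.gnmap 192.168.1.0/24
Host: 192.168.1.1 (gw.lab.local)  Status: Up
Host: 192.168.1.10 ()  Status: Up
Host: 192.168.1.23 ()  Status: Up
Host: 192.168.1.77 ()  Status: Up
# Nmap done: 256 IP addresses (4 hosts up) scanned'

# Constructed inventory: one IP per line, comments and blank lines allowed.
SAMPLE_INVENTORY='# known assets
192.168.1.1
192.168.1.10
192.168.1.23'

# live_hosts < GNMAP
# Prints the IP of every host reported Up, sorted and deduplicated.
# A sweep only sees hosts that answer, so treat the result as a lower bound.
live_hosts() {
    awk '/^Host:/ && /Status: Up/ { print $2 }' | LC_ALL=C sort -u
}

# unknown_hosts GNMAP_FILE INVENTORY_FILE
# Prints hosts that are up but do not appear in the inventory.
unknown_hosts() {
    live_hosts < "$1" > "$1.live"
    grep -v '^#' "$2" | sed '/^$/d' | LC_ALL=C sort -u > "$2.known"
    comm -23 "$1.live" "$2.known"
    rm -f "$1.live" "$2.known"
}
```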
Velociraptor
One of the tools that I play around with a bit is Velociraptor. It is a small agent that can be installed on all devices during a security incident.
The agent can be accessed securely via a console on a server you define. From there, you can query individual machines or the entire network. You can scan for artifacts and, for example, YARA rules. The client is a descendant of GRR, developed by Google and Michael Cohen (who created Velociraptor).
The application is quite smartly made. You have one installation file, and from it the program creates a server YAML and a client YAML file. The installation file is sent to clients together with the client YAML, and depending on the configuration it is given, the same file acts as client or server. The server YAML should only exist in one place.
Via the YAML file, the clients get a secure connection (SSH access) that secures communication between client and server, which means that in theory you can install the application on a VPS (Virtual Private Server) and query your clients over the Internet.
The purpose is to create visibility into a possibly compromised network.
Read more here on Medium
License = Free and Open source
Volatility
Memory analysis with Volatility is also one of the areas we are going to look at, since the memory of a system can contain information about malware etc.
We will look at what the difference is between version 2 and 3.
Volatility ties in with the Velociraptor and KAPE programs.
License = free and open source.
Notes on Volatility (only for analyzing the dump file)
Volatility reference: https://github.com/volatilityfoundation/volatility/wiki/Command-Reference (info on profiles: vol.exe --info | more)
Make a dump file with DumpIt, FTK Imager or Magnet RAM dump. Remember that the output is the same size as the amount of RAM.
Volatility 2.6 examples
Image info:
volatility-2.X.standalone.exe -f Filnavn.dmp imageinfo
Process list (the dump can also be raw, mem or wmem):
volatility-2.X.standalone.exe pslist -f Filnavn.dmp --profile=Win10x64
volatility-2.5.standalone.exe pslist -f Filnavn.mem --profile=Win10x64
Netscan:
volatility-2.5.standalone.exe netscan -f Filnavn.mem --profile=Win10x64
Volatility 3 example
vol.py -f "I:\TEMP\DESKTOP-1090PRO-20200708-114621.dmp" windows.psscan.PsScan (shows the processes; psscan finds process structures by scanning memory, so it can also return exited or hidden processes, which is why it is compared against pslist)
For more, see this cheat sheet or run vol.py -h for help.