A Blog on digital investigations

Posts tagged "DFIR":

Dockerized Snort3 for Rule Crafting and Triage Forensics


In this blog post, you'll learn about a dockerized setup of snort3 and its usage for offline and online analyses. I'll demonstrate its usage and value by creating a Snort rule to detect the loader dubbed SVCready.


Gradual Evidence Acquisition From an Erroneous Drive


A hard drive is a relatively fragile data store. After discovering the first indicators of a drive failure, the hard drive might suddenly die. The present blog post, therefore, discusses the gradual acquisition of evidence from an erroneous drive by utilizing the synergy of the open source tools ddrescue and partclone. To spare the mechanics of the drive and acquire the most critical data first, partclone is used to create a so-called domain file, where the used blocks of the file system are noted.


Logical imaging with AFF4-L


Using AFF4-L containers is an efficient and forensically sound way of storing selectively imaged evidence. There exist two open source implementations to perform this task: c-aff4 and pyaff4. To image a directory with aff4.py, run:


Analyzing VM images


Virtualization is everywhere nowadays. So when you have to analyze an incident, you often come across virtual hard disks in the form of sparsely allocated VMDKs, VDIs, QCOW2s, and the like. There are several ways to inspect the data in such virtual machine images. guestmount is a helpful tool to perform a logical inspection of the file system, and qemu-nbd is a good choice to work on a raw block device without having to convert a sparsely allocated virtual disk into a raw image or rely on proprietary software.


Dump Linux process memory


If you need to acquire the process memory of a process running on a Linux system, you can use gcore to create a core file or, alternatively, read its memory areas from /proc/<PID>/maps and use GDB itself to dump their contents into a file. For a convenient way to do this, refer to a basic shell script hosted as a gist named dump_pmem.sh.
