This repository contains various scripts and commands for performing eDiscovery and forensics activities. There is nothing overly complex or novel here, just ways to automate common preparation tasks in a way that is repeatable.
To successfully use the scripts in this directory, you will need to pre-configure a Linux system with the following software.
- BASH - the Bourne Again SHell
- libc 2.15+ [1]
- Hashdeep, including md5deep, sha1deep, and ssdeep
- disable automount of connected devices
For the scipts in this directory, where it makes sense (and as I update them), I have devised the following common directory path for the output
/Data <---- the parent of all your collected data
|---Archive <---- Archive location for long-term storage
|---Case Identifier <---- some number or name for the case
|---Images <---- archived images
|---Email <---- archived exports from email systems
|---Collab <---- archived exports from collaboration platforms
|---Docs <---- archived documents from file sharing
|---Backups <---- archived exports from backup systems
|---Forensics <---- parent of forensics activities
|---Case Identifier <---- some number or name for the case
|---Images <---- disk images and raw evidence data
|---Analysis <---- output of tools and notes
|---Malware <---- discovered malicious code samples
|---Logs <---- other supporting logs (e.g. network traffic)
|---Hashes <---- various hash databases
|---NSRL <---- NSRL data files storage
|---Malware <---- malware hash files
|---Malware <---- malware samples repository
|---Wordlists <---- dictionaries and password wordlists
This is a silly, probably over-engineered script that Copies evidence files in a source directory, adds them to the evidence file, verifies that the copy was successful via comparing the SHA1 sum of the original with the copy.
The purpose of this script is to easily copy evidence data from sources on the network and drop them into the archival directories in a consistent manner. It also checks the checksum of the source against the copied file. If there is a mismatch, then the copy is deleted and the script exits.
Create image is a shell script to prompt for some relevant categorical metadata regarding a physical storage device. It takes this information to add to an disk inventory and create a forensic image of the device to be used for further analysis. After creating the image, it also places a compressed copy of the image into an archive for long-term storage
Currently, the script is tailored for unencrypted and bitlocker-encrypted drives only. To read in an unencryptedimage of a bitlocker-encrypted drive requires libbde: https://code.google.com/p/libbde
Your examination system should be configured to NOT automatically mount devices connected to it.
Disk examine is a shell script to create an image and perform initial examination on a disk image. This is intended to be run against a previously captured drive image in raw (dd) format.
The script makes certain assumptions about the operating system layout upon which it is run. If you do not want to conform, you can simply change the relevant parts of the script. Otherwise, you can make changes so you have the following:
- multiple ‘examine’ directories under mnt numbered sequentially (e.g. /mnt/examine1, /mnet/examine2…)
- a /Data directory (with a symlink from /data for typos)
- a /Data/hashes directory that contains white and black list hash files, and also acts as a repository for collected hashes for later analysis
The Analyze image script has the most requirements
This is a list of some additional mandatory software for running the image analysis
- plaso (log2timeline)
These are not strictly required, but highly recommended
- ClamAV
- AVG (http://free.avg.com/us-en/download-free-all-product)
- f-prot (installed under /opt/f-prot)
This script simply automates a number of tasks you would perform anyway in order to examine a disk image or preserve data for later review or outside consultants at such a time you realize that system you ignored became interesting due to new information. The functions are in alphabetical order, for no reason other than I am anal.
A laughable script that helps to prepare your environment so that it meets the requirements to run the junk in this repository. Also, it is because I am lazy while setting up a new system
This simple shell script creates an inventory of the provided path, which is expected to be a set of directories, each for a case or collection of evidence
This quick command takes a list of custodians in various CSV files[2] and then sorts and de-duplicates them, outputting to a file called ‘custodians.txt’
(Planned) This will go and grab the current version of the NSRL and perform any necessary preparation.
[1] on Debian, you need to use testing repo
- add
deb http://ftp.debian.org/debian testing mainto /etc/apt/sources.lst - run
apt-get -t testing install libc6-amd64 libc6-dev libc6-dbg
[2] The CSV file should take the format for a RedmineCRM Contacts plugin import (see http://redminecrm.com/projects/crm/pages/1)
- The first eight fields -which is all that is relevant here- take the form of: Is company,First Name,Middle Name,Last Name,Job title,Company,Phone,Email
- only fields 2, 4, and 8 are used.