Wine
Wine is great, as it lets you run Windows apps on any Linux distribution.
sudo apt update && sudo apt upgrade -y
sudo apt-get install wine64
Disk and Filesystem Analysis
The most famous open-source DFIR tool. It is essential to any toolkit.
sudo apt-get install sleuthkit
Another essential tool, as it can extract .ad1 images. You will need to install Wine to run it in a Linux VM.
#run with
wine '.wine/drive_c/Program Files/AccessData/FTK Imager/FTK Imager.exe'
Useful for parsing NTFS filesystems and MFT file records.
pip3 install https://github.com/msuhanov/dfir_ntfs/archive/1.1.13.tar.gz
Artifact Analysis: Credentials
LOVE this package, it’s very useful when you need to crack hashes or extract DPAPI blobs.
git clone https://github.com/SecureAuthCorp/impacket && cd impacket
python3 -m pip install .
Similar to impacket, but can be more useful when you just need to view the information.
git clone https://github.com/dfirfpi/dpapilab
The last command will normally print the secrets in the memory dump.
Artifact Analysis: Registry
My go-to tool; it almost always works, although sometimes other tools are needed if the hive is dirty.
Installation copied from here:
wget http://search.cpan.org/CPAN/authors/id/J/JM/JMACFARLA/Parse-Win32Registry-1.0.tar.gz
gunzip Parse-Win32Registry-1.0.tar.gz
tar -xvf Parse-Win32Registry-1.0.tar.gz
cd Parse-Win32Registry-1.0
perl Makefile.PL
make
make test
sudo make install
curl -O https://raw.githubusercontent.com/dfir-scripts/installers/main/RegRipper30-apt-git-Install.sh
chmod +x RegRipper30-apt-git-Install.sh
sudo ./RegRipper30-apt-git-Install.sh
My second favourite tool to quickly look into registry hives:
sudo apt install libregf-utils
#usage
regfexport /path/to/hive > output.txt
Artifact Analysis: Prefetch
Has never let me down…
git clone https://github.com/dfir-scripts/prefetchruncounts
sudo cp prefetchruncounts/prefetchruncounts.py /usr/bin/prefetchruncounts.py
prefetchruncounts.py /path/to/Prefetch
Artifact Analysis: Browser
Decrypts saved Firefox passwords.
https://github.com/unode/firefox_decrypt
python3 firefox_decrypt/firefox_decrypt.py /path/to/profiles/directory
To run this application in Linux, you will need to have Wine installed.
This tool is not limited to Chrome. For example, you can select Discord’s Cache directory and the conversations will be parsed and can be saved in JSON format.
wine chrome_cache_viewer.exe
Great tool overall that parses multiple browsers and artifacts.
pip3 install pyhindsight
curl -sSL https://raw.githubusercontent.com/obsidianforensics/hindsight/master/install-js.sh | sh
Artifact Analysis: Emails
sudo apt install pff-tools
pffexport
Artifact Analysis: EventLogs
The best!!! I love it so much. I used the library to write my own script to extract PowerShell Scripts from Event ID 4401.
pip3 install evtxtract
#one big file
evtxtract [file] > output
#split the records individually
evtxtract -s -o [output_dir] [file]
Windows Timestamp to Datetime
from __future__ import division
import struct
import sys
from binascii import unhexlify
from datetime import datetime, timedelta
# ts: the FILETIME as a 16-character hex string, passed as the first argument
# (assumed to be written most-significant byte first, as most tools print it)
ts = sys.argv[1]
# FILETIME = unsigned 64-bit count of 100-nanosecond ticks since 1601-01-01 00:00:00 UTC
nt_timestamp = struct.unpack(">Q", unhexlify(ts))[0]
# datetime only resolves to microseconds, so divide the tick count by 10
epoch = datetime(1601, 1, 1)
print(epoch + timedelta(microseconds=nt_timestamp / 10))
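As an added example (not code from the original post), the conversion above generalised to the forms a FILETIME turns up in during an investigation: the raw eight little-endian bytes stored in registry values and MFT attributes, the hex string tools print, and the plain integer; it also converts back so a recovered value can be compared against a timeline. The sample bytes at the bottom are constructed, not taken from a real image.

```python
import struct
from datetime import datetime, timedelta, timezone

# Windows FILETIME: 64-bit count of 100-nanosecond ticks since 1601-01-01 UTC.
_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
_TICKS_PER_MICROSECOND = 10


def filetime_to_datetime(value):
    """Return a timezone-aware UTC datetime for a FILETIME, or None when it is 0.

    value may be an int (raw tick count), 8 bytes (little-endian, as stored on
    disk in registry values, MFT attributes and LNK files) or a str of hex
    digits (most-significant byte first, as most tools print it).
    A zero FILETIME means "not set" in Windows, so it is returned as None.
    """
    if isinstance(value, (bytes, bytearray)):
        if len(value) != 8:
            raise ValueError("FILETIME is exactly 8 bytes, got %d" % len(value))
        ticks = struct.unpack("<Q", bytes(value))[0]
    elif isinstance(value, str):
        ticks = int(value, 16)
    elif isinstance(value, int):
        ticks = value
    else:
        raise TypeError("unsupported FILETIME representation: %r" % type(value))
    if ticks == 0:
        return None
    if ticks >> 63:
        # Top bit set is never a real date; usually a sentinel or a corrupt field.
        raise ValueError("FILETIME out of range: 0x%016x" % ticks)
    # datetime resolves to microseconds, so the 100 ns remainder is truncated.
    return _EPOCH + timedelta(microseconds=ticks // _TICKS_PER_MICROSECOND)


def datetime_to_filetime(dt):
    """Inverse conversion; a naive datetime is taken to be UTC."""
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    delta = dt - _EPOCH
    micros = (delta.days * 86400 + delta.seconds) * 10**6 + delta.microseconds
    return micros * _TICKS_PER_MICROSECOND


if __name__ == "__main__":
    # Constructed sample: the bytes of a registry key LastWrite time as they
    # would sit in the hive (little-endian), here encoding 1970-01-01 00:00:00.
    sample = b"\x00\x80\x3e\xd5\xde\xb1\x9d\x01"
    print(filetime_to_datetime(sample))
    print(hex(datetime_to_filetime(filetime_to_datetime(sample))))
```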