forensicskween

Mac & iOS Forensics Cheatsheet & Tools

This is a list of tools and cheatsheet commands for all things macOS and iOS.

mac_apt & ios_apt

My favourite tool! Essential for quick macOS/iOS triage. Install it following the project's instructions (the commands below assume a virtualenv named env) and run:

    source env/bin/activate
    cd mac_apt
    python mac_apt.py -o /path/to/output [format] -i /path/to/input ALL
    python ios_apt.py -o /path/to/output [format] -i /path/to/input ALL
    # when finished
    deactivate

iLEAPP: in-depth analysis of iOS filesystems and iTunes backups.

    git clone https://github.com/abrignoni/iLEAPP
    cd iLEAPP
    pip3 install -r requirements.txt
    sudo apt-get install python3-tk
    python3 ileapp.py -t [type] -i /path/to/input -o /path/to/output

Artifact Analysis: Credentials

iChainbreaker decrypts the 'keychain-2.db' file located in the user's keychain directory (~/Library/Keychains/). The user's password is required for decryption.

LOVE LOVE LOVE anything by n0fate. Literally so many of the scripts I wrote are based on his work!

    python2 iChainbreaker.py -p /path/to/Library/Keychains -k [password] -v [macOS version] -X [exportfile]

Chainbreaker (for the classic macOS login keychain): it's best to read the package's README because it supports a lot of different usages. Personally, this is what I do:

    python2 chainbreaker.py -e -o /path/to/output -p [keychainfile]

Keychain-dumper is an executable that you upload over SSH to a target jailbroken iOS device. It reads, decrypts and prints the contents of the 'keychain-2.db' database.

    # forward local port 22 to port 44 on the USB-attached device
    # (iproxy stays in the foreground, so run the rest from a second terminal)
    sudo iproxy 22 44
    scp keychain-dumper [username]@[host]:
    scp updateEntitlements.sh [username]@[host]:
    ssh [username]@[host]
    # on the device
    sudo apt-get install sqlite3 openssl
    chmod +x keychain-dumper
    mv keychain-dumper /usr/bin
    chmod +x updateEntitlements.sh
    ./updateEntitlements.sh
    keychain-dumper -a

Sometimes the Internet Passwords are not printed out; this depends on the device model and iOS version.

This is another great one! Like the previous tool, it relies on an executable uploaded to a jailbroken iOS device, but instead of reading the database directly it calls the AppleKeyStore kernel extension to unwrap the AES keys stored in 'keychain-2.db'. I like this one a lot because it helps you understand the mechanism of Apple's keychain encryption. The Python code dumps the genp and inet passwords to a property list file.

I have been working on a package that extends it to the keys and cert tables as well.

    # Upload the agent + entitlements and assign privileges
    sudo iproxy 22 44
    scp keyclass_unwrapper [user]@[hostname]:
    scp entitlements.plist [user]@[hostname]:
    ssh [user]@[hostname]
    ldid -Sentitlements.plist keyclass_unwrapper
    chmod +x keyclass_unwrapper
    exit

    # Make sure to edit the Python code for the port in use and the SSH password of the device

A lot of the code you see related to iOS forensics/security refers back to the iconic iphone-dataprotection project. One of its key features was the ability to extract the AES keys from the device. Golb's aes_ap does just that; again, it works only on jailbroken devices. I've been playing around with them for a while and unfortunately I cannot confirm whether they work or not, because I have been unable to get the Device Key from the AppleKeyStore lockers 🙁

    cd golb
    make
    scp aes_ap [username]@[hostname]:
    ssh [username]@[hostname]
    ./aes_ap

Artifact Analysis: Misc

Call History Decryptor: first, you need the key from the macOS keychain, which Chainbreaker can extract.

    # fetch the raw file; the github.com/.../blob URL returns an HTML page, not the script
    curl -O https://raw.githubusercontent.com/n0fate/OS-X-Continuity/master/Call%20History%20Decryptor/callhistorydecryptor.py
    python2 callhistorydecryptor.py -k [key] -f /path/to/CallHistory.storedata

Installation depends on your OS. Basically, this code parses and decrypts encrypted Apple Notes with the provided password. The actual commands vary so much that I advise you to read the README to find what works best for you!

This is a script I wrote! Basically, it decrypts WhatsApp iCloud backups. However, there are limitations due to how WhatsApp works:

– The key is generated on the device that requests an iCloud backup. That key can decrypt iCloud backups on macOS/iOS, given that it's for the same account.

– If the user migrates to a new phone, a new key is generated. That means the key from the new phone will not be able to decrypt the iCloud backups saved locally on the previous phone.

– To get the key, run iOS keychain decryptor or Keychain-dumper and look for the value wa.backup.e

Windows Forensics Cheatsheet & Tools

Wine

Wine is great, as you can run Windows apps on any Linux distribution.

    sudo apt update && sudo apt upgrade -y
    sudo apt-get install wine64

Disk and Filesystem Analysis

The Sleuth Kit: the most famous open-source DFIR tool, essential in any kit.

    sudo apt-get install sleuthkit

FTK Imager: another essential tool, as it is what extracts .ad1 images. You will need wine installed to run it in a Linux VM.

    # run with
    wine '.wine/drive_c/Program Files/AccessData/FTK Imager/FTK Imager.exe'

dfir_ntfs: useful to parse NTFS filesystems and MFT file records.

    pip3 install https://github.com/msuhanov/dfir_ntfs/archive/1.1.13.tar.gz

Artifact Analysis: Credentials

impacket: LOVE this package, it's very useful when you need to extract hashes for cracking or decrypt DPAPI blobs (dpapi.py).

    git clone https://github.com/SecureAuthCorp/impacket && cd impacket
    python3 -m pip install .

dpapilab: similar to impacket, but more useful when you just need to inspect the information in a blob.

    git clone https://github.com/dfirfpi/dpapilab

Artifact Analysis: Registry

RegRipper: my go-to, it almost always works, although sometimes other tools are needed if the hive is dirty (has unapplied transaction log data).

Installation (the Parse-Win32Registry Perl module first, then the dfir-scripts RegRipper installer):

    # search.cpan.org is gone; the same tarball is on the metacpan mirror
    wget https://cpan.metacpan.org/authors/id/J/JM/JMACFARLA/Parse-Win32Registry-1.0.tar.gz
    # extract in one step (running gunzip first would leave a .tar and make tar -xvf of the .tar.gz fail)
    tar -xzvf Parse-Win32Registry-1.0.tar.gz
    cd Parse-Win32Registry-1.0
    perl Makefile.PL
    make
    make test
    sudo make install
    cd ..
    curl -O https://raw.githubusercontent.com/dfir-scripts/installers/main/RegRipper30-apt-git-Install.sh
    chmod +x RegRipper30-apt-git-Install.sh
    sudo ./RegRipper30-apt-git-Install.sh

libregf: my second favourite tool to quickly look into registry hives:

    sudo apt install libregf-utils
    # usage
    regfexport /path/to/hive > output.txt

Artifact Analysis: Prefetch

prefetchruncounts has never let me down.

    git clone https://github.com/dfir-scripts/prefetchruncounts
    sudo cp prefetchruncounts/prefetchruncounts.py /usr/bin/prefetchruncounts.py
    sudo chmod +x /usr/bin/prefetchruncounts.py
    prefetchruncounts.py /path/to/Prefetch

Artifact Analysis: Browser

firefox_decrypt decrypts saved Firefox passwords.

    git clone https://github.com/unode/firefox_decrypt
    python3 firefox_decrypt/firefox_decrypt.py /path/to/profiles/directory

To run this application on Linux you will need wine installed.

This tool is not limited to Chrome. For example, you can select Discord's Cache directory and the conversations will be parsed and can be saved in JSON format.

    wine chrome_cache_viewer.exe

Hindsight: great tool overall that parses multiple browsers and artifacts.

    pip3 install pyhindsight
    curl -sSL https://raw.githubusercontent.com/obsidianforensics/hindsight/master/install-js.sh | sh

Artifact Analysis: Emails

pff-tools (libpff) exports the items of Outlook PST/OST files: messages, attachments, contacts and calendar entries.

    sudo apt install pff-tools
    # export every item into a directory tree under the target path
    pffexport -t /path/to/output /path/to/mailbox.pst

Artifact Analysis: EventLogs

evtxtract: the best!!! I love it so much. I used the library to write my own script to extract PowerShell scripts from Event ID 4104 (script block logging).

    pip3 install evtxtract

    # one big file
    evtxtract [file] > output

    # split the records individually
    evtxtract -s -o [output_dir] [file]

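What the script-extraction step looks like, as an added example (my code, not the page's script and not part of evtxtract): PowerShell script block logging (Event ID 4104 in Microsoft-Windows-PowerShell/Operational) splits a long script across several records that share a ScriptBlockId and carry MessageNumber/MessageTotal. The function below takes records in the XML form that tools such as evtxtract and python-evtx render, groups the fragments and joins them in order, and keeps incomplete blocks apart so a truncated script (rolled-over log, carving gap) is never mistaken for a whole one. The sample records are constructed here; the ScriptBlockIds and script text are made up.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict
from xml.sax.saxutils import escape

# Namespace used by EVTX records when rendered as XML
EVT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def parse_4104(xml_text):
    """Return (ScriptBlockId, MessageNumber, MessageTotal, ScriptBlockText)
    for a PowerShell 4104 record, or None for any other event."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=EVT_NS) != "4104":
        return None
    data = {d.get("Name"): (d.text or "")
            for d in root.findall("e:EventData/e:Data", EVT_NS)}
    return (data["ScriptBlockId"], int(data["MessageNumber"]),
            int(data["MessageTotal"]), data["ScriptBlockText"])


def reassemble_script_blocks(records):
    """Group 4104 fragments by ScriptBlockId and join them in MessageNumber
    order. Returns (complete, partial): complete maps id -> full script text,
    partial maps id -> {MessageNumber: fragment} for blocks with missing
    pieces, so they are never reported as the whole script."""
    fragments = defaultdict(dict)
    totals = {}
    for xml_text in records:
        parsed = parse_4104(xml_text)
        if parsed is None:
            continue
        sbid, number, total, text = parsed
        fragments[sbid][number] = text
        totals[sbid] = total
    complete, partial = {}, {}
    for sbid, parts in fragments.items():
        expected = range(1, totals[sbid] + 1)
        if all(n in parts for n in expected):
            complete[sbid] = "".join(parts[n] for n in expected)
        else:
            partial[sbid] = parts
    return complete, partial


def make_record(event_id, sbid, number, total, text):
    """Constructed record in the XML shape that evtxtract / python-evtx
    produce. Sample data for this example, not taken from a real log."""
    return (
        '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
        '<System><Provider Name="Microsoft-Windows-PowerShell"/>'
        f"<EventID>{event_id}</EventID></System>"
        "<EventData>"
        f'<Data Name="MessageNumber">{number}</Data>'
        f'<Data Name="MessageTotal">{total}</Data>'
        f'<Data Name="ScriptBlockText">{escape(text)}</Data>'
        f'<Data Name="ScriptBlockId">{sbid}</Data>'
        '<Data Name="Path"></Data>'
        "</EventData></Event>"
    )


# Constructed input: fragments arrive out of order and interleaved with other
# events, and the second block is deliberately missing its middle fragment.
SAMPLE_RECORDS = [
    make_record(4104, "0f3a-block-1", 2, 2, "Invoke-Expression $code\n"),
    make_record(4103, "n/a", 1, 1, "pipeline detail, not a script block"),
    make_record(4104, "0f3a-block-1", 1, 2,
                "$code = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64))\n"),
    make_record(4104, "7c21-block-2", 1, 3, "function Get-Loot {\n"),
    make_record(4104, "7c21-block-2", 3, 3, "}\n"),
]

if __name__ == "__main__":
    complete, partial = reassemble_script_blocks(SAMPLE_RECORDS)
    for sbid, script in complete.items():
        print(f"=== {sbid} ===\n{script}")
    for sbid, parts in partial.items():
        print(f"=== {sbid} (incomplete, have fragments {sorted(parts)}) ===")
```

On a real export, feed it the XML of every record evtxtract (or python-evtx) gives you; non-4104 events are skipped, and the partial dictionary tells you which blocks to go carving for.
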
Windows Timestamp to Datetime

    import struct
    from binascii import unhexlify
    from datetime import datetime, timedelta


    def filetime_to_datetime(ts_hex):
        """Convert a Windows FILETIME (100-nanosecond intervals since
        1601-01-01 UTC), given as the 16 hex characters exactly as they
        appear in a hex viewer (little-endian byte order), to a UTC datetime."""
        nt_timestamp = struct.unpack("<Q", unhexlify(ts_hex))[0]
        epoch = datetime(1601, 1, 1, 0, 0, 0)
        return epoch + timedelta(microseconds=nt_timestamp / 10)


    # ts in hex format, copied from the hex viewer
    ts = ""
    if ts:
        print(filetime_to_datetime(ts).strftime("%c"))

Memory Analysis Cheatsheet & Tools

Analysis

Volatility is the go-to for memory analysis. There are two versions: Volatility (Python 2) and Volatility 3 (Python 3). They are quite similar, but Volatility for Python 2 has more plugins and open-source contributions.

If Python 2 is not installed you can install it like so:

    sudo apt install python2
    curl https://bootstrap.pypa.io/pip/2.7/get-pip.py --output get-pip.py
    python2 get-pip.py

Then install Volatility 2 following its installation instructions. If you installed Python 2 using the commands above, use python2 -m pip rather than pip directly.

    # Volatility 3 entry point (Volatility 2 is run as python2 vol.py with a --profile)
    vol3 -f /path/to/memory/dump [pluginname]

Rekall is deprecated, so you will need to install it manually and do some tweaks to make sure it works on your system. The only reason I suggest installing Rekall is that pypykatz requires it for the rekall mode below.

Rekall only works up to Python 3.6, so you will have to install that version of python on your system.

    sudo add-apt-repository ppa:deadsnakes/ppa
    sudo apt-get update
    sudo apt install python3.6
    sudo apt install python3.6-distutils
    virtualenv --python=/usr/bin/python3.6 rekall_env

    source rekall_env/bin/activate
    python3.6 -m pip install --upgrade setuptools pip wheel
    python3.6 -m pip install rekall-agent rekall
    python3.6 -m pip install pypykatz

swap_digger: useful when you are dealing with a Linux disk image, it digs through the swap file for credentials and other secrets.

    sudo ./swap_digger.sh /path/to/swapfile

Artifact Analysis: Credentials

pypykatz: LOVE this package, it mimics mimikatz but in a non-Windows environment.

    pypykatz lsa rekall /path/to/memory.dump

Windows Debugger + mimilib.dll

If you are using a Windows VM/environment, you can use this combo to dump credentials/secrets from a memory dump.

First, download WinDbg and mimilib.dll. Then load your memory file as a crash dump. Once that's done, run the following in the command window:

    .load /path/to/mimilib.dll
    !process 0 0 lsass.exe
    .process /r /p [EPROCESS address of lsass.exe, printed by the previous command]
    !mimikatz

The last command will normally print the secrets in the memory dump.

Dpapi Dumper

    sudo mkdir /mnt/Windows

findaes: a good tool, especially as it gives the offset where the key was found. You can then check the memory dump in a hex viewer to find the context around the found keys.

    ./findaes /path/to/memory.dump

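The trick findaes relies on, as an added example (my Python, not findaes's code): AES implementations keep the expanded key schedule next to the key, so a window of bytes is a key whenever the bytes that follow equal its FIPS-197 expansion, which makes false positives practically impossible. The block below derives the S-box, expands keys of any AES size, and scans a buffer for AES-128 and AES-256 schedules, reporting the offset and key the way findaes does. The "memory dump" is constructed: pseudo-random filler and a zeroed region, with the FIPS-197 test keys and their schedules planted at offsets chosen for the example.

```python
import random


def _gf_mul(a, b):
    """Multiply two elements of GF(2^8) with the AES polynomial x^8+x^4+x^3+x+1."""
    result = 0
    for _ in range(8):
        if b & 1:
            result ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return result


def _build_sbox():
    """Derive the AES S-box (multiplicative inverse, then the affine map)
    instead of pasting the 256-byte table."""
    sbox = []
    for x in range(256):
        inv = 0
        if x:
            inv = 1
            for _ in range(254):  # x^254 == x^-1 in GF(2^8)
                inv = _gf_mul(inv, x)
        s = inv
        for i in range(1, 5):
            s ^= ((inv << i) | (inv >> (8 - i))) & 0xFF
        sbox.append(s ^ 0x63)
    return sbox


SBOX = _build_sbox()
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]


def expand_key(key):
    """FIPS-197 key expansion for a 16-, 24- or 32-byte key. Returns the
    round keys concatenated; the first len(key) bytes are the key itself,
    which is what makes the in-memory search work."""
    nk = len(key) // 4
    rounds = nk + 6
    words = [bytes(key[i:i + 4]) for i in range(0, len(key), 4)]
    for i in range(nk, 4 * (rounds + 1)):
        temp = words[i - 1]
        if i % nk == 0:
            temp = bytes(SBOX[b] for b in temp[1:] + temp[:1])  # RotWord + SubWord
            temp = bytes([temp[0] ^ RCON[i // nk - 1]]) + temp[1:]
        elif nk > 6 and i % nk == 4:
            temp = bytes(SBOX[b] for b in temp)  # extra SubWord for AES-256
        words.append(bytes(a ^ b for a, b in zip(words[i - nk], temp)))
    return b"".join(words)


def find_aes_keys(buf, key_sizes=(16, 32)):
    """Scan buf the way findaes does: every window is a candidate key and is
    reported when the bytes after it equal its expanded schedule. A cheap
    check of the first expanded word runs before the full expansion, and
    near-constant windows (zero pages, fill patterns) are skipped."""
    hits = []
    for size in key_sizes:
        nk = size // 4
        sched_len = 16 * (nk + 7)
        for off in range(0, len(buf) - sched_len + 1):
            cand = buf[off:off + size]
            if len(set(cand)) < 4:
                continue
            t = cand[-4:]
            t = bytes(SBOX[b] for b in t[1:] + t[:1])
            first_word = bytes([t[0] ^ RCON[0]]) + t[1:]
            first_word = bytes(a ^ b for a, b in zip(cand[:4], first_word))
            if buf[off + size:off + size + 4] != first_word:
                continue
            if expand_key(cand) == buf[off:off + sched_len]:
                hits.append((off, size * 8, cand.hex()))
    return hits


# FIPS-197 appendix test keys, planted at offsets chosen for this example
KEY128 = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")
KEY256 = bytes.fromhex("603deb1015ca71be2b73aef0857d7781"
                       "1f352c073b6108d72d9810a30914dff4")
KEY128_OFFSET = 0x1F3
KEY256_OFFSET = 0x900


def build_sample_dump(size=4096, seed=1234):
    """Constructed 'memory dump': pseudo-random filler, a zeroed region like
    an unused page, and both test keys followed by their schedules."""
    rng = random.Random(seed)
    buf = bytearray(rng.getrandbits(8) for _ in range(size))
    buf[0x400:0x500] = bytes(0x100)
    for key, off in ((KEY128, KEY128_OFFSET), (KEY256, KEY256_OFFSET)):
        sched = expand_key(key)
        buf[off:off + len(sched)] = sched
    return bytes(buf)


SAMPLE_DUMP = build_sample_dump()

if __name__ == "__main__":
    for off, bits, key_hex in find_aes_keys(SAMPLE_DUMP):
        print(f"AES-{bits} key at offset 0x{off:x}: {key_hex}")
```

The offsets it reports are exactly the ones to look up in a hex viewer. The four-byte prefilter keeps the scan linear, so only windows whose next word already matches pay for a full expansion; keys held without their schedule (a raw key buffer, or a hardware-backed implementation) are not found by this method.
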
Artifact Analysis: Misc

Strings

Basic, and honestly reliable.

    # 7-bit ASCII strings
    strings -a /path/to/memorydump > memorydump_ascii.txt
    # UTF-16LE strings (Windows wide strings); GNU strings takes lowercase -e for the encoding
    strings -a -e l /path/to/memorydump > memorydump_utf16.txt

Binwalk

This is especially useful when carving files out of a full memory dump of a single process.

    # --dd takes <type>:<extension>, where <type> is a regex matched against the
    # signature description, e.g. --dd='png:png'; '.*' extracts every signature found
    binwalk --dd='[type]:[extension]' /path/to/process.dump