14 January 2020

Registry Hive Analysis (RegRipper)

- get IP address
rip.pl -r SYSTEM -p nic_mst2
rip.pl -r SYSTEM -p nic



- get computer name
rip.pl -r SYSTEM -p compname



- get timezone
rip.pl -r SYSTEM -p timezone

10 January 2020

Copying the UsnJrnl for forensic analysis

mmls diskimage.raw
(get the partition offset)



1)
fls -r -i raw -o _offset_ diskimage.raw | grep Usn
(get the inode number)
Output:
+ r/r 88280-128-3:      $UsnJrnl:$J
+ r/r 88280-128-17:     $UsnJrnl:$Max


2)
istat -i raw -o _offset_  diskimage.raw _inode_number_      (eg: 88280)
Output:
..
..
..
Attributes:
Type: $STANDARD_INFORMATION (16-0)   Name: N/A   Resident   size: 72
Type: $FILE_NAME (48-1)   Name: N/A   Resident   size: 82
Type: $DATA (128-3)   Name: $J   Non-Resident, Sparse   size: 4731298448  init_size: 4731298448
..
..


3)
icat -i raw -o _offset_   diskimage.raw   88280-128-3  > UsnJrnl.bin


4) To convert to CSV, use one of:
    -  https://github.com/jschicht/UsnJrnl2Csv  or
    - usnj.pl -f UsnJrnl.bin  -c > Usnjrnl.bin.csv
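The parser below is an added example, not usnj.pl or UsnJrnl2Csv from step 4: it walks the UsnJrnl.bin that step 3 produces and prints the same kind of CSV rows. It follows the documented Windows USN_RECORD_V2 layout (60-byte fixed header, 8-byte aligned records, UTF-16LE file name) and skips the long zero run that the sparse $J attribute leaves at the front of the extract. SAMPLE_J, the record values and the file name in it are constructed for the demo, and only a subset of the reason flags is decoded.

```python
"""Walk a $UsnJrnl:$J extract (the UsnJrnl.bin from step 3) and emit one row per
USN_RECORD_V2. Added example, not usnj.pl or UsnJrnl2Csv; the record layout and
reason flags are the documented Windows ones, SAMPLE_J is constructed here."""
import csv
import io
import re
import struct
from datetime import datetime, timedelta, timezone

# Fixed 60-byte part of USN_RECORD_V2: RecordLength, MajorVersion, MinorVersion,
# FileReferenceNumber, ParentFileReferenceNumber, Usn, TimeStamp (FILETIME), Reason,
# SourceInfo, SecurityId, FileAttributes, FileNameLength, FileNameOffset; then the name.
RECORD_HDR = struct.Struct("<IHHQQQQIIIIHH")
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
NONZERO = re.compile(rb"[^\x00]")
REASON_FLAGS = {  # subset of the USN_REASON_* values from the Windows SDK
    0x00000001: "DATA_OVERWRITE", 0x00000002: "DATA_EXTEND", 0x00000004: "DATA_TRUNCATION",
    0x00000100: "FILE_CREATE", 0x00000200: "FILE_DELETE",
    0x00001000: "RENAME_OLD_NAME", 0x00002000: "RENAME_NEW_NAME", 0x80000000: "CLOSE",
}


def filetime_to_dt(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> timezone-aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def decode_reason(reason):
    names = [name for bit, name in REASON_FLAGS.items() if reason & bit]
    return "|".join(names) if names else hex(reason)


def parse_usn_records(data):
    """Return one dict per valid record. $J is sparse, so the extract starts with a
    long run of zero bytes; zero runs and unparseable bytes are skipped (resync)."""
    rows = []
    off, n = 0, len(data)
    while off + RECORD_HDR.size <= n:
        if struct.unpack_from("<I", data, off)[0] == 0:       # RecordLength == 0: slack
            m = NONZERO.search(data, off)
            if m is None:
                break
            off = max(m.start() & ~7, off + 8)  # records are 8-byte aligned; always advance
            continue
        (rec_len, major, _minor, frn, pfrn, usn, ts, reason, _src, _sid,
         attrs, fn_len, fn_off) = RECORD_HDR.unpack_from(data, off)
        valid = (major == 2 and rec_len >= RECORD_HDR.size and rec_len % 8 == 0
                 and fn_off + fn_len <= rec_len and off + rec_len <= n)
        if not valid:
            off += 8            # garbage or truncated record: resync on the next boundary
            continue
        name = data[off + fn_off:off + fn_off + fn_len].decode("utf-16-le", "replace")
        rows.append({
            "usn": usn,
            "timestamp": filetime_to_dt(ts).strftime("%Y-%m-%d %H:%M:%S"),
            "mft_entry": frn & 0xFFFFFFFFFFFF,        # low 48 bits: MFT entry number
            "mft_seq": frn >> 48,                     # high 16 bits: sequence number
            "parent_entry": pfrn & 0xFFFFFFFFFFFF,
            "attributes": attrs,
            "reason": decode_reason(reason),
            "name": name,
        })
        off += rec_len
    return rows


def rows_to_csv(rows):
    fields = ["usn", "timestamp", "mft_entry", "mft_seq", "parent_entry",
              "attributes", "reason", "name"]
    buf = io.StringIO()
    w = csv.DictWriter(buf, fieldnames=fields, lineterminator="\n")
    w.writeheader()
    w.writerows(rows)
    return buf.getvalue()


def build_record(frn, pfrn, usn, ts, reason, name):
    """Constructed USN_RECORD_V2 for the sample below (not taken from a real volume)."""
    name_bytes = name.encode("utf-16-le")
    rec_len = (RECORD_HDR.size + len(name_bytes) + 7) & ~7
    hdr = RECORD_HDR.pack(rec_len, 2, 0, frn, pfrn, usn, ts, reason, 0, 0,
                          0x20, len(name_bytes), RECORD_HDR.size)
    return (hdr + name_bytes).ljust(rec_len, b"\x00")


# Constructed $J image: 4 KiB sparse zero run, a create and a delete of the same
# file (MFT entry 1234, sequence 3, parent entry 5) 30 seconds apart, trailing slack.
_TS = int((datetime(2020, 1, 10, tzinfo=timezone.utc) - FILETIME_EPOCH).total_seconds()) * 10_000_000
_USN0 = 0x40000000
_REC1 = build_record((3 << 48) | 1234, (5 << 48) | 5, _USN0, _TS,
                     0x100 | 0x80000000, "report.docx")
_REC2 = build_record((3 << 48) | 1234, (5 << 48) | 5, _USN0 + len(_REC1),
                     _TS + 30 * 10_000_000, 0x200 | 0x80000000, "report.docx")
SAMPLE_J = b"\x00" * 4096 + _REC1 + _REC2 + b"\x00" * 64

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_J
    sys.stdout.write(rows_to_csv(parse_usn_records(data)))
```

Run it as `python3 usn_csv.py UsnJrnl.bin > UsnJrnl.bin.csv`; with no argument it prints the two constructed records. Reading a multi-gigabyte $J into memory at once is fine for a one-off but an mmap would be the better choice for large images.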



Ref:

https://countuponsecurity.com/2017/05/25/digital-forensics-ntfs-change-journal/amp/
http://az4n6.blogspot.com/2015/03/usn-journal-where-have-you-been-all-my.html

08 January 2020

Forensic preparation for vmdk files

There are two kinds of vmdk file:
1- compressed vmdk (a disk exported to OVF also contains a vmdk file of this kind)
2- normal vmdk file



---Type 1 (Compressed)------
The file header looks like this:


$ cat mydisk-1.vmdk | head -n 24
KDMV
����������


# Disk DescriptorFile
version=1
CID=c5c13606
parentCID=ffffffff
createType="streamOptimized"


# Extent description
RDONLY 167772160 SPARSE "generated-stream.vmdk"


# The Disk Data Base
#DDB


ddb.adapterType = "lsilogic"
ddb.deletable = "true"
ddb.geometry.cylinders = "10443"
ddb.geometry.heads = "255"
ddb.geometry.sectors = "63"
ddb.longContentID = "00302ffb1ab341039d5bd86cdfdc2093"
ddb.toolsInstallType = "1"
ddb.toolsVersion = "10305"
ddb.virtualHWVersion = "13"





-------Type 2 (Normal vmdk)---------------
The file header looks like this:

$ cat mydisk-disk1.vmdk | head -n 26
KDMV
�)(�P

# Disk DescriptorFile
version=1
encoding="windows-1252"
CID=5760ddb4
parentCID=ffffffff
createType="monolithicSparse"

# Extent description
RW 167772160 SPARSE "mydisk-disk1.vmdk"

# The Disk Data Base
#DDB

ddb.adapterType = "lsilogic"
ddb.deletable = "true"
ddb.geometry.cylinders = "10443"
ddb.geometry.heads = "255"
ddb.geometry.sectors = "63"
ddb.longContentID = "759eeb7f459530d2044013365760ddb4"
ddb.toolsInstallType = "1"
ddb.toolsVersion = "10305"
ddb.uuid = "60 00 C2 9d 9d 85 7f 58-7b d8 30 ac 1b ae 1d bb"
ddb.virtualHWVersion = "13"




--------Mounting Type 2 (normal)--------
0) sudo -i    (attempt using normal user with sudo, failed)
1) affuse mydisk.vmdk mnt_affuse/point/
2) mmls mnt_affuse/point/mydisk.vmdk.raw  (to get the offset: start sector * 512 (bytes per sector))
3) mount -o ro,loop,show_sys_files,streams_interface=windows,offset=_offset_number_   mnt_affuse/point/mydisk.vmdk.raw  mnt_dir/point
  
4) do your work/analysis on mnt_dir/point

5) umount mnt_dir/point
6) fusermount -u mnt_affuse/point/


##Notes about losetup##
Step 3 creates a /dev/loopX device.
Check with losetup -l   (lists the loop devices in use)
losetup -f   (shows the next available loopX)

Step 5 (umount) removes /dev/loopX again.

##Notes about step 0##
Alternatively, you can omit step 0, but then you must use sudo for steps 1, 2 and 3.


--------Mounting Type 1 (compressed vmdk)--------
1) Import the OVA first (this produces a normal vmdk).
2) Continue with the Type 2 mounting steps above.







Ref:
1) https://sanbarrow.com/vmdk-howtos.html

03 January 2020

Checking whether a vmdk is corrupt

One way to check whether a vmdk file is corrupt or not:

vmware-mount -p vmdk_file.vmdk


If the file is OK, it lists the partitions:
Nr      Start       Size Type Id Sytem
-- ---------- ---------- ---- -- ------------------------
 1       2048   10479616 BIOS  7 HPFS/NTFS


If there is a problem, it prints:
Failed to open disk: The specified file is not a virtual disk (16063)
Failed to get the list of partitions: The virtual disk specified is invalid.


On Windows:
>"c:\Program Files (x86)\VMware\VMware Workstation\vmware-vdiskmanager.exe" -e disk-4.vmdk
Disk chain is consistent.

>"c:\Program Files (x86)\VMware\VMware Workstation\vmware-vdiskmanager.exe" -e disk-3.vmdk
Failed to open the disk 'disk-3.vmdk' : The specified file is not a virtual disk (0x3ebf).
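As an added example (not from these notes and not VMware's or sleuthkit's code), the script below ties the 08 January and 03 January entries together: it reads the KDMV sparse extent header and the embedded descriptor shown in both header dumps, reports whether a disk is the streamOptimized (compressed) kind that has to be imported first or the monolithicSparse kind that can go straight to affuse / mmls / mount, and turns a vmware-mount -p partition row into the byte offset that mount -o offset= expects (start sector * 512). The header layout and the compressed-grains flag bit come from VMware's Virtual Disk Format specification; the two sample images are constructed here from the descriptor values in the notes, and a wrong magic is reported as the same "not a virtual disk" condition that vmware-mount -p prints.

```python
"""Identify the two vmdk kinds from the header and compute mount offsets.
Added example; header layout per VMware's Virtual Disk Format spec, samples constructed."""
import shlex
import struct

SECTOR = 512
VMDK_MAGIC = 0x564D444B           # the "KDMV" bytes at the top of both headers, as LE uint32
FLAG_COMPRESSED_GRAINS = 1 << 16  # set on streamOptimized (compressed) extents
# Packed SparseExtentHeader up to compressAlgorithm (79 of the 512 header bytes):
# magic, version, flags, capacity, grainSize, descriptorOffset, descriptorSize,
# numGTEsPerGT, rgdOffset, gdOffset, overHead, uncleanShutdown, 4 newline chars, compressAlgorithm
SPARSE_HDR = struct.Struct("<IIIQQQQIQQQBccccH")


def is_vmdk(data):
    """Cheap sanity check before mounting: does the file carry the KDMV magic?"""
    return len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == VMDK_MAGIC


def parse_vmdk_header(data):
    """Parse the sparse extent header plus the embedded text descriptor.
    Raises ValueError on a bad magic, the same condition vmware-mount -p reports as
    'The specified file is not a virtual disk'."""
    if len(data) < SECTOR:
        raise ValueError("file too short to hold a VMDK sparse header")
    (magic, version, flags, capacity, _grain, desc_off, desc_size, _ngt, _rgd, _gd,
     _overhead, _unclean, _sel, _nel, _dl1, _dl2, compress_alg) = SPARSE_HDR.unpack_from(data, 0)
    if magic != VMDK_MAGIC:
        raise ValueError("not a VMDK sparse extent: bad magic %#x" % magic)
    start, end = desc_off * SECTOR, (desc_off + desc_size) * SECTOR
    descriptor = data[start:end].rstrip(b"\x00").decode("latin-1", "replace")
    info = {"version": version, "capacity_bytes": capacity * SECTOR,
            "compressed_grains": bool(flags & FLAG_COMPRESSED_GRAINS),
            "compress_algorithm": compress_alg,   # 1 = deflate on streamOptimized disks
            "keys": {}, "extents": []}
    for line in descriptor.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.split(" ", 1)[0] in ("RW", "RDONLY", "NOACCESS"):   # extent line
            access, size, ext_type, filename = shlex.split(line)[:4]
            info["extents"].append((access, int(size), ext_type, filename))
        elif "=" in line:                                           # key=value line
            key, value = line.split("=", 1)
            info["keys"][key.strip()] = value.strip().strip('"')
    info["create_type"] = info["keys"].get("createType", "")
    return info


def mount_strategy(info):
    """Which of the two procedures in the notes applies: 'convert' (Type 1, import the
    OVA / convert first) or 'mount' (Type 2, affuse -> mmls -> mount -o ro,loop,offset=)."""
    if info["create_type"] == "streamOptimized" or info["compressed_grains"]:
        return "convert"
    return "mount"


def partition_byte_offsets(listing, sector_size=SECTOR):
    """Turn the rows of a vmware-mount -p (Nr / Start / Size ...) table into
    {nr: byte_offset} for mount -o offset=, i.e. start sector * bytes per sector."""
    offsets = {}
    for line in listing.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0].isdigit() and parts[1].isdigit():
            offsets[int(parts[0])] = int(parts[1]) * sector_size
    return offsets


def build_sample_vmdk(create_type, extent_line, cid):
    """Constructed 1 KiB stand-in: 512-byte sparse header + 512-byte descriptor."""
    compressed = create_type == "streamOptimized"
    flags = 0x30001 if compressed else 0x3   # bits 16/17: compressed grains + markers
    hdr = SPARSE_HDR.pack(VMDK_MAGIC, 1, flags, 167772160, 128, 1, 1, 512, 0, 0, 0, 0,
                          b"\n", b" ", b"\r", b"\n", 1 if compressed else 0)
    descriptor = ("# Disk DescriptorFile\nversion=1\nCID=%s\nparentCID=ffffffff\n"
                  'createType="%s"\n\n# Extent description\n%s\n\n# The Disk Data Base\n'
                  '#DDB\nddb.adapterType = "lsilogic"\n' % (cid, create_type, extent_line))
    return hdr.ljust(SECTOR, b"\x00") + descriptor.encode("latin-1").ljust(SECTOR, b"\x00")


SAMPLE_STREAM = build_sample_vmdk("streamOptimized",
                                  'RDONLY 167772160 SPARSE "generated-stream.vmdk"', "c5c13606")
SAMPLE_NORMAL = build_sample_vmdk("monolithicSparse",
                                  'RW 167772160 SPARSE "mydisk-disk1.vmdk"', "5760ddb4")
SAMPLE_PARTITIONS = """Nr      Start       Size Type Id Sytem
-- ---------- ---------- ---- -- ------------------------
 1       2048   10479616 BIOS  7 HPFS/NTFS
"""

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as f:           # 1 MiB covers the embedded descriptor
            info = parse_vmdk_header(f.read(1024 * 1024))
        print(path, info["create_type"], "->", mount_strategy(info))
```

Run as `python3 vmdk_kind.py mydisk-1.vmdk mydisk-disk1.vmdk` to see which procedure each disk needs before touching affuse; partition_byte_offsets gives 1048576 for the partition starting at sector 2048 in the listing above, the value to put after offset= in step 3.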

ref: