Forensics

Disk Forensics

Basic useful CLI tools:

ps

Show the processes for all users (a), displaying each process's user/owner (u), including processes that are not attached to a terminal (x):

$ ps aux

Display the full listing of all processes (useful for finding undesirable processes):

$ ps -ef

lsof

Display a specific process in more detail, by listing the files and ports associated with that process:

$ lsof -p <PID>

Display processes running from or accessing files that have been unlinked (deleted from disk while still open):

$ lsof +L1
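
What `lsof +L1` reports on Linux can be reproduced by reading the symlinks under /proc, which helps when lsof is missing from the host being examined or its output is not trusted. The following is an added example, not part of the original cheat sheet: it walks /proc and flags processes whose executable or open descriptors point at unlinked files; function and variable names are my own.

```python
import os
import tempfile
PROC_AVAILABLE = os.path.isdir("/proc/self/fd")

def unlinked_files_for_pid(pid: int, proc_root: str = "/proc") -> list[tuple[str, str]]:
    """(kind, target) pairs where pid's exe or an open fd resolves to an unlinked file."""
    hits, proc = [], f"{proc_root}/{pid}"
    try:  # the kernel appends " (deleted)" to the link target of an unlinked file
        exe = os.readlink(f"{proc}/exe")
        if exe.endswith(" (deleted)"):
            hits.append(("exe", exe))  # binary removed from disk after it was executed
    except OSError:
        pass  # kernel thread, permission denied, or process already exited
    try:
        fds = os.listdir(f"{proc}/fd")
    except OSError:
        return hits
    for fd in fds:
        try:
            target = os.readlink(f"{proc}/fd/{fd}")
        except OSError:
            continue  # fd closed between listdir and readlink; such races are normal
        if target.endswith(" (deleted)"):
            hits.append((f"fd {fd}", target))  # also catches "/memfd:... (deleted)"
    return hits

def scan_all(proc_root: str = "/proc") -> dict[int, list[tuple[str, str]]]:
    """Walk every numeric entry under proc_root; return {pid: hits} for pids with hits."""
    results = {}
    try:
        pids = [int(n) for n in os.listdir(proc_root) if n.isdigit()]
    except OSError:
        return results  # not Linux, or /proc not mounted
    for pid in pids:
        hits = unlinked_files_for_pid(pid, proc_root)
        if hits:
            results[pid] = hits
    return results

def self_test() -> bool:
    """Open a temp file, unlink it while still open, and confirm this process is flagged."""
    if not PROC_AVAILABLE:
        return False
    fd, path = tempfile.mkstemp()
    try:
        os.unlink(path)  # now only the open descriptor keeps the inode alive
        return any(t == f"{path} (deleted)" for _, t in unlinked_files_for_pid(os.getpid()))
    finally:
        os.close(fd)
```

Run `scan_all()` as root to cover every process; unprivileged runs silently skip processes whose /proc entries cannot be read.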

find

Find all files on the system owned by root (uid 0):

$ find / -uid 0

arp

Display all MAC-to-IP address mappings known to the system (useful for finding addresses of systems that are not part of the network):

$ arp -a

Others: uptime, free, df.

dd

strings

$ strings /tmp/mem.dump | grep BOOT_
BOOT_IMAGE=/vmlinuz-3.5.0-23-generic

scalpel

TrID

binwalk

foremost

ExifTool

dff

CAINE

The Sleuth Kit


Memory Forensics

memdump

Volatility: Analysing Dumps

Scripts

PDFs

Tools to test a PDF file:

  • pdfid
  • pdf-parser

References