Open Source DFIR

  Many of the concepts and the definitions mentioned in this blog post are referenced from [Brian (2005)] File System Forensic Analysis and libfsntfs documentation by Joachim Metz.   If you’re new to Digital Forensics a first question you might be asking is: why do I need to learn how file systems work as a digital forensics analyst? And how much do I need to know about it? Why do we need File System Forensics? Let’s answer that question starting with a very simple definition of digital forensics. Digital forensics is typically used to determine what happened after the fact. Throughout a digital forensics investigation this question will very likely be broken down to multiple smaller questions. For example an analyst might start their investigation with an alert from a network based intrusion detection system, warning them that a certain host in their network is communicating with a malicious domain attributed to an active threat group, known to be targeting their industry. The analy

Plaso 20210213 released The Plaso team is pleased to announce a new Plaso release, 20210213. This release has a mixture of new features and under the hood improvements. Notable changes Experimental integration with libvsgpt/pyvsgpt has been added to provide hybrid GUID Partition Table/Master Boot Record (GPT/MBR) support. This support is needed to correctly process CoreOS and ChromeOS storage media images.  Use the `--vfs-back-end=vsgpt` option to use libvsgpt instead of Sleuthkit when Plaso encounters a hybrid GPT/MBR. A substantial revision to the ‘elastic’ output module, with some new features: Support for custom mappings ( #3314 )  Support for exporting additional fields ( #3463 ) (also see: Dynamic output module fields ). A new elastic_ts output module ( #3470 ) that allows Plaso to directly output to a Timesketch Elasticsearch database. More information about this feature will be in the upcoming Timesketch release. Changes to pinfo.py JSON output to match the text output more cl

  Introduction As previous blog posts on cloud forensics have noted, applications are increasingly being deployed using container orchestration frameworks such as Kubernetes, especially in cloud environments.  Similar to traditional deployments on physical servers or virtual machines (VMs), when a containerised application has a security issue it can lead to a compromise of the underlying compute architecture. In the case of container deployments this means a compromise of the container itself, the container host, or even a wider cluster compromise via abuse of orchestration tools. Often digital forensics is required to establish what went wrong and remediate any issues. This article will provide an introduction to container forensics with Docker Explorer by working through a scenario involving a compromised container running within a Kubernetes cluster. Although Kubernetes is briefly mentioned, this article will focus on analysis of an individual container rather than the wider clust

  Plaso 20201228 released The Plaso team is pleased to announce a new Plaso release, 20201228. This release has a mixture of new features and under the hood improvements. Notable changes The mactime parser now supports extracting symbolic links from bodyfiles. libfshfs/pytfshfs has been added as an experimental feature to overcome shortcomings in the pytsk HFS+/HFSX implementation. Use the `--vfs-back-end=fshfs` option to use libfshfs instead of Sleuthkit when Plaso encounters HFS+ or HFSX file systems. The filestat parser now supports the directory entry added date and time of HFS+/HFSX (when using the fshfs back-end) and APFS. This means that creation time and added time are no longer treated as being synonymous. libfsxfs/pytfsxfs has been added to provide XFS (version 4 and 5) support. Note that XFS support is considered experimental and could benefit from broader testing. Let us know if you encounter issues. Image_export.py and log2timeline.py now support single-disk LVM volume