Skip to content
Open
Original file line number Diff line number Diff line change
Expand Up @@ -10,7 +10,7 @@ Before touching any system:
- prepare the forensic workstation:
- write blocker, imaging tools, and hashing tools ready
- storage media wiped
- make note of every step taken in a documentation template
- make note of every step taken

After an incident has been identified and scoped, next comes the evidence collection phase.<br />
Collected evidence must:
Expand Down Expand Up @@ -62,11 +62,31 @@ Commonly used algorithms:

#### Usage examples

``` sh/cmd/PowerShell
``` bash
sha256sum <file>
md5sum <file>
certutil.exe -hashfile <file> SHA1
Get-FileHash <file> -Algorithm MD5
```

``` powershell
> certutil.exe -hashfile .\indicators.csv
SHA1 hash of .\indicators.csv:
c3c60d608ba2ce8dcf6303b84d42f8e8a5cde766
> certutil.exe -hashfile .\indicators.csv SHA256
SHA256 hash of .\indicators.csv:
35fa7037c4218fbf61462f80f250c971bfb318ca1ae6a229f1f93ff6810adffc
> certutil.exe -hashfile .\indicators.csv MD5
MD5 hash of .\indicators.csv:
c9f752858cc253b2a48f712c0f74f3de

> Get-FileHash .\indicators.csv | Format-List
Algorithm : SHA256
Hash : 35FA7037C4218FBF61462F80F250C971BFB318CA1AE6A229F1F93FF6810ADFFC
Path : [..]\indicators.csv
> Get-FileHash .\indicators.csv -Algorithm SHA1 | Format-List
Algorithm : SHA1
Hash : C3C60D608BA2CE8DCF6303B84D42F8E8A5CDE766
Path : [..]\indicators.csv

```

## Evidence volatility
Expand Down Expand Up @@ -98,13 +118,13 @@ Disk artifacts may include:

- **information about file system metadata**
- linux: inode table, ext4 journal
- windows: $MFT file
- windows: $MFT file, $LogFile
- **evidence of execution**
- linux: syslog, systemd journal logs, `.bash_history`, `.zsh_history`
- windows: Prefetch files, SRUM
- **evidence of past file presence**
- linux: ext4 journal
- windows: USN Journal, Windows Search Index
- windows: USN Journal, AmCache, Windows Search Index
- **evidence of network communication**
- linux: `/var/log/ufw.log`, `/var/log/auth.log`
- windows: BITS Database
Expand Down Expand Up @@ -145,6 +165,62 @@ Common formats:
In practice, `E01` is used for most investigations for the integrity verification, compression, and metadata.<br />
`Raw (dd)` is used when interoperability is the priority.

### dd

`dd` is a command-line utility that copies, converts and formats data.
`dc3dd` is a fork of `dd` that does hash verification and logging as well.
We will use it to take a disk image on unix.

``` bash
# first we create a 100MB file to use as a practice disk
$ dd if=/dev/zero of=/data/sss-evidence/practice.img bs=1M count=100
[..]
104857600 bytes (105 MB, 100 MiB) copied, 0.865699 s, 121 MB/s

# we create a filesystem and put some data on it
$ mkfs.ext4 /data/sss-evidence/practice.img
mke2fs 1.46.2 (28-Feb-2021)
[..]
Writing superblocks and filesystem accounting information: done
$ sudo mkdir -p /mnt/practice
$ sudo mount -o loop /data/sss-evidence/practice.img /mnt/practice
$ echo "evidence file content" | sudo tee /mnt/practice/noticeme.txt
evidence file content
$ sudo umount /mnt/practice

# we attach it as a read only device to prevent writes to the source
$ sudo losetup --read-only --find --show /data/sss-evidence/practice.img
/dev/loop0
# we check it's read only
$ sudo blockdev --getro /dev/loop0
1
# we double check it's read only
$ sudo dd if=/dev/zero of=/dev/loop0 bs=512 count=1
dd: error writing '/dev/loop0': Operation not permitted
[..]

# we take a raw image with dc3dd
$ sudo dc3dd if=/dev/loop0 of=/data/sss-evidence/practice.raw hash=sha256 log=/data/sss-evidence/practice.log hlog=/data/sss-evidence/practice.hashes
dc3dd 7.2.646 started at 2026-06-22 09:36:21 +0000
compiled options:
command line: dc3dd if=/dev/loop0 of=/data/sss-evidence/practice.raw hash=sha256 log=/data/sss-evidence/practice.log hlog=/data/sss-evidence/practice.hashes
device size: 204800 sectors (probed), 104,857,600 bytes
sector size: 512 bytes (probed)
104857600 bytes ( 100 M ) copied ( 100% ), 1 s, 75 M/s
input results for device `/dev/loop0':
204800 sectors in
0 bad sectors replaced by zeros
51aa6ad4ee06375a71c32d6f9cd93ce352859f1c9698c01e0281bb790de8da0a (sha256)
output results for file `/data/sss-evidence/practice.raw':
204800 sectors out
dc3dd completed at 2026-06-22 09:36:22 +0000
# we verify the hashes
$ sha256sum practice.raw
51aa6ad4ee06375a71c32d6f9cd93ce352859f1c9698c01e0281bb790de8da0a practice.raw
$ sha256sum practice.img
51aa6ad4ee06375a71c32d6f9cd93ce352859f1c9698c01e0281bb790de8da0a practice.img
```

### [UAC](https://github.com/tclahr/uac) - Unix-like Artifacts Collector

Live collection tool for Unix-like operating systems.<br />
Expand All @@ -155,7 +231,57 @@ UAC comes with two basic predefined profiles:

Usage:

`./uac -p ir_triage /tmp # Collect all artifacts based on the ir_triage profile, and save the output file to /tmp.`
``` bash
# we collect all artifacts based on the ir_triage profile and save the outputs to /tmp
sss@sss:~/uac-3.3.0$ sudo ./uac -p ir_triage /tmp
--------------------------------------------------------------------------------
___ ___
| \ | | |
| / | | |
| | | |
|_ |___| |
|_________|

Unix-like Artifacts Collector 3.3.0
--------------------------------------------------------------------------------
Operating System : linux
System Architecture : x86_64
CPU : AMD Ryzen [..] with Radeon Graphics @ 1896 Mhz
Memory Size : 3960 MB
Hostname : sss
Time Zone : Europe/Bucharest
Mount Point : /
Running as : root
Temp Directory : /tmp/uac-data.tmp
--------------------------------------------------------------------------------
Artifacts collection started...
[001/219] 2026-06-22 13:06:36 +0300 live_response/process/ps.yaml
[002/219] 2026-06-22 13:06:37 +0300 live_response/process/lsof.yaml
[003/219] 2026-06-22 13:06:38 +0300 live_response/process/top.yaml
[004/219] 2026-06-22 13:06:38 +0300 live_response/process/procfs_information.yaml
[..]
# we check the hashes
$ cat /tmp/uac-sss-linux-20260622130635.log
Created by UAC (Unix-like Artifacts Collector) 3.3.0
[..]
[System Information]
Operating System: linux
System Architecture: x86_64
Hostname: sss
[Acquisition Information]
Mount Point: /
Acquisition Started: Mon Jun 22 13:06:36 2026 +0300
Acquisition Finished: Mon Jun 22 13:15:43 2026 +0300
[Output Information]
File: uac-sss-linux-20260622130635.tar.gz
Format: tar
[Computed Hashes]
MD5 checksum: c1ba1586c0d7eb5d57cf0e557454751f
SHA1 checksum: b476fec2c450c08fb3f6bc7cd387065a723329f7
# we verify the hashes
$ sha1sum /tmp/uac-sss-linux-20260622130635.tar.gz
b476fec2c450c08fb3f6bc7cd387065a723329f7 /tmp/uac-sss-linux-20260622130635.tar.gz
```

![uac](../media/uac.png)

Expand All @@ -175,13 +301,58 @@ Options:
- KAPE - Kroll Artifact Parser and Extractor
- can be used to collect the most critical artifacts prior to the start of the imaging process
- while the imaging completes, the data generated by KAPE can be reviewed for leads, building timelines, etc.
- [Timeline Explorer](https://download.ericzimmermanstools.com/net9/TimelineExplorer.zip) (analyze the parsed artifacts)
- [MFTECmd](https://github.com/EricZimmerman/MFTECmd) (extract and parse MFT and USN Journal)
- [PECmd](https://github.com/EricZimmerman/PECmd) (Prefetch parser)
- [Registry Explorer](https://ericzimmerman.github.io/#forensic-tools) (parser and viewer, fixes dirty hives)
- [AppCompatCacheParser](https://github.com/EricZimmerman/AppCompatCacheParser) (shimcache, amcache parser)
- [JLECmd](https://github.com/EricZimmerman/JLECmd) (jumplist parser)
- [LECmd](https://github.com/EricZimmerman/LECmd) (parser for shortcut files)

``` powershell
# we run KAPE to extract targets and process modules
PS E:\KAPE> .\kape.exe --tsource C:\ --tdest E:\kapeoutput\targets --target !BasicCollection --tflush --mdest E:\kapeoutput\modules --module !EZParser --mflush
System info: Machine name: TEST, 64-bit: True, User: test1 OS: Windows10 (10.0.26200)
Using Target operations
Flushing target destination directory E:\kapeoutput\targets
Creating target destination directory E:\kapeoutput\targets
Found 12 targets. Expanding targets to file list...
Found 1,070 files in 4.185 seconds. Beginning copy...
Deferring C:\Windows\System32\winevt\logs\Application.evtx due to IOException...
Deferring C:\Windows\System32\winevt\logs\HardwareEvents.evtx due to IOException...
[..]
Deferred file count: 257. Copying locked files...
Copied deferred file C:\Windows\System32\winevt\logs\Application.evtx to E:\kapeoutput\targets\C\Windows\System32\winevt\logs\Application.evtx. Hashing source file...
[..]
Copied 930 (Deduplicated: 140) out of 1,070 files in 780.0411 seconds. See E:\kapeoutput\targets\2026-06-23T12_53_52_9931707_CopyLog.csv for copy details

Using Module operations
Setting --msource to E:\kapeoutput\targets since --msource was not provided
Flushing module destination directory E:\kapeoutput\modules
Creating module destination directory E:\kapeoutput\modules
Module AmcacheParser: Found 1 processor
Found processor Executable: AmcacheParser.exe, Cmd line: -f %sourceFile% --csv %destinationDirectory% -i --mp, Export: csv, Append: False!
[..]
Module MFTECmd: Found 4 processors
Module MFTECmd_$Boot: Found 2 processors
Found processor Executable: MFTECmd.exe, Cmd line: -f %sourceFile% --csv %destinationDirectory%, Export: csv, Append: False!
Module MFTECmd_$MFT: Found 2 processors
Found processor Executable: MFTECmd.exe, Cmd line: -f %sourceFile% --csv %destinationDirectory%, Export: csv, Append: False!
Module MFTECmd_$J: Found 2 processors
Found processor Executable: MFTECmd.exe, Cmd line: -f %sourceFile% --csv %destinationDirectory%, Export: csv, Append: False!
[..]
Discovered 18 processors to run
Executing modules with file masks...
Running AmcacheParser.exe: -f "E:\kapeoutput\targets\C\Windows\appcompat\Programs\Amcache.hve" --csv E:\kapeoutput\modules\ProgramExecution -i --mp
Running AppCompatCacheParser.exe: -f "E:\kapeoutput\targets\C\Windows\System32\config\SYSTEM" --csv E:\kapeoutput\modules\ProgramExecution
Running MFTECmd.exe: -f "E:\kapeoutput\targets\C\$Boot" --csv E:\kapeoutput\modules\FileSystem
Running MFTECmd.exe: -f "E:\kapeoutput\targets\C\$MFT" --csv E:\kapeoutput\modules\FileSystem
[..]
Executed 18 processors in 805.5887 seconds

Total execution time: 1,585.7123 seconds
```

![ez](../media/ez.png) <br />
_image source: `ericzimmerman.github.io`_

Expand Down Expand Up @@ -341,17 +512,25 @@ _image source: `docs.velociraptor.app`_

## Drills

### Challenge 1
### before-it-disappears

A service seems to have crashed unexpectedly, leaving behind a dump and a binary.
Could you reconstruct what the program was doing?

### broken-seal

Description
We received a collection of KAPE triage artifacts, so we must follow procedure before we touch anything.

### Challenge 2
### droopy

Description
In the same set of artifacts from broken-seal, the attackers tried to cover their tracks but left behind the exact source of the payload.
The flag format is SSS{ip:port/something}

### Challenge 3
### ospaperleak

Description
This was a clumsy attacker.
They dropped all sorts of payloads among which a 32 bit one, see if you can find it.
The flag format is SSS{SHA1}

## Further practice

Expand Down
Original file line number Diff line number Diff line change
@@ -0,0 +1,11 @@

# gone-not-gone

An analyst swears they deleted the incriminating file before we imaged the disk.
The directory entry is gone, but the disk doesn't forget that easily.
Recover what was deleted.

Artifacts:
`evidence.img`

Solution in `../solution/`
Original file line number Diff line number Diff line change
@@ -0,0 +1,7 @@
# Solution

``` bash
# we run strings against the artifact to recover the flag
$ strings evidence.img | grep SSS
SSS{d3l3t3d_but_n0t_g0ne_inod3_l1v3s}
```
Original file line number Diff line number Diff line change
@@ -1,7 +1,8 @@

# snack

We recovered a small block of disk. What's it hiding?
We recovered a small block of disk.
What's it hiding?

Artifacts:
`snack.bin`
Expand Down
Original file line number Diff line number Diff line change
@@ -1,16 +1,14 @@

# time-is-relative

It seems this threat actor tried to blend in with the file system.
But what what the real file creation time?
It seems this threat actor dropped something new, trying to blend in with the system.
But what is the real file creation time?

Artifacts:
`targets.zip`
The flag format is SSS{yyyy-MM-dd-hh:mm:ss}

Hint 1:
there is a master timekeeper you are seeking.
Artifacts:
`time-is-relative.zip`

Hint 2:
watch out for snakes.
Hint 1: it's a totally new payload.

Solution in `../solution/`
Original file line number Diff line number Diff line change
Expand Up @@ -4,11 +4,10 @@
# use KAPE to run modules against the targets
> .\kape.exe --msource "targets\" --mdest "modules\" --module !EZParser
# in modules/FileSystem we find the $MFT file
# we open it in Timeline Explorer and filter for .py files
# there are only 2 timestomped files with a Created0x30 field
# we open it in Timeline Explorer and filter for .exe files
# we find a payload.exe with a different Created0x30 field
Line Tag Entry Number Sequence Number Parent Entry Number Parent Sequence Number In Use Parent Path File Name Extension Is Directory Has Ads Is Ads File Size Created0x10 Created0x30 Last Modified0x10 Last Modified0x30 Last Record Change0x10 Last Record Change0x30 Last Access0x10 Last Access0x30 Zone Id Contents Reparse Target Reference Count SI<FN u Sec Zeros Copied
371347 Unchecked 248478 4 248476 4 Checked .\kapeoutput\targets\C\$Recycle.Bin\S-1-5-21-3757327896-2532397730-150904874-1001 $RB3CC5R.py .py Unchecked Unchecked Unchecked 966 2026-04-19 18:20:28 2026-06-06 11:45:47 2026-04-19 18:20:37 2026-06-06 11:45:47 2026-06-06 11:45:47 2026-06-06 11:45:47 2026-04-22 10:09:24 2026-06-06 11:45:47 1 Checked Unchecked Unchecked
371346 Unchecked 248477 4 248476 4 Checked .\kapeoutput\targets\C\$Recycle.Bin\S-1-5-21-3757327896-2532397730-150904874-1001 $IB3CC5R.py .py Unchecked Unchecked Unchecked 94 2026-06-05 16:29:35 2026-06-06 11:45:47 2026-06-05 16:29:35 2026-06-06 11:45:47 2026-06-06 11:45:47 2026-06-06 11:45:47 2026-06-06 10:35:11 2026-06-06 11:45:47 1 Checked Unchecked Unchecked
# both have the same timestamp, so we build the flag based on the format
SSS{2026-06-06-11:45:47}
1388 Unchecked 1351 6 171279 1 Checked .\Users\test1\Downloads payload.exe .exe Unchecked Checked Unchecked 256000 2026-04-19 18:46:15 2026-06-10 16:38:27 2026-04-19 18:46:15 2026-06-10 16:38:27 2026-04-19 18:46:15 2026-06-10 16:38:27 2026-06-10 17:01:38 2026-06-10 16:38:27 1 Checked Checked Unchecked
# we build the flag based on the given format
SSS{2026-06-10-16:38:27}
```
Original file line number Diff line number Diff line change
@@ -0,0 +1,14 @@

# unc

We know the victim downloaded something, but what domain did the attacker deliver the payload from?

The flag format is `SSS{domainname.tld}`

Artifacts:
`unc.zip`

Hint 1:
the victim thought they were downloading a trade agreement.

Solution in `../solution/`
Original file line number Diff line number Diff line change
@@ -0,0 +1,13 @@
# Solution

``` bash
# we analyze the $MFT file and filter for alternate data streams
# we find a deleted doc with Zone Id Contents
Zone Id Contents
"[ZoneTransfer]
ZoneId=3
ReferrerUrl=https://unece.org/fileadmin/DAM/trade/agr/meetings/ge.01/document/2005_i05_apples_copacogeca.doc?__cf_chl_tk=PXpcd_3p2w8vXuiQI__7Wpv985YIus.EReurjxE7ckQ-1780931618-1.0.1.1-rCjOIYKKLGWmTklMkXkXqAl8n.qukpjoca3C8Xy1dns
HostUrl=https://unece.org/fileadmin/DAM/trade/agr/meetings/ge.01/document/2005_i05_apples_copacogeca.do"
# we build the flag
SSS{unece.org}
```
Loading