Digital Forensics and Incident Response
The competition where we have worked through the most DFIR problems is WACTF.
DEF CON's DFIR challenges and OtterCTF are both good places to practice DFIR problems.
Tools and the evidence type each one handles:

- Autopsy - disk images (e.g. `.img`)
- Volatility - memory dumps (e.g. `.mem`)
- RegRipper - registry dumps (e.g. `NTUSER.dat`)
- RegRipper (GUI version)
- FTK Imager
Autopsy workflow:

- Open Autopsy
- Create a new case
- Open the disk image file
- Analyse
Volatility workflow:

- Find the profile: `volatility -f triage.mem imageinfo`
- Run the desired analysis plugin using the `--profile=<profile_here>` flag
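The two Volatility steps above, wrapped into a small triage script. This is an added example, not part of the original notes; it assumes the `volatility` command is on PATH, and the image name, output directory and plugin list are assumptions you would adapt per case.

```shell
#!/bin/sh
# Added example (not from the original notes): Volatility 2 triage wrapper.
# Assumes the `volatility` command is on PATH; the image/outdir/plugin set
# used below are assumptions.

# Pull the first suggested profile out of `volatility ... imageinfo` output
# (read from stdin). Prints nothing when Volatility reports "No suggestion",
# so the caller can fall back to choosing a profile by hand.
first_profile() {
    sed -n '/No suggestion/d; s/^ *Suggested Profile(s) *: *\([^, ]*\).*$/\1/p' | head -n 1
}

# Command line for one plugin in the form the notes describe
# (-f IMAGE --profile=PROFILE PLUGIN). Printed rather than run so it can be logged.
vol_cmd() {  # usage: vol_cmd IMAGE PROFILE PLUGIN
    printf 'volatility -f %s --profile=%s %s\n' "$1" "$2" "$3"
}

# Run imageinfo once, then a fixed plugin set, one output file per plugin.
# usage: triage IMAGE OUTDIR
triage() {
    image=$1
    outdir=$2
    mkdir -p "$outdir"
    volatility -f "$image" imageinfo > "$outdir/imageinfo.txt" 2>&1
    profile=$(first_profile < "$outdir/imageinfo.txt")
    if [ -z "$profile" ]; then
        echo "imageinfo gave no usable profile; pick one from 'volatility --info' and set it by hand" >&2
        return 1
    fi
    echo "$profile" > "$outdir/profile.txt"
    for plugin in pslist pstree psscan cmdline dlllist; do
        # Record the exact command above its output so the run is reproducible.
        vol_cmd "$image" "$profile" "$plugin" > "$outdir/$plugin.txt"
        volatility -f "$image" --profile="$profile" "$plugin" >> "$outdir/$plugin.txt" 2>&1
    done
}

# Only run when invoked directly with an image and an output directory,
# e.g.: sh vol_triage.sh triage.mem case1
if [ "$#" -eq 2 ]; then
    triage "$1" "$2"
fi
```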
RegRipper commands (run against an exported `NTUSER.DAT`):

Utility | Command
---|---
Get all info (run every plugin that targets NTUSER.DAT, appending output to `case1.txt`) | `for i in $( rip -l -c \| grep NTUSER.DAT \| cut -d , -f1 ); do rip -p $i -r NTUSER.DAT &>> case1.txt ; done`
List installed programs | `rip -p listsoft -r NTUSER.DAT`