Скачать или смотреть Forensics: Formats and bulk_extractor

Lab 0x04 - Working with Forensic Formats, Scripting Jobs, bulk_extractor, and Data Analysis
Copyright 2021 Paul W. Poteete

Overview
The student will be exposed to two new forensic disk formats: AFF and E01. They will also be required to convert the formats to raw images, process the images, and collect data on the images.

Part 1 - Convert Data from Expert Witness and Advanced Forensic Format to RAW

Install and Inspect the EWF and AFF Tools
sudo apt-get install ewf-tools afflib-tools

Convert the files

Individual Images:
affconvert -r Drive03_Clampet.aff
ewfexport Drive01_ADP.E01 -S0 -o0 -B0 -f raw -t Drive01_ADP

Scripted:
AFF
for var_file in `ls -1 *aff`; do affconvert -r $var_file ; done
E01
for var_old in `ls -1 *E01`; do var_new=`echo $var_old | sed s/.E01//g`; ewfexport $var_old -S0 -o0 -B0 -f raw -t $var_new ; done

Part 2 - Recover Information Using foremost

Individual Images:
foremost -qvdi Drive01_ADP.raw -o Drive01_ADP.foremost

Scripted:
for var_file in `ls -1 *raw`; do var_dir=`echo $var_file | sed s/raw/foremost/g`; foremost -qvdi $var_file -o $var_dir ; done
 
Part 3 - Recover Information Using bulk_extractor

Individual Images:
bulk_extractor Drive03_Clampet.raw -o Drive03_Clampet.bulk

Scripted:
for var_file in `ls -1 *raw`; do var_dir=`echo $var_file | sed s/raw/bulk/g`; bulk_extractor $var_file -o $var_dir ; done

Part 4 - Process bulk data using the Linux CLI
  cd Drive03_Clampet.bulk/
cat sin.txt
cat telephone.txt
cat url_searches.txt

  Command Summary:
cat
grep
sort
uniq
awk
rev
wc