new script for tool installation

This commit is contained in:
Frank Xu
2021-12-05 23:31:59 -05:00
parent c8f7b4f5d3
commit c5c3b04e8c
5 changed files with 357 additions and 257 deletions




@@ -1,117 +0,0 @@
#!/bin/bash
echo 'This might take a while. Please wait...'
# Update apt first
# Note: -y means the install will go through without user input
sudo apt update -y
# Install Python-related tools first
sudo apt install python-setuptools python3-pip -y
# Install software that can be installed from the repository
sudo apt install vinetto tree python3-evtx xmlstarlet libhivex-bin python3-hivex libesedb-utils pasco pff-tools libnl-utils libvshadow-utils -y
pip3 install time-decode
sudo apt install npm -y
sudo npm install -g imgclip
# Installing Regripper
cd ~/Downloads
wget https://raw.githubusercontent.com/siftgrab/siftgrab/master/regripper.conf/RegRipper30-apt-git-Install.sh
sudo bash RegRipper30-apt-git-Install.sh
# Git clone other tools
mkdir ~/UB-730-Tools
cd ~/UB-730-Tools
git clone https://github.com/PoorBillionaire/USN-Record-Carver.git
git clone https://github.com/dkovar/analyzeMFT.git
git clone https://github.com/PoorBillionaire/USN-Journal-Parser.git
git clone https://github.com/PoorBillionaire/Windows-Prefetch-Parser.git
git clone https://github.com/prolsen/recentfilecache-parser.git
# Installing JLEC
cd ~/Downloads
wget https://f001.backblazeb2.com/file/EricZimmermanTools/JLECmd.zip
unzip JLECmd.zip && mkdir ~/UB-730-Tools/JLEC && mv JLECmd.exe ~/UB-730-Tools/JLEC
# Installing wine
sudo apt install wine wine64 -y
cd ~/Downloads
wget https://dl.winehq.org/wine/wine-mono/5.0.0/wine-mono-5.0.0-x86.msi
# Create .bash_aliases file. .bashrc is set to run this file by default.
# This will allow you to call the git cloned programs anywhere in the terminal. Current solution anyway.
touch ~/.bash_aliases
echo "alias prefetch.py='python2 ~/UB-730-Tools/Windows-Prefetch-Parser/windowsprefetch/prefetch.py'" >> ~/.bash_aliases
echo "alias rfcparse.py='python2 ~/UB-730-Tools/recentfilecache-parser/rfcparse.py'" >> ~/.bash_aliases
echo "alias usn.py='python2 ~/UB-730-Tools/USN-Journal-Parser/usnparser/usn.py'">> ~/.bash_aliases
echo "alias usncarve.py='python2 ~/UB-730-Tools/USN-Record-Carver/usncarve.py'" >> ~/.bash_aliases
echo "alias analyzeMFT.py='python2 ~/UB-730-Tools/analyzeMFT/analyzeMFT.py'" >> ~/.bash_aliases
echo "alias JLECmd.exe='wine64 ~/UB-730-Tools/JLEC/JLECmd.exe'" >> ~/.bash_aliases
# Creating reference file in case user doesn't know how to call these commands
touch ~/UB-730-Tools/Tools-Reference.txt
echo 'This is a reference for all of the programs installed via the script.' >> ~/UB-730-Tools/Tools-Reference.txt
echo "" >> ~/UB-730-Tools/Tools-Reference.txt
echo "" >> ~/UB-730-Tools/Tools-Reference.txt
echo 'Key: Program --> Command' >> ~/UB-730-Tools/Tools-Reference.txt
echo '-------------------------' >> ~/UB-730-Tools/Tools-Reference.txt
echo '' >> ~/UB-730-Tools/Tools-Reference.txt
echo 'AnalyzeMFT --> analyzeMFT.py' >> ~/UB-730-Tools/Tools-Reference.txt
echo 'Hivex --> hivexsh' >> ~/UB-730-Tools/Tools-Reference.txt
echo 'libesedb --> esedbinfo, esedbexport' >> ~/UB-730-Tools/Tools-Reference.txt
echo 'libpff --> pffinfo, pffexport' >> ~/UB-730-Tools/Tools-Reference.txt
echo 'libvshadow --> vshadowdebug, vshadowinfo, vshadowmount' >> ~/UB-730-Tools/Tools-Reference.txt
echo 'libnl --> nl, nl-* (There are many different commands; type in nl- and press TAB key twice to see)' >> ~/UB-730-Tools/Tools-Reference.txt
echo 'Pasco --> pasco' >> ~/UB-730-Tools/Tools-Reference.txt
echo 'Python-evtx --> evtx_info.py, evtx_dump.py (There are other commands; type in evtx_ and press TAB key twice to see)' >> ~/UB-730-Tools/Tools-Reference.txt
echo 'Regripper --> rip.pl' >> ~/UB-730-Tools/Tools-Reference.txt
echo 'RecentFileCacheParser --> rfcparse.py' >>~/UB-730-Tools/Tools-Reference.txt
echo 'Tree --> tree' >> ~/UB-730-Tools/Tools-Reference.txt
echo 'Time-Decode --> time_decode.py' >> ~/UB-730-Tools/Tools-Reference.txt
echo 'USNJournalParser --> usn.py' >> ~/UB-730-Tools/Tools-Reference.txt
echo 'USNRecordCarver --> usncarve.py'>> ~/UB-730-Tools/Tools-Reference.txt
echo 'Vinetto --> vinetto' >> ~/UB-730-Tools/Tools-Reference.txt
echo 'WindowsPrefetchParser --> prefetch.py' >> ~/UB-730-Tools/Tools-Reference.txt
echo 'Xmlstarlet --> xmlstarlet' >> ~/UB-730-Tools/Tools-Reference.txt
echo 'JLECmd --> JLECmd.exe' >> ~/UB-730-Tools/Tools-Reference.txt
echo 'Imgclip --> imgclip' >> ~/UB-730-Tools/Tools-Reference.txt
# Creating README.txt
touch ~/UB-730-Tools/README.txt
echo "Warning: If you move any of the tools' folders, the settings I put may/will break. If you know everything I did, great, if not, be careful." >> ~/UB-730-Tools/README.txt
echo "" >> ~/UB-730-Tools/README.txt
echo "As of now, you do not have to type in the full path to use any of these programs. I took care of that for you. See Tools-Reference.txt." >> ~/UB-730-Tools/README.txt
echo "" >> ~/UB-730-Tools/README.txt
echo "With that said, if you want to set it up on your own or have a better way of doing it, then feel free to change what you want." >> ~/UB-730-Tools/README.txt
echo "That is only for JLECmd though. If there are any other Windows programs you want to run, you WILL have to use wine <command>, because I did not set an alias for any other .exe except for JLEC." >> ~/UB-730-Tools/READforWineIssues.txt
echo "Malcolm Hayward (malcolm.hayward@ubalt.edu)" >> ~/UB-730-Tools/README.txt
# Instructions for troubleshooting wine
touch ~/UB-730-Tools/READforWineIssues.txt
echo "On my systems, Wine would not work unless wine-mono was installed." >> ~/UB-730-Tools/READforWineIssues.txt
echo "" >> ~/UB-730-Tools/READforWineIssues.txt
echo "Make sure that your Wine version is 5.0." >> ~/UB-730-Tools/READforWineIssues.txt
echo " Commands to check Wine version: wine --version OR wine64 --version." >> ~/UB-730-Tools/READforWineIssues.txt
echo "" >> ~/UB-730-Tools/READforWineIssues.txt
echo "I will assume that your version is 5.0. I already downloaded Wine Mono for you. You just have to do three things." >> ~/UB-730-Tools/READforWineIssues.txt
echo "" >> ~/UB-730-Tools/READforWineIssues.txt
echo "1. Run this command: wine64 uninstaller" >> ~/UB-730-Tools/READforWineIssues.txt
echo "2. You will see a menu. There is an install button. Click that." >> ~/UB-730-Tools/READforWineIssues.txt
echo "3. A file explorer will appear. The mono file is in your Downloads directory (/home/<user>/Downloads). Install it." >> ~/UB-730-Tools/READforWineIssues.txt
echo "" >> ~/UB-730-Tools/READforWineIssues.txt
echo "Both wine and wine64 should work after that. You do not have to type in wine <command> when you run Windows programs like JLECmd. I made an alias so that you only need to type in JLECmd.exe to run it." >> ~/UB-730-Tools/READforWineIssues.txt
echo "" >> ~/UB-730-Tools/READforWineIssues.txt
echo "If there are any questions or problems, send me an email (malcolm.hayward@ubalt.edu) and/or invite me to a Zoom meeting, and I'll help." >> ~/UB-730-Tools/READforWineIssues.txt
# Finish message
echo "Done! Please restart the terminal for some settings to take effect."


@@ -1,127 +1,298 @@
#!/bin/bash
#! /bin/bash
echo 'This might take a while. Please wait...'
cd ~
[ ! -d "lab" ] && mkdir lab || cd lab
##############################################
# Tool Installation Report Summary
##############################################
[ -f ~/installation-report.txt ] && sudo rm ~/installation-report.txt
touch ~/installation-report.txt
echo -e "\e[1;32m " >> ~/installation-report.txt
echo -e "\e[1;32m " >> ~/installation-report.txt
echo -e "\e[1;32m*******************************" >> ~/installation-report.txt
echo -e "\e[1;32m* University of Baltimore *" >> ~/installation-report.txt
echo -e "\e[1;32m* Frank Xu wxu@ubalt.edu *" >> ~/installation-report.txt
echo -e "\e[1;32m*******************************" >> ~/installation-report.txt
message(){
(eval "$2") | grep -iq "$3" &> /dev/null
if [ $? == 1 ]; then
echo -e "\e[1;31mTool $1: \"$2\" installation Failed!" >> ~/installation-report.txt
else
echo -e "\e[1;32mTool $1: \"$2\" installation successed!" >> ~/installation-report.txt
fi
}
#############################################
# Lab tools: NIST Data Leakage
##############################################
#install wine
#https://linuxhint.com/install_wine_-ubuntu_20-24/
sudo apt -y update
sudo apt -y upgrade
# install both boot
sudo dpkg --add-architecture i386
sudo apt -y update
sudo apt -y install wine64 wine32
tool_name="wine"
command_string="wine --version"
sudo apt -y install $tool_name
key_str="wine-"
message $tool_name "$command_string" "$key_str"
# Update apt first
sudo apt update -y
#install other packages
sudo apt -y install python3-pip
sudo apt -y install leafpad
sudo apt -y install terminator
sudo apt -y install sqlite3
sudo apt -y install tree
sudo apt -y install xmlstarlet
sudo apt -y install libhivex-bin
sudo apt -y install pasco
sudo apt -y install npm
sudo apt -y install binwalk
sudo apt -y install foremost
sudo apt -y install hashdeep
sudo apt -y install ewf-tools
sudo apt -y install nautilus
#Install pff-tools
tool_name="pff-tools"
command_string="pffexport -h"
sudo apt -y install $tool_name
key_str="usage"
message $tool_name "$command_string" "$key_str"
#Install libesedb-utils
tool_name="libesedb-utils"
command_string="esedbexport -h"
sudo apt -y install $tool_name
key_str="usage"
message $tool_name "$command_string" "$key_str"
#Install liblnk-utils
tool_name="liblnk-utils"
command_string="lnkinfo -h"
sudo apt -y install $tool_name
key_str="usage"
message $tool_name "$command_string" "$key_str"
# Install Python-related tools first
# Note: -y means the install will go through without user input
sudo apt install python-setuptools python3-pip -y
#Install usncarve
tool_name="usncarve"
command_string="usncarve.py -h"
sudo pip install $tool_name
key_str="usage"
message $tool_name "$command_string" "$key_str"
#Install usnparser
tool_name="usnparser"
command_string="usn.py -h"
sudo pip install $tool_name
key_str="usage"
message $tool_name "$command_string" "$key_str"
# install RegRipper
cd ~/lab
tool_name="RegRipper30"
command_string="rip.pl -h"
key_str="RegRipper tool"
[ -d "tools/RegRipper30/" ] && sudo rm -rf tools/RegRipper30
sudo mkdir tools/RegRipper30
sudo wget -q https://raw.githubusercontent.com/frankwxu/digital-forensics-lab/main/Help/scripts/RegRipper30-apt-git-Install.sh -P tools/RegRipper30/
sudo chmod 755 tools/RegRipper30/RegRipper30-apt-git-Install.sh
sudo tools/RegRipper30/RegRipper30-apt-git-Install.sh
message $tool_name "$command_string" "$key_str"
#Install Vinetto for Thumbcache
cd ~/lab
tool_name="Vinetto"
command_string="vinetto -h"
key_str="usage"
[ -d "tools/Vinetto/" ] && sudo rm -rf tools/Vinetto
sudo git clone https://github.com/AtesComp/Vinetto.git tools/Vinetto
cd tools/Vinetto
sudo pip install .
message $tool_name "$command_string" "$key_str"
#Install time_decode
cd ~/lab
tool_name="time_decode"
command_string="time_decode.py -h"
key_str="usage"
[ -d "tools/time_decode/" ] && sudo rm -rf tools/time_decode
sudo git clone https://github.com/digitalsleuth/time_decode.git tools/time_decode
sudo mv tools/time_decode/time_decode/time_decode.py /usr/local/bin/.
message $tool_name "$command_string" "$key_str"
#Install windowsprefetch
cd ~/lab
tool_name="windowsprefetch"
command_string="prefetch.py -h"
key_str="usage"
sudo pip install $tool_name
sudo cp /home/kali/.local/bin/prefetch.py /usr/local/bin/.
message $tool_name "$command_string" "$key_str"
#Install evtx_dump
cd ~/lab
tool_name="python3-evtx"
command_string="evtx_dump.py -h"
sudo apt -y install $tool_name
key_str="usage"
message $tool_name "$command_string" "$key_str"
#Install INDXParse
cd ~/lab
tool_name="INDXParse"
command_string="INDXParse.py -h"
key_str="usage"
[ -d "tools/INDXParse/" ] && sudo rm -rf tools/INDXParse
sudo wget https://raw.githubusercontent.com/frankwxu/digital-forensics-lab/main/NIST_Data_Leakage_Case/tools/INDXParse.7z -P tools
sudo 7z x tools/INDXParse.7z -aoa -otools
sudo sh -c 'chmod +x tools/INDXParse/*.py'
sudo sh -c 'mv tools/INDXParse/*.py /usr/local/bin/.'
message $tool_name "$command_string" "$key_str"
#Install
cd ~/lab
tool_name="analyzeMFT"
command_string="analyzeMFT.py -h"
key_str="usage"
[ -d "tools/analyzeMFT/" ] && sudo rm -rf tools/analyzeMFT
sudo git clone https://github.com/dkovar/analyzeMFT.git tools/analyzeMFT
cd tools/analyzeMFT
alias python=/usr/bin/python2
sudo python setup.py install
unalias python
message $tool_name "$command_string" "$key_str"
#Install imgclip
cd ~/lab
tool_name="imgclip"
command_string="imgclip -h"
sudo npm install -g $tool_name
key_str="usage"
message $tool_name "$command_string" "$key_str"
#Install libvshadow-alpha-20210425
#https://github.com/libyal/libvshadow/wiki/Building
cd ~/lab
tool_name="libvshadow-alpha-20210425"
command_string="vshadowinfo -h"
key_str="usage"
sudo apt install -y libfuse-dev
sudo apt install -y git autoconf automake autopoint libtool pkg-config
[ -d "tools/libvshadow-20210425" ] && sudo rm -ft tools/libvshadow-20210425
sudo wget -q wget https://github.com/libyal/libvshadow/releases/download/20210425/libvshadow-alpha-20210425.tar.gz -P tools
cd tools
sudo tar -xf libvshadow-alpha-20210425.tar.gz
[ -f "libvshadow-alpha-20210425.tar.gz" ] && sudo rm libvshadow-alpha-20210425.tar.gz
cd libvshadow-20210425
./configure
sudo make
sudo make install
sudo ./configure --prefix=/usr
sudo ldconfig
message $tool_name "$command_string" "$key_str"
#Install undark for carving sqlite .db
cd ~/lab
tool_name="undark"
command_string="undark -h"
key_str="SQLite3"
[ -d "tools/undark/" ] && sudo rm -rf tools/undark
sudo git clone https://github.com/inflex/undark.git tools/undark
cd tools/undark
sudo make
sudo mv undark /usr/local/bin/.
message $tool_name "$command_string" "$key_str"
cd ~/lab
#Install LogFileParser
cd ~/lab
[ -d "LogFileParser/" ] && sudo rm -rf LogFileParser
sudo git clone https://github.com/jschicht/LogFileParser.git
#Install UsnJrnl2Csv
cd ~/lab
[ -d "UsnJrnl2Csv/" ] && sudo rm -rf UsnJrnl2Csv
sudo git clone https://github.com/jschicht/UsnJrnl2Csv.git
#Install JLECmd
cd ~/lab
[ -f "JLECmd.exe" ] && sudo rm JLECmd.exe
wget -q https://f001.backblazeb2.com/file/EricZimmermanTools/JLECmd.zip
unzip JLECmd.zip
sudo rm JLECmd.zip
# Install software that can be installed from the repository
sudo apt install vinetto tree python3-evtx xmlstarlet libhivex-bin python3-hivex libesedb-utils pasco pff-tools libnl-utils libvshadow-utils -y
pip3 install time-decode
sudo apt install npm -y
sudo npm install -g imgclip
#############################################
# Lab Tools: Illegal Possession Images
#############################################
#install stegdetect
cd ~/lab
tool_name="stegdetect"
command_string="stegdetect -V"
key_str="Stegdetect Version"
[ -d "tools/stegdetect/" ] && sudo rm -rf tools/stegdetect
sudo wget https://raw.githubusercontent.com/frankwxu/digital-forensics-lab/main/Illegal_Possession_Images/tools/stegdetect.7z -P tools
sudo 7z x tools/stegdetect.7z -aoa -otools
[ -f "tools/stegdetect.7z" ] && sudo rm -rf tools/stegdetect.7z
sudo cp tools/stegdetect/stegdetect /usr/bin/.
message $tool_name "$command_string" "$key_str"
sudo cp tools/stegdetect/stegbreak /usr/bin/.
tool_name="stegbreak"
command_string="stegbreak -V"
key_str="stegbreak Version"
message $tool_name "$command_string" "$key_str"
# Installing Regripper
cd ~/Downloads
wget https://raw.githubusercontent.com/siftgrab/siftgrab/master/regripper.conf/RegRipper30-apt-git-Install.sh
sudo bash RegRipper30-apt-git-Install.sh
#install stego-toolkit
cd ~/lab
tool_name="stego-toolkit "
command_string="jphide"
key_str="jphide"
[ -d "tools/stego-toolkit/" ] && sudo rm -rf tools/stego-toolkit
sudo git clone https://github.com/DominicBreuker/stego-toolkit.git tools/stego-toolkit
cd tools/stego-toolkit/install
sudo chmod +x jphide.sh
sudo ./jphide.sh
message $tool_name "$command_string" "$key_str"
command_string="jpseek"
key_str="jpseek"
message $tool_name "$command_string" "$key_str"
#############################################
# Lab Tools: Memory Forensics
# https://seanthegeek.net/1172/how-to-install-volatility-2-and-volatility-3-on-debian-ubuntu-or-kali-linux/
#############################################
cd ~/lab
sudo apt install -y build-essential git libdistorm3-dev yara libraw1394-11 libcapstone-dev capstone-tool tzdata
# Git clone other tools
mkdir ~/UB-730-Tools
cd ~/UB-730-Tools
git clone https://github.com/PoorBillionaire/USN-Record-Carver.git
git clone https://github.com/dkovar/analyzeMFT.git
git clone https://github.com/PoorBillionaire/USN-Journal-Parser.git
git clone https://github.com/PoorBillionaire/Windows-Prefetch-Parser.git
git clone https://github.com/prolsen/recentfilecache-parser.git
sudo apt install -y python2 python2.7-dev libpython2-dev
curl https://bootstrap.pypa.io/pip/2.7/get-pip.py --output get-pip.py
sudo python2 get-pip.py
sudo python2 -m pip install -U setuptools wheel
# Installing JLEC
cd ~/Downloads
wget https://f001.backblazeb2.com/file/EricZimmermanTools/JLECmd.zip
unzip JLECmd.zip && mkdir ~/UB-730-Tools/JLEC && mv JLECmd.exe ~/UB-730-Tools/JLEC
python2 -m pip install -U distorm3 yara pycrypto pillow openpyxl ujson pytz ipython capstone
sudo python2 -m pip install yara
sudo ln -s /usr/local/lib/python2.7/dist-packages/usr/lib/libyara.so /usr/lib/libyara.so
python2 -m pip install -U git+https://github.com/volatilityfoundation/volatility.git
echo 'export PATH=/home/kali/.local/bin:$PATH' >> ~/.zshrc
tool_name="volatility-2"
command_string="vol.py -h"
key_str="usage"
message $tool_name "$command_string" "$key_str"
# Installing wine
sudo apt install wine wine64 -y
cd ~/Downloads
wget https://dl.winehq.org/wine/wine-mono/5.0.0/wine-mono-5.0.0-x86.msi
# Delete all downloaded source code
[ -d "tools" ] && sudo rm -rf tools
# Show report
echo -e "\e[1;31mNeed to reboot the VM to execute some commands, e.g., volatility2 \"vol.py -h\" with Kali account" >> ~/installation-report.txt
# Create .zsh_aliases file. .bashrc is set to run this file by default.
# This will allow you to call the git cloned programs anywhere in the terminal. Current solution anyway.
touch ~/.zsh_aliases
echo "alias prefetch.py='python2 ~/UB-730-Tools/Windows-Prefetch-Parser/windowsprefetch/prefetch.py'" >> ~/.zsh_aliases
echo "alias rfcparse.py='python2 ~/UB-730-Tools/recentfilecache-parser/rfcparse.py'" >> ~/.zsh_aliases
echo "alias usn.py='python2 ~/UB-730-Tools/USN-Journal-Parser/usnparser/usn.py'">> ~/.zsh_aliases
echo "alias usncarve.py='python2 ~/UB-730-Tools/USN-Record-Carver/usncarve.py'" >> ~/.zsh_aliases
echo "alias analyzeMFT.py='python2 ~/UB-730-Tools/analyzeMFT/analyzeMFT.py'" >> ~/.zsh_aliases
echo "alias JLECmd.exe='wine64 ~/UB-730-Tools/JLEC/JLECmd.exe'" >> ~/.zsh_aliases
# Allow .zshrc to run .zshaliases
echo "" >> ~/.zshrc
echo '# Alias definitions' >> ~/.zshrc
echo 'if [ -f ~/.zsh_aliases ]; then' >> ~/.zshrc
echo ' . ~/.zsh_aliases' >> ~/.zshrc
echo 'fi' >> ~/.zshrc
# Creating reference file in case user doesn't know how to call these commands
touch ~/UB-730-Tools/Tools-Reference.txt
echo 'This is a reference for all of the programs installed via the script.' >> ~/UB-730-Tools/Tools-Reference.txt
echo "" >> ~/UB-730-Tools/Tools-Reference.txt
echo "" >> ~/UB-730-Tools/Tools-Reference.txt
echo 'Key: Program --> Command' >> ~/UB-730-Tools/Tools-Reference.txt
echo '-------------------------' >> ~/UB-730-Tools/Tools-Reference.txt
echo '' >> ~/UB-730-Tools/Tools-Reference.txt
echo 'AnalyzeMFT --> analyzeMFT.py' >> ~/UB-730-Tools/Tools-Reference.txt
echo 'Hivex --> hivexsh' >> ~/UB-730-Tools/Tools-Reference.txt
echo 'libesedb --> esedbinfo, esedbexport' >> ~/UB-730-Tools/Tools-Reference.txt
echo 'libpff --> pffinfo, pffexport' >> ~/UB-730-Tools/Tools-Reference.txt
echo 'libvshadow --> vshadowdebug, vshadowinfo, vshadowmount' >> ~/UB-730-Tools/Tools-Reference.txt
echo 'libnl --> nl, nl-* (There are many different commands; type in nl- and press TAB key twice to see)' >> ~/UB-730-Tools/Tools-Reference.txt
echo 'Pasco --> pasco' >> ~/UB-730-Tools/Tools-Reference.txt
echo 'Python-evtx --> evtx_info.py, evtx_dump.py (There are other commands; type in evtx_ and press TAB key twice to see)' >> ~/UB-730-Tools/Tools-Reference.txt
echo 'Regripper --> rip.pl' >> ~/UB-730-Tools/Tools-Reference.txt
echo 'RecentFileCacheParser --> rfcparse.py' >>~/UB-730-Tools/Tools-Reference.txt
echo 'Tree --> tree' >> ~/UB-730-Tools/Tools-Reference.txt
echo 'Time-Decode --> time_decode.py' >> ~/UB-730-Tools/Tools-Reference.txt
echo 'USNJournalParser --> usn.py' >> ~/UB-730-Tools/Tools-Reference.txt
echo 'USNRecordCarver --> usncarve.py'>> ~/UB-730-Tools/Tools-Reference.txt
echo 'Vinetto --> vinetto' >> ~/UB-730-Tools/Tools-Reference.txt
echo 'WindowsPrefetchParser --> prefetch.py' >> ~/UB-730-Tools/Tools-Reference.txt
echo 'Xmlstarlet --> xmlstarlet' >> ~/UB-730-Tools/Tools-Reference.txt
echo 'JLECmd --> JLECmd.exe' >> ~/UB-730-Tools/Tools-Reference.txt
echo 'Imgclip --> imgclip' >> ~/UB-730-Tools/Tools-Reference.txt
# Creating README.txt
touch ~/UB-730-Tools/README.txt
echo "Warning: If you move any of the tools' folders, the settings I put may/will break. If you know everything I did, great, if not, be careful." >> ~/UB-730-Tools/README.txt
echo "" >> ~/UB-730-Tools/README.txt
echo "As of now, you do not have to type in the full path to use any of these programs. I took care of that for you. See Tools-Reference.txt." >> ~/UB-730-Tools/README.txt
echo "" >> ~/UB-730-Tools/README.txt
echo "With that said, if you want to set it up on your own or have a better way of doing it, then feel free to change what you want." >> ~/UB-730-Tools/README.txt
echo "" >> ~/UB-730-Tools/README.txt
echo "Malcolm Hayward (malcolm.hayward@ubalt.edu)" >> ~/UB-730-Tools/README.txt
# Instructions for troubleshooting wine
touch ~/UB-730-Tools/READforWineIssues.txt
echo "On my systems, Wine would not work unless wine-mono was installed." >> ~/UB-730-Tools/READforWineIssues.txt
echo "" >> ~/UB-730-Tools/READforWineIssues.txt
echo "Make sure that your Wine version is 5.0." >> ~/UB-730-Tools/READforWineIssues.txt
echo " Commands to check Wine version: wine --version OR wine64 --version." >> ~/UB-730-Tools/READforWineIssues.txt
echo "" >> ~/UB-730-Tools/READforWineIssues.txt
echo "I will assume that your version is 5.0. I already downloaded Wine Mono for you. You just have to do three things." >> ~/UB-730-Tools/READforWineIssues.txt
echo "" >> ~/UB-730-Tools/READforWineIssues.txt
echo "1. Run this command: wine64 uninstaller" >> ~/UB-730-Tools/READforWineIssues.txt
echo "2. You will see a menu. There is an install button. Click that." >> ~/UB-730-Tools/READforWineIssues.txt
echo "3. A file explorer will appear. The mono file is in your Downloads directory (/home/<user>/Downloads). Install it." >> ~/UB-730-Tools/READforWineIssues.txt
echo "" >> ~/UB-730-Tools/READforWineIssues.txt
echo "Both wine and wine64 should work after that. You do not have to type in wine <command> when you run JLECmd. I made an alias so that you only need to type in JLECmd.exe to run it." >> ~/UB-730-Tools/READforWineIssues.txt
echo "That is only for JLECmd though. If there are any other Windows programs you want to run, you WILL have to use wine <command>, because I did not set an alias for any other .exe except for JLEC." >> ~/UB-730-Tools/READforWineIssues.txt
echo "If there are any questions or problems, send me an email (malcolm.hayward@ubalt.edu) and/or invite me to a Zoom meeting, and I'll help." >> ~/UB-730-Tools/READforWineIssues.txt
# Finish message
echo "Done! Please restart the terminal for some settings to take effect."
cat ~/installation-report.txt
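Review bot: Installers fetched from the network are executed or unpacked as root without verifying what was downloaded or that the download succeeded at all: `sudo wget -q … RegRipper30-apt-git-Install.sh` is followed directly by `sudo tools/RegRipper30/RegRipper30-apt-git-Install.sh`, the INDXParse and stegdetect archives go through `sudo 7z x … -otools` and then into `/usr/local/bin` and `/usr/bin`, and `curl … get-pip.py` is followed by `sudo python2 get-pip.py`, with no `set -e` and no exit-status check on any of them (these lines are absent from the deleted script, so I take them to be new). Pin each artefact to a known sha256 and stop on mismatch or download failure before the privileged step, as in the helper below applied to the RegRipper download. The libvshadow block has two further defects: `sudo rm -ft tools/libvshadow-20210425` is not a valid rm flag set (presumably `rm -rf` was meant, so the stale tree is never removed), and `sudo wget -q wget https://…` passes a stray `wget` token that wget treats as an extra URL; likewise `/home/kali/.local/bin` on the prefetch.py copy and on the `.zshrc` PATH line should be `$HOME/.local/bin`. `message()` also compares grep's status with `[ $? == 1 ]`, so a grep or pipeline error (status 2) is logged as "installation successed"; `if ! (eval "$2") | grep -iq -- "$3"; then` makes every non-match a failure and drops the redundant `&> /dev/null` on `grep -q`.
```shell
# Download URL, verify its sha256, then install it at DEST (mode 755) as root.
fetch_verified() {
  local url=$1 dest=$2 expected=$3 tmp
  tmp=$(mktemp) || exit 1
  wget -q -O "$tmp" -- "$url" || { echo "download failed: $url" >&2; exit 1; }
  printf '%s  %s\n' "$expected" "$tmp" | sha256sum -c --quiet - \
    || { echo "checksum mismatch for $url" >&2; exit 1; }
  sudo install -m 755 -- "$tmp" "$dest" && rm -f -- "$tmp"
}
# … unchanged: RegRipper30 tool_name/command_string/key_str, mkdir …
# <REGRIPPER_INSTALLER_SHA256> is a placeholder: record the hash of the reviewed script here.
fetch_verified \
  https://raw.githubusercontent.com/frankwxu/digital-forensics-lab/main/Help/scripts/RegRipper30-apt-git-Install.sh \
  tools/RegRipper30/RegRipper30-apt-git-Install.sh "<REGRIPPER_INSTALLER_SHA256>"
sudo tools/RegRipper30/RegRipper30-apt-git-Install.sh
```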

README.md

@@ -47,46 +47,64 @@
- Forensic Intelligence Repository
- [Email forensics](/STIX_for_digital_forensics/Email_Harassment)
- [Illegal Possession of Images](/STIX_for_digital_forensics/Illegal_Possession_Images)
- Tool Installation
- [Tools Used](#Tools-Used)
- [Installation PPTs](https://raw.githubusercontent.com/frankwxu/digital-forensics-lab/main/Help/Kali_Installation_2020.pptx)
- Installation Scripts (see commands as follows)
## Tool Installation (new- updated on 12/5/2021)
### Method 1: Import Kali VM image
The Kali VM includes the tools needed for most of the labs
- Install [Virturalbox](https://www.virtualbox.org/). See Kali installation [instruction](https://raw.githubusercontent.com/frankwxu/digital-forensics-lab/main/Help/Kali_Installation_2020.pptx)
- Import [Kali 2020.4](https://www.dropbox.com/s/y7svxg2pyy94ab5/Kali-Linux-2020.4-vbox-amd64_tools.ova)
### Method 2: Install tools using script (the script ONLY is tested on Kali 2020.4)
The following script will install all tools needed for most of the labs. We will upgrade the script to add more tools.
- The installation [instruction](https://raw.githubusercontent.com/frankwxu/digital-forensics-lab/main/Help/Tool_Installation.pptx)
```
# The following commands will install all tools needed for Data Leakage Case. We will upgrade the script to add more tools for other labs soon.
wget https://raw.githubusercontent.com/frankwxu/digital-forensics-lab/main/Help/tool-install-zsh.sh
chmod +x tool-install-zsh.sh
./tool-install-zsh.sh
```
---
The list of [tools installed](#Tools-Used). Note that most of the commands for tools can executed globally.
### Investigating P2P Data Leakage
### Tools
==============
- Commands tested
The [P2P data leakage case study](https://github.com/frankwxu/digital-forensics-lab/tree/main/NIST_Data_Leakage_Case) is to help students to apply various forensic techniques to investigate intellectual property theft involving P2P. The study include
| Name | Command | Installation Method | Installation Method |
| ----------------------- | ----------------- | --------------------------------------------------------------- | ------------------- |
| Wine | wine --version | https://source.winehq.org/git/wine.git/ | Custom |
| Vinetto | vinetto -h | https://github.com/AtesComp/Vinetto | Custom |
| imgclip | imgclip -h | https://github.com/Arthelon/imgclip | apt insta |
| RegRipper | rip.pl -h | https://github.com/keydet89/RegRipper3.0 | Custom |
| Windows-Prefetch-Parser | prefetch.py -h | https://github.com/PoorBillionaire/Windows-Prefetch-Parser.git | Custom |
| python-evtx | evtx_dump.py -h | https://github.com/williballenthin/python-evtx | apt install |
| libesedb-utils | esedbexport -h | https://github.com/libyal/libesedb | apt install |
| libpff | pffexport -h | https://github.com/libyal/libpff | apt install |
| USN-Record-Carver | usncarve.py -h | https://github.com/PoorBillionaire/USN-Record-Carver | apt install |
| USN-Journal-Parser | usn.py -h | https://github.com/PoorBillionaire/USN-Journal-Parser | apt install |
| time_decode | time_decode.py -h | https://github.com/digitalsleuth/time_decode | Git clone |
| analyzeMFT | analyzeMFT.py -h | https://github.com/dkovar/analyzeMFT | Custom |
| libvshadow | vshadowinfo -h | https://github.com/libyal/libvshadow | Custom |
| INDXParse | INDXParse.py - | | Custom |
| carving sqlite .db | undark -h | https://github.com/inflex/undark.git | Custom |
| stegdetect | stegdetect -V | | Custom |
| stegbreak | stegbreak -V | | Custom |
| stego-toolkit | jphide | | Custom |
| jpsestego-toolkitek | jpseek | | Custom |
| volatility-2 | vol.py -h | https://github.com/volatilityfoundation/volatility.git | Custom |
| liblnk-utils | lnkinfo -h | | apt install |
| JLECmd | | https://f001.backblazeb2.com/file/EricZimmermanTools/JLECmd.zip | Git clone |
| recentfilecache-parser | | https://github.com/prolsen/recentfilecache-parser | |
| LogFileParser | | https://github.com/jschicht/LogFileParser.git | Git clone |
| UsnJrnl2Csv | | ttps://github.com/jschicht/UsnJrnl2Csv.git | Git clone |
- A large and complex case involving a uTorrent client. The case is similar to NIST data leakage lab. However, it provides a clearer and more detailed timeline.
- Solid evidence with explanations. Each evidence that is associated with each activity is explained along with the timeline. We suggest using this before study NIST data leakage case study.
- 10 hands-on labs/topics in digital forensics
**Topics Covered**
| Labs | Topics Covered | Size of PPTs |
| ------ | ----------------------------------------------------------------------------------------------------- | ------------ |
| Lab 0 | [Lab Environment Setting Up](P2P_Leakage/Presentation/ID00_Lab_Setup.pptx) | 4M |
| Lab 1 | [Disk Image and Partitions](P2P_Leakage/Presentation/ID01_Disk_Image_and_Partitions.pptx) | 5M |
| Lab 2 | [Windows Registry and File Directory](P2P_Leakage/Presentation/ID02_Registry_and_File_Directory.pptx) | 15M |
| Lab 3 | [MFT Timeline ](P2P_Leakage/Presentation/ID03_MFT_Timeline.pptx) | 6M |
| Lab 4 | [USN Journal Timeline](P2P_Leakage/Presentation/ID03_MFT_Timeline.pptx) | 3M |
| Lab 5 | [uTorrent Log File ](P2P_Leakage/Presentation/ID05_uTorrent_Log_File.pptx) | 9M |
| Lab 6 | [File Signature ](P2P_Leakage/Presentation/ID06_File_Signature.pptx) | 8M |
| Lab 7 | [Emails ](P2P_Leakage/Presentation/ID07_Emails.pptx) | 9M |
| Lab 8 | [Web History ](P2P_Leakage/Presentation/ID08_Web_History.pptx) | 11M |
| Lab 9 | [Website Analysis ](P2P_Leakage/Presentation/ID09_Website_Analysis.pptx) | 2M |
| Lab 10 | [Timeline (Summary)](P2P_Leakage/Presentation/Questions.docx) | 13K |
- Other tools installed via apt install
python3-pip, leafpad, terminator, sqlite3, tree, xmlstarlet, libhivex-bin, pasco, libhivex-bin, npm, binwalk, foremost, hashdeep, ewf-tools, nautilus
---
@@ -120,6 +138,34 @@ The [case study](https://github.com/frankwxu/digital-forensics-lab/tree/main/NIS
---
### Investigating P2P Data Leakage
==============
The [P2P data leakage case study](https://github.com/frankwxu/digital-forensics-lab/tree/main/NIST_Data_Leakage_Case) is to help students to apply various forensic techniques to investigate intellectual property theft involving P2P. The study include
- A large and complex case involving a uTorrent client. The case is similar to NIST data leakage lab. However, it provides a clearer and more detailed timeline.
- Solid evidence with explanations. Each evidence that is associated with each activity is explained along with the timeline. We suggest using this before study NIST data leakage case study.
- 10 hands-on labs/topics in digital forensics
**Topics Covered**
| Labs | Topics Covered | Size of PPTs |
| ------ | ----------------------------------------------------------------------------------------------------- | ------------ |
| Lab 0 | [Lab Environment Setting Up](P2P_Leakage/Presentation/ID00_Lab_Setup.pptx) | 4M |
| Lab 1 | [Disk Image and Partitions](P2P_Leakage/Presentation/ID01_Disk_Image_and_Partitions.pptx) | 5M |
| Lab 2 | [Windows Registry and File Directory](P2P_Leakage/Presentation/ID02_Registry_and_File_Directory.pptx) | 15M |
| Lab 3 | [MFT Timeline ](P2P_Leakage/Presentation/ID03_MFT_Timeline.pptx) | 6M |
| Lab 4 | [USN Journal Timeline](P2P_Leakage/Presentation/ID03_MFT_Timeline.pptx) | 3M |
| Lab 5 | [uTorrent Log File ](P2P_Leakage/Presentation/ID05_uTorrent_Log_File.pptx) | 9M |
| Lab 6 | [File Signature ](P2P_Leakage/Presentation/ID06_File_Signature.pptx) | 8M |
| Lab 7 | [Emails ](P2P_Leakage/Presentation/ID07_Emails.pptx) | 9M |
| Lab 8 | [Web History ](P2P_Leakage/Presentation/ID08_Web_History.pptx) | 11M |
| Lab 9 | [Website Analysis ](P2P_Leakage/Presentation/ID09_Website_Analysis.pptx) | 2M |
| Lab 10 | [Timeline (Summary)](P2P_Leakage/Presentation/Questions.docx) | 13K |
---
### Investigating Illegal Possession of Images
=====================