diff --git a/Help/Tool_installation.pptx b/Help/Tool_installation.pptx
index 27498b5..b851ac6 100644
Binary files a/Help/Tool_installation.pptx and b/Help/Tool_installation.pptx differ
diff --git a/Help/Wine_installation.pptx b/Help/Wine_installation.pptx
deleted file mode 100644
index c03c4b3..0000000
Binary files a/Help/Wine_installation.pptx and /dev/null differ
diff --git a/Help/tool-install-bash.sh b/Help/tool-install-bash.sh
deleted file mode 100644
index 49a561d..0000000
--- a/Help/tool-install-bash.sh
+++ /dev/null
@@ -1,117 +0,0 @@ -#!/bin/bash - -echo 'This might take a while. Please wait...' - -# Update apt first -# Note: -y means the install will go through without user input -sudo apt update -y - - -# Install Python-related tools first -sudo apt install python-setuptools python3-pip -y - - -# Install software that can be installed from the repository -sudo apt install vinetto tree python3-evtx xmlstarlet libhivex-bin python3-hivex libesedb-utils pasco pff-tools libnl-utils libvshadow-utils -y -pip3 install time-decode -sudo apt install npm -y -sudo npm install -g imgclip - - -# Installing Regripper -cd ~/Downloads -wget https://raw.githubusercontent.com/siftgrab/siftgrab/master/regripper.conf/RegRipper30-apt-git-Install.sh -sudo bash RegRipper30-apt-git-Install.sh - - -# Git clone other tools -mkdir ~/UB-730-Tools -cd ~/UB-730-Tools -git clone https://github.com/PoorBillionaire/USN-Record-Carver.git -git clone https://github.com/dkovar/analyzeMFT.git -git clone https://github.com/PoorBillionaire/USN-Journal-Parser.git -git clone https://github.com/PoorBillionaire/Windows-Prefetch-Parser.git -git clone https://github.com/prolsen/recentfilecache-parser.git - - -# Installing JLEC -cd ~/Downloads -wget https://f001.backblazeb2.com/file/EricZimmermanTools/JLECmd.zip -unzip JLECmd.zip && mkdir ~/UB-730-Tools/JLEC && mv JLECmd.exe ~/UB-730-Tools/JLEC - - -# Installing wine -sudo apt install wine wine64 -y -cd ~/Downloads -wget https://dl.winehq.org/wine/wine-mono/5.0.0/wine-mono-5.0.0-x86.msi - - -# Create .bash_aliases file. .bashrc is set to run this file by default. -# This will allow you to call the git cloned programs anywhere in the terminal. Current solution anyway. 
-touch ~/.bash_aliases -echo "alias prefetch.py='python2 ~/UB-730-Tools/Windows-Prefetch-Parser/windowsprefetch/prefetch.py'" >> ~/.bash_aliases -echo "alias rfcparse.py='python2 ~/UB-730-Tools/recentfilecache-parser/rfcparse.py'" >> ~/.bash_aliases -echo "alias usn.py='python2 ~/UB-730-Tools/USN-Journal-Parser/usnparser/usn.py'">> ~/.bash_aliases -echo "alias usncarve.py='python2 ~/UB-730-Tools/USN-Record-Carver/usncarve.py'" >> ~/.bash_aliases -echo "alias analyzeMFT.py='python2 ~/UB-730-Tools/analyzeMFT/analyzeMFT.py'" >> ~/.bash_aliases -echo "alias JLECmd.exe='wine64 ~/UB-730-Tools/JLEC/JLECmd.exe'" >> ~/.bash_aliases - - -# Creating reference file in case user doesn't know how to call these commands -touch ~/UB-730-Tools/Tools-Reference.txt -echo 'This is a reference for all of the programs installed via the script.' >> ~/UB-730-Tools/Tools-Reference.txt -echo "" >> ~/UB-730-Tools/Tools-Reference.txt -echo "" >> ~/UB-730-Tools/Tools-Reference.txt -echo 'Key: Program --> Command' >> ~/UB-730-Tools/Tools-Reference.txt -echo '-------------------------' >> ~/UB-730-Tools/Tools-Reference.txt -echo '' >> ~/UB-730-Tools/Tools-Reference.txt -echo 'AnalyzeMFT --> analyzeMFT.py' >> ~/UB-730-Tools/Tools-Reference.txt -echo 'Hivex --> hivexsh' >> ~/UB-730-Tools/Tools-Reference.txt -echo 'libesedb --> esedbinfo, esedbexport' >> ~/UB-730-Tools/Tools-Reference.txt -echo 'libpff --> pffinfo, pffexport' >> ~/UB-730-Tools/Tools-Reference.txt -echo 'libvshadow --> vshadowdebug, vshadowinfo, vshadowmount' >> ~/UB-730-Tools/Tools-Reference.txt -echo 'libnl --> nl, nl-* (There are many different commands; type in nl- and press TAB key twice to see)' >> ~/UB-730-Tools/Tools-Reference.txt -echo 'Pasco --> pasco' >> ~/UB-730-Tools/Tools-Reference.txt -echo 'Python-evtx --> evtx_info.py, evtx_dump.py (There are other commands; type in evtx_ and press TAB key twice to see)' >> ~/UB-730-Tools/Tools-Reference.txt -echo 'Regripper --> rip.pl' >> ~/UB-730-Tools/Tools-Reference.txt -echo 
'RecentFileCacheParser --> rfcparse.py' >>~/UB-730-Tools/Tools-Reference.txt -echo 'Tree --> tree' >> ~/UB-730-Tools/Tools-Reference.txt -echo 'Time-Decode --> time_decode.py' >> ~/UB-730-Tools/Tools-Reference.txt -echo 'USNJournalParser --> usn.py' >> ~/UB-730-Tools/Tools-Reference.txt -echo 'USNRecordCarver --> usncarve.py'>> ~/UB-730-Tools/Tools-Reference.txt -echo 'Vinetto --> vinetto' >> ~/UB-730-Tools/Tools-Reference.txt -echo 'WindowsPrefetchParser --> prefetch.py' >> ~/UB-730-Tools/Tools-Reference.txt -echo 'Xmlstarlet --> xmlstarlet' >> ~/UB-730-Tools/Tools-Reference.txt -echo 'JLECmd --> JLECmd.exe' >> ~/UB-730-Tools/Tools-Reference.txt -echo 'Imgclip --> imgclip' >> ~/UB-730-Tools/Tools-Reference.txt - -# Creating README.txt -touch ~/UB-730-Tools/README.txt -echo "Warning: If you move any of the tools' folders, the settings I put may/will break. If you know everything I did, great, if not, be careful." >> ~/UB-730-Tools/README.txt -echo "" >> ~/UB-730-Tools/README.txt -echo "As of now, you do not have to type in the full path to use any of these programs. I took care of that for you. See Tools-Reference.txt." >> ~/UB-730-Tools/README.txt -echo "" >> ~/UB-730-Tools/README.txt -echo "With that said, if you want to set it up on your own or have a better way of doing it, then feel free to change what you want." >> ~/UB-730-Tools/README.txt -echo "That is only for JLECmd though. If there are any other Windows programs you want to run, you WILL have to use wine , because I did not set an alias for any other .exe except for JLEC." >> ~/UB-730-Tools/READforWineIssues.txt -echo "Malcolm Hayward (malcolm.hayward@ubalt.edu)" >> ~/UB-730-Tools/README.txt - - -# Instructions for troubleshooting wine -touch ~/UB-730-Tools/READforWineIssues.txt -echo "On my systems, Wine would not work unless wine-mono was installed." >> ~/UB-730-Tools/READforWineIssues.txt -echo "" >> ~/UB-730-Tools/READforWineIssues.txt -echo "Make sure that your Wine version is 5.0." 
>> ~/UB-730-Tools/READforWineIssues.txt -echo " Commands to check Wine version: wine --version OR wine64 --version." >> ~/UB-730-Tools/READforWineIssues.txt -echo "" >> ~/UB-730-Tools/READforWineIssues.txt -echo "I will assume that your version is 5.0. I already downloaded Wine Mono for you. You just have to do three things." >> ~/UB-730-Tools/READforWineIssues.txt -echo "" >> ~/UB-730-Tools/READforWineIssues.txt -echo "1. Run this command: wine64 uninstaller" >> ~/UB-730-Tools/READforWineIssues.txt -echo "2. You will see a menu. There is an install button. Click that." >> ~/UB-730-Tools/READforWineIssues.txt -echo "3. A file explorer will appear. The mono file is in your Downloads directory (/home//Downloads). Install it." >> ~/UB-730-Tools/READforWineIssues.txt -echo "" >> ~/UB-730-Tools/READforWineIssues.txt -echo "Both wine and wine64 should work after that. You do not have to type in wine when you run Windows programs like JLECmd. I made an alias so that you only need to type in JLECmd.exe to run it." >> ~/UB-730-Tools/READforWineIssues.txt -echo "" >> ~/UB-730-Tools/READforWineIssues.txt -echo "If there are any questions or problems, send me an email (malcolm.hayward@ubalt.edu) and/or invite me to a Zoom meeting, and I'll help." >> ~/UB-730-Tools/READforWineIssues.txt - -# Finish message -echo "Done! Please restart the terminal for some settings to take effect." \ No newline at end of file diff --git a/Help/tool-install-zsh.sh b/Help/tool-install-zsh.sh index 9037bd4..4e2819a 100644 --- a/Help/tool-install-zsh.sh +++ b/Help/tool-install-zsh.sh 
@@ -1,127 +1,298 @@ -#!/bin/bash +#! /bin/bash -echo 'This might take a while. Please wait...' +cd ~ +[ ! -d "lab" ] && mkdir lab || cd lab + +############################################## +# Tool Installation Report Summary +############################################## +[ -f ~/installation-report.txt ] && sudo rm ~/installation-report.txt +touch ~/installation-report.txt +echo -e "\e[1;32m " >> ~/installation-report.txt +echo -e "\e[1;32m " >> ~/installation-report.txt +echo -e "\e[1;32m*******************************" >> ~/installation-report.txt +echo -e "\e[1;32m* University of Baltimore *" >> ~/installation-report.txt +echo -e "\e[1;32m* Frank Xu wxu@ubalt.edu *" >> ~/installation-report.txt +echo -e "\e[1;32m*******************************" >> ~/installation-report.txt + +message(){ + (eval "$2") | grep -iq "$3" &> /dev/null + if [ $? == 1 ]; then + echo -e "\e[1;31mTool $1: \"$2\" installation Failed!" >> ~/installation-report.txt + else + echo -e "\e[1;32mTool $1: \"$2\" installation successed!" 
>> ~/installation-report.txt + fi +} + +############################################# +# Lab tools: NIST Data Leakage +############################################## +#install wine +#https://linuxhint.com/install_wine_-ubuntu_20-24/ +sudo apt -y update +sudo apt -y upgrade +# install both boot +sudo dpkg --add-architecture i386 +sudo apt -y update +sudo apt -y install wine64 wine32 +tool_name="wine" +command_string="wine --version" +sudo apt -y install $tool_name +key_str="wine-" +message $tool_name "$command_string" "$key_str" -# Update apt first -sudo apt update -y +#install other packages +sudo apt -y install python3-pip +sudo apt -y install leafpad +sudo apt -y install terminator +sudo apt -y install sqlite3 +sudo apt -y install tree +sudo apt -y install xmlstarlet +sudo apt -y install libhivex-bin +sudo apt -y install pasco + +sudo apt -y install npm +sudo apt -y install binwalk +sudo apt -y install foremost +sudo apt -y install hashdeep +sudo apt -y install ewf-tools +sudo apt -y install nautilus + +#Install pff-tools +tool_name="pff-tools" +command_string="pffexport -h" +sudo apt -y install $tool_name +key_str="usage" +message $tool_name "$command_string" "$key_str" + +#Install libesedb-utils +tool_name="libesedb-utils" +command_string="esedbexport -h" +sudo apt -y install $tool_name +key_str="usage" +message $tool_name "$command_string" "$key_str" + +#Install liblnk-utils +tool_name="liblnk-utils" +command_string="lnkinfo -h" +sudo apt -y install $tool_name +key_str="usage" +message $tool_name "$command_string" "$key_str" -# Install Python-related tools first -# Note: -y means the install will go through without user input -sudo apt install python-setuptools python3-pip -y +#Install usncarve +tool_name="usncarve" +command_string="usncarve.py -h" +sudo pip install $tool_name +key_str="usage" +message $tool_name "$command_string" "$key_str" + +#Install usnparser +tool_name="usnparser" +command_string="usn.py -h" +sudo pip install $tool_name +key_str="usage" 
+message $tool_name "$command_string" "$key_str" + +# install RegRipper +cd ~/lab +tool_name="RegRipper30" +command_string="rip.pl -h" +key_str="RegRipper tool" +[ -d "tools/RegRipper30/" ] && sudo rm -rf tools/RegRipper30 +sudo mkdir tools/RegRipper30 +sudo wget -q https://raw.githubusercontent.com/frankwxu/digital-forensics-lab/main/Help/scripts/RegRipper30-apt-git-Install.sh -P tools/RegRipper30/ +sudo chmod 755 tools/RegRipper30/RegRipper30-apt-git-Install.sh +sudo tools/RegRipper30/RegRipper30-apt-git-Install.sh +message $tool_name "$command_string" "$key_str" + +#Install Vinetto for Thumbcache +cd ~/lab +tool_name="Vinetto" +command_string="vinetto -h" +key_str="usage" +[ -d "tools/Vinetto/" ] && sudo rm -rf tools/Vinetto +sudo git clone https://github.com/AtesComp/Vinetto.git tools/Vinetto +cd tools/Vinetto +sudo pip install . +message $tool_name "$command_string" "$key_str" + +#Install time_decode +cd ~/lab +tool_name="time_decode" +command_string="time_decode.py -h" +key_str="usage" +[ -d "tools/time_decode/" ] && sudo rm -rf tools/time_decode +sudo git clone https://github.com/digitalsleuth/time_decode.git tools/time_decode +sudo mv tools/time_decode/time_decode/time_decode.py /usr/local/bin/. +message $tool_name "$command_string" "$key_str" + +#Install windowsprefetch +cd ~/lab +tool_name="windowsprefetch" +command_string="prefetch.py -h" +key_str="usage" +sudo pip install $tool_name +sudo cp /home/kali/.local/bin/prefetch.py /usr/local/bin/. 
+message $tool_name "$command_string" "$key_str" + +#Install evtx_dump +cd ~/lab +tool_name="python3-evtx" +command_string="evtx_dump.py -h" +sudo apt -y install $tool_name +key_str="usage" +message $tool_name "$command_string" "$key_str" + +#Install INDXParse +cd ~/lab +tool_name="INDXParse" +command_string="INDXParse.py -h" +key_str="usage" +[ -d "tools/INDXParse/" ] && sudo rm -rf tools/INDXParse +sudo wget https://raw.githubusercontent.com/frankwxu/digital-forensics-lab/main/NIST_Data_Leakage_Case/tools/INDXParse.7z -P tools +sudo 7z x tools/INDXParse.7z -aoa -otools +sudo sh -c 'chmod +x tools/INDXParse/*.py' +sudo sh -c 'mv tools/INDXParse/*.py /usr/local/bin/.' +message $tool_name "$command_string" "$key_str" + +#Install +cd ~/lab +tool_name="analyzeMFT" +command_string="analyzeMFT.py -h" +key_str="usage" +[ -d "tools/analyzeMFT/" ] && sudo rm -rf tools/analyzeMFT +sudo git clone https://github.com/dkovar/analyzeMFT.git tools/analyzeMFT +cd tools/analyzeMFT +alias python=/usr/bin/python2 +sudo python setup.py install +unalias python +message $tool_name "$command_string" "$key_str" + +#Install imgclip +cd ~/lab +tool_name="imgclip" +command_string="imgclip -h" +sudo npm install -g $tool_name +key_str="usage" +message $tool_name "$command_string" "$key_str" + +#Install libvshadow-alpha-20210425 +#https://github.com/libyal/libvshadow/wiki/Building +cd ~/lab +tool_name="libvshadow-alpha-20210425" +command_string="vshadowinfo -h" +key_str="usage" +sudo apt install -y libfuse-dev +sudo apt install -y git autoconf automake autopoint libtool pkg-config +[ -d "tools/libvshadow-20210425" ] && sudo rm -ft tools/libvshadow-20210425 +sudo wget -q wget https://github.com/libyal/libvshadow/releases/download/20210425/libvshadow-alpha-20210425.tar.gz -P tools +cd tools +sudo tar -xf libvshadow-alpha-20210425.tar.gz +[ -f "libvshadow-alpha-20210425.tar.gz" ] && sudo rm libvshadow-alpha-20210425.tar.gz +cd libvshadow-20210425 +./configure +sudo make +sudo make install +sudo 
./configure --prefix=/usr +sudo ldconfig +message $tool_name "$command_string" "$key_str" + +#Install undark for carving sqlite .db +cd ~/lab +tool_name="undark" +command_string="undark -h" +key_str="SQLite3" +[ -d "tools/undark/" ] && sudo rm -rf tools/undark +sudo git clone https://github.com/inflex/undark.git tools/undark +cd tools/undark +sudo make +sudo mv undark /usr/local/bin/. +message $tool_name "$command_string" "$key_str" +cd ~/lab + +#Install LogFileParser +cd ~/lab +[ -d "LogFileParser/" ] && sudo rm -rf LogFileParser +sudo git clone https://github.com/jschicht/LogFileParser.git + +#Install UsnJrnl2Csv +cd ~/lab +[ -d "UsnJrnl2Csv/" ] && sudo rm -rf UsnJrnl2Csv +sudo git clone https://github.com/jschicht/UsnJrnl2Csv.git + +#Install JLECmd +cd ~/lab +[ -f "JLECmd.exe" ] && sudo rm JLECmd.exe +wget -q https://f001.backblazeb2.com/file/EricZimmermanTools/JLECmd.zip +unzip JLECmd.zip +sudo rm JLECmd.zip -# Install software that can be installed from the repository -sudo apt install vinetto tree python3-evtx xmlstarlet libhivex-bin python3-hivex libesedb-utils pasco pff-tools libnl-utils libvshadow-utils -y -pip3 install time-decode -sudo apt install npm -y -sudo npm install -g imgclip +############################################# +# Lab Tools: Illegal Possession Images +############################################# +#install stegdetect +cd ~/lab +tool_name="stegdetect" +command_string="stegdetect -V" +key_str="Stegdetect Version" +[ -d "tools/stegdetect/" ] && sudo rm -rf tools/stegdetect +sudo wget https://raw.githubusercontent.com/frankwxu/digital-forensics-lab/main/Illegal_Possession_Images/tools/stegdetect.7z -P tools +sudo 7z x tools/stegdetect.7z -aoa -otools +[ -f "tools/stegdetect.7z" ] && sudo rm -rf tools/stegdetect.7z +sudo cp tools/stegdetect/stegdetect /usr/bin/. +message $tool_name "$command_string" "$key_str" +sudo cp tools/stegdetect/stegbreak /usr/bin/. 
+tool_name="stegbreak" +command_string="stegbreak -V" +key_str="stegbreak Version" +message $tool_name "$command_string" "$key_str" -# Installing Regripper -cd ~/Downloads -wget https://raw.githubusercontent.com/siftgrab/siftgrab/master/regripper.conf/RegRipper30-apt-git-Install.sh -sudo bash RegRipper30-apt-git-Install.sh +#install stego-toolkit +cd ~/lab +tool_name="stego-toolkit " +command_string="jphide" +key_str="jphide" +[ -d "tools/stego-toolkit/" ] && sudo rm -rf tools/stego-toolkit +sudo git clone https://github.com/DominicBreuker/stego-toolkit.git tools/stego-toolkit +cd tools/stego-toolkit/install +sudo chmod +x jphide.sh +sudo ./jphide.sh +message $tool_name "$command_string" "$key_str" +command_string="jpseek" +key_str="jpseek" +message $tool_name "$command_string" "$key_str" +############################################# +# Lab Tools: Memory Forensics +# https://seanthegeek.net/1172/how-to-install-volatility-2-and-volatility-3-on-debian-ubuntu-or-kali-linux/ +############################################# +cd ~/lab +sudo apt install -y build-essential git libdistorm3-dev yara libraw1394-11 libcapstone-dev capstone-tool tzdata -# Git clone other tools -mkdir ~/UB-730-Tools -cd ~/UB-730-Tools -git clone https://github.com/PoorBillionaire/USN-Record-Carver.git -git clone https://github.com/dkovar/analyzeMFT.git -git clone https://github.com/PoorBillionaire/USN-Journal-Parser.git -git clone https://github.com/PoorBillionaire/Windows-Prefetch-Parser.git -git clone https://github.com/prolsen/recentfilecache-parser.git +sudo apt install -y python2 python2.7-dev libpython2-dev +curl https://bootstrap.pypa.io/pip/2.7/get-pip.py --output get-pip.py +sudo python2 get-pip.py +sudo python2 -m pip install -U setuptools wheel -# Installing JLEC -cd ~/Downloads -wget https://f001.backblazeb2.com/file/EricZimmermanTools/JLECmd.zip -unzip JLECmd.zip && mkdir ~/UB-730-Tools/JLEC && mv JLECmd.exe ~/UB-730-Tools/JLEC +python2 -m pip install -U distorm3 yara pycrypto pillow 
openpyxl ujson pytz ipython capstone +sudo python2 -m pip install yara +sudo ln -s /usr/local/lib/python2.7/dist-packages/usr/lib/libyara.so /usr/lib/libyara.so +python2 -m pip install -U git+https://github.com/volatilityfoundation/volatility.git +echo 'export PATH=/home/kali/.local/bin:$PATH' >> ~/.zshrc +tool_name="volatility-2" +command_string="vol.py -h" +key_str="usage" +message $tool_name "$command_string" "$key_str" -# Installing wine -sudo apt install wine wine64 -y -cd ~/Downloads -wget https://dl.winehq.org/wine/wine-mono/5.0.0/wine-mono-5.0.0-x86.msi +# Delete all downloaded source code +[ -d "tools" ] && sudo rm -rf tools +# Show report +echo -e "\e[1;31mNeed to reboot the VM to execute some commands, e.g., volatility2 \"vol.py -h\" with Kali account" >> ~/installation-report.txt -# Create .zsh_aliases file. .bashrc is set to run this file by default. -# This will allow you to call the git cloned programs anywhere in the terminal. Current solution anyway. -touch ~/.zsh_aliases -echo "alias prefetch.py='python2 ~/UB-730-Tools/Windows-Prefetch-Parser/windowsprefetch/prefetch.py'" >> ~/.zsh_aliases -echo "alias rfcparse.py='python2 ~/UB-730-Tools/recentfilecache-parser/rfcparse.py'" >> ~/.zsh_aliases -echo "alias usn.py='python2 ~/UB-730-Tools/USN-Journal-Parser/usnparser/usn.py'">> ~/.zsh_aliases -echo "alias usncarve.py='python2 ~/UB-730-Tools/USN-Record-Carver/usncarve.py'" >> ~/.zsh_aliases -echo "alias analyzeMFT.py='python2 ~/UB-730-Tools/analyzeMFT/analyzeMFT.py'" >> ~/.zsh_aliases -echo "alias JLECmd.exe='wine64 ~/UB-730-Tools/JLEC/JLECmd.exe'" >> ~/.zsh_aliases - - -# Allow .zshrc to run .zshaliases -echo "" >> ~/.zshrc -echo '# Alias definitions' >> ~/.zshrc -echo 'if [ -f ~/.zsh_aliases ]; then' >> ~/.zshrc -echo ' . 
~/.zsh_aliases' >> ~/.zshrc -echo 'fi' >> ~/.zshrc - - -# Creating reference file in case user doesn't know how to call these commands -touch ~/UB-730-Tools/Tools-Reference.txt -echo 'This is a reference for all of the programs installed via the script.' >> ~/UB-730-Tools/Tools-Reference.txt -echo "" >> ~/UB-730-Tools/Tools-Reference.txt -echo "" >> ~/UB-730-Tools/Tools-Reference.txt -echo 'Key: Program --> Command' >> ~/UB-730-Tools/Tools-Reference.txt -echo '-------------------------' >> ~/UB-730-Tools/Tools-Reference.txt -echo '' >> ~/UB-730-Tools/Tools-Reference.txt -echo 'AnalyzeMFT --> analyzeMFT.py' >> ~/UB-730-Tools/Tools-Reference.txt -echo 'Hivex --> hivexsh' >> ~/UB-730-Tools/Tools-Reference.txt -echo 'libesedb --> esedbinfo, esedbexport' >> ~/UB-730-Tools/Tools-Reference.txt -echo 'libpff --> pffinfo, pffexport' >> ~/UB-730-Tools/Tools-Reference.txt -echo 'libvshadow --> vshadowdebug, vshadowinfo, vshadowmount' >> ~/UB-730-Tools/Tools-Reference.txt -echo 'libnl --> nl, nl-* (There are many different commands; type in nl- and press TAB key twice to see)' >> ~/UB-730-Tools/Tools-Reference.txt -echo 'Pasco --> pasco' >> ~/UB-730-Tools/Tools-Reference.txt -echo 'Python-evtx --> evtx_info.py, evtx_dump.py (There are other commands; type in evtx_ and press TAB key twice to see)' >> ~/UB-730-Tools/Tools-Reference.txt -echo 'Regripper --> rip.pl' >> ~/UB-730-Tools/Tools-Reference.txt -echo 'RecentFileCacheParser --> rfcparse.py' >>~/UB-730-Tools/Tools-Reference.txt -echo 'Tree --> tree' >> ~/UB-730-Tools/Tools-Reference.txt -echo 'Time-Decode --> time_decode.py' >> ~/UB-730-Tools/Tools-Reference.txt -echo 'USNJournalParser --> usn.py' >> ~/UB-730-Tools/Tools-Reference.txt -echo 'USNRecordCarver --> usncarve.py'>> ~/UB-730-Tools/Tools-Reference.txt -echo 'Vinetto --> vinetto' >> ~/UB-730-Tools/Tools-Reference.txt -echo 'WindowsPrefetchParser --> prefetch.py' >> ~/UB-730-Tools/Tools-Reference.txt -echo 'Xmlstarlet --> xmlstarlet' >> 
~/UB-730-Tools/Tools-Reference.txt -echo 'JLECmd --> JLECmd.exe' >> ~/UB-730-Tools/Tools-Reference.txt -echo 'Imgclip --> imgclip' >> ~/UB-730-Tools/Tools-Reference.txt - - -# Creating README.txt -touch ~/UB-730-Tools/README.txt -echo "Warning: If you move any of the tools' folders, the settings I put may/will break. If you know everything I did, great, if not, be careful." >> ~/UB-730-Tools/README.txt -echo "" >> ~/UB-730-Tools/README.txt -echo "As of now, you do not have to type in the full path to use any of these programs. I took care of that for you. See Tools-Reference.txt." >> ~/UB-730-Tools/README.txt -echo "" >> ~/UB-730-Tools/README.txt -echo "With that said, if you want to set it up on your own or have a better way of doing it, then feel free to change what you want." >> ~/UB-730-Tools/README.txt -echo "" >> ~/UB-730-Tools/README.txt -echo "Malcolm Hayward (malcolm.hayward@ubalt.edu)" >> ~/UB-730-Tools/README.txt - - -# Instructions for troubleshooting wine -touch ~/UB-730-Tools/READforWineIssues.txt -echo "On my systems, Wine would not work unless wine-mono was installed." >> ~/UB-730-Tools/READforWineIssues.txt -echo "" >> ~/UB-730-Tools/READforWineIssues.txt -echo "Make sure that your Wine version is 5.0." >> ~/UB-730-Tools/READforWineIssues.txt -echo " Commands to check Wine version: wine --version OR wine64 --version." >> ~/UB-730-Tools/READforWineIssues.txt -echo "" >> ~/UB-730-Tools/READforWineIssues.txt -echo "I will assume that your version is 5.0. I already downloaded Wine Mono for you. You just have to do three things." >> ~/UB-730-Tools/READforWineIssues.txt -echo "" >> ~/UB-730-Tools/READforWineIssues.txt -echo "1. Run this command: wine64 uninstaller" >> ~/UB-730-Tools/READforWineIssues.txt -echo "2. You will see a menu. There is an install button. Click that." >> ~/UB-730-Tools/READforWineIssues.txt -echo "3. A file explorer will appear. The mono file is in your Downloads directory (/home//Downloads). Install it." 
>> ~/UB-730-Tools/READforWineIssues.txt -echo "" >> ~/UB-730-Tools/READforWineIssues.txt -echo "Both wine and wine64 should work after that. You do not have to type in wine when you run JLECmd. I made an alias so that you only need to type in JLECmd.exe to run it." >> ~/UB-730-Tools/READforWineIssues.txt -echo "That is only for JLECmd though. If there are any other Windows programs you want to run, you WILL have to use wine , because I did not set an alias for any other .exe except for JLEC." >> ~/UB-730-Tools/READforWineIssues.txt -echo "If there are any questions or problems, send me an email (malcolm.hayward@ubalt.edu) and/or invite me to a Zoom meeting, and I'll help." >> ~/UB-730-Tools/READforWineIssues.txt - - -# Finish message -echo "Done! Please restart the terminal for some settings to take effect." \ No newline at end of file +cat ~/installation-report.txt diff --git a/README.md b/README.md index 997827a..684d362 100644 --- a/README.md +++ b/README.md 
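Review bot: Several installers are downloaded and then executed as root with no success check and no integrity verification, for example `sudo wget -q .../RegRipper30-apt-git-Install.sh` followed directly by `sudo tools/RegRipper30/RegRipper30-apt-git-Install.sh`, `curl https://bootstrap.pypa.io/pip/2.7/get-pip.py --output get-pip.py` followed by `sudo python2 get-pip.py`, and the 7z archives whose extracted binaries are copied into `/usr/bin`; because the script has no `set -euo pipefail` and the curl call has no `-f`, a failed or tampered download (including an HTTP error page) is still run with full privileges, so each fetch should be verified against a pinned digest before the sudo step, e.g. `echo "<SHA256_PLACEHOLDER>  get-pip.py" | sha256sum -c - || exit 1`. The `message` helper also misreports: it tests `[ $? == 1 ]`, so a grep that exits 2 is logged as a successful installation; replacing the status test with `if (eval "$2") 2>/dev/null | grep -iq -- "$3"; then` and swapping the two echo branches reports failure for any non-match. The libvshadow section will not work as written: `sudo rm -ft tools/libvshadow-20210425` is not a valid rm option set (presumably `-rf` was meant), `sudo wget -q wget https://...` passes a literal `wget` as a first URL, and `sudo ./configure --prefix=/usr` after `sudo make install` runs too late to affect the install. Finally, `alias python=/usr/bin/python2` has no effect on `sudo python setup.py install` (aliases are not expanded in non-interactive bash and sudo does not inherit them), and the hard-coded `/home/kali/.local/bin` paths should use `$HOME/.local/bin`.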
@@ -47,46 +47,64 @@ - Forensic Intelligence Repository - [Email forensics](/STIX_for_digital_forensics/Email_Harassment) - [Illegal Possession of Images](/STIX_for_digital_forensics/Illegal_Possession_Images) -- Tool Installation - - [Tools Used](#Tools-Used) - - [Installation PPTs](https://raw.githubusercontent.com/frankwxu/digital-forensics-lab/main/Help/Kali_Installation_2020.pptx) - - Installation Scripts (see commands as follows) + +## Tool Installation (new- updated on 12/5/2021) + +### Method 1: Import Kali VM image + +The Kali VM includes the tools needed for most of the labs + +- Install [Virturalbox](https://www.virtualbox.org/). See Kali installation [instruction](https://raw.githubusercontent.com/frankwxu/digital-forensics-lab/main/Help/Kali_Installation_2020.pptx) +- Import [Kali 2020.4](https://www.dropbox.com/s/y7svxg2pyy94ab5/Kali-Linux-2020.4-vbox-amd64_tools.ova) + +### Method 2: Install tools using script (the script ONLY is tested on Kali 2020.4) + +The following script will install all tools needed for most of the labs. We will upgrade the script to add more tools. + +- The installation [instruction](https://raw.githubusercontent.com/frankwxu/digital-forensics-lab/main/Help/Tool_Installation.pptx) ``` -# The following commands will install all tools needed for Data Leakage Case. We will upgrade the script to add more tools for other labs soon. - wget https://raw.githubusercontent.com/frankwxu/digital-forensics-lab/main/Help/tool-install-zsh.sh chmod +x tool-install-zsh.sh ./tool-install-zsh.sh ``` ---- +The list of [tools installed](#Tools-Used). Note that most of the commands for tools can executed globally. -### Investigating P2P Data Leakage +### Tools -============== +- Commands tested -The [P2P data leakage case study](https://github.com/frankwxu/digital-forensics-lab/tree/main/NIST_Data_Leakage_Case) is to help students to apply various forensic techniques to investigate intellectual property theft involving P2P. 
The study include +| Name | Command | Installation Method | Installation Method | +| ----------------------- | ----------------- | --------------------------------------------------------------- | ------------------- | +| Wine | wine --version | https://source.winehq.org/git/wine.git/ | Custom | +| Vinetto | vinetto -h | https://github.com/AtesComp/Vinetto | Custom | +| imgclip | imgclip -h | https://github.com/Arthelon/imgclip | apt insta | +| RegRipper | rip.pl -h | https://github.com/keydet89/RegRipper3.0 | Custom | +| Windows-Prefetch-Parser | prefetch.py -h | https://github.com/PoorBillionaire/Windows-Prefetch-Parser.git | Custom | +| python-evtx | evtx_dump.py -h | https://github.com/williballenthin/python-evtx | apt install | +| libesedb-utils | esedbexport -h | https://github.com/libyal/libesedb | apt install | +| libpff | pffexport -h | https://github.com/libyal/libpff | apt install | +| USN-Record-Carver | usncarve.py -h | https://github.com/PoorBillionaire/USN-Record-Carver | apt install | +| USN-Journal-Parser | usn.py -h | https://github.com/PoorBillionaire/USN-Journal-Parser | apt install | +| time_decode | time_decode.py -h | https://github.com/digitalsleuth/time_decode | Git clone | +| analyzeMFT | analyzeMFT.py -h | https://github.com/dkovar/analyzeMFT | Custom | +| libvshadow | vshadowinfo -h | https://github.com/libyal/libvshadow | Custom | +| INDXParse | INDXParse.py - | | Custom | +| carving sqlite .db | undark -h | https://github.com/inflex/undark.git | Custom | +| stegdetect | stegdetect -V | | Custom | +| stegbreak | stegbreak -V | | Custom | +| stego-toolkit | jphide | | Custom | +| jpsestego-toolkitek | jpseek | | Custom | +| volatility-2 | vol.py -h | https://github.com/volatilityfoundation/volatility.git | Custom | +| liblnk-utils | lnkinfo -h | | apt install | +| JLECmd | | https://f001.backblazeb2.com/file/EricZimmermanTools/JLECmd.zip | Git clone | +| recentfilecache-parser | | https://github.com/prolsen/recentfilecache-parser | | +| 
LogFileParser | | https://github.com/jschicht/LogFileParser.git | Git clone | +| UsnJrnl2Csv | | ttps://github.com/jschicht/UsnJrnl2Csv.git | Git clone | -- A large and complex case involving a uTorrent client. The case is similar to NIST data leakage lab. However, it provides a clearer and more detailed timeline. -- Solid evidence with explanations. Each evidence that is associated with each activity is explained along with the timeline. We suggest using this before study NIST data leakage case study. -- 10 hands-on labs/topics in digital forensics - -**Topics Covered** - -| Labs | Topics Covered | Size of PPTs | -| ------ | ----------------------------------------------------------------------------------------------------- | ------------ | -| Lab 0 | [Lab Environment Setting Up](P2P_Leakage/Presentation/ID00_Lab_Setup.pptx) | 4M | -| Lab 1 | [Disk Image and Partitions](P2P_Leakage/Presentation/ID01_Disk_Image_and_Partitions.pptx) | 5M | -| Lab 2 | [Windows Registry and File Directory](P2P_Leakage/Presentation/ID02_Registry_and_File_Directory.pptx) | 15M | -| Lab 3 | [MFT Timeline ](P2P_Leakage/Presentation/ID03_MFT_Timeline.pptx) | 6M | -| Lab 4 | [USN Journal Timeline](P2P_Leakage/Presentation/ID03_MFT_Timeline.pptx) | 3M | -| Lab 5 | [uTorrent Log File ](P2P_Leakage/Presentation/ID05_uTorrent_Log_File.pptx) | 9M | -| Lab 6 | [File Signature ](P2P_Leakage/Presentation/ID06_File_Signature.pptx) | 8M | -| Lab 7 | [Emails ](P2P_Leakage/Presentation/ID07_Emails.pptx) | 9M | -| Lab 8 | [Web History ](P2P_Leakage/Presentation/ID08_Web_History.pptx) | 11M | -| Lab 9 | [Website Analysis ](P2P_Leakage/Presentation/ID09_Website_Analysis.pptx) | 2M | -| Lab 10 | [Timeline (Summary)](P2P_Leakage/Presentation/Questions.docx) | 13K | +- Other tools installed via apt install + python3-pip, leafpad, terminator, sqlite3, tree, xmlstarlet, libhivex-bin, pasco, libhivex-bin, npm, binwalk, foremost, hashdeep, ewf-tools, nautilus --- 
@@ -120,6 +138,34 @@ The [case study](https://github.com/frankwxu/digital-forensics-lab/tree/main/NIS --- +### Investigating P2P Data Leakage + +============== + +The [P2P data leakage case study](https://github.com/frankwxu/digital-forensics-lab/tree/main/NIST_Data_Leakage_Case) is to help students to apply various forensic techniques to investigate intellectual property theft involving P2P. The study include + +- A large and complex case involving a uTorrent client. The case is similar to NIST data leakage lab. However, it provides a clearer and more detailed timeline. +- Solid evidence with explanations. Each evidence that is associated with each activity is explained along with the timeline. We suggest using this before study NIST data leakage case study. +- 10 hands-on labs/topics in digital forensics + +**Topics Covered** + +| Labs | Topics Covered | Size of PPTs | +| ------ | ----------------------------------------------------------------------------------------------------- | ------------ | +| Lab 0 | [Lab Environment Setting Up](P2P_Leakage/Presentation/ID00_Lab_Setup.pptx) | 4M | +| Lab 1 | [Disk Image and Partitions](P2P_Leakage/Presentation/ID01_Disk_Image_and_Partitions.pptx) | 5M | +| Lab 2 | [Windows Registry and File Directory](P2P_Leakage/Presentation/ID02_Registry_and_File_Directory.pptx) | 15M | +| Lab 3 | [MFT Timeline ](P2P_Leakage/Presentation/ID03_MFT_Timeline.pptx) | 6M | +| Lab 4 | [USN Journal Timeline](P2P_Leakage/Presentation/ID03_MFT_Timeline.pptx) | 3M | +| Lab 5 | [uTorrent Log File ](P2P_Leakage/Presentation/ID05_uTorrent_Log_File.pptx) | 9M | +| Lab 6 | [File Signature ](P2P_Leakage/Presentation/ID06_File_Signature.pptx) | 8M | +| Lab 7 | [Emails ](P2P_Leakage/Presentation/ID07_Emails.pptx) | 9M | +| Lab 8 | [Web History ](P2P_Leakage/Presentation/ID08_Web_History.pptx) | 11M | +| Lab 9 | [Website Analysis ](P2P_Leakage/Presentation/ID09_Website_Analysis.pptx) | 2M | +| Lab 10 | [Timeline 
(Summary)](P2P_Leakage/Presentation/Questions.docx) | 13K | + +--- + ### Investigating Illegal Possession of Images =====================