Forensic Artifacts Collecting Toolkit

A basic shell pipeline for extracting forensic artifacts from disk images. Relevant artifacts will be processed and provided in ECS format for ingestion with Logstash.

# fmount image.dd | ffind | flog -D logstash

Tools

fmount

Mount disk images for read-only processing.

# fmount [-ruszqhv] [-H CRC32|MD5|SHA1|SHA256] [-V SUM] [-B KEY] [-D DIR] IMAGE

Available options:

• -D Mount point
• -B BitLocker key
• -H Hash algorithm
• -V Verify hash sum
• -r Recovery key ids
• -u Unmount image
• -s System partition only
• -z Unzip image
• -q Quiet mode
• -h Show usage
• -v Show version

Supported image types on Linux systems:

• vdi
• vpc
• vhdx
• vmdk
• parallels
• qcow2
• qcow
• raw

Required system commands:

• dislocker
• qemu-nbd
• lsblk
• mount
• umount

ffind

Find forensic artifacts in mount points or on the live system.

$ ffind [-rcsuqhv] [-H CRC32|MD5|SHA1|SHA256] [-C CSV] [-Z ZIP] [MOUNT ...]

Available options:

• -H Hash algorithm
• -C CSV listing name
• -Z Zip archive name
• -r Relative paths
• -c Volume shadow copy
• -s System artifacts only
• -u User artifacts only
• -q Quiet mode
• -h Show usage
• -v Show version

Supported artifacts for Windows 7+ systems:

• System Active Directory
• System Registry Hives
• System Prefetch Files
• System Event Logs
• System AmCache
• User Registry Hives
• User Jump Lists
• User Browser Histories

flog

Log forensic artifacts as JSON in ECS format.

$ flog [-pqhv] [-D DIRECTORY] [FILE ...]

Available options:

• -D Log directory
• -p Pretty JSON
• -q Quiet mode
• -h Show usage
• -v Show version

Required system commands:

• dotnet

Use make tools to install Eric Zimmerman's Tools.

Supported artifacts for Windows 7+ systems:

• System Event Logs
• User JumpLists
• User ShellBags
• User Browser Histories

License

Released under the MIT License.