Differences

This shows you the differences between two versions of the page.

--- soc:irt:playbooks:windows_disk [2026/06/16 09:40] – titannet
+++ soc:irt:playbooks:windows_disk [2026/06/16 14:45] (current) – titannet
@@ Line 7: / Line 7: @@
     * executed with output copied back to "IR log"
       * recommendation: move commands/output from "useless commands" to second "IR dump" text/md file
+  * ''##'' is a placeholder for a number
+==== setup ====
 <code bash>
+echo 'source $HOME/.case.env' >> ~/.bashrc
+</code>
+==== Env variables ====
+<code bash>
+rm ~/.case.env
 pwd
-WF=/case/working/folder
+WD=/case/working/folder && echo "WD=$WD" >> ~/.case.env
-EF=/case/working/folder/evidence/evidence.E01
+E=/case/working/folder/evidence/evidence.E01 && echo "E=$E" >> ~/.case.env
-# EF1+.. additional variables for evidence files
+</code>
+==== Disk Image basics ====
+<code bash>
+mmls -r $E
+sudo -E ~/.local/bin/imount -p -o ## $E
+# -p has 'pretty' & predictable folder name, fails if in use
+# new tab or crtl-z
+DISK_C=<imount_dir> && echo "DISK_C=$DISK_C" >> ~/.case.env
+</code>
+==== Start with plaso ====
+<code bash>
+docker run -it --rm --entrypoint=/bin/bash -v ./:/work log2timeline/plaso
+# docker run -it --rm --user :$(id -g) --entrypoint=/bin/bash -v ./:/work log2timeline/plaso
+# one step
+psteal.py --source /work/evidence/<filename> -o dynamic,json_line -w /work/data/plaso_#.json
+# two step
+log2timeline.py --storage-file /work/data/timeline.plaso /work/evidence/<filename>
+psort.py -o json_line -w /work/output/plaso_out.json /work/data/timeline.plaso
+#psort.py -o json_line -w /work/output/plaso_out.json /work/data/timeline.plaso
+cp output/plaso_out.json tools/splunk/import/
+cd tools/splunk
+docker compose up -d
+# -> localhost:8000, admin:password, settings->add->monitor->files->index_once->source_type=plaso
+</code>
+=== Extended disk image anaylsis ===
+<code bash>
+fsstat -o <offset> $E
+istat -o <offset> $E 5 # root node
+istat -o <offset> $E <inode from fsstat>
+fls -o <offset> -m C: -r $E > data/bodyfile
+mactime -b data/bodyfile -d -z UTC yyyy-mm-ddThh:mm:ss > output/disk_timeline.csv
+mactime -b data/bodyfile -d -z UTC yyyy-mm-ddThh:mm:ss..yyyy-mm-dd > output/disk_timeline.csv
+# dissect
+target-query -f hostname,domain,version,ips,install_date,timezone $E
+# much more useful for queries on multiple disks at once
+target-query -j -f services $E | jq -r '.name'
+# JSON output → jq
+target-query --list | grep -iE 'userassist|shimcache|amcache|services|powershell_history|browser.history'
 </code>

Tools

menus and quick search

quick search

site status

Page Tools

meta data for this page

Differences