[forensic-disk] forensic tips for disk analysis #bash #malware #forensic #tips #disk

forensic-disk-info.md

file

file ${file} # show informations

fdisk

fdisk -x ${file} # show informations

qemu-img

qemu-img info ${file} # show informations on virtual disk

guestfish

guestfish --rw -a $file
run
list-filesystems

qemu-nbd

sudo modprobe nbd
sudo qemu-nbd -c /dev/nbd0 ${file} -f qcow2
sudo fdisk /dev/nbd0 -l
sudo qemu-nbd -d /dev/nbd0

parted

parted ${file}
print

losetup

losetup -a # show mounted devices in /dev/loopX # show mounted loop devices

forensic-disk-mount.md

guestmount / guestunmount

guestmount --add %f --mount /dev/sda1 /vms/data
guestunmount /vms/data

qemu-nbd

mount

sudo modprobe nbd
sudo qemu-nbd -c /dev/nbd0 ${file} -f qcow2
sudo fdisk /dev/nbd0 -l
sudo mount /dev/nbd0p1 /vms/data
sudo umount /vms/data
sudo qemu-nbd -d /dev/nbd0

mount

# get offset in bytes with info.md
sudo mount -o ro,loop,offset=$((1126400*512)) ${file} /mnt # mount disk partition with the partition offset
sudo mount -o ro,loop,offset=$((1126400*512)) ${file} /mnt # mount disk partition with the partition offset
sudo umount /mnt # umount disk

losetup

sudo losetup --find --show ${file} # mount disk in /dev/loopX and show /dev/loopX
sudo losetup --find --show --offset ${offset} ${file} # mount partition/disk with offset in /dev/loopX and show /dev/loopX
sudo losetup -d /dev/loopX # umount disk