Dissect

Overview

is a digital forensics & incident response Python toolset that allows access and parsing of forensic artefacts from various disk and file formats.

Dissect supported targets

Dissect supports the :

• Raw disk images and evidence containers (.E01).

• Virtual disks (.vmdk, .vhdx, etc.).

• Virtual machine descriptor files (.vmx, .vmcx, etc.). By using a VM descriptor file, dissect will load the all the virtual disks associated with the VM.

• Local live systems (\\.\PhysicalDrive0, /dev/sda, etc.).

• .tar archives created by acquire

• Directories, such as KAPE or velociraptor (KapeTargets) collection outputs.

Dissect tools

Dissect is composed of the following tools:

• : to gather forensic artifacts from disk images or the live system.

• : to interact with the filesystem of a target, using a set of familiar Unix commands.

• : to mount the filesystem of a target to an arbitrary directory on the analysis machine (similar to the mount utility).

• : to parse data and artefacts from the specified target, mostly as records outputs.

• : to tool query the registry of Windows targets.

• : to interact and manipulate dissect's records outputs.

Installation

The dissect toolset can be easily installed through Python3's pip:

python3 -m pip install dissect
python3 -m pip install acquire

acquire

acquire can be used to extract artifacts either from the local system or the specified targets, and place the collected artefacts in a tar archive (or output folder).

acquire supports three levels of profiles, that specify the artefacts that will be collected depending on the target operating system: minimal, default, and full.

# OUTPUT_TYPE: tar or dir

acquire -p <minimal | default | full> -o <OUTPUT_FOLDER> [-ot <OUTPUT_TYPE>] <TARGET | local>

target-fs

target-fs can be used to interact with the filesystem of a target, to list or copy individual or multiple files from the target to the analysis destination.

target-fs <TARGET> <ls | cat | walk> <TARGET_DIR | TARGET_FILE>

target-fs <TARGET> cp <TARGET_DIR | TARGET_FILE> -o <OUTPUT_DIR>

target-query

target-query can be used to parse artefacts from the target, often (but not always) resulting in dissect's records outputs. target-query's records can be converted to CSV or JSON outputs as well as filtered with rdump.

Multiple artefacts sources are implemented, as target-query's function. The implemented functions can be listed using target-query -l. The following notable functions are implemented:

• Windows operating systems: activitiescache, amcache, lnk, evt / evtx, powershell_history, prefetch, recyclebin, registry (bam, shimcache, etc.), shellbags, shimcache, sru, ual, userassist, etc.

• Filesystem: mft, usnjrnl, walkfs

• Linux / Unix operating systems: bashhistory, cronjobs, dpkg, audit, btmp, lastlog, messages, services, ssh.authorized_keys, ssh.known_hosts, suid

• Web browsers: browser.history (Chrome, Firefox, Edge, and Internet Explorer histories)

• remote access applications: remoteaccess.remoteaccess (AnyDesk and TeamViewer logs)

• Yara scans: yara

# Example: target-query windows_vm.vmdk -f mft
target-query -f <FUNCTION> <TARGET>

# Retrieves basic information about the target operating system.
target-query -f hostname,domain,version,ips <TARGET>

# Outputs the records as JSON (only for functions that return records).
target-query -s --json -f <FUNCTION> <TARGET>

# Uses rdump to transform the records outputs as CSV or JSON.
# --multi-timestamp: deduplicate a record if it contains multiple timestamps to create a timeline.
target-query [--multi-timestamp] -f <FUNCTION> <TARGET> | rdump <--csv | --json | --jsonlines> [--fields <FIELDS_FOR_OUTPUT>]

# Example Linux functions.
target-query --multi-timestamp -f bashhistory,browser.history,capability_binaries,cronjobs,dpkg,audit,btmp,lastlog,messages,wtmp,services,ssh.authorized_keys,ssh.known_hosts,ssh.private_keys,suid <TARGET>