Dissect
Overview
Dissect
is a digital forensics & incident response Python toolset that allows access and parsing of forensic artefacts from various disk and file formats.
Dissect supported targets
Dissect
supports the following targets:
Raw disk images and evidence containers (
.E01
).Virtual disks (
.vmdk
,.vhdx
, etc.).Virtual machine descriptor files (
.vmx
,.vmcx
, etc.). By using a VM descriptor file,dissect
will load the all the virtual disks associated with the VM.Local live systems (
\\.\PhysicalDrive0
,/dev/sda
, etc.)..tar
archives created byacquire
Directories, such as
KAPE
orvelociraptor
(KapeTargets
) collection outputs.
Dissect tools
Dissect
is composed of the following tools:
acquire
: to gather forensic artifacts from disk images or the live system.target-fs
: to interact with the filesystem of a target, using a set of familiar Unix commands.target-mount
: to mount the filesystem of a target to an arbitrary directory on the analysis machine (similar to themount
utility).target-query
: to parse data and artefacts from the specified target, mostly asrecords
outputs.target-reg
: to tool query the registry of Windows targets.rdump
: to interact and manipulatedissect
'srecords
outputs.
Installation
The dissect
toolset can be easily installed through Python3
's pip
:
python3 -m pip install dissect
python3 -m pip install acquire
acquire
acquire
can be used to extract artifacts either from the local system or the specified targets, and place the collected artefacts in a tar
archive (or output folder).
acquire
supports three levels of profiles, that specify the artefacts that will be collected depending on the target operating system: minimal
, default
, and full
.
# OUTPUT_TYPE: tar or dir
acquire -p <minimal | default | full> -o <OUTPUT_FOLDER> [-ot <OUTPUT_TYPE>] <TARGET | local>
target-fs
target-fs
can be used to interact with the filesystem of a target, to list or copy individual or multiple files from the target to the analysis destination.
target-fs <TARGET> <ls | cat | walk> <TARGET_DIR | TARGET_FILE>
target-fs <TARGET> cp <TARGET_DIR | TARGET_FILE> -o <OUTPUT_DIR>
target-query
target-query
can be used to parse artefacts from the target, often (but not always) resulting in dissect
's records
outputs. target-query
's records
can be converted to CSV
or JSON
outputs as well as filtered with rdump
.
Multiple artefacts sources are implemented, as target-query
's function
. The implemented functions can be listed using target-query -l
. The following notable functions are implemented:
Windows operating systems:
activitiescache
,amcache
,lnk
,evt
/evtx
,powershell_history
,prefetch
,recyclebin
,registry
(bam
,shimcache
, etc.),shellbags
,shimcache
,sru
,ual
,userassist
, etc.Filesystem:
mft
,usnjrnl
,walkfs
Linux / Unix operating systems:
bashhistory
,cronjobs
,dpkg
,audit
,btmp
,lastlog
,messages
,services
,ssh.authorized_keys
,ssh.known_hosts
,suid
Web browsers:
browser.history
(Chrome, Firefox, Edge, and Internet Explorer histories)remote access applications:
remoteaccess.remoteaccess
(AnyDesk and TeamViewer logs)Yara scans:
yara
# Example: target-query windows_vm.vmdk -f mft
target-query -f <FUNCTION> <TARGET>
# Retrieves basic information about the target operating system.
target-query -f hostname,domain,version,ips <TARGET>
# Outputs the records as JSON (only for functions that return records).
target-query -s --json -f <FUNCTION> <TARGET>
# Uses rdump to transform the records outputs as CSV or JSON.
# --multi-timestamp: deduplicate a record if it contains multiple timestamps to create a timeline.
target-query [--multi-timestamp] -f <FUNCTION> <TARGET> | rdump <--csv | --json | --jsonlines> [--fields <FIELDS_FOR_OUTPUT>]
# Example Linux functions.
target-query --multi-timestamp -f bashhistory,browser.history,capability_binaries,cronjobs,dpkg,audit,btmp,lastlog,messages,wtmp,services,ssh.authorized_keys,ssh.known_hosts,ssh.private_keys,suid <TARGET>
Last updated