BanditLab - Ubuntu based Linux VM for Digital Forensics
It was supposed to be a lightweight Linux distribution for digital forensics
and incident response, but it kind of spiraled out of control.
Primarily focused on the Apple Silicon and ARM64 based systems.
The X86_64 architecture is now supported as well!
Prerequisites:
Multipass
Ubuntu Multipass is a tool developed by Canonical that allows users to create, manage,
and configure lightweight virtual machines (VMs) on their local system,
specifically designed for Ubuntu environments.
Installation:
Lab Deployment:
The following command will create a VM named BanditLab with 2GB of RAM and a 15GB disk.
- You can adjust the VM name and hardware specifications according to your preferences.
Cloud-Init for the MacOS or ARM architecture:
multipass launch -n BanditLab -m 2GB -d 15G --cloud-init https://github.com/0CM/BinaryBanditsForensicLab/raw/main/BanditLab-aarch64.yaml
Cloud-Init for the X86_64 architecture:
multipass launch -n BanditLab -m 2GB -d 15G --cloud-init https://github.com/0CM/BinaryBanditsForensicLab/raw/main/BanditLab-x86-64.yaml
Log into the VM:
multipass shell BanditLab
Stop the VM:
multipass stop BanditLab
Delete the VM:
multipass delete BanditLab
multipass purge
Share folder between the VM and host system:
multipass mount path/to/local/folder BanditLab:/home/ubuntu/DATA
In order to see files in the macOS folder Full Disk access for Multipass is required.
System Preferences > Security & Privacy Preferences > Full Disk Access
Alternatively you can copy files to and from the VM via transfer command
Copy file FROM the VM to a host machine
multipass transfer BanditLab:/home/ubuntu/evidence/MFT.csv ./
Copy file TO the VM from a host machine
multipass transfer ./image.E01 BanditLab:/home/ubuntu/evidence
Lab Help:
Run the alias command to get a list of shortcuts for running the custom tools.
alias
Forensics Tools:
-
EZTools - Eric Zimmerman's tools
-
JLECmd version 1.5.0.0 - Jump List parser
-
EvtxECmd version 1.5.0.0 - Event log (evtx) parser
-
LECmd version 1.5.0.0 - Lnk file parser
-
MFTECmd version 1.2.2.1 - $MFT, $Boot, $J, $SDS, $I30 parser
-
RBCmd version 1.5.0.0 - Recycle Bin artifact (INFO2/$I) parser
-
RECmd version 2.0.0.0 - Command line Registry tool
-
rla version 2.0.0.0 - Replay transaction logs and update Registry hives
-
RecentFileCacheParser version 1.5.0.0
-
SQLECmd version 1.0.0.0
-
SrumECmd version 0.5.1.0
-
WxTCmd version 1.0.0.0
-
bstrings version 1.5.2.0
-
SIDR - Github Repository
- SIDR (Search Index DB Reporter) is a Rust-based tool designed to parse Windows
search artifacts from Windows 10 (and prior) and Windows 11 systems.
-
MemProcFS - Github Repository
- MemProcFS: MemProcFS is an easy and convenient way of viewing
physical memory as files in a virtual file system.
-
Timeliner - Github Repository
- Timeliner uses a real expression engine to parse
and apply the BPF logic to filter events based on the time.
SIGMA, YARA, IOC and other scanners:
-
Chainsaw - Github Repository
- Chainsaw offers a generic and fast method of searching through event logs
for keywords, and by identifying threats using built-in support for Sigma
detection rules, and via custom Chainsaw detection rules.
-
Hayabusa - Github Repository
- Hayabusa is a Windows event log fast forensics timeline generator
and threat hunting tool created by the Yamato Security.
-
VT-CLI - Github Repository
- VirusTotal Command Line Interface
-
Nikto - Github Repository
-
Nuclei - Github Repository
- Fast and customisable vulnerability scanner based on simple YAML based DSL.
-
ioc-scanner - Github Repository
- Cybersecurity and Infrastructure Security Agency IoC scanner
-
yara - Github Repository
- Pattern matching swiss knife for malware researchers
Sensitive Data / Secrets Scanners:
Text Manipulation Tools:
Python Libs and Tools:
-
peepdf - Github Repository - tool to explore
PDF files, it can parse different versions of a file, object streams and encrypted files.
-
pdfid - Github Repository
- Didier Stevens’s tool to test a PDF file
-
dfir_ntfs - Github Repository
- an NTFS/FAT parser for digital forensics & incident response
-
oletools - Github Repository
- oletools is a package of python tools to analyze Microsoft OLE2 files
-
hindsight - Github Repository
- web artefacts and browsing history from Chromium-based web browsers
-
browserexport - Github Repository
- web artefacts and browsing history from Chrome-based web browsers,Firefox, Safari and more.
-
windowsprefetch - Github Repository
- Parser for Windows XP - Windows 10 Prefetch files
-
xlsxgrep - Github Repository
- tool to search text in XLSX, XLS, CSV, TSV and ODS files.
-
flare-capa - Github Repository
- capa detects capabilities in executable files. You run it against a PE,
ELF, .NET module, shellcode file, or a sandbox report
-
DomainTools - Github Repository
- The DomainTools Python API Wrapper provides an interface to work with
cybersecurity and related data tools provided by the Iris Investigate.
Optional Tools:
-
azure-cli - Github Repository - Azure Command-Line Interface
- run
installazurecli
to install the package
-
gcloud-cli - Home Page - Google Cloud Command Line Interface
- run
installgcloudcli
to install the package
-
PowerShell 7.4 - Home Page - Microsoft PowerShell
- run
installpwsh
to install the package
Linux Packages:
-
aeskeyfind
- tool for locating AES keys in a captured memory image
-
afflib-tools
- Advanced Forensics Format Library (utilities)
-
binwalk
- tool library for analyzing binary blobs and executable code
-
cewl
- custom word list generator
-
dc3dd
- patched version of GNU dd with forensic features
-
dislocker
- read/write encrypted BitLocker volumes
-
dnsrecon
- DNS enumeration script
-
ewf-tools
- collection of tools for reading and writing EWF (E01) files
-
exifprobe
- read metadata from digital pictures
-
extundelete
- utility to recover deleted files from ext3/ext4 partition
-
fcrackzip
- password cracker for zip archives
-
forensic-artifacts
- knowledge base of forensic artifacts (data files)
-
forensics-colorize
- show differences between files using color graphics
-
galleta
- Internet Explorer cookie forensic analysis tool
-
getxattr
- getxattr() retrieves the value of the extended attribute identified
by name and associated with the given path in the file system.
-
hashdeep
- recursively compute hashsums or piecewise hashings
-
pff-tools
- utilities for MS Outlook PAB, PST and OST files
-
mc
- MidnightCommander File Manager
-
recoverdm
- recover files on disks with damaged sectors
-
scrounge-ntfs
- Data recovery program for NTFS filesystems
-
sleuthkit
- tools for forensics analysis on volume and filesystem data
-
ssdeep
- recursive piecewise hashing tool
-
ext3grep
- tool to help recover deleted files on ext3 filesystems
-
libimage-exiftool-perl
- Exiftool - program to read and write meta information in multimedia files
-
unblob
- unblob is an accurate, fast, and easy-to-use extraction suite. It parses unknown
binary blobs for more than 30 different archive, compression, and file-system
formats, extracts their content recursively.
-
binvis
- project to visualize binary-file structures in unique ways
-
testdisk
- partition scanner and disk recovery tool, and PhotoRec file recovery tool
-
chntpw
- NT SAM password recovery utility
-
geoip-bin
- IP lookup command line tools that use the GeoIP library
-
mblaze
- UNIX utilities to deal with Maildir
-
mboxgrep
- grep through mailboxes
-
pev
- text-based tool to analyze PE files
-
tshark
- network traffic analyzer - console version
-
unar
- unarchiver for a variety of file formats
-
libvshadow-utils
- libvshadow is a library to access the Volume Shadow Snapshot (VSS) format.
-
dotnet-runtime-6.0
- .NET runtime v 6.0 for Linux
-
python3.12-venv
- Python Virtual Environments
-
python3-pip
- package installer for Python
-
tesseract-ocr
- Tesseract 4 adds a new neural net (LSTM) based OCR engine
-
readpe
- readpe is a toolkit designed to analyze Microsoft Windows PE (Portable Executable)
binary files. Its tools can parse and compare PE32/PE32+ executable files (EXE,
DLL, OCX, etc), and analyze them in search of suspicious characteristics
-
parallel - GNU parallel is a shell tool for executing jobs in parallel using one or more computers.