Forensic Linux VM for Apple Silicon, ARM64 and x86-64 compatible platforms

0CM/BinaryBanditsForensicLab

BanditLab - Ubuntu based Linux VM for Digital Forensics

It was supposed to be a lightweight Linux distribution for digital forensics and incident response, but it kind of spiraled out of control.

Primarily focused on Apple Silicon and ARM64-based systems. The x86_64 architecture is now supported as well!

Prerequisites:

Multipass

Ubuntu Multipass is a tool developed by Canonical that allows users to create, manage, and configure lightweight virtual machines (VMs) on their local system, specifically designed for Ubuntu environments.

Installation:

Lab Deployment:

The following command will create a VM named BanditLab with 2GB of RAM and a 15GB disk.

  • You can adjust the VM name and hardware specifications according to your preferences.

Cloud-Init for the macOS or ARM architecture:

multipass launch -n BanditLab -m 2GB -d 15G --cloud-init https://github.com/0CM/BinaryBanditsForensicLab/raw/main/BanditLab-aarch64.yaml

Cloud-Init for the x86_64 architecture:

multipass launch -n BanditLab -m 2GB -d 15G --cloud-init https://github.com/0CM/BinaryBanditsForensicLab/raw/main/BanditLab-x86-64.yaml

Log into the VM:

multipass shell BanditLab

Stop the VM:

multipass stop BanditLab

Delete the VM:

multipass delete BanditLab
multipass purge

Share folder between the VM and host system:

multipass mount path/to/local/folder BanditLab:/home/ubuntu/DATA

To see files in the macOS folder, Full Disk Access for Multipass is required.

System Preferences > Security & Privacy Preferences > Full Disk Access

Alternatively, you can copy files to and from the VM with the transfer command.

Copy file FROM the VM to a host machine

multipass transfer BanditLab:/home/ubuntu/evidence/MFT.csv ./

Copy file TO the VM from a host machine

multipass transfer ./image.E01 BanditLab:/home/ubuntu/evidence
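The deployment and transfer steps above, combined into one script as an added example (not part of the BanditLab repository): it picks the cloud-init file for the host architecture reported by uname -m, launches the VM with the README's defaults, and hashes each evidence file on both sides of the transfer so a truncated or corrupted copy is caught before analysis starts. The VM name, sizes and cloud-init URLs come from the README; the BANDITLAB_DEPLOY guard and the helper names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the BanditLab project.
BASE_URL="https://github.com/0CM/BinaryBanditsForensicLab/raw/main"
VM_NAME="${VM_NAME:-BanditLab}"

# Map `uname -m` output to the matching cloud-init file from the README.
# Prints the URL; for an unsupported architecture prints nothing and returns 1.
banditlab_cloud_init_url() {
    case "$1" in
        arm64|aarch64) echo "$BASE_URL/BanditLab-aarch64.yaml" ;;
        x86_64|amd64)  echo "$BASE_URL/BanditLab-x86-64.yaml" ;;
        *) echo "unsupported architecture: $1" >&2; return 1 ;;
    esac
}

# Launch the VM with the README's defaults (2GB RAM, 15G disk).
deploy_banditlab() {
    url=$(banditlab_cloud_init_url "$(uname -m)") || return 1
    multipass launch -n "$VM_NAME" -m 2GB -d 15G --cloud-init "$url"
}

# SHA-256 of a host file; macOS ships shasum rather than GNU sha256sum.
host_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi | awk '{print $1}'
}

# Copy an evidence file into the VM and confirm the hash matches inside the guest.
transfer_and_verify() {
    src="$1"; dest_dir="${2:-/home/ubuntu/evidence}"
    local_hash=$(host_sha256 "$src")
    multipass exec "$VM_NAME" -- mkdir -p "$dest_dir"
    multipass transfer "$src" "$VM_NAME:$dest_dir/"
    remote_hash=$(multipass exec "$VM_NAME" -- sha256sum "$dest_dir/$(basename "$src")" | awk '{print $1}')
    if [ "$local_hash" = "$remote_hash" ]; then
        echo "OK  $local_hash  $(basename "$src")"
    else
        echo "HASH MISMATCH for $src (host $local_hash, guest $remote_hash)" >&2
        return 1
    fi
}

# Only deploy when explicitly asked, e.g.  BANDITLAB_DEPLOY=1 sh deploy.sh ./image.E01
if [ "${BANDITLAB_DEPLOY:-0}" = "1" ]; then
    deploy_banditlab && transfer_and_verify "$1"
fi
```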

Lab Help:

Run the alias command to get a list of shortcuts for running the custom tools.

alias

Forensics Tools:

  • EZTools - Eric Zimmerman's tools

    • JLECmd version 1.5.0.0 - Jump List parser
    • EvtxECmd version 1.5.0.0 - Event log (evtx) parser
    • LECmd version 1.5.0.0 - Lnk file parser
    • MFTECmd version 1.2.2.1 - $MFT, $Boot, $J, $SDS, $I30 parser
    • RBCmd version 1.5.0.0 - Recycle Bin artifact (INFO2/$I) parser
    • RECmd version 2.0.0.0 - Command line Registry tool
    • rla version 2.0.0.0 - Replay transaction logs and update Registry hives
    • RecentFileCacheParser version 1.5.0.0
    • SQLECmd version 1.0.0.0
    • SrumECmd version 0.5.1.0
    • WxTCmd version 1.0.0.0
    • bstrings version 1.5.2.0
  • SIDR - Github Repository

    • SIDR (Search Index DB Reporter) is a Rust-based tool designed to parse Windows search artifacts from Windows 10 (and prior) and Windows 11 systems.
  • MemProcFS - Github Repository

    • MemProcFS is an easy and convenient way of viewing physical memory as files in a virtual file system.
  • Timeliner - Github Repository

    • Timeliner uses a real expression engine to parse and apply BPF logic for filtering events by time.

SIGMA, YARA, IOC and other scanners:

  • Chainsaw - Github Repository

    • Chainsaw offers a generic and fast method of searching through event logs for keywords and of identifying threats using built-in support for Sigma detection rules as well as custom Chainsaw detection rules.
  • Hayabusa - Github Repository

    • Hayabusa is a fast Windows event log forensics timeline generator and threat hunting tool created by Yamato Security.
  • VT-CLI - Github Repository

    • VirusTotal Command Line Interface
  • Nikto - Github Repository

    • Nikto web server scanner
  • Nuclei - Github Repository

    • Fast and customisable vulnerability scanner based on simple YAML based DSL.
  • ioc-scanner - Github Repository

    • Cybersecurity and Infrastructure Security Agency IoC scanner
  • yara - Github Repository

    • Pattern matching Swiss knife for malware researchers

Sensitive Data / Secrets Scanners:

  • Nosey Parker - Github Repository

    • Nosey Parker is a command-line program that finds secrets and sensitive information in textual data.
  • Trufflehog - Github Repository

    • TruffleHog is an open-source secret scanning engine that detects and helps resolve exposed secrets across your entire tech stack.

Text Manipulation Tools:

Python Libs and Tools:

  • peepdf - Github Repository - tool to explore PDF files; it can parse different versions of a file, object streams and encrypted files.
  • pdfid - Github Repository - Didier Stevens’s tool to test a PDF file
  • dfir_ntfs - Github Repository - an NTFS/FAT parser for digital forensics & incident response
  • oletools - Github Repository - a package of Python tools to analyze Microsoft OLE2 files
  • hindsight - Github Repository - web artefacts and browsing history from Chromium-based web browsers
  • browserexport - Github Repository - web artefacts and browsing history from Chrome-based web browsers, Firefox, Safari and more.
  • windowsprefetch - Github Repository - Parser for Windows XP - Windows 10 Prefetch files
  • xlsxgrep - Github Repository - tool to search text in XLSX, XLS, CSV, TSV and ODS files.
  • flare-capa - Github Repository - capa detects capabilities in executable files. You run it against a PE, ELF, .NET module, shellcode file, or a sandbox report
  • DomainTools - Github Repository - the DomainTools Python API Wrapper provides an interface to work with cybersecurity and related data tools provided by Iris Investigate.

Optional Tools:

  • azure-cli - Github Repository - Azure Command-Line Interface

    • run installazurecli to install the package
  • gcloud-cli - Home Page - Google Cloud Command Line Interface

    • run installgcloudcli to install the package
  • PowerShell 7.4 - Home Page - Microsoft PowerShell

    • run installpwsh to install the package

Linux Packages:

  • aeskeyfind - tool for locating AES keys in a captured memory image
  • afflib-tools - Advanced Forensics Format Library (utilities)
  • binwalk - tool library for analyzing binary blobs and executable code
  • cewl - custom word list generator
  • dc3dd - patched version of GNU dd with forensic features
  • dislocker - read/write encrypted BitLocker volumes
  • dnsrecon - DNS enumeration script
  • ewf-tools - collection of tools for reading and writing EWF (E01) files
  • exifprobe - read metadata from digital pictures
  • extundelete - utility to recover deleted files from ext3/ext4 partition
  • fcrackzip - password cracker for zip archives
  • forensic-artifacts - knowledge base of forensic artifacts (data files)
  • forensics-colorize - show differences between files using color graphics
  • galleta - Internet Explorer cookie forensic analysis tool
  • getxattr - getxattr() retrieves the value of the extended attribute identified by name and associated with the given path in the file system.
  • hashdeep - recursively compute hashsums or piecewise hashings
  • pff-tools - utilities for MS Outlook PAB, PST and OST files
  • mc - MidnightCommander File Manager
  • recoverdm - recover files on disks with damaged sectors
  • scrounge-ntfs - Data recovery program for NTFS filesystems
  • sleuthkit - tools for forensics analysis on volume and filesystem data
  • ssdeep - recursive piecewise hashing tool
  • ext3grep - tool to help recover deleted files on ext3 filesystems
  • libimage-exiftool-perl - Exiftool - program to read and write meta information in multimedia files
  • unblob - an accurate, fast, and easy-to-use extraction suite. It parses unknown binary blobs for more than 30 different archive, compression, and file-system formats and extracts their content recursively.
  • binvis - project to visualize binary-file structures in unique ways
  • testdisk - partition scanner and disk recovery tool, and PhotoRec file recovery tool
  • chntpw - NT SAM password recovery utility
  • geoip-bin - IP lookup command line tools that use the GeoIP library
  • mblaze - UNIX utilities to deal with Maildir
  • mboxgrep - grep through mailboxes
  • pev - text-based tool to analyze PE files
  • tshark - network traffic analyzer - console version
  • unar - unarchiver for a variety of file formats
  • libvshadow-utils - libvshadow is a library to access the Volume Shadow Snapshot (VSS) format.
  • dotnet-runtime-6.0 - .NET runtime v6.0 for Linux
  • python3.12-venv - Python Virtual Environments
  • python3-pip - package installer for Python
  • tesseract-ocr - Tesseract 4 adds a new neural net (LSTM) based OCR engine
  • readpe - a toolkit designed to analyze Microsoft Windows PE (Portable Executable) binary files. Its tools can parse and compare PE32/PE32+ executable files (EXE, DLL, OCX, etc.) and analyze them for suspicious characteristics
  • parallel - GNU parallel is a shell tool for executing jobs in parallel using one or more computers.