
Summary:

Automating forensic artifact extraction, reduction, and analysis of cold disk and memory images. So far it has only been tested on NTFS .E01 disk images. This tool essentially automates the data collection and processing for the majority of what is taught in SANS FOR508, and then some.

fTriage leverages dozens of popular open source tools to triage suspect memory and disk images. Each module automates a step in the investigation that an analyst would otherwise perform manually. A wrapper (ftriage.sh) executes collections of these modules, called modlists. There is no limit to how many modules you can run at once, but some naturally need to run before others; see the "Recommended Usage" section for example usage of the prebuilt modlists.

NOTE: This suite is being built on, and developed for use with, the SANS SIFT Workstation. If you install every tool it depends on it will work on other Linux distros, but I recommend downloading the VM.

Setup:

  1. Install dependencies:

       sudo ./dependencies.sh

  2. Download the NSRL hashlist, unless you will provide your own known-good set via a baseline build + md5deep:

       cd ./conf/nsrl/
       ./pull.sh
       unzip rds_modernm.zip -d ./rds_modernm
       ./build_nsrl_idx.sh

  3. (OPTIONAL) Set up a shared host directory using VMware.

     NOTE: It is unwise to share your output directory with the host: if fTriage carves out malware samples, you do not want them exposed to your host. The shared directory is meant for easily passing timelines and other benign forensic artifacts to Windows analysis tools. I also tend to place my disk and memory images in this directory.

     Create a directory in the desired location on the host, then share it with the SIFT guest by focusing the VM and selecting VM --> Settings --> Options --> Shared Folders.

  4. Edit ./conf/ftriage.conf and make sure all variables have been filled in.

  5. Run modules individually, or in batches using ftriage.sh with modlists.

  6. (OPTIONAL) Download 3rd party tools. These tools are not yet integrated with fTriage, but they will be eventually, and the scripts are convenient shortcuts so you do not need to browse to the download sites:

     NOTE: pescan requires a license from TZWorks; you can request one by emailing "info@tzworks.net" or filling out the "demo" form at "https://www.tzworks.net/store/product_page.php".

       cd ./3rd_party/
       ./wget_pescan.sh
       ./wget_autoruns.sh
       ./wget_sigcheck.sh
       cp ~/<license> ./pescan*-*
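
The NSRL step exists for known-good reduction: every file on the image whose hash appears in a trusted hash set can be dropped before an analyst looks at anything, which is what keeps a 30-80GB acquisition reviewable. The following is an added example of that reduction in shell; it is not fTriage's own code. It assumes hashlists in the "md5  path" form that md5deep and md5sum emit, uses md5sum as a stand-in for md5deep, accepts a known set whose first column is a hex MD5 in either case (NSRL RDS lists hashes in upper case), and builds its own constructed sample files rather than reading a real RDS.

```shell
#!/usr/bin/env bash
# Known-good hash reduction (added illustration, not part of fTriage).
# Assumptions: hashlists are "md5  path" lines as md5deep/md5sum emit; the known
# set is any text whose first column is a hex MD5 (e.g. the MD5 column of NSRL
# RDS, or a baseline hashlist of a clean install). Hash case is normalised, so an
# upper-case NSRL set still matches lower-case md5sum output.
set -e

# Hash every regular file under directory $1 into "md5  path" lines.
# md5sum stands in for "md5deep -r"; "-exec ... +" copes with empty trees and
# with paths containing spaces.
build_hashlist() {
    find "$1" -type f -exec md5sum {} +
}

# Reduce one or more hashlists (or stdin) to one lower-case MD5 per line, sorted.
# md5sum prefixes a backslash to the line when the path contains a backslash or
# newline; strip it so the hash still compares equal.
build_known_set() {
    awk '{ h = tolower($1); sub(/^\\/, "", h); print h }' "$@" | sort -u
}

# Print the entries of hashlist $1 whose hash is NOT in known set $2.
# "FILENAME == ARGV[1]" is used instead of the usual NR==FNR idiom on purpose:
# with an empty known set NR==FNR stays true into the second file and would
# silently treat every image hash as known, i.e. drop everything.
reduce_hashlist() {
    awk '{ h = tolower($1); sub(/^\\/, "", h) }
         FILENAME == ARGV[1] { known[h] = 1; next }
         !(h in known)' "$2" "$1"
}

# Number of entries that survive reduction, for a quick "how much is left".
count_unknown() {
    reduce_hashlist "$1" "$2" | wc -l | tr -d ' '
}

# Self-contained demo on constructed data: a "gold" clean install and a suspect
# image that shares one file with it and adds one it should not have.
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/gold/Windows/System32" "$work/image/Windows/System32"
    printf 'calc v1\n' > "$work/gold/Windows/System32/calc.exe"
    printf 'calc v1\n' > "$work/image/Windows/System32/calc.exe"
    printf 'not calc\n' > "$work/image/Windows/System32/svch0st.exe"
    build_hashlist "$work/gold" | build_known_set > "$work/known.txt"
    build_hashlist "$work/image" > "$work/image_hashes.txt"
    # Only the svch0st.exe line survives; calc.exe is known-good and dropped.
    reduce_hashlist "$work/image_hashes.txt" "$work/known.txt"
    rm -rf "$work"
}
```

Calling demo prints the single line for svch0st.exe. The same reduce_hashlist call works against a baseline you build yourself from a clean install of the same Windows build, which catches far more than NSRL alone on a tightly managed image.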

Recommended Usage:

NOTE: Each bulk acquisition will probably generate 30-80GB of content; keep that in mind when choosing an output location.
NOTE: This will probably be wrapped into one script eventually, but spelling the steps out helps visualize the process. The && chain stops at the first failing stage, so a later stage never runs against incomplete output.

  ./ftriage.sh ./conf/ftriage.conf ./modlists/bulk.conf &&
  ./modules/analysis/aggregate_carved_exes.sh ./conf/ftriage.conf &&
  ./ftriage.sh ./conf/ftriage.conf ./modlists/process_files.conf &&
  ./modules/analysis/analyze_density_results.sh ./conf/ftriage.conf
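
The chain above is what a modlist wrapper does for you: run modules in dependency order and stop as soon as one fails, so a later stage never consumes partial output. The following is an added illustration of that pattern in shell; it is not ftriage.sh and does not use its real modlist format. It assumes a hypothetical modlist of one module path per line with "#" comments, modules that take the config file as their only argument, and a state directory of ".done" markers so a crashed multi-hour run can be resumed where it stopped.

```shell
#!/usr/bin/env bash
# Minimal modlist runner (added illustration of the wrapper pattern, not ftriage.sh).
# Assumptions (hypothetical, not fTriage's real format): a modlist holds one module
# path per line with '#' comments; each module takes the config file as its only
# argument; modules are listed in dependency order. The runner executes them top to
# bottom, stops at the first failure so a later stage never reads partial output,
# and drops a ".done" marker per module so an interrupted run can be resumed.
set -e

# Print the module paths of modlist $1: comments, blank lines and surrounding
# whitespace removed, one module per line, in the order they appear.
parse_modlist() {
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d' "$1"
}

# run_modlist CONF MODLIST STATE_DIR
# Returns 0 when every module ran (or was already marked done), 1 at the first
# missing, non-executable or failing module, without running anything after it.
run_modlist() {
    conf=$1; modlist=$2; state=$3
    mkdir -p "$state"
    parse_modlist "$modlist" > "$state/modlist.parsed"
    # Read from a file rather than a pipeline so "return" leaves this function
    # instead of a subshell that the caller would never see fail.
    while IFS= read -r module; do
        # Marker name derived from the full path, so two modules that share a
        # basename in different directories (disk/ vs memory/) cannot collide.
        marker="$state/$(printf '%s' "$module" | tr '/' '_').done"
        if [ -e "$marker" ]; then
            echo "skip $module (marked done in $state)"
            continue
        fi
        if [ ! -x "$module" ]; then
            echo "error: $module is missing or not executable; aborting modlist" >&2
            return 1
        fi
        echo "run  $module $conf"
        # stdin from /dev/null so an interactive module cannot swallow the modlist.
        if "$module" "$conf" </dev/null; then
            : > "$marker"
        else
            echo "error: $module exited non-zero; aborting modlist" >&2
            return 1
        fi
    done < "$state/modlist.parsed"
}

# Usage: run_modlist ./conf/ftriage.conf ./modlists/bulk.conf ./state/bulk
```

Re-running the same command after a fix resumes at the failed module, because everything before it already has a marker; delete the state directory to force a full re-run against a fresh image.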

ftriage.sh (wrapper for running an array of modules & scripts):

Modules (targeted scripts):

Disk:

Memory:

Hybrid:

Analysis:

Custom:

Devtools:

Notes:

Suite is still under development, but coming along quickly!