
Forensics: Formats and bulk_extractor

Feb 24, 2021
9:10

Lab 0x04 - Working with Forensic Formats, Scripting Jobs, bulk_extractor, and Data Analysis
Copyright 2021 Paul W. Poteete

Overview

The student will be exposed to two new forensic disk formats: AFF (Advanced Forensic Format) and E01 (Expert Witness Format). They will also be required to convert the formats to raw images, process the images, and collect data from the images.

Part 1 - Convert Data from Expert Witness and Advanced Forensic Format to RAW

Install and inspect the EWF and AFF tools:

    sudo apt-get install ewf-tools afflib-tools

Convert the files.

Individual images:

    affconvert -r Drive03_Clampet.aff
    ewfexport -S0 -o0 -B0 -f raw -t Drive01_ADP Drive01_ADP.E01

Scripted (AFF):

    for var_file in *.aff; do affconvert -r "$var_file"; done

Scripted (E01; the target name is the source name with the .E01 suffix removed):

    for var_old in *.E01; do var_new=$(basename "$var_old" .E01); ewfexport -S0 -o0 -B0 -f raw -t "$var_new" "$var_old"; done

Part 2 - Recover Information Using foremost

Individual images:

    foremost -qvdi Drive01_ADP.raw -o Drive01_ADP.foremost

Scripted (the output directory is the image name with .raw replaced by .foremost):

    for var_file in *.raw; do var_dir="${var_file%.raw}.foremost"; foremost -qvdi "$var_file" -o "$var_dir"; done

Part 3 - Recover Information Using bulk_extractor

Individual images:

    bulk_extractor -o Drive03_Clampet.bulk Drive03_Clampet.raw

Scripted (the output directory is the image name with .raw replaced by .bulk):

    for var_file in *.raw; do var_dir="${var_file%.raw}.bulk"; bulk_extractor -o "$var_dir" "$var_file"; done

Part 4 - Process bulk data using the Linux CLI

    cd Drive03_Clampet.bulk/
    cat sin.txt
    cat telephone.txt
    cat url_searches.txt

Command summary: cat, grep, sort, uniq, awk, rev, wc
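As an added example, not part of the lab handout, the script below applies the Part 4 toolset (grep, awk, sort, uniq, wc) to a bulk_extractor feature file such as telephone.txt. It assumes the standard feature-file layout (header lines starting with '#', then one hit per line as byte offset, feature and context separated by tabs) and builds a constructed telephone.txt sample when run without an argument.

```shell
#!/bin/sh
# Added example: summarise a bulk_extractor feature file. bulk_extractor
# writes one hit per line as  <byte offset> TAB <feature> TAB <context>
# after header lines that start with '#'. Point it at a real telephone.txt.

# Write a constructed telephone.txt (not real case data) to the path in $1.
write_sample_telephone() {
    {
        printf '%s\n' '# Feature-Recorder: telephone' '# Filename: constructed-sample.raw'
        printf '%s\t%s\t%s\n' 12345 '(555) 123-4567' 'call (555) 123-4567 today'
        printf '%s\t%s\t%s\n' 67890 '(555) 123-4567' 'support: (555) 123-4567'
        printf '%s\t%s\t%s\n' 11111 '555-987-6543'   'fax 555-987-6543 only'
        printf '%s\t%s\t%s\n' 22222 '(555) 123-4567' 'cell (555) 123-4567'
    } > "$1"
}

# Column 2 (the feature) of every non-comment line in feature file $1.
feature_values() {
    grep -v '^#' "$1" | awk -F'\t' 'NF >= 2 { print $2 }'
}

# "count TAB feature" per distinct feature, most frequent first.
feature_histogram() {
    feature_values "$1" | sort | uniq -c | sort -rn |
        awk '{ n = $1; sub(/^ *[0-9]+ /, ""); print n "\t" $0 }'
}

# The single most frequent feature (e.g. the number dialled most often).
top_feature() {
    feature_histogram "$1" | head -n 1 | cut -f2-
}

# Number of distinct features, as a bare integer.
count_distinct() {
    feature_values "$1" | sort -u | wc -l | tr -d ' '
}

# Usage: sh feature_summary.sh Drive03_Clampet.bulk/telephone.txt
# With no argument the constructed sample is summarised instead.
main() {
    if [ "$#" -gt 0 ]; then
        feature_histogram "$1"
    else
        tmp=$(mktemp) || return 1
        write_sample_telephone "$tmp" && feature_histogram "$tmp"
        rm -f "$tmp"
    fi
}
main "$@"
```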

