Plaso

Verify E01 image using ewfacquire

Since the other Windows-based processes have included image verification, we'll include the use of ewfverify to verify our E01 set.

$ sudo apt install ewf-tools

user@df:~/cases/26038642$ ls -lah
total 11G
drwxrwxr-x 2 user user 4.0K Jul  7 11:37 .
drwxrwxr-x 3 user user 4.0K Jul  7 11:36 ..
-rw-rw-r-- 1 user user 1.5G Jul  5 12:04 20240212-decrypted-Windows_Server_2022.E01
-rw-rw-r-- 1 user user 1.5G Jul  5 12:04 20240212-decrypted-Windows_Server_2022.E02
-rw-rw-r-- 1 user user 1.5G Jul  5 12:04 20240212-decrypted-Windows_Server_2022.E03
-rw-rw-r-- 1 user user 1.5G Jul  5 12:04 20240212-decrypted-Windows_Server_2022.E04
-rw-rw-r-- 1 user user 1.5G Jul  5 12:04 20240212-decrypted-Windows_Server_2022.E05
-rw-rw-r-- 1 user user 1.5G Jul  5 12:04 20240212-decrypted-Windows_Server_2022.E06
-rw-rw-r-- 1 user user 1.4G Jul  5 12:04 20240212-decrypted-Windows_Server_2022.E07

You only have to specify the first of the E01 segments to verify the entire spanned set.

user@df:~/cases/26038642$ ewfverify 20240212-decrypted-Windows_Server_2022.E01
ewfverify 20140807

Verify started at: Jul 07, 2024 12:11:05
This could take a while

Verify completed at: Jul 07, 2024 12:17:48

Read: 50 GiB (53687091200 bytes) in 6 minute(s) and 43 second(s) with 127 MiB/s (133218588 bytes/second).

MD5 hash stored in file:                9a982399621826a66ff322cc87376e76
MD5 hash calculated over data:          9a982399621826a66ff322cc87376e76

ewfverify: SUCCESS

We can see the result is the data set was verified. The hash also matches the result of FTK Imager's verification process.

Setup and use log2timeline/plaso in Docker

I try to use Docker containers where I can. It helps me separate case files and reduce errors caused by software/version dependencies. You can use plaso on its own, but in this guide we'll use it in a Docker container.

Follow these steps to pull the required plaso container and verify that it's working.

One consideration with using Docker is accessing data stored on the host from within the container itself. I want to generate a super timeline (all of the parsers) for the entire E01. Take the following command for example (this is one line, it's just wrapped)

Let's break this command down;

docker run(we're invoking Docker)

-v /home/user/cases/26038642/:/data/ (we're mapping the folder /home/user/cases/26038642 on the host, to /data/ in the container)

log2timeline/plaso (the container we want to run)

log2timeline.py --storage-file /data/26038642.plaso (the command/file we're executing (log2timeline.py) along with the name/location of the file we want to store our data in)

/data/20240212-decrypted-Windows_Server_2022.E01 (our data source - which for E01s, can be the first E01 of the set)

If you execute this, you may see the following error;

As the error suggests, there are more than 1 partitions in the image. We can either append--partitions all and process all, or we can specify a specific partition. Let's quickly identify which partition we want to inspect.

So our entire command becomes;

It should start processing your image. The amount of time it takes to process is entirely dependent on the specs of your machine.

The resultant file is a 6.3GB SQLite database

Before we convert this SQLite database to a CSV, we need to use a processing option to convert our times to the local time of the victim system. Export the HKLM\SYSTEM hive from the E01 (using FTK Imager or similar) and inspect the following key;

SYSTEM\CurrentControlSet\Control\TimeZoneInformation\TimeZoneKeyName

In the above image, it's 'GMT Standard Time' which is UTC+0. We don't need to change anything when we process our image to adjust the time offset.

We can run the following command to generate a CSV of all events, using the dynamic processing option.