So in order to run that MD5 command, the first thing that you're going to want to do is open up a command prompt from your forensic machine, and you can see it there running as administrator.
So now that we have that set up, we would essentially navigate to where we have our MD5 program. I also have one on my desktop, and we have one here on this H drive; go into the MD5 folder, I think it's one more level down, and then we would essentially want to run the 64-bit MD5 .exe, since we're on a 64-bit system, and we're going to want to hash this Enola *** file up here that is on the E drive. So we would essentially tell it to hash that file.
So here we have the directory where our md5.exe program is, and then we have the file that we want to hash, the Enola ***.mem, and then we hit enter. Just to save some time, I've already done this, and it produces a result that looks like this. So here is our file, the H drive file, here is the Enola ***.mem, and this essentially is the hash of that. So you would want to go ahead and export that out to Notepad and then copy that over to your notes. That way you have the integrity of that file throughout the course of your investigation.
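The hash-and-record step described above, as an added example that is not the lecture's MD5 tool or any code from the course: a Python script that streams a memory image through a hasher, appends the digests to a notes file, and later re-hashes the image against what was recorded. It assumes the image is an ordinary file on the forensic workstation; the file and notes used here are constructed inline in a temporary directory, and the function and file names are my own. It records SHA-256 alongside MD5 because MD5 collisions are practical, so an MD5 alone is a weak integrity record even though it is what the tool in the lecture produces.

```python
"""Hash an acquired memory image and record the digests in the investigation notes.

Added example, not the lecture's own tool or code. It assumes the image is a file
on the forensic workstation (here a small constructed file stands in for the .mem).
"""
import datetime
import hashlib
import os
import tempfile
from pathlib import Path

CHUNK_SIZE = 1024 * 1024  # stream 1 MiB at a time; real images are many GB


def hash_file(path, algorithms=("md5", "sha256")):
    """Return {algorithm: hexdigest} for the file, reading it exactly once."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK_SIZE), b""):
            for hasher in hashers.values():
                hasher.update(chunk)
    return {name: hasher.hexdigest() for name, hasher in hashers.items()}


def record_hashes(image_path, notes_path, label="acquisition"):
    """Append one line per algorithm to the notes file (the Notepad step in the lecture)."""
    digests = hash_file(image_path)
    stamp = datetime.datetime.now(datetime.timezone.utc).isoformat(timespec="seconds")
    size = os.path.getsize(image_path)
    with open(notes_path, "a", encoding="utf-8") as notes:
        for name, hexdigest in digests.items():
            notes.write(f"{stamp} {label} {Path(image_path).name} size={size} {name}={hexdigest}\n")
    return digests


def verify_against_notes(image_path, notes_path):
    """Re-hash the image and compare with every digest recorded for that file name.

    Returns True only if at least one recorded digest was found and none mismatched,
    so a missing note and a modified image both fail the check.
    """
    current = hash_file(image_path)
    wanted = Path(image_path).name
    matched = 0
    with open(notes_path, encoding="utf-8") as notes:
        for line in notes:
            parts = line.split()
            if len(parts) < 5:
                continue
            # Layout: stamp label <name, possibly with spaces> size=N algo=hex
            name = " ".join(parts[2:-2])
            algorithm, _, recorded = parts[-1].partition("=")
            if name != wanted or algorithm not in current:
                continue
            if current[algorithm] != recorded:
                return False
            matched += 1
    return matched > 0


def run_demo(content=b"abc"):
    """Exercise the workflow on a constructed stand-in image and return the outcomes."""
    with tempfile.TemporaryDirectory() as tmp:
        image = Path(tmp) / "sample.mem"
        notes = Path(tmp) / "notes.txt"
        image.write_bytes(content)  # constructed sample, not a real memory image
        digests = record_hashes(image, notes)
        intact = verify_against_notes(image, notes)
        image.write_bytes(content + b"\x01")  # simulate a modified image
        tampered = verify_against_notes(image, notes)
    return {"digests": digests, "intact": intact, "after_modification": tampered}


if __name__ == "__main__":
    print(run_demo())
```

Running the script prints the digests of the constructed sample, `intact: True` for the untouched file and `after_modification: False` once a byte is appended. The chunked read matters on real images: a multi-gigabyte .mem must not be pulled into memory on the analysis box that is itself under investigation constraints.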
So those are just a couple of different ways to look at some of the volatile memory, and as I promised, I will go into Mandiant Redline as well, just so you can see what that looks like.
So we'll close some of these windows out, and then we will open up the Mandiant Redline program. To get Mandiant Redline, one of the things that you can do is go to the website, and from there you can fill out your personal information and click download, and you will receive a copy of Mandiant's Redline. It's a pretty powerful piece of software: it allows you to collect that volatile memory and do that analysis in kind of a one-stop shop, and I like free. So we've already got Mandiant Redline installed on our desktop, so we'll just go ahead and launch that.

Once you launch Redline, you come up with a few options to choose from. You can create a standard collector, you can create a comprehensive collector, or you can create an IOC search collector. Just for demonstration purposes, we're going to create a standard collector, and as you look at this, it gives you a couple of options. You can go in and edit your script.
So when looking at memory, it will essentially look at all of these different options that you select, and then you can go down and ask for different hash values for all of these different processes. It will also acquire a memory image if you so choose; again, it will take a little bit of time, and that's something to keep in mind when you select it, especially on a machine that has a large amount of RAM. You can look at the disk and choose different options under the disk tab, you can look at the system, and then you can go over to network, and then the other tab has some other types of searches that you may want to do. So those were just some basic searches. It really depends on what you're looking for and how you would want to set this tool up, but it is again a very powerful tool for searching.
So after that, you would then want to save this collector to a location. We could save this to our forensic thumb drive if we wanted to, and then put that into our victim's system and essentially run the capture program in order for it to work. So we will just create a folder on the forensic thumb drive if we have to, so we'll just create a new folder and call it Redline so we know what it is. And then click OK, and it creates that portable collector package. It gives you instructions saying that your collector package is created and saved to that location where we specified on our thumb drive.
And then on the machine that we want to audit or collect from, you're going to run the RunRedlineAudit.bat script, and they say preferably on removable media. The script will run, and then it's going to create essentially the results: Session 1, 2, 3, however many sessions that you have going or have analyzed; it will just append a new number on the back of that. And then when it's finished, you can transfer the results back to our analysis machine, and then we can go back in and look at the files and folders that we have.

On the forensic drive where we saved it, we can see that we now have the folder called Redline, and that we do have a RunRedlineAudit batch file. And then once we insert that into our victim machine, we could run the Redline program, and then it would essentially execute and produce some results for us to look at. So I've already done this just to save some time, because it is quite time consuming for that process to run, and we will go ahead and look at some of these examples.
So one of the examples that I ran was this Analysis Session 3, so we could just go ahead and pull that up, and it will take all of the information that we had on our system. I ran it on my own system. So it essentially will identify the system here: it says that we're running Windows 10 Professional, the domain is a workgroup, the host name is Little Boy, and the primary IP address is my internal IP address of 192.168... So that gives you all of that information. Click on this and then it essentially just provides an overall view of the system, so it provides how much physical memory we have, it provides the time zone that our system is in, the identity of the processor, how many drives we have in, again the operating system, system directories, product IDs, how many bits it is, and the type of user that's logged in.
So again, a very powerful tool. You can look at the services that you have running, some of the registry keys, the persistent registry information, and then you can scroll down through and look at event logs, DNS history, browser history. So again, it's a very powerful tool, and it makes the analysis of this data very easy. I like it a lot; I use it whenever I can. However, this shouldn't be your primary go-to method every single time, because, like any tool, something can go wrong, and it will go wrong, so knowing how to do some of these other methods is very important.
So once you have this, this is essentially the dump file that we created earlier. If the analysis portion were to fail, you could go back in and use Python scripting to essentially look at your .mem file and get a little bit more information through the use of Volatility, so that is an option. However, the Mandiant Redline program will also look at that .mem file. So again, there are numerous options on how to go about doing this process. It's good to know more than one option, and it's good to use more than one tool when you're doing your forensic investigation. That way you can go and correlate some of the answers that you get, and some tools just provide different information than other tools can provide, and some of them just have better user interfaces. So again, don't just stick with one tool; there are literally hundreds of tools out there,