Thursday, 30 January 2014

Make a 'Forensics To Go' 32GB USB Flash drive

If you have a 32GB or larger USB pen and want a ready-made 'Forensic' multiboot USB Flash drive, try the (virtual disk) image provided on 'Hacking Exposed' by David Cowen\Kevin Stokes.  Download is here.


This USB disk image contains two FAT32 partitions, with XBOOT installed ISOs of...
  • SIFT 2.14
  • Kali Linux
  • Paladin 5
  • Raptor 3
on a hidden 2nd partition, and 4GB-worth of the following portable apps and tools on the first partition (which is visible to Windows):

Documents
analyzing-malicious-document-files.pdf
log2timeline-cheatsheet.pdf
Memory-Forensics-Cheat-Sheet-v1.pdf
Network Forensics Cheat Sheet.pdf
SANS-DFIR-Poster-2012.pdf
sbag.users.guide.v.0.24.pdf
SIFT Cheat Sheet and DFIR Curriculum.pdf
USB-Device-Tracking-Artifacts.pdf


Linux Tools
TZworks_64bit
TZworks_32bit
Truecrypt


Mac Tools
FortiClient_Installer.dmg
nmap-6.40-2.dmg
TrueCrypt 7.1a Mac OS X.dmg
TZworks


Portable Apps
PortableApps.com
2XClient
7-ZipPortable
AbiWordPortable
AntRenamerPortable
AutorunsPortable
BabelMapPortable
cdrtfePortable
ClamWinPortable
CommandPromptPortable
ConverberPortable
CrystalDiskInfoPortable
CubicExplorerPortable
DaphnePortable
DatabaseBrowserPortable
EraserPortable
EraserDropPortable
Explorer++Portable
FileAlyzerPortable
FileZillaPortable
FoxitReaderPortable
FrhedPortable
GetSudokuPortable
GoogleChromePortable
grepWinPortable
HDHackerPortable
HijackThisPortable
HWiNFOPortable
InfraRecorderPortable
IniTranslatorPortable
IrfanViewPortable
JkDefragPortable
KasperskyTDSSKillerPortable
KchmViewerPortable
KeePassPortable
KeepNotePortable
KiTTYPortable
McAfeeStingerPortable
Monster2Portable
CamStudioPortable
ChecksumControlPortable
ConvertAllPortable
DiffpdfPortable
Notepad++Portable
PasswordGorillaPortable
PeerBlockPortable
PidginPortable
ProcessExplorerPortable
ProcessHackerPortable
ProcessMonitorPortable
PuTTYPortable
PWGenPortable
RegshotPortable
SIWPortable
SkypePortable
SmartDefragPortable
SpybotPortable
SQLiteDatabaseBrowserPortable
SqlitemanPortable
StickiesPortable
SumatraPDFPortable
SystemExplorerPortable
TeamViewerPortable
ThunderbirdPortable
Toucan
UUID-GUIDGeneratorPortable
VLCPortable
WhoDatPortable
WindowsErrorLookupToolPortable
winMd5SumPortable
WinMTRPortable
WinSCPPortable
WiseDiskCleanerPortable
WiseProgramUninstallerPortable
WiseRegistryCleanerPortable
xpyPortable
CppcheckPortable
KompoZerPortable
NetHackPortable
PeaZipPortable
qBittorrentPortable
RevoUninstallerPortable
PortableApps.comLauncher

Windows Tools
volatility-2.3.1.standalone.exe
WiresharkPortable-1.10.5.paf.exe
Imager_Lite_3.1.1
NirSoft Tools
Password Tools
rrv2.8
Scalpel-2.0
SysinternalsSuite
Tools that require Install
TZworks 32bit
TZworks 64bit
USB Write - EnableProtect
Woanware



To make this USB Flash drive

You need a 32GB or larger USB drive.
1. Download the 8GB (!) USB_Multiboot.zip file from the blog here or the updated image here.
2. Extract the 30GB 'USB image for download.img' file to your system hard disk using 7Zip (or similar utility)
3. Run RMPrepUSB and insert your 32GB (or larger) USB Flash drive
Select the 32GB USB Flash drive in the top drive selection box and click on the File->Drive button.
Enter 1SEC for the file start sector (see screenshot), 0 for the USB start sector and 0 for the length.
After 10 -30 minutes you will have a bootable USB flash drive.

The image is from a 32GB USB Flash drive made using XBOOT. If you wish to add more files to it using XBOOT, you can must first change the partition order over as follows:

1. Run RMPrepUSB and select the 32GB drive
2. Type CTRL-O and select partition 2 when prompted

This will swap over the partitions and make visible the XBOOT 1st FAT32 partition containing the (modified) ISO files:
  • fdraptor.iso
  • hirensbootcd.iso
  • paladin.iso
  • siftworkstationrevusb.iso
You should now be able to run XBOOT and modify the contents.

When you have finished testing the USB drive, use RMPrepUSB - Ctrl-O to change back the partitions and make the applications partition visible to Windows again.

You can either boot from this USB drive on a 'live' system or boot from it (or the original .img file) with the 'target' hard-disk image in VirtualBox.

Note: XBOOT modifies the .ISO files and extracts and removes the squashfs (casper) files into a subfolder under \images. Therefore these .iso files cannot just be 'dropped' onto an Easy2Boot drive as they will not boot correctly. These XBOOT ISOs can be used if you copy the whole \images folder from the XBOOT partition to the root of a FAT32 E2B USB drive (not NTFS - it won't work!) and then move the .iso files to the \_ISO\MAINMENU folder (i.e. the E2B drive will contain a \images folder with subfolders).

Of course, you can download the original ISOs from their websites and simply add them to your Easy2Boot USB drive.

Note: There is a later download here which may have some of the files missing (I have not tested it).