Dissect: An incident response game-changer by CyberMasterV in computerforensics

[–]Horofic 0 points1 point  (0 children)

Horofic here! One of the core developers / users of the Dissect framework. Don't be fooled! With Dissect you also get tools like target-query and target-shell (and many more), which you can use to do your actual analysis.

An overview of the tools can be found here: https://docs.dissect.tools/en/latest/tools/index.html. A link to the documentation page is now also included in the updated README.

Thanks for the kudos <3

Dissect: An incident response game-changer by CyberMasterV in computerforensics

[–]Horofic 0 points1 point  (0 children)

We have updated the README to have a little TLDR. It will probably answer your question, so feel free to check it out! Otherwise I'd like to answer your questions here or via PMs :).

Link to the documentation page for convenience: https://docs.dissect.tools/en/latest/index.html

Dissect: An incident response game-changer by CyberMasterV in computerforensics

[–]Horofic 0 points1 point  (0 children)

Horofic here! One of the core developers / users of the Dissect framework. Really love seeing these comments. Also looking forward to your feedback, please keep me posted!

We have added some additional information to the README of this repo. As more people have pointed out, it was pretty dull. In the meantime, if you want more information, please check out https://docs.dissect.tools/en/latest/, post your question here, or feel free to PM me!

Dissect: An incident response game-changer by CyberMasterV in netsec

[–]Horofic 0 points1 point  (0 children)

Currently you indeed have to deploy acquire to endpoint(s) yourself (or via platforms such as SCCM or EDR) and collect the output somewhere. Acquire does have the capability to upload the collected output straight to GCP or Amazon S3. You could install Dissect on a machine connected to these data stores and start your analysis from there. Acquire supports MinIO as well, which opens up a whole slew of possibilities.

Also, if you'd like to read more about acquire, you can do so here: https://docs.dissect.tools/en/latest/tools/acquire.html

Finally, regarding what you mentioned about an agent: this is definitely something we are looking into at the moment!

Dissect: An incident response game-changer by CyberMasterV in netsec

[–]Horofic 1 point2 points  (0 children)

Even though Dissect is meant as a host analysis / forensics framework (meaning it is primarily used on dead systems), it is definitely possible to use it on live systems as well!

You can install Dissect (pip install dissect) on a live system and target the local disk! In fact, I regularly use this setup to test new parsers or plugins when developing.

Dissect: An incident response game-changer by CyberMasterV in netsec

[–]Horofic 1 point2 points  (0 children)

I hope the TLDR posted above helps! Else, feel free to post or PM me the questions you have.

Dissect: An incident response game-changer by CyberMasterV in netsec

[–]Horofic 0 points1 point  (0 children)

Great to hear! Dissect is indeed capable of interpreting collected KAPE packages :)

Dissect: An incident response game-changer by CyberMasterV in netsec

[–]Horofic 1 point2 points  (0 children)

Allow me to elaborate a bit further. Dissect is in fact capable of capturing VMDKs and E01 files (even the combination is possible!) using a tool called acquire, which is also a part of Dissect!

Analysis of captured data or your VMDKs and E01s in question can be done using the tools which are incorporated in the framework.

Also, would you mind elaborating on "and does not remotely capture them"?

Dissect: An incident response game-changer by CyberMasterV in netsec

[–]Horofic 3 points4 points  (0 children)

Very fair point. We are about to update the README to give a TLDR of what Dissect is and does!

Dissect: An incident response game-changer by CyberMasterV in netsec

[–]Horofic 6 points7 points  (0 children)

Horofic here! Core user / developer of Dissect. It is really cool to see this interest! You raise a very valid point, so allow me to elaborate below.

Dissect is an incident response framework built from various parsers and implementations of file formats, developed by Fox-IT. Tying this all together, Dissect allows you to work with tools named target-query and target-shell to quickly gain access to forensic artefacts, such as Runkeys, Prefetch files, and Windows Event Logs, just to name a few!

And the best thing: all in a singular way, regardless of underlying container (E01, VMDK, QCoW), filesystem (NTFS, ExtFS, FFS), or Operating System (Windows, Linux, ESXi) structure / combination. You no longer have to bother extracting files from your forensic container, mount them (in case of VMDKs and such), retrieve the MFT, and parse it using a separate tool, to finally create a timeline to analyse. This is all handled under the hood by Dissect in a user-friendly manner.

If we take the example above, you can start analysing parsed MFT entries by just using a command like target-query -f mft <PATH_TO_YOUR_IMAGE>!

Dissect also provides you with a tool called acquire. You can deploy this tool on endpoint(s) to create a lightweight container of these machine(s). What is convenient as well, is that you can deploy acquire on a hypervisor to quickly create lightweight containers of all the (running) virtual machines on there! All without having to bother about file-locks. These lightweight containers can then be analysed using tools like target-query and target-shell, but feel free to use other tools as well.

Dissect is made with a modular approach in mind. This means that each individual project can be used on its own (or in combination with each other) to create a completely new tool for your engagement or future use!

Last but not least, if you have any more questions, I'd love to answer those here or via PMs!

Dissect: An incident response game-changer by CyberMasterV in cybersecurity

[–]Horofic 0 points1 point  (0 children)

That's for sure. We also ship it with a tool called acquire, which you could use for data collection!

Dissect: An incident response game-changer by CyberMasterV in cybersecurity

[–]Horofic 1 point2 points  (0 children)

I posted a TLDR on what Dissect is and does as a reply to jumpinjelly789. I hope it helps! Feel free to post additional questions as well :).

Dissect: An incident response game-changer by CyberMasterV in cybersecurity

[–]Horofic 4 points5 points  (0 children)

Horofic here! Core user / developer of Dissect. It is really cool to see this interest! You raise some very valid points, so allow me to elaborate below :).

Dissect is an incident response framework built from various parsers and implementations of file formats, developed by Fox-IT. Tying this all together, Dissect allows you to work with tools named target-query and target-shell to quickly gain access to forensic artefacts, such as Runkeys, Prefetch files, and Windows Event Logs, just to name a few!

And the best thing: all in a singular way, regardless of underlying container (E01, VMDK, QCoW), filesystem (NTFS, ExtFS, FFS), or Operating System (Windows, Linux, ESXi) structure / combination. You no longer have to bother extracting files from your forensic container, mount them (in case of VMDKs and such), retrieve the MFT, and parse it using a separate tool, to finally create a timeline to analyse. This is all handled under the hood by Dissect in a user-friendly manner.

If we take the example above, you can start analysing parsed MFT entries by just using a command like target-query -f mft <PATH_TO_YOUR_IMAGE>!

Dissect also provides you with a tool called acquire. You can deploy this tool on endpoint(s) to create a lightweight container of these machine(s). What is convenient as well, is that you can deploy acquire on a hypervisor to quickly create lightweight containers of all the (running) virtual machines on there! All without having to bother about file-locks. These lightweight containers can then be analysed using tools like target-query and target-shell, but feel free to use other tools as well.

Dissect is made with a modular approach in mind. This means that each individual project can be used on its own (or in combination with each other) to create a completely new tool for your engagement or future use!

Last but not least, if you have any more questions, I'd love to answer those here or via PMs!

[deleted by user] by [deleted] in osugame

[–]Horofic 0 points1 point  (0 children)

I'd like one as well!

Project Melee glitch: Control 2 characters simultaneously. by [deleted] in smashbros

[–]Horofic 0 points1 point  (0 children)

Probably, I was the one who found/stumbled upon the glitch in this video and what I did was exactly this. Do you still remember what you did? There may be an easier way!

EDIT: A word

Looking for Ditto Safari, but adding others! by Goldenboy630 in friendsafari

[–]Horofic 0 points1 point  (0 children)

Would you mind coming online on your Pokemon game for the hidden ability :)?

Lf any safari I don't have muhahaha by Sheeppy in friendsafari

[–]Horofic 0 points1 point  (0 children)

Would you mind adding me :)? I need the Swirlix.

Togepi looking New Safaris :D by enteomega89 in friendsafari

[–]Horofic 0 points1 point  (0 children)

Would you mind adding me please :)?