• Abstract and Figures
• Public Full-text

Copy of RECON LAB Full Manual Copy of RECON LAB Full Manual by SUMURI 1 / 62 Copy of RECON LAB Full Manual 1. INTRODUCTION ............................................................................................ 6 1.1. WHY USE A MAC FOR FORENSIC ANALYSIS? ......................................... 6 1.1.1. APPLE EXTENDED ATTRIBUTES ............................................................ 6 1.1.2. VIEWING PROPER TIMESTAMPS ........................................................... 7 1.1.3. VIEWING FILES NATIVELY ..................................................................... 7 1.1.4. APPLE FILE SYSTEM (APFS) .................................................................. 7 1.1.5. LOCAL TIME MACHINE SNAPSHOTS (APFS) ........................................... 7 1.1.6. FILEVAULT ........................................................................................... 8 1.1.7. SUPPORT FOR OTHER FILE SYSTEMS .................................................. 8 1.2. HYBRID PROCESSING ENGINE ................................................................ 8 1.3. THREE STAGE ANALYSIS ......................................................................... 8 1.4. SUPPORT FOR OVER 270 TIMESTAMPS .................................................. 8 1.5. ADVANCED TIMELINES ............................................................................ 9 1.6. ADVANCED DATA CORRELATION ............................................................ 9 1.7. ADVANCED REPORTING WITH FULL CONTROL ...................................... 9 2. RECOMMENDED MINIMUM REQUIREMENTS ............................................ 9 3. HELPFUL HINTS .......................................................................................... 10 4. GETTING SUPPORT .................................................................................... 10 5. RENEWING RECON LAB ............................................................................. 11 6. TRAINING ..................................................................................................... 11 7. INSTALLATION ............................................................................................ 11 7.1. INSTALLING XCODE AND COMMAND LINE TOOLS ................................. 12 7.2. INSTALLING FUSE FOR macOS ............................................................... 12 7.3. INSTALLING PARAGON DRIVERS ........................................................... 12 7.4. DOWNLOADING RECON LAB UPDATES .................................................. 13 7.5. INSTALLING RECON LAB ......................................................................... 13 7.6. GRANTING PRIVILEGES ......................................................................... 16 7.6.1. FULL DISK ACCESS ............................................................................ 16 7.7. ENERGY AND SLEEP SETTINGS ............................................................ 18 8. STARTING RECON LAB ............................................................................. 20 8.1. ADDING YOUR LICENSE ......................................................................... 20 8.2. INSTALLING PYTHON ............................................................................. 23 8.3. ADMIN PASSWORD ................................................................................ 23 8.4. ACCESS WARNING MESSAGES ............................................................. 23 8.5. RECON LAB WELCOME SCREEN ........................................................... 24 9. CONFIGURATION ....................................................................................... 25 9.1. EXAMINER DETAILS ............................................................................... 26 9.2. ARTIFACTS AND PLUGINS ..................................................................... 27 2 / 62 Copy of RECON LAB Full Manual 9.3. USER DEFINED EXTENSIONS ................................................................ 30 9.4. USER DEFINED FILE SIGNATURES ........................................................ 31 9.5. KEYWORD LISTS .................................................................................... 33 9.6. TEXT INDEXING FILTERS ....................................................................... 35 9.7. APPLE METADATA FILTERS ................................................................... 37 9.8. EXIF METADATA FILTERS ...................................................................... 38 9.9. VOLATILITY PATH ................................................................................... 39 9.10. SYSTEM PASSWORD ........................................................................... 39 9.11. TEXT VIEW SETTINGS .......................................................................... 40 9.12. EXTERNAL APPLICATIONS ................................................................... 41 10. STARTING A NEW CASE ......................................................................... 41 10.1. CASE INFO ............................................................................................ 41 10.2. ADDING SOURCE DATA TO PROCESS ................................................. 43 10.2.1. MOUNTED VOLUMES ........................................................................ 43 10.2.2. FORENSICS IMAGES ......................................................................... 43 10.2.3. FILEVAULT IMAGE ............................................................................ 44 10.2.4. FUSION IMAGE ................................................................................. 44 10.2.5. OPTICAL DISC IMAGE ....................................................................... 45 10.2.6. RAM IMAGE ...................................................................................... 46 10.2.7. IOS BACKUP ..................................................................................... 46 10.2.8. TIME MACHINE BACKUP .................................................................... 46 10.2.9. GOOGLE TAKEOUT ........................................................................... 47 10.2.10. MACOS HOME DIRECTORY .............................................................. 48 10.2.11. FOLDER ......................................................................................... 48 10.2.12. FILE ............................................................................................... 48 10.2.13. ADB ANDROID BACKUP ................................................................... 49 10.2.14. RECON LOGICAL IMAGE .................................................................. 49 10.3. ADDING SOURCE INFORMATION ......................................................... 49 10.4. ADDING MULTIPLE SOURCES .............................................................. 50 10.5. CASE DIRECTORY ................................................................................ 50 10.6. DATE AND TIME SETTINGS .................................................................. 50 10.7. FILE SYSTEM MODULES SELECTION .................................................. 50 10.7.1. APPLE METADATA MODULE .............................................................. 50 10.7.2. MIME TYPES MODULE ....................................................................... 50 10.7.3. SIGNATURE ANALYSIS MODULE ........................................................ 51 10.7.4. EXIF METADATA Module .................................................................... 51 10.7.5. HASHES MODULE ............................................................................. 51 10.8. ARTIFACT PLUGIN SELECTION MODULE ............................................. 51 3 / 62 Copy of RECON LAB Full Manual 11. RELOADING A CASE ................................................................................ 51 12. RECON LAB INTERFACE ......................................................................... 52 12.1. PROCESSING STATUS WINDOW .......................................................... 52 12.2. CASE VIEW ........................................................................................... 52 12.3. TOP MENU ............................................................................................ 52 12.4. MAIN COLUMNS .................................................................................... 52 12.5. CASE SIDEBAR ..................................................................................... 52 12.6. MAIN VIEWER WINDOW ....................................................................... 53 12.6.1. TABLE VIEW ..................................................................................... 53 12.6.1.1. RECURSIVE VIEW .......................................................................... 53 12.6.1.2. EXPORT TO CSV ........................................................................... 53 12.6.1.3. TABLE VIEW FILTER AND SEARCH ................................................... 53 12.6.1.4. NAVIGATION BUTTONS ................................................................... 53 12.6.2. GALLERY VIEW ................................................................................. 53 12.7. MULTIMEDIA PREVIEW PANE ............................................................... 53 12.8. VIEWER PANES .................................................................................... 53 12.8.1. DETAILED INFORMATION PANE ......................................................... 53 12.8.2. HEX VIEW PANE ..............................................................................

Load more

  62

Copy Link