Disk Utility & Packer (dup)

Introduction

dup is a command line tool that was designed for clients with an enterprise license to assist their incident responders in the collection of artifacts from live endpoints. Later, after all data is collected, they can process and analyze those artifacts on a forensic workstation.

Still in the prototype/testing stages, the tool can: (a) generate disk stats, (b) extract and analyze the master boot record data, (c) image a drive, volume or a specific set of clusters, (d) target just the volume shadows and (e) copy files or folders. If targeting NTFS type volumes, the tool can use its NTFS engine to copy files that are locked down by the operating system by accessing their underlying data clusters.

Originally architected for Windows, the tool also has compiled versions for Linux and OS-X to extract artifacts from 'dd' type images of NTFS volumes. The tool makes use of the zlib v.1.2.11 library from Jean-loup Gailly and Mark Adler for general compression.

Below is a screenshot of the menu of various options.

dup menu

MBR Scan

If desiring to review the Master Boot Record (MBR) of a disk, one can quickly scan and extract it using the -mbr option. This option does a quick look analysis of the master boot data, and determines if any strange jumps occur. The output includes a hex dump of the MBR data along with an enumeration of the primary partitions.

In the user's guide, there is an example of a boot record infected by a MBR Bootkit, and how dup shows this type of data when it is detected.

For companies with a standard base image of their computers, one can extract the MBR from this known good image and use that to compare it to the MBR of a target box. With 2 versions of the MBR (a known good version and one from the endpoint being analyzed), one can easily see if there are differences with any reasonable hex editor. However, if desiring to do it live on a target box, one can use dup via the -mbr_compare option.

Imaging Options

dup can either image a device either by specifying a volume letter or a disk number. Each option has their respective command: -copyvolume <letter> or -copydrive <disk number>. The imaging algorithm uses at a minimum of two threads (one for reading the device, and one for writing the output). The default option outputs the data in 'dd' format, which is just a straight bit for bit copy of the data on the device. There is also the option to compress the imaging results, via the -gzip command. The gzip option is made available by the authors of the zlib library [ref 1]. This library is statically compiled into the dup binary. When using the -gzip command, additional worker threads are spawned to service the compression and speed up the overall imaging time.

If not wishing to pull an entire image of a volume, one can just target the clusters associated with the Volume Shadow Snapshots. With this option (-copysnaps), the snapshots are enumerated along with their cluster runs, so dup can extract each snapshot in sequence.

Targeting Common Artifacts

Targeting a group of files for copying during an incident response can range from easy to hard depending on the tools available to you. Further, if the target machine can be analyzed without taking it down, this is always a plus, but will depend on whether the tools you have available and whether they can copy files that have been locked down by the operating system. Further, if one has a scripted set of instructions of what files need to be copied and has the appropriate tool to handle the script, then it can be much easier.

For the more common artifact types, the tool has the -copygroup option which can take a number of sub-options to identify which file groups to extract. There is a separate group for registry hives, event logs, prefetch files, LNK/JumpList, trash entries, and system files. One can use one or more of the sub-options in one session. The options are able to discern which operating system the tool is running on so the proper directories are targeted for the file groups selected. The other nice aspect about this option, is it will spawn multiple instances of the dup tool to go after the specific groups. This makes use of the available cores to decrease the overall collection time. For computers with multiple cores, this will result in a faster copy. Results can either be tar'd into a packed archived file or gzip into a compressed archived file. Below are the sub-options currently available:

Group Options Files Targeted
-pull_sysfiles $MFT, $Boot, $LogFile, $Bitmap, $BadClus:$Bad, &UsnJrnl:$J files
-pull_reghives User and OS level (system, software, security, etc) registry hives
-pull_evtlogs Event and setupapi logs
-pull_lnks LNK and JumpList files
-pull_pfs prefetch files
-pull_systrash Recycle Bin directory on the system drive.
-pull_all All pre-defined groups above

Targeting Volume Snapshots

There are various combinations of options when it comes to targeting Volume Snapshots. The first is using a -copygroup option discussed above and applying it to a specific snapshot index, via -vss <index>.

Since each target can any number of snapshots, to ease the pain, we also added the ability to target all volume snapshots with via the -vssall <partition>. All the volume snapshots will be analyzed and the specified artifacts designated with -copygroup option extracted.

For example, if one wanted all the registry hives on all the volume snapshots, one would invoke the following: dup -copygroup -pull_reghives -vssall c: -out <results folder> -gzip.

Miscellaneous File Utilities

There is also a few utilities to compute hashes, merge files, and combine files based on a specified offset.

For more information

The user's guide can be viewed here

If you would like more information about dup, contact us via email.

Downloads

32-bit Version64-bit Version
Windows:dup32.v.0.19.win.zipdup64.v.0.19.win.zipmd5/sha1
Linux:Not Availabledup64.v.0.19.lin.tar.gzmd5/sha1
Mac OS X:Not Availabledup.v.0.19.osx.tar.gzmd5/sha1
*32bit apps can run in a 64bit linux distribution if "ia32-libs" (and dependencies) are present.