
CERT-EDF/fossil

Fossil

Badges: Status | Powered By: EDF | License: MIT

A post-mortem analysis tool for raw disk/partition images


Introduction

Fossil is a Linux command-line collector driven by pre-configured or customizable collection profiles.

It uses The Sleuth Kit (sleuthkit) tools under the hood.

It can be used to perform various forensic tasks during the post-mortem examination of raw disk or partition images, such as computing image content digests or creating collections based on generaptor collection targets.


Tip

If your disk image is not a raw disk image, you can use tools such as affuse from afflib-tools to create a mountpoint exposing a read-only raw disk image.

Getting Started

Fossil releases are available on GitHub and PyPI. Using a Python virtual environment is recommended.

# Setup sleuthkit toolkit
sudo apt install sleuthkit
# Setup fossil
python3 -m pip install edf-fossil
# Setup generaptor configuration files without fetching velociraptor binaries
generaptor update --do-no-fetch
# List partitions
fossil windows disk.img partitions
# List file system entries (see options to include deleted files and directories)
fossil windows disk.img fs_entries
# List file system entries in a raw partition instead
fossil --image-is-partition windows part.img fs_entries
# Perform default data collection on disk.img raw disk image
fossil windows disk.img collect
# Perform custom collection based on a collection profile
echo '{"targets":["WebServer/IIS"]}' > iis_server.json
fossil windows disk.img collect --custom-profile iis_server.json
# Hash all existing files in the disk
fossil windows disk.img digest > result.csv
# Include deleted files (warning, sleuthkit is prone to errors when extracting deleted data)
fossil windows disk.img digest --deleted > result.csv
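
The custom-profile step above can be wrapped in a small script. The following is an added example, not part of the Fossil project: it builds the `{"targets":[...]}` profile from a list of generaptor target names, applies a heuristic raw-image check before collecting (the Tip above warns that non-raw images must first be exposed as raw), and then calls `fossil` exactly as the README does. It assumes `fossil` is installed and that the MBR boot signature check is only a hint (GPT and partition images are still valid inputs).

```shell
#!/bin/sh
# Added example (not Fossil's own code). Assumes fossil is installed as in the
# Getting Started section and that target names are plain generaptor targets.

# Emit a custom collection profile JSON document for the given targets.
build_profile() {
    printf '{"targets":['
    first=1
    for t in "$@"; do
        [ "$first" -eq 1 ] || printf ','
        first=0
        # Escape backslashes and double quotes so the output stays valid JSON.
        esc=$(printf '%s' "$t" | sed 's/\\/\\\\/g; s/"/\\"/g')
        printf '"%s"' "$esc"
    done
    printf ']}\n'
}

# Heuristic: a raw MBR disk image carries the 0x55 0xAA boot signature at
# bytes 510-511. Returns 0 when the signature is present. Partition images and
# GPT-only images are still fine inputs for fossil; this is only a hint.
looks_like_raw_mbr() {
    sig=$(dd if="$1" bs=1 skip=510 count=2 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ "$sig" = "55aa" ]
}

# Run a custom collection on a raw disk image with the given targets.
collect_with_targets() {
    image=$1; shift
    looks_like_raw_mbr "$image" || \
        echo "warning: $image has no MBR signature; is it a raw disk image?" >&2
    profile=$(mktemp)
    build_profile "$@" > "$profile"
    fossil windows "$image" collect --custom-profile "$profile"
    rc=$?
    rm -f "$profile"
    return $rc
}
```

Usage: `collect_with_targets disk.img WebServer/IIS` writes the same profile as the `echo` line above and hands it to `fossil ... collect --custom-profile`.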

Configuration

Fossil does not need a configuration file of its own; it relies on the Generaptor configuration files instead.


License

Distributed under the MIT License.


Contributing

Contributions are welcome. See CONTRIBUTING.md.


Security

To report a (suspected) security issue, see SECURITY.md.
