Welcome back, everyone. Today we're talking about Bento, a live forensic toolkit from the makers of the Tsurugi Linux distribution. This toolkit runs only on Windows, so make sure you have a Windows system to test on.

The first thing we need to do is download it. Go to tsurugi-linux.org, click on the Downloads tab, and scroll down. At the very bottom you can see that the Bento DFIR Portable Toolkit is available, along with the date of the most recent release. Keep an eye on that date to check whether the software has been updated once you start using it. You can select any of these mirrors to download from, but I always pick the torrent, for example the first one. That way I can host some of the content for the developers and hopefully give other people a faster download. You can choose just the ISO and download it directly from wherever they're hosting it, or take the torrent and help the community out a little bit. We want the Bento toolkit. Notice that you get a 7-Zip file once it's downloaded, so you will need 7-Zip installed; you can get it from 7-zip.org, and then you should be able to extract the contents of the Bento archive.

Once you've downloaded it (because I used a torrent, I have a folder), we have our 7-Zip file. I already have 7-Zip installed, so I'm just going to right-click on the archive and, under the 7-Zip context menu, choose "Extract files here". If you just open the archive, you're going to have trouble running the tool later, so make sure you actually extract the files. Once everything is extracted, go ahead and take a look at the readme file. It tells you a little bit about what Bento is and what it can do, and gives some recommendations for installing the Sysinternals Suite, Magnet Forensics tools, KAPE, AccessData FTK Imager, and some other tools.
The reason they don't include those files is that the licenses for that software don't allow direct redistribution, so they can't package up those tools and ship them with Bento. That's what we're going to show today: how to install a couple of different types of software, in case you want to add custom packages to Bento.

You should now have an extracted folder that just says Bento. This is where the program actually lives, so we can simply move it to the desktop. We are going to use Bento in a live environment, so normally I would put this either on the external hard drive that I'm going to use as my acquisition drive, or on a USB stick that I can write-protect, which then becomes my tool USB stick. Either way I still need a place to save everything we collect during the live analysis, so make sure you have storage space available for the output.

Before we take the USB stick to the suspect's house, we need to set up Bento itself. We have a couple of different options here: one is SyMenu.exe and the other is SyMenuAdmin.exe. SyMenuAdmin gives you the ability to image disks, image RAM, and do anything else that normally requires administrative privileges, whereas SyMenu can give you, for example, system information, but you probably won't get low-level disk images. You can still collect at the file level, but you won't be able to collect, for example, partition images directly. I'm going to double-click SyMenuAdmin, and because it runs as admin it asks whether I'll allow it; I say yes. Now there is a little Bento box icon that you can drag around. We have our Bento folder, and then our Bento icon; if we click and hold, we can drag it wherever we want.
I usually keep it out of the way. If I click on the Bento box, we get a menu with a few different things going on. We have the SyMenu items, we have Search, so we can search for the programs that are installed, and we have Acquire, which is forensic acquisition: imaging, hashing, direct copying, maybe burning to a CD-ROM, and an image mounter is already installed. If I go under Acquire and then Image, you can see that a couple of tools look normal and a couple have an X over them. The tools with the X have not been installed yet. Like I said, these tools cannot be distributed with Bento; you have to get them separately. So what we're going to do now is install these tools so that Bento can use them, or so we can easily access them through Bento.

Besides Acquire we also have SysInfo, which gets information from the system we're running on; Live IR, which is incident response and live acquisition, basically getting information about the suspect's system and then trying to acquire different types of data, for example triage (KAPE is here, but it's not installed yet); and we can change whatever we want. Forensics is the same idea: they have, for example, ShellBagsView, just a bunch of forensic utilities for working in the live environment. Networking already has a lot of tools selected and installed, and Utilities has things like Don't Sleep, so the suspect computer doesn't go into hibernation, 7-Zip if we need to compress something, a hex editor, a mouse jiggler, and so on. They've done a good job of selecting the tools that are useful in different situations and categorizing them, but you can change any of this: install additional tools, remove tools, change the categories, whatever you want to do.

Okay, so the first thing we want to do is click on the Bento box.
On a computer that has internet access, because we're going to be downloading or checking for updates, we want to choose Get New Apps. It looks at the SyMenu suite, the NirSoft suite and the Bento suite and tells you what has been added. For example, it sees that there's an update for FTK Imager Lite, and you can install it from here. You can also install KAPE from here. To install an app from the apps list, just select the checkbox on the right. Once you've found and selected all of the programs you want, click Apply All, and Bento will go out, download the software directly and install it, as long as it's in this list. Make sure you accept, for example, any licensing that's required. Once it's done installing or updating, you can just click Exit. Now you can see that the red box has changed to "added" and it's up to date. For the Bento suite we don't have any updates either, so that's fine.

If we click Exit, the Bento box appears again. If we select the menu and go back to Live IR, we can see that gkape no longer has the X on it. If we click on it, KAPE opens and we can use it to start processing some data.

We could have installed FTK Imager Lite directly, but let's say that's a very old version: it's a little slower and it's discontinued. We want to use the newest version of FTK Imager, and we want to use Magnet RAM Capture. I have the installers for AccessData FTK Imager 4.5 and for Magnet RAM Capture version 1.2; I think I have those already downloaded. You can get Magnet RAM Capture from magnetforensics.com under their free tools, and FTK Imager from exterro.com/ftk-imager. You will have to put in your contact information, but they are free downloads.
Let's say we want to install these. There are a couple of ways to go about it, but I usually just click on the Bento box and go to Acquire, Image. Let's do FTK Imager first. If I click on it, it gives me an error: cannot find BentoSuite\FTK Imager\FTK Imager.exe. That's the file it's looking for. If we go into our Bento folder, we have ProgramFiles, SPSSuite, BentoSuite, FTK Imager, and there's nothing in there because we haven't installed it yet. If you don't already have AccessData FTK Imager installed, you can install it directly into that folder. But we already have it on our system, so I'm going to go to C:\Program Files\AccessData\FTK Imager, where all of the FTK Imager files are, select everything, copy, and paste it into the FTK Imager folder inside BentoSuite. Now FTK Imager.exe is in the folder where it should be.

If we click on Bento and go back to Acquire, Image, it's still showing an X. Why? We need to refresh the interface so Bento can detect the new FTK Imager version. Go to the menu, go to Tools, and then Reload. Once it has reloaded, click on the menu, click Acquire, click Image, and now FTK Imager is available. If we click on it we get FTK Imager 4.5. So FTK Imager 4.5 is installed, we can run it on the suspect system, and it should be portable.

Next we have Magnet RAM Capture. If I double-click it just to see if it works, it asks for administrative privileges (say yes) and then for the license agreement, which I'm going to accept. Notice that the EULA file is created on the desktop, because that's where I ran the executable from, and then it's ready to do the RAM capture directly. I'm going to close that, since I know it's working, and delete that license agreement file.
Next, if I click on Bento, go to Acquire, Image, and click Magnet RAM Capture, we see that it expects the file to be at SPSSuite\BentoSuite\Magnet RAM Capture.exe. So instead of MRC, it's looking for a file called "Magnet RAM Capture". Let's rename our executable to "Magnet RAM Capture.exe", copy it, go back into Bento, into ProgramFiles, SPSSuite, BentoSuite, and drop it in the base of that directory. Click on Bento, click Acquire, Image: it still isn't detected, so let's go to Tools and click Reload. Acquire, Image, and now we have Magnet RAM Capture. If we click on it we're asked for the license agreement again. After we accept, check the Bento folder: under ProgramFiles, SPSSuite, BentoSuite, there is now the EULA accepted .dat file, and we won't be asked for the license again.

Now we can run those two tools. So you've seen how to get new apps directly: it's just a built-in app manager, you select the apps you want, click Apply All, and it either adds or updates them. It's very handy for keeping your apps up to date. The other approach, if something is missing, is to add it to the folder directly, depending on where Bento expects it to be installed. For example, if we look at the FTK Imager CLI entry, it looks like it should be in ProgramFiles\windows-cli\ftkimager\ftkimager.exe, so if we're going to install the FTK Imager command-line version, we need to put it in that directory.

Now let's say we never use, or never expect to use, FTK Imager Lite, because we have the newer version that's much faster. Maybe we want to remove it instead. We can go to Tools and then Configuration. The configuration has a few different options, but you can see our folders here: Acquire, SysInfo, Live IR, Forensics, Networking, Utility.
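The two manual installs above (copying the FTK Imager folder and renaming the Magnet RAM Capture download) are easy to script, and a tool USB is worth hashing before it leaves the lab. The following PowerShell is an added example, not Bento's or the video's own code; it assumes the suite layout ProgramFiles\SPSSuite\BentoSuite that the menu's error messages report, and the Bento root and Magnet RAM Capture installer file name are placeholders.

```powershell
# Added example, not Bento's or the video's own code: stages the two manually
# installed tools into the folders Bento reported it expects, then writes a
# SHA-256 manifest of every staged binary so the tool USB can be checked later.
# ASSUMED: -BentoRoot is your extracted Bento folder; suite layout
# ProgramFiles\SPSSuite\BentoSuite as read from the menu's error messages;
# the Magnet RAM Capture installer file name is a placeholder.
param(
    [string]$BentoRoot = 'C:\Users\examiner\Desktop\Bento',
    [string]$FtkSource = 'C:\Program Files\AccessData\FTK Imager',
    [string]$MrcSource = 'C:\Users\examiner\Downloads\MRC_installer_placeholder.exe'
)

$suite = Join-Path $BentoRoot 'ProgramFiles\SPSSuite\BentoSuite'

# FTK Imager: Bento looks for <suite>\FTK Imager\FTK Imager.exe, so copy the whole install folder.
$ftkDest = Join-Path $suite 'FTK Imager'
New-Item -ItemType Directory -Force -Path $ftkDest | Out-Null
Copy-Item -Path (Join-Path $FtkSource '*') -Destination $ftkDest -Recurse -Force

# Magnet RAM Capture: Bento expects <suite>\Magnet RAM Capture.exe, not the MRC download name.
Copy-Item -Path $MrcSource -Destination (Join-Path $suite 'Magnet RAM Capture.exe') -Force

# Manifest with paths relative to the Bento root, so it stays valid after the
# folder is copied to a USB stick that gets a different drive letter.
function Write-ToolManifest([string]$Root, [string]$ManifestPath) {
    Get-ChildItem -Path $Root -Recurse -File -Include *.exe, *.dll |
        ForEach-Object {
            $rel = $_.FullName.Substring($Root.TrimEnd('\').Length + 1)
            '{0}  {1}' -f (Get-FileHash -Algorithm SHA256 -Path $_.FullName).Hash, $rel
        } | Set-Content -Path $ManifestPath -Encoding ASCII
}

# Re-hash every listed file under a (possibly different) root and report mismatches.
function Test-ToolManifest([string]$Root, [string]$ManifestPath) {
    $ok = $true
    foreach ($line in Get-Content -Path $ManifestPath) {
        $expected, $rel = $line -split '  ', 2
        $full = Join-Path $Root $rel
        if (-not (Test-Path $full)) { Write-Warning "missing: $rel"; $ok = $false; continue }
        $actual = (Get-FileHash -Algorithm SHA256 -Path $full).Hash
        if ($actual -ne $expected) { Write-Warning "hash mismatch: $rel"; $ok = $false }
    }
    return $ok
}

$manifest = Join-Path $BentoRoot 'tool-manifest.sha256.txt'
Write-ToolManifest -Root $BentoRoot -ManifestPath $manifest
if (Test-ToolManifest -Root $BentoRoot -ManifestPath $manifest) {
    Write-Host "Staged tools under $suite; manifest $manifest verifies."
    Write-Host 'Now open the Bento box, Tools -> Reload, so the new executables are detected.'
}
```

Run Test-ToolManifest again against the USB stick's drive letter before taking it on site; the manifest covers SyMenu's own binaries too, so a modified launcher shows up as a mismatch.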
If I expand Acquire and then Image, that looks exactly like the menu we had, right? We have FTK Imager, which was detected, and FTK Imager Lite, which was not. If we click on FTK Imager Lite, we can see the path where FTK Imager Lite is expected to be, any icon paths, the description, the URL, and any additional information that's available. We also have options to run the command at different times, run it elevated, or output different pieces of information. I don't want FTK Imager Lite on here, so I'm just going to right-click on the menu item and choose Remove Item. That item is removed from Acquire, Image; we still have FTK Imager, but FTK Imager Lite should be gone. Click Save and Exit, click on Bento again, go to Acquire, Image, and FTK Imager Lite is indeed missing; it's been removed.

Rather than removing tools (remember, you always want backups in a live environment, even for tools you're pretty confident you won't use), let's say we wanted to add something. Maybe under SysInfo I want to add a command that gets information about the attached hard drives. Go to Tools, Configuration, back to the menu, and into SysInfo. In this case I'm just going to add a Windows command. I'll call it "Get local drives", and for the command we can use wmic diskdrive list brief. For the icon path I'm just going to reuse an existing icon, and for the description, "get local disk information". That's it. If we click Save, then Save and Exit, and check Bento again under SysInfo, we have our Get Local Drives entry. If I click it, wmic diskdrive list brief runs and shows me some information about the disk drives.
We're not outputting this information anywhere; it literally just pops up and shows me. For forensics that might not be so useful, but if we need to get some information really quickly and we're not worried about saving it for the long term, adding commands like this can be very handy. Notice that this runs through cmd.exe rather than PowerShell, but if you wanted to use PowerShell or run PowerShell scripts, you absolutely could.

So we have removed an item, installed apps from the app manager, installed apps directly into the Bento path, and added and removed items from the menu. That should get you started with Bento. The final step is to copy this folder onto a live CD, a live USB, or a disk drive that you're going to use in the live environment, in the suspect's environment. You'll be running tools from this menu and outputting the results to some sort of storage media that is not the suspect's disk. That should give you enough information to start customizing Bento and installing any additional utilities you need. Okay, so that's it for today. Thank you very much.
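The Get local drives command added under SysInfo only displays its output in a console window. As an added example (not Bento's or the video's own code), here is a PowerShell version that collects the same disk information, writes it to the examiner's media and hashes the report; it assumes the Bento menu item's command is powershell.exe -ExecutionPolicy Bypass -File <path to this script> -OutRoot E:\cases\case01 with the "run elevated" option set, and the E: drive letter and case folder are placeholders.

```powershell
# Added example, not Bento's or the video's own code. Same information as
# "wmic diskdrive list brief", but written to the examiner's acquisition media
# (never the suspect's disk) with a timestamp and a SHA-256 hash of the report.
# ASSUMED: -OutRoot points at the examiner's drive; the drive letter is a placeholder.
param([Parameter(Mandatory = $true)][string]$OutRoot)   # e.g. E:\cases\case01

$stamp  = Get-Date -Format 'yyyyMMdd_HHmmss'
$dest   = Join-Path $OutRoot $env:COMPUTERNAME
New-Item -ItemType Directory -Force -Path $dest | Out-Null
$report = Join-Path $dest "diskdrives_$stamp.txt"

function Get-DiskInventory {
    # Physical disks (what wmic diskdrive shows) plus partitions and logical volumes,
    # collected read-only through CIM rather than by spawning wmic.exe.
    $disks = Get-CimInstance -ClassName Win32_DiskDrive |
        Select-Object Index, Model, InterfaceType, SerialNumber, Size, Partitions, Status
    $parts = Get-CimInstance -ClassName Win32_DiskPartition |
        Select-Object DiskIndex, Index, Type, Bootable, StartingOffset, Size
    $vols  = Get-CimInstance -ClassName Win32_LogicalDisk |
        Select-Object DeviceID, DriveType, FileSystem, VolumeSerialNumber, Size, FreeSpace
    @(
        "Host: $env:COMPUTERNAME  User: $env:USERNAME  Collected: $(Get-Date -Format o)",
        '--- Physical disks ---',   ($disks | Format-Table -AutoSize | Out-String),
        '--- Partitions ---',       ($parts | Format-Table -AutoSize | Out-String),
        '--- Logical volumes ---',  ($vols  | Format-Table -AutoSize | Out-String)
    )
}

Get-DiskInventory | Set-Content -Path $report -Encoding UTF8

# Hash the report and append to a running collection log, so the output can be
# tied back to this run when the case is written up.
$hash = (Get-FileHash -Algorithm SHA256 -Path $report).Hash
Add-Content -Path (Join-Path $dest 'collection_log.txt') -Value "$(Get-Date -Format o)  $hash  $report"
Write-Host "Saved $report"
Write-Host "SHA-256: $hash"
Get-Content -Path $report   # also show it on screen, like the original menu command
```

Running PowerShell on the suspect host still leaves traces there (PowerShell event logs, prefetch), as any live tool does; the point of the script is that the collected output lands on your media rather than theirs.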