The guide is organized as a step-by-step workflow, the recommended tools, the types of information you should capture, and a ready-to-fill-in template that will turn your findings into a polished, professional document.

| Item | Why it matters | Recommended Tool / Command |
|------|----------------|---------------------------|
| Operating System | Most ISO-analysis tools run on Linux/Unix, but Windows/macOS are also fine. | Ubuntu 22.04 LTS (or any recent distro), Windows 10/11, macOS 13+ |
| Mounting capability | To explore file-system contents without extracting. | `mount -o loop` (Linux), PowerShell `Mount-DiskImage` (Windows), `hdiutil attach` (macOS) |
| Hashing utilities | Verify integrity and generate unique identifiers. | `sha256sum`, `md5sum`, `shasum -a 256`, `certutil -hashfile` (Win) |
| File-system inspection tools | List, extract, and analyse files inside the ISO. | `isoinfo`, `7z`, `bsdtar`, iso9660 libraries, PowerISO, WinISO, The Sleuth Kit (TSK) |
| Static-analysis/forensics suite | Automate extraction of metadata, timestamps, embedded executables, etc. | Autopsy, FTK Imager, X-Ways Forensics, `bulk_extractor`, `pefile` (for PE files), `exiftool` |
| Malware sandbox (optional) | Safely execute any suspicious binaries. | Cuckoo Sandbox, FireEye AX, any isolated VM with network disabled. |
| Documentation tools | Keep notes, screenshots, and generate the final PDF/HTML report. | Markdown + Pandoc, LaTeX, Microsoft Word, Jupyter Notebook (for code snippets). |

Tip: If you are working on a Windows host, consider installing the Windows Subsystem for Linux (WSL2): it gives you a full Linux environment without leaving Windows, and all the Linux tools above work out-of-the-box.

## 2️⃣ HIGH-LEVEL ANALYSIS WORKFLOW

```text
┌────────────────────────────────────────┐
│ 1. Acquire the ISO                     │
│    (checksum verification from source) │
└───────────────────┬────────────────────┘
                    ▼
┌────────────────────────────────────────┐
│ 2. Compute hashes (SHA-256, MD5)       │
└───────────────────┬────────────────────┘
                    ▼
┌────────────────────────────────────────┐
│ 3. Identify ISO type                   │
│    (ISO-9660, Joliet, UDF, hybrid)     │
└───────────────────┬────────────────────┘
                    ▼
┌────────────────────────────────────────┐
│ 4. Mount / Extract (read-only)         │
└───────────────────┬────────────────────┘
                    ▼
┌────────────────────────────────────────┐
│ 5. Enumerate contents                  │
│    (directory tree, file sizes, dates) │
└───────────────────┬────────────────────┘
                    ▼
┌────────────────────────────────────────┐
│ 6. File-type analysis                  │
│    (executables, docs, scripts,        │
│     archives)                          │
└───────────────────┬────────────────────┘
                    ▼
┌────────────────────────────────────────┐
│ 7. Deep static analysis                │
│    (PE headers, embedded scripts,      │
│     signatures)                        │
└───────────────────┬────────────────────┘
                    ▼
┌────────────────────────────────────────┐
│ 8. Dynamic analysis                    │
│    (sandbox, network-isolated VM)      │
└───────────────────┬────────────────────┘
                    ▼
┌────────────────────────────────────────┐
│ 9. Correlation & threat-intel          │
└───────────────────┬────────────────────┘
                    ▼
┌────────────────────────────────────────┐
│ 10. Reporting (fill template)          │
└────────────────────────────────────────┘
```

Each block is described in detail below.

## 3️⃣ STEP-BY-STEP DETAIL

### 3.1. Acquire the ISO & Verify Integrity

```bash
# Example (Linux)
wget -O emp-hl.iso https://example.com/path/emp-hl.iso
sha256sum emp-hl.iso > emp-hl.sha256
# Compare with the hash provided by the source
```

If you received the ISO via a USB drive or email attachment, compute hashes on the original medium to confirm it hasn't been altered.

### 3.2. Compute Cryptographic Hashes

| Algorithm | Command (Linux) | Command (Windows) |
|-----------|-----------------|-------------------|
| SHA-256 | `sha256sum emp-hl.iso` | `certutil -hashfile emp-hl.iso SHA256` |
| SHA-1 | `sha1sum emp-hl.iso` | `certutil -hashfile emp-hl.iso SHA1` |
| MD5 | `md5sum emp-hl.iso` | `certutil -hashfile emp-hl.iso MD5` |
Record all three: they are useful for cross-referencing with public repositories, VirusTotal, or internal hash databases.

### 3.3. Identify the ISO Type

```bash
# Use isoinfo (part of genisoimage / cdrkit)
isoinfo -d -i emp-hl.iso      # General volume descriptor
isoinfo -l -i emp-hl.iso      # List files (ISO-9660)
isoinfo -l -J -i emp-hl.iso   # List files via Joliet (Unicode filenames)
isoinfo -U -i emp-hl.iso      # UDF (if present)
```

Look for flags such as "Rock Ridge" (POSIX extensions) or "El Torito" (bootable) in the descriptor output. Note the volume ID, publisher, application ID, and creation date.

### 3.4. Mount the ISO (read-only)

**Linux**
```bash
sudo mkdir /mnt/emp-hl
sudo mount -o loop,ro emp-hl.iso /mnt/emp-hl
```

**Windows (PowerShell)**

```powershell
Mount-DiskImage -ImagePath .\emp-hl.iso
# Get the drive letter assigned:
Get-DiskImage -ImagePath .\emp-hl.iso | Get-Volume
```

**macOS**

```bash
hdiutil attach -readonly -mountpoint /Volumes/emp-hl emp-hl.iso
```

Always mount with the read-only flag to avoid accidental writes that could modify timestamps or file integrity.

### 3.5. Enumerate the File System

```bash
# Recursive tree view (Linux)
tree -a -L 5 /mnt/emp-hl > iso_tree.txt
```
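To show what steps 3.2 and 3.3 actually read from the image, here is an added Python example (not part of the original guide) that computes the three digests and parses the ISO-9660 volume descriptor set directly: the PVD fields the text says to note, the El Torito boot record, a Joliet supplementary descriptor and the UDF recognition sequence. The image is constructed in memory as a stand-in for emp-hl.iso; "SAMPLE PUBLISHER" and "SAMPLE AUTHORING TOOL" are placeholder values, and Rock Ridge is not checked because that requires reading the root directory's SUSP entries.

```python
import hashlib

SECTOR = 2048
JOLIET_ESCAPES = {b"%/@": 1, b"%/C": 2, b"%/E": 3}  # UCS-2 level announced by a Joliet SVD

def compute_hashes(image: bytes) -> dict:
    """The three digests the guide records (SHA-256, SHA-1, MD5)."""
    return {n: hashlib.new(n, image).hexdigest() for n in ("sha256", "sha1", "md5")}

def _text(field: bytes) -> str:
    return field.decode("ascii", "replace").rstrip(" \x00")

def parse_descriptors(image: bytes) -> dict:
    """Walk the descriptor set from sector 16; stop at the first unrecognised sector."""
    info = {"volume_id": None, "publisher": None, "application": None, "created": None,
            "joliet_level": None, "el_torito": False, "udf": False}
    sector = 16
    while (sector + 1) * SECTOR <= len(image):
        vd = image[sector * SECTOR:(sector + 1) * SECTOR]
        vtype, ident = vd[0], vd[1:6]
        sector += 1
        if ident in (b"BEA01", b"NSR02", b"NSR03", b"TEA01"):
            info["udf"] = True            # UDF volume recognition sequence (bridge disc)
        elif ident != b"CD001":
            break                         # zeros or data: descriptor area is over
        elif vtype == 0 and vd[7:30] == b"EL TORITO SPECIFICATION":
            info["el_torito"] = True      # boot record => bootable image
        elif vtype == 1:                  # primary volume descriptor (PVD)
            info["volume_id"] = _text(vd[40:72])
            info["publisher"] = _text(vd[318:446])
            info["application"] = _text(vd[574:702])
            info["created"] = _text(vd[813:829])  # YYYYMMDDHHMMSShh; tz byte at 829
        elif vtype == 2:                  # supplementary descriptor: Joliet if escape set
            info["joliet_level"] = JOLIET_ESCAPES.get(vd[88:91])
    return info

def _descriptor(vtype: int) -> bytearray:
    vd = bytearray(SECTOR)
    vd[0], vd[1:7] = vtype, b"CD001\x01"
    return vd

def build_sample_image() -> bytes:
    """Constructed image (not the real emp-hl.iso): system area + 4 descriptors + zeros."""
    boot, pvd, svd = _descriptor(0), _descriptor(1), _descriptor(2)
    boot[7:30] = b"EL TORITO SPECIFICATION"
    pvd[40:72], pvd[813:829] = b"EMP-HL".ljust(32), b"2024010112000000"
    pvd[318:446] = b"SAMPLE PUBLISHER".ljust(128)      # placeholder value
    pvd[574:702] = b"SAMPLE AUTHORING TOOL".ljust(128) # placeholder value
    svd[88:91] = b"%/E"
    return bytes(16 * SECTOR) + bytes(boot + pvd + svd + _descriptor(255)) + bytes(SECTOR)
```

Run `parse_descriptors(open("emp-hl.iso", "rb").read())` against a real image to compare the fields with the `isoinfo -d` output.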