LIST
ffmpeg -codecs # list all codecs
ffmpeg -encoders # list all encoders
ffmpeg -decoders # list all decoders
ffmpeg -formats # list all formats
TRIM
ffmpeg -accurate_seek -ss $SECONDS -i $FILE -frames:v 1 -quality 100 image.png # Extract frame to image
ffmpeg -i "${file}" -ss 00:00:30 -t 00:00:05 -codec copy ${fileout} # Extract a part a video from -ss for a duration -t
ffmpeg -i "${file}" -ss 00:00:00 -to 00:56:33 -c copy "${fileout}" # trim outside of -ss & -to
ffmpeg -f concat -safe 0 -i <(echo -e "file \"${file1}\"\nfile \"${file2}\"") -c copy ${fileout}
ffmpeg -i "concat:${file1}|${file2}" -codec copy "${fileout}" # join files
AUDIO & VIDEO
ffmpeg -i "${file}" -c:v libx265 -codec:a libopus -b:a 64k -vbr on -compression_level 10 "${path}/${file%.*}.mp4"
batch to encode audio & video
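# Batch: write one ffmpeg encode command per file under $path into a runnable script.
# Reads: path (search root)   Writes: path2 (generated script, made executable)
path="/ext/shared/Videos/ffmpeg"
# mktemp instead of /tmp/ffmpeg-batch-$(date +%s): a predictable name in a shared /tmp can be
# pre-created or symlinked by another local user, and this file is executed afterwards.
if path2=$(mktemp /tmp/ffmpeg-batch-XXXXXX); then
  # -print0 / -d '' keep names containing newlines intact; IFS= and -r keep spaces and backslashes.
  while IFS= read -r -d '' file; do
    # %q shell-quotes every argument, so a filename containing " $ ` or ; cannot inject commands
    # into the generated script (the old echo "\"${file}\"" form did not protect against that).
    printf 'ffmpeg -i %q -c:v libx265 -codec:a libopus -b:a 64k -vbr on -compression_level 10 %q\n' \
      "${file}" "${file%.*}-resized.mp4" >> "${path2}"
  done < <(find "${path}" -name "*.*" -print0)
  chmod +x "${path2}" && echo "Launch: ${path2}"
fi
# batch to encode audio video with crop & scale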
crop="W:H:X:Y"
scale="800x720"
scale="800:-1"
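# Batch: one crop+scale+h265 encode command per *.webm under $path, written into a runnable script.
# Reads: path (search root), crop, scale (filter settings assigned above)   Writes: path2 (generated script)
path="/home/nikita/Downloads/.tmp/ffmpeg"
# mktemp instead of /tmp/ffmpeg-batch-$(date +%s): a predictable name in a shared /tmp can be
# pre-created or symlinked by another local user, and this file is executed afterwards.
if path2=$(mktemp /tmp/ffmpeg-batch-XXXXXX); then
  # -print0 / -d '' keep names containing newlines intact; IFS= and -r keep spaces and backslashes.
  while IFS= read -r -d '' file; do
    # %q shell-quotes every argument, so a filename containing " $ ` or ; cannot inject commands
    # into the generated script (the old echo "\"${file}\"" form did not protect against that).
    printf 'ffmpeg -i %q -filter:v %q -c:v libx265 -codec:a libopus -b:a 64k -vbr on -compression_level 10 %q\n' \
      "${file}" "crop=${crop},scale=${scale}" "${file%.*}-resized.mp4" >> "${path2}"
  done < <(find "${path}" -name "*.webm" -print0)
  chmod +x "${path2}" && echo "Launch: ${path2}"
fi
# AUDIO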
# replace audio in video
ffmpeg -i "$file" -i "${file%.mp4}.opus" -c:v copy -c:a copy -map 0:v:0 -map 1:a:0 "${file%.mp4}-audio.mp4"
# batch to replace audio
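# Batch: for every *.mp4 under $path, mux the sibling .opus file as the audio track (video stream
# copied as-is); one ffmpeg command per file is written into a runnable script.
# Reads: path (search root)   Writes: path2 (generated script)
path="/home/nikita/Downloads/.tmp/ffmpeg"
# mktemp instead of /tmp/ffmpeg-batch-$(date +%s): a predictable name in a shared /tmp can be
# pre-created or symlinked by another local user, and this file is executed afterwards.
if path2=$(mktemp /tmp/ffmpeg-batch-XXXXXX); then
  # -print0 / -d '' keep names containing newlines intact; IFS= and -r keep spaces and backslashes.
  while IFS= read -r -d '' file; do
    # %q shell-quotes every argument, so a filename containing " $ ` or ; cannot inject commands
    # into the generated script (the old echo "\"${file}\"" form did not protect against that).
    printf 'ffmpeg -i %q -i %q -c:v copy -c:a copy -map 0:v:0 -map 1:a:0 %q\n' \
      "${file}" "${file%.mp4}.opus" "${file%.mp4}-audio.mp4" >> "${path2}"
  done < <(find "${path}" -name "*.mp4" -print0)
  chmod +x "${path2}" && echo "Launch: ${path2}"
fi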
# compress audio
ffmpeg -i "$file" -codec:a libopus -b:a 64k -vbr on -compression_level 10 "${file%.*}.opus"
# batch to compress audio
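# Batch: re-encode the audio track of every *.mp4 under $path to opus (video stream copied);
# one ffmpeg command per file is written into a runnable script.
# Reads: path (search root)   Writes: path2 (generated script)
path="/home/nikita/Downloads/.tmp/ffmpeg"
# mktemp instead of /tmp/ffmpeg-batch-$(date +%s): a predictable name in a shared /tmp can be
# pre-created or symlinked by another local user, and this file is executed afterwards.
if path2=$(mktemp /tmp/ffmpeg-batch-XXXXXX); then
  # -print0 / -d '' keep names containing newlines intact; IFS= and -r keep spaces and backslashes.
  while IFS= read -r -d '' file; do
    # %q shell-quotes every argument, so a filename containing " $ ` or ; cannot inject commands
    # into the generated script (the old echo "\"$file\"" form did not protect against that).
    printf 'ffmpeg -i %q -c:v copy -codec:a libopus -b:a 64k -vbr on -compression_level 10 %q\n' \
      "${file}" "${file%.mp4}-audio.mp4" >> "${path2}"
  done < <(find "${path}" -name "*.mp4" -print0)
  chmod +x "${path2}" && echo "Launch: ${path2}"
fi
# ENCODE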
ffmpeg -i "$file" -vn -acodec copy $file_out # extract audio
ffmpeg -i "$file" -filter:v scale=720:-1 -c:a copy "$file_out" # resize video; -1 asks ffmpeg to keep the proportion
ffmpeg -i "$file" -filter:v crop=w:h:x:y -c:a copy "$file_out" # crop to w-width:h-height:x-left:y-top, passthru audio
ffmpeg -i "$file" -filter:v crop=w:h:x:y -c:v libx265 -c:a copy "$file_out" # crop & encode with h265, passthru audio
ffmpeg -i "$file" -filter:v "crop=w:h:x:y,scale=w_max:h_max530" -c:v libx265 -c:a copy "$file_out" # crop > scale to max w_max/h_max (-1 keeps proportion), encode h265, passthru audio
OTHERS
ffmpeg -i $file -hide_banner # info
ffmpeg -accurate_seek -ss $SECONDS -i $FILE -frames:v 1 image.bmp # Extract frame to image
FFPROBE
get info from file
ffprobe -i $file
examples
create batch & launch it to crop, scale & encode files from file list
crop="W:H:X:Y"
scale="800x720"
scale="800:-1"
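# Batch: crop, scale and h265-encode every *.mp4 under $path (audio copied); the output lands next
# to the source as <name>-resized.mp4. One ffmpeg command per file is written into a runnable script.
# Reads: path (search root), crop, scale (filter settings assigned above)   Writes: path2 (generated script)
path="/home/nikita/_new/ffmpeg"
# mktemp instead of /tmp/ffmpeg-batch-$(date +%s): a predictable name in a shared /tmp can be
# pre-created or symlinked by another local user, and this file is executed afterwards.
if path2=$(mktemp /tmp/ffmpeg-batch-XXXXXX); then
  # -print0 / -d '' keep names containing newlines intact; IFS= and -r keep spaces and backslashes.
  while IFS= read -r -d '' file; do
    # dir/name instead of re-assigning path inside the loop, so the search root survives the run.
    name="${file##*/}"
    dir="${file%/*}"
    # %q shell-quotes every argument, so a filename containing " $ ` or ; cannot inject commands
    # into the generated script (the old echo "\"${file}\"" form did not protect against that).
    printf 'ffmpeg -i %q -filter:v %q -c:v libx265 -c:a copy %q\n' \
      "${file}" "crop=${crop},scale=${scale}" "${dir}/${name%.*}-resized.mp4" >> "${path2}"
  done < <(find "${path}" -name "*.mp4" -print0)
  chmod +x "${path2}" && echo "Launch: ${path2}"
fi
# create batch & launch it to only encode files searching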
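# Batch: h265-encode every *.mkv under $path (audio copied) into a sibling <name>.mp4;
# one ffmpeg command per file is written into a runnable script.
# Reads: path (search root)   Writes: path2 (generated script)
path="/home/nikita/_new/ffmpeg"
# mktemp instead of /tmp/ffmpeg-batch-$(date +%s): a predictable name in a shared /tmp can be
# pre-created or symlinked by another local user, and this file is executed afterwards.
if path2=$(mktemp /tmp/ffmpeg-batch-XXXXXX); then
  # -print0 / -d '' keep names containing newlines intact; IFS= and -r keep spaces and backslashes.
  while IFS= read -r -d '' file; do
    # dir/name instead of re-assigning path inside the loop, so the search root survives the run.
    name="${file##*/}"
    dir="${file%/*}"
    # %q shell-quotes every argument, so a filename containing " $ ` or ; cannot inject commands
    # into the generated script (the old echo "\"${file}\"" form did not protect against that).
    printf 'ffmpeg -i %q -c:v libx265 -c:a copy %q\n' \
      "${file}" "${dir}/${name%.*}.mp4" >> "${path2}"
  done < <(find "${path}" -name "*.mkv" -print0)
  chmod +x "${path2}" && echo "Launch: ${path2}"
fi
# AUDACITY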
Export /Export Audio/(external program)
ffmpeg -i - -codec:a libopus -b:a 64k -vbr on -compression_level 10 "%f" # only works without spaces in the file path
start
log mimikatz.log
lsadump
cd {$path_hive}
log c:\lsadump.log
lsadump::sam /system:SYSTEM /sam:SAM
exit
hivexsh
hivexsh [-options] [hivefile]
Provides a simple shell for navigating Windows Registry 'hive' files
options
-d # Enable lots of debug messages. If you find a Registry file that this program cannot parse, please enable this option and post the complete output and the Registry hive file in your bug report.
-f filename # Read commands from "filename" instead of stdin. To write a hivexsh script, use: #!/usr/bin/hivexsh -f
-u # Use heuristics to tolerate certain levels of corruption within hives. This is unsafe but may allow to export/merge valid keys/values in an otherwise corrupted hive.
-w # If this option is given, then writes are allowed to the hive (see "commit" command below, and the discussion of modifying hives in "WRITING TO HIVE FILES" in hivex(3)). Important Note: Even if you specify this option, nothing is written to a hive unless you call the "commit" command.  If you exit the shell without committing, all changes will be discarded. If this option is not given, then write commands are disabled.
commands
add name # Add a subkey named "name" below the current node.  The name may contain spaces and punctuation characters, and does not need to be quoted.
cd path # Change to the subkey "path".  Use Windows-style backslashes to separate path elements, and start with a backslash in order to start from the root of the hive.  For example:
close | unload # Close the currently loaded hive. If you modified the hive, all uncommitted writes are lost when you call this command (or if the shell exits).  You have to call "commit" to write changes.
commit [newfile] # Commit changes to the hive.  If the optional "newfile" parameter is supplied, then the hive is written to that file, else the original file is overwritten.
del # Delete the current node and everything beneath it.  The current directory is moved up one level (as if you did "cd ..") after this command.
exit | quit # Exit the shell.
load hivefile # Load the binary hive named "hivefile".  The currently loaded hive, if any, is closed.  The current directory is changed back to the root node.
ls # List the subkeys of the current hive Registry key.  Note this command does not take any arguments.
lsval [key] # List the (key, value) pairs of the current hive Registry key.  If no argument is given then all pairs are displayed.  If "key" is given, then the value of the named key is displayed.  If "@" is given, then the value of the default key is displayed.
setval nrvals # This command replaces all (key, value) pairs at the current node with the values in subsequent input.  "nrvals" is the number of values (ie. (key, value) pairs), and any existing values at this node are deleted.  So "setval 0" just deletes any values at the current node.
hivexget
hivexget hivefile PATH [NAME]
Get subkey from a Windows Registry binary "hive" file
example
hivexget ${path_hive}/SAM "SAM\Domains\Account\Users\000003E9" V
hivexml
hivexml [-dk] HIVE > FILE
Convert Windows Registry binary "hive" into XML
options
-d # Enable lots of debug messages.  If you find a Registry file that this program cannot parse, please enable this option and post the complete output and the Registry file in your bug report.
-k # Keep going even if we find errors in the Registry file.  This skips over any parts of the Registry that we cannot read.
-u # Use heuristics to tolerate certain levels of corruption within hives. This is unsafe but may allow to export/merge valid keys/values in an otherwise corrupted hive.
Install
sudo apt install -y libhivex-bin
https://helpmanual.io/man8/chntpw/
chntpw
chntpw [options] <samfile> [systemfile] [securityfile] [otherreghive] [...]
Utility to overwrite passwords of Windows systems
usage
chntpw -i $hive
options
-u username # Username or username ID (RID) to change. The default is 'Administrator'. 
-l # List all users in the SAM database and exit. 
-i # Interactive Menu system: list all users (as per -l option) and then ask for the user to change. 
-e # Registry editor with limited capabilities (but it does include write support). For a slightly more powerful editor see reged
-d # Use buffer debugger instead (hex editor)
-L # Log all changed filenames to /tmp/changed. When this option is set the program automatically saves the changes in the hive files without prompting the user. Be careful when using the -L option as a root user in a multiuser system. The filename is fixed and this can be used by malicious users (dropping a symlink with the same name) to overwrite system files.
-N # Do not allocate more information, only allow the editing of existing values with same size. 
-E # Do not expand the hive file (safe mode).
commands
hive [<n>] # list loaded hives or switch to hive number n
cd <key> # change current key
ls | dir [<key>] # show subkeys & values,
cat | type <value> # show key value
dpi <value> # show decoded DigitalProductId value
hex <value> # hexdump of value data
ck [<keyname>] # Show keys class data, if it has any
nk <keyname> # add key
dk <keyname> # delete key (must be empty)
ed <value> # Edit value
nv <type#> <valuename> # Add value
dv <valuename> # Delete value
delallv # Delete all values in current key
rdel <keyname> # Recursively delete key & subkeys
ek <filename> <prefix> <keyname> # export key to <filename> (Windows .reg file format)
debug # enter buffer hexeditor
st [<hexaddr>] # debug function: show struct info
q # quit
reged
reged [options] -x<registryhivefile><prefixstring><key><output.reg>
reged [options] -I<registryhivefile><prefixstring><input.reg>
reged [options] -e<registryhivefile>
Utility to export/import and edit a Windows registry hives
usage
reged -x SYSTEM 'HKEY_LOCAL_MACHINE\SYSTEM' 'ControlSet001\Control\Lsa\Skew1' test.reg
modes
-x <registryhivefile> <prefixstring> <key> <output.reg> # Xport. Where <prefixstring> for example is HKEY_LOCAL_MACHINE\SOFTWARE <key> is key to dump (recursively), \ or \\ means all keys in hive. Only one .reg and one hive file supported at the same time
-I <registryhivefile> <prefixstring> <input.reg> # Import from .reg file. Where <prefixstring> for example is HKEY_LOCAL_MACHINE\SOFTWARE. Only one .reg and one hive file supported at the same time
-e <registryhive> ... # Interactive edit one or more of registry files
options
-L # Log changed filenames to /tmp/changed, also auto-saves
-C # Auto-save (commit) changed hives without asking
-N # No allocate mode, only allow edit of existing values with same size
-E # No expand mode, do not expand hive file (safe mode)
-t # Debug trace of allocated blocks
-v # Some more verbose messages
sampasswd
sampasswd [options] -uuser <samfile>
Reset passwords of users in the SAM user database
options
-r # Reset the user's password. 
-a # Reset all the users. If this option is used there is no need to specify the next option. 
-u <user> # User to change. The user value can be provided as a username, or a RID number in hexadecimal (if the username is preceded with '0x').  
-l # Lists the users in the SAM database. 
-H # Output human readable output. The program by default will print a parsable table unless this option is used. 
-N # Do not allocate more information, only allow the editing of existing values with same size. 
-E # Do not expand the hive file (safe mode). 
-t # Print debug information of allocated blocks. 
-v # Print verbose information and debug messages.
Install
sudo apt install -y chntpw
xubuntu 20.04 - focal
virt-manager
host
<filesystem type="mount" accessmode="mapped" fmode="0660" dmode="0770">
  <source dir="/vms/share"/>
  <target dir="/hostshare"/>
  <address type="pci" domain="0x0000" bus="0x07" slot="0x00" function="0x0"/>
</filesystem>
#sudo usermod -G libvirtd -a $USER
sudo usermod -G libvirt-qemu -a $USER
hostpath=/vms/share
sudo chown -R libvirt-qemu:libvirt-qemu $hostpath
sudo setfacl -Rm g:libvirt-qemu:rwx $hostpath
sudo setfacl -d -Rm g:libvirt-qemu:rwx $hostpath
guest
sudo sh -c 'echo "9p
9pnet
9pnet_virtio" >> /etc/initramfs-tools/modules'
sudo update-initramfs -u
sudo sh -c 'echo "# qemu share
hostshare                                /share        9p     trans=virtio,version=9p2000.L,rw,umask=002    0 0" >> /etc/fstab'
global
install
update
sudo apt remove -y gimp* libreoffice-* thunderbird* transmission-gtk
sudo apt update
sudo apt list --upgradable
sudo apt -y dist-upgrade
sudo apt -y autoremove
system
sudo apt install -y binutils-common bsdmainutils curl debconf-utils exfat git gnupg2 gparted hfsprogs htop kpartx lnav most net-tools p7zip-full p7zip-rar pv rar sysstat testdisk tmux tree unrar vim xsysinfo # openssh-server
sudo apt install -y dconf-editor firefox-locale-fr galculator gpicview meld plank qt5ct qt5-gtk2-platformtheme thunar-media-tags-plugin tumbler-plugins-extra
conf
qt5-ct to fusion
global
sudo swapoff -av && sudo sh -c 'echo vm.swappiness=10 > /etc/sysctl.d/99-swappiness.conf' # limit swap
sudo rm /etc/localtime && sudo ln -sv /usr/share/zoneinfo/Etc/UTC /etc/localtime
software-properties-gtk # add canonical partners
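# Make Qt apps follow the GTK2 theme now, and persist that plus the Java anti-aliasing/look-and-feel
# options in ~/.profile for future logins.
export QT_QPA_PLATFORMTHEME=gtk2
# printf rather than echo: bash's builtin echo does not interpret \n without -e, so the original
# line appended a literal "\n# QT\nexport ..." to ~/.profile, which fails when the file is sourced.
printf '\n# QT\nexport QT_QPA_PLATFORMTHEME=gtk2\n' >> ~/.profile
# Single-quoted format keeps ${_JAVA_OPTIONS} literal so it is expanded at login, not here.
printf '\n#JAVA\nexport _JAVA_OPTIONS="-Dawt.useSystemAAFontSettings=on -Dswing.aatext=true -Dswing.defaultlaf=com.sun.java.swing.plaf.gtk.GTKLookAndFeel -Dswing.crossplatformlaf=com.sun.java.swing.plaf.gtk.GTKLookAndFeel ${_JAVA_OPTIONS}"\n' >> ~/.profile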
menulibre # edit menu
path=~/.config/autostart
[ -d ${path} ] || mkdir ${path}
echo '[Desktop Entry]
Encoding=UTF-8
Version=0.9.4
Type=Application
Name=plank
Comment=plank
Exec=plank
OnlyShowIn=XFCE;
RunHook=0
StartupNotify=false
Terminal=false
Hidden=false' > ${path}/plank.desktop
plank --preferences &
trans
# HOST
path=/vms/share/trans; [ -d ${path} ] || mkdir -p ${path}
cp -r ~/dev/ /vms/share/trans/
# GUEST
path=~/.local/share/icons; [ -d ${path} ] || mkdir -p ${path}
path=~/.local/share/applications; [ -d ${path} ] || mkdir -p ${path}
path=/share/trans/dev
path_conf=${path}/install-desktop/conf
cp ${path_conf}/foralyse/.bashrc ~/
cp ${path_conf}/foralyse/.bash_alias ~/
sudo cp ${path_conf}/foralyse/.bashrc /root/
sudo cp ${path_conf}/foralyse/.bash_alias /root/
cp ${path}/install/conf/foralyse/.vimrc ~/
sudo cp ${path}/install/conf/vim/* /usr/share/vim/vim*/colors/
sudo cp ${path_conf}/soft/meld-dark.xml /usr/share/meld/styles/
sudo cp ${path_conf}/wp/* /usr/share/xfce4/backdrops/
sudo cp ${path_conf}/bash-completion/* /usr/share/bash-completion/completions/
sudo cp ${path_conf}/icons/tmux.svg /usr/share/icons/default/
sudo cp ${path_conf}/foralyse/xfce4-terminal-tmux.desktop ~/.local/share/applications/
cp ${path_conf}/foralyse/xfce4-terminal-tmux.desktop ~/.local/share/applications/
cp ${path_conf}/icons/* ~/.local/share/icons
sudo ln -sv /usr/share/bash-completion/completions/tmux.git /usr/share/bash-completion/completions/tmux
sudo chmod +r /usr/share/icons/default/tmux.svg
sudo chmod +r /usr/share/bash-completion/completions/tmux*
sudo chmod +r /usr/share/xfce4/backdrops/*
sublime text
file="/etc/hosts"
sudo sh -c "echo '\n# sublime-text hack\n127.0.0.1\tsublimetext.com\n127.0.0.1\twww.sublimetext.com\n127.0.0.1\tlicense.sublimehq.com' >> ${file}"
ips="45.55.255.55"
for ip in ${ips}; do sudo iptables -A OUTPUT -d ${ip} -j DROP; done
path=/etc/iptables
[ -d "${path}" ] || sudo mkdir "${path}"
sudo sh -c 'iptables-save > /etc/iptables/rules.v4'
cat ${S_PATH_INSTALL_CONF}/soft/sublime-text.license
forensic
global
# network
sudo apt install -y whois
# pwd & evtx & process
sudo apt install -y john libscca-utils pev radare2
# hive
sudo apt install -y libhivex-bin chntpw reglookup
# gui
sudo apt install -y bless geany ghex gpicview gtkhash wxhexeditor
conf
bless
cp /usr/share/bless/*.layout ~/.config/bless/layouts/
kali
#sudo sh -c "echo '# kali\ndeb http://http.kali.org/kali kali-rolling main non-free contrib' > /etc/apt/sources.list.d/kali.list
#wget -q -O - archive.kali.org/archive-key.asc | sudo apt-key add -
#sudo apt update
#sed -i '/^deb/ s|^|#|' /etc/apt/sources.list.d/kali.list
#sudo apt update
python
sudo apt-get install -y python3 python3-pip
. ~/.profile
sudo apt-get install -y python2 # python2-dev
cd /tmp && curl -sSL https://bootstrap.pypa.io/pip/2.7/get-pip.py -o get-pip.py
python2 get-pip.py
pip2
python2 -m pip install -U balbuzard
pip3
python3 -m pip install -U malcarve regrippy
binwalk
dependencies
sudo apt install mtd-utils gzip bzip2 tar arj lhasa p7zip p7zip-full cabextract cramfsswap squashfs-tools lzop srecord
python3 -m pip install -U nose coverage pycryptodome pyqtgraph capstone matplotlib
. ~/.profile
github
# Install sasquatch to extract non-standard SquashFS images
sudo apt install -y zlib1g-dev liblzma-dev liblzo2-dev
cd /tmp && git clone https://github.com/devttys0/sasquatch
cd sasquatch && ./build.sh
# Install jefferson to extract JFFS2 file systems
python3 -m pip install -U cstruct
cd /tmp && git clone https://github.com/sviehb/jefferson
cd jefferson && sudo python3 setup.py install
# Install ubi_reader to extract UBIFS file systems
sudo apt install -y liblzo2-dev
python3 -m pip install -U python-lzo
cd /tmp && git clone https://github.com/jrspruitt/ubi_reader
cd ubi_reader && sudo python3 setup.py install
# Install yaffshiv to extract YAFFS file systems
cd /tmp && git clone https://github.com/devttys0/yaffshiv
cd yaffshiv && sudo python3 setup.py install
# Install unstuff (closed source) to extract StuffIt archive files; it is fetched over plain HTTP with no checksum or signature, so verify the archive before copying the binary into /usr/local/bin
cd /tmp && curl -sS http://downloads.tuxfamily.org/sdtraces/stuffit520.611linux-i386.tar.gz | tar -zxv
sudo cp bin/unstuff /usr/local/bin/
pandoc
# sudo apt install pandoc texlive-latex-base texlive-latex-recommended texlive-latex-extra
# pandoc -s -o $fileout $filein
binwalk
cd /tmp && git clone https://github.com/ReFirmLabs/binwalk
cd binwalk && sudo python3 setup.py install
regripper
sudo apt-get install -y libparse-win32registry-perl
path=$(find /usr/share -name Win32Registry)
cd /usr/share && sudo git clone https://github.com/keydet89/RegRipper3.0.git 
sudo mv RegRipper3.0 regripper
for file in WinNT/File.pm WinNT/Key.pm Base.pm; do sudo mv ${path}/${file} ${path}/${file}.$(date +%s); sudo ln -sv /usr/share/regripper/${file##*/} ${path}/${file}; done
cd regripper
sudo cp -a rip.pl rip.pl.$(date +%s)
sudo sed -i '/^my @alerts = ();/a my \$plugindir = "/usr/share/regripper/plugins/";' rip.pl
sudo sed -i "1c #! $(which perl)\nuse lib qw(/usr/lib/perl5/);" rip.pl
sudo chmod +x rip.pl
sudo ln -sv /usr/share/regripper/rip.pl /usr/bin/regripper
sudo ln -sv /usr/share/regripper/rip.pl /usr/bin/rip
volatility
volatility3
python3 -m pip install -U pefile yara-python capstone pycryptodome jsonschema leechcorepyc python-snappy
python3 -m pip install -U volatility3
cd ~/.local/bin && ln -sv vol vol3
volatility2
https://github.com/volatilityfoundation/volatility/wiki/Installation
sudo apt -y install pcregrep libpcre++-dev python-dev
python2 -m pip install distorm3 ipython openpyxl pycrypto pytz ujson yara-python
libforensic1394
sudo apt install -y cmake
cd /tmp
git clone https://github.com/FreddieWitherden/libforensic1394
cd libforensic1394
mkdir build && cd build
cmake -G"Unix Makefiles" ../
sudo make install
cd ../python
sudo python setup.py install
sudo ln -sv /usr/local/lib/libforensic1394.so.0.3.0 /usr/lib/libforensic1394.so.2
cd
sudo rm -fR /tmp/libforensic1394
sudo apt remove cmake
sudo apt autoremove
volatility
cd /opt
git clone https://github.com/volatilityfoundation/volatility.git
cd volatility
rm -fR .git
sudo python setup.py install
cd /usr/local/bin
sudo ln -sv vol.py vol2
vol2 -h
wireshark
sudo add-apt-repository -y ppa:wireshark-dev/stable
sudo apt update
sudo apt install -y tshark wireshark
autopsy
global
path_share=/share
sudo apt-get update
sudo apt install -y afflib-tools testdisk ewf-tools xmount fdupes java-common
sudo apt-get install -y imagemagick libde265-0 libheif1
java
java_file=$(ls ${path_share}/jdk-8*linux-x64.tar.gz)
file=/usr/local/bin/oracle-java-installer.sh
sudo curl -sS https://raw.githubusercontent.com/labcif/oracle-java-installer/master/oracle-java-installer.sh -o ${file}
#sudo sed -i s'/update-java-alternatives -a/update-alternatives --auto java/' /usr/local/bin/oracle-java-installer.sh
#sudo sed -i s'/update-java-alternatives -l/update-alternatives --list java/' /usr/local/bin/oracle-java-installer.sh
sudo sed -i 's|tar -xvzf|tar -xzf|' /usr/local/bin/oracle-java-installer.sh
sudo chmod +x ${file}
sudo ${file} --install ${java_file}
. /etc/profile.d/jdk.sh
${file} --status ${java_file}
base64sha
file=/usr/local/bin/b64sha
sudo curl -sS https://raw.githubusercontent.com/labcif/Base64SHA/master/b64sha -o ${file}
sudo chmod +x ${file}
sleuthkit
sleuthkit_file=$(ls ${path_share}/sleuthkit-java_*_amd64.deb)
read sleuthkit_version_major sleuthkit_version_minor <<<$(echo ${sleuthkit_file}|sed 's|^.*/sleuthkit-java_\([0-9_\.]\+\)-\([0-9]\)_amd64.deb|\1 \2|')
sudo apt install ${sleuthkit_file}
autopsy
file=$(ls ${path_share}/autopsy-*.zip)
path=${file%.zip} && path=/opt/${path##*/}
sudo unzip -q -d /opt/ ${file}
sudo chown -R ${USER}:${USER} ${path}
cd /opt && sudo ln -sv ${path##*/} autopsy
cd ${path}
sh unix_setup.sh
ln -sv ${path}/bin/autopsy ~/.local/bin/autopsy
autopsy --nosplash
launcher
echo "[Desktop Entry]
Version=1.0
Type=Application
Terminal=false
Icon=/opt/autopsy/icon.ico
Name=Autopsy
Exec=autopsy" > ~/.local/share/applications/autopsy.desktop
addons
ReportModules / ForensicExpertWitnessReport
https://github.com/chriswipat/forensic_expert_witness_report_module
IngestModules / FileHistory
https://medium.com/@markmckinnon_80619/windows-file-history-plugin-a6208da4efa5
IngestModules / Volatility
https://markmckinnon-80619.medium.com/volatility-autopsy-plugin-module-8beecea6396
install
python3 -m pip install -U pip
python3 -m pip install -U volatility3
cd /usr/local/bin && sudo ln -sv vol vol3; cd
help
volatility [-h] [-c CONFIG] [--parallelism [{processes,threads,off}]] [-e EXTEND] [-p PLUGIN_DIRS] [-s SYMBOL_DIRS] [-v] [-l LOG] [-o OUTPUT_DIR] [-q]
[-r RENDERER] [-f FILE] [--write-config] [--clear-cache] [--cache-path CACHE_PATH] [--offline] [--single-location SINGLE_LOCATION]            
[--stackers [STACKERS [STACKERS ...]]] [--single-swap-locations [SINGLE_SWAP_LOCATIONS [SINGLE_SWAP_LOCATIONS ...]]]
              plugin ...
An open-source memory forensics framework
-c CONFIG, --config CONFIG # Load the configuration from a json file
--parallelism [{processes,threads,off}] # Enables parallelism (defaults to off if no argument given)
-e EXTEND, --extend EXTEND # Extend the configuration with a new (or changed) setting
-p PLUGIN_DIRS, --plugin-dirs PLUGIN_DIRS # Semi-colon separated list of paths to find plugins
-s SYMBOL_DIRS, --symbol-dirs SYMBOL_DIRS # Semi-colon separated list of paths to find symbols
-v, --verbosity # Increase output verbosity
-l LOG, --log LOG # Log output to a file as well as the console
-o OUTPUT_DIR, --output-dir OUTPUT_DIR # Directory in which to output any generated files
-q, --quiet # Remove progress feedback
-r RENDERER, --renderer RENDERER # Determines how to render the output (quick, csv, pretty, json, jsonl)
-f FILE, --file FILE # Shorthand for --single-location=file:// if single-location is not defined 
--write-config # Write configuration JSON file out to config.json
--clear-cache # Clears out all short-term cached items
--cache-path CACHE_PATH # Change the default path (/home/tsurugi/.cache/volatility3) used to store the cache
--offline # Do not search online for additional JSON files
--single-location SINGLE_LOCATION # Specifies a base location on which to stack
--stackers [STACKERS [STACKERS ...]] # List of stackers
--single-swap-locations [SINGLE_SWAP_LOCATIONS [SINGLE_SWAP_LOCATIONS ...]] # Specifies a list of swap layer URIs for use with single-location
windows
windows.bigpools.BigPools # List big page pools
windows.cachedump.Cachedump # Dumps lsa secrets from memory
windows.callbacks.Callbacks # Lists kernel callbacks and notification routines
windows.cmdline.CmdLine # Lists process command line arguments
windows.crashinfo.Crashinfo
windows.dlllist.DllList # Lists the loaded modules in a particular windows memory image
windows.driverirp.DriverIrp # List IRPs for drivers in a particular windows memory image
windows.driverscan.DriverScan # Scans for drivers present in a particular windows memory image
windows.dumpfiles.DumpFiles # Dumps cached file contents from Windows memory samples
windows.envars.Envars # Display process environment variables
windows.filescan.FileScan # Scans for file objects present in a particular windows memory image
windows.getservicesids.GetServiceSIDs # Lists process token sids
windows.getsids.GetSIDs # Print the SIDs owning each process
windows.handles.Handles # Lists process open handles
windows.hashdump.Hashdump # Dumps user hashes from memory
windows.info.Info # Show OS & kernel details of the memory sample being analyzed
windows.lsadump.Lsadump # Dumps lsa secrets from memory
windows.malfind.Malfind # Lists process memory ranges that potentially contain injected code
windows.memmap.Memmap # Prints the memory map
windows.modscan.ModScan # Scans for modules present in a particular windows memory image.
windows.modules.Modules # Lists the loaded kernel modules
windows.mutantscan.MutantScan # Scans for mutexes present in a particular windows memory image
windows.netscan.NetScan # Scans for network objects present in a particular windows memory image
windows.netstat.NetStat # Traverses network tracking structures present in a particular windows memory image.
windows.poolscanner.PoolScanner # A generic pool scanner plugin
windows.privileges.Privs # Lists process token privileges
windows.pslist.PsList # Lists the processes present in a particular windows memory image
windows.psscan.PsScan # Scans for processes present in a particular windows memory image
windows.pstree.PsTree # Plugin for listing processes in a tree based on their parent process ID
windows.registry.certificates.Certificates # Lists the certificates in the registry's Certificate Store
windows.registry.hivelist.HiveList # Lists the registry hives present in a particular memory image
windows.registry.hivescan.HiveScan # Scans for registry hives present in a particular windows memory image.
windows.registry.printkey.PrintKey # Lists the registry keys under a hive or specific key value
windows.registry.userassist.UserAssist # Print userassist registry keys and information
windows.skeleton_key_check.Skeleton_Key_Check # Looks for signs of Skeleton Key malware
windows.ssdt.SSDT # Lists the system call table
windows.statistics.Statistics
windows.strings.Strings # Reads output from the strings command and indicates which process(es) each string belongs to
windows.svcscan.SvcScan # Scans for windows services
windows.symlinkscan.SymlinkScan # Scans for links present in a particular windows memory image
windows.vadinfo.VadInfo # Lists process memory ranges
windows.vadyarascan.VadYaraScan # Scans all the Virtual Address Descriptor memory maps using yara
windows.verinfo.VerInfo # Lists version information from PE files
windows.virtmap.VirtMap # Lists virtual mapped sections
linux
linux.bash.Bash # Recovers bash command history from memory
linux.check_afinfo.Check_afinfo # Verifies the operation function pointers of network protocols
linux.check_creds.Check_creds # Checks if any processes are sharing credential structures
linux.check_idt.Check_idt # Checks if the IDT has been altered
linux.check_modules.Check_modules # Compares module list to sysfs info, if available
linux.check_syscall.Check_syscall # Check system call table for hooks
linux.elfs.Elfs # Lists all memory mapped ELF files for all processes
linux.keyboard_notifiers.Keyboard_notifiers # Parses the keyboard notifier call chain
linux.kmsg.Kmsg # Kernel log buffer reader
linux.lsmod.Lsmod # Lists loaded kernel modules
linux.lsof.Lsof # Lists all memory maps for all processes
linux.malfind.Malfind # Lists process memory ranges that potentially contain injected code
linux.proc.Maps # Lists all memory maps for all processes
linux.pslist.PsList # Lists the processes present in a particular linux memory image
linux.pstree.PsTree # Plugin for listing processes in a tree based on their parent process ID
linux.tty_check.tty_check # Checks tty devices for hooks
mac
mac.bash.Bash # Recovers bash command history from memory
mac.check_syscall.Check_syscall # Check system call table for hooks
mac.check_sysctl.Check_sysctl # Check sysctl handlers for hooks
mac.check_trap_table.Check_trap_table # Check mach trap table for hooks
mac.ifconfig.Ifconfig # Lists loaded kernel modules
mac.kauth_listeners.Kauth_listeners # Lists kauth listeners and their status
mac.kauth_scopes.Kauth_scopes # Lists kauth scopes and their status
mac.kevents.Kevents # Lists event handlers registered by processes
mac.list_files.List_Files # Lists all open file descriptors for all processes
mac.lsmod.Lsmod # Lists loaded kernel modules
mac.lsof.Lsof # Lists all open file descriptors for all processes
mac.malfind.Malfind # Lists process memory ranges that potentially contain injected code
mac.mount.Mount # A module containing a collection of plugins that produce data typically found in Mac's mount command
mac.netstat.Netstat # Lists all network connections for all processes
mac.proc_maps.Maps # Lists process memory ranges that potentially contain injected code
mac.psaux.Psaux # Recovers program command line arguments
mac.pslist.PsList # Lists the processes present in a particular mac memory image
mac.pstree.PsTree # Plugin for listing processes in a tree based on their parent process ID
mac.socket_filters.Socket_filters # Enumerates kernel socket filters
mac.timers.Timers # Check for malicious kernel timers
mac.trustedbsd.Trustedbsd # Checks for malicious trustedbsd modules
mac.vfsevents.VFSevents # Lists processes that are filtering file system events
others
banners.Banners # Attempts to identify potential linux banners in an image
configwriter.ConfigWriter # Runs the automagics and both prints and outputs configuration in the output directory
frameworkinfo.FrameworkInfo # Plugin to list the various modular components of Volatility
isfinfo.IsfInfo # Determines information about the currently available ISF files, or a specific one
layerwriter.LayerWriter # Runs the automagics and writes out the primary layer produced by the stacker
timeliner.Timeliner # Runs all relevant plugins that provide time related information and orders the results by time
yarascan.YaraScan # Scans kernel memory using yara rules (string or file)
windows notifications
file=/vol6/Users/Angela/AppData/Local/Microsoft/Windows/Notifications/wpndatabase.db
sqlitebrowser ${file}
SELECT datetime((ArrivalTime/10000000)-11644473600, 'unixepoch') AS ArrivalTime,
datetime((ExpiryTime/10000000)-11644473600, 'unixepoch') AS ExpiryTime,
Type, HandlerId, Notification.Id, Payload, Tag, 'Group', 'Order', PrimaryId, HandlerType, WNFEventName, CreatedTime as HandlerCreatedTime, ModifiedTime as HandlerModifiedTime
FROM Notification LEFT JOIN NotificationHandler ON Notification.HandlerId = NotificationHandler.RecordId
regripper [-r Reg hive file] [-f profile] [-p plugin] [options]
Parse Windows Registry files, using either a single module, or a profile
Special
regripper -l -c|sort|column -t -s, # show plugins list in table sorted by plugins
regripper -l -c|sort -t, -k3 -k1|column -t -s, # show plugins list in table sorted by hive/plugins
regripper -p winver -r SOFTWARE # get version of windows
regripper -p timezone -r SYSTEM # get timezone information about SYSTEM hive
regripper -a -r SYSTEM # get full analysis for SYSTEM hive
Useful
-a # Automatically run hive-specific plugins 
-l # list all plugins
-f [profile] # use the profile 
-p [plugin] # use the plugin
All
-r [hive] # Registry hive file to parse
-d # Check to see if the hive is dirty 
-g # Guess the hive file type 
-a # Automatically run hive-specific plugins 
-aT # Automatically run hive-specific TLN plugins 
-f [profile] # use the profile 
-p [plugin] # use the plugin
-l # list all plugins
-c # Output plugin list in CSV format (use with -l)
-s systemname # system name (TLN support)
-u username # User name (TLN support)
-uP # Update default profiles
Plugins
adobe                   20200522  NTUSER.DAT               Gets user's Adobe app cRecentFiles values
allowedenum             20200511  NTUSER.DAT Software      Extracts AllowedEnumeration values to determine hidden special folders
amcache                 20200515  amcache                  Parse AmCache.hve file
amcache_tln             20180311  amcache                  Parse AmCache.hve file
appassoc                20200515  NTUSER.DAT               Gets contents of user's ApplicationAssociationToasts key
appcertdlls             20200427  System                   Get entries from AppCertDlls key
appcompatcache          20200428  System                   Parse files from System hive AppCompatCache
appcompatcache_tln      20190112  System                   Parse files from System hive AppCompatCache
appcompatflags          20200525  NTUSER.DAT Software      Extracts AppCompatFlags for Windows.
appinitdlls             20200427  Software                 Gets contents of AppInit_DLLs value
appkeys                 20200517  NTUSER.DAT Software      Extracts AppKeys entries.
appkeys_tln             20180920  NTUSER.DAT Software      Extracts AppKeys entries.
applets                 20200525  NTUSER.DAT               Gets contents of user's Applets key
applets_tln             20120613  NTUSER.DAT               Gets contents of user's Applets key (TLN)
apppaths                20200511  NTUSER.DAT Software      Gets content of App Paths subkeys
apppaths_tln            20130429  NTUSER.DAT Software      Gets content of App Paths subkeys (TLN)
appspecific             20200515  NTUSER.DAT               Gets contents of user's Intellipoint\AppSpecific subkeys
appx                    20200427  NTUSER.DAT USRCLASS.DAT  Checks for persistence via Universal Windows Platform Apps
appx_tln                20191014  NTUSER.DAT USRCLASS.DAT  Checks for persistence via Universal Windows Platform Apps
arpcache                20200515  NTUSER.DAT               Retrieves CurrentVersion\App Management\ARPCache entries
at                      20200525  Software                 Checks Software hive for AT jobs
attachmgr               20200525  NTUSER.DAT               Checks user's keys that manage the Attachment Manager functionality
attachmgr_tln           20130425  NTUSER.DAT               Checks user's keys that manage the Attachment Manager functionality (TLN)
at_tln                  20140821  Software                 Checks Software hive for AT jobs
audiodev                20200525  Software                 Gets audio capture/render devices
auditpol                20200515  Security                 Get audit policy from the Security hive file
backuprestore           20200517  System                   Gets the contents of the FilesNotToSnapshot, KeysNotToRestore, and FilesNotToBackup keys
bam                     20200427  System                   Parse files from System hive BAM Services
bam_tln                 20180225  System                   Parse files from System hive BAM Services
base                    20200427  All                      Parse base info from hive
baseline                20130211  All                      Scans a hive file, checking sizes of binary value data
btconfig                20200526  Software                 Determines BlueTooth devices 'seen' by BroadComm drivers
bthenum                 20200515  System                   Get BTHENUM subkey info
bthport                 20200517  System                   Gets Bluetooth-connected devices from System hive
bthport_tln             20180705  System                   Gets Bluetooth-connected devices from System hive; TLN output
cached                  20200525  NTUSER.DAT               Gets cached Shell Extensions from NTUSER.DAT hive
cached_tln              20150608  NTUSER.DAT               Gets cached Shell Extensions from NTUSER.DAT hive (TLN)
calibrator              20200427  Software                 Checks DisplayCalibrator value (possible bypass assoc with LockBit ransomware)
clsid                   20200526  Software USRCLASS.DAT    Get list of CLSID/registered classes
clsid_tln               20200526  Software USRCLASS.DAT    Get list of CLSID/registered classes
cmdproc                 20200515  NTUSER.DAT               Autostart - get Command Processor\AutoRun value from NTUSER.DAT hive
cmdproc_tln             20130425  NTUSER.DAT               Autostart - get Command Processor\AutoRun value from NTUSER.DAT hive (TLN)
cmd_shell               20200515  Software                 Gets shell open cmds for various file types
codepage                20200519  system                   Checks codepage value
comdlg32                20200517  NTUSER.DAT               Gets contents of user's ComDlg32 key
compdesc                20200511  NTUSER.DAT               Gets contents of user's ComputerDescriptions key
compname                20090727  System                   Gets ComputerName and Hostname values from System hive
cred                    20200427  system                   Checks for UseLogonCredential value
cred_tln                20200402  system                   Checks UseLogonCredential value
dafupnp                 20200525  System                   Parses data from networked media streaming devices
dcom                    20200525  Software                 Check DCOM Ports
ddo                     20140414  NTUSER.DAT               Gets user's DeviceDisplayObjects key contents
defender                20200427  Software                 Get Windows Defender settings
del                     20200515  All                      Parse hive, print deleted keys/values
del_tln                 20190506  All                      Parse hive, print deleted keys/values
devclass                20200525  System                   Get USB device info from the DeviceClasses keys in the System hive
direct                  20200515  Software                 Searches Direct* keys for MostRecentApplication subkeys
direct_tln              20190911  Software                 Searches Direct* keys for MostRecentApplication subkeys (TLN)
disablelastaccess       20200517  System                   Get NTFSDisableLastAccessUpdate value
disablemru              20190924  NTUSER.DAT Software      Checks settings disabling user's MRUs
disableremotescm        20200513  System                   Gets DisableRemoteScmEndpoints value from System hive
disablesr               20200515  Software                 Gets the value that turns System Restore either on or off
drivers32               20200525  Software                 Get values from the Drivers32 key
emdmgmt                 20200511  Software                 Gets contents of EMDMgmt subkeys and values
environment             20200512  System NTUSER.DAT        Get environment vars from NTUSER.DAT & System hives
execpolicy              20200517  Software                 Gets PowerShell Execution Policy
featureusage            20200511  NTUSER.DAT               Extracts user's FeatureUsage data.
fileless                20200525  All                      Scans a hive file looking for fileless malware entries
findexes                20200525  All                      Scans a hive file looking for binary value data that contains MZ
gpohist                 20200525  Software NTUSER.DAT      Collects system/user GPO history
gpohist_tln             20150529  Software NTUSER.DAT      Collects system/user GPO history (TLN)
heap                    20200427  Software                 Checks HeapLeakDetection\DiagnosedApplications Subkeys
heidisql                20201227  NTUSER.DAT               Gets user's heidisql data
ica_sessions            20200528  Software                 ARETE ONLY - Extracts Citrix ICA Session info
identities              20200525  NTUSER.DAT               Extracts values from Identities key; NTUSER.DAT
imagedev                20140104  System                    -- 
imagefile               20200515  Software                 Checks ImageFileExecutionOptions subkeys values
injectdll64             20200427  NTUSER.DAT Software      Retrieve values set to weaken Chrome security
inprocserver            20200427  Software                 Checks CLSID InProcServer32 values for indications of malware
installer               20200517  Software                 Determines product install information
ips                     20200518  System                   Get IP Addresses and domains (DHCP, static)
jumplistdata            20200517  NTUSER.DAT               Gets contents of user's JumpListData key
killsuit                20200427  Software                 Check for indications of Danderspritz Killsuit installation
killsuit_tln            20200414  Software                 Check for indications of Danderspritz Killsuit installation
knowndev                20200515  NTUSER.DAT               Gets user's KnownDevices key contents
landesk                 20200517  Software                 Get list of programs monitored by LANDESK - Software hive
landesk_tln             20130214  Software                 Get list of programs monitored by LANDESK from Software hive
lastloggedon            20200517  Software                 Gets LastLoggedOn* values from LogonUI key
licenses                20200526  Software                 Get contents of HKLM/Software/Licenses key
listsoft                20200517  NTUSER.DAT               Lists contents of user's Software key
load                    20200517  NTUSER.DAT               Gets load and run values from user hive
logonstats              20200517  NTUSER.DAT               Gets contents of user's LogonStats key
lsa                     20200517  System                   Lists specific contents of LSA key
lxss                    20200511  NTUSER.DAT               Gets WSL config.
lxss_tln                20140723  NTUSER.DAT               Gets WSL config.
macaddr                 20200515  System Software           -- 
mixer                   20200517  NTUSER.DAT               Checks user's audio mixer settings
mixer_tln               20141112  NTUSER.DAT               Checks user's audio mixer info
mmc                     20200517  NTUSER.DAT               Get contents of user's MMC\Recent File List key
mmc_tln                 20120828  NTUSER.DAT               Get contents of user's MMC\Recent File List key (TLN)
mmo                     20200517  NTUSER.DAT               Checks NTUSER for Multimedia\Other values [malware]
mndmru                  20200517  NTUSER.DAT               Get contents of user's Map Network Drive MRU
mndmru_tln              20120829  NTUSER.DAT               Get user's Map Network Drive MRU (TLN)
mountdev                20200517  System                   Return contents of System hive MountedDevices key
mountdev2               20200517  System                   Return contents of System hive MountedDevices key
mp2                     20200526  NTUSER.DAT               Gets user's MountPoints2 key contents
mp2_tln                 20200525  NTUSER.DAT               Gets user's MountPoints2 key contents
mpmru                   20200517  NTUSER.DAT               Gets user's Media Player RecentFileList values
msis                    20200517  Software                 Determine MSI packages installed on the system
msoffice                20200518  NTUSER.DAT               Get user's MSOffice content
msoffice_tln            20200518  NTUSER.DAT               Get user's MSOffice content
muicache                20200525  NTUSER.DAT USRCLASS.DAT  Gets EXEs from user's MUICache key
muicache_tln            20130425  NTUSER.DAT USRCLASS.DAT  Gets EXEs from user's MUICache key (TLN)
nation                  20200517  ntuser.dat               Gets region information from HKCU
netlogon                20200515  System                   Parse values for machine account password changes
netsh                   20200515  Software                 Gets list of NetSH helper DLLs
networkcards            20200518  Software                 Get NetworkCards Info
networklist             20200518  Software                 Collects network info from NetworkList key
networklist_tln         20150812  Software                 Collects network info from NetworkList key (TLN)
networksetup2           20191004  System                   Get NetworkSetup2 subkey info
nic2                    20200525  System                   Gets NIC info from System hive
ntds                    20200427  System                   Parse Services NTDS key for specific persistence values
null                    20160119  All                      Check key/value names in a hive for leading null char
oisc                    20091125  NTUSER.DAT               Gets contents of user's Office Internet Server Cache
onedrive                20200515  NTUSER.DAT               Gets contents of user's OneDrive key
onedrive_tln            20190823  NTUSER.DAT               Gets contents of user's OneDrive key
osversion               20200511  NTUSER.DAT               Checks for OSVersion value
osversion_tln           20120608  NTUSER.DAT               Checks for OSVersion value (TLN)
outlook_homepage        20201002  NTUSER.DAT Software      Retrieve values set to attack Outlook WebView Homepage
pagefile                20140505  System                   Get info on pagefile(s)
pending                 20130711  System                   Gets contents of PendingFileRenameOperations value
pendinggpos             20200427  NTUSER.DAT               Gets contents of user's PendingGPOs key
photos                  20200525  USRCLASS.DAT             Shell/BagMRU traversal in Win7 USRCLASS.DAT hives
Plugin                  Version   Hive                     Description
portdev                 20090118  Software                 Parses Windows Portable Devices key contents
powershellcore          20200525  Software                 Extracts PowerShellCore settings
prefetch                20200515  System                   Gets the Prefetch Parameters
printdemon              20200514  Software                 Gets value assoc with printer ports and descriptions
printmon                20200427  System                   Lists installed Print Monitors
printmon_tln            20191122  System                   Lists installed Print Monitors
processor_architecture  20140505  System                   Get from the processor architecture from the System's environment key
profilelist             20200518  Software                 Get content of ProfileList key
profiler                20200525  NTUSER.DAT System        Environment profiler information
pslogging               20200515  NTUSER.DAT Software      Extracts PowerShell logging settings
psscript                20200525  Software NTUSER.DAT      Get PSScript.ini values
putty                   20200515  NTUSER.DAT               Extracts the saved SshHostKeys for PuTTY.
rdpport                 20200526  System                   Queries System hive for RDP Port
recentapps              20200515  NTUSER.DAT               Gets contents of user's RecentApps key
recentapps_tln          20190513  NTUSER.DAT               Gets contents of user's RecentApps key
recentdocs              20200427  NTUSER.DAT               Gets contents of user's RecentDocs key
recentdocs_tln          20140220  NTUSER.DAT               Gets contents of user's RecentDocs key (TLN)
remoteaccess            20200517  System                   Get RemoteAccess AccountLockout settings
rlo                     20200517  All                      Parse hive, check key/value names for RLO character
routes                  20200526  System                   Get persistent routes from the Registry
run                     20200511  Software NTUSER.DAT      [Autostart] Get autostart key contents from Software hive
runmru                  20200525  NTUSER.DAT               Gets contents of user's RunMRU key
runmru_tln              20120828  NTUSER.DAT               Gets contents of user's RunMRU key (TLN)
runonceex               20200427  Software                 Gets contents of RunOnceEx values
runvirtual              20200427  NTUSER.DAT Software      Gets RunVirtual entries
runvirtual_tln          20191211  NTUSER.DAT Software      Gets RunVirtual entries
ryuk_gpo                20200427  Software                 Get GPO policy settings from Software hive related to Ryuk
samparse                20200825  SAM                      Parse SAM file for user & group mbrshp info
samparse_tln            20200826  SAM                      Parse SAM file for user acct info (TLN)
ScanButton              20131210  System                   Get Scan Button information
schedagent              20200518  Software                 Get SchedulingAgent key contents
scriptleturl            20200525  Software USRCLASS.DAT    Check CLSIDs for ScriptletURL subkeys
searchscopes            20200517  NTUSER.DAT               Gets contents of user's SearchScopes key
secctr                  20200517  Software                 Get data from Security Center key
secrets                 20200517  Security                 Get the last write time for the Policy\Secrets key
secrets_tln             20140814  Security                 Get the last write time for the Policy\Secrets key
securityproviders       20200526  System                   Gets SecurityProvider value from System hive
services                20191024  System                   Lists services/drivers in Services key by LastWrite times
sevenzip                20210329  NTUSER.DAT               Gets records of histories from 7-Zip keys
sfc                     20200517  Software                 Get SFC values
shares                  20200525  System                   Get list of shares from System hive file
shc                     20200427  NTUSER.DAT               Gets SHC entries from user hive
shellbags               20200428  USRCLASS.DAT             Shell/BagMRU traversal in Win7+ USRCLASS.DAT hives
shellbags_tln           20180702  USRCLASS.DAT             Shell/BagMRU traversal in Win7 USRCLASS.DAT hives
shellfolders            20200515  NTUSER.DAT               Gets user's shell folders values
shelloverlay            20100308  Software                 Gets ShellIconOverlayIdentifiers values
shimcache               20200428  System                   Parse file refs from System hive AppCompatCache data
shimcache_tln           20190112  System                   Parse file refs from System hive AppCompatCache data
shutdown                20200518  System                   Gets ShutdownTime value from System hive
sizes                   20200517  All                      Scans a hive file looking for binary value data of a min size (5000)
slack                   20200517  All                      Parse hive, print slack space, retrieve keys/values
slack_tln               20190506  All                      Parse hive, print slack space, retrieve keys/values
source_os               20200511  System                   Parse Source OS subkey values
speech                  20200427  NTUSER.DAT               Get values from user's Speech key
speech_tln              20191010  NTUSER.DAT               Get values from user's Speech key
spp_clients             20130429  Software                 Determines volumes monitored by VSS
srum                    20200518  Software                 Gets contents of SRUM subkeys
ssid                    20200515  Software                 Get WZCSVC SSID Info
susclient               20200518  Software                 Extracts SusClient* info, including HDD SN (if avail)
svc                     20200525  System                   Lists Services key contents by LastWrite time (CSV)
svcdll                  20200525  System                   Lists Services keys with ServiceDll values
svc_tln                 20130911  System                   Lists Services key contents by LastWrite time (CSV)
syscache                20200515  syscache                 Parse SysCache.hve file
syscache_csv            20200515  syscache                 
syscache_tln            20190516  syscache                 
sysinternals            20080324  NTUSER.DAT               Checks for SysInternals apps keys
sysinternals_tln        20080324  NTUSER.DAT               Checks for SysInternals apps keys (TLN)
systemindex             20200518  Software                 Gets systemindex\..\Paths info from Windows Search key
taskcache               20200427  Software                 Checks TaskCache\Tree root keys (not subkeys)
taskcache_tln           20200416  Software                 Checks TaskCache\Tree root keys (not subkeys)
tasks                   20200427  Software                 Checks TaskCache\Tasks subkeys
tasks_tln               20200416  Software                 Checks TaskCache\Tasks subkeys
termcert                20200526  System                   Gets Terminal Server certificate
termserv                20200506  System Software          Gets Terminal Server settings from System and Software hives
thispcpolicy            20200511  Software                 Gets ThisPCPolicy values
timezone                20200518  System                   Get TimeZoneInformation key contents
tracing                 20200511  Software                 Gets list of apps that can be traced
tracing_tln             20120608  Software                 Gets list of apps that can be traced (TLN)
tsclient                20200518  NTUSER.DAT               Displays contents of user's Terminal Server Client\Default key
tsclient_tln            20120827  NTUSER.DAT               Displays contents of user's Terminal Server Client key (TLN)
typedpaths              20200526  NTUSER.DAT               Gets contents of user's typedpaths key
typedpaths_tln          20120828  NTUSER.DAT               Gets contents of user's typedpaths key (TLN)
typedurls               20200526  NTUSER.DAT               Returns contents of user's TypedURLs key.
typedurlstime           20200526  NTUSER.DAT               Returns contents of user's TypedURLsTime key.
typedurlstime_tln       20120613  NTUSER.DAT               Returns contents of Win8 user's TypedURLsTime key (TLN).
typedurls_tln           20120827  NTUSER.DAT               Returns MRU for user's TypedURLs key (TLN)
uac                     20200427  Software                 Get Select User Account Control (UAC) Values from HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
uacbypass               20200511  USRCLASS.DAT Software    Get possible UAC bypass settings
uninstall               20200525  Software NTUSER.DAT      Gets contents of Uninstall keys from Software, NTUSER.DAT hives
uninstall_tln           20120523  Software NTUSER.DAT      Gets contents of Uninstall keys from Software, NTUSER.DAT hives(TLN format)
usb                     20200515  System                   Get USB key info
usbdevices              20200525  System                   Parses Enum\USB key for USB & WPD devices
usbstor                 20200515  System                   Get USBStor key info
userassist              20170204  NTUSER.DAT               Displays contents of UserAssist subkeys
userassist_tln          20180710  NTUSER.DAT               Displays contents of UserAssist subkeys in TLN format
volinfocache            20200518  Software                 Gets VolumeInfoCache from Windows Search key
wab                     20200427  Software                 Get WAB DLLPath settings
wab_tln                 20191122  Software                 Get WAB DLLPath settings
watp                    20200427  Software                 Gets contents of Windows Advanced Threat Protection key
wbem                    20200511  Software                 Get some contents from WBEM key
wc_shares               20200515  NTUSER.DAT               Gets contents of user's WorkgroupCrawler/Shares subkeys
winlogon_tln            20130429  Software                 Alerts on values from the WinLogon key (TLN)
winrar                  20200526  NTUSER.DAT               Get WinRAR\ArcHistory entries
winrar_tln              20120829  NTUSER.DAT               Get WinRAR\ArcHistory entries (TLN)
winscp                  20201227  NTUSER.DAT               Gets user's WinSCP 2 data
winver                  20200525  Software                 Get Windows version & build info
winzip                  20200526  NTUSER.DAT               Get WinZip extract and filemenu values
wordwheelquery          20200823  NTUSER.DAT               Gets contents of user's WordWheelQuery key
wordwheelquery_tln      20200824  NTUSER.DAT               Gets contents of user's WordWheelQuery key
wow64                   20200515  Software                 Gets contents of WOW64\x86 key
wpdbusenum              20200515  System                   Get WpdBusEnum subkey info
wsh_settings            20200517  Software                 Gets WSH Settings
Install
see foralysereglookup
reglookup [-v] [-s] [-p <PATH_FILTER>] [-t <TYPE_FILTER>] <REGISTRY_FILE>
Print windows registry elements to stdout in a CSV-like format
Special
for hive in SAM SECURITY SOFTWARE SYSTEM $(find /vol6/ -iname ntuser.dat); do echo $hive; reglookup -i $hive > /share/examen/disk/hive/reglookup_${hive//\//_}; done
Useful
-p # restrict output to elements below this path.
-H # disables header row.
-s # enables security descriptor output.
All
-v # sets verbose mode.
-h # enables header row. (default)
-H # disables header row.
-s # enables security descriptor output.
-S # disables security descriptor output. (default)
-p # restrict output to elements below this path.
-t # restrict results to this specific data type.
-i # includes parent key modification times with child values.
reglookup-timeline
reglookup-timeline [-H] [-V] <REGISTRY_FILE> [<REGISTRY_FILE> ...]
Builds timelines for forensic investigations, a wrapper for reglookup
Special
cd /vol6/Windows/System32/config && hives="SAM SECURITY SOFTWARE SYSTEM $(find /vol6/ -iname ntuser.dat)" && reglookup-timeline -v $hives > /share/examen/disk/hive/reglookup-tl # complete timeline
sed -n '/^2021-09-09 18:1/,$p' reglookup-tl > reglookup-tl-select # select part of timeline
All
-H # Omit header line
-V # Include values with parent timestamps
reglookup-recover
reglookup-recover [options] <REGISTRY_FILE>
Attempts to scour a Windows registry hive for deleted data structures and outputs those found in a CSV-like format
All
-v # sets verbose mode.
-h # enables header row. (default)
-H # disables header row.
-l # enables leftover(raw) cell output.
-L # disables leftover(raw) cell output. (default)
-r # enables raw cell output for parsed cells.
-R # disables raw cell output for parsed cells. (default)
Install
sudo apt install reglookup
theme
windows version
regripper -p winver -r $path_hive/SOFTWARE
reglookup -p Software/Microsoft $path_hive/SYSTEM  | column -t -s,
user password
path_hive=/vol6/Windows/System32/config
path2=/cases/examen/artefacts
# get user id
reglookup -p SAM/Domains/Account/Users ${path_hive}/SAM | grep -i angela # select 0x.....
# data
uid=000003E9
hivexget ${path_hive}/SAM "SAM\Domains\Account\Users\000003E9" V | hexdump -ve '8/1 "%02X"' > ${path2}/sam-user-v.hexdump
hivexget ${path_hive}/SAM "SAM\Domains\Account" F | hexdump -ve '8/1 "%02X"' > ${path2}/sam-f.hexdump
hivexget ${path_hive}/SYSTEM "ControlSet001\Control\Lsa\JD" lookup | hexdump -ve '8/1 "%02X"' > ${path2}/system-jd.hexdump
hivexget ${path_hive}/SYSTEM "ControlSet001\Control\Lsa\Skew1" SkewMatrix | hexdump -ve '8/1 "%02X"' > ${path2}/system-skew.hexdump
hivexget ${path_hive}/SYSTEM "ControlSet001\Control\Lsa\GBG" GrafBlumGroup | hexdump -ve '8/1 "%02X"' > ${path2}/system-gbg.hexdump
hivexget ${path_hive}/SYSTEM "ControlSet001\Control\Lsa\Data" Pattern | hexdump -ve '8/1 "%02X"' > ${path2}/system-data.hexdump
for file in $(ls ${path2}); do echo $file; cat $file; echo; done
regripper
reglookup
reglookup-timeline
pathhive=$device/Windows/System32/config
pathreport=/share/examen/disk
cd $path
reglookup-timeline SAM SECURITY SOFTWARE SYSTEM > $pathreport/reglookup-timeline
windows
security center
disable
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SecurityHealthService]"Start"=dword:00000004 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc]"Start"=dword:00000004
enable
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SecurityHealthService]"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc]"Start"=dword:00000002
cmp [OPTION]... FILE1 [FILE2 [SKIP1 [SKIP2]]]
Compare two files byte by byte
Special
cmp $file1 $file2 # compare 2 binary files
cmp -l $file1 $file2 | wc -l # get number of differences
Useful
-b, --print-bytes # print differing bytes
-n, --bytes=LIMIT # compare at most LIMIT bytes
All
-b, --print-bytes # print differing bytes
-i, --ignore-initial=SKIP # skip first SKIP bytes of both inputs
-i, --ignore-initial=SKIP1:SKIP2 # skip first SKIP1 bytes of FILE1 and first SKIP2 bytes of FILE2
-l, --verbose # output byte numbers and differing byte values
-n, --bytes=LIMIT # compare at most LIMIT bytes
-s, --quiet, --silent # suppress all normal output
mount
info
file ${file} # show information
fdisk -x ${file} # show information
qemu-img info ${file} # show informations on virtual disk
guestfish --rw -a $file
run
list-filesystems
sudo modprobe nbd
sudo qemu-nbd -c /dev/nbd0 ${file} -f qcow2
sudo fdisk /dev/nbd0 -l
sudo qemu-nbd -d /dev/nbd0
parted ${file}
print
losetup -a # show mounted devices in /dev/loopX
resize
qemu-img resize -f raw ${file} 20972568064 # resize disk to 20972568064 bytes (correct disk size)
parted ${file}
select # select disk (interactive menu)
resizepart # resize partition (interactive menu)
mount/umount
guestmount --add %f --mount /dev/sda1 /vms/data
guestunmount /vms/data
sudo modprobe nbd
sudo qemu-nbd -c /dev/nbd0 ${file} -f qcow2
sudo fdisk /dev/nbd0 -l
sudo mount /dev/nbd0p1 /vms/data
sudo umount /vms/data
sudo qemu-nbd -d /dev/nbd0
sudo mount -o ro,loop,offset=$((1126400*512)) ${file} /mnt # mount disk partition with the partition offset
sudo mount -o ro,loop,offset=$((1126400*512)) ${file} /mnt # mount disk partition with the partition offset
sudo umount /mnt # umount disk
sudo losetup --find --show ${file} # mount disk in /dev/loopX and show /dev/loopX
sudo losetup --find --show --offset ${offset} ${file} # mount partition/disk with offset in /dev/loopX and show /dev/loopX
sudo losetup -d /dev/loopX # umount disk
info
https://opensource.com/article/18/3/creating-bash-completion-script
COMPREPLY
an array variable used to store the completions. The completion mechanism uses this variable to display its contents as completions
COMPREPLY=( $(compgen -W "now tomorrow never" -- ${COMP_WORDS[COMP_CWORD]}) ) # complete the word under the cursor (COMP_WORDS[COMP_CWORD]) from the given word list
COMPREPLY=( $(compgen -W "now tomorrow never" "${COMP_WORDS[1]}") ) # let choose the first completion from given words and repeat it after (replace)
complete
complete command to register this list for completion
complete -A directory $cmd # provide completion for directory
complete -d $cmd # provide completion for directory
complete -D $cmd # -D sets the default completion (used when no compspec matches); it is not a directory option, use -d or -A directory for that
complete -f $cmd # provide completion for file
complete -W "$words" $cmd # Wordlist, provide the list of words for completion to command $cmd
complete -F _foo $cmd # use function _foo to register completions for command $cmd
compopt
https://helpmanual.io/man1/bash/
variables
COMP_WORDS # an array of all the words typed after the name of the program the compspec belongs to
COMP_CWORD # an index into the COMP_WORDS array pointing to the word the cursor is at — in other words, the word currently being completed
COMP_LINE # the current command line
tricks
exec bash # reload completions
examples
qemu-img
#!/usr/bin/env bash
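#######################################
# Bash completion function for the 'qemu-img' command.
# The first argument completes to a sub-command; the word after -f/-O/-o
# completes to an image/protocol format; anything else completes to a path.
# Globals:   COMP_WORDS, COMP_CWORD (read), COMPREPLY (written)
# Arguments: none (bash passes the state through the COMP_* variables)
# Returns:   0
#######################################
_qemuimg_comp()
{
    local cur prev opts formats
    COMPREPLY=()
    cur=${COMP_WORDS[COMP_CWORD]}
    prev=${COMP_WORDS[COMP_CWORD-1]}
    # sub-commands, offered for the first argument only
    opts='amend bench bitmap check commit compare convert create dd info map measure snapshot rebase resize'
    # formats offered after -f / -O / -o; kept on ONE line: a wrapped list is
    # split on the newline and turned 'null-co' into the two words 'null' and '-co'
    formats='blkdebug blklogwrites blkverify bochs cloop compress copy-before-write copy-on-read dmg file ftp ftps gluster host_cdrom host_device http https iscsi iser luks nbd nfs null-aio null-co nvme parallels preallocate qcow qcow2 qed quorum raw rbd replication snapshot-access ssh throttle vdi vhdx vmdk vpc vvfat'

    if [ "${COMP_CWORD}" -eq 1 ]; then
        mapfile -t COMPREPLY < <(compgen -W "${opts}" -- "${cur}")
        return 0
    fi
    # anchored match: the previous word must be exactly -f, -O or -o, so a long
    # option that merely contains those letters (e.g. --force-share) does not
    # trigger format completion
    if [[ $prev =~ ^-[oOf]$ ]]; then
        mapfile -t COMPREPLY < <(compgen -W "${formats}" -- "${cur}")
        return 0
    fi
    # path completion; mapfile keeps file names containing spaces intact
    mapfile -t COMPREPLY < <(compgen -f -- "${cur}")
    # exactly one match and it is a directory: append '/' and suppress the
    # trailing space so the user can keep descending
    if [ "${#COMPREPLY[@]}" -eq 1 ] && [ -d "${COMPREPLY[0]}" ]; then
        # compopt only exists while a completion is running; harmless otherwise
        compopt -o nospace 2>/dev/null
        COMPREPLY[0]="${COMPREPLY[0]}/"
    fi
    return 0
}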
complete -F _qemuimg_comp qemu-img
haconf
#!/usr/bin/env bash
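#######################################
# Bash completion function for the 'haconf' command.
# Level 1 completes the sub-command. After 'enable' the configurations that
# exist in conf-available but have no symlink in conf-enabled are offered;
# after 'disable' the entries of conf-enabled are offered.
# Globals:   COMP_WORDS, COMP_CWORD (read), COMPREPLY (written)
# Arguments: none (bash passes the state through the COMP_* variables)
# Returns:   0
#######################################
_haconf()
{
    local cur prev opts name entry
    local -r path_enabled="/etc/haproxy/conf-enabled"
    local -r path_available="/etc/haproxy/conf-available"
    local -a candidates=()

    COMPREPLY=()
    cur=${COMP_WORDS[COMP_CWORD]}
    prev=${COMP_WORDS[COMP_CWORD-1]}
    # primary commands
    opts='check clear enable disable list reload'

    # level 1: the sub-command
    if [ "${COMP_CWORD}" -eq 1 ]; then
        mapfile -t COMPREPLY < <(compgen -W "${opts}" -- "${cur}")
        return 0
    fi

    # level 2: the argument of enable / disable
    case "${prev}" in
        enable)
            # available configurations that are not linked into conf-enabled;
            # globbing instead of parsing 'ls' keeps unusual file names intact
            for entry in "${path_available}"/*; do
                # an unmatched glob stays literal: skip it (dangling links count)
                [ -e "${entry}" ] || [ -L "${entry}" ] || continue
                name=${entry##*/}
                [ -h "${path_enabled}/${name}" ] || candidates+=("${name}")
            done
            ;;
        disable)
            # everything currently present in conf-enabled
            for entry in "${path_enabled}"/*; do
                [ -e "${entry}" ] || [ -L "${entry}" ] || continue
                candidates+=("${entry##*/}")
            done
            ;;
        *)
            return 0
            ;;
    esac
    # prefix filtering done in the shell, so names with spaces survive
    for name in "${candidates[@]}"; do
        [[ "${name}" == "${cur}"* ]] && COMPREPLY+=("${name}")
    done
    return 0
}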
complete -F _haconf haconf
xxd [options] [infile [outfile]]
xxd -r [-s [-]offset] [-c cols] [-ps] [infile [outfile]]
ASCII, decimal, hexadecimal, octal dump
Special
xxd -p -c 10000 # export in hexa with 10000 octets by column
xxd -p -u -c 10000 # export in hexa with 10000 octets by column and in uppercase
xxd -s 0x200 -l 0x200 dump.vmdk| xxd -r # print readable content
Useful
-s [+][-]seek # start at <seek> bytes abs. (or +: rel.) infile offset
-l len # stop after <len> octets
-r # reverse operation: convert (or patch) hexdump into binary
-r -s off # revert with <off> added to file positions found in hexdump
-u # use upper case hex letters
All
-a # toggle autoskip: A single '*' replaces nul-lines. Default off
-b # binary digit dump (incompatible with -ps,-i,-r). Default hex
-C # capitalize variable names in C include file style (-i)
-c cols # format <cols> octets per line. Default 16 (-i: 12, -ps: 30)
-E # show characters in EBCDIC. Default ASCII
-e # little-endian dump (incompatible with -ps,-i,-r)
-g bytes # number of octets per group in normal output. Default 2 (-e: 4)
-i # output in C include file style
-l len # stop after <len> octets
-o off # add <off> to the displayed file position
-ps # output in postscript plain hexdump style
-r # reverse operation: convert (or patch) hexdump into binary
-r -s off # revert with <off> added to file positions found in hexdump
-d # show offset in decimal instead of hex
-s [+][-]seek # start at <seek> bytes abs. (or +: rel.) infile offset
-u # use upper case hex letters
Install
sudo apt install bsdmainutils
system
sudo sh -c "echo 'fs.file-max=3253172' > /etc/sysctl.d/90-cuckoo.conf"
file=/etc/security/limits.conf
sudo cp -a ${file} ${file}.$(date +%s)
sudo sh -c "echo '
# cuckoo
*    soft     nofile         4096
*    hard     nofile         16384' >> ${file}"
logout / login
mongodb
service
service=mongodb.service
systemctl is-enabled ${service} || sudo systemctl enable ${service}
systemctl is-active ${service} || sudo systemctl start ${service}
systemctl status ${service}
ss -ltn|grep 27017
users
mongodb.createUser({ user: "admin", pwd: "7Yt_Gi-sYgCsr", roles:[{ role: "userAdminAnyDatabase", db: "admin" }] })
db.getUsers()
use cuckoo
db.createUser({ user: "cuckoo", pwd: "8hm6_FevpUA5od", roles:[{ role: "dbOwner", db: "cuckoo" }] })
db.getUsers()
show dbs
exit
conf
file=/etc/mongodb.conf
while read str val; do
sudo sed -i "s|#\?\(${str}\) *=.*$|\1 = ${val}|" ${file}
done <<< "port  27017
journal  true
auth  true
verbose  true"
sudo systemctl restart ${service}
postgresql
service=postgresql.service
systemctl is-enabled ${service} || sudo systemctl enable ${service}
systemctl is-active ${service} || sudo systemctl start ${service}
systemctl status ${service}
ss -ltn|grep 5432
sudo -u postgres psql
psql
\du
CREATE DATABASE cuckoo;
CREATE USER cuckoo WITH ENCRYPTED PASSWORD '8hm6_FevpUA5od';
GRANT ALL PRIVILEGES ON DATABASE cuckoo TO cuckoo;
\du
\q
guacd
service=guacd.service
systemctl is-enabled ${service} || sudo systemctl enable ${service}
systemctl is-active ${service} || sudo systemctl start ${service}
systemctl status ${service}
ss -ltn|grep 4822
cuckoo
create
[ -d ~/.cuckoo ] || cuckoo -d
cp -a ~/.cuckoo ~/.cuckoo.$(date +%s)
cuckoo
file=~/.cuckoo/conf/cuckoo.conf
while read str val; do
sed -i "/${str} =/ s|=.*$|= ${val}|" ${file}
done <<< "machinery  kvm
memory_dump yes
ip  192.168.122.1
connection  postgresql://cuckoo:8hm6_FevpUA5od@localhost:5432/cuckoo
guacd_host localhost
guacd_port 4822"
auxiliary
file=~/.cuckoo/conf/auxiliary.conf
while read str val; do
sed -i "/${str} =/ s|=.*$|= ${val}|" ${file}
done <<< "tcpdump  /usr/sbin/tcpdump
mitmdump  /usr/local/bin/mitmdump"
kvm
update VMs in ~/.cuckoo/conf/kvm.conf
memory
file=~/.cuckoo/conf/memory.conf
while read str val; do
sed -i "/${str} =/ s|=.*$|= ${val}|" ${file}
done <<< "guest_profile  Win7SP1x64
delete_memdump  no"
processing
file=~/.cuckoo/conf/processing.conf
sed -i "/^.memory.$/,/^$/ s|^enabled = .*$|enabled = yes|" ${file}
reporting
file=~/.cuckoo/conf/reporting.conf
# singlefile
sed -i "/^.singlefile.$/,/^$/ s|^enabled = .*$|enabled = yes|" ${file}
sed -i "/^.singlefile.$/,/^$/ s|^html = .*$|html = yes|" ${file}
sed -i "/^.singlefile.$/,/^$/ s|^pdf = .*$|pdf = yes|" ${file}
# mongodb
db_name=cuckoo
db_user=cuckoo
db_pwd=8hm6_FevpUA5od
sed -i "/^.mongodb.$/,/^$/ s|^enabled = .*$|enabled = yes|" ${file}
sed -i "/^.mongodb.$/,/^$/ s|^db = .*$|db = ${db_name}|" ${file}
sed -i "/^.mongodb.$/,/^$/ s|^username = .*$|username = ${db_user}|" ${file}
sed -i "/^.mongodb.$/,/^$/ s|^password = .*$|password = ${db_pwd}|" ${file}
interface
user=nikita
hostbr=virbr0
vms="win7 "
for vm in win7; do
  sudo tunctl -b -u ${user} -t tap_${vm}
  sudo ip link set tap_${vm} master ${hostbr}
  sudo ip link set dev tap_${vm} up
  sudo ip link set dev ${hostbr} up
done
python
time
disable time settings from internet
set static IP address (disable DHCP)
address 192.168.122.101
gateway 192.168.122.1 / 255.255.255.0
DNS 208.67.222.222, 208.67.222.220
windows
add ;c:\python27;c:\python27\script;C:\Program Files (x86)\GnuWin32\bin to PATH
install python-2.7.10.amd64.msi
install wget-1.11.4-1-setup.exe
wget https://bootstrap.pypa.io/pip/2.7/get-pip.py
python.exe get-pip.py
pip install -U setuptools
pillow
pip install -U Pillow
agent
get from host: $CWD/agent.py
rename, put in guest: C:\ProgramData\Microsoft\Start Menu\programs\Startup\agent.pyw
https://cuckoo.sh/docs/installation/host/requirements.html
xubuntu 18.04 "bionic"
global
sudo apt update
sudo apt-get install -y git swig libjpeg-dev zlib1g-dev libffi-dev libssl-dev
sudo apt-get install -y  virt-win-reg libhivex-bin # registry
python
Requirement
local vs global
# pip for user installation
pip=pip
# pip for root installation
pip="sudo -H pip"
sudo apt install -y python python-pip python-dev
# sudo apt-get install -y python-virtualenv
$pip install -U pip setuptools
balbuzard
$pip install -U balbuzard
pydeep
# ssdeep
sudo apt install -y ssdeep libfuzzy-dev
sudo ldconfig
# pydeep
$pip install pydeep
# sudo apt install -y git
# cd /tmp && git clone https://github.com/kbandla/pydeep && cd pydeep
# python setup.py build && python setup.py test
# sudo python setup.py install
m2crypto
$pip install m2crypto # $pip install m2crypto==0.24.0
volatility
https://github.com/volatilityfoundation/volatility/wiki/Installation
libforensic1394.so.2
sudo apt install -y cmake
cd /tmp
git clone https://github.com/FreddieWitherden/libforensic1394
cd libforensic1394
mkdir build && cd build
cmake -G"Unix Makefiles" ../
sudo make install
cd ../python
sudo python setup.py install
cd
sudo rm -fR /tmp/libforensic1394
sudo ln -sv /usr/local/lib/libforensic1394.so.2 /usr/lib/libforensic1394.so.2
pip packages
sudo apt -y install pcregrep libpcre++-dev python-dev
$pip install pycrypto distorm3 yara-python ujson openpyxl pytz ipython
volatility
cd /opt
git clone https://github.com/volatilityfoundation/volatility.git
cd volatility
rm -fR .git
sudo python setup.py install
cd /usr/local/bin
sudo ln -sv vol.py vol2
vol2 -h
bash completion
sudo cp -a /home/shared/dev/install-desktop/conf/cuckoo/vol2 /usr/share/bash-completion/completions/
opts=$(vol2 --info|sed -n '/^Plugins/,/^$/ p'|tail -n+3|cut -f1 -d' '|xargs)
sudo sed -i "s|^\( *opts=\).*$|\1'${opts}'|" /usr/share/bash-completion/completions/vol2
exec bash # reload completions
DB
django
sudo apt-get install -y mongodb
postgresql
sudo apt-get install -y postgresql libpq-dev
$pip install psycopg2
packages
guacd
sudo apt install -y libguac-client-rdp0 libguac-client-vnc0 libguac-client-ssh0 guacd
tcpdump
sudo apt-get install -y tcpdump
# sudo apt-get install -y tcpdump apparmor-utils
# sudo aa-disable /usr/sbin/tcpdump
sudo groupadd pcap
sudo chgrp pcap /usr/sbin/tcpdump
sudo setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump
# verification
getcap /usr/sbin/tcpdump # /usr/sbin/tcpdump = cap_net_admin,cap_net_raw+eip
mitmproxy
https://mitmproxy.org/downloads/
version=3.0.4
path=/opt/mitmproxy
[ -d ${path} ] || mkdir ${path}
cd ${path}
wget https://snapshots.mitmproxy.org/${version}/mitmproxy-v${version}-linux.tar.gz
wget https://snapshots.mitmproxy.org/${version}/pathod-v${version}-linux.tar.gz
tar xzf mitmproxy-v${version}-linux.tar.gz
tar xzf pathod-v${version}-linux.tar.gz
files="mitmdump mitmproxy mitmweb pathoc pathod"
for file in $files; do sudo ln -sv ${path}/${file} /usr/local/bin/${file}; done
for file in $files; do sudo ls -al /usr/bin/${file}; done
qemu/kvm
sudo apt-get install -y qemu-kvm libvirt-bin ubuntu-vm-builder bridge-utils python-libvirt virt-manager libguestfs-tools uml-utilities
sudo adduser ${USER} libvirt-qemu
for path in /vms/data /vms/iso; do sudo [ -d ${path} ] || sudo mkdir ${path}; done
sudo setfacl -R -m u:$USER:rw /vms/data /vms/iso
sudo setfacl -R -m d:$USER:rw /vms/data /vms/iso
thunar
$HOME/.config/Thunar/uca.xml
<action>
        <icon>edit-copy</icon>
        <name>Duplicate root</name>
        <unique-id>1635257948652123-2</unique-id>
        <command>pkexec cp -a %f %f.copy</command>
        <description>Duplicate root</description>
        <patterns>*</patterns>
        <directories/>
        <audio-files/>
        <image-files/>
        <other-files/>
        <text-files/>
        <video-files/>
</action>
<action>
        <icon>media-import-audio-cd</icon>
        <name>iso</name>
        <unique-id>1653055089123473-10</unique-id>
        <command>mkisofs -Jro /vms/iso/tmp.iso %F</command>
        <description>make iso in vms/iso/tmp.iso</description>
        <patterns>*</patterns>
        <startup-notify/>
        <directories/>
        <audio-files/>
        <image-files/>
        <other-files/>
        <text-files/>
        <video-files/>
</action>
<action>
        <icon>go-bottom</icon>
        <name>mount data</name>
        <unique-id>1653055065395840-9</unique-id>
        <command>guestmount --add %f --mount /dev/sda1 /vms/data</command>
        <description>guest mount in /vms/data</description>
        <patterns>*.qcow2;*.img;*.raw</patterns>
        <other-files/>
</action>
<action>
        <icon>go-top</icon>
        <name>unmount data</name>
        <unique-id>1653055105839871-11</unique-id>
        <command>guestunmount /vms/data</command>
        <description>guest unmount /vms/data</description>
        <patterns>*</patterns>
        <startup-notify/>
        <directories/>
        <audio-files/>
        <image-files/>
        <other-files/>
        <text-files/>
        <video-files/>
</action>
cuckoo
direct
$pip install -U cuckoo
virtualenv
cd /opt
virtualenv venv
. venv/bin/activate
$pip install -U cuckoo
xubuntu 18.04 bionic
update
sudo apt update
sudo apt list --upgradable
sudo apt dist-upgrade
sudo apt autoremove
sudo apt autoclean
sudo apt clean
system
https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/tree/rtl_nic/
cd /tmp
wget https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/plain/rtl_nic/rtl8168fp-3.fw
wget https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/plain/rtl_nic/rtl8125a-3.fw
sudo cp rtl81* /lib/firmware/rtl_nic/
sudo update-initramfs -u
prepare
. /server/server.conf
. /server/install.conf
sudo mount /btrfs/sys
sdate=$(date +%s)
btrfs_sys=focal
btrfs_user=user-focal
grub
# update /etc/grub/40_custom
sudo sed -i '/^GRUB_TIMEOUT=/ s|=.*|=2|' /etc/default/grub
sudo update-grub
init
path_install_conf=${S_PATH_INSTALL_CONF/install-desktop/install}
path_install_bash_completion=${S_PATH_INSTALL_CONF}/bash-completion
file_env=${S_PATH_SCRIPT_CONF}/env
file_bash_aliases=${S_PATH_SCRIPT_CONF}/.bash_aliases
file_bash_functions=${S_PATH_SCRIPT_CONF}/.bash_functions
file_vimrc="${S_PATH_SCRIPT_CONF}/.vimrc"
sudo software-properties-gtk
sudo adduser ${USER} users; sudo adduser ${USER} www-data
sudo adduser ${USER} audio; sudo adduser ${USER} video
file=~/.bash_aliases
[ -e ${file} ] && _eval rm ${file}
ln -s ${file_bash_aliases} ${file}
file=~/.bash_functions
[ -e ${file} ] && _eval rm ${file}
ln -s ${file_bash_functions} ${file}
sudo cp -a ${S_PATH_INSTALL_CONF}/bash-completion/* /usr/share/bash-completion/completions/
file=~/.bashrc
cp -a ${file} ${file}.${sdate}
sed -i 's|^\(HISTSIZE\)=.*$|\1=10000|' ${file}
sed -i 's|^\(HISTFILESIZE\)=.*$|\1=20000|' ${file}
sed -i '/^#force_color_prompt/ s|^#||' ${file}
color='\\[\\033[01;34m\\]'
sed -i 's|^\( *\)\(PS1.*033.*32m.*\)$|\1PS1="\${debian_chroot:+(\$debian_chroot)}\\['${color}'\\]\\u\\[\\e[1;37m\\]@\\['${color}'\\]\\h\\[\\e[1;37m\\]:\\W\\['${color}'\\]\$\\[\\e[0;0m\\]\"|' ${file}
sed -i 's|^#\?\(force_color_prompt\).*$|\1=yes|' ${file}
grep -q "${file_env}" ${file} || echo "
# source global variables
[ -f ${file_env} ] && . ${file_env}
[ -f ~/.bash_functions ] && . ~/.bash_functions
" >> ${file}
grep -q '. ~/.bash_aliases' ${file} || echo "[ -f ~/.bash_aliases ] && . ~/.bash_aliases
"  >> ${file}
. ${file}
sudo cp -a /btrfs/sys/${btrfs_sys}/etc/hosts /etc/hosts
/home/shared/dev/keep/share-link nikita
root
file="/root/.bashrc"
sudo cp -a /root/.bashrc /root/.bashrc$(date +%s)
color_root="\033[01;31m"
case "$S_SERVER_TYPE" in    home)   color='\\[\\033[01;34m\\]' ;;   ovh)    color='\\[\\033[01;32m\\]' ;;   vz)     color='\\[\\033[01;33m\\]' ;;   lxd)    color='\\[\\033[01;33m\\]' ;;   kvm)    color='"\\[\\033[01;38;5;172m\\]' ;;    *)      color='\\[\\033[01;34m\\]'; color_root=$color ;; esac
# force color
sudo sed -i '/^#force_color_prompt=/ s|#||' ${file}
# PS1
ps1='${debian_chroot:+($debian_chroot)}'${color}'\\h\\[\\033[00m\\]\\w\\[\\033[01;31m\\]\\$\\[\\033[00m\\]'
# no root
#ps1='${debian_chroot:+($debian_chroot)}\\[\\033[01;31m\\]\\u\\[\\033[00m\\]@\\[\\033[01;32m\\]\\h\\[\\033[00m\\]:\\w\\[\\033[01;31m\\]\\$\\[\\033[00m\\]'
sudo sed -i "\|if \[ \"\$color_prompt\" = yes \]|{n;s|=.*|='$ps1'|}" ${file}
! sudo grep -q "${S_PATH_SCRIPT_CONF}/env" ${file} && sudo sh -c "echo '
# source global variables
[ -f ${S_PATH_SCRIPT_CONF}/env ] && . ${S_PATH_SCRIPT_CONF}/env
# aliases
[ -f ~/.bash_aliases ] && . ~/.bash_aliases
# functions
[ -f ~/.bash_functions ] && . ~/.bash_functions
' >> ${file}"
file=/root/.bash_aliases
sudo [ -f ${file} ] && sudo rm ${file}
sudo ln -s "$file_bash_aliases" ${file}
file=/root/.bash_functions
sudo [ -f ${file} ] && sudo rm ${file}
sudo ln -s "$file_bash_functions" ${file}
file=/root/.vimrc
sudo [ -f ${file} ] && sudo rm ${file}
sudo ln -sv "${file_vimrc}" ${file}
snap
snap list --all
# sudo snap remove --revision ${rev} ${pck}
install
sudo apt install -y curl debconf-utils gnupg2 htop net-tools p7zip-full p7zip-rar pv rar testdisk tree unrar xsysinfo
sudo apt install -y meld most lnav dconf-editor galculator
sudo apt install -y binutils-common bsdmainutils pev wxhexeditor # binwalk
sudo apt install -y gpicview thunar-media-tags-plugin tumbler-plugins-extra
forensic
sudo apt install -y binutils-common bsdmainutils pev radare2 bless wxhexeditor # binwalk
vim
sudo apt install -y vim
cd
ln -sv "${file_vimrc}" .vimrc
sudo cp /home/shared/dev/install/conf/vim/* /usr/share/vim/vim*/colors/
tmux
sudo apt install -y tmux
ln -vs /usr/local/bs/conf/.tmux.conf .tmux.conf
ln -sv /home/shared/.tmux.tmux
cd /usr/share/bash-completion/completions/
sudo rm tmux
sudo ln -sv tmux.git tmux
tmux a
thunar
sudo cp -a /btrfs/sys/user-pahvo/.config/Thunar/uca.xml ~/.config/Thunar/
qt5
sudo apt install -y qt5ct qt5-gtk-platformtheme qt5-style-plugins
sudo sh -c 'echo "QT_QPA_PLATFORMTHEME=qt5ct" >> /etc/environment'
export QT_QPA_PLATFORMTHEME=qt5ct
plank
sudo apt install -y plank
path=~/.config/autostart
[ -d ${path} ] || mkdir ${path}
echo '[Desktop Entry]
Encoding=UTF-8
Version=0.9.4
Type=Application
Name=plank
Comment=plank
Exec=plank
OnlyShowIn=XFCE;
RunHook=0
StartupNotify=false
Terminal=false
Hidden=false' > ${path}/plank.desktop
plank --preferences &
sublimetext
file="/etc/hosts"
sudo sh -c "echo '\n# sublime-text hack\n127.0.0.1\tsublimetext.com\n127.0.0.1\twww.sublimetext.com\n127.0.0.1\tlicense.sublimehq.com' >> ${file}"
ips="45.55.255.55"
for ip in ${ips}; do sudo iptables -A OUTPUT -d ${ip} -j DROP; done
path=/etc/iptables
[ -d "${path}" ] || sudo mkdir "${path}"
sudo sh -c 'iptables-save > /etc/iptables/rules.v4'
cat ${S_PATH_INSTALL_CONF}/soft/sublime-text.license
path=~/.local/share/applications
[ -d "${path}" ] || sudo mkdir "${path}"
tar xzf /ext/shared/Soft/linux/backup/sublime_text_20220516-1652694297.tar.gz -C /tmp/
cd /tmp/
mv opt/sublime_text/ /opt/
mv home/nikita/.config/sublime-text-3/ ~/.config/
mv home/nikita/.sublime-project/ ~/
mv home/nikita/.local/share/applications/sublime-text.desktop ~/.local/share/applications/
[ -e ~/.local/share/applications ] || mkdir ~/.local/share/applications
mv home/nikita/.local/share/applications/sublime-text.desktop ~/.local/share/applications/
mozilla
sudo add-apt-repository -y ppa:ppa-mozillateam
sudo apt remove --purge firefox
sudo snap remove --purge firefox
sudo sh -c "echo 'Package: *
Pin: release o=LP-PPA-mozillateam
Pin-Priority: 1001' > /etc/apt/preferences.d/mozilla-firefox"
apt policy firefox
sudo apt install -y firefox
cd
cp -a /home/shared/.mozilla.ubu /home/shared/.mozilla.ubu.${sdate}
ln -sv /home/shared/.mozilla.ubu .mozilla
cp -a /home/shared/.thunderbird.ubu /home/shared/.thunderbird.ubu.${sdate}
ln -sv /home/shared/.thunderbird.ubu .thunderbird
mudita24
sudo apt install -y mudita24
echo "[Desktop Entry]
Encoding=UTF-8
Version=0.9.4
Type=Application
Name=mudita24
Comment=mudita24
Exec=mudita24
OnlyShowIn=XFCE;
StartupNotify=false
Terminal=false
Hidden=true" >  ~/.config/autostart/mudita24.desktop
gmusicbrowser
sudo add-apt-repository ppa:tomtomtom/gmusicbrowser
sudo apt update
sudo apt install -y gmusicbrowser
sudo cp -a /btrfs/sys/user-pahvo/.config/gmusicbrowser ~/.config/
gmusicbrowser &
background
# background desktop
sudo cp /home/shared/dev/install-desktop/conf/wp/xubuntu-development-dark.jpg /usr/share/xfce4/backdrops/
# shortcut keyboard
# xfce4-terminal / shift+ctrl+alt-t
# xfce4-terminal -e "tmux a" / ctrl+alt-t
# xfce4-popup-whiskermenu / Super L
meld
sudo cp /home/shared/dev/install-desktop/conf/soft/meld-dark.xml /usr/share/meld/styles/
end
sudo apt update
sudo apt autoremove
sudo apt autoclean
sudo apt clean
install
dev
sudo apt install wxhexeditor tmux most libscca-utils galculator
IDA
sudo apt-get install libc6-i686:i386 libexpat1:i386 libffi7:i386 libfontconfig1:i386 libfreetype6:i386 libgcc1:i386 libglib2.0-0:i386 libice6:i386 libpcre3:i386 libpng16-16:i386 libsm6:i386 libstdc++6:i386 libuuid1:i386 libx11-6:i386 libxau6:i386 libxcb1:i386 libxdmcp6:i386 libxext6:i386 libxrender1:i386 zlib1g:i386 libx11-xcb1:i386 libdbus-1-3:i386 libxi6:i386 libsm6:i386 libcurl4:i386
conf
sudo swapoff -av
sudo sh -c 'echo vm.swappiness=5 > /etc/sysctl.d/99-swappiness.conf'
volatility
https://github.com/volatilityfoundation/volatility/wiki/Installation
pip
# pip for user installation
#pip=pip2
# pip for root installation
pip="sudo -H pip2"
$pip install -U pip setuptools
$pip install pycrypto distorm3 yara-python ujson openpyxl pytz ipython
libforensic1394.so.2
sudo apt install -y cmake
cd /tmp
git clone https://github.com/FreddieWitherden/libforensic1394
cd libforensic1394
mkdir build && cd build
cmake -G"Unix Makefiles" ../
sudo make install
cd ../python
sudo python setup.py install
cd
sudo rm -fR /tmp/libforensic1394
sudo ln -sv /usr/local/lib/libforensic1394.so.2 /usr/lib/libforensic1394.so.2
volatility 2.6
cd /opt
sudo [ -d volatility ] && sudo rm -fR volatility
sudo git clone https://github.com/volatilityfoundation/volatility.git
cd volatility
sudo rm -fR .git
sudo python setup.py install
cd /usr/local/bin
sudo [ -e vol2 ] && sudo rm vol2
sudo ln -sv vol.py vol2
vol2 -h
# host
cp /home/shared/dev/install-desktop/conf/cuckoo/vol2 /vms/share/
#guest
file=/usr/share/bash-completion/completions/vol2
sudo mv /share/vol2 ${file}
opts=$(vol2 --info|sed -n '/^Plugins/,/^$/ p'|tail -n+3|cut -f1 -d' '|xargs)
sudo sed -i "/^ *opts=/ s|=.*|='${opts}'|" ${file}
grep opts= ${file}
exec bash
bash completion
sudo cp -a /home/shared/dev/install-desktop/conf/cuckoo/vol2 /usr/share/bash-completion/completions/
opts=$(vol2 --info|sed -n '/^Plugins/,/^$/ p'|tail -n+3|cut -f1 -d' '|xargs)
sudo sed -i "s|^\( *opts=\).*$|\1'${opts}'|" /usr/share/bash-completion/completions/vol2
exec bash # reload completions
trick
df -h ; sudo find / -type d -name .git -exec rm -fR {} \; df -h
https://pev.sourceforge.io/doc/manual/en_us/ch06.html
ofs2rva
ofs2rva <offset> FILE
Convert raw file offset to RVA
Example
ofs2rva 0x1b9b8 calc.exe
pedis
pedis OPTIONS FILE
Disassemble PE sections and functions (by default, until a RET or LEAVE instruction is found)
--att # set AT&T syntax
-e, --entrypoint # disassemble entrypoint
-f, --format <text|csv|xml|html> # change output format (default: text)
-m, --mode <16|32|64> # disassembly mode (default: auto)
-i, <number> # number of instructions to be disassembled
-n, <number> # number of bytes to be disassembled
-o, --offset <offset> # disassemble at specified file offset
-r, --rva <rva> # disassemble at specified RVA
-s, --section <section_name> # disassemble entire section given
pehash
pehash OPTIONS FILE
Calculate hashes of PE pieces
-f, --format <text|csv|xml|html> # change output format (default: text)
-a, --all # hash file, sections and headers with md5, sha1, sha256, ssdeep and imphash
-c, --content # hash only the file content (default)
-h, --header <dos|coff|optional> # hash only the header with the specified name
-s, --section <section_name> # hash only the section with the specified name
--section-index <section_index> # hash only the section at the specified index (1..n)
peres
peres OPTIONS FILE
Show information about resource section and extract it
-a, --all # Show all information, statistics and extract resources
-i, --info # Show resources information
-s, --statistics # Show resources statistics
-x, --extract # Extract resources
-v, --file-version # Show File Version from PE resource directory
pesec
pesec [OPTIONS] FILE
Check for security features in PE files
-f, --format <text|csv|xml|html> # change output format (default: text)
-c, --certoutform <text|pem> # specifies the certificate output format (default: text)
-o, --certout <filename> # specifies the output filename to write certificates to (default: stdout)
pescan
pescan OPTIONS FILE
Search for suspicious things in PE files
-f, --format <text|html|xml|csv|json>  # change output format (default: text)
-v, --verbose # show more info about items found
readpe
readpe OPTIONS FILE
Show PE file headers
-A, --all # full output (default)
-H, --all-headers # print all PE headers
-S, --all-sections # print all PE sections headers
-f, --format <text|csv|xml|html> # change output format (default: text)
-d, --dirs # show data directories
-h, --header <dos|coff|optional> # show specific header
-i, --imports # show imported functions
-e, --exports # show exported functions
rva2ofs
rva2ofs <rva> FILE
Convert RVA to raw file offset
Example
rva2ofs 0x12db cards.dll
Install
sudo apt install binwalk