mimikatz
start
log mimikatz.log
lsadump
cd ${path_hive}
log c:\lsadump.log
lsadump::sam /system:SYSTEM /sam:SAM
exit
hivexsh
hivexsh [-options] [hivefile]
Provides a simple shell for navigating Windows Registry 'hive' files
options
-d # Enable lots of debug messages. If you find a Registry file that this program cannot parse, please enable this option and post the complete output and the Registry hive file in your bug report.
-f filename # Read commands from "filename" instead of stdin. To write a hivexsh script, use: #!/usr/bin/hivexsh -f
-u # Use heuristics to tolerate certain levels of corruption within hives. This is unsafe but may allow to export/merge valid keys/values in an otherwise corrupted hive.
-w # If this option is given, then writes are allowed to the hive (see "commit" command below, and the discussion of modifying hives in "WRITING TO HIVE FILES" in hivex(3)). Important Note: Even if you specify this option, nothing is written to a hive unless you call the "commit" command. If you exit the shell without committing, all changes will be discarded. If this option is not given, then write commands are disabled.
commands
add name # Add a subkey named "name" below the current node. The name may contain spaces and punctuation characters, and does not need to be quoted.
cd path # Change to the subkey "path". Use Windows-style backslashes to separate path elements, and start with a backslash in order to start from the root of the hive.
close | unload # Close the currently loaded hive. If you modified the hive, all uncommitted writes are lost when you call this command (or if the shell exits). You have to call "commit" to write changes.
commit [newfile] # Commit changes to the hive. If the optional "newfile" parameter is supplied, then the hive is written to that file, else the original file is overwritten.
del # Delete the current node and everything beneath it. The current directory is moved up one level (as if you did "cd ..") after this command.
exit | quit # Exit the shell.
load hivefile # Load the binary hive named "hivefile". The currently loaded hive, if any, is closed. The current directory is changed back to the root node.
ls # List the subkeys of the current hive Registry key. Note this command does not take any arguments.
lsval [key] # List the (key, value) pairs of the current hive Registry key. If no argument is given then all pairs are displayed. If "key" is given, then the value of the named key is displayed. If "@" is given, then the value of the default key is displayed.
setval nrvals # This command replaces all (key, value) pairs at the current node with the values in subsequent input. "nrvals" is the number of values (ie. (key, value) pairs), and any existing values at this node are deleted. So "setval 0" just deletes any values at the current node.
hivexget
hivexget hivefile PATH [NAME]
Get subkey from a Windows Registry binary "hive" file
example
hivexget ${path_hive}/SAM "SAM\Domains\Account\Users\000003E9" V
hivexml
hivexml [-dk] HIVE > FILE
Convert Windows Registry binary "hive" into XML
options
-d # Enable lots of debug messages. If you find a Registry file that this program cannot parse, please enable this option and post the complete output and the Registry file in your bug report.
-k # Keep going even if we find errors in the Registry file. This skips over any parts of the Registry that we cannot read.
-u # Use heuristics to tolerate certain levels of corruption within hives. This is unsafe but may allow to export/merge valid keys/values in an otherwise corrupted hive.
Install
sudo apt install -y libhivex-bin
https://helpmanual.io/man8/chntpw/
chntpw
chntpw [options] <samfile> [systemfile] [securityfile] [otherreghive] [...]
Utility to overwrite passwords of Windows systems
usage
chntpw -i $hive
options
-u username # Username or username ID (RID) to change. The default is 'Administrator'.
-l # List all users in the SAM database and exit.
-i # Interactive Menu system: list all users (as per -l option) and then ask for the user to change.
-e # Registry editor with limited capabilities (but it does include write support). For a slightly more powerful editor see reged
-d # Use buffer debugger instead (hex editor)
-L # Log all changed filenames to /tmp/changed. When this option is set the program automatically saves the changes in the hive files without prompting the user. Be careful when using the -L option as a root user in a multiuser system. The filename is fixed and this can be used by malicious users (dropping a symlink with the same name) to overwrite system files.
-N # Do not allocate more information, only allow the editing of existing values with same size.
-E # Do not expand the hive file (safe mode).
commands
hive [<n>] # list loaded hives or switch to hive number n
cd <key> # change current key
ls | dir [<key>] # show subkeys & values,
cat | type <value> # show key value
dpi <value> # show decoded DigitalProductId value
hex <value> # hexdump of value data
ck [<keyname>] # Show keys class data, if it has any
nk <keyname> # add key
dk <keyname> # delete key (must be empty)
ed <value> # Edit value
nv <type#> <valuename> # Add value
dv <valuename> # Delete value
delallv # Delete all values in current key
rdel <keyname> # Recursively delete key & subkeys
ek <filename> <prefix> <keyname> # export key to <filename> (Windows .reg file format)
debug # enter buffer hexeditor
st [<hexaddr>] # debug function: show struct info
q # quit
reged
reged [options] -x<registryhivefile><prefixstring><key><output.reg>
reged [options] -I<registryhivefile><prefixstring><input.reg>
reged [options] -e<registryhivefile>
Utility to export/import and edit a Windows registry hives
usage
reged -x SYSTEM 'HKEY_LOCAL_MACHINE\SYSTEM' 'ControlSet001\Control\Lsa\Skew1' test.reg
modes
-x <registryhivefile> <prefixstring> <key> <output.reg> # Export. Where <prefixstring> for example is HKEY_LOCAL_MACHINE\SOFTWARE and <key> is the key to dump (recursively); \ or \\ means all keys in the hive. Only one .reg and one hive file supported at the same time
-I <registryhivefile> <prefixstring> <input.reg> # Import from .reg file. Where <prefixstring> for example is HKEY_LOCAL_MACHINE\SOFTWARE. Only one .reg and one hive file supported at the same time
-e <registryhive> ... # Interactive edit one or more of registry files
options
-L # Log changed filenames to /tmp/changed, also auto-saves
-C # Auto-save (commit) changed hives without asking
-N # No allocate mode, only allow edit of existing values with same size
-E # No expand mode, do not expand hive file (safe mode)
-t # Debug trace of allocated blocks
-v # Some more verbose messages
sampasswd
sampasswd [options] -uuser <samfile>
Reset passwords of users in the SAM user database
options
-r # Reset the user's password.
-a # Reset all the users. If this option is used there is no need to specify the next option.
-u <user> # User to change. The user value can be provided as a username, or a RID number in hexadecimal (if the username is preceded with '0x').
-l # Lists the users in the SAM database.
-H # Output human readable output. The program by default will print a parsable table unless this option is used.
-N # Do not allocate more information, only allow the editing of existing values with same size.
-E # Do not expand the hive file (safe mode).
-t # Print debug information of allocated blocks.
-v # Print verbose information and debug messages.
Install
sudo apt install -y chntpw
xubuntu 20.04 - focal
virt-manager
host
<filesystem type="mount" accessmode="mapped" fmode="0660" dmode="0770">
<source dir="/vms/share"/>
<target dir="/hostshare"/>
<address type="pci" domain="0x0000" bus="0x07" slot="0x00" function="0x0"/>
</filesystem>
#sudo usermod -G libvirtd -a $USER
sudo usermod -G libvirt-qemu -a $USER
hostpath=/vms/share
sudo chown -R libvirt-qemu:libvirt-qemu $hostpath
sudo setfacl -Rm g:libvirt-qemu:rwx $hostpath
sudo setfacl -d -Rm g:libvirt-qemu:rwx $hostpath
guest
sudo sh -c 'echo "9p
9pnet
9pnet_virtio" >> /etc/initramfs-tools/modules'
sudo update-initramfs -u
sudo sh -c 'echo "# qemu share
hostshare /share 9p trans=virtio,version=9p2000.L,rw,umask=002 0 0" >> /etc/fstab'
global
install
update
sudo apt remove -y gimp* libreoffice-* thunderbird* transmission-gtk
sudo apt update
sudo apt list --upgradable
sudo apt -y dist-upgrade
sudo apt -y autoremove
system
sudo apt install -y binutils-common bsdmainutils curl debconf-utils exfat git gnupg2 gparted hfsprogs htop kpartx lnav most net-tools p7zip-full p7zip-rar pv rar sysstat testdisk tmux tree unrar vim xsysinfo # openssh-server
sudo apt install -y dconf-editor firefox-locale-fr galculator gpicview meld plank qt5ct qt5-gtk2-platformtheme thunar-media-tags-plugin tumbler-plugins-extra
conf
qt5-ct to fusion
global
sudo swapoff -av && sudo sh -c 'echo vm.swappiness=10 > /etc/sysctl.d/99-swappiness.conf' # limit swap
sudo rm /etc/localtime && sudo ln -sv /usr/share/zoneinfo/Etc/UTC /etc/localtime
software-properties-gtk # add canonical partners
export QT_QPA_PLATFORMTHEME=gtk2
echo -e "\n# QT\nexport QT_QPA_PLATFORMTHEME=gtk2" >> ~/.profile
echo -e "\n#JAVA\nexport _JAVA_OPTIONS=\"-Dawt.useSystemAAFontSettings=on -Dswing.aatext=true -Dswing.defaultlaf=com.sun.java.swing.plaf.gtk.GTKLookAndFeel -Dswing.crossplatformlaf=com.sun.java.swing.plaf.gtk.GTKLookAndFeel \${_JAVA_OPTIONS}\"" >> ~/.profile
menulibre # edit menu
path=~/.config/autostart
[ -d ${path} ] || mkdir ${path}
echo '[Desktop Entry]
Encoding=UTF-8
Version=0.9.4
Type=Application
Name=plank
Comment=plank
Exec=plank
OnlyShowIn=XFCE;
RunHook=0
StartupNotify=false
Terminal=false
Hidden=false' > ${path}/plank.desktop
plank --preferences &
trans
# HOST
path=/vms/share/trans; [ -d ${path} ] || mkdir -p ${path}
cp -r ~/dev/ /vms/share/trans/
# GUEST
path=~/.local/share/icons; [ -d ${path} ] || mkdir -p ${path}
path=~/.local/share/applications; [ -d ${path} ] || mkdir -p ${path}
path=/share/trans/dev
path_conf=${path}/install-desktop/conf
cp ${path_conf}/foralyse/.bashrc ~/
cp ${path_conf}/foralyse/.bash_alias ~/
sudo cp ${path_conf}/foralyse/.bashrc /root/
sudo cp ${path_conf}/foralyse/.bash_alias /root/
cp ${path}/install/conf/foralyse/.vimrc ~/
sudo cp ${path}/install/conf/vim/* /usr/share/vim/vim*/colors/
sudo cp ${path_conf}/soft/meld-dark.xml /usr/share/meld/styles/
sudo cp ${path_conf}/wp/* /usr/share/xfce4/backdrops/
sudo cp ${path_conf}/bash-completion/* /usr/share/bash-completion/completions/
sudo cp ${path_conf}/icons/tmux.svg /usr/share/icons/default/
cp ${path_conf}/foralyse/xfce4-terminal-tmux.desktop ~/.local/share/applications/
cp ${path_conf}/icons/* ~/.local/share/icons
sudo ln -sv /usr/share/bash-completion/completions/tmux.git /usr/share/bash-completion/completions/tmux
sudo chmod +r /usr/share/icons/default/tmux.svg
sudo chmod +r /usr/share/bash-completion/completions/tmux*
sudo chmod +r /usr/share/xfce4/backdrops/*
sublime text
file="/etc/hosts"
sudo sh -c "echo '\n# sublime-text hack\n127.0.0.1\tsublimetext.com\n127.0.0.1\twww.sublimetext.com\n127.0.0.1\tlicense.sublimehq.com' >> ${file}"
ips="45.55.255.55"
for ip in ${ips}; do sudo iptables -A OUTPUT -d ${ip} -j DROP; done
path=/etc/iptables
[ -d "${path}" ] || sudo mkdir "${path}"
sudo sh -c 'iptables-save > /etc/iptables/rules.v4'
cat ${S_PATH_INSTALL_CONF}/soft/sublime-text.license
forensic
global
# network
sudo apt install -y whois
# pwd & evtx & process
sudo apt install -y john libscca-utils pev radare2
# hive
sudo apt install -y libhivex-bin chntpw reglookup
# gui
sudo apt install -y bless geany ghex gpicview gtkhash wxhexeditor
conf
bless
mkdir -p ~/.config/bless/layouts && cp /usr/share/bless/*.layout ~/.config/bless/layouts/
kali
#sudo sh -c "echo '# kali\ndeb http://http.kali.org/kali kali-rolling main non-free contrib' > /etc/apt/sources.list.d/kali.list
#wget -q -O - archive.kali.org/archive-key.asc | sudo apt-key add -
#sudo apt update
#sed -i '/^deb/ s|^|#|' /etc/apt/sources.list.d/kali.list
#sudo apt update
python
sudo apt-get install -y python3 python3-pip
. ~/.profile
sudo apt-get install -y python2 # python2-dev
cd /tmp && curl -sSL https://bootstrap.pypa.io/pip/2.7/get-pip.py -o get-pip.py
python2 get-pip.py
pip2
python2 -m pip install -U balbuzard
pip3
python3 -m pip install -U malcarve regrippy
binwalk
dependencies
sudo apt install mtd-utils gzip bzip2 tar arj lhasa p7zip p7zip-full cabextract cramfsswap squashfs-tools lzop srecord
python3 -m pip install -U nose coverage pycryptodome pyqtgraph capstone matplotlib
. ~/.profile
github
# Install sasquatch to extract non-standard SquashFS images
sudo apt install -y zlib1g-dev liblzma-dev liblzo2-dev
cd /tmp && git clone https://github.com/devttys0/sasquatch
cd sasquatch && ./build.sh
# Install jefferson to extract JFFS2 file systems
python3 -m pip install -U cstruct
cd /tmp && git clone https://github.com/sviehb/jefferson
cd jefferson && sudo python3 setup.py install
# Install ubi_reader to extract UBIFS file systems
sudo apt install -y liblzo2-dev
python3 -m pip install -U python-lzo
cd /tmp && git clone https://github.com/jrspruitt/ubi_reader
cd ubi_reader && sudo python3 setup.py install
# Install yaffshiv to extract YAFFS file systems
cd /tmp && git clone https://github.com/devttys0/yaffshiv
cd yaffshiv && sudo python3 setup.py install
# Install unstuff (closed source) to extract StuffIt archive files
cd /tmp && curl -sS http://downloads.tuxfamily.org/sdtraces/stuffit520.611linux-i386.tar.gz | tar -zxv
sudo cp bin/unstuff /usr/local/bin/
pandoc
# sudo apt install pandoc texlive-latex-base texlive-latex-recommended texlive-latex-extra
# pandoc -s -o $fileout $filein
binwalk
cd /tmp && git clone https://github.com/ReFirmLabs/binwalk
cd binwalk && sudo python3 setup.py install
regripper
sudo apt-get install -y libparse-win32registry-perl
path=$(find /usr/share -name Win32Registry)
cd /usr/share && sudo git clone https://github.com/keydet89/RegRipper3.0.git
sudo mv RegRipper3.0 regripper
for file in WinNT/File.pm WinNT/Key.pm Base.pm; do sudo mv ${path}/${file} ${path}/${file}.$(date +%s); sudo ln -sv /usr/share/regripper/${file##*/} ${path}/${file}; done
cd regripper
sudo cp -a rip.pl rip.pl.$(date +%s)
sudo sed -i '/^my @alerts = ();/a my \$plugindir = "/usr/share/regripper/plugins/";' rip.pl
sudo sed -i "1c #! $(which perl)\nuse lib qw(/usr/lib/perl5/);" rip.pl
sudo chmod +x rip.pl
sudo ln -sv /usr/share/regripper/rip.pl /usr/bin/regripper
sudo ln -sv /usr/share/regripper/rip.pl /usr/bin/rip
volatility
volatility3
python3 -m pip install -U pefile yara-python capstone pycryptodome jsonschema leechcorepyc python-snappy
python3 -m pip install -U volatility3
cd ~/.local/bin && ln -sv vol vol3
volatility2
https://github.com/volatilityfoundation/volatility/wiki/Installation
sudo apt -y install pcregrep libpcre++-dev python-dev
python2 -m pip install distorm3 ipython openpyxl pycrypto pytz ujson yara-python
libforensic1394
sudo apt install -y cmake
cd /tmp
git clone https://github.com/FreddieWitherden/libforensic1394
cd libforensic1394
mkdir build && cd build
cmake -G"Unix Makefiles" ../
sudo make install
cd ../python
sudo python setup.py install
sudo ln -sv /usr/local/lib/libforensic1394.so.0.3.0 /usr/lib/libforensic1394.so.2
cd
sudo rm -fR /tmp/libforensic1394
sudo apt remove cmake
sudo apt autoremove
volatility
cd /opt
git clone https://github.com/volatilityfoundation/volatility.git
cd volatility
rm -fR .git
sudo python setup.py install
cd /usr/local/bin
sudo ln -sv vol.py vol2
vol2 -h
wireshark
sudo add-apt-repository -y ppa:wireshark-dev/stable
sudo apt update
sudo apt install -y tshark wireshark
autopsy
global
path_share=/share
sudo apt-get update
sudo apt install -y afflib-tools testdisk ewf-tools xmount fdupes java-common
sudo apt-get install -y imagemagick libde265-0 libheif1
java
java_file=$(ls ${path_share}/jdk-8*linux-x64.tar.gz)
file=/usr/local/bin/oracle-java-installer.sh
sudo curl -sS https://raw.githubusercontent.com/labcif/oracle-java-installer/master/oracle-java-installer.sh -o ${file}
#sudo sed -i s'/update-java-alternatives -a/update-alternatives --auto java/' /usr/local/bin/oracle-java-installer.sh
#sudo sed -i s'/update-java-alternatives -l/update-alternatives --list java/' /usr/local/bin/oracle-java-installer.sh
sudo sed -i 's|tar -xvzf|tar -xzf|' /usr/local/bin/oracle-java-installer.sh
sudo chmod +x ${file}
sudo ${file} --install ${java_file}
. /etc/profile.d/jdk.sh
${file} --status ${java_file}
base64sha
file=/usr/local/bin/b64sha
sudo curl -sS https://raw.githubusercontent.com/labcif/Base64SHA/master/b64sha -o ${file}
sudo chmod +x ${file}
sleuthkit
sleuthkit_file=$(ls ${path_share}/sleuthkit-java_*_amd64.deb)
read sleuthkit_version_major sleuthkit_version_minor <<<$(echo ${sleuthkit_file}|sed 's|^.*/sleuthkit-java_\([0-9_\.]\+\)-\([0-9]\)_amd64.deb|\1 \2|')
sudo apt install ${sleuthkit_file}
autopsy
file=$(ls ${path_share}/autopsy-*.zip)
path=${file%.zip} && path=/opt/${path##*/}
sudo unzip -q -d /opt/ ${file}
sudo chown -R ${USER}:${USER} ${path}
cd /opt && sudo ln -sv ${path##*/} autopsy
cd ${path}
sh unix_setup.sh
ln -sv ${path}/bin/autopsy ~/.local/bin/autopsy
autopsy --nosplash
launcher
echo "[Desktop Entry]
Version=1.0
Type=Application
Terminal=false
Icon=/opt/autopsy/icon.ico
Name=Autopsy
Exec=autopsy" > ~/.local/share/applications/autopsy.desktop
addons
ReportModules / ForensicExpertWitnessReport
https://github.com/chriswipat/forensic_expert_witness_report_module
IngestModules / FileHistory
https://medium.com/@markmckinnon_80619/windows-file-history-plugin-a6208da4efa5
IngestModules / Volatility
https://markmckinnon-80619.medium.com/volatility-autopsy-plugin-module-8beecea6396
regripper
regripper [-r Reg hive file] [-f profile] [-p plugin] [options]
Parse Windows Registry files, using either a single module, or a profile
Special
regripper -l -c|sort|column -t -s, # show plugins list in table sorted by plugins
regripper -l -c|sort -t, -k3 -k1|column -t -s, # show plugins list in table sorted by hive/plugins
regripper -p winver -r SOFTWARE # get the Windows version
regripper -p timezone -r SYSTEM # get timezone information from the SYSTEM hive
regripper -a -r SYSTEM # run every SYSTEM-specific plugin (full analysis of the hive)
Useful
-a # Automatically run hive-specific plugins
-l # list all plugins
-f [profile] # use the profile
-p [plugin] # use the plugin
All
-r [hive] # Registry hive file to parse
-d # Check to see if the hive is dirty
-g # Guess the hive file type
-a # Automatically run hive-specific plugins
-aT # Automatically run hive-specific TLN plugins
-f [profile] # use the profile
-p [plugin] # use the plugin
-l # list all plugins
-c # Output plugin list in CSV format (use with -l)
-s systemname # system name (TLN support)
-u username # User name (TLN support)
-uP # Update default profiles
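Worked example, added here and not code from the page or from RegRipper: the TLN plugins and -aT emit one pipe-delimited event per line (Time|Source|System|User|Description, time as a UTC Unix epoch, System and User filled from -s/-u), and the usual next step is to merge the output of several hives into one sorted timeline. The TLN lines below are constructed for the example, not real rip output; the hive names are the assumed labels of the files they came from.

```python
"""Merge RegRipper TLN output (rip -aT / *_tln plugins) from several hives into one timeline.

TLN line format: Time|Source|System|User|Description, where Time is a Unix epoch (UTC).
"""
from datetime import datetime, timezone

# Constructed sample TLN lines (not real rip output), one block per hive file.
SAMPLE_TLN = {
    "SYSTEM": (
        "1590631200|REG|LAB-PC||M... HKLM/System/ControlSet001/Services/upd_svc\n"
        "1590624000|REG|LAB-PC||M... HKLM/System/ControlSet001/Control/ComputerName/ComputerName\n"
    ),
    "NTUSER.DAT": (
        "1590627600|REG|LAB-PC|analyst|M... RunMRU - cmd.exe /c whoami\n"
        "1590634800|REG|LAB-PC|analyst|M... RecentDocs - invoice.docx\n"
    ),
    "SOFTWARE": (
        "1590631200|REG|LAB-PC||M... HKLM/Software/Microsoft/Windows/CurrentVersion/Run - updater\n"
    ),
}


def parse_tln(text, hive="?"):
    """Parse TLN lines; a malformed line raises instead of silently dropping an event."""
    events = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split("|", 4)          # the description may itself contain '|'
        if len(parts) != 5 or not parts[0].isdigit():
            raise ValueError("%s:%d: not a TLN line: %r" % (hive, n, line))
        epoch = int(parts[0])
        events.append({
            "epoch": epoch,
            "utc": datetime.fromtimestamp(epoch, tz=timezone.utc),
            "source": parts[1], "system": parts[2], "user": parts[3],
            "desc": parts[4], "hive": hive,
        })
    return events


def merge_timelines(per_hive):
    """Combine per-hive TLN text into one timeline, oldest first; ties are ordered by hive name."""
    events = []
    for hive, text in per_hive.items():
        events.extend(parse_tln(text, hive))
    events.sort(key=lambda e: (e["epoch"], e["hive"], e["desc"]))
    return events


def format_event(e):
    """One human-readable line: ISO time, host, user (or '-'), originating hive, description."""
    return "%s %-8s %-8s %-11s %s" % (
        e["utc"].strftime("%Y-%m-%d %H:%M:%SZ"), e["system"], e["user"] or "-", e["hive"], e["desc"])


def events_between(events, start_epoch, end_epoch):
    """Narrow a merged timeline to a window, e.g. around a known initial-access time."""
    return [e for e in events if start_epoch <= e["epoch"] <= end_epoch]


if __name__ == "__main__":
    for event in merge_timelines(SAMPLE_TLN):
        print(format_event(event))
```

Keeping the originating hive on every event matters when two hives record the same second, as the SYSTEM service key and the SOFTWARE Run value do in the sample: seen side by side they read as one persistence install rather than two unrelated writes.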
Plugins
Plugin Version Hive Description
adobe 20200522 NTUSER.DAT Gets user's Adobe app cRecentFiles values
allowedenum 20200511 NTUSER.DAT Software Extracts AllowedEnumeration values to determine hidden special folders
amcache 20200515 amcache Parse AmCache.hve file
amcache_tln 20180311 amcache Parse AmCache.hve file
appassoc 20200515 NTUSER.DAT Gets contents of user's ApplicationAssociationToasts key
appcertdlls 20200427 System Get entries from AppCertDlls key
appcompatcache 20200428 System Parse files from System hive AppCompatCache
appcompatcache_tln 20190112 System Parse files from System hive AppCompatCache
appcompatflags 20200525 NTUSER.DAT Software Extracts AppCompatFlags for Windows.
appinitdlls 20200427 Software Gets contents of AppInit_DLLs value
appkeys 20200517 NTUSER.DAT Software Extracts AppKeys entries.
appkeys_tln 20180920 NTUSER.DAT Software Extracts AppKeys entries.
applets 20200525 NTUSER.DAT Gets contents of user's Applets key
applets_tln 20120613 NTUSER.DAT Gets contents of user's Applets key (TLN)
apppaths 20200511 NTUSER.DAT Software Gets content of App Paths subkeys
apppaths_tln 20130429 NTUSER.DAT Software Gets content of App Paths subkeys (TLN)
appspecific 20200515 NTUSER.DAT Gets contents of user's Intellipoint\AppSpecific subkeys
appx 20200427 NTUSER.DAT USRCLASS.DAT Checks for persistence via Universal Windows Platform Apps
appx_tln 20191014 NTUSER.DAT USRCLASS.DAT Checks for persistence via Universal Windows Platform Apps
arpcache 20200515 NTUSER.DAT Retrieves CurrentVersion\App Management\ARPCache entries
at 20200525 Software Checks Software hive for AT jobs
attachmgr 20200525 NTUSER.DAT Checks user's keys that manage the Attachment Manager functionality
attachmgr_tln 20130425 NTUSER.DAT Checks user's keys that manage the Attachment Manager functionality (TLN)
at_tln 20140821 Software Checks Software hive for AT jobs
audiodev 20200525 Software Gets audio capture/render devices
auditpol 20200515 Security Get audit policy from the Security hive file
backuprestore 20200517 System Gets the contents of the FilesNotToSnapshot, KeysNotToRestore, and FilesNotToBackup keys
bam 20200427 System Parse files from System hive BAM Services
bam_tln 20180225 System Parse files from System hive BAM Services
base 20200427 All Parse base info from hive
baseline 20130211 All Scans a hive file, checking sizes of binary value data
btconfig 20200526 Software Determines BlueTooth devices 'seen' by BroadComm drivers
bthenum 20200515 System Get BTHENUM subkey info
bthport 20200517 System Gets Bluetooth-connected devices from System hive
bthport_tln 20180705 System Gets Bluetooth-connected devices from System hive; TLN output
cached 20200525 NTUSER.DAT Gets cached Shell Extensions from NTUSER.DAT hive
cached_tln 20150608 NTUSER.DAT Gets cached Shell Extensions from NTUSER.DAT hive (TLN)
calibrator 20200427 Software Checks DisplayCalibrator value (possible bypass assoc with LockBit ransomware)
clsid 20200526 Software USRCLASS.DAT Get list of CLSID/registered classes
clsid_tln 20200526 Software USRCLASS.DAT Get list of CLSID/registered classes
cmdproc 20200515 NTUSER.DAT Autostart - get Command Processor\AutoRun value from NTUSER.DAT hive
cmdproc_tln 20130425 NTUSER.DAT Autostart - get Command Processor\AutoRun value from NTUSER.DAT hive (TLN)
cmd_shell 20200515 Software Gets shell open cmds for various file types
codepage 20200519 system Checks codepage value
comdlg32 20200517 NTUSER.DAT Gets contents of user's ComDlg32 key
compdesc 20200511 NTUSER.DAT Gets contents of user's ComputerDescriptions key
compname 20090727 System Gets ComputerName and Hostname values from System hive
cred 20200427 system Checks for UseLogonCredential value
cred_tln 20200402 system Checks UseLogonCredential value
dafupnp 20200525 System Parses data from networked media streaming devices
dcom 20200525 Software Check DCOM Ports
ddo 20140414 NTUSER.DAT Gets user's DeviceDisplayObjects key contents
defender 20200427 Software Get Windows Defender settings
del 20200515 All Parse hive, print deleted keys/values
del_tln 20190506 All Parse hive, print deleted keys/values
devclass 20200525 System Get USB device info from the DeviceClasses keys in the System hive
direct 20200515 Software Searches Direct* keys for MostRecentApplication subkeys
direct_tln 20190911 Software Searches Direct* keys for MostRecentApplication subkeys (TLN)
disablelastaccess 20200517 System Get NTFSDisableLastAccessUpdate value
disablemru 20190924 NTUSER.DAT Software Checks settings disabling user's MRUs
disableremotescm 20200513 System Gets DisableRemoteScmEndpoints value from System hive
disablesr 20200515 Software Gets the value that turns System Restore either on or off
drivers32 20200525 Software Get values from the Drivers32 key
emdmgmt 20200511 Software Gets contents of EMDMgmt subkeys and values
environment 20200512 System NTUSER.DAT Get environment vars from NTUSER.DAT & System hives
execpolicy 20200517 Software Gets PowerShell Execution Policy
featureusage 20200511 NTUSER.DAT Extracts user's FeatureUsage data.
fileless 20200525 All Scans a hive file looking for fileless malware entries
findexes 20200525 All Scans a hive file looking for binary value data that contains MZ
gpohist 20200525 Software NTUSER.DAT Collects system/user GPO history
gpohist_tln 20150529 Software NTUSER.DAT Collects system/user GPO history (TLN)
heap 20200427 Software Checks HeapLeakDetection\DiagnosedApplications Subkeys
heidisql 20201227 NTUSER.DAT Gets user's heidisql data
ica_sessions 20200528 Software ARETE ONLY - Extracts Citrix ICA Session info
identities 20200525 NTUSER.DAT Extracts values from Identities key; NTUSER.DAT
imagedev 20140104 System --
imagefile 20200515 Software Checks ImageFileExecutionOptions subkeys values
injectdll64 20200427 NTUSER.DAT Software Retrieve values set to weaken Chrome security
inprocserver 20200427 Software Checks CLSID InProcServer32 values for indications of malware
installer 20200517 Software Determines product install information
ips 20200518 System Get IP Addresses and domains (DHCP, static)
jumplistdata 20200517 NTUSER.DAT Gets contents of user's JumpListData key
killsuit 20200427 Software Check for indications of Danderspritz Killsuit installation
killsuit_tln 20200414 Software Check for indications of Danderspritz Killsuit installation
knowndev 20200515 NTUSER.DAT Gets user's KnownDevices key contents
landesk 20200517 Software Get list of programs monitored by LANDESK - Software hive
landesk_tln 20130214 Software Get list of programs monitored by LANDESK from Software hive
lastloggedon 20200517 Software Gets LastLoggedOn* values from LogonUI key
licenses 20200526 Software Get contents of HKLM/Software/Licenses key
listsoft 20200517 NTUSER.DAT Lists contents of user's Software key
load 20200517 NTUSER.DAT Gets load and run values from user hive
logonstats 20200517 NTUSER.DAT Gets contents of user's LogonStats key
lsa 20200517 System Lists specific contents of LSA key
lxss 20200511 NTUSER.DAT Gets WSL config.
lxss_tln 20140723 NTUSER.DAT Gets WSL config.
macaddr 20200515 System Software --
mixer 20200517 NTUSER.DAT Checks user's audio mixer settings
mixer_tln 20141112 NTUSER.DAT Checks user's audio mixer info
mmc 20200517 NTUSER.DAT Get contents of user's MMC\Recent File List key
mmc_tln 20120828 NTUSER.DAT Get contents of user's MMC\Recent File List key (TLN)
mmo 20200517 NTUSER.DAT Checks NTUSER for Multimedia\Other values [malware]
mndmru 20200517 NTUSER.DAT Get contents of user's Map Network Drive MRU
mndmru_tln 20120829 NTUSER.DAT Get user's Map Network Drive MRU (TLN)
mountdev 20200517 System Return contents of System hive MountedDevices key
mountdev2 20200517 System Return contents of System hive MountedDevices key
mp2 20200526 NTUSER.DAT Gets user's MountPoints2 key contents
mp2_tln 20200525 NTUSER.DAT Gets user's MountPoints2 key contents
mpmru 20200517 NTUSER.DAT Gets user's Media Player RecentFileList values
msis 20200517 Software Determine MSI packages installed on the system
msoffice 20200518 NTUSER.DAT Get user's MSOffice content
msoffice_tln 20200518 NTUSER.DAT Get user's MSOffice content
muicache 20200525 NTUSER.DAT USRCLASS.DAT Gets EXEs from user's MUICache key
muicache_tln 20130425 NTUSER.DAT USRCLASS.DAT Gets EXEs from user's MUICache key (TLN)
nation 20200517 ntuser.dat Gets region information from HKCU
netlogon 20200515 System Parse values for machine account password changes
netsh 20200515 Software Gets list of NetSH helper DLLs
networkcards 20200518 Software Get NetworkCards Info
networklist 20200518 Software Collects network info from NetworkList key
networklist_tln 20150812 Software Collects network info from NetworkList key (TLN)
networksetup2 20191004 System Get NetworkSetup2 subkey info
nic2 20200525 System Gets NIC info from System hive
ntds 20200427 System Parse Services NTDS key for specific persistence values
null 20160119 All Check key/value names in a hive for leading null char
oisc 20091125 NTUSER.DAT Gets contents of user's Office Internet Server Cache
onedrive 20200515 NTUSER.DAT Gets contents of user's OneDrive key
onedrive_tln 20190823 NTUSER.DAT Gets contents of user's OneDrive key
osversion 20200511 NTUSER.DAT Checks for OSVersion value
osversion_tln 20120608 NTUSER.DAT Checks for OSVersion value (TLN)
outlook_homepage 20201002 NTUSER.DAT Software Retrieve values set to attack Outlook WebView Homepage
pagefile 20140505 System Get info on pagefile(s)
pending 20130711 System Gets contents of PendingFileRenameOperations value
pendinggpos 20200427 NTUSER.DAT Gets contents of user's PendingGPOs key
photos 20200525 USRCLASS.DAT Shell/BagMRU traversal in Win7 USRCLASS.DAT hives
portdev 20090118 Software Parses Windows Portable Devices key contents
powershellcore 20200525 Software Extracts PowerShellCore settings
prefetch 20200515 System Gets the the Prefetch Parameters
printdemon 20200514 Software Gets value assoc with printer ports and descriptions
printmon 20200427 System Lists installed Print Monitors
printmon_tln 20191122 System Lists installed Print Monitors
processor_architecture 20140505 System Get from the processor architecture from the System's environment key
profilelist 20200518 Software Get content of ProfileList key
profiler 20200525 NTUSER.DAT System Environment profiler information
pslogging 20200515 NTUSER.DAT Software Extracts PowerShell logging settings
psscript 20200525 Software NTUSER.DAT Get PSScript.ini values
putty 20200515 NTUSER.DAT Extracts the saved SshHostKeys for PuTTY.
rdpport 20200526 System Queries System hive for RDP Port
recentapps 20200515 NTUSER.DAT Gets contents of user's RecentApps key
recentapps_tln 20190513 NTUSER.DAT Gets contents of user's RecentApps key
recentdocs 20200427 NTUSER.DAT Gets contents of user's RecentDocs key
recentdocs_tln 20140220 NTUSER.DAT Gets contents of user's RecentDocs key (TLN)
remoteaccess 20200517 System Get RemoteAccess AccountLockout settings
rlo 20200517 All Parse hive, check key/value names for RLO character
routes 20200526 System Get persistent routes from the Registry
run 20200511 Software NTUSER.DAT [Autostart] Get autostart key contents from Software hive
runmru 20200525 NTUSER.DAT Gets contents of user's RunMRU key
runmru_tln 20120828 NTUSER.DAT Gets contents of user's RunMRU key (TLN)
runonceex 20200427 Software Gets contents of RunOnceEx values
runvirtual 20200427 NTUSER.DAT Software Gets RunVirtual entries
runvirtual_tln 20191211 NTUSER.DAT Software Gets RunVirtual entries
ryuk_gpo 20200427 Software Get GPO policy settings from Software hive related to Ryuk
samparse 20200825 SAM Parse SAM file for user & group mbrshp info
samparse_tln 20200826 SAM Parse SAM file for user acct info (TLN)
ScanButton 20131210 System Get Scan Button information
schedagent 20200518 Software Get SchedulingAgent key contents
scriptleturl 20200525 Software USRCLASS.DAT Check CLSIDs for ScriptletURL subkeys
searchscopes 20200517 NTUSER.DAT Gets contents of user's SearchScopes key
secctr 20200517 Software Get data from Security Center key
secrets 20200517 Security Get the last write time for the Policy\Secrets key
secrets_tln 20140814 Security Get the last write time for the Policy\Secrets key
securityproviders 20200526 System Gets SecurityProvider value from System hive
services 20191024 System Lists services/drivers in Services key by LastWrite times
sevenzip 20210329 NTUSER.DAT Gets records of histories from 7-Zip keys
sfc 20200517 Software Get SFC values
shares 20200525 System Get list of shares from System hive file
shc 20200427 NTUSER.DAT Gets SHC entries from user hive
shellbags 20200428 USRCLASS.DAT Shell/BagMRU traversal in Win7+ USRCLASS.DAT hives
shellbags_tln 20180702 USRCLASS.DAT Shell/BagMRU traversal in Win7 USRCLASS.DAT hives
shellfolders 20200515 NTUSER.DAT Gets user's shell folders values
shelloverlay 20100308 Software Gets ShellIconOverlayIdentifiers values
shimcache 20200428 System Parse file refs from System hive AppCompatCache data
shimcache_tln 20190112 System Parse file refs from System hive AppCompatCache data
shutdown 20200518 System Gets ShutdownTime value from System hive
sizes 20200517 All Scans a hive file looking for binary value data of a min size (5000)
slack 20200517 All Parse hive, print slack space, retrieve keys/values
slack_tln 20190506 All Parse hive, print slack space, retrieve keys/values
source_os 20200511 System Parse Source OS subkey values
speech 20200427 NTUSER.DAT Get values from user's Speech key
speech_tln 20191010 NTUSER.DAT Get values from user's Speech key
spp_clients 20130429 Software Determines volumes monitored by VSS
srum 20200518 Software Gets contents of SRUM subkeys
ssid 20200515 Software Get WZCSVC SSID Info
susclient 20200518 Software Extracts SusClient* info, including HDD SN (if avail)
svc 20200525 System Lists Services key contents by LastWrite time (CSV)
svcdll 20200525 System Lists Services keys with ServiceDll values
svc_tln 20130911 System Lists Services key contents by LastWrite time (CSV)
syscache 20200515 syscache Parse SysCache.hve file
syscache_csv 20200515 syscache
syscache_tln 20190516 syscache
sysinternals 20080324 NTUSER.DAT Checks for SysInternals apps keys
sysinternals_tln 20080324 NTUSER.DAT Checks for SysInternals apps keys (TLN)
systemindex 20200518 Software Gets systemindex\..\Paths info from Windows Search key
taskcache 20200427 Software Checks TaskCache\Tree root keys (not subkeys)
taskcache_tln 20200416 Software Checks TaskCache\Tree root keys (not subkeys)
tasks 20200427 Software Checks TaskCache\Tasks subkeys
tasks_tln 20200416 Software Checks TaskCache\Tasks subkeys
termcert 20200526 System Gets Terminal Server certificate
termserv 20200506 System Software Gets Terminal Server settings from System and Software hives
thispcpolicy 20200511 Software Gets ThisPCPolicy values
timezone 20200518 System Get TimeZoneInformation key contents
tracing 20200511 Software Gets list of apps that can be traced
tracing_tln 20120608 Software Gets list of apps that can be traced (TLN)
tsclient 20200518 NTUSER.DAT Displays contents of user's Terminal Server Client\Default key
tsclient_tln 20120827 NTUSER.DAT Displays contents of user's Terminal Server Client key (TLN)
typedpaths 20200526 NTUSER.DAT Gets contents of user's typedpaths key
typedpaths_tln 20120828 NTUSER.DAT Gets contents of user's typedpaths key (TLN)
typedurls 20200526 NTUSER.DAT Returns contents of user's TypedURLs key.
typedurlstime 20200526 NTUSER.DAT Returns contents of user's TypedURLsTime key.
typedurlstime_tln 20120613 NTUSER.DAT Returns contents of Win8 user's TypedURLsTime key (TLN).
typedurls_tln 20120827 NTUSER.DAT Returns MRU for user's TypedURLs key (TLN)
uac 20200427 Software Get Select User Account Control (UAC) Values from HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
uacbypass 20200511 USRCLASS.DAT Software Get possible UAC bypass settings
uninstall 20200525 Software NTUSER.DAT Gets contents of Uninstall keys from Software, NTUSER.DAT hives
uninstall_tln 20120523 Software NTUSER.DAT Gets contents of Uninstall keys from Software, NTUSER.DAT hives (TLN format)
usb 20200515 System Get USB key info
usbdevices 20200525 System Parses Enum\USB key for USB & WPD devices
usbstor 20200515 System Get USBStor key info
userassist 20170204 NTUSER.DAT Displays contents of UserAssist subkeys
userassist_tln 20180710 NTUSER.DAT Displays contents of UserAssist subkeys in TLN format
volinfocache 20200518 Software Gets VolumeInfoCache from Windows Search key
wab 20200427 Software Get WAB DLLPath settings
wab_tln 20191122 Software Get WAB DLLPath settings
watp 20200427 Software Gets contents of Windows Advanced Threat Protection key
wbem 20200511 Software Get some contents from WBEM key
wc_shares 20200515 NTUSER.DAT Gets contents of user's WorkgroupCrawler/Shares subkeys
winlogon_tln 20130429 Software Alerts on values from the WinLogon key (TLN)
winrar 20200526 NTUSER.DAT Get WinRAR\ArcHistory entries
winrar_tln 20120829 NTUSER.DAT Get WinRAR\ArcHistory entries (TLN)
winscp 20201227 NTUSER.DAT Gets user's WinSCP 2 data
winver 20200525 Software Get Windows version & build info
winzip 20200526 NTUSER.DAT Get WinZip extract and filemenu values
wordwheelquery 20200823 NTUSER.DAT Gets contents of user's WordWheelQuery key
wordwheelquery_tln 20200824 NTUSER.DAT Gets contents of user's WordWheelQuery key
wow64 20200515 Software Gets contents of WOW64\x86 key
wpdbusenum 20200515 System Get WpdBusEnum subkey info
wsh_settings 20200517 Software Gets WSH Settings
Install
see foralyse
reglookup
reglookup [-v] [-s] [-p <PATH_FILTER>] [-t <TYPE_FILTER>] <REGISTRY_FILE>
Print Windows registry elements to stdout in a CSV-like format
Special
cd /vol6/Windows/System32/config && for hive in SAM SECURITY SOFTWARE SYSTEM $(find /vol6/ -iname ntuser.dat); do echo $hive; reglookup -i $hive > /share/examen/disk/hive/reglookup_${hive//\//_}; done # one CSV per hive, slashes in the ntuser.dat paths replaced by underscores
Useful
-p # restrict output to elements below this path.
-H # disables header row.
-s # enables security descriptor output.
All
-v # sets verbose mode.
-h # enables header row. (default)
-H # disables header row.
-s # enables security descriptor output.
-S # disables security descriptor output. (default)
-p # restrict output to elements below this path.
-t # restrict results to this specific data type.
-i # includes parent key modification times with child values.
reglookup-timeline
reglookup-timeline [-H] [-V] <REGISTRY_FILE> [<REGISTRY_FILE> ...]
Builds timelines for forensic investigations, a wrapper for reglookup
Special
cd /vol6/Windows/System32/config && hives="SAM SECURITY SOFTWARE SYSTEM $(find /vol6/ -iname ntuser.dat)" && reglookup-timeline -v $hives > /share/examen/disk/hive/reglookup-tl # complete timeline
sed -n '/^2021-09-09 18:1/,$p' reglookup-tl > reglookup-tl-select # select part of timeline
All
-H # Omit header line
-V # Include values with parent timestamps
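Two small helpers for working with a timeline dump, added here as an example and not part of the original notes. They assume reglookup-timeline writes CSV with the columns MTIME,FILE,PATH; the sample rows and the function names (tl_window, tl_per_minute) are constructed for the example.

```shell
# Added example: filter a reglookup-timeline dump by a time window and hive,
# and count key modifications per minute.
# Assumption: reglookup-timeline output is CSV with columns MTIME,FILE,PATH.

# Constructed sample rows (made up for this example, not from a real case).
SAMPLE_TL='MTIME,FILE,PATH
2021-09-09 17:59:58,SYSTEM,/ControlSet001/Services/wscsvc
2021-09-09 18:10:03,SOFTWARE,/Microsoft/Windows/CurrentVersion/Run
2021-09-09 18:12:41,SAM,/SAM/Domains/Account/Users/000003E9
2021-09-09 18:12:55,SYSTEM,/ControlSet001/Services/SecurityHealthService
2021-09-09 18:15:07,SYSTEM,/ControlSet001/Control/Lsa
2021-09-09 19:02:11,SOFTWARE,/Microsoft/Windows NT/CurrentVersion'

# tl_window <start> <end> [hive]   (timeline CSV on stdin)
# Keeps the header and the rows with start <= MTIME < end; with a third
# argument only rows from that hive file. The timestamps are fixed-width ISO
# strings, so a plain string comparison orders them correctly, and a prefix
# such as "2021-09-09 18:1" works as a bound just like the sed range above.
tl_window() {
    awk -F, -v s="$1" -v e="$2" -v h="$3" '
        NR == 1 { print; next }
        $1 >= s && $1 < e && (h == "" || $2 == h)'
}

# tl_per_minute   (timeline CSV on stdin)
# Prints "<count> <YYYY-MM-DD HH:MM>", busiest minute first, to spot bursts
# of key writes (installer runs, GPO pushes, service start-type changes).
tl_per_minute() {
    awk -F, 'NR > 1 { c[substr($1, 1, 16)]++ }
             END { for (m in c) printf "%d %s\n", c[m], m }' | sort -rn
}
```

Run as `tl_window '2021-09-09 18:10' '2021-09-09 18:20' SYSTEM < reglookup-tl` or `tl_per_minute < reglookup-tl | head`.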
reglookup-recover
reglookup-recover [options] <REGISTRY_FILE>
Attempts to scour a Windows registry hive for deleted data structures and outputs those found in a CSV-like format
All
-v # sets verbose mode.
-h # enables header row. (default)
-H # disables header row.
-l # enables leftover(raw) cell output.
-L # disables leftover(raw) cell output. (default)
-r # enables raw cell output for parsed cells.
-R # disables raw cell output for parsed cells. (default)
Install
sudo apt install reglookup
theme
windows version
regripper -p winver -r $path_hive/SOFTWARE
reglookup -p "Microsoft/Windows NT/CurrentVersion" $path_hive/SOFTWARE | column -t -s, # ProductName/CurrentBuild live in the SOFTWARE hive, not SYSTEM
user password
path_hive=/vol6/Windows/System32/config
path2=/cases/examen/artefacts
# get user id
reglookup -p SAM/Domains/Account/Users ${path_hive}/SAM | grep -i angela # select 0x.....
# data
uid=000003E9
hivexget ${path_hive}/SAM "SAM\Domains\Account\Users\000003E9" V | hexdump -ve '8/1 "%02X"' > ${path2}/sam-user-v.hexdump
hivexget ${path_hive}/SAM "SAM\Domains\Account" F | hexdump -ve '8/1 "%02X"' > ${path2}/sam-f.hexdump
hivexget ${path_hive}/SYSTEM "ControlSet001\Control\Lsa\JD" lookup | hexdump -ve '8/1 "%02X"' > ${path2}/system-jd.hexdump
hivexget ${path_hive}/SYSTEM "ControlSet001\Control\Lsa\Skew1" SkewMatrix | hexdump -ve '8/1 "%02X"' > ${path2}/system-skew.hexdump
hivexget ${path_hive}/SYSTEM "ControlSet001\Control\Lsa\GBG" GrafBlumGroup | hexdump -ve '8/1 "%02X"' > ${path2}/system-gbg.hexdump
hivexget ${path_hive}/SYSTEM "ControlSet001\Control\Lsa\Data" Pattern | hexdump -ve '8/1 "%02X"' > ${path2}/system-data.hexdump
for file in "${path2}"/*.hexdump; do echo "$file"; cat "$file"; echo; done # print every dump with its path, works from any directory
regripper
reglookup
reglookup-timeline
pathhive=$device/Windows/System32/config
pathreport=/share/examen/disk
cd $pathhive
reglookup-timeline SAM SECURITY SOFTWARE SYSTEM > $pathreport/reglookup-timeline
windows
security center
disable
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SecurityHealthService]"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc]"Start"=dword:00000004
enable
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SecurityHealthService]"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc]"Start"=dword:00000002
mount
info
file ${file} # show information
fdisk -x ${file} # show information
qemu-img info ${file} # show information on virtual disk
guestfish --rw -a $file
run
list-filesystems
sudo modprobe nbd
sudo qemu-nbd -c /dev/nbd0 ${file} -f qcow2
sudo fdisk /dev/nbd0 -l
sudo qemu-nbd -d /dev/nbd0
parted ${file}
print
losetup -a # show mounted devices in /dev/loopX
resize
qemu-img resize -f raw ${file} 20972568064 # resize disk to 20972568064 bytes (correct disk size)
parted ${file}
select # select disk (interactive menu)
resizepart # resize partition (interactive menu)
mount/umount
guestmount --add ${file} --mount /dev/sda1 /vms/data
guestunmount /vms/data
sudo modprobe nbd
sudo qemu-nbd -c /dev/nbd0 ${file} -f qcow2
sudo fdisk /dev/nbd0 -l
sudo mount /dev/nbd0p1 /vms/data
sudo umount /vms/data
sudo qemu-nbd -d /dev/nbd0
sudo mount -o ro,loop,offset=$((1126400*512)) ${file} /mnt # mount one partition read-only; offset = partition start sector * sector size (512 here)
sudo umount /mnt # unmount partition
sudo losetup --find --show ${file} # attach disk to the next free /dev/loopX and print it
sudo losetup --find --show --offset ${offset} ${file} # attach partition/disk at a byte offset to /dev/loopX and print it
sudo losetup -d /dev/loopX # detach disk
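The offset mount above hard-codes the start sector. The following helpers, added here as an example and not part of the original notes, read the start sector and sector size from `fdisk -l` output instead; the sample output and the function names (part_offset, mount_part_ro) are constructed for the example.

```shell
# Added example: derive the byte offset for "mount -o ro,loop,offset=..."
# from `fdisk -l` output instead of hand-computing start sector * 512.

# fdisk -l output for a raw image. Constructed sample, sector numbers made up.
SAMPLE_FDISK='Disk win10.raw: 20 GiB, 20972568064 bytes, 40962047 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x1a2b3c4d

Device      Boot   Start      End  Sectors  Size Id Type
win10.raw1  *       2048  1126399  1124352  549M  7 HPFS/NTFS/exFAT
win10.raw2       1126400 40962046 39835647   19G  7 HPFS/NTFS/exFAT'

# part_offset <fdisk-l-output> <partition-number>
# Prints start sector * sector size for the Nth partition row (nothing if
# there is no such row). The sector size comes from the "Units:" line, so
# 4096-byte-sector images work too, and a "*" boot flag shifting the Start
# column is handled.
part_offset() {
    po_out=$1
    po_n=$2
    po_ss=$(printf '%s\n' "$po_out" | awk '/^Units:/ { print $(NF-1) }')
    printf '%s\n' "$po_out" | awk -v n="$po_n" -v ss="$po_ss" '
        /^Device/ { inpart = 1; next }
        inpart && NF > 0 {
            i++
            if (i == n) {
                start = ($2 == "*") ? $3 : $2
                printf "%d\n", start * ss
                exit
            }
        }'
}

# mount_part_ro <image> <partition-number> <mountpoint>
# Read-only loop mount of one partition of a raw disk image (needs root).
mount_part_ro() {
    mp_off=$(part_offset "$(fdisk -l "$1")" "$2") || return 1
    [ -n "$mp_off" ] || { echo "partition $2 not found in $1" >&2; return 1; }
    sudo mount -o ro,loop,offset="$mp_off" "$1" "$3"
}
```

Usage: `mount_part_ro win10.raw 2 /mnt` mounts the second partition read-only at /mnt.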
DEVICES
list
lshw -class disk -short # short list of all available disks
lshw -class disk # detailed list of all available disks
blkid
parted $device print list # print partitions list
parted $device print free # print list of free space of partitions
FDISK
partition type of fdisk
8e : lvm
bf : solaris (zfs)
EXT
e2label $device $label # set label
tune2fs -m 0 $device # set reserved blocks to 0%
mkfs.ext4 -m 0 -L $label $device # format with label and no reserved blocks
mkfs.ext4 -E lazy_itable_init $device # format quickly (inode tables initialised lazily)
FAT
fatlabel $device $label # set label