├── .github ├── script │ └── STEP └── workflows │ ├── 0-start.yml │ ├── 2-commit-a-file.yml │ ├── 4-merge-your-pull-request.yml │ ├── 1-create-a-branch.yml │ └── 3-open-a-pull-request.yml ├── images ├── delete-branch.png ├── create-new-file.png ├── my-first-branch.png ├── my-profile-file.png ├── Actions-to-step-4.png ├── commit-full-screen.png ├── pull-request-branches.png ├── Green-merge-pull-request.png ├── Pull-request-description.png └── compare-and-pull-request.png ├── .gitignore ├── README.md └── LICENSE /.github/script/STEP: -------------------------------------------------------------------------------- 1 | 1 2 | -------------------------------------------------------------------------------- /images/delete-branch.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/abdulshareef/DFIR-Resources/HEAD/images/delete-branch.png -------------------------------------------------------------------------------- /images/create-new-file.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/abdulshareef/DFIR-Resources/HEAD/images/create-new-file.png -------------------------------------------------------------------------------- /images/my-first-branch.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/abdulshareef/DFIR-Resources/HEAD/images/my-first-branch.png -------------------------------------------------------------------------------- /images/my-profile-file.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/abdulshareef/DFIR-Resources/HEAD/images/my-profile-file.png -------------------------------------------------------------------------------- /images/Actions-to-step-4.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/abdulshareef/DFIR-Resources/HEAD/images/Actions-to-step-4.png -------------------------------------------------------------------------------- /images/commit-full-screen.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/abdulshareef/DFIR-Resources/HEAD/images/commit-full-screen.png -------------------------------------------------------------------------------- /images/pull-request-branches.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/abdulshareef/DFIR-Resources/HEAD/images/pull-request-branches.png -------------------------------------------------------------------------------- /images/Green-merge-pull-request.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/abdulshareef/DFIR-Resources/HEAD/images/Green-merge-pull-request.png -------------------------------------------------------------------------------- /images/Pull-request-description.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/abdulshareef/DFIR-Resources/HEAD/images/Pull-request-description.png -------------------------------------------------------------------------------- /images/compare-and-pull-request.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/abdulshareef/DFIR-Resources/HEAD/images/compare-and-pull-request.png -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | # Compiled source # 2 | ################### 3 | *.com 4 | *.class 5 | *.dll 6 | *.exe 7 | *.o 8 | *.so 9 | 10 | # Packages # 11 | ############ 12 | # it's better to unpack these files and commit the raw source 13 | # git has 
its own built in compression methods 14 | *.7z 15 | *.dmg 16 | *.gz 17 | *.iso 18 | *.jar 19 | *.rar 20 | *.tar 21 | *.zip 22 | 23 | # Logs and databases # 24 | ###################### 25 | *.log 26 | *.sql 27 | *.sqlite 28 | 29 | # OS generated files # 30 | ###################### 31 | .DS_Store 32 | .DS_Store? 33 | ._* 34 | .Spotlight-V100 35 | .Trashes 36 | ehthumbs.db 37 | Thumbs.db 38 | -------------------------------------------------------------------------------- /.github/workflows/0-start.yml: -------------------------------------------------------------------------------- 1 | name: Step 0, Start 2 | 3 | # This step triggers after the learner creates a new repository from the template 4 | # This step sets STEP to 1 5 | # This step closes
and opens
6 | 7 | # This will run every time we create push a commit to `main` 8 | # Reference https://docs.github.com/en/actions/learn-github-actions/events-that-trigger-workflows 9 | on: 10 | workflow_dispatch: 11 | push: 12 | branches: 13 | - main 14 | 15 | # Reference https://docs.github.com/en/actions/security-guides/automatic-token-authentication 16 | permissions: 17 | # Need `contents: read` to checkout the repository 18 | # Need `contents: write` to update the step metadata 19 | contents: write 20 | 21 | jobs: 22 | on_start: 23 | name: On start 24 | 25 | # We will only run this action when: 26 | # 1. This repository isn't the template repository 27 | # Reference https://docs.github.com/en/actions/learn-github-actions/contexts 28 | # Reference https://docs.github.com/en/actions/learn-github-actions/expressions 29 | if: ${{ !github.event.repository.is_template }} 30 | 31 | # We'll run Ubuntu for performance instead of Mac or Windows 32 | runs-on: ubuntu-latest 33 | 34 | steps: 35 | # We'll need to check out the repository so that we can edit the README 36 | - name: Checkout 37 | uses: actions/checkout@v2 38 | with: 39 | fetch-depth: 0 # Let's get all the branches 40 | 41 | # Update README to close
and open
42 | # and set STEP to '1' 43 | - name: Update to step 1 44 | uses: skills/action-update-step@v1 45 | with: 46 | token: ${{ secrets.GITHUB_TOKEN }} 47 | from_step: 0 48 | to_step: 1 49 | branch_name: my-first-branch 50 | -------------------------------------------------------------------------------- /.github/workflows/2-commit-a-file.yml: -------------------------------------------------------------------------------- 1 | name: Step 2, Commit a file 2 | 3 | # This step listens for the learner to commit a file to branch `my-first-branch` 4 | # This step sets STEP to 3 5 | # This step closes
and opens
6 | 7 | # This action will run every time there's a push to `my-first-branch` 8 | # Reference https://docs.github.com/en/actions/learn-github-actions/events-that-trigger-workflows 9 | on: 10 | workflow_dispatch: 11 | push: 12 | branches: 13 | - my-first-branch 14 | 15 | # Reference https://docs.github.com/en/actions/security-guides/automatic-token-authentication 16 | permissions: 17 | # Need `contents: read` to checkout the repository 18 | # Need `contents: write` to update the step metadata 19 | contents: write 20 | 21 | jobs: 22 | on_commit_a_file: 23 | name: On commit a file 24 | 25 | # We will only run this action when: 26 | # 1. This repository isn't the template repository 27 | # Reference https://docs.github.com/en/actions/learn-github-actions/contexts 28 | # Reference https://docs.github.com/en/actions/learn-github-actions/expressions 29 | if: ${{ !github.event.repository.is_template }} 30 | 31 | # We'll run Ubuntu for performance instead of Mac or Windows 32 | runs-on: ubuntu-latest 33 | 34 | steps: 35 | # We'll need to check out the repository so that we can edit the README 36 | - name: Checkout 37 | uses: actions/checkout@v2 38 | with: 39 | fetch-depth: 0 # Let's get all the branches 40 | 41 | # Update README to close
and open
42 | # and set STEP to '3' 43 | - name: Update to step 3 44 | uses: skills/action-update-step@v1 45 | with: 46 | token: ${{ secrets.GITHUB_TOKEN }} 47 | from_step: 2 48 | to_step: 3 49 | branch_name: my-first-branch 50 | -------------------------------------------------------------------------------- /.github/workflows/4-merge-your-pull-request.yml: -------------------------------------------------------------------------------- 1 | name: Step 4, Merge your pull request 2 | 3 | # This step listens for the learner to merge a pull request with branch `my-first-branch` 4 | # This step sets STEP to x 5 | # This step closes
and opens
6 | 7 | # This will run every time we create push a commit to `main` 8 | # Reference https://docs.github.com/en/actions/learn-github-actions/events-that-trigger-workflows 9 | on: 10 | workflow_dispatch: 11 | push: 12 | branches: 13 | - main 14 | 15 | # Reference https://docs.github.com/en/actions/security-guides/automatic-token-authentication 16 | permissions: 17 | # Need `contents: read` to checkout the repository 18 | # Need `contents: write` to update the step metadata 19 | contents: write 20 | 21 | jobs: 22 | on_merge_your_pull_request: 23 | name: On merge your pull request 24 | 25 | # We will only run this action when: 26 | # 1. This repository isn't the template repository 27 | # Reference https://docs.github.com/en/actions/learn-github-actions/contexts 28 | # Reference https://docs.github.com/en/actions/learn-github-actions/expressions 29 | if: ${{ !github.event.repository.is_template }} 30 | 31 | # We'll run Ubuntu for performance instead of Mac or Windows 32 | runs-on: ubuntu-latest 33 | 34 | steps: 35 | # We'll need to check out the repository so that we can edit the README 36 | - name: Checkout 37 | uses: actions/checkout@v2 38 | with: 39 | fetch-depth: 0 # Let's get all the branches 40 | 41 | # Update README to close
and open
42 | # and set STEP to X 43 | - name: Update to step X 44 | uses: skills/action-update-step@v1 45 | with: 46 | token: ${{ secrets.GITHUB_TOKEN }} 47 | from_step: 4 48 | to_step: X 49 | branch_name: my-first-branch 50 | -------------------------------------------------------------------------------- /.github/workflows/1-create-a-branch.yml: -------------------------------------------------------------------------------- 1 | name: Step 1, Create a branch 2 | 3 | # This step listens for the learner to create branch `my-first-branch` 4 | # This step sets STEP to 2 5 | # This step closes
and opens
6 | 7 | # This will run every time we create a branch or tag 8 | # Reference https://docs.github.com/en/actions/learn-github-actions/events-that-trigger-workflows 9 | on: 10 | workflow_dispatch: 11 | create: 12 | 13 | # Reference https://docs.github.com/en/actions/security-guides/automatic-token-authentication 14 | permissions: 15 | # Need `contents: read` to checkout the repository 16 | # Need `contents: write` to update the step metadata 17 | contents: write 18 | 19 | jobs: 20 | on_create_a_branch: 21 | name: On create a branch 22 | 23 | # We will only run this action when: 24 | # 1. This repository isn't the template repository 25 | # 2. The event is a branch 26 | # 3. The branch name is `my-first-branch` 27 | # Reference https://docs.github.com/en/actions/learn-github-actions/contexts 28 | # Reference https://docs.github.com/en/actions/learn-github-actions/expressions 29 | if: ${{ !github.event.repository.is_template && github.ref_type == 'branch' && github.ref_name == 'my-first-branch' }} 30 | 31 | # We'll run Ubuntu for performance instead of Mac or Windows 32 | runs-on: ubuntu-latest 33 | 34 | steps: 35 | # We'll need to check out the repository so that we can edit the README 36 | - name: Checkout 37 | uses: actions/checkout@v2 38 | with: 39 | fetch-depth: 0 # Let's get all the branches 40 | 41 | # Update README to close
and open
42 | # and set STEP to '2' 43 | - name: Update to step 2 44 | uses: skills/action-update-step@v1 45 | with: 46 | token: ${{ secrets.GITHUB_TOKEN }} 47 | from_step: 1 48 | to_step: 2 49 | branch_name: my-first-branch 50 | -------------------------------------------------------------------------------- /.github/workflows/3-open-a-pull-request.yml: -------------------------------------------------------------------------------- 1 | name: Step 3, Open a pull request 2 | 3 | # This step listens for the learner to open a pull request with branch `my-first-branch` 4 | # This step sets STEP to 4 5 | # This step closes
and opens
6 | 7 | # This will run every time we create a branch or tag 8 | # Reference https://docs.github.com/en/actions/learn-github-actions/events-that-trigger-workflows 9 | on: 10 | workflow_dispatch: 11 | pull_request: 12 | types: 13 | - opened 14 | - reopened 15 | 16 | # Reference https://docs.github.com/en/actions/security-guides/automatic-token-authentication 17 | permissions: 18 | # Need `contents: read` to checkout the repository 19 | # Need `contents: write` to update the step metadata 20 | contents: write 21 | 22 | jobs: 23 | on_open_a_pull_request: 24 | name: On open a pull request 25 | 26 | # We will only run this action when: 27 | # 1. This repository isn't the template repository 28 | # 2. The head branch name is `my-first-branch` 29 | # Reference https://docs.github.com/en/actions/learn-github-actions/contexts 30 | # Reference https://docs.github.com/en/actions/learn-github-actions/expressions 31 | if: ${{ !github.event.repository.is_template && github.head_ref == 'my-first-branch' }} 32 | 33 | # We'll run Ubuntu for performance instead of Mac or Windows 34 | runs-on: ubuntu-latest 35 | 36 | steps: 37 | # We'll need to check out the repository so that we can edit the README 38 | - name: Checkout 39 | uses: actions/checkout@v2 40 | with: 41 | fetch-depth: 0 # Let's get all the branches 42 | ref: my-first-branch # Important, as normally `pull_request` event won't grab other branches 43 | 44 | # Update README to close
and open
45 | # and set STEP to '4' 46 | - name: Update to step 4 47 | uses: skills/action-update-step@v1 48 | with: 49 | token: ${{ secrets.GITHUB_TOKEN }} 50 | from_step: 3 51 | to_step: 4 52 | branch_name: my-first-branch 53 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # DFIR-Resources 2 | 3 | ------------------------------------------------- 4 | WinPMEM - an open-source memory acquisition tool. 5 | ------------------------------------------------- 6 | 7 | Download from https://github.com/Velocidex/WinPmem/releases 8 | 9 | Open CMD (run as administrator) and browse to the downloaded directory, and execute the following command as it is a command line tool. 10 | 11 | "winpmem_mini_x64_rc2.exe volatilemem.raw" 12 | 13 | ----------------------------------------------------------------------------------- 14 | Important Windows PowerShell Commands in Forensic Investigation 15 | ----------------------------------------------------------------------------------- 16 | 17 | Start Windows PowerShell (Run as Administrator) 18 | 19 | Lists all the established TCP connections in the system and output to text file:
20 | Get-NetTCPConnection –State Established >>D:\FolderName\FileName.txt 21 | 22 | Gets IP route information from the IP routing table and output to text file:
23 | Get-NetRoute >>D:\FolderName\FileName.txt 24 | 25 | All the active processes output to text file:
26 | Get-Process >>D:\FolderName\FileName.txt 27 | 28 | Output Windows Event Log (Security Events) to Text Files:
29 | Get-WinEvent -LogName "Security" >>D:\FolderName\FileName.txt 30 | 31 | Outputs Startup Program to text File:
32 | Get-CimInstance win32_service -Filter "startmode = 'auto'" >>D:\FolderName\FileName.txt 33 | 34 | File Created Time and Modified Time – Export to Text:
35 | Get-ChildItem -Recurse C:\FolderName | Select-Object Mode,CreationTime, LastWriteTime,Length,Name >>D:\FolderName\FileName.txt 36 | 37 | Hash entire file content inside a folder using SHA256 and export to text file:
```powershell
Get-ChildItem -Path "D:\FolderName" -File | Get-FileHash >> D:\FolderName\FileName.txt
```

---------------------------------------------------------------------------------------
Though the chrome:// URL list is huge, I have selected a few that can be useful for incident responders to quickly gather information from the Chrome browser. (Just copy and paste the URL into the address bar.)
---------------------------------------------------------------------------------------

- `chrome://media-engagement` (Displays the media engagement score and thresholds for all sites opened in the browser. The score is used to determine video auto-play with sound.)
- `chrome://indexeddb-internals` (IndexedDB information in the user profile)
- `chrome://media-internals` (Media information is displayed)
- `chrome://net-export` (Capture network activity and save it to a file on the disk)
- `chrome://ntp-tiles-internals` (Displays information about the tiles on the New Tab page and the Top Sites functionality)
- `chrome://predictors` (A list of autocomplete and resource prefetch predictors based on past activity)
- `chrome://signin-internals` (Displays information about the signed-in account(s), such as last sign-in details or validity)
- `chrome://site-engagement` (Displays an engagement score for all sites visited in the browser)

--------------------------------------------------------------------------------------------
Track registry changes (useful for remote collection and analysis as a part of the IR process)
--------------------------------------------------------------------------------------------

In this example, we are tracking changes in "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion".
1) Run PowerShell as admin and take the 1st snapshot:

```powershell
dir -rec -erroraction ignore HKLM:\Software\Microsoft\Windows\CurrentVersion | % name > C:\HKLM_Snap_Before.txt
```

2) Take the 2nd snapshot:

```powershell
dir -rec -erroraction ignore HKLM:\Software\Microsoft\Windows\CurrentVersion | % name > C:\HKLM_Snap_of_Date-$(get-date -f dd-MM-yyyy).txt
```

3) Compare the 1st and 2nd snapshots:

```powershell
Compare-Object (Get-Content -Path C:\HKLM_Snap_Before.txt) (Get-Content -Path [Insert path and file name of 2nd Snapshot (remove square brackets too)])
```

Although dedicated tools are available, this simple PowerShell sequence is useful during remote collection and analysis. Note that `% name` records subkey names only, so a value that changes under a key that already existed will not show up in the comparison.
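As an added example (not code from the DFIR-Resources README), the PowerShell triage commands in the section above can be run as one collection script. It writes each artifact to its own CSV with `Export-Csv` instead of appending `>>` text, so columns are not truncated and the files load cleanly into a timeline tool, collects the most volatile items first, records which collectors failed, and hashes every output file so the set can be verified later. The `D:\Triage` output root, the host-name folder layout and the 5000-event cap on the Security log are this example's own assumptions.

```powershell
# Added example, not from the README: volatile-first triage collection to per-artifact CSV files.
param(
    [string]$OutputRoot = "D:\Triage"   # assumption: an evidence drive mounted as D:
)

$stamp = Get-Date -Format "yyyyMMdd-HHmmss"
$dest  = Join-Path $OutputRoot ("{0}-{1}" -f $env:COMPUTERNAME, $stamp)
New-Item -ItemType Directory -Path $dest -Force | Out-Null

# Artifact name => scriptblock producing the objects to export. Order is volatile-first:
# network state and processes change fastest, so they are captured before the slower items.
$collectors = [ordered]@{
    'tcp-established' = { Get-NetTCPConnection -State Established |
                          Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, OwningProcess, CreationTime }
    'routes'          = { Get-NetRoute | Select-Object DestinationPrefix, NextHop, InterfaceAlias, RouteMetric }
    'processes'       = { Get-Process | Select-Object Id, ProcessName, Path, StartTime, Company |
                          Sort-Object StartTime }
    'auto-services'   = { Get-CimInstance Win32_Service -Filter "StartMode = 'Auto'" |
                          Select-Object Name, DisplayName, State, PathName, StartName }
    'security-events' = { Get-WinEvent -LogName Security -MaxEvents 5000 |   # cap is an assumption
                          Select-Object TimeCreated, Id, ProviderName, Message }
}

$log = foreach ($name in $collectors.Keys) {
    $file = Join-Path $dest "$name.csv"
    try {
        # Errors are recorded rather than fatal, so one failing collector
        # (for example no access to the Security log) does not stop the run.
        & $collectors[$name] | Export-Csv -Path $file -NoTypeInformation -Encoding UTF8
        [pscustomobject]@{ Artifact = $name; File = $file; Status = 'ok' }
    } catch {
        [pscustomobject]@{ Artifact = $name; File = $file; Status = "failed: $($_.Exception.Message)" }
    }
}

# Hash the collected files so the set can be verified after transfer (chain of custody).
Get-ChildItem -Path $dest -File -Filter *.csv |
    Get-FileHash -Algorithm SHA256 |
    Select-Object @{n='File'; e={ Split-Path $_.Path -Leaf }}, Hash |
    Export-Csv -Path (Join-Path $dest 'manifest-sha256.csv') -NoTypeInformation

$log | Format-Table -AutoSize
```

Run it from an elevated 64-bit PowerShell on the host; the manifest file lets you prove later that the CSVs were not altered between collection and analysis.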
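The snapshot-and-compare procedure above keys only on subkey names. As an added example (not the README's own script), the following functions snapshot a key recursively with its value names and data as well, save the snapshot as CliXml so the "before" copy can be taken early and compared later from another machine, and report added, removed and modified items. The function names and the `C:\HKLM_Snap_Before.xml` file name are assumptions made for this example.

```powershell
# Added example, not from the README: registry key snapshot including values, plus a diff.
function Get-RegistrySnapshot {
    param([Parameter(Mandatory)][string]$Path)   # e.g. HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion
    $snapshot = @{}
    $keys = @(Get-Item -Path $Path -ErrorAction SilentlyContinue) +
            @(Get-ChildItem -Path $Path -Recurse -ErrorAction SilentlyContinue)
    foreach ($key in $keys) {
        # Record the key itself so purely added/removed keys show up even when they hold no values
        $snapshot[$key.Name] = '<key>'
        foreach ($valueName in $key.GetValueNames()) {
            # Do not expand %VAR% in REG_EXPAND_SZ data: the raw string is the forensic artifact
            $data = $key.GetValue($valueName, $null, 'DoNotExpandEnvironmentNames')
            if ($data -is [byte[]])      { $data = [BitConverter]::ToString($data) }
            elseif ($data -is [string[]]) { $data = $data -join '|' }
            $label = if ($valueName -eq '') { '(Default)' } else { $valueName }
            $snapshot["$($key.Name)::$label"] = "$data"
        }
    }
    return $snapshot
}

function Compare-RegistrySnapshot {
    param([hashtable]$Before, [hashtable]$After)
    $names = @($Before.Keys) + @($After.Keys) | Sort-Object -Unique
    foreach ($name in $names) {
        if (-not $After.ContainsKey($name)) {
            [pscustomobject]@{ Change = 'Removed';  Item = $name; Before = $Before[$name]; After = $null }
        } elseif (-not $Before.ContainsKey($name)) {
            [pscustomobject]@{ Change = 'Added';    Item = $name; Before = $null;          After = $After[$name] }
        } elseif ($Before[$name] -ne $After[$name]) {
            [pscustomobject]@{ Change = 'Modified'; Item = $name; Before = $Before[$name]; After = $After[$name] }
        }
    }
}

# Usage on the key the README tracks (file name is an assumption).
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion'
Get-RegistrySnapshot -Path $key | Export-Clixml -Path C:\HKLM_Snap_Before.xml
# ... later in the investigation ...
$before = Import-Clixml -Path C:\HKLM_Snap_Before.xml
$after  = Get-RegistrySnapshot -Path $key
Compare-RegistrySnapshot -Before $before -After $after | Format-Table -AutoSize
```

A `Modified` row on a Run or RunOnce value, or an `Added` row for a new subkey under `CurrentVersion`, is exactly the kind of persistence change the text-file comparison would miss when the parent key already existed.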
---------------------------------------------------------------------------------------------
Windows Registry Forensic Analysis.
---------------------------------------------------------------------------------------------

Time Zone Information:
- `SYSTEM\CurrentControlSet\Control\TimeZoneInformation`

Network Interfaces and Past Networks:
- `SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces`

Autostart Programs:
- `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Run`
- `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\RunOnce`
- `SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce`
- `SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run`
- `SOFTWARE\Microsoft\Windows\CurrentVersion\Run`

SAM hive:
- `SAM\Domains\Account\Users`

USB Device History:

USB device volume name:
- `SOFTWARE\Microsoft\Windows Portable Devices\Devices`

Device identification (history):
- `SYSTEM\CurrentControlSet\Enum\USBSTOR`
- `SYSTEM\CurrentControlSet\Enum\USB`

First/Last Times:
- `SYSTEM\CurrentControlSet\Enum\USBSTOR\Ven_Prod_Version\USBSerial#\Properties\{83da6326-97a6-4088-9453-a19231573b29}\####`
- `0064` = first connection
- `0066` = last connection
- `0067` = last removal

Bluetooth:
- `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Devices`

File / Folder Usage:

Recent Files:
- `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs`

Office Recent Files:
- `NTUSER.DAT\Software\Microsoft\Office\VERSION`
- `NTUSER.DAT\Software\Microsoft\Office\VERSION\UserMRU\LiveID_####\FileMRU`

ShellBags:
- `USRCLASS.DAT\Local Settings\Software\Microsoft\Windows\Shell\Bags`
- `USRCLASS.DAT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU`
- `NTUSER.DAT\Software\Microsoft\Windows\Shell\BagMRU`
- `NTUSER.DAT\Software\Microsoft\Windows\Shell\Bags`

Open/Save and LastVisited Dialog MRUs:
- `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU`
- `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU`

Windows Explorer Address/Search Bars:
- `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths`
- `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery`

Execution:

UserAssist:
- `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count`

ShimCache:
- `SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache`

Background Activity Moderator (BAM) and Desktop Activity Monitor (DAM) (Win8):
- `SYSTEM\CurrentControlSet\Services\bam\UserSettings\{SID}`
- `SYSTEM\CurrentControlSet\Services\dam\UserSettings\{SID}`
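The UserAssist key listed under Execution above is worth decoding rather than just reading, because its value names are ROT13-encoded and its data is binary. As an added example (not code from the README), the functions below decode a value name, parse the run count and last-execution FILETIME out of the record (72-byte layout on Windows 7 and later: count at offset 4, FILETIME at offset 60; 16-byte XP-era layout: count at offset 4, FILETIME at offset 8), and walk the live `HKCU` hive. The function names are this example's own; the sample record at the bottom is constructed, so the parser can be exercised without a live hive.

```powershell
# Added example, not from the README: decode UserAssist names and records.
function ConvertFrom-Rot13 {
    param([string]$Text)
    $chars = foreach ($c in $Text.ToCharArray()) {
        if     ($c -ge 'a' -and $c -le 'z') { [char](([int]$c - [int][char]'a' + 13) % 26 + [int][char]'a') }
        elseif ($c -ge 'A' -and $c -le 'Z') { [char](([int]$c - [int][char]'A' + 13) % 26 + [int][char]'A') }
        else { $c }
    }
    -join $chars
}

function ConvertFrom-UserAssistValue {
    param([string]$EncodedName, [byte[]]$Data)
    $count = $null; $lastRun = $null; $ft = 0
    if ($Data.Length -ge 72) {
        # Windows 7+ record: run count at offset 4, last execution FILETIME at offset 60
        $count = [BitConverter]::ToUInt32($Data, 4)
        $ft    = [BitConverter]::ToInt64($Data, 60)
    } elseif ($Data.Length -ge 16) {
        # XP/2003 record: the stored count starts at 5, so subtract that offset
        $count = [BitConverter]::ToUInt32($Data, 4) - 5
        $ft    = [BitConverter]::ToInt64($Data, 8)
    }
    if ($ft -gt 0) { $lastRun = [DateTime]::FromFileTimeUtc($ft) }
    [pscustomobject]@{
        Program  = ConvertFrom-Rot13 $EncodedName
        RunCount = $count
        LastRun  = $lastRun
    }
}

# Walk the live hive of the current user. Point $Root at a loaded NTUSER.DAT hive
# (reg load) to examine another user's profile offline.
function Get-UserAssist {
    param([string]$Root = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist')
    Get-ChildItem -Path $Root -ErrorAction SilentlyContinue | ForEach-Object {
        $countKey = $_.OpenSubKey('Count')        # each {GUID} key holds a Count subkey
        if ($countKey) {
            foreach ($name in $countKey.GetValueNames()) {
                $bytes = $countKey.GetValue($name)
                if ($bytes -is [byte[]]) { ConvertFrom-UserAssistValue -EncodedName $name -Data $bytes }
            }
            $countKey.Close()
        }
    } | Where-Object LastRun | Sort-Object LastRun -Descending
}

# Constructed sample: a 72-byte record for C:\Tools\evil.exe, run 3 times, last at 2024-01-15 10:30 UTC.
$sample = New-Object byte[] 72
[BitConverter]::GetBytes([uint32]3).CopyTo($sample, 4)
[BitConverter]::GetBytes(([DateTime]'2024-01-15T10:30:00Z').ToFileTimeUtc()).CopyTo($sample, 60)
ConvertFrom-UserAssistValue -EncodedName 'P:\Gbbyf\rivy.rkr' -Data $sample

# Live system:
Get-UserAssist | Format-Table -AutoSize
```

Entries whose decoded name does not look like a path (for example `UEME_CTLSESSION`) are bookkeeping values, not executed programs; the `Where-Object LastRun` filter drops those with no timestamp.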
--------------------------------------------------------------------------------------------
An important location in Windows to look for deleted records: Windows search index database forensics.
--------------------------------------------------------------------------------------------

Analyse Windows.edb to parse normal records and recover deleted records.

Step 1: Stop SearchIndexer in order to copy the Windows.edb file.
Run PowerShell as Administrator and run this command:

```powershell
Get-Process SearchIndexer | Stop-Process
```

Select [A] (Yes to All) at the confirmation prompt.

Step 2: In PowerShell, copy the Windows.edb file to an external drive or other location:

```powershell
copy C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb D:\FolderName
```

Step 3: Download WinSearchDBAnalyzer by Jeonghyeon Kim (get the link from Google).
--------------------------------------------------------------------------------------------
Data Exfiltration Over Bluetooth.
--------------------------------------------------------------------------------------------

Bluetooth registry entries to investigate (the subkeys are the MAC addresses of Bluetooth devices that have been connected). After that, use the free utility "DCode" to convert the Windows timestamps and establish the date and time at which each Bluetooth device was connected.

`HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Devices`

--------------------------------------------------------------------------------------------
ETL File Analysis.
--------------------------------------------------------------------------------------------

There are events that carry information about shell items, network shares, apps that require privileges, Run key information, etc.

When the system boots, it appears that this file is created. Its location is:

`C:\Users\<username>\AppData\Local\Microsoft\Windows\Explorer\ExplorerStartupLog.etl`

You can use the Tracerpt command-line utility, which parses an ETL file's contents and saves them as a CSV or XML file that can be opened in Excel or any text editor.

Open CMD in the folder to which ExplorerStartupLog.etl was copied and run this command from there:

```
tracerpt ExplorerStartupLog.etl -of CSV
```
-------------------------------------------------------------------------------------------

Get the hash of all files in a folder and export it to a text file using PowerShell. Run this script in PowerShell and remember to change the folder path.
-------------------------------------------------------------------------------------------

You can change -Algorithm MD5 to any other algorithm.

```powershell
param (
    $folders = @("C:\path\folder_name")
)
# Walk each folder recursively, hash every file and record its path relative to the folder root
$allFiles = foreach ($folder in $folders) {
    Get-ChildItem -Path $folder -Recurse -File |
        Select-Object FullName, Name, Length |
        ForEach-Object {
            $hash = Get-FileHash -Algorithm MD5 $_.FullName
            Add-Member -InputObject $_ -NotePropertyName Hash -NotePropertyValue $hash.Hash
            Add-Member -InputObject $_ -NotePropertyName RelativePath -NotePropertyValue $_.FullName.Replace($folder, '') -PassThru
        }
}
# Write every file as a RelativePath/Hash table
$allFiles | Format-Table RelativePath, Hash >> C:\path\folder_name\output_hash.txt
```

---------------------------------------------------------------------------------------
Wireshark - most common types of filtering.
---------------------------------------------------------------------------------------

Filter by IP address: displays all traffic from an IP, be it source or destination
`ip.addr == 192.168.1.1`

Filter by source address: display traffic only from an IP source
`ip.src == 192.168.0.1`

Filter by destination: display traffic only to an IP destination
`ip.dst == 192.168.0.1`

Filter by IP subnet: display traffic from a subnet, be it source or destination
`ip.addr == 192.168.0.1/24`

Filter by protocol: filter traffic by protocol name
`dns`, `http`, `ftp`, `arp`, `ssh`, `telnet`, `icmp`

Exclude IP address: remove traffic from and to an IP address
`!(ip.addr == 192.168.0.1)`

Display traffic between two specific subnets
`ip.addr == 192.168.0.1/24 and ip.addr == 192.168.1.1/24`

Display traffic between two specific workstations
`ip.addr == 192.168.0.1 and ip.addr == 192.168.0.2`

Filter by MAC
`eth.addr == 00:50:7f:c5:b6:78`

Filter TCP port
`tcp.port == 80`

Filter TCP source port
`tcp.srcport == 80`

Filter TCP destination port
`tcp.dstport == 80`

Find user agents
`http.user_agent contains "Firefox"`
`!http.user_agent contains || !http.user_agent contains Chrome`

Filter out ARP, ICMP and DNS (noise) traffic
`!(arp or icmp or dns)`

Filter IP address and port
`tcp.port == 80 && ip.addr == 192.168.0.1`

Filter all HTTP requests
`http.request`

Filter all HTTP requests and responses
`http.request or http.response`

Filter the three-way handshake
`tcp.flags.syn==1 or (tcp.seq==1 and tcp.ack==1 and tcp.len==0 and tcp.analysis.initial_rtt)`

Find files by type (regular-expression match on the frame bytes)
`frame matches "(attachment|tar|exe|zip|pdf)"`

Find traffic based on a keyword
`tcp contains "facebook"`
`frame contains "facebook"`

Detecting SYN floods
`tcp.flags.syn == 1 and tcp.flags.ack == 0`
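The SYN-flood filter above shows the matching packets; what an analyst usually wants is the count of bare SYNs per source, set against how many handshakes that source actually completed. As an added example (not from the README), the functions below apply display filters from PowerShell through `tshark`, the command-line companion of Wireshark (assumed to be installed and on PATH), and aggregate the result. The function names, the threshold and the `C:\Cases\capture.pcap` path are this example's own assumptions.

```powershell
# Added example, not from the README: per-source SYN aggregation over a pcap via tshark.
function Get-SynSources {
    param(
        [Parameter(Mandatory)][string]$CaptureFile,
        [int]$Threshold = 100,   # assumption: SYNs from one source considered worth a look
        [string]$Filter = 'tcp.flags.syn == 1 and tcp.flags.ack == 0'
    )
    # -r reads the capture, -Y applies a display filter, -T fields/-e select columns, -E sets the separator
    $rows = & tshark -r $CaptureFile -Y $Filter -T fields -e ip.src -e ip.dst -e tcp.dstport -E separator=, |
            ConvertFrom-Csv -Header Source, Destination, DestinationPort
    $rows | Group-Object Source | ForEach-Object {
        [pscustomobject]@{
            Source         = $_.Name
            SynCount       = $_.Count
            Targets        = @($_.Group.Destination | Sort-Object -Unique).Count
            Ports          = (@($_.Group.DestinationPort | Sort-Object -Unique) -join ' ')
            AboveThreshold = $_.Count -ge $Threshold
        }
    } | Sort-Object SynCount -Descending
}

# A SYN-only count also catches legitimate scanners and retransmissions, so compare it with the
# number of completed handshakes from the same source before treating it as a flood.
function Get-HandshakeCount {
    param([Parameter(Mandatory)][string]$CaptureFile, [Parameter(Mandatory)][string]$Source)
    # Final ACK of the three-way handshake (relative sequence numbers, Wireshark's default):
    # ACK set, SYN clear, seq and ack both 1, no payload. Approximate, but good enough for triage.
    $f = "ip.src == $Source and tcp.flags.ack == 1 and tcp.flags.syn == 0 and tcp.seq == 1 and tcp.ack == 1 and tcp.len == 0"
    @(& tshark -r $CaptureFile -Y $f -T fields -e frame.number).Count
}

$capture = 'C:\Cases\capture.pcap'   # assumption
$suspects = Get-SynSources -CaptureFile $capture -Threshold 50 | Where-Object AboveThreshold
foreach ($s in $suspects) {
    $s | Add-Member -NotePropertyName Handshakes -NotePropertyValue (Get-HandshakeCount -CaptureFile $capture -Source $s.Source) -PassThru
} | Format-Table Source, SynCount, Handshakes, Targets, Ports -AutoSize
```

A source with hundreds of SYNs and close to zero completed handshakes is the flood signature; a source with many SYNs and a comparable number of handshakes is more likely a busy client or a scanner that did get answers.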
---------------------------------------------------------------------------------------
Obtain the hash of all running executables in Windows using "CertUtil" while conducting live forensics.
---------------------------------------------------------------------------------------

CertUtil in Windows is mostly associated with managing and viewing certificates, but it is also very useful for getting the hash value of any file via its -hashfile subcommand.

Here's the command. Try this out from CMD. The first line of the wmic output is the column header, so it is skipped; `delims=` keeps paths that contain spaces in one token; and the nested FOR strips the trailing carriage return that wmic leaves on each line:

```bat
FOR /F "skip=1 delims=" %i IN ('wmic process where "ExecutablePath is not null" get ExecutablePath') DO FOR /F "delims=" %j IN ("%i") DO certutil -hashfile "%j" SHA256 | findstr -v : >> output.txt
```

Because `findstr -v :` drops every line containing a colon, the file-name lines (which contain the drive colon) are removed along with CertUtil's status lines, so output.txt holds bare hash values only.
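As an added example (not the README's CertUtil loop), the same collection in PowerShell keeps each hash together with the image path and PID, avoids parsing wmic output because `Get-Process` exposes the main module path directly, and reports processes whose image could not be hashed instead of dropping them silently. The function name, the baseline allow-list and the `D:\Triage` output path are constructed for this example.

```powershell
# Added example, not from the README: hash the image of every running process, with provenance.
function Get-RunningExecutableHashes {
    param(
        [string]$Algorithm = 'SHA256',
        [hashtable]$KnownGood = @{}   # hash => label, e.g. from a trusted baseline of the same build
    )
    foreach ($p in Get-Process) {
        if (-not $p.Path) {
            # Protected processes and processes in other sessions expose no Path to the caller
            [pscustomobject]@{ Id = $p.Id; Name = $p.ProcessName; Path = $null; Hash = $null
                               Status = 'no-path (protected or access denied)' }
            continue
        }
        try {
            $h = (Get-FileHash -LiteralPath $p.Path -Algorithm $Algorithm -ErrorAction Stop).Hash
            $status = if ($KnownGood.ContainsKey($h)) { "known: $($KnownGood[$h])" } else { 'unknown' }
            [pscustomobject]@{ Id = $p.Id; Name = $p.ProcessName; Path = $p.Path; Hash = $h; Status = $status }
        } catch {
            [pscustomobject]@{ Id = $p.Id; Name = $p.ProcessName; Path = $p.Path; Hash = $null
                               Status = "error: $($_.Exception.Message)" }
        }
    }
}

# Constructed allow-list with a placeholder key; in practice populate it from a trusted baseline.
$baseline = @{ '<SHA256 of a trusted svchost.exe, placeholder>' = 'svchost.exe (baseline)' }

$report = Get-RunningExecutableHashes -KnownGood $baseline

# Distinct images only: many PIDs share one binary, and the hash belongs to the file, not the process
$report | Where-Object Hash | Sort-Object Path -Unique |
    Export-Csv -Path 'D:\Triage\running-executables.csv' -NoTypeInformation

# Whatever could not be hashed deserves a second look on a suspected-compromised host
$report | Where-Object { -not $_.Hash } | Format-Table Id, Name, Status -AutoSize
```

Run it from an elevated 64-bit PowerShell: a 32-bit PowerShell on 64-bit Windows cannot read the image paths of 64-bit processes and would report them all as `no-path`.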
---------------------------------------------------------------------------------------
Active Directory Ntds.dit Forensics.
---------------------------------------------------------------------------------------

The Ntds.dit file is an Active Directory database that maintains information about user objects, groups, and group membership. It contains the password hashes for all domain users. All data in Active Directory is stored in the file ntds.dit (by default located in C:\Windows\NTDS\) on every domain controller.

ntdsxtract is a framework that extracts forensically important information from the main database of Microsoft Active Directory (NTDS.DIT). (Google for the ntdsxtract tool.)

---------------------------------------------------------------------------------------
SRUM Forensics
---------------------------------------------------------------------------------------

Starting with Microsoft Windows 8, there is a new mechanism that tracks system resource utilisation over time, specifically process and network data: the System Resource Usage Monitor (SRUM). It continuously records process-related information such as process owner, CPU cycles spent, data bytes read/written, and network data (sent/received).

The information is stored in the \Windows\System32\sru\ directory in a file named SRUDB.DAT. The file is in the Windows ESE (Extensible Storage Engine) database format.

srum-dump is a forensics tool that converts the data in the Windows SRUM (System Resource Usage Monitor) database to an xlsx spreadsheet. Download a copy of srum-dump.exe (Google for MarkBaggett/srum-dump).
316 | 317 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Attribution 4.0 International 2 | 3 | ======================================================================= 4 | 5 | Creative Commons Corporation ("Creative Commons") is not a law firm and 6 | does not provide legal services or legal advice. Distribution of 7 | Creative Commons public licenses does not create a lawyer-client or 8 | other relationship. Creative Commons makes its licenses and related 9 | information available on an "as-is" basis. Creative Commons gives no 10 | warranties regarding its licenses, any material licensed under their 11 | terms and conditions, or any related information. Creative Commons 12 | disclaims all liability for damages resulting from their use to the 13 | fullest extent possible. 14 | 15 | Using Creative Commons Public Licenses 16 | 17 | Creative Commons public licenses provide a standard set of terms and 18 | conditions that creators and other rights holders may use to share 19 | original works of authorship and other material subject to copyright 20 | and certain other rights specified in the public license below. The 21 | following considerations are for informational purposes only, are not 22 | exhaustive, and do not form part of our licenses. 23 | 24 | Considerations for licensors: Our public licenses are 25 | intended for use by those authorized to give the public 26 | permission to use material in ways otherwise restricted by 27 | copyright and certain other rights. Our licenses are 28 | irrevocable. Licensors should read and understand the terms 29 | and conditions of the license they choose before applying it. 30 | Licensors should also secure all rights necessary before 31 | applying our licenses so that the public can reuse the 32 | material as expected. Licensors should clearly mark any 33 | material not subject to the license. 
This includes other CC-
licensed material, or material used under an exception or
limitation to copyright. More considerations for licensors:
wiki.creativecommons.org/Considerations_for_licensors

Considerations for the public: By using one of our public
licenses, a licensor grants the public permission to use the
licensed material under specified terms and conditions. If
the licensor's permission is not necessary for any reason--for
example, because of any applicable exception or limitation to
copyright--then that use is not regulated by the license. Our
licenses grant only permissions under copyright and certain
other rights that a licensor has authority to grant. Use of
the licensed material may still be restricted for other
reasons, including because others have copyright or other
rights in the material. A licensor may make special requests,
such as asking that all changes be marked or described.
Although not required by our licenses, you are encouraged to
respect those requests where reasonable. More considerations
for the public:
wiki.creativecommons.org/Considerations_for_licensees

=======================================================================

Creative Commons Attribution 4.0 International Public License

By exercising the Licensed Rights (defined below), You accept and agree
to be bound by the terms and conditions of this Creative Commons
Attribution 4.0 International Public License ("Public License"). To the
extent this Public License may be interpreted as a contract, You are
granted the Licensed Rights in consideration of Your acceptance of
these terms and conditions, and the Licensor grants You such rights in
consideration of benefits the Licensor receives from making the
Licensed Material available under these terms and conditions.


Section 1 -- Definitions.

  a. Adapted Material means material subject to Copyright and Similar
     Rights that is derived from or based upon the Licensed Material
     and in which the Licensed Material is translated, altered,
     arranged, transformed, or otherwise modified in a manner requiring
     permission under the Copyright and Similar Rights held by the
     Licensor. For purposes of this Public License, where the Licensed
     Material is a musical work, performance, or sound recording,
     Adapted Material is always produced where the Licensed Material is
     synched in timed relation with a moving image.

  b. Adapter's License means the license You apply to Your Copyright
     and Similar Rights in Your contributions to Adapted Material in
     accordance with the terms and conditions of this Public License.

  c. Copyright and Similar Rights means copyright and/or similar rights
     closely related to copyright including, without limitation,
     performance, broadcast, sound recording, and Sui Generis Database
     Rights, without regard to how the rights are labeled or
     categorized. For purposes of this Public License, the rights
     specified in Section 2(b)(1)-(2) are not Copyright and Similar
     Rights.

  d. Effective Technological Measures means those measures that, in the
     absence of proper authority, may not be circumvented under laws
     fulfilling obligations under Article 11 of the WIPO Copyright
     Treaty adopted on December 20, 1996, and/or similar international
     agreements.

  e. Exceptions and Limitations means fair use, fair dealing, and/or
     any other exception or limitation to Copyright and Similar Rights
     that applies to Your use of the Licensed Material.

  f. Licensed Material means the artistic or literary work, database,
     or other material to which the Licensor applied this Public
     License.

  g. Licensed Rights means the rights granted to You subject to the
     terms and conditions of this Public License, which are limited to
     all Copyright and Similar Rights that apply to Your use of the
     Licensed Material and that the Licensor has authority to license.

  h. Licensor means the individual(s) or entity(ies) granting rights
     under this Public License.

  i. Share means to provide material to the public by any means or
     process that requires permission under the Licensed Rights, such
     as reproduction, public display, public performance, distribution,
     dissemination, communication, or importation, and to make material
     available to the public including in ways that members of the
     public may access the material from a place and at a time
     individually chosen by them.

  j. Sui Generis Database Rights means rights other than copyright
     resulting from Directive 96/9/EC of the European Parliament and of
     the Council of 11 March 1996 on the legal protection of databases,
     as amended and/or succeeded, as well as other essentially
     equivalent rights anywhere in the world.

  k. You means the individual or entity exercising the Licensed Rights
     under this Public License. Your has a corresponding meaning.


Section 2 -- Scope.

  a. License grant.

       1. Subject to the terms and conditions of this Public License,
          the Licensor hereby grants You a worldwide, royalty-free,
          non-sublicensable, non-exclusive, irrevocable license to
          exercise the Licensed Rights in the Licensed Material to:

            a. reproduce and Share the Licensed Material, in whole or
               in part; and

            b. produce, reproduce, and Share Adapted Material.

       2. Exceptions and Limitations. For the avoidance of doubt, where
          Exceptions and Limitations apply to Your use, this Public
          License does not apply, and You do not need to comply with
          its terms and conditions.

       3. Term. The term of this Public License is specified in Section
          6(a).

       4. Media and formats; technical modifications allowed. The
          Licensor authorizes You to exercise the Licensed Rights in
          all media and formats whether now known or hereafter created,
          and to make technical modifications necessary to do so. The
          Licensor waives and/or agrees not to assert any right or
          authority to forbid You from making technical modifications
          necessary to exercise the Licensed Rights, including
          technical modifications necessary to circumvent Effective
          Technological Measures. For purposes of this Public License,
          simply making modifications authorized by this Section 2(a)
          (4) never produces Adapted Material.

       5. Downstream recipients.

            a. Offer from the Licensor -- Licensed Material. Every
               recipient of the Licensed Material automatically
               receives an offer from the Licensor to exercise the
               Licensed Rights under the terms and conditions of this
               Public License.

            b. No downstream restrictions. You may not offer or impose
               any additional or different terms or conditions on, or
               apply any Effective Technological Measures to, the
               Licensed Material if doing so restricts exercise of the
               Licensed Rights by any recipient of the Licensed
               Material.

       6. No endorsement. Nothing in this Public License constitutes or
          may be construed as permission to assert or imply that You
          are, or that Your use of the Licensed Material is, connected
          with, or sponsored, endorsed, or granted official status by,
          the Licensor or others designated to receive attribution as
          provided in Section 3(a)(1)(A)(i).

  b. Other rights.

       1. Moral rights, such as the right of integrity, are not
          licensed under this Public License, nor are publicity,
          privacy, and/or other similar personality rights; however, to
          the extent possible, the Licensor waives and/or agrees not to
          assert any such rights held by the Licensor to the limited
          extent necessary to allow You to exercise the Licensed
          Rights, but not otherwise.

       2. Patent and trademark rights are not licensed under this
          Public License.

       3. To the extent possible, the Licensor waives any right to
          collect royalties from You for the exercise of the Licensed
          Rights, whether directly or through a collecting society
          under any voluntary or waivable statutory or compulsory
          licensing scheme. In all other cases the Licensor expressly
          reserves any right to collect such royalties.


Section 3 -- License Conditions.

Your exercise of the Licensed Rights is expressly made subject to the
following conditions.

  a. Attribution.

       1. If You Share the Licensed Material (including in modified
          form), You must:

            a. retain the following if it is supplied by the Licensor
               with the Licensed Material:

                 i. identification of the creator(s) of the Licensed
                    Material and any others designated to receive
                    attribution, in any reasonable manner requested by
                    the Licensor (including by pseudonym if
                    designated);

                ii. a copyright notice;

               iii. a notice that refers to this Public License;

                iv. a notice that refers to the disclaimer of
                    warranties;

                 v. a URI or hyperlink to the Licensed Material to the
                    extent reasonably practicable;

            b. indicate if You modified the Licensed Material and
               retain an indication of any previous modifications; and

            c. indicate the Licensed Material is licensed under this
               Public License, and include the text of, or the URI or
               hyperlink to, this Public License.

       2. You may satisfy the conditions in Section 3(a)(1) in any
          reasonable manner based on the medium, means, and context in
          which You Share the Licensed Material. For example, it may be
          reasonable to satisfy the conditions by providing a URI or
          hyperlink to a resource that includes the required
          information.

       3. If requested by the Licensor, You must remove any of the
          information required by Section 3(a)(1)(A) to the extent
          reasonably practicable.

       4. If You Share Adapted Material You produce, the Adapter's
          License You apply must not prevent recipients of the Adapted
          Material from complying with this Public License.


Section 4 -- Sui Generis Database Rights.

Where the Licensed Rights include Sui Generis Database Rights that
apply to Your use of the Licensed Material:

  a. for the avoidance of doubt, Section 2(a)(1) grants You the right
     to extract, reuse, reproduce, and Share all or a substantial
     portion of the contents of the database;

  b. if You include all or a substantial portion of the database
     contents in a database in which You have Sui Generis Database
     Rights, then the database in which You have Sui Generis Database
     Rights (but not its individual contents) is Adapted Material; and

  c. You must comply with the conditions in Section 3(a) if You Share
     all or a substantial portion of the contents of the database.

For the avoidance of doubt, this Section 4 supplements and does not
replace Your obligations under this Public License where the Licensed
Rights include other Copyright and Similar Rights.


Section 5 -- Disclaimer of Warranties and Limitation of Liability.

  a. UNLESS OTHERWISE SEPARATELY UNDERTAKEN BY THE LICENSOR, TO THE
     EXTENT POSSIBLE, THE LICENSOR OFFERS THE LICENSED MATERIAL AS-IS
     AND AS-AVAILABLE, AND MAKES NO REPRESENTATIONS OR WARRANTIES OF
     ANY KIND CONCERNING THE LICENSED MATERIAL, WHETHER EXPRESS,
     IMPLIED, STATUTORY, OR OTHER. THIS INCLUDES, WITHOUT LIMITATION,
     WARRANTIES OF TITLE, MERCHANTABILITY, FITNESS FOR A PARTICULAR
     PURPOSE, NON-INFRINGEMENT, ABSENCE OF LATENT OR OTHER DEFECTS,
     ACCURACY, OR THE PRESENCE OR ABSENCE OF ERRORS, WHETHER OR NOT
     KNOWN OR DISCOVERABLE. WHERE DISCLAIMERS OF WARRANTIES ARE NOT
     ALLOWED IN FULL OR IN PART, THIS DISCLAIMER MAY NOT APPLY TO YOU.

  b. TO THE EXTENT POSSIBLE, IN NO EVENT WILL THE LICENSOR BE LIABLE
     TO YOU ON ANY LEGAL THEORY (INCLUDING, WITHOUT LIMITATION,
     NEGLIGENCE) OR OTHERWISE FOR ANY DIRECT, SPECIAL, INDIRECT,
     INCIDENTAL, CONSEQUENTIAL, PUNITIVE, EXEMPLARY, OR OTHER LOSSES,
     COSTS, EXPENSES, OR DAMAGES ARISING OUT OF THIS PUBLIC LICENSE OR
     USE OF THE LICENSED MATERIAL, EVEN IF THE LICENSOR HAS BEEN
     ADVISED OF THE POSSIBILITY OF SUCH LOSSES, COSTS, EXPENSES, OR
     DAMAGES. WHERE A LIMITATION OF LIABILITY IS NOT ALLOWED IN FULL OR
     IN PART, THIS LIMITATION MAY NOT APPLY TO YOU.

  c. The disclaimer of warranties and limitation of liability provided
     above shall be interpreted in a manner that, to the extent
     possible, most closely approximates an absolute disclaimer and
     waiver of all liability.


Section 6 -- Term and Termination.

  a. This Public License applies for the term of the Copyright and
     Similar Rights licensed here. However, if You fail to comply with
     this Public License, then Your rights under this Public License
     terminate automatically.

  b. Where Your right to use the Licensed Material has terminated under
     Section 6(a), it reinstates:

       1. automatically as of the date the violation is cured, provided
          it is cured within 30 days of Your discovery of the
          violation; or

       2. upon express reinstatement by the Licensor.

     For the avoidance of doubt, this Section 6(b) does not affect any
     right the Licensor may have to seek remedies for Your violations
     of this Public License.

  c. For the avoidance of doubt, the Licensor may also offer the
     Licensed Material under separate terms or conditions or stop
     distributing the Licensed Material at any time; however, doing so
     will not terminate this Public License.

  d. Sections 1, 5, 6, 7, and 8 survive termination of this Public
     License.


Section 7 -- Other Terms and Conditions.

  a. The Licensor shall not be bound by any additional or different
     terms or conditions communicated by You unless expressly agreed.

  b. Any arrangements, understandings, or agreements regarding the
     Licensed Material not stated herein are separate from and
     independent of the terms and conditions of this Public License.


Section 8 -- Interpretation.

  a. For the avoidance of doubt, this Public License does not, and
     shall not be interpreted to, reduce, limit, restrict, or impose
     conditions on any use of the Licensed Material that could lawfully
     be made without permission under this Public License.

  b. To the extent possible, if any provision of this Public License is
     deemed unenforceable, it shall be automatically reformed to the
     minimum extent necessary to make it enforceable. If the provision
     cannot be reformed, it shall be severed from this Public License
     without affecting the enforceability of the remaining terms and
     conditions.

  c. No term or condition of this Public License will be waived and no
     failure to comply consented to unless expressly agreed to by the
     Licensor.

  d. Nothing in this Public License constitutes or may be interpreted
     as a limitation upon, or waiver of, any privileges and immunities
     that apply to the Licensor or You, including from the legal
     processes of any jurisdiction or authority.


=======================================================================

Creative Commons is not a party to its public
licenses. Notwithstanding, Creative Commons may elect to apply one of
its public licenses to material it publishes and in those instances
will be considered the "Licensor." The text of the Creative Commons
public licenses is dedicated to the public domain under the CC0 Public
Domain Dedication. Except for the limited purpose of indicating that
material is shared under a Creative Commons public license or as
otherwise permitted by the Creative Commons policies published at
creativecommons.org/policies, Creative Commons does not authorize the
use of the trademark "Creative Commons" or any other trademark or logo
of Creative Commons without its prior written consent including,
without limitation, in connection with any unauthorized modifications
to any of its public licenses or any other arrangements,
understandings, or agreements concerning use of licensed material. For
the avoidance of doubt, this paragraph does not form part of the
public licenses.

Creative Commons may be contacted at creativecommons.org.