FOR508 Extra Applis PDF
Autoruns
see 508.2 p. 13
Sysinternals suite; lists autostart entries and can verify the digital signatures of the listed files
B
beviewer
bulk_extractor GUI.
blkcalc
see 508.4 p. 108
blkcalc [-dsu unit_addr] [-vV] [-f fstype] [-i imgtype] [-b dev_sector_size]
[-o imgoffset] image [images]
Converts a data unit address between the original image and a blkls output image
(unallocated or slack), e.g. to map a hit found in a blkls image back to its address
in the full image (TSK's own usage text reads "Slowly calculates the opposite block number")
One of the following must be given:
-d: The given address is from a 'dd' image
-s: The given address is from a 'blkls -s' (slack) image
-u: The given address is from a 'blkls' (unallocated) image
-f fstype: The file system type (use '-f list' for supported types)
-i imgtype: The format of the image file (use '-i list' for supported types)
-b dev_sector_size: The size (in bytes) of the device sectors
-o imgoffset: The offset of the file system in the image (in sectors)
-v: verbose output to stderr
-V: Print version
blkcat
displays the content of a data unit (block / cluster).
blkcat image.raw 500 3
blkcat <image> <start_block> [optional: <num_blocks>]
blkcat [-ahsvVw] [-f fstype] [-i imgtype] [-b dev_sector_size] [-o imgoffset]
[-u usize] image [images] unit_addr [num]
-a: displays in all ASCII
-h: displays in hexdump-like fashion
-i imgtype: The format of the image file (use '-i list' for supported types)
-b dev_sector_size: The size (in bytes) of the device sectors
-o imgoffset: The offset of the file system in the image (in sectors)
-f fstype: File system type (use '-f list' for supported types)
-s: display basic block stats such as unit size, fragments, etc.
-v: verbose output to stderr
-V: display version
-w: displays in web-like (html) fashion
-u usize: size of each data unit in image (for raw, blkls, swap)
[num] is the number of data units to display (default is 1)
blkls
see 508.4 p. 106
opens the named image(s) and copies file system data units (blocks). By default,
blkls copies the contents of unallocated data blocks. blkls was called dls
in TSK versions prior to 3.0.0. blkls was called unrm in TCT.
usage: blkls [-aAelvV] [-f fstype] [-i imgtype] [-b dev_sector_size] [-o imgoffset]
image [images] [start-stop]
-e: every block (including file system metadata blocks)
-l: print details in time machine list format
-a: Display allocated blocks
-A: Display unallocated blocks
-f fstype: File system type (use '-f list' for supported types)
-i imgtype: The format of the image file (use '-i list' for supported types)
-b dev_sector_size: The size (in bytes) of the device sectors
-o imgoffset: The offset of the file system in the image (in sectors)
-s: print slack space only (other flags are ignored)
-v: verbose to stderr
-V: print version
bulk_extractor
see 508.4 p. 72
scans a disk image, a file, or a directory of files and extracts useful information
without parsing the file system or file system structures.
example: bulk_extractor -F keyword.txt -o resultats <image.raw>
-F <file>: read the regular expressions to search for from <file>
-o <dir>: output directory (must not already exist)
-R: recurse into a directory of files given as the input instead of a single image
C
chattr
chattr +i => protects a file/directory by setting the immutable attribute (no modification or deletion, even by root, until it is cleared with chattr -i)
D
dc3dd
see 508.2 appendix 23-A
dd-style imaging tool that hashes the input (e.g. a partition) on the fly while copying, and can verify the output against it
dc3dd [OPTION 1] [OPTION 2] ... [OPTION N]
if=FILE Read input from the device or regular file FILE
(see note #1 below). This option can only be used
once and cannot be combined with ifs=, pat=,
or tpat=.
ifs=BASE.FMT Read input from a set of files with base name
BASE and sequential file name extensions
conforming to the format specifier FMT (see
note #4 below). This option can only be used once
and cannot be combined with if=, pat=, or
tpat=.
of=FILE Write output to FILE (see note #2 below). This
option can be used more than once (see note #3
below).
hof=FILE Write output to FILE and verify FILE after writing
it by hashing it and comparing the output hash(es)
to the input hash(es). This option can be used more
than once (see note #3 below).
ofs=BASE.FMT Write output to a set of files with base name BASE
and sequential file name extensions generated from
the format specifier FMT (see note #4 below). This
option can be used more than once (see note #3
below). Specify the maximum size of each file
in the set using ofsz=.
hofs=BASE.FMT Write output to a set of files with base name BASE
and sequential file name extensions generated from
the format specifier FMT (see note #4 below).
Verify the files after writing them by hashing
them and comparing the output hash(es) to the input
hash(es). This option can be used more than once
(see note #3 below). Specify the maximum size of
each file in the set using ofsz=.
ofsz=BYTES Set the maximum size of each file in the sets of
files specified using ofs= or hofs= to
BYTES (see note #5 below). A default value for
this option may be set at compile time using
-DDEFAULT_OUTPUT_FILE_SIZE followed by the desired
value in BYTES.
hash=ALGORITHM Compute an ALGORITHM hash of the input and also
of any outputs specified using hof= or hofs=,
where ALGORITHM is one of md5, sha1, sha256, or
sha512. This option may be used once for each
supported ALGORITHM. Alternatively, hashing can
be activated at compile time using one or more of
-DDEFAULT_HASH_MD5,-DDEFAULT_HASH_SHA1,
-DDEFAULT_HASH_SHA256, and -DDEFAULT_HASH_SHA512.
log=FILE Log I/O statistics, diagnostics, and total hashes
of input and output to FILE. If hlog= is not
specified, piecewise hashes of multiple file
input and output are also logged to FILE.
hlog=FILE Log total hashes and piecewise hashes to FILE.
rec=off By default, zeros are written to the output(s) in
place of bad sectors when the input is a device.
Use this option to cause the program to instead
exit when a bad sector is encountered.
wipe=DEVICE Wipe DEVICE by writing zeros (default) or a
pattern specified by pat= or tpat=.
vwipe=DEVICE Wipe DEVICE by writing zeros (default) or a
pattern specified by pat= or tpat=.
Verify DEVICE after writing it by hashing it
and comparing the hash(es) to the input hash(es).
pat=HEX Use pattern as input, writing HEX to every byte
of the output. This option can only be used once
and cannot be combined with if=, ifs=, or
tpat=.
tpat=TEXT Use text pattern as input, writing the string TEXT
repeatedly to the output. This option can only be
used once and cannot be combined with if=, ifs=,
or pat=.
cnt=SECTORS Input only SECTORS input sectors. Must be used with
pat= or tpat= if not using the pattern
with wipe= or vwipe= to wipe a device.
iskip=SECTORS Skip SECTORS sectors at start of the input device
or file.
oskip=SECTORS Skip SECTORS sectors at start of the output
file. Specifying oskip= automatically
sets app=on.
app=on Do not overwrite an output file specified with
of= if it already exists, appending output instead.
ssz=BYTES Unconditionally use BYTES (see note #5 below) bytes
for sector size. If ssz= is not specified,
sector size is determined by probing the device;
if the probe fails or the target is not a device,
a sector size of 512 bytes is assumed.
bufsz=BYTES Set the size of the internal byte buffers to BYTES
(see note #5 below). This effectively sets the
maximum number of bytes that may be read at a time
from the input. BYTES must be a multiple of sector
size. Use this option to fine-tune performance.
verb=on Activate verbose reporting, where sectors in/out
are reported for each file in sets of files
specified using ifs=, ofs=, or hofs=.
Alternatively, verbose reporting may be
activated at compile time using
-DDEFAULT_VERBOSE_REPORTING.
nwspc=on Activate compact reporting, where the use
of white space to divide log output into
logical sections is suppressed. Alternatively,
compact reporting may be activated at compile
time using -DDEFAULT_COMPACT_REPORTING.
b10=on Activate base 10 bytes reporting, where the
progress display reports 1000 bytes instead
of 1024 bytes as 1 KB. Alternatively, base 10
bytes reporting may be activated at compile
time using -DDEFAULT_BASE_TEN_BYTES_REPORTING.
corruptoutput=on For verification testing and demonstration
purposes, corrupt the output file(s) with extra
bytes so a hash mismatch is guaranteed.
deleted.pl
recovers deleted registry keys from a hive
deleted.pl <HIVEFILE>
dumpit
automated acquisition of the local machine's physical memory.
E
exiftool
Read and write meta information in files
exiftool <file>
F
ffind
see 508.4 p. 140
finds the name(s) of the file or directory allocated to the given inode in the disk
image. By default it only returns the first name it finds. With some file
systems, this will also find deleted file names.
usage: ffind [-aduvV] [-f fstype] [-i imgtype] [-b dev_sector_size] [-o imgoffset]
image [images] inode
-a: Find all occurrences
-d: Find deleted entries ONLY
-u: Find undeleted entries ONLY
-f fstype: Image file system type (use '-f list' for supported types)
-i imgtype: The format of the image file (use '-i list' for supported types)
-b dev_sector_size: The size (in bytes) of the device sectors
-o imgoffset: The offset of the file system in the image (in sectors)
-v: Verbose output to stderr
-V: Print version
file
identifies the file type from its content (magic bytes), not from its extension
file <file>
fls
see 508.3 p. 40
see 508.4 p. 52
see 508.4 p. 141
lists the files and directory names in the image and can display file names of
recently deleted files for the directory using the given inode. If the inode
argument is not given, the inode value for the root directory is used. For example,
on an NTFS file system it would be 5 and on a Ext3 file system it would be 2.
fls -r -m c: /cases/image > /image_res
usage: fls [-adDFlpruvV] [-f fstype] [-i imgtype] [-b dev_sector_size] [-m dir/]
[-o imgoffset] [-z ZONE] [-s seconds] image [images] [inode]
If [inode] is not given, the root directory is used
-a: Display "." and ".." entries
-d: Display deleted entries only
-D: Display only directories
-F: Display only files
-l: Display long version (like ls -l)
-i imgtype: Format of image file (use '-i list' for supported types)
-b dev_sector_size: The size (in bytes) of the device sectors
-f fstype: File system type (use '-f list' for supported types)
-m: Display output in mactime input format with
dir/ as the actual mount point of the image
-o imgoffset: Offset into image file (in sectors)
-p: Display full path for each file
-r: Recurse on directory entries
-u: Display undeleted entries only
-v: verbose output to stderr
-V: Print version
-z: Time zone of original machine (e.g. EST5EDT or GMT) (only useful with -l)
-s seconds: Time skew of original machine (in seconds) (only useful with -l & -m)
foremost
see 508.4 p. 112
file carving by signature (header/footer)
foremost [-v|-V|-h|-T|-Q|-q|-a|-w|-d] [-t <type>] [-s <blocks>] [-k <size>]
[-b <size>] [-c <file>] [-o <dir>] [-i <file>]
fsstat
see 508.4 p. 95
displays the details associated with a file system. The output of this command is
file system specific. At a minimum, the range of meta-data values (inode numbers)
and content units (blocks or clusters) are given. Also given are details from the
Super Block, such as mount times and features. For file systems
that use groups (FFS and EXT2FS), the layout of each group is listed.
fsstat [-tvV] [-f fstype] [-i imgtype] [-b dev_sector_size] [-o imgoffset] image
-t: display type only
-i imgtype: The format of the image file (use '-i list' for supported types)
-b dev_sector_size: The size (in bytes) of the device sectors
-f fstype: File system type (use '-f list' for supported types)
-o imgoffset: The offset of the file system in the image (in sectors)
-v: verbose output to stderr
-V: Print version
H
hfind
see 508.4 p. 157
builds an index over a hash database (e.g. NSRL) so that individual hashes can be looked up quickly
hibr2bin
see 508.2 p. 103
converts a Windows hibernation file (hiberfil.sys) into a raw physical-memory image.
hibr2bin.exe <inputfile> <outputfile>
I
icat
see 508.4 p. 134
extracts a file from an image by its metadata address (inode / MFT entry)
icat image.raw inum > fichier_extrait.doc
icat [-hrRsvV] [-f fstype] [-i imgtype] [-b dev_sector_size] [-o imgoffset]
image [images] inum[-typ[-id]]
-h: Do not display holes in sparse files
-r: Recover deleted file
-R: Recover deleted file and suppress recovery errors
-s: Display slack space at end of file
-i imgtype: The format of the image file (use '-i list' for supported types)
-b dev_sector_size: The size (in bytes) of the device sectors
-f fstype: File system type (use '-f list' for supported types)
-o imgoffset: The offset of the file system in the image (in sectors)
-v: verbose to stderr
-V: Print version
INDEXParse.py
see 508.1 p. 162
dumps all the content of NTFS $I30 directory indexes
ifind
see 508.2 p. 77
see 508.4 p. 128
finds the meta-data structure (inode / MFT entry) that has a given data unit
allocated to it, or that has a given file name. In some cases the structures may be
unallocated and this will still find the results.
usage: ifind [-alvV] [-f fstype] [-i imgtype] [-b dev_sector_size] [-o imgoffset]
[-d unit_addr] [-n file] [-p par_addr] [-z ZONE] image [images]
-a: find all inodes
-d unit_addr: Find the meta data given the data unit
-l: long format when -p is given
-n file: Find the meta data given the file name
-p par_addr: Find UNALLOCATED MFT entries given the parent's meta address (NTFS
only)
-i imgtype: The format of the image file (use '-i list' for supported types)
-b dev_sector_size: The size (in bytes) of the device sectors
-f fstype: File system type (use '-f list' for supported types)
-o imgoffset: The offset of the file system in the image (in sectors)
-v: Verbose output to stderr
-V: Print version
-z ZONE: Time zone setting when -l -p is given
iscsiadm
The iscsiadm utility is a command-line tool allowing discovery and
login to iSCSI targets, as well as access and management of the open-
iscsi database.
iscsiadm -m discovery [ -hV ] [ -d debug_level ] [-P printlevel]
[ -t type -p ip:port -I ifaceN ... [ -l ] ] | [ -p ip:port ] [ -o operation ]
[ -n name ] [ -v value ]
iscsiadm -m node [ -hV ] [ -d debug_level ] [ -P printlevel ]
[ -L all,manual,automatic ] [ -U all,manual,automatic ] [ -S ]
[ [ -T targetname -p ip:port -I ifaceN ] [ -l | -u | -R | -s] ] [ [ -o operation ]
[ -n name ] [ -v value ] ]
iscsiadm -m session [ -hV ] [ -d debug_level ] [ -P printlevel]
[ -r sessionid | sysfsdir [ -R | -u | -s ] [ -o operation ] [ -n name ]
[ -v value ] ]
iscsiadm -m iface [ -hV ] [ -d debug_level ] [ -P printlevel ] [ -I ifacename ]
[ [ -o operation ] [ -n name ] [ -v value ] ]
iscsiadm -m fw [ -l ]
iscsiadm -m host [ -P printlevel ] [ -H hostno ]
iscsiadm -k priority
example: iscsiadm -m node --targetname=image:disk --login
istat
see 508.4 p. 129
displays the uid, gid, mode, size, link number, modified , accessed, changed times,
and all the disk units a structure has allocated.
L
l2t_process
see 508.3 p. 81
A small script to process the CSV output from log2timeline; sorts the records and
extracts those within a given date range
used to reduce/filter the records and the size of the timeline
Usage:
l2t_process [OPTIONS] -b CSV_FILE [DATE_RANGE]
libpff
see pffexport
library used by pffexport:
mail *.pst and *.ost examination tool
log2timeline
see 508.3 p. 66
log file parser that produces a body file used to create timelines
(for forensic investigations).
Example:
log2timeline -z EST5EDT -p 0 -i /fichier_image.raw
Usage:
log2timeline [OPTIONS] [-f FORMAT] [-z TIMEZONE] [-o OUTPUT MODULE] [-w
BODYFILE] LOG_FILE/LOG_DIR [--] [FORMAT FILE OPTIONS]
Options:
-s|-skew TIME
Time skew of original machine. The format of the variable TIME
is: X | Xs | Xm | Xh, where X is a integer and s represents
seconds, m minutes and h hours (default behaviour is seconds)
-m TEXT Prepend the filename with the TEXT. That is TEXT is a string
that is prepended in front of the file name to provide a path.
Examples are -m C: to prepend the C:/ in front of each file name
to indicate the partition the file came from.
-f|-format FORMAT
Use the following log file format to parse the content of the
file. Use -f list to see the list of supported log files.
Omitting this option makes log2timeline attempt to guess the
fo
-u|-upgrade
Check the latest available version of log2timeline and compare
it to current version (use to check if there is an available
update)
-name HOST
Define the host name that the information is extracted from.
-o|-output FORMAT
Use the following output format. By default log2timeline uses
the CSV output. To see a list of all available output formats,
use -o list
-d|-detail
Some input modules have the capability to include very detailed
amount of information (such as MFT, setupapi and prefetch). This
switch will instruct modules to include those details in the
timeline, so for instance to tell the MFT module to include the
$FN timestamps, or the prefetch one to include loaded DLLs.
-w|-write FILENAME
Specify a file to write output to (otherwise STDOUT will be
chosen).
-z|-zone TIMEZONE
This option defines the timezone that was used on the computer
that the log files belonged to. The default value for this
variable is the local timezone of the computer log2timeline is
run on. There is an option to define -z list to get a list of
all available timezones.
-Z|-Zone TIMEZONE
This option defines the timezone that is used in the output
module of the tool. The default value for this variable is the
same value that is defined in the -z option or the timezone of
the host. This option is used so that output modules can output
in a different timezone than the host is in, for instance to
output in UTC even though the timezone of the host is in another
timezone.
-t|-temp DIR
This option defines the temporary directory the tool uses. By
default the front-end does not set the temporary directory, but
allows the engine to automatically detect it. This option
therefore overwrites the default temporary directory location.
-r|-recursive
This option makes log2timeline work in a recursive way, the same
behaviour as timescanner.
-p|-preprocess
If log2timeline is working in recursive mode (-r) it is possible
to use the -p option to run a set of pre-processors against the
image file. Preprocessors are modules that search through the
suspect drive and extract needed information that can be used in
other modules, such as hostname, etc.
-v|-verbose
Add debugging information. Possible to use with -v -v to
increase some error messages.
logparser
see 508.4 p. 1-D
Microsoft utility for running SQL-like queries against Windows event logs and other log sources.
M
mactime
creates an ASCII time line of file activity based on the body file specified by '-b'
or from STDIN. The time line is written to STDOUT. The body file must be in the
time machine format that is created by 'ils -m', 'fls -m', or the mac-robber tool.
mactime [-b body_file] [-p password_file] [-g group_file] [-i day|hour idx_file]
[-d] [-h] [-V] [-y] [-z TIME_ZONE] [DATE]
-b: Specifies the body file location, else STDIN is used
-d: Output timeline and index file in comma delimited format
-h: Display a header with session information
-i [day | hour] file: Specifies the index file with a summary of results
-g: Specifies the group file location, else GIDs are used
-p: Specifies the password file location, else UIDs are used
-V: Prints the version to STDOUT
-y: Dates have year first (yyyy/mm/dd) instead of (mm/dd/yyyy)
-m: Dates have month as number instead of word (can be used with -y)
-z: Specify the timezone the data came from (in the local system format)
[DATE]: starting date (yyyy-mm-dd) or range (yyyy-mm-dd..yyyy-mm-dd)
md5deep
see 508.4 p. 156
builds a list of hashes from a whole directory tree (recursively)
md5sum
computes the MD5 hash of a file
example: md5sum <file>
mklink
creates a symbolic link (Vista and later)
can be used to access a volume shadow copy
access to the shadow copy:
mklink /d c:\shadow_copy_rep_acces \\?\\...volume
mount
see 508.2 p. 35
mounts physical disks and disk images
mount_ewf
see 508.2 p. 39
mounts an EWF (E01) image, exposing it as a raw image that can then be mounted
mmls
see 508.2 p. 44
displays the partition layout (volume system) of an image
mmls [-i imgtype] [-b dev_sector_size] [-o imgoffset] [-BrvV] [-aAmM]
[-t vstype] image [images]
-t vstype: The type of volume system (use '-t list' for list of supported types)
-i imgtype: The format of the image file (use '-i list' for list supported types)
-b dev_sector_size: The size (in bytes) of the device sectors
-o imgoffset: Offset to the start of the volume that contains the partition system
(in sectors)
-B: print the rounded length in bytes
-r: recurse and look for other partition tables in partitions (DOS Only)
-v: verbose output
-V: print the version
Unless any of these are specified, all volume types are shown
-a: Show allocated volumes
-A: Show unallocated volumes
-m: Show metadata volumes
-M: Hide metadata volumes
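An added example (not course material, not TSK code) tying the mmls and mount entries together: it turns an `mmls` table into the `-o` sector offset the TSK tools want and the byte `offset=` Linux mount wants. mmls reports in sectors, so the "Units are in N-byte sectors" line has to be honoured, and a 4096-byte-sector image gives a different byte offset for the same start sector. The mmls output below is a constructed sample of a two-partition MBR disk; the function names and the `/mnt/evidence` mount base are this example's own.

```shell
#!/bin/sh
# Added example, not part of the course material or of TSK: derive the
# offsets needed to work on each partition of an image from an `mmls` table.
# mmls reports start sectors; TSK tools take -o in sectors, but Linux mount
# wants offset= in bytes, so the "Units are in N-byte sectors" line matters.
# The mmls output below is a constructed sample of a two-partition MBR disk.
sample_mmls() {
    cat <<'EOF'
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Primary Table (#0)
001:  -------   0000000000   0000002047   0000002048   Unallocated
002:  000:000   0000002048   0000206847   0000204800   NTFS / exFAT (0x07)
003:  000:001   0000206848   0000409599   0000202752   Linux (0x83)
EOF
}

# Read mmls output on stdin. For every allocated, non-meta partition print:
#   <index> <start_sector> <byte_offset> <description>
partition_offsets() {
    awk '
        BEGIN { sector = 512 }                     # mmls default when no Units line
        /^Units are in/ { sub(/-byte.*/, "", $4); sector = $4 + 0; next }
        /^[0-9][0-9][0-9]:/ {
            # skip the partition table itself and unallocated gaps
            if ($2 == "Meta" || $2 ~ /^-+$/) next
            start = $3 + 0
            desc = $6
            for (i = 7; i <= NF; i++) desc = desc " " $i
            printf "%s %d %d %s\n", substr($1, 1, length($1) - 1), start, start * sector, desc
        }'
}

# Print the TSK and mount command lines for each partition of IMAGE.
# Nothing is mounted here; the lines are for copy-and-paste on the analysis box.
partition_commands() {
    image=$1
    base=${2:-/mnt/evidence}
    partition_offsets | while read -r idx start bytes desc; do
        echo "# partition $idx: $desc"
        echo "fsstat -o $start $image                        # TSK: -o is in sectors"
        echo "fls -o $start -r -p $image                     # list files with full paths"
        echo "mount -o ro,loop,noexec,offset=$bytes $image $base/p$idx   # mount: offset= is in bytes"
    done
}

if [ "${1:-}" = "demo" ]; then
    sample_mmls | partition_commands /cases/disk.raw
fi
```

On a live case the input is simply `mmls /cases/disk.raw | partition_commands /cases/disk.raw`; the `-o` value printed for each partition is the one every TSK entry in this list (fls, fsstat, icat, blkls, ...) expects.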
N
nc / netcat
see 508.2 p. 27
listener : nc -l -p <port> > outputfile
client : tool.exe | nc <IP listener> <port> -w 3
P
pasco
parser for Internet Explorer history index.dat files.
pf
parses Windows prefetch files
pf -v <FILE>.pf
pffexport
see 508.1 p. 30
exports the mail contained in Outlook containers (PST/OST)
pffexport fichier_outlook.pst
psexec
see 508.2 p. 21
remote command execution on a Windows host
R
regripper
see 508.4 p. 17
rip.pl -r <HIVEFILE> -f <HIVETYPE>
rip.pl -r NTUSER.DAT -f ntuser > resultats.txt
-r = hive file
-f = hive type: sam, security, software, system, ntuser
rifiuti
parser for the INFO2 file that records the state of the Windows Recycle Bin
S
sigfind
see 508.4 p. 110
searches an image for a hex signature at a fixed offset within each block; the templates cover file system structures (boot sectors, superblocks) and help locate lost volumes.
sigfind [-b bsize] [-o offset] [-t template] [-lV] [hex_signature] file
-b bsize: Give block size (default 512)
-o offset: Give offset into block where signature should exist (default 0)
-l: Signature will be little endian in image
-V: Version
-t template: The name of a data structure template:
dospart, ext2, ext3, fat, hfs, hfs+, ntfs, ufs1, ufs2
sorter
see 508.4 p. 155
sorts the files of an image by type (file/magic rules) and can flag or exclude them against hash databases (-a, -x, -n NSRL)
sorter [-b size] [-E] [-e] [-h] [-l] [-md5] [-s] [-sha1] [-U] [-v] [-V]
[-a hash_alert] [-c config] [-C config] [-d dir] [-m mnt] [-n nsrl_db]
[-x hash_exclude] [-o imgoffset] [-f fstype] [-i imgtype] image [images]
[dir_meta_addr]
srch_strings
see 508.2 p. 106
see 508.4 p. 65
string search over an image that reports the byte offset of each hit
(works on unallocated, deleted and allocated areas); the offset divided by the
block size gives the data unit to feed to blkcat / ifind
srch_strings -t d ipcase_ntf.img > ipcase_ntf.img.str
grep -i EVIL ipcase_ntf.img.str
ssdeep
see 508.4 p. 160
fuzzy hashing: compares files by similarity, so partially modified files still match with a score
ssdeep [-m file] [-k file] [-vprdsblcxa] [-t val] [-h|-V] [FILES]
-m - Match FILES against known hashes in file
-k - Match signatures in FILES against signatures in file
-v - Verbose mode. Displays filename as its being processed
-p - Pretty matching mode. Similar to -d but includes all matches
-r - Recursive mode
-d - Directory mode, compare all files in a directory
-s - Silent mode; all errors are suppressed
-b - Uses only the bare name of files; all path information omitted
-l - Uses relative paths for filenames
-c - Prints output in CSV format
-x - Compare FILES as signature files
-a - Display all matches, regardless of score
-t - Only displays matches above the given threshold
V
vol.py
see 508.2 p. 202
Volatility (extracts data from memory images)
--conf-file=/root/.volatilityrc
User based configuration file
-d, --debug Debug volatility
--plugins=PLUGINS Additional plugin directories to use (colon separated)
--info Print information about all registered objects
--cache-directory=/root/.cache/volatility
Directory where cache files are stored
--cache Use caching
--tz=TZ Sets the timezone for displaying timestamps
-f FILENAME, --filename=FILENAME
Filename to use when opening an image
--profile=WinXPSP2x86
Name of the profile to load
-l LOCATION, --location=LOCATION
A URN location from which to load an address space
-w, --write Enable write support
--use-old-as Use the legacy address spaces
--dtb=DTB DTB Address
--cache-dtb Cache virtual to physical mappings
--output=text Output in this format (format support is module
specific)
--output-file=OUTPUT_FILE
write output in this file
-v, --verbose Verbose information
-k KPCR, --kpcr=KPCR Specify a specific KPCR address
-g KDBG, --kdbg=KDBG Specify a specific KDBG virtual address
vssadmin
native command (Vista and later) for working with volume shadow copies
list the shadow copies: vssadmin list shadows /for=c:
access to a copy:
mklink /d c:\shadow_copy_rep_acces \\?\\...volume
W
win64dd.exe/win32dd.exe
memory capture
win32dd /d /f physmem.dmp
Y
YARU
Yet Another Registry Utility
Windows GUI tool: shows deleted keys and the raw binary (hex) view of the hive