FOR508 Extra Applications


EXTRA:

- Investigations Methodology................................508.1 P38


- MBR.......................................................508.1 P65
- Partition table...........................................508.1 P69
- FAT 12/16/32..............................................508.1 P100
- exFAT.....................................................508.1 P115
- NTFS......................................................508.1 P130
- MFT : Master File Table...................................508.1 P140
- ADS : Alternate Data Streams..............................508.1 P157
- $I30......................................................508.1 P160
- NTFS: What Data Still Exists Upon File Deletion?..........508.1 P169
- exFAT (supplementary notes)...............................508.1 Annexe 1-B
- Questionnaire FOR408......................................508.1 end

- Volatile Data Collection..................................508.2 P6


- Fast forensics: If you can't image the drive..............508.2 P26
- Acquiring Remote Data.....................................508.2 P27
- Calculating the partition byte Offset.....................508.2 P46
- Memory Forensics Agenda...................................508.2 P88
- Windows Memory Acquisition................................508.2 P96
- Virtual Machine Memory Acquisition........................508.2 P99
- What is Memory Forensics..................................508.2 P108
- Mandiant Redline..........................................508.2 P112
- Volatility guide..........................................508.2 P197
- Evidence Acquisition......................................508.2 Annexe 1-A

- Timeline Analysis.........................................508.3 P11


- "Pivot" point in timeline analysis........................508.3 P12
- Filesystem timeline Overview..............................508.3 P22
- Timezone (time zone for the Timeline).....................508.3 P42
- SuperTimeLine.............................................508.3 P48

- Windows XP Restore Points.................................508.4 P6


- Volume Shadow.............................................508.4 P23
- Convert raw image to vmdk.................................508.4 P39
- Shadow timeline...........................................508.4 P52
- Filesystem Forensic Analysis and Intrusion Analysis Agenda 508.4 P69
- Sleuthkit.................................................508.4 P89
- Data Layer Overview : blk*,foremost,sigfind...............508.4 P103
- Sleuthkit usage...........................................508.4 P122
- Sleuthkit usage 2.........................................508.4 P135
- Sleuthkit usage 3.........................................508.4 P144
- Malware search............................................508.4 P167
- LVL1 CORE Investigation...................................508.4 P235
- LVL2 ADVANCED Investigation...............................508.4 P250
- LVL3 INTRUSION CASES......................................508.4 P270
A
ARM (Active Registry Monitor)
Windows GUI that diffs a registry snapshot against the current state of the registry.

Autoruns
see 508.2 p13
Sysinternals suite; can also verify file signatures.

B
BEViewer
GUI for bulk_extractor.

blkcalc
see 508.4 p108
blkcalc [-dsu unit_addr] [-vV] [-f fstype] [-i imgtype] [-b dev_sector_size]
[-o imgoffset] image [images]
Slowly calculates the opposite block number
One of the following must be given:
-d: The given address is from a 'dd' image
-s: The given address is from a 'blkls -s' (slack) image
-u: The given address is from a 'blkls' (unallocated) image
-f fstype: The file system type (use '-f list' for supported types)
-i imgtype: The format of the image file (use '-i list' for supported types)
-b dev_sector_size: The size (in bytes) of the device sectors
-o imgoffset: The offset of the file system in the image (in sectors)
-v: verbose output to stderr
-V: Print version

blkcat
Displays the content of a data unit (block).
blkcat image.raw 500 3
blkcat <image> <bloc_to_start> [optional: <nb_block>]

blkcat [-ahsvVw] [-f fstype] [-i imgtype] [-b dev_sector_size] [-o imgoffset]
[-u usize] image [images] unit_addr [num]
-a: displays in all ASCII
-h: displays in hexdump-like fashion
-i imgtype: The format of the image file (use '-i list' for supported types)
-b dev_sector_size: The size (in bytes) of the device sectors
-o imgoffset: The offset of the file system in the image (in sectors)
-f fstype: File system type (use '-f list' for supported types)
-s: display basic block stats such as unit size, fragments, etc.
-v: verbose output to stderr
-V: display version
-w: displays in web-like (html) fashion
-u usize: size of each data unit in image (for raw, blkls, swap)
[num] is the number of data units to display (default is 1)

blkls
see 508.4 p106
opens the named image(s) and copies file system data units (blocks). By default,
blkls copies the contents of unallocated data blocks. blkls was called dls
in TSK versions prior to 3.0.0. blkls was called unrm in TCT.

example: blkls <image.raw> > <image.raw_resultat>

usage: blkls [-aAelvV] [-f fstype] [-i imgtype] [-b dev_sector_size] [-o imgoffset]
image [images] [start-stop]
-e: every block (including file system metadata blocks)
-l: print details in time machine list format
-a: Display allocated blocks
-A: Display unallocated blocks
-f fstype: File system type (use '-f list' for supported types)
-i imgtype: The format of the image file (use '-i list' for supported types)
-b dev_sector_size: The size (in bytes) of the device sectors
-o imgoffset: The offset of the file system in the image (in sectors)
-s: print slack space only (other flags are ignored)
-v: verbose to stderr
-V: print version

bulk_extractor
see 508.4 p72
scans a disk image, a file, or a directory of files and extracts useful information
without parsing the file system or file system structures.
example: bulk_extractor -F keyword.txt -o resultats <image.raw>
-R: recurse into a directory of files (pass the directory in place of <image.raw>)

C
chattr
chattr +i => protects a file or directory by setting the immutable attribute

D
dc3dd
see 508.2 appendix 23-A
dd-like imaging tool that hashes the partition on the fly during acquisition
dc3dd [OPTION 1] [OPTION 2] ... [OPTION N]
if=FILE Read input from the device or regular file FILE
(see note #1 below). This option can only be used
once and cannot be combined with ifs=, pat=,
or tpat=.
ifs=BASE.FMT Read input from a set of files with base name
BASE and sequential file name extensions
conforming to the format specifier FMT (see
note #4 below). This option can only be used once
and cannot be combined with if=, pat=, or
tpat=.
of=FILE Write output to FILE (see note #2 below). This
option can be used more than once (see note #3
below).
hof=FILE Write output to FILE and verify FILE after writing
it by hashing it and comparing the output hash(es)
to the input hash(es). This option can be used more
than once (see note #3 below).
ofs=BASE.FMT Write output to a set of files with base name BASE
and sequential file name extensions generated from
the format specifier FMT (see note #4 below). This
option can be used more than once (see note #3
below). Specify the maximum size of each file
in the set using ofsz=.
hofs=BASE.FMT Write output to a set of files with base name BASE
and sequential file name extensions generated from
the format specifier FMT (see note #4 below).
Verify the files after writing them by hashing
them and comparing the output hash(es) to the input
hash(es). This option can be used more than once
(see note #3 below). Specify the maximum size of
each file in the set using ofsz=.
ofsz=BYTES Set the maximum size of each file in the sets of
files specified using ofs= or hofs= to
BYTES (see note #5 below). A default value for
this option may be set at compile time using
-DDEFAULT_OUTPUT_FILE_SIZE followed by the desired
value in BYTES.
hash=ALGORITHM Compute an ALGORITHM hash of the input and also
of any outputs specified using hof= or hofs=,
where ALGORITHM is one of md5, sha1, sha256, or
sha512. This option may be used once for each
supported ALGORITHM. Alternatively, hashing can
be activated at compile time using one or more of
-DDEFAULT_HASH_MD5,-DDEFAULT_HASH_SHA1,
-DDEFAULT_HASH_SHA256, and -DDEFAULT_HASH_SHA512.
log=FILE Log I/O statistics, diagnostics, and total hashes
of input and output to FILE. If hlog= is not
specified, piecewise hashes of multiple file
input and output are also logged to FILE.
hlog=FILE Log total hashes and piecewise hashes to FILE.
rec=off By default, zeros are written to the output(s) in
place of bad sectors when the input is a device.
Use this option to cause the program to instead
exit when a bad sector is encountered.
wipe=DEVICE Wipe DEVICE by writing zeros (default) or a
pattern specified by pat= or tpat=.
vwipe=DEVICE Wipe DEVICE by writing zeros (default) or a
pattern specified by pat= or tpat=.
Verify DEVICE after writing it by hashing it
and comparing the hash(es) to the input hash(es).
pat=HEX Use pattern as input, writing HEX to every byte
of the output. This option can only be used once
and cannot be combined with if=, ifs=, or
tpat=.
tpat=TEXT Use text pattern as input, writing the string TEXT
repeatedly to the output. This option can only be
used once and cannot be combined with if=, ifs=,
or pat=.
cnt=SECTORS Input only SECTORS input sectors. Must be used with
pat= or tpat= if not using the pattern
with wipe= or vwipe= to wipe a device.
iskip=SECTORS Skip SECTORS sectors at start of the input device
or file.
oskip=SECTORS Skip SECTORS sectors at start of the output
file. Specifying oskip= automatically
sets app=on.
app=on Do not overwrite an output file specified with
of= if it already exists, appending output instead.
ssz=BYTES Unconditionally use BYTES (see note #5 below) bytes
for sector size. If ssz= is not specified,
sector size is determined by probing the device;
if the probe fails or the target is not a device,
a sector size of 512 bytes is assumed.
bufsz=BYTES Set the size of the internal byte buffers to BYTES
(see note #5 below). This effectively sets the
maximum number of bytes that may be read at a time
from the input. BYTES must be a multiple of sector
size. Use this option to fine-tune performance.
verb=on Activate verbose reporting, where sectors in/out
are reported for each file in sets of files
specified using ifs=, ofs=, or hofs=.
Alternatively, verbose reporting may be
activated at compile time using
-DDEFAULT_VERBOSE_REPORTING.
nwspc=on Activate compact reporting, where the use
of white space to divide log output into
logical sections is suppressed. Alternatively,
compact reporting may be activated at compile
time using -DDEFAULT_COMPACT_REPORTING.
b10=on Activate base 10 bytes reporting, where the
progress display reports 1000 bytes instead
of 1024 bytes as 1 KB. Alternatively, base 10
bytes reporting may be activated at compile
time using -DDEFAULT_BASE_TEN_BYTES_REPORTING.
corruptoutput=on For verification testing and demonstration
purposes, corrupt the output file(s) with extra
bytes so a hash mismatch is guaranteed.

deleted.pl
Recovers deleted registry keys from a hive
deleted.pl <HIVEFILE>

dumpit
Automated acquisition of the local machine's memory.

E
exiftool
Read and write meta information in files
exiftool <fichier>

F
ffind
see 508.4 p140
finds the names of files or directories that are allocated to the given inode on the
disk image. By default it will only return the first name it finds. With some file
systems, this will find deleted file names.

example: ffind <image.raw> <inode>

usage: ffind [-aduvV] [-f fstype] [-i imgtype] [-b dev_sector_size] [-o imgoffset]
image [images] inode
-a: Find all occurrences
-d: Find deleted entries ONLY
-u: Find undeleted entries ONLY
-f fstype: Image file system type (use '-f list' for supported types)
-i imgtype: The format of the image file (use '-i list' for supported types)
-b dev_sector_size: The size (in bytes) of the device sectors
-o imgoffset: The offset of the file system in the image (in sectors)
-v: Verbose output to stderr
-V: Print version

file
Identifies the type of a file
file <fichier>

fls
see 508.3 p40
see 508.4 p52
see 508.4 p141
lists the files and directory names in the image and can display file names of
recently deleted files for the directory using the given inode. If the inode
argument is not given, the inode value for the root directory is used. For example,
on an NTFS file system it would be 5 and on a Ext3 file system it would be 2.
fls -r -m c: /cases/image > /image_res

usage: fls [-adDFlpruvV] [-f fstype] [-i imgtype] [-b dev_sector_size] [-m dir/]
[-o imgoffset] [-z ZONE] [-s seconds] image [images] [inode]
If [inode] is not given, the root directory is used
-a: Display "." and ".." entries
-d: Display deleted entries only
-D: Display only directories
-F: Display only files
-l: Display long version (like ls -l)
-i imgtype: Format of image file (use '-i list' for supported types)
-b dev_sector_size: The size (in bytes) of the device sectors
-f fstype: File system type (use '-f list' for supported types)
-m: Display output in mactime input format with
dir/ as the actual mount point of the image
-o imgoffset: Offset into image file (in sectors)
-p: Display full path for each file
-r: Recurse on directory entries
-u: Display undeleted entries only
-v: verbose output to stderr
-V: Print version
-z: Time zone of original machine (i.e. EST5EDT or GMT) (only useful with -l)
-s seconds: Time skew of original machine (in seconds) (only useful with -l & -m)
foremost
see 508.4 p112
file carving by signature
foremost [-v|-V|-h|-T|-Q|-q|-a|-w-d] [-t <type>] [-s <blocks>] [-k <size>]
[-b <size>] [-c <file>] [-o <dir>] [-i <file>]

-V - display copyright information and exit
-t - specify file type. (-t jpeg,pdf ...)
-d - turn on indirect block detection (for UNIX file-systems)
-i - specify input file (default is stdin)
-a - Write all headers, perform no error detection (corrupted files)
-w - Only write the audit file, do not write any detected files to the disk
-o - set output directory (defaults to output)
-c - set configuration file to use (defaults to foremost.conf)
-q - enables quick mode. Searches are performed on 512 byte boundaries.
-Q - enables quiet mode. Suppress output messages.
-v - verbose mode. Logs all messages to screen

fsstat
see 508.4 p95
displays the details associated with a file system. The output of this command is
file system specific. At a minimum, the range of meta-data values (inode numbers)
and content units (blocks or clusters) are given. Also given are details from the
Super Block, such as mount times and features. For file systems
that use groups (FFS and EXT2FS), the layout of each group is listed.

example: fsstat <image.raw>

fsstat [-tvV] [-f fstype] [-i imgtype] [-b dev_sector_size] [-o imgoffset] image
-t: display type only
-i imgtype: The format of the image file (use '-i list' for supported types)
-b dev_sector_size: The size (in bytes) of the device sectors
-f fstype: File system type (use '-f list' for supported types)
-o imgoffset: The offset of the file system in the image (in sectors)
-v: verbose output to stderr
-V: Print version

H
hfind
see 508.4 p157
Creates an index of a hash database for parsing and lookups, e.g. of hash sets

hfind [-eqV] [-f lookup_file] [-i db_type] db_file [hashes]

-e: Extended mode - where values other than just the name are printed
-q: Quick mode - where a 1 is printed if it is found, else 0
-V: Print version to STDOUT
-f lookup_file: File with one hash per line to lookup
-i db_type: Create index file for a given hash database type
db_file: The location of the original hash database
[hashes]: hashes to lookup (STDIN is used otherwise)

Supported types: nsrl-md5, nsrl-sha1, md5sum, hk

hibr2bin
see 508.2 p103
Acquisition of the machine's physical memory (from the hibernation file).
hibr2bin.exe <inputfile> <outputfile>

I
icat
see 508.4 P134
Extracts a file from an image by its inode (meta-data address)
icat image.raw inum > fichier_extrait.doc

icat [-hrRsvV] [-f fstype] [-i imgtype] [-b dev_sector_size] [-o imgoffset]
image [images] inum[-typ[-id]]
-h: Do not display holes in sparse files
-r: Recover deleted file
-R: Recover deleted file and suppress recovery errors
-s: Display slack space at end of file
-i imgtype: The format of the image file (use '-i list' for supported types)
-b dev_sector_size: The size (in bytes) of the device sectors
-f fstype: File system type (use '-f list' for supported types)
-o imgoffset: The offset of the file system in the image (in sectors)
-v: verbose to stderr
-V: Print version

INDEXParse.py
see 508.1 P162
Dumps the full content of $I30 indexes

ifind
see 508.2 P77
see 508.4 P128
finds the meta-data structure that has allocated a given data unit or that has a
given file name. In some cases any of the structures can be unallocated and
this will still find the results.

example: ifind <image.raw> -d (original_cluster/cluster_size)

usage: ifind [-alvV] [-f fstype] [-i imgtype] [-b dev_sector_size] [-o imgoffset]
[-d unit_addr] [-n file] [-p par_addr] [-z ZONE] image [images]
-a: find all inodes
-d unit_addr: Find the meta data given the data unit
-l: long format when -p is given
-n file: Find the meta data given the file name
-p par_addr: Find UNALLOCATED MFT entries given the parent's meta address (NTFS
only)
-i imgtype: The format of the image file (use '-i list' for supported types)
-b dev_sector_size: The size (in bytes) of the device sectors
-f fstype: File system type (use '-f list' for supported types)
-o imgoffset: The offset of the file system in the image (in sectors)
-v: Verbose output to stderr
-V: Print version
-z ZONE: Time zone setting when -l -p is given

iscsiadm
The iscsiadm utility is a command-line tool allowing discovery and
login to iSCSI targets, as well as access and management of the open-
iscsi database.
iscsiadm -m discovery [ -hV ] [ -d debug_level ] [-P printlevel]
[ -t type -p ip:port -I ifaceN ... [ -l ] ] | [ -p ip:port ] [ -o operation ]
[ -n name ] [ -v value ]
iscsiadm -m node [ -hV ] [ -d debug_level ] [ -P printlevel ]
[ -L all,manual,automatic ] [ -U all,manual,automatic ] [ -S ]
[ [ -T targetname -p ip:port -I ifaceN ] [ -l | -u | -R | -s] ] [ [ -o operation ]
[ -n name ] [ -v value ] ]
iscsiadm -m session [ -hV ] [ -d debug_level ] [ -P printlevel]
[ -r sessionid | sysfsdir [ -R | -u | -s ] [ -o operation ] [ -n name ]
[ -v value ] ]
iscsiadm -m iface [ -hV ] [ -d debug_level ] [ -P printlevel ] [ -I ifacename ]
[ [ -o operation ] [ -n name ] [ -v value ] ]
iscsiadm -m fw [ -l ]
iscsiadm -m host [ -P printlevel ] [ -H hostno ]
iscsiadm -k priority
example: iscsiadm -m node --targetname=image:disk --login

istat
see 508.4 P129
displays the uid, gid, mode, size, link number, modified, accessed, changed times,
and all the disk units a structure has allocated.

example: istat <image.raw> <inum>

usage: istat [-B num] [-f fstype] [-i imgtype] [-b dev_sector_size] [-o imgoffset]
[-z zone] [-s seconds] [-vV] image inum
-B num: force the display of NUM address of block pointers
-z zone: time zone of original machine (i.e. EST5EDT or GMT)
-s seconds: Time skew of original machine (in seconds)
-i imgtype: The format of the image file (use '-i list' for supported types)
-b dev_sector_size: The size (in bytes) of the device sectors
-f fstype: File system type (use '-f list' for supported types)
-o imgoffset: The offset of the file system in the image (in sectors)

J
jp
see 508.1 P166
Windows Journal Parser.
usage:
./jp32 -file <extracted $UsnJrnl:$J file> [-v] [-a] [format options]
./jp32 -image <disk image> [-offset <offset>] [-v] [-a] [format options]
-v = verbose output [includes MFT entry of file]
-a = all records, not just those closed
-memory = will use minimal memory to run
-base10 = output numbers in base10 vice hex

output format options
-csv = output in csv format [default]
-xml = output in xml format
-bodyfile = output in sleuth kit body-file format
-csvl2t = output in log2timeline format

example of redirecting the output of the change journal on the c partition
./jp32 -partition c > output.txt

L
l2t_process
see 508.3 P81
A small script to process the CSV output from log2timeline; sorts it and extracts
the selected dates
used to reduce/filter the records and the size of the timeline

Usage:
l2t_process [OPTIONS] -b CSV_FILE [DATE_RANGE]

Where DATE_RANGE is MM-DD-YYYY or MM-DD-YYYY..MM-DD-YYYY

libpff
see pffexport
library used by pffexport:
examination tool for *.pst and *.ost mail files

log2timeline
see 508.3 P66
log file parser that produces a body file used to create timelines
(for forensic investigations).

Example:
log2timeline -z EST5EDT -p 0 -i /fichier_image.raw

Usage:
log2timeline [OPTIONS] [-f FORMAT] [-z TIMEZONE] [-o OUTPUT MODULE] [-w
BODYFILE] LOG_FILE/LOG_DIR [--] [FORMAT FILE OPTIONS]

Options:
-s|-skew TIME
Time skew of original machine. The format of the variable TIME
is: X | Xs | Xm | Xh, where X is an integer and s represents
seconds, m minutes and h hours (default behaviour is seconds)
-m TEXT Prepend the filename with the TEXT. That is TEXT is a string
that is prepended in front of the file name to provide a path.
Examples are -m C: to prepend the C:/ in front of each file name
to indicate the partition the file came from.
-f|-format FORMAT
Use the following log file format to parse the content of the
file. Use -f list to see the list of supported log files.
Omitting this option makes log2timeline attempt to guess the
format.
-u|-upgrade
Check the latest available version of log2timeline and compare
it to current version (use to check if there is an available
update)
-name HOST
Define the host name that the information is extracted from.
-o|-output FORMAT
Use the following output format. By default log2timeline uses
the CSV output. To see a list of all available output formats,
use -o list

-d|-detail
Some input modules have the capability to include very detailed
amount of information (such as MFT, setupapi and prefetch). This
switch will instruct modules to include those details in the
timeline, so for instance to tell the MFT module to include the
$FN timestamps, or the prefetch one to include loaded DLLs.
-w|-write FILENAME
Specify a file to write output to (otherwise STDOUT will be
chosen).
-z|-zone TIMEZONE
This option defines the timezone that was used on the computer
that the log files belonged to. The default value for this
variable is the local timezone of the computer log2timeline is
run on. There is an option to define -z list to get a list of
all available timezones.
-Z|-Zone TIMEZONE
This option defines the timezone that is used in the output
module of the tool. The default value for this variable is the
same value that is defined in the -z option or the timezone of
the host. This option is used so that output modules can output
in a different timezone than the host is in, for instance to
output in UTC even though the timezone of the host is in another
timezone.
-t|-temp DIR
This option defines the temporary directory the tool uses. By
default the front-end does not set the temporary directory, but
allows the engine to automatically detect it. This option
therefore overwrites the default temporary directory location.

The engine checks the operating system in question, if it is
Windows, it will try to determine the temporary path based on
the Win32::API (so this might fail on 64-bit systems, perhaps
better to use this option to set it manually on those systems).
Otherwise it will use /tmp/ as the temporary directory (should
work on *NIX systems).
-log FILENAME
Specify a file to write error and information messages from the
log2timeline to a file, otherwise STDERR will be used.
-c|-calculate
If this option is used then a MD5 sum is calculated for the file
and stored in the timestamp object
-x Make log2timeline skip some more detailed tests to see if a file
truly is in the correct input module. The tool should work
faster with this option, however it might miss some files.
-e|-exclude LIST
A comma separated list of files to exclude from the scan. If a
particular file has caused the tool to crash or not work, or you
simply want to exclude some documents from the scan it is
possible to exclude some

-r|-recursive
This option makes log2timeline work in a recursive way, the same
behaviour as timescanner.
-p|-preprocess
If log2timeline is working in recursive mode (-r) it is possible
to use the -p option to run a set of pre-processors against the
image file. Preprocessors are modules that search through the
suspect drive and extract needed information that can be used in
other modules, such as hostname, etc.
-v|-verbose
Add debugging information. Possible to use with -v -v to
increase some error messages.

logparser
see 508.4 P1-D
Utility for running queries/searches under Windows.

M
mactime
creates an ASCII time line of file activity based on the body file specified by '-b'
or from STDIN. The time line is written to STDOUT. The body file must be in the
time machine format that is created by 'ils -m', 'fls -m', or the mac-robber tool.

mactime [-b body_file] [-p password_file] [-g group_file] [-i day|hour idx_file]
[-d] [-h] [-V] [-y] [-z TIME_ZONE] [DATE]
-b: Specifies the body file location, else STDIN is used
-d: Output timeline and index file in comma delimited format
-h: Display a header with session information
-i [day | hour] file: Specifies the index file with a summary of results
-g: Specifies the group file location, else GIDs are used
-p: Specifies the password file location, else UIDs are used
-V: Prints the version to STDOUT
-y: Dates have year first (yyyy/mm/dd) instead of (mm/dd/yyyy)
-m: Dates have month as number instead of word (can be used with -y)
-z: Specify the timezone the data came from (in the local system format)
[DATE]: starting date (yyyy-mm-dd) or range (yyyy-mm-dd..yyyy-mm-dd)

md5deep
see 508.4 P156
Creates a hash list from a directory tree

md5deep version 3.9.1 by Jesse Kornblum.
$ md5deep [OPTION]... [FILE]...
See the man page or README.txt file for the full list of options
-p <size> - piecewise mode. Files are broken into blocks for hashing
-r - recursive mode. All subdirectories are traversed
-e - compute estimated time remaining for each file
-s - silent mode. Suppress all error messages
-S - displays warnings on bad hashes only
-z - display file size before hash
-m <file> - enables matching mode. See README/man page
-x <file> - enables negative matching mode. See README/man page
-M and -X are the same as -m and -x but also print hashes of each file
-w - displays which known file generated a match
-n - displays known hashes that did not match any input files
-a and -A add a single hash to the positive or negative matching set
-b - prints only the bare name of files; all path information is omitted
-l - print relative paths for filenames
-k - print asterisk before filename
-t - print GMT timestamp
-i/I- only process files smaller than the given threshold
-o - only process certain types of files. See README/manpage
-v - display version number and exit

md5sum
Computes the MD5 hash of a file
example: md5sum <fichier>

-b, --binary read in binary mode
-c, --check read MD5 sums from the FILEs and check them
-t, --text read in text mode (default)
--quiet don't print OK for each successfully verified file
--status don't output anything, the status code shows success
-w, --warn warn about improperly formatted checksum lines

mklink
Creates a symbolic link (Vista and later);
can be used to access a shadow copy image.
accessing the image:
mklink /d c:\shadow_copy_rep_acces \\?\\...volume

mount
see 508.2 P35
Mounting physical disks

mount_ewf
see 508.2 P39
Mounts EWF (E01) images

mmls
see 508.2 P44
Displays the partition layout of an image
mmls [-i imgtype] [-b dev_sector_size] [-o imgoffset] [-BrvV] [-aAmM]
[-t vstype] image [images]
-t vstype: The type of volume system (use '-t list' for list of supported types)
-i imgtype: The format of the image file (use '-i list' for list supported types)
-b dev_sector_size: The size (in bytes) of the device sectors
-o imgoffset: Offset to the start of the volume that contains the partition system
(in sectors)
-B: print the rounded length in bytes
-r: recurse and look for other partition tables in partitions (DOS Only)
-v: verbose output
-V: print the version
Unless any of these are specified, all volume types are shown
-a: Show allocated volumes
-A: Show unallocated volumes
-m: Show metadata volumes
-M: Hide metadata volumes

N
nc / netcat
see 508.2 P27
listener: nc -l -p <port> > outputfile
client: tool.exe | nc <IP listener> <port> -w 3

P
pasco
Parser for IE history index.dat files.

pf
Analyzes Windows prefetch files
pf -v <FICHIER>.pf

pffexport
see 508.1 P30
Exports the mail stored in Outlook containers
pffexport fichier_outlook.pst

psexec
see 508.2 P21
Remote command execution on a Windows host

R
regripper
see 508.4 p17
rip.pl -r <HIVEFILE> -f <HIVETYPE>
rip.pl -r NTUSER.DAT -f ntuser > resultats.txt
-r = hive file
-f = hive type: sam, security, software, system, ntuser

ripxp.pl: examines restore points

rifiuti
Parser for the Windows Recycle Bin INFO2 file

S
sigfind
see 508.4 p110
Identifies types of files/structures in an image by searching for their signatures.

sigfind [-b bsize] [-o offset] [-t template] [-lV] [hex_signature] file
-b bsize: Give block size (default 512)
-o offset: Give offset into block where signature should exist (default 0)
-l: Signature will be little endian in image
-V: Version
-t template: The name of a data structure template:
dospart, ext2, ext3, fat, hfs, hfs+, ntfs, ufs1, ufs2

sorter
see 508.4 p155
sorter [-b size] [-E] [-e] [-h] [-l] [-md5] [-s] [-sha1] [-U] [-v] [-V]
[-a hash_alert] [-c config] [-C config] [-d dir] [-m mnt] [-n nsrl_db]
[-x hash_exclude] [-o imgoffset] [-f fstype] [-i imgtype] image [images]
[dir_meta_addr]

-b size: Minimum size. Ignore files smaller than 'size'
-E: Perform category indexing only (no extension checks - was '-i')
-e: Perform extension checks only (no category index files)
-h: HTML Format
-l: List index to STDOUT (no files are ever written)
-md5: Print the MD5 value with the index output
-s: Save files to category directories
-sha1: Print the SHA-1 value with the index output
-U: Ignore the unknown category - only save categories in config files
-v: verbose debugging output
-V: print version information
-a hash_alert: hash database of hashes to alert on
-c config: specify a config file to use (in addition to default files)
NOTE: This config file has priority over default files
-C config: specify the ONLY config file to use
-d dir: Save category index files in the specified directory
-f fstype: file system type (Sleuth Kit types) of image
-i imgtype: Format of image file
-o imgoffset: Offset of file system in image (in sectors)
-m mnt: The mounting point of the image
-n nsrl_db: The NIST NSRL database file (NSRLFile.txt) (hashes to ignore)
-x hash_exclude: hash database of hashes to ignore
dir_meta_addr: Address of directory to start analyzing from
image: image to analyze

srch_strings
see 508.2 p106
see 508.4 p65
Searches an image for strings and reports where each hit is located
(works on unallocated space, deleted data and files)

srch_strings -t d ipcase_ntf.img > ipcase_ntf.img.str
grep -i EVIL ipcase_ntf.img.str

ssdeep
see 508.4 p160
Fuzzy hashing: validates files by hash comparison, including partial (similarity) matches
ssdeep [-m file] [-k file] [-vprdsblcxa] [-t val] [-h|-V] [FILES]
-m - Match FILES against known hashes in file
-k - Match signatures in FILES against signatures in file
-v - Verbose mode. Displays filename as it's being processed
-p - Pretty matching mode. Similar to -d but includes all matches
-r - Recursive mode
-d - Directory mode, compare all files in a directory
-s - Silent mode; all errors are suppressed
-b - Uses only the bare name of files; all path information omitted
-l - Uses relative paths for filenames
-c - Prints output in CSV format
-x - Compare FILES as signature files
-a - Display all matches, regardless of score
-t - Only displays matches above the given threshold
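Added example, not from the notes or from the ssdeep project: a deliberately simplified context-triggered piecewise hash (CTPH), the mechanism behind ssdeep, showing why a file with a few bytes changed still scores high against the original while an unrelated file scores 0. The rolling hash (a plain window sum), the fixed block size, the FNV-1a piece hash and the scoring formula are simplifications assumed here; real ssdeep signatures are not compatible with these values, but the structure (trigger-delimited pieces, edit-distance score gated on a shared 7-character run) is the same idea.

```python
"""Simplified CTPH / fuzzy hash (added example, not ssdeep's code).
Inputs are constructed pseudo-random files."""
import random
from typing import Tuple

B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
WINDOW = 7        # bytes covered by the rolling hash
MIN_COMMON = 7    # ssdeep also refuses to score signatures sharing no 7-char run


def fnv1a32(data: bytes) -> int:
    """32-bit FNV-1a, used here as the per-piece hash."""
    h = 0x811C9DC5
    for byte in data:
        h = ((h ^ byte) * 0x01000193) & 0xFFFFFFFF
    return h


def fuzzy_hash(data: bytes, block_size: int = 64) -> str:
    """Return 'block_size:signature'. A piece ends whenever the rolling hash
    of the last WINDOW bytes hits the trigger value, so an edit only disturbs
    the pieces overlapping it; the boundaries after it re-synchronise."""
    sig = []
    piece_start = 0
    for i in range(len(data)):
        rolling = sum(data[max(0, i - WINDOW + 1):i + 1])   # assumed rolling hash
        if rolling % block_size == block_size - 1:
            sig.append(B64[fnv1a32(data[piece_start:i + 1]) & 63])
            piece_start = i + 1
    if piece_start < len(data):                              # trailing partial piece
        sig.append(B64[fnv1a32(data[piece_start:]) & 63])
    return f"{block_size}:{''.join(sig)}"


def levenshtein(a: str, b: str) -> int:
    """Standard edit distance between two signature strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def has_common_run(a: str, b: str, n: int = MIN_COMMON) -> bool:
    grams = {a[i:i + n] for i in range(len(a) - n + 1)}
    return any(b[j:j + n] in grams for j in range(len(b) - n + 1))


def similarity(h1: str, h2: str) -> int:
    """Score 0..100: edit distance scaled to the combined signature length,
    gated on a shared run so chance matches between unrelated files score 0."""
    bs1, s1 = h1.split(":", 1)
    bs2, s2 = h2.split(":", 1)
    if bs1 != bs2 or not s1 or not s2 or not has_common_run(s1, s2):
        return 0
    return max(0, 100 - (100 * levenshtein(s1, s2)) // (len(s1) + len(s2)))


def sample_files() -> Tuple[bytes, bytes, bytes]:
    """Constructed inputs: an original, a copy with 16 bytes overwritten in the
    middle, and an unrelated file of the same size."""
    rng = random.Random(2024)
    original = bytes(rng.getrandbits(8) for _ in range(4096))
    modified = bytearray(original)
    modified[2000:2016] = b"X" * 16
    unrelated = bytes(random.Random(7).getrandbits(8) for _ in range(4096))
    return original, bytes(modified), unrelated


if __name__ == "__main__":
    o, m, u = sample_files()
    ho, hm, hu = fuzzy_hash(o), fuzzy_hash(m), fuzzy_hash(u)
    print(ho)
    print("original vs modified :", similarity(ho, hm))
    print("original vs unrelated:", similarity(ho, hu))
```

This is what `ssdeep -m known.txt` does at scale: signatures of the known files are stored once, and new files are scored against them, with `-t` cutting off low scores.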
V
vol.py
see 508.2 p202
Volatility (extracting data from memory images)

--conf-file=/root/.volatilityrc
User based configuration file
-d, --debug Debug volatility
--plugins=PLUGINS Additional plugin directories to use (colon separated)
--info Print information about all registered objects
--cache-directory=/root/.cache/volatility
Directory where cache files are stored
--cache Use caching
--tz=TZ Sets the timezone for displaying timestamps
-f FILENAME, --filename=FILENAME
Filename to use when opening an image
--profile=WinXPSP2x86
Name of the profile to load
-l LOCATION, --location=LOCATION
A URN location from which to load an address space
-w, --write Enable write support
--use-old-as Use the legacy address spaces
--dtb=DTB DTB Address
--cache-dtb Cache virtual to physical mappings
--output=text Output in this format (format support is module
specific)
--output-file=OUTPUT_FILE
write output in this file
-v, --verbose Verbose information
-k KPCR, --kpcr=KPCR Specify a specific KPCR address
-g KDBG, --kdbg=KDBG Specify a specific KDBG virtual address

Supported Plugin Commands:


apihooks Detect API hooks in process and kernel memory
bioskbd Reads the keyboard buffer from Real Mode memory
callbacks Print system-wide notification routines
cmdscan Extract command history by scanning for _COMMAND_HISTORY
connections Print list of open connections [Windows XP and 2003 Only]
connscan Scan Physical memory for _TCPT_OBJECT objects (tcp connections)
connscanx Vista/2008/7 Connections via Partitions and Dynamic Hash Tables
consoles Extract command history by scanning for _CONSOLE_INFORMATION
crashinfo Dump crash-dump information
devicetree Show device tree
dlldump Dump DLLs from a process address space
dlllist Print list of loaded dlls for each process
driverirp Driver IRP hook detection
driverscan Scan for driver objects _DRIVER_OBJECT
envars Display process environment variables
filescan Scan Physical memory for _FILE_OBJECT pool allocations
gdt Display Global Descriptor Table
getsids Print the SIDs owning each process
handles Print list of open handles for each process
hashdump Dumps passwords hashes (LM/NTLM) from memory
hibinfo Dump hibernation file information
hivedump Prints out a hive
hivelist Print list of registry hives.
hivescan Scan Physical memory for _CMHIVE objects (registry hives)
idt Display Interrupt Descriptor Table
imagecopy Copies a physical address space out as a raw DD image
imageinfo Identify information for the image
impscan Scan for calls to imported functions
kdbgscan Search for and dump potential KDBG values
kpcrscan Search for and dump potential KPCR values
ldrmodules Detect unlinked DLLs
lsadump Dump (decrypted) LSA secrets from the registry
malfind Find hidden and injected code
memdump Dump the addressable memory for a process
memmap Print the memory map
moddump Dump a kernel driver to an executable file sample
modscan Scan Physical memory for _LDR_DATA_TABLE_ENTRY objects
modules Print list of loaded modules
mutantscan Scan for mutant objects _KMUTANT
patcher Patches memory based on page scans
printkey Print a registry key, and its subkeys and values
procexedump Dump a process to an executable file sample
procmemdump Dump a process to an executable memory sample
pslist print all running processes by following the EPROCESS lists
psscan Scan Physical memory for _EPROCESS pool allocations
pstree Print process list as a tree
psxview Find hidden processes with various process listings
raw2dmp Converts a physical memory sample to a windbg crash dump
reglist Registry Lister
shimcache Parses the Application Compatibility Shim Cache registry key
sockets Print list of open sockets
sockscan Scan Physical memory for _ADDRESS_OBJECT objects (tcp sockets)
ssdt Display SSDT entries
strings Match physical offsets to virtual addresses (may take a while, VERY verbose)
svcscan Scan for Windows services
symlinkscan Scan for symbolic link objects
thrdscan Scan physical memory for _ETHREAD objects
threads Investigate _ETHREAD and _KTHREADs
timers Print kernel timers and associated module DPCs
userassist Print userassist registry keys and information
vaddump Dumps out the vad sections to a file
vadinfo Dump the VAD info
vadtree Walk the VAD tree and display in tree format
vadwalk Walk the VAD tree
volshell Shell in the memory image
yarascan Scan process or kernel memory with Yara signatures
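Added example, not from the notes or from the Volatility project: the cross-view comparison that `psxview` performs, reduced to two of the listings above. `pslist` walks the kernel's linked list of active processes, so a process unlinked from that list is missing from it; `psscan` finds _EPROCESS structures by scanning pool allocations regardless of list membership, but it also picks up processes that have already exited. Comparing the two and using the exit time to discount terminated processes leaves the genuinely suspicious candidates. The two listings below are constructed text in the Volatility 2 output layout, not output from a real image.

```python
"""Cross-view process detection in the style of psxview (added example;
the pslist/psscan text below is constructed, not from a real memory image)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

PSLIST_OUTPUT = """\
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x823c89c8 System                    4      0     53      240 ------      0
0x822f1020 smss.exe                368      4      3       19 ------      0 2010-08-11 06:06:53 UTC+0000
0x8213c0f8 explorer.exe           1728   1708     11      348      0      0 2010-08-11 06:09:29 UTC+0000
"""

PSSCAN_OUTPUT = """\
Offset(P)          Name                PID   PPID PDB        Time created                   Time exited
------------------ ---------------- ------ ------ ---------- ------------------------------ ------------------------------
0x0000000001a3c8e8 System                4      0 0x00319000
0x0000000001c4e020 smss.exe            368      4 0x0a8d6000 2010-08-11 06:06:53 UTC+0000
0x00000000020d10f8 explorer.exe       1728   1708 0x0b1a3000 2010-08-11 06:09:29 UTC+0000
0x0000000002a1d3d8 hidden.exe         1984   1728 0x0b2c2000 2010-08-11 06:12:01 UTC+0000
0x0000000002b7f5a0 notepad.exe        2212   1728 0x0c5e7000 2010-08-11 06:10:30 UTC+0000   2010-08-11 06:11:02 UTC+0000
"""

# Offset, name, PID and PPID are the leading columns of both listings.
PROC_RE = re.compile(r"^0x([0-9a-fA-F]+)\s+(\S+)\s+(\d+)\s+(\d+)")
TS_RE = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} UTC[+-]\d{4}")


@dataclass(frozen=True)
class Proc:
    name: str
    pid: int
    ppid: int
    exited: bool


def parse_process_listing(text: str) -> Dict[Tuple[str, int], Proc]:
    """Parse a pslist or psscan listing into {(name, pid): Proc}.
    A second timestamp on a line is the exit time."""
    procs: Dict[Tuple[str, int], Proc] = {}
    for line in text.splitlines():
        m = PROC_RE.match(line.strip())
        if not m:
            continue                       # header and separator lines
        name, pid, ppid = m.group(2), int(m.group(3)), int(m.group(4))
        exited = len(TS_RE.findall(line)) >= 2
        procs[(name, pid)] = Proc(name, pid, ppid, exited)
    return procs


def cross_view(pslist: Dict[Tuple[str, int], Proc],
               psscan: Dict[Tuple[str, int], Proc]) -> Dict[str, List[Proc]]:
    """Processes seen by the scanner but absent from the active list are
    either terminated (benign, exit time present) or unlinked (suspicious)."""
    return {
        "hidden_candidates": [p for k, p in psscan.items() if k not in pslist and not p.exited],
        "terminated": [p for k, p in psscan.items() if k not in pslist and p.exited],
        "in_pslist_only": [p for k, p in pslist.items() if k not in psscan],
    }


def analyse() -> Dict[str, List[str]]:
    """Run the comparison over the constructed listings; results as name:pid."""
    views = cross_view(parse_process_listing(PSLIST_OUTPUT),
                       parse_process_listing(PSSCAN_OUTPUT))
    return {k: sorted(f"{p.name}:{p.pid}" for p in v) for k, v in views.items()}


if __name__ == "__main__":
    for category, procs in analyse().items():
        print(f"{category}: {procs}")
```

In practice `psxview` adds further views (thread scanning, handle tables, session and CSRSS lists), but the reasoning is identical: a process that only some views see needs an explanation, and "already exited" is the most common benign one.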

vssadmin
Native command from Vista onwards for working with Volume Shadow Copies
list the snapshots: vssadmin list shadows /for=c:
access a snapshot:
mklink /d c:\shadow_copy_rep_acces \\?\\...volume

W
win64dd.exe/win32dd.exe
memory capture
win32dd /d /f physmem.dmp

Y
YARU
Yet Another Registry Utility
Windows GUI tool: displays deleted keys and the binary data area
