GitBook: [master] 511 pages and one asset modified

SUMMARY.md

@@ -450,7 +450,7 @@
     * [NTFS](forensics/basic-forensic-methodology/partitions-file-systems-carving/ntfs.md)
   * [Pcap Inspection](forensics/basic-forensic-methodology/pcap-inspection/README.md)
     * [DNSCat pcap analysis](forensics/basic-forensic-methodology/pcap-inspection/dnscat-exfiltration.md)
-    * [USB Keyboard pcap analysis](forensics/basic-forensic-methodology/pcap-inspection/usb-keyboard-pcap-analysis.md)
+    * [USB Keystrokes](forensics/basic-forensic-methodology/pcap-inspection/usb-keystrokes.md)
     * [Wifi Pcap Analysis](forensics/basic-forensic-methodology/pcap-inspection/wifi-pcap-analysis.md)
     * [Wireshark tricks](forensics/basic-forensic-methodology/pcap-inspection/wireshark-tricks.md)
   * [Specific Software/File-Type Tricks](forensics/basic-forensic-methodology/specific-software-file-type-tricks/README.md)

blockchain/blockchain-and-crypto-currencies.md

@@ -179,6 +179,9 @@ This offers a new level of privacy, however, **some** **transactions** where som
 
 Examples of \(likely\) CoinJoin transactions IDs on bitcoin's blockchain are `402d3e1df685d1fdf82f36b220079c1bf44db227df2d676625ebcbee3f6cb22a` and `85378815f6ee170aa8c26694ee2df42b99cff7fa9357f073c1192fff1f540238`.
 
+[**https://coinjoin.io/en**](https://coinjoin.io/en)  
+**Similar to coinjoin but better and for ethereum you have** [**Tornado Cash**](https://tornado.cash/) **\(the money is given from miners, so it jus appear in your waller\).**
+
 ### PayJoin
 
 The type of CoinJoin discussed in the previous section can be easily identified as such by checking for the multiple outputs with the same value. 

forensics/basic-forensic-methodology/pcap-inspection/README.md

@@ -1,7 +1,7 @@
 # Pcap Inspection
 
 {% hint style="info" %}
-A note about **PCAP** vs **PCAPNG**: there are two versions of the PCAP file format; P**CAPNG is newer and not supported by all tools**. You may need to convert a file from PCAPNG to PCAP using Wireshark or another compatible tool, in order to work with it in some other tools.
+A note about **PCAP** vs **PCAPNG**: there are two versions of the PCAP file format; **PCAPNG is newer and not supported by all tools**. You may need to convert a file from PCAPNG to PCAP using Wireshark or another compatible tool, in order to work with it in some other tools.
 {% endhint %}
 
 ## Online tools for pcaps
@@ -212,7 +212,9 @@ rita show-exploded-dns -H --limit 10 zeek_logs
 
 {% page-ref page="dnscat-exfiltration.md" %}
 
-{% page-ref page="usb-keyboard-pcap-analysis.md" %}
-
 {% page-ref page="wifi-pcap-analysis.md" %}
 
+{% page-ref page="usb-keystrokes.md" %}
+
+
+

forensics/basic-forensic-methodology/pcap-inspection/usb-keystrokes.md

@@ -0,0 +1,20 @@
+# USB Keystrokes
+
+If you have a pcap containing the communication via USB of a keyboard like the following one:
+
+![](../../../.gitbook/assets/image%20%28567%29.png)
+
+You can use the tool [**ctf-usb-keyboard-parser**](https://github.com/carlospolop-forks/ctf-usb-keyboard-parser) to get what was written in the communication:
+
+```bash
+tshark -r ./usb.pcap -Y 'usb.capdata && usb.data_len == 8' -T fields -e usb.capdata | sed 's/../:&/g2' > keystrokes.txt
+python3 usbkeyboard.py ./keystrokes.txt
+```
+
+
+
+You can read more information and find some scripts about how to analyse this in:
+
+* [https://medium.com/@ali.bawazeeer/kaizen-ctf-2018-reverse-engineer-usb-keystrok-from-pcap-file-2412351679f4](https://medium.com/@ali.bawazeeer/kaizen-ctf-2018-reverse-engineer-usb-keystrok-from-pcap-file-2412351679f4)
+* [https://github.com/tanc7/HacktheBox\_Deadly\_Arthropod\_Writeup](https://github.com/tanc7/HacktheBox_Deadly_Arthropod_Writeup)
+