Mirrors/hacktricks
2
0
Fork 0
mirror of https://github.com/carlospolop/hacktricks synced 2025-02-16 14:08:26 +00:00
Code Issues Projects Releases Packages Wiki Activity

GitBook: [master] 46 pages modified

Browse source
This commit is contained in:
CPol 2021-05-28 17:27:17 +00:00 committed by gitbook-bot
parent 4d089a6b37
commit 8c458fbbd7
No known key found for this signature in database
GPG key ID: 07D2180C7B12D0FF
24 changed files with 52 additions and 51 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

45
SUMMARY.md
View file

@ -421,29 +421,28 @@
* [USB Keyboard pcap analysis](forensics/pcaps-analysis/usb-keyboard-pcap-analysis.md)
* [DNSCat pcap analysis](forensics/pcaps-analysis/dnscat-exfiltration.md)
* [Wireshark tricks](forensics/pcaps-analysis/wireshark-tricks.md)
* [Basic Forensics \(ESP\)](forensics/basic-forensics-esp/README.md)
* [Memory dump analysis](forensics/basic-forensics-esp/memory-dump-analysis/README.md)
* [Volatility - CheatSheet](forensics/basic-forensics-esp/memory-dump-analysis/volatility-examples.md)
* [Specific Software/File-Type Tricks](forensics/basic-forensics-esp/specific-software-file-type-tricks/README.md)
* [.pyc](forensics/basic-forensics-esp/specific-software-file-type-tricks/.pyc.md)
* [Browser Artifacts](forensics/basic-forensics-esp/specific-software-file-type-tricks/browser-artifacts.md)
* [Desofuscation vbs \(cscript.exe\)](forensics/basic-forensics-esp/specific-software-file-type-tricks/desofuscation-vbs-cscript.exe.md)
* [Local Cloud Storage](forensics/basic-forensics-esp/specific-software-file-type-tricks/local-cloud-storage.md)
* [Office file analysis](forensics/basic-forensics-esp/specific-software-file-type-tricks/office-file-analysis.md)
* [PDF File analysis](forensics/basic-forensics-esp/specific-software-file-type-tricks/pdf-file-analysis.md)
* [PNG tricks](forensics/basic-forensics-esp/specific-software-file-type-tricks/png-tricks.md)
* [Video and Audio file analysis](forensics/basic-forensics-esp/specific-software-file-type-tricks/video-and-audio-file-analysis.md)
* [ZIPs tricks](forensics/basic-forensics-esp/specific-software-file-type-tricks/zips-tricks.md)
* [Partitions/File Systems/Carving](forensics/basic-forensics-esp/partitions-file-systems-carving/README.md)
* [File/Data Carving Tools](forensics/basic-forensics-esp/partitions-file-systems-carving/file-data-carving-tools.md)
* [NTFS](forensics/basic-forensics-esp/partitions-file-systems-carving/ntfs.md)
* [Windows Artifacts](forensics/basic-forensics-esp/windows-forensics/README.md)
* [Interesting Windows Registry Keys](forensics/basic-forensics-esp/windows-forensics/interesting-windows-registry-keys.md)
* [Anti-Forensic Techniques](forensics/basic-forensics-esp/anti-forensic-techniques.md)
* [USB logs analysis](forensics/basic-forensics-esp/usb-logs-analysis.md)
* [Image Adquisition & Mount](forensics/basic-forensics-esp/image-adquisition-and-mount.md)
* [Docker Forensics](forensics/basic-forensics-esp/docker-forensics.md)
* [Linux Forensics](forensics/basic-forensics-esp/linux-forensics.md)
* [Basic Forensic Methodology](forensics/basic-forensic-methodology/README.md)
* [Memory dump analysis](forensics/basic-forensic-methodology/memory-dump-analysis/README.md)
* [Volatility - CheatSheet](forensics/basic-forensic-methodology/memory-dump-analysis/volatility-examples.md)
* [Specific Software/File-Type Tricks](forensics/basic-forensic-methodology/specific-software-file-type-tricks/README.md)
* [.pyc](forensics/basic-forensic-methodology/specific-software-file-type-tricks/.pyc.md)
* [Browser Artifacts](forensics/basic-forensic-methodology/specific-software-file-type-tricks/browser-artifacts.md)
* [Desofuscation vbs \(cscript.exe\)](forensics/basic-forensic-methodology/specific-software-file-type-tricks/desofuscation-vbs-cscript.exe.md)
* [Local Cloud Storage](forensics/basic-forensic-methodology/specific-software-file-type-tricks/local-cloud-storage.md)
* [Office file analysis](forensics/basic-forensic-methodology/specific-software-file-type-tricks/office-file-analysis.md)
* [PDF File analysis](forensics/basic-forensic-methodology/specific-software-file-type-tricks/pdf-file-analysis.md)
* [PNG tricks](forensics/basic-forensic-methodology/specific-software-file-type-tricks/png-tricks.md)
* [Video and Audio file analysis](forensics/basic-forensic-methodology/specific-software-file-type-tricks/video-and-audio-file-analysis.md)
* [ZIPs tricks](forensics/basic-forensic-methodology/specific-software-file-type-tricks/zips-tricks.md)
* [Partitions/File Systems/Carving](forensics/basic-forensic-methodology/partitions-file-systems-carving/README.md)
* [File/Data Carving Tools](forensics/basic-forensic-methodology/partitions-file-systems-carving/file-data-carving-tools.md)
* [NTFS](forensics/basic-forensic-methodology/partitions-file-systems-carving/ntfs.md)
* [Windows Artifacts](forensics/basic-forensic-methodology/windows-forensics/README.md)
* [Interesting Windows Registry Keys](forensics/basic-forensic-methodology/windows-forensics/interesting-windows-registry-keys.md)
* [Anti-Forensic Techniques](forensics/basic-forensic-methodology/anti-forensic-techniques.md)
* [Image Adquisition & Mount](forensics/basic-forensic-methodology/image-adquisition-and-mount.md)
* [Docker Forensics](forensics/basic-forensic-methodology/docker-forensics.md)
* [Linux Forensics](forensics/basic-forensic-methodology/linux-forensics.md)
## Physical attacks

6
forensics/basic-forensics-esp/README.md → forensics/basic-forensic-methodology/README.md
View file

@ -1,4 +1,4 @@
# Basic Forensics \(ESP\)
# Basic Forensic Methodology
In this section of the book we are going to learn about some **useful forensics tricks**.
We are going to talk about partitions, file-systems, carving, memory, logs, backups, OSs, and much more.
@ -30,6 +30,10 @@ I want to do a special mention to the page:
{% page-ref page="specific-software-file-type-tricks/browser-artifacts.md" %}
## Memory Dump Inspection
{% page-ref page="memory-dump-analysis/" %}

0
forensics/basic-forensics-esp/anti-forensic-techniques.md → forensics/basic-forensic-methodology/anti-forensic-techniques.md
View file

0
forensics/basic-forensics-esp/docker-forensics.md → forensics/basic-forensic-methodology/docker-forensics.md
View file

0
forensics/basic-forensics-esp/image-adquisition-and-mount.md → forensics/basic-forensic-methodology/image-adquisition-and-mount.md
View file

25
forensics/basic-forensics-esp/linux-forensics.md → forensics/basic-forensic-methodology/linux-forensics.md
View file

@ -298,6 +298,31 @@ Note that you can also **take a look to this information reading the logs**.
* **MySQL**: User accounts may have a _**/.mysql\_history**_ file that contains queries executed using MySQL.
* **Less**: User accounts may have a _**/.lesshst**_ file that contains details about the use of less, including search string history and shell commands executed via less
### USB Logs
[**usbrip**](https://github.com/snovvcrash/usbrip) is a small piece of software written in pure Python 3 which parses Linux log files \(`/var/log/syslog*` or `/var/log/messages*` depending on the distro\) for constructing USB event history tables.
It is interesting to **know all the USBs that have been used** and it will be more useful if you have an authorized list of USB to find "violation events" \(the use of USBs that aren't inside that list\).
### Installation
```text
pip3 install usbrip
usbrip ids download #Downloal USB ID database
```
### Examples
```text
usbrip events history #Get USB history of your curent linux machine
usbrip events history --pid 0002 --vid 0e0f --user kali #Search by pid OR vid OR user
#Search for vid and/or pid
usbrip ids download #Downlaod database
usbrip ids search --pid 0002 --vid 0e0f #Search for pid AND vid
```
More examples and info inside the github: [https://github.com/snovvcrash/usbrip](https://github.com/snovvcrash/usbrip)
## Review User Accounts and Logon Activities
Examine the _**/etc/passwd**_, _**/etc/shadow**_ and **security logs** for unusual names or accounts created and/or used in close proximity to known unauthorized events. Also check possible sudo brute-force attacks.

0
forensics/basic-forensics-esp/memory-dump-analysis/README.md → forensics/basic-forensic-methodology/memory-dump-analysis/README.md
View file

0
forensics/basic-forensics-esp/memory-dump-analysis/volatility-examples.md → forensics/basic-forensic-methodology/memory-dump-analysis/volatility-examples.md
View file

0
forensics/basic-forensics-esp/partitions-file-systems-carving/README.md → forensics/basic-forensic-methodology/partitions-file-systems-carving/README.md
View file

0
forensics/basic-forensics-esp/partitions-file-systems-carving/file-data-carving-tools.md → forensics/basic-forensic-methodology/partitions-file-systems-carving/file-data-carving-tools.md
View file

0
forensics/basic-forensics-esp/partitions-file-systems-carving/ntfs.md → forensics/basic-forensic-methodology/partitions-file-systems-carving/ntfs.md
View file

0
forensics/basic-forensics-esp/specific-software-file-type-tricks/.pyc.md → forensics/basic-forensic-methodology/specific-software-file-type-tricks/.pyc.md
View file

0
forensics/basic-forensics-esp/specific-software-file-type-tricks/README.md → forensics/basic-forensic-methodology/specific-software-file-type-tricks/README.md
View file

0
forensics/basic-forensics-esp/specific-software-file-type-tricks/browser-artifacts.md → forensics/basic-forensic-methodology/specific-software-file-type-tricks/browser-artifacts.md
View file

0
forensics/basic-forensics-esp/specific-software-file-type-tricks/desofuscation-vbs-cscript.exe.md → forensics/basic-forensic-methodology/specific-software-file-type-tricks/desofuscation-vbs-cscript.exe.md
View file

0
forensics/basic-forensics-esp/specific-software-file-type-tricks/local-cloud-storage.md → forensics/basic-forensic-methodology/specific-software-file-type-tricks/local-cloud-storage.md
View file

0
forensics/basic-forensics-esp/specific-software-file-type-tricks/office-file-analysis.md → forensics/basic-forensic-methodology/specific-software-file-type-tricks/office-file-analysis.md
View file

0
forensics/basic-forensics-esp/specific-software-file-type-tricks/pdf-file-analysis.md → forensics/basic-forensic-methodology/specific-software-file-type-tricks/pdf-file-analysis.md
View file

0
forensics/basic-forensics-esp/specific-software-file-type-tricks/png-tricks.md → forensics/basic-forensic-methodology/specific-software-file-type-tricks/png-tricks.md
View file

0
forensics/basic-forensics-esp/specific-software-file-type-tricks/video-and-audio-file-analysis.md → forensics/basic-forensic-methodology/specific-software-file-type-tricks/video-and-audio-file-analysis.md
View file

0
forensics/basic-forensics-esp/specific-software-file-type-tricks/zips-tricks.md → forensics/basic-forensic-methodology/specific-software-file-type-tricks/zips-tricks.md
View file

0
forensics/basic-forensics-esp/windows-forensics/README.md → forensics/basic-forensic-methodology/windows-forensics/README.md
View file

0
forensics/basic-forensics-esp/windows-forensics/interesting-windows-registry-keys.md → forensics/basic-forensic-methodology/windows-forensics/interesting-windows-registry-keys.md
View file

27
forensics/basic-forensics-esp/usb-logs-analysis.md
View file

@ -1,27 +0,0 @@
# USB logs analysis
## USBrip
**usbrip** is a small piece of software written in pure Python 3 which parses Linux log files \(`/var/log/syslog*` or `/var/log/messages*` depending on the distro\) for constructing USB event history tables.
It is interesting to know all the USBs that have been used and it will be more usefull if you have an authorized list of USB to find "violation events" \(the use of USBs that aren't inside that list\).
### Installation
```text
pip3 install usbrip
usbrip ids download #Downloal USB ID database
```
### Examples
```text
usbrip events history #Get USB history of your curent linux machine
usbrip events history --pid 0002 --vid 0e0f --user kali #Search by pid OR vid OR user
#Search for vid and/or pid
usbrip ids download #Downlaod database
usbrip ids search --pid 0002 --vid 0e0f #Search for pid AND vid
```
More examples and info inside the github: [https://github.com/snovvcrash/usbrip](https://github.com/snovvcrash/usbrip)