Tools
All the useful tools interesting to be used
DFIR tools:
| Tool | Description |
|---|---|
| ArtifactExtractor | This tool extract Windows artifacts (registry, windows events, some logs) from raw disk image |
| Autopsy | Disk image browser and parser (you could parse for .exe files, email messages, IP addresses, URL links, disk indexing,...) and you could browse the file system |
| log2timeline | Generate super timeline (how to use it: Here) |
| Yara | Tool primarily used in malware research and detection using some rules (for a great Yara rules Here ) |
| YaraGenerator | Generate a yara rule for a given samples on automated way |
| ZipDump | Tool could be used to search using Yara rules inside given archive file |
| FTK Imager | Tool used to take disk/memory image of the machine |
| RegistryChangesView | Registry change viewer, give the changes happen to the registry |
| VirusTotalHashScanner | Check a list of hashes in VirusTotal for any malicious file |
| Prefetch Parser | Prefetch file parser, get execution time and execution count. |
| Eric Zimmerman | List of useful tools for DFIR |
| OfficeParser | parse office documents, good to extract the VBA files inside them |
| CDIR | Artifacts ccollector |
| Glogg | GUI version for grep command across multiple platform |
| Rekall | Memory analysis framework, (similar to volatility) |
| bulk_volatility_scanner | This is a great easy to use script that runs all volatility plugins on all memory images provided. it takes the path of the images and the path of the output dir. Run it and sip tea or do something else until it is done (wink) |
| BMC viewer | viewer for pictures of .bmc files |
| PC Hunter | GUI tool gives detailed information of processes, dlls, hooks both ring 0 and 3, (similar to process hacker) |
| MemProcFS | Accesses memory as a mounted filesystem. It can be used as an API as well. Can be used on live memory or a memory dump file. |
| TC4shell | Decompress most of compressed files, such as AD1, etc. |
| Recyclebin | Recyclebin parser for ($I) files |
Malware Analysis and Reverse Engineer:
| Tool | Description |
|---|---|
| PEStudio | Malware Initial Assessment, give file information, strings, resources, imports,... |
| dnSpy | dnSpy is a debugger and .NET assembly editor |
| Sysinternals | windows sysinternals utilities to monitor the system |
| DLLExportViewer | Show all the export functions for any DLL file |
| PDF-Parser & pdfid | Python script to parse PDF files |
| Snowman | Is an executable decompiler to C/C++ |
| exiftool | Tool extract the metadata for a given file |
| PE-Sieve | Tool take PID and check if the original file same as the file loaded in memory |
| Jmp2it | Tool used to load a shellcode into executable, and attach IDA to debug the shellcode |
| File Signature | Website contain a list of file extensions and signature |
Unpackers/Obfuscators
| Tool | Description |
|---|---|
| UPXEasyGUI | UPX Packer and Unpacker |
| RDGPackerDetector | Detect the type of the packer for a given program |
| ConfuserEx-DeObfuscate | These tools could be used to deobfuscate executables packed by ConfuserEx |
| Scylla | A great tool used to rebuild the import address table of executable (useful for manual unpacking of executables) |
| Protection_ID.eXe | tool used to detect the obfuscation type |
Helpful links
| link | Description |
|---|---|
| XSS cheat sheet | include a list of XSS technquies could be used. |
| Stego tools | List of stego tools |
Helpful Commands
for f in */Logs/*.evtx ; do echo "$f" ; mkdir -p $(echo "./Events/$f" | awk -F '/' '{print $1 "/" $2 "/" $3 "/" $4 "/"}') ; evtx_dump.py "$f" > "./Events/${f%.xml}.xml" ; echo " Done ..." ; done
this command will read all evtx files on */Logs/ folders and convert them into xml files under the folder ./Events with same directories from the original one.
for f in */Logs/*.evtx ; do echo "$f" ; mkdir -p $(echo "./Events/$f" | awk -F '/' '{print $1 "/" $2 "/" $3 "/"
$4 "/"}') ; test ! $ (wc -c "$f" | awk '{print$1 }' ) -le 550000000; $ ([[ $? -eq 1 ]] && evtx_dump.py "$f" > "./Events/${f%.xml}.xml") ; echo " Done ..." ; done
Same command but, this will check the file size not more than 550000000 bytes
fast command:
for f in ./*.evtx ; do echo "$f" ; evtx_dump.py "$f" > "./Events/${f%.xml}.xml" ; echo " Done ..." ; done
copy files and show the progress
rsync -r --info=progress2 source destination
Extract VBA macro from a list of document files
for f in * ; do echo "$f" ; mkdir -p $(echo "./output/$f") ; officeparser --extract-macros $f -o "./output/$f" ; echo " Done ..." ; done
How to use xargs to do multiprocessing commands:
find ./ -name '*.log' | xargs -rtP 20 -L1 grep "pattern" > output.txt
-P 20: number of processes at the same time
-t: print the command
-r: run only if there is argument
-L1: one argument at the same time, means one file per command
Note: if you use -L1 and write output on text file, the result might be missed up, so it is better not using it if there are many input files
How to set Linux Forwarder machine from one interface to another
modprobe iptable_nat
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -d 0/0 -s 10.0.1.0/24 -j MASQUERADE
iptables -A FORWARD -s 10.0.1.0/24 -d 0/0 -j ACCEPT
iptables -A FORWARD -s 0/0 -d 10.0.1.0/24 -j ACCEPT
If one use zgrep just like you use grep. If many:
find -iname "*.gz" | xargs zgrep <options like -P or -i ...> "<str or regex if using -P>"
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent