GitBook: [master] 11 pages modified
This commit is contained in:
parent
2636a86ca3
commit
4d089a6b37
SUMMARY.md
|
@ -416,31 +416,31 @@
|
|||
## Forensics
|
||||
|
||||
* [Malware Analysis](forensics/malware-analysis.md)
|
||||
* [Memory dump analysis](forensics/memory-dump-analysis.md)
|
||||
* [Pcaps analysis](forensics/pcaps-analysis/README.md)
|
||||
* [Wifi Pcap Analysis](forensics/pcaps-analysis/wifi-pcap-analysis.md)
|
||||
* [USB Keyboard pcap analysis](forensics/pcaps-analysis/usb-keyboard-pcap-analysis.md)
|
||||
* [DNSCat pcap analysis](forensics/pcaps-analysis/dnscat-exfiltration.md)
|
||||
* [Wireshark tricks](forensics/pcaps-analysis/wireshark-tricks.md)
|
||||
* [Volatility - CheatSheet](forensics/volatility-examples.md)
|
||||
* [Basic Forensics \(ESP\)](forensics/basic-forensics-esp/README.md)
|
||||
* [Memory dump analysis](forensics/basic-forensics-esp/memory-dump-analysis/README.md)
|
||||
* [Volatility - CheatSheet](forensics/basic-forensics-esp/memory-dump-analysis/volatility-examples.md)
|
||||
* [Specific Software/File-Type Tricks](forensics/basic-forensics-esp/specific-software-file-type-tricks/README.md)
|
||||
* [PNG tricks](forensics/basic-forensics-esp/specific-software-file-type-tricks/png-tricks.md)
|
||||
* [.pyc](forensics/basic-forensics-esp/specific-software-file-type-tricks/.pyc.md)
|
||||
* [Browser Artifacts](forensics/basic-forensics-esp/specific-software-file-type-tricks/browser-artifacts.md)
|
||||
* [Desofuscation vbs \(cscript.exe\)](forensics/basic-forensics-esp/specific-software-file-type-tricks/desofuscation-vbs-cscript.exe.md)
|
||||
* [Local Cloud Storage](forensics/basic-forensics-esp/specific-software-file-type-tricks/local-cloud-storage.md)
|
||||
* [Office file analysis](forensics/basic-forensics-esp/specific-software-file-type-tricks/office-file-analysis.md)
|
||||
* [PDF File analysis](forensics/basic-forensics-esp/specific-software-file-type-tricks/pdf-file-analysis.md)
|
||||
* [PNG tricks](forensics/basic-forensics-esp/specific-software-file-type-tricks/png-tricks.md)
|
||||
* [Video and Audio file analysis](forensics/basic-forensics-esp/specific-software-file-type-tricks/video-and-audio-file-analysis.md)
|
||||
* [.pyc](forensics/basic-forensics-esp/specific-software-file-type-tricks/.pyc.md)
|
||||
* [Desofuscation vbs \(cscript.exe\)](forensics/basic-forensics-esp/specific-software-file-type-tricks/desofuscation-vbs-cscript.exe.md)
|
||||
* [ZIPs tricks](forensics/basic-forensics-esp/specific-software-file-type-tricks/zips-tricks.md)
|
||||
* [USB logs analysis](forensics/basic-forensics-esp/specific-software-file-type-tricks/usb-logs-analysis.md)
|
||||
* [Browser Artifacts](forensics/basic-forensics-esp/specific-software-file-type-tricks/browser-artifacts.md)
|
||||
* [Cloud Storage](forensics/basic-forensics-esp/specific-software-file-type-tricks/cloud-storage.md)
|
||||
* [Partitions/File Systems/Carving](forensics/basic-forensics-esp/partitions-file-systems-carving/README.md)
|
||||
* [File/Data Carving Tools](forensics/basic-forensics-esp/partitions-file-systems-carving/file-data-carving-tools.md)
|
||||
* [NTFS](forensics/basic-forensics-esp/partitions-file-systems-carving/ntfs.md)
|
||||
* [Windows Artifacts](forensics/basic-forensics-esp/windows-forensics/README.md)
|
||||
* [Interesting Windows Registry Keys](forensics/basic-forensics-esp/windows-forensics/interesting-windows-registry-keys.md)
|
||||
* [Anti-Forensic Techniques](forensics/basic-forensics-esp/anti-forensic-techniques.md)
|
||||
* [USB logs analysis](forensics/basic-forensics-esp/usb-logs-analysis.md)
|
||||
* [Image Adquisition & Mount](forensics/basic-forensics-esp/image-adquisition-and-mount.md)
|
||||
* [Docker Forensics](forensics/basic-forensics-esp/docker-forensics.md)
|
||||
* [Linux Forensics](forensics/basic-forensics-esp/linux-forensics.md)
|
||||
|
|
|
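Review bot: the link texts "Image Adquisition & Mount" and "Desofuscation vbs \(cscript.exe\)" carry misspellings ("Acquisition", "Deobfuscation"); since the target filenames `image-adquisition-and-mount.md` and `desofuscation-vbs-cscript.exe.md` use the same spelling, either fix only the display text or rename file and link together. The rendered view drops the +/- markers and nesting, so the same targets appear twice (`forensics/volatility-examples.md` and `forensics/basic-forensics-esp/memory-dump-analysis/volatility-examples.md`, `cloud-storage.md` and `local-cloud-storage.md`); please confirm the old `forensics/`-level entries are removed rather than duplicated, and that `cloud-storage.md` no longer exists once `local-cloud-storage.md` is the linked page.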
@ -11,6 +11,25 @@ if you are given a **forensic image** of a device you can start **analyzing the
|
|||
|
||||
{% page-ref page="partitions-file-systems-carving/" %}
|
||||
|
||||
Depending on the used OSs and even platform different interesting artifacts should be searched:
|
||||
|
||||
{% page-ref page="windows-forensics/" %}
|
||||
|
||||
{% page-ref page="linux-forensics.md" %}
|
||||
|
||||
{% page-ref page="docker-forensics.md" %}
|
||||
|
||||
## Deep inspection of specific file-types and Software
|
||||
|
||||
If you have very **suspicious** **file**, then **depending on the file-type and software** that created it several **tricks** may be useful.
|
||||
Read the following page to learn some interesting tricks:
|
||||
|
||||
{% page-ref page="specific-software-file-type-tricks/" %}
|
||||
|
||||
I want to do a special mention to the page:
|
||||
|
||||
{% page-ref page="specific-software-file-type-tricks/browser-artifacts.md" %}
|
||||
|
||||
|
||||
|
||||
|
||||
|
|
|
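Review bot: the added prose in this hunk needs a grammar pass before merge: "Depending on the used OSs and even platform different interesting artifacts should be searched:" reads better as "Depending on the OS and platform in use, different artifacts are worth searching for:"; "If you have very **suspicious** **file**" is missing an article ("a very suspicious file"); and "I want to do a special mention to the page:" could be "Special mention goes to:". The `{% page-ref %}` targets (`partitions-file-systems-carving/`, `windows-forensics/`, `linux-forensics.md`, `docker-forensics.md`, `specific-software-file-type-tricks/browser-artifacts.md`) match the paths in the SUMMARY.md hunk.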
@ -1,6 +1,6 @@
|
|||
# Memory dump analysis
|
||||
|
||||
Start **searching** for **malware** inside the pcap. Use the **tools** mentioned in [**Malware Analysis**](malware-analysis.md).
|
||||
Start **searching** for **malware** inside the pcap. Use the **tools** mentioned in [**Malware Analysis**](../../malware-analysis.md).
|
||||
|
||||
## [Volatility](volatility-examples.md)
|
||||
|
||||
|
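Review bot: the sentence "Start searching for malware inside the pcap" is on the Memory dump analysis page, so it should say "inside the memory dump"; this change only fixes the relative link (`malware-analysis.md` to `../../malware-analysis.md`) and leaves the wrong wording in place. Worth fixing in the same commit since the line is already being touched.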
@ -11,17 +11,17 @@ From: [https://trailofbits.github.io/ctf/forensics/](https://trailofbits.github.
|
|||
|
||||
When the dump is small \(just some KB, maybe a few MB\) the it's probably a mini dump crash report and not a memory dump.
|
||||
|
||||
![](../.gitbook/assets/image%20%28305%29.png)
|
||||
![](../../../.gitbook/assets/image%20%28305%29.png)
|
||||
|
||||
If you hat Visual Studio installed, you can open this file and bind some basic information like process name, architecture, exception info and modules being executed:
|
||||
|
||||
![](../.gitbook/assets/image%20%28164%29.png)
|
||||
![](../../../.gitbook/assets/image%20%28164%29.png)
|
||||
|
||||
You can also load the exception and see the decompiled instructions
|
||||
|
||||
![](../.gitbook/assets/image%20%282%29.png)
|
||||
![](../../../.gitbook/assets/image%20%282%29.png)
|
||||
|
||||
![](../.gitbook/assets/image%20%28149%29.png)
|
||||
![](../../../.gitbook/assets/image%20%28149%29.png)
|
||||
|
||||
Anyway Visual Studio isn't the best tool to perform a analysis in depth of the dump.
|
||||
|
|
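Review bot: several typos sit on the unchanged lines of this hunk and should be fixed while the image paths are being updated: "the it's probably a mini dump" ("then it's probably"), "If you hat Visual Studio installed" ("have"), "bind some basic information" ("find"), and "perform a analysis in depth of the dump" ("perform an in-depth analysis of the dump"). The image path change from `../.gitbook/` to `../../../.gitbook/` is consistent with the page moving two directories deeper, as the SUMMARY.md hunk shows.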
@ -130,7 +130,7 @@ The plugin `banners.Banners` can be used in **vol3 to try to find linux banners*
|
|||
|
||||
## Hashes/Passwords
|
||||
|
||||
Extract SAM hashes, [domain cached credentials](../windows/stealing-credentials/credentials-protections.md#cached-credentials) and [lsa secrets](../windows/authentication-credentials-uac-and-efs.md#lsa-secrets).
|
||||
Extract SAM hashes, [domain cached credentials](../../../windows/stealing-credentials/credentials-protections.md#cached-credentials) and [lsa secrets](../../../windows/authentication-credentials-uac-and-efs.md#lsa-secrets).
|
||||
|
||||
{% tabs %}
|
||||
{% tab title="vol3" %}
|
|
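Review bot: the new link depth (`../../../windows/...` replacing `../windows/...`) matches the page's new location under `forensics/basic-forensics-esp/memory-dump-analysis/`; since the target pages are not part of this diff, please confirm the `#cached-credentials` and `#lsa-secrets` anchors still resolve in `credentials-protections.md` and `authentication-credentials-uac-and-efs.md`.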
@ -1,2 +1,24 @@
|
|||
# Specific Software/File-Type Tricks
|
||||
|
||||
Here you can find interesting tricks for specific file-types and/or software:
|
||||
|
||||
{% page-ref page=".pyc.md" %}
|
||||
|
||||
{% page-ref page="browser-artifacts.md" %}
|
||||
|
||||
{% page-ref page="desofuscation-vbs-cscript.exe.md" %}
|
||||
|
||||
{% page-ref page="local-cloud-storage.md" %}
|
||||
|
||||
{% page-ref page="office-file-analysis.md" %}
|
||||
|
||||
{% page-ref page="pdf-file-analysis.md" %}
|
||||
|
||||
{% page-ref page="png-tricks.md" %}
|
||||
|
||||
{% page-ref page="video-and-audio-file-analysis.md" %}
|
||||
|
||||
{% page-ref page="zips-tricks.md" %}
|
||||
|
||||
|
||||
|
||||
|
|
|
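Review bot: the page-ref list here and the SUMMARY.md hunk disagree on the contents of `specific-software-file-type-tricks/`: the SUMMARY lists `usb-logs-analysis.md` and `cloud-storage.md` under that directory, but this README references neither (it links `local-cloud-storage.md` instead). Either add `{% page-ref page="usb-logs-analysis.md" %}` here or drop that SUMMARY entry, so the index and the README describe the same set of pages.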
@ -1,4 +1,4 @@
|
|||
# Cloud Storage
|
||||
# Local Cloud Storage
|
||||
|
||||
## OneDrive
|
||||
|
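Review bot: the heading changes from "Cloud Storage" to "Local Cloud Storage", and SUMMARY.md now links `local-cloud-storage.md`, but a rendered heading change does not show a file rename; please confirm the file itself was renamed so the link resolves. A one-line intro under the new title explaining that the page covers the artifacts cloud-storage clients (OneDrive and the others) leave on the local disk would make the "Local" qualifier clear to readers.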