- Android
- bc
- binwalk
- capa
- dd
- emlAnalyzer
- exiftool
- file
- FOREMOST
- git-dumper
- Git
- HEX
- inetsim
- iOS
- Jamovi
- ltrace
- memdump
- MemProcFS
- Microsoft Windows
- oletools
- pngcheck
- steg_brute
- Steghide
- strings
- Sysinternals
- usbrip
- Volatility
- xxd
- zsteg
Name | Description | URL |
---|---|---|
BinDiff | Quickly find differences and similarities in disassembled code | https://github.com/google/bindiff |
CAPA | The FLARE team's open-source tool to identify capabilities in executable files. | https://github.com/mandiant/capa |
Cheatsheet: Linux Forensics Analysis | Cheat sheet to use during Linux forensics. | https://fareedfauzi.github.io/2024/03/29/Linux-Forensics-cheatsheet.html |
Cheatsheet: Windows Forensics Analysis | Cheat sheet to use during Windows forensics. | https://fareedfauzi.github.io/2023/12/22/Windows-Forensics-checklist-cheatsheet.html |
Depix | Recovers passwords from pixelized screenshots | https://github.com/spipm/Depix |
FLOSS | FLARE Obfuscated String Solver - Automatically extract obfuscated strings from malware. | https://github.com/mandiant/flare-floss |
FOREMOST | Foremost is a console program to recover files based on their headers, footers, and internal data structures. | https://github.com/korczis/foremost |
kbd-audio | Acoustic keyboard eavesdropping | https://github.com/ggerganov/kbd-audio |
oletools | python tools to analyze MS OLE2 files (Structured Storage, Compound File Binary Format) and MS Office documents, for malware analysis, forensics and debugging. | https://github.com/decalage2/oletools |
MemProcFS | MemProcFS is an easy and convenient way of viewing physical memory as files in a virtual file system. | https://github.com/ufrisk/MemProcFS |
Process Hacker | A free, powerful, multi-purpose tool that helps you monitor system resources, debug software and detect malware. | https://process-hacker.com |
Process Monitor | Process Monitor is an advanced monitoring tool for Windows that shows real-time file system, Registry and process/thread activity. | https://learn.microsoft.com/en-us/sysinternals/downloads/procmon |
Regshot | Regshot is a small, free and open-source registry compare utility that allows you to quickly take a snapshot of your registry and then compare it with a second one - done after doing system changes or installing a new software product | https://github.com/Seabreg/Regshot |
scdbg | Visual Studio 2008 port of the libemu library that includes scdbg.exe, a modification of the sctest project, that includes more hooks, interactive debugging, reporting features, and ability to work with file format exploit shellcode. Will run under WINE | https://github.com/dzzie/VS_LIBEMU |
Steghide Brute Force Tool | Brute-forces the passphrase of a file carrying Steghide-embedded data by running steghide against a wordlist. | https://github.com/Va5c0/Steghide-Brute-Force-Tool |
Sysinternals Live | Every Sysinternals tool served directly from the web (also reachable as the share \\live.sysinternals.com\tools), so tools can be run without installing the suite. | https://live.sysinternals.com |
Sysinternals Suite | The Sysinternals Troubleshooting Utilities have been rolled up into a single Suite of tools. | https://docs.microsoft.com/en-us/sysinternals/downloads/sysinternals-suite |
Sysinternals Utilities | Sysinternals Utilities Index | https://docs.microsoft.com/en-us/sysinternals/downloads |
Volatility | An advanced memory forensics framework | https://github.com/volatilityfoundation/volatility |
$ ( printf "\x1f\x8b\x08\x00\x00\x00\x00\x00" ; tail -c +25 <FILE>.ab ) | tar xfvz -
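The one-liner above skips the 24-byte `.ab` header blindly and only works when the backup is unencrypted. The following is an added example, not code from the original page: it parses the header fields (magic, format version, compression flag, encryption algorithm) before touching the payload, so an encrypted backup is reported instead of turning into a corrupt archive. The sample backup is constructed in memory; no real device data or file paths are involved.

```python
#!/usr/bin/env python3
"""Parse the 24-byte header of an Android backup (.ab) and unpack it.

Added example for this cheatsheet. Layout of an .ab file:
  "ANDROID BACKUP\n"  magic
  "<version>\n"       backup format version
  "<compressed>\n"    "1" = payload is a zlib (java.util.zip.Deflater) stream
  "<encryption>\n"    "none" or "AES-256"
followed by the (compressed) tar archive. The sample below is constructed.
"""
import io
import tarfile
import zlib

MAGIC = b"ANDROID BACKUP\n"


def parse_ab_header(data):
    """Return the header fields and the byte offset where the payload starts."""
    if not data.startswith(MAGIC):
        raise ValueError("not an Android backup: bad magic")
    fields = []
    pos = len(MAGIC)
    for _ in range(3):  # version, compression flag, encryption algorithm
        end = data.index(b"\n", pos)
        fields.append(data[pos:end].decode("ascii"))
        pos = end + 1
    version, compressed, encryption = fields
    return {
        "version": int(version),
        "compressed": compressed == "1",
        "encryption": encryption,
        "payload_offset": pos,  # 24 for the usual "1\n1\nnone\n" header
    }


def extract_ab(data):
    """Inflate an unencrypted .ab and return {member name: content bytes}."""
    hdr = parse_ab_header(data)
    if hdr["encryption"] != "none":
        raise ValueError("backup is encrypted with %s; the passphrase is required"
                         % hdr["encryption"])
    payload = data[hdr["payload_offset"]:]
    if hdr["compressed"]:
        payload = zlib.decompress(payload)  # zlib stream, not gzip
    out = {}
    with tarfile.open(fileobj=io.BytesIO(payload), mode="r:") as tar:
        for member in tar:
            if member.isfile():
                out[member.name] = tar.extractfile(member).read()
    return out


def build_sample_ab(files, encryption="none"):
    """Construct a synthetic .ab in memory (demonstration data only)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:") as tar:
        for name, content in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    header = MAGIC + b"1\n1\n" + encryption.encode("ascii") + b"\n"
    return header + zlib.compress(buf.getvalue())


if __name__ == "__main__":
    sample = build_sample_ab({"apps/com.example/f/notes.txt": b"hello from the device\n"})
    print(parse_ab_header(sample))
    for name, content in extract_ab(sample).items():
        print(name, len(content), "bytes")
```

On a real backup, read the file with `open(path, "rb").read()` and pass it to `extract_ab`; if `parse_ab_header` reports `AES-256`, the payload has to be decrypted with the user's backup password first, which this example deliberately does not attempt.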
$ echo "obase=16; ibase=2; 00000000010...00000000000000" | BC_LINE_LENGTH=0 bc | xxd -p -r // BC_LINE_LENGTH=0 stops bc from wrapping long output with backslash continuations that xxd -r cannot parse
$ binwalk <FILE>
$ binwalk -e <FILE>
C:\> capa <FILE> -vv
$ ssh root@<RHOST> "dd if=/dev/sda1 status=progress" | dd of=sda1.dmp
$ emlAnalyzer -i <FILE>.eml --header --html -u --text --extract-all
$ exiftool -AllDates='YYYY:MM:DD HH:MM:SS' <FILE>.ext
$ exiftool -b -ThumbnailImage picture.ext > <FILE>.jpg
$ exiftool -p '$Filename $ImageSize' <FILE>.jpg
$ exiftool -all= <FILE>.JPG
$ exiftool -SerialNumber <FILE>.ext
$ exiftool -P -'Filename<DateTimeOriginal' -d %Y%m%d_%Hh%Mm%Ss_Handy.%%e folder/*
$ exiftool -q -r -t -f -S -n -csv -fileName -GPSPosition -Model -FocalLength -ExposureTime -FNumber -ISO -BrightnessValue -LensID "." > <FILE>.csv
$ exiftool -s3 -Creator *.pdf | sort -u > users.txt // -s3 prints only the tag value, so multi-word author names are not cut after the first word
$ file <FILE>
$ foremost -i <FILE>
$ ./git-dumper.py http://<DOMAIN>/<repo>/.git <OUTPUT_DIR>
$ git log --pretty=oneline
$ git log -p
$ hexdump -C <FILE> | less
#!/usr/bin/env python3
# Read a file containing a string of 0/1 characters and write its hex representation.
# Note: int(..., 2) treats the input as one number, so leading zero bits are dropped.
with open('blueshadow.txt', 'r') as infile:
    val = int(infile.read().strip(), 2)
with open('blueshadowhex', 'w') as hexfile:
    hexfile.write(hex(val))
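The script above is fine for a single number but loses information on a bit dump: `int(text, 2)` followed by `hex()` turns `00001000` into `0x8` rather than `08`, and it says nothing when the bit count is not a multiple of 8. The following is an added example, not code from the original page; it keeps leading zero bits, pads to byte boundaries explicitly and emits two hex digits per byte so the output can be fed straight into `xxd -r -p`. File names are placeholders and the sample strings are constructed.

```python
#!/usr/bin/env python3
"""Binary-string to hex/bytes conversion that preserves leading zero bits.

Added example for this cheatsheet (not from the original page).
"""
import re
import sys


def bits_to_bytes(bits, pad="left"):
    """Convert a string of 0/1 characters (whitespace ignored) to bytes.

    pad="left"  treats the text as one big-endian number (the int(s, 2) view).
    pad="right" treats it as a bit stream and zero-fills the final byte, which is
                usually what a bit-by-bit dump (e.g. an LSB steg extract) needs.
    Raises ValueError on anything other than 0, 1 and whitespace.
    """
    clean = re.sub(r"\s+", "", bits)
    if clean == "":
        return b""
    if re.search(r"[^01]", clean):
        raise ValueError("input contains characters other than 0 and 1")
    rem = len(clean) % 8
    if rem:
        fill = "0" * (8 - rem)
        clean = fill + clean if pad == "left" else clean + fill
    return bytes(int(clean[i:i + 8], 2) for i in range(0, len(clean), 8))


def bits_to_hex(bits, pad="left"):
    """Hex string with exactly two digits per byte, ready for `xxd -r -p`."""
    return bits_to_bytes(bits, pad).hex()


def bit_count_warning(bits):
    """Return a warning if the bit count is not byte-aligned, else None."""
    n = len(re.sub(r"\s+", "", bits))
    if n % 8 == 0:
        return None
    return "%d bits is not a multiple of 8; %d bit(s) of padding applied" % (n, 8 - n % 8)


if __name__ == "__main__":
    # Usage: python3 bits2hex.py <BITS_FILE> <HEX_FILE>   (defaults are placeholder names)
    src = sys.argv[1] if len(sys.argv) > 1 else "blueshadow.txt"
    dst = sys.argv[2] if len(sys.argv) > 2 else "blueshadowhex"
    with open(src) as f:
        text = f.read()
    warn = bit_count_warning(text)
    if warn:
        print("warning:", warn, file=sys.stderr)
    with open(dst, "w") as f:
        f.write(bits_to_hex(text))
```

Whether `pad="left"` or `pad="right"` is correct depends on how the bits were produced: a number written out in binary wants left padding, a stream captured bit by bit wants right padding. When in doubt, try both and check which one yields a known magic value at the start.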
$ cat /etc/inetsim/inetsim.conf | grep dns_default_ip
# dns_default_ip
# Syntax: dns_default_ip
dns_default_ip <LHOST>
$ sudo inetsim
$ sudo apt-get install libplist-utils
$ plistutil -i challenge.plist -o challenge.plist.xml
$ unzip <FILE>.omv
$ ltrace <BINARY>
#!/bin/bash
# Dump every private writable mapping (rw-p) of process $1 into <PID>_mem_<start>.bin.
# Reading /proc/<PID>/mem requires root or CAP_SYS_PTRACE over the target.
grep "rw-p" "/proc/$1/maps" | awk '{print $1}' | ( IFS="-"
while read -r a b; do
dd if="/proc/$1/mem" bs=$( getconf PAGESIZE ) iflag=skip_bytes,count_bytes \
skip=$(( 0x$a )) count=$(( 0x$b - 0x$a )) of="$1_mem_$a.bin"
done )
$ sudo ./memprocfs -device /PATH/TO/FILE/<FILE>.DMP -mount /mnt/ -forensic 1
<USER_PROFILE>\NTUSER.DAT
<USER_PROFILE>\AppData\Local\Microsoft\Windows\UsrClass.dat
$ sudo -H pip install -U oletools[full]
$ oledump <FILE> // first analysis
$ oledump <FILE> -s 4 // analysing datastream 4
$ oledump <FILE> -s 4 --vbadecompress // decompress macros
$ olevba <FILE>
$ mraptor <FILE>
$ msodde -l debug <FILE>
$ pyxswf <FILE>
$ oleobj -l debug <FILE>
$ rtfobj -l debug <FILE>
$ olebrowse <FILE>
$ olemeta <FILE>
$ oletimes <FILE>
$ oledir <FILE>
$ olemap <FILE>
$ pngcheck -vtp7f <FILE>
PS C:\> .\scdbg.exe -findsc /f \PATH\TO\FILE\<FILE>.sc
$ python steg_brute.py -b -d /usr/share/wordlists/rockyou.txt -f <FILE>.wav
$ steghide info <FILE>
$ steghide info <FILE> -p <PASSWORD>
$ steghide extract -sf <FILE>
$ steghide extract -sf <FILE> -p <PASSWORD>
$ strings <FILE>.mem > <FILE>.strings.ascii.txt
$ strings -e l <FILE>.mem > <FILE>.strings.unicode_little_endian.txt
$ strings -e b <FILE>.mem > <FILE>.strings.unicode_big_endian.txt
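The three `strings` runs above exist because Windows keeps most of its text (paths, command lines, registry values) as UTF-16LE, where every character is followed by a NUL byte and an ASCII-only pass sees nothing longer than one character. The block below is an added example, not code from the original page or from binutils: it extracts ASCII, UTF-16LE and UTF-16BE runs with their offsets, and resolves one trap `strings` leaves to the analyst, namely that a UTF-16 run read one byte off parses as the opposite endianness, so overlapping LE/BE hits are decided in favour of the 2-byte aligned reading. `SAMPLE` is a constructed byte buffer, not a memory image.

```python
#!/usr/bin/env python3
"""ASCII / UTF-16LE / UTF-16BE string extraction with offsets.

Added example for this cheatsheet (not from the original page or binutils).
"""
import re

# Constructed input: an ASCII command line, a UTF-16LE path and a UTF-16BE string.
SAMPLE = (
    b"\x00\x00MZ\x90\x00\x03\x00"                                     # 8 bytes of noise
    + b"powershell -enc SQBFAFgA" + b"\x00\x00"                       # ASCII at offset 8
    + "C:\\Windows\\Temp\\evil.exe".encode("utf-16-le") + b"\x00\x00"  # UTF-16LE at 34
    + "nc.exe -lvp 4444".encode("utf-16-be") + b"\x00\x00"           # UTF-16BE at 84
    + b"ab\x01cd"                                                     # runs shorter than min_len
)


def extract_strings(data, min_len=4):
    """Return sorted (offset, encoding, text) tuples for runs of >= min_len printable chars."""
    printable = rb"[\x20-\x7e]"
    ascii_re = re.compile(printable + rb"{%d,}" % min_len)
    utf16 = [
        ("utf16le", re.compile(rb"(?:" + printable + rb"\x00){%d,}" % min_len), "utf-16-le"),
        ("utf16be", re.compile(rb"(?:\x00" + printable + rb"){%d,}" % min_len), "utf-16-be"),
    ]
    results = [(m.start(), "ascii", m.group().decode("ascii")) for m in ascii_re.finditer(data)]

    candidates = []
    for label, rx, codec in utf16:
        for m in rx.finditer(data):
            candidates.append((m.start(), m.end(), label, m.group().decode(codec)))
    # Even offsets first: a genuine UTF-16 string in memory is 2-byte aligned, while its
    # one-byte-shifted "echo" in the other endianness always starts on an odd offset.
    kept = []
    for start, end, label, text in sorted(candidates, key=lambda c: (c[0] % 2, c[0])):
        if any(start < k_end and k_start < end for k_start, k_end, _, _ in kept):
            continue  # overlaps an aligned run that was already accepted
        kept.append((start, end, label, text))
    results.extend((s, label, text) for s, _, label, text in kept)
    return sorted(results)


if __name__ == "__main__":
    for offset, enc, text in extract_strings(SAMPLE):
        print("0x%08x %-8s %s" % (offset, enc, text))
```

On a real image, `data = open("<FILE>.mem", "rb").read()` is fine for dumps that fit in RAM; for larger files process it in overlapping windows so a string straddling a window boundary is not cut. The alignment heuristic assumes the dump starts on an even byte, which holds for raw physical memory images but not necessarily for carved fragments.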
https://docs.microsoft.com/en-us/sysinternals/downloads/sysinternals-suite
PS C:\> Download-SysInternalsTools C:\SysinternalsSuite
$ sudo usbrip events violations <FILE>.json -f syslog
https://volatility3.readthedocs.io/en/stable/volatility3.plugins.html
$ volatility -f <FILE> imageinfo
$ volatility -f <FILE> filescan
$ volatility -f <FILE> psscan
$ volatility -f <FILE> dumpfiles
$ volatility -f <FILE> windows.info
$ volatility -f <FILE> windows.pslist
$ volatility -f <FILE> windows.psscan
$ volatility -f <FILE> windows.dumpfiles
$ volatility -f <FILE> windows.dumpfiles --pid <ID>
$ volatility -f <FILE> windows.pstree.PsTree
$ volatility -f <FILE> windows.pslist.PsList
$ volatility -f <FILE> windows.cmdline.CmdLine
$ volatility -f <FILE> windows.filescan.FileScan
$ volatility -f <FILE> windows.dlllist.DllList
$ volatility -f <FILE> windows.malfind.Malfind
$ volatility -f <FILE> windows.psscan.PsScan
$ volatility -f <FILE> --profile=Win7SP1x86 filescan
$ volatility -f <FILE> --profile=Win7SP1x64 filescan | grep <NAME>
$ volatility -f <FILE> --profile=Win7SP1x86 truecryptsummary
$ volatility -f <FILE> --profile=Win7SP1x64 psscan --output=dot --output-file=memdump.dot
$ volatility -f <FILE> --profile=Win7SP1x64 dumpfiles -Q 0x000000001e8feb70 -D . // -Q takes the physical offset reported by filescan
$ volatility -f <FILE> --profile=Win7SP1x86 dumpfiles -Q 0x000000000bbc7166 --name -D . -v // --name is a flag that puts the original file name into the output path
$ for plugin in windows.malfind.Malfind windows.psscan.PsScan windows.pstree.PsTree windows.pslist.PsList windows.cmdline.CmdLine windows.filescan.FileScan windows.dlllist.DllList; do volatility -q -f <FILE> $plugin > <FILE>.$plugin.txt; done
$ xxd <FILE>
$ cat <FILE> | xxd -p
$ printf <VALUE> | xxd -p
$ cat <FILE> | xxd -p -r
$ curl http://<RHOST>/file | xxd -r -p
$ xxd -p -c 10000 <FILE>
$ xxd -r -p <FILE>.txt <FILE>.gpg // gpg is just an example
$ echo -n '!AD*G-KaPdSgVkY' | xxd -pu
$ xxd -p <FILE> | sed 's/../\\x&/g'
\x23\x21\x2f\x62\x69\x6e\x2f\x70\x79\x74\x68\x6f\x6e\x33\x0a\x69\x6d\x70\x6f\x72\x74\x20\x72\x65\x71\x75\x65\x73\x74\x73
$ xxd -r -ps <HEX_FILE> <FILE>.bin
$ zsteg -a <FILE> // runs all the methods on the given file
$ zsteg -E <FILE> // extracts data from the given payload (example : zsteg -E b4,bgr,msb,xy name.png)
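Before reaching for `zsteg`, the first questions on a suspicious PNG are the ones `pngcheck` answers: are the chunk CRCs intact, does the pixel data match the geometry declared in IHDR, and is anything appended after IEND. The block below is an added example for the `pngcheck` and `zsteg` entries on this page; it is not code from either project. It walks the chunk list, verifies each CRC, inflates the IDAT stream and compares its size with what IHDR implies, and returns whatever follows IEND. The sample images are constructed in memory; the `idat_expected` calculation assumes a bit depth of 8 or more, which is what the constructed samples use.

```python
#!/usr/bin/env python3
"""PNG chunk walker: CRC check, IHDR vs IDAT size check, trailing data after IEND.

Added example for this cheatsheet (not pngcheck or zsteg code).
"""
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# Samples per pixel by colour type: 0 grey, 2 RGB, 3 palette, 4 grey+alpha, 6 RGBA.
CHANNELS = {0: 1, 2: 3, 3: 1, 4: 2, 6: 4}


def analyze_png(data):
    """Return a dict with the chunk list, the IDAT size check and any trailing bytes."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("missing PNG signature")
    report = {"chunks": [], "trailing": b"", "truncated": False,
              "width": None, "height": None, "idat_expected": None, "idat_actual": None}
    idat = b""
    pos = len(PNG_SIGNATURE)
    while pos + 12 <= len(data):                       # smallest possible chunk is 12 bytes
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body_start = pos + 8
        body_end = body_start + length
        if body_end + 4 > len(data):
            report["truncated"] = True                 # declared length runs past end of file
            break
        body = data[body_start:body_end]
        (stored_crc,) = struct.unpack(">I", data[body_end:body_end + 4])
        crc_ok = zlib.crc32(ctype + body) == stored_crc  # CRC covers type + data, not length
        report["chunks"].append({"offset": pos, "type": ctype.decode("latin-1"),
                                 "length": length, "crc_ok": crc_ok})
        if ctype == b"IHDR":
            w, h, depth, colour_type = struct.unpack(">IIBB", body[:10])
            report["width"], report["height"] = w, h
            bpp = max(1, CHANNELS.get(colour_type, 1) * depth // 8)  # assumes depth >= 8
            report["idat_expected"] = h * (1 + w * bpp)  # one filter byte per scanline
        elif ctype == b"IDAT":
            idat += body                                # IDAT may be split into several chunks
        pos = body_end + 4
        if ctype == b"IEND":
            report["trailing"] = data[pos:]            # not part of the image at all
            break
    if idat:
        try:
            report["idat_actual"] = len(zlib.decompress(idat))
        except zlib.error:
            report["idat_actual"] = -1                 # corrupt or non-zlib pixel data
    return report


def _chunk(ctype, body, corrupt=False):
    crc = zlib.crc32(ctype + body) ^ (0x1 if corrupt else 0)
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def build_sample_png(width, height, trailing=b"", corrupt_idat_crc=False):
    """Constructed 8-bit RGB PNG for demonstration; optionally append data after IEND."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    rows = b"".join(b"\x00" + bytes([y & 0xFF, 0x40, 0x80]) * width for y in range(height))
    return (PNG_SIGNATURE + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(rows), corrupt=corrupt_idat_crc)
            + _chunk(b"IEND", b"") + trailing)


if __name__ == "__main__":
    sample = build_sample_png(4, 3, trailing=b"appended payload")
    rep = analyze_png(sample)
    for c in rep["chunks"]:
        print("%6d %s len=%d crc_ok=%s" % (c["offset"], c["type"], c["length"], c["crc_ok"]))
    print("IDAT expected %d, actual %d" % (rep["idat_expected"], rep["idat_actual"]))
    print("trailing bytes after IEND:", rep["trailing"])
```

A CRC failure on an ancillary chunk (tEXt, zTXt, private chunks) with valid IHDR/IDAT/IEND is a common sign that someone edited the chunk by hand; `idat_actual` larger than `idat_expected` means the deflate stream carries more than the picture; and non-empty `trailing` is the classic place for a concatenated archive or message, which `binwalk` or `foremost` from this page will carve.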