
dfir / bookmarks

1. tools

1.1 collect

| Evidence | Tool |
|---|---|
| 💿 Harddisk image | guymager, dc3dd |
| 🖥️ Live Windows | dfir-orc, doc |
| 🖥️ Live Windows | KAPE |
| 🖥️ Live Windows | fastir |

1.2 triage

| Evidence | Tool | Description |
|---|---|---|
| 💿 Harddisk image | sleuthkit, doc | Forensics tools to investigate volume and file system data: img_stat, mmls, ils, blkls, fls, fsstat. |
| 📂 NTFS METAfiles | analyzeMFT, MFTExplorer | ADS, anti-forensics ($SI vs $FN timestamps), downloads from the internet. Process execution ($LogFile, $UsnJrnl, AmCache) & network activity ($LogFmt). |
| 📃 Logs Security KDC | LogonTracer | Generates graphs of the logon activity. |
| 📃 Logs Security Windows | evtx_dump, fd, timeline explorer | Multi-threaded EVTX parser supporting both XML and JSON output. |
| 🖥️ Live Windows | cmd, powershell | PSSession, Windows Registry, AD query, file transfer with PowerShell, logs. |
| 🖥️ Live Linux | bash, bash2, logs | bash and log manipulation. |
| 🌐 Web browsing | hindsight | chromium, firefox, safari. |
| 👾 File OLE | /dfir/mlw/ole | editing in progress… |
| 👾 File PDF | /dfir/mlw/pdf | Cheatsheet for the dist67 malicious PDF workshop with the ‘pdfid.py’ and ‘pdf-parser.py’ tools. |
| 👾 File LNK | /dfir/mlw/lnk | editing in progress… |
| 👾 File PNG | /dfir/mlw/png | editing in progress… |
| 👾 ADS MotW | PS live: Get-Item, Get-Content -Stream | Also covers MotW bypasses: software that does not preserve ADS (7Z, CSPROJ) & container files (ISO, VHD). |
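The ADS MotW row above only names the two cmdlets. The following script is an added example (not code from the bookmarked page or from any of the listed projects) that puts them together for a live-triage pass over a directory: it reads the `Zone.Identifier` stream of every file, extracts `ZoneId`, `ReferrerUrl` and `HostUrl`, and separately flags container formats (ISO/VHD) that carry the mark, since files mounted from such containers will not. The default root path, the `$ContainerExt` list and the zone filter value are assumptions for the example.

```powershell
# Added example: Mark-of-the-Web (MotW) triage with built-in cmdlets only.
# Assumptions: $Root defaults to the user's Downloads folder; $ContainerExt lists
# formats whose contents lose MotW when mounted (assumed from the table above).
param(
    [string]$Root = "$env:USERPROFILE\Downloads"
)

$ContainerExt = @('.iso', '.img', '.vhd', '.vhdx')

function Get-MotwInfo {
    param([Parameter(Mandatory)][System.IO.FileInfo]$File)

    $result = [ordered]@{
        Path        = $File.FullName
        HasMotw     = $false
        ZoneId      = $null
        ReferrerUrl = $null
        HostUrl     = $null
        Container   = $ContainerExt -contains $File.Extension.ToLower()
    }

    # Get-Item -Stream returns the alternate data stream only if it exists;
    # a file without MotW raises an error that we silence here.
    $zone = Get-Item -LiteralPath $File.FullName -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue
    if ($zone) {
        $result.HasMotw = $true
        # The stream body is an INI-style [ZoneTransfer] section: Key=Value lines.
        $lines = Get-Content -LiteralPath $File.FullName -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue
        foreach ($line in $lines) {
            if ($line -match '^(ZoneId|ReferrerUrl|HostUrl)=(.*)$') {
                $result[$matches[1]] = $matches[2].Trim()
            }
        }
    }
    [pscustomobject]$result
}

$report = Get-ChildItem -LiteralPath $Root -File -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object { Get-MotwInfo -File $_ }

# Files downloaded from the Internet zone (ZoneId=3) together with their origin URLs.
$report | Where-Object { $_.ZoneId -eq '3' } |
    Select-Object Path, ReferrerUrl, HostUrl | Format-Table -AutoSize

# Containers that carry MotW: anything mounted from them is unmarked, so the
# HostUrl recorded here is the only download provenance you will get for the payload.
$report | Where-Object { $_.Container -and $_.HasMotw } |
    Select-Object Path, HostUrl | Format-Table -AutoSize
```

Run it from an elevated or normal PowerShell session on the live host (`-Stream` requires PowerShell 3.0+ and an NTFS volume). Files extracted by archivers that do not propagate ADS will simply show `HasMotw = False`, which is why the archive itself, not its extracted contents, is where to look for `HostUrl`.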

2. kb

| Operating System | KnowledgeBase (KB) | Description |
|---|---|---|
| 📃 Windows | Project Windows Events | ARTIFACT: Exhaustive artifacts list tagged with categories: File Download, Program Execution, Deleted File or File Knowledge, Network Activity/Physical Location, File/Folder Opening, Account Usage, External Device/USB Usage, Browser Usage. |
| 📃 Windows | UltimateWindowsSecurity | LOGS: Encyclopedia for the Windows Security Logs. |
| 🗑️ Windows | STRONTIC | EXE: First place to look to find out what a binary is. |
| 🗑️ Windows | Project Windows Drivers | SYS: Curated list of LOL drivers used by adversaries to bypass security controls and carry out attacks. |
| 🗑️ Windows | Project LOLBAS | LOLBAS: Windows LOLBAS offensive security techniques used for download, execute and bypass. |
| 🗑️ Windows | Project wadcoms | AD: Windows/AD offensive security techniques. |
| 🗑️ Windows | Project Hijack Libs | LIB: … |
| 🗑️ Windows | csandker.io - redteam TTPs over Windows Named Pipes | PIPES: Advanced project on security information regarding Windows Named Pipes. |
| 🐧 Linux | Project GTFO | GTFO: Linux GTFOBins offensive security techniques used for download, execute and bypass. |
| 🐧 Linux | explainshell | SHELL: explains command lines. |