1. tools
1.1 collect
| Evidence | Tool |
|---|---|
| 💿 Harddisk image | guymager, dc3dd |
| 🖥️ Live Windows | dfir-orc, doc |
| 🖥️ Live Windows | KAPE |
| 🖥️ Live Windows | fastir |
1.2 triage
| Evidence | Tool | Description |
|---|---|---|
| 💿 Harddisk image | sleuthkit, doc | Forensic tools to investigate volume and file system data: img_stat, mmls, ils, blkls, fls, fsstat |
| NTFS METAfiles | analyzeMFT, MFTExplorer | ADS, anti-forensics (SNI, FN), downloads from the internet. Process ($LogFile, $UsnJrnl, AmCache) & network activity ($LogFmt). |
| Logs Security KDC | LogonTracer | Generates graphs of logon activity. |
| Logs Security Windows | evtx_dump, fd, timeline explorer | Multi-threaded EVTX parser supporting both XML and JSON output. |
| 🖥️ Live Windows | cmd, powershell | PSSession, Windows Registry, AD queries, file transfer with PowerShell, logs. |
| 🖥️ Live Linux | bash, bash2, logs | bash and log manipulation. |
| Web browsing | hindsight | chromium, firefox, safari. |
| 💾 File OLE | /dfir/mlw/ole | editing in progress… |
| 💾 File PDF | /dfir/mlw/pdf | Cheatsheet for the dist67/malicious PDF workshop with the "pdfid.py" and "pdf-parser.py" tools. |
| 💾 File LNK | /dfir/mlw/lnk | editing in progress… |
| 💾 File PNG | /dfir/mlw/png | editing in progress… |
| 💾 ADS MotW | PS live: Get-Item, Get-Content -Stream | Also covers bypasses via software that does not support ADS (7Z, CSPROJ) and container files (ISO, VHD). |
2. kb
| Operating System | KnowledgeBase (KB) | Description |
|---|---|---|
| Windows | Project Windows Events | ARTIFACT: Exhaustive artifacts list tagged with categories: File Download, Program Execution, Deleted File or File Knowledge, Network Activity / Physical Location, File/Folder Opening, Account Usage, External Device/USB Usage, Browser Usage. |
| Windows | UltimateWindowsSecurity | LOGS: Encyclopedia for the Windows Security Logs. |
| Windows | STRONTIC | EXE: First place to look up what a binary is about. |
| Windows | Project Windows Drivers | SYS: Curated list of LOL drivers used by adversaries to bypass security controls and carry out attacks. |
| Windows | Project LOLBAS | LOLBAS: Windows LOLBAS offensive security techniques used for download, execution and bypass. |
| Windows | Project wadcoms | AD: Windows/AD offensive security techniques. |
| Windows | Project Hijack Libs | LIB: … |
| Windows | csandker.io - redteam TTPs over Windows Named Pipes | PIPES: Advanced project on security information regarding Windows named pipes. |
| 🐧 Linux | Project GTFO | GTFO: Linux GTFO offensive security techniques used for download, execution and bypass. |
| 🐧 Linux | explainshell | SHELL: explains command-line fu. |