
dfir / bookmarks

1. tools

1.1 collect

| Evidence | Tool |
|---|---|
| 💿 Harddisk image | Guymager, dc3dd |
| 🖥️ Live Windows | dfir-orc, doc |
| 🖥️ Live Windows | KAPE |
| 🖥️ Live Windows | fastir |

1.2 triage

| Evidence | Tool | Description |
|---|---|---|
| 💿 Harddisk image | sleuthkit, doc | Forensics tools to investigate volume and file system data: img_stat, mmls, ils, blkls, fls, fsstat |
| 📂 NTFS METAfiles | analyzeMFT, MFTExplorer | ADS, anti-forensics (SNI, FN), downloads from the internet. Process ($LogFile, $UsnJrnl, AmCache) and network activity ($LogFmt). |
| 📃 Logs Security KDC | LogonTracer | Generates graphs of logon activity. |
| 📃 Logs Security Windows | evtx_dump, fd, timeline explorer | Multi-threaded EVTX parser supporting both XML and JSON output. |
| 🖥️ Live Windows | cmd, powershell | PSSession, Windows Registry, AD query, transfer with PowerShell, logs. |
| 🖥️ Live Linux | bash, bash2, logs | bash and log manipulation. |
| 🌐 Web browsing | hindsight | Chromium, Firefox, Safari. |
| 👾 File OLE | /dfir/mlw/ole | editing in progress… |
| 👾 File PDF | /dfir/mlw/pdf | Cheatsheet for the dist67 malicious PDF workshop with the ‘pdfid.py’ and ‘pdf-parser.py’ tools. |
| 👾 File LNK | /dfir/mlw/lnk | editing in progress… |
| 👾 File PNG | /dfir/mlw/png | editing in progress… |
| 👾 ADS Motw | PS live: Get-Item, Get-Content -Stream | Also covers bypasses via software that does not support ADS (7z, CSPROJ) and container files (ISO, VHD). |

2. kb

| Operating System | KnowledgeBase (KB) | Description |
|---|---|---|
| 📃 Windows | Project Windows Events | ARTIFACT: Exhaustive artifact list tagged with categories: File Download, Program Execution, Deleted File or File Knowledge, Network Activity/Physical Location, File/Folder Opening, Account Usage, External Device/USB Usage, Browser Usage. |
| 📃 Windows | UltimateWindowsSecurity | LOGS: Encyclopedia of the Windows Security logs. |
| 🗑️ Windows | STRONTIC | EXE: First place to look up what a binary is about. |
| 🗑️ Windows | Project Windows Drivers | SYS: Curated list of LOL drivers used by adversaries to bypass security controls and carry out attacks. |
| 🗑️ Windows | Project LOLBAS | LOLBAS: Windows LOLBAS offensive security techniques used for download, execute and bypass. |
| 🗑️ Windows | Project wadcoms | AD: Windows/AD offensive security techniques. |
| 🗑️ Windows | Project HijackLibs | LIB: … |
| 🗑️ Windows | csandker.io - redteam TTPs over Windows Named Pipes | PIPES: Advanced project on security information regarding Windows Named Pipes. |
| 🐧 Linux | Project GTFO | GTFO: Linux GTFO offensive security techniques used for download, execute and bypass. |
| 🐧 Linux | explainshell | SHELL: explains command-line fu. |