Useful tools worth knowing about
Tool | Description |
---|---|
ArtifactExtractor | Extracts Windows artifacts (registry hives, Windows event logs, some other logs) from a raw disk image |
Autopsy | Disk image browser and parser: you can browse the file system and run ingest modules for .exe files, email messages, IP addresses, URLs, disk indexing, ... |
log2timeline | Generates a super timeline (part of plaso; see the linked how-to) |
Yara | Pattern-matching tool used mainly in malware research and detection, driven by rule files (a good rule collection is linked here) |
YaraGenerator | Generates a Yara rule for a given set of samples automatically |
ZipDump | Searches inside an archive file with Yara rules |
FTK Imager | Takes a disk or memory image of a machine |
RegistryChangesView | Shows the changes made to the registry between two snapshots |
VirusTotalHashScanner | Checks a list of hashes against VirusTotal for known-malicious files |
Prefetch Parser | Parses Prefetch files to get the last execution time and the execution count |
Eric Zimmerman's tools | Collection of useful DFIR tools by Eric Zimmerman |
OfficeParser | Parses Office documents; good for extracting the VBA macros inside them |
CDIR | Artifact collector |
Glogg | Cross-platform GUI alternative to grep for browsing and searching large log files |
Rekall | Memory analysis framework (similar to Volatility) |
bulk_volatility_scanner | Easy-to-use script that runs all Volatility plugins on every memory image provided; it takes the path of the images and the path of the output directory. Run it and sip tea or do something else until it is done |
BMC viewer | Viewer for the bitmaps stored in .bmc files (RDP bitmap cache) |
PC Hunter | GUI tool giving detailed information about processes, DLLs and hooks in both ring 0 and ring 3 (similar to Process Hacker) |
MemProcFS | Exposes memory as a mounted file system; also usable as an API, on live memory or on a memory dump file |
TC4shell | Decompresses most compressed and container formats, such as AD1 |
Recyclebin | Recycle Bin parser for $I files |
Linux_Forensic_Harvester | Fast triage tool for Linux |
Tool | Description |
---|---|
PEStudio | Malware initial assessment: file information, strings, resources, imports, ... |
dnSpy | .NET debugger and assembly editor |
Sysinternals | Windows Sysinternals utilities for monitoring the system |
DLLExportViewer | Shows all exported functions of a DLL file |
PDF-Parser & pdfid | Python scripts to triage and parse PDF files |
Snowman | Native executable decompiler to C/C++ |
exiftool | Extracts the metadata of a given file |
PE-Sieve | Takes a PID and compares the modules loaded in memory with their files on disk, reporting patched, hooked or injected code |
Jmp2it | Loads shellcode into an executable so you can attach IDA (or another debugger) and step through it |
File Signature | Website listing file extensions and their magic-byte signatures |
ProcDOT | Visualization for Process Monitor logs |
TcpLogView | Logs every TCP connection opened on the machine together with the owning process |
PE Capture | Captures PE files (executables, DLLs, drivers) as they are loaded in the system |
PolarProxy | Intercepts and decrypts TLS traffic from malware run in a controlled environment |
Thug | Honeyclient designed to mimic the behavior of a user-driven network client application such as a web browser |
SpiderMonkey | Useful for analyzing standalone JavaScript malware (not embedded in HTML); on REMnux run it with the `js` command |
Box-js | Emulates a Windows JScript environment and reports what the JavaScript would do on a real host (URLs, IoCs, dropped code, etc.) |
scdbg | Shellcode analysis application built around the libemu emulation library; when run it shows every Windows API the shellcode attempts to call |
Shellcode2exe | Converts raw shellcode into a Windows executable file |
FLOSS | Uses advanced static analysis techniques to automatically deobfuscate strings from malware binaries |
Tool | Description |
---|---|
UPXEasyGUI | UPX packer and unpacker with a GUI |
RDGPackerDetector | Detects which packer was used on a given program |
ConfuserEx-DeObfuscate | Tools to deobfuscate executables protected with ConfuserEx |
Scylla | Rebuilds the import address table of an executable (useful for manual unpacking) |
Protection_ID.eXe | Detects the protection/obfuscation type of an executable |
Link | Description |
---|---|
XSS cheat sheet | List of XSS techniques |
Stego tools | List of steganography tools |
Convert every EVTX file found under `*/Logs/` to XML under `./Events/`, keeping the original directory layout (`evtx_dump.py` is the converter shipped with python-evtx and writes XML to stdout):

```bash
for f in */Logs/*.evtx ; do
  echo "$f"
  mkdir -p "./Events/$(dirname "$f")"
  evtx_dump.py "$f" > "./Events/${f%.evtx}.xml"
  echo " Done ..."
done
```

The same loop, but skipping any file larger than 550000000 bytes (python-evtx is slow on very large logs):

```bash
for f in */Logs/*.evtx ; do
  echo "$f"
  mkdir -p "./Events/$(dirname "$f")"
  if [ "$(wc -c < "$f")" -le 550000000 ]; then
    evtx_dump.py "$f" > "./Events/${f%.evtx}.xml"
  fi
  echo " Done ..."
done
```

Fast version for a flat directory of EVTX files:

```bash
mkdir -p ./Events
for f in ./*.evtx ; do
  echo "$f"
  evtx_dump.py "$f" > "./Events/${f%.evtx}.xml"
  echo " Done ..."
done
```
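The loops above as one reusable function, added here as an example rather than taken from the original page: it walks `SRC/*/Logs/*.evtx`, mirrors the directory layout under `DST`, skips anything above a byte limit, and names the output after the `.evtx` file. The converter is assumed to be python-evtx's `evtx_dump.py` on the PATH; the `EVTX_DUMP` variable, the function name and the demo files are inventions of this example (the demo substitutes `cat` so it runs without python-evtx installed).

```sh
#!/bin/sh
# Added example (not from the original page): mirrored, size-gated EVTX -> XML
# conversion. Assumes evtx_dump.py (python-evtx) writes XML to stdout; set
# EVTX_DUMP to use another converter (the demo below uses cat).

# usage: convert_evtx_tree SRC_ROOT DST_ROOT [MAX_BYTES]
# Prints one "converted <rel path>" or "skipped <rel path> (N bytes)" line per file.
convert_evtx_tree() {
    src=$1 dst=$2 max=${3:-550000000}
    for f in "$src"/*/Logs/*.evtx; do
        [ -f "$f" ] || continue             # unmatched glob stays literal; skip it
        rel=${f#"$src"/}                     # e.g. host1/Logs/Security.evtx
        size=$(wc -c < "$f" | tr -d ' ')     # tr: BSD wc pads the number with spaces
        if [ "$size" -gt "$max" ]; then
            printf 'skipped %s (%s bytes)\n' "$rel" "$size"
            continue
        fi
        mkdir -p "$dst/$(dirname "$rel")"
        # strip .evtx, not .xml: ${f%.xml} on an .evtx name changes nothing
        "${EVTX_DUMP:-evtx_dump.py}" "$f" > "$dst/${rel%.evtx}.xml"
        printf 'converted %s\n' "$rel"
    done
}

# Offline demo with constructed stand-in files: run as `sh script.sh demo`.
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d)
    mkdir -p "$tmp/src/host1/Logs" "$tmp/src/host2/Logs"
    printf '<Events/>' > "$tmp/src/host1/Logs/Security.evtx"   # small: converted
    head -c 4096 /dev/zero > "$tmp/src/host2/Logs/System.evtx"  # over the 1024-byte demo limit: skipped
    EVTX_DUMP=cat convert_evtx_tree "$tmp/src" "$tmp/out" 1024
    find "$tmp/out" -type f
    rm -rf "$tmp"
fi
```

Pass `SRC_ROOT` without a trailing slash, otherwise the relative path computed by `${f#"$src"/}` keeps a leading slash and the mirror lands in the wrong place.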
Copy files and show overall progress (use `-a` instead of `-r` when timestamps and permissions of the copied evidence matter):

```bash
rsync -r --info=progress2 source destination
```
Extract the VBA macros from every document in the current directory, one output folder per file:

```bash
for f in * ; do
  [ -f "$f" ] || continue
  echo "$f"
  mkdir -p "./output/$f"
  officeparser --extract-macros "$f" -o "./output/$f"
  echo " Done ..."
done
```
How to use xargs to run commands in parallel:

```bash
find ./ -name '*.log' | xargs -rtP 20 -L1 grep "pattern" > output.txt
```

-P 20: run up to 20 processes at the same time
-t: print each command before running it (to stderr)
-r: run nothing if there is no input
-L1: one input line per command, i.e. one file per grep
Note: with -L1 each grep sees a single file, so it omits the file name from its output, and with 20 workers writing to the same output.txt the lines from different files end up mixed together; when there are many input files it is better not to use -L1 (or to add `grep -H`), so that every match is labelled with its file.
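The parallel grep done in a way that keeps the output usable, added here as an example and not part of the original page: `-print0`/`-0` survives odd file names, `-n 50` hands each worker a batch instead of one file, `grep -H` forces the `file:line` prefix even for a single-file batch, and `--line-buffered` makes every match a single write so concurrent workers can interleave lines but never split one. The function name and the sample log lines are constructed for this example.

```sh
#!/bin/sh
# Added example (not from the original page): parallel grep over a tree of
# *.log files with xargs, avoiding the mixed-up, unlabelled output of the
# "-L1" one-liner. Requires find/xargs/grep with -print0, -0/-P and -H.

# usage: parallel_grep ROOT PATTERN OUTFILE [JOBS]
# Writes sorted "path:matching line" records to OUTFILE and prints the match count.
parallel_grep() {
    root=$1 pattern=$2 out=$3 jobs=${4:-20}
    # xargs exits 123 when some batch had no match at all; that is not an error here
    find "$root" -type f -name '*.log' -print0 |
        xargs -0 -r -P "$jobs" -n 50 grep -H --line-buffered -- "$pattern" > "$out" || :
    # workers finish in arbitrary order; sort so the result file is reproducible
    sort -o "$out" "$out"
    wc -l < "$out" | tr -d ' '
}

# Constructed sample tree so the example runs offline.
make_sample_logs() {
    dir=$1
    mkdir -p "$dir/web" "$dir/auth"
    printf '%s\n' 'GET /index.html 200' 'GET /../../etc/passwd 403' > "$dir/web/access.log"
    printf '%s\n' 'login ok alice' 'login failed root' 'login failed root' > "$dir/auth/secure.log"
    printf '%s\n' 'login failed root' > "$dir/auth/old.txt"   # wrong extension: must be ignored
}

# Demo: run as `sh script.sh demo`.
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d)
    make_sample_logs "$tmp"
    parallel_grep "$tmp" 'failed root' "$tmp/hits.txt" 4
    cat "$tmp/hits.txt"
    rm -rf "$tmp"
fi
```

Drop `-t` from the one-liner when running this way; with many batches the echoed commands only add noise on stderr.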
How to set up a Linux machine as a forwarder (NAT gateway) between two interfaces, here with 10.0.1.0/24 on the internal side:

```bash
modprobe iptable_nat
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -d 0/0 -s 10.0.1.0/24 -j MASQUERADE
iptables -A FORWARD -s 10.0.1.0/24 -d 0/0 -j ACCEPT
iptables -A FORWARD -s 0/0 -d 10.0.1.0/24 -j ACCEPT
```

These rules do not survive a reboot and accept traffic in both directions for the whole /24 on any interface, so restrict them (for example by interface) before using the box as anything more than a lab gateway.
For a single compressed log, use zgrep exactly as you would use grep. For many files:

```bash
find . -iname "*.gz" -print0 | xargs -0 zgrep -H <options like -P or -i ...> "<str or regex if using -P>"
```
Also check this Splunk reference.