RegRipper

Description

The Registry Ripper, or RegRipper, is an open-source application for extracting, correlating, and displaying information from Windows NT registry hive files.

Platform	Perl
Author	H. Carvey
License	GPLv3
URL	https://github.com/warewolf/regripper

Usage

Rip 2.8_20130801 - CLI RegRipper tool	
Rip [-r Reg hive file] [-f plugin file] [-p plugin module] [-l] [-h]
Parse Windows Registry files, using either a single module, or a plugins file.
  -r Reg hive file...Registry hive file to parse
  -g ................Guess the hive file (experimental)
  -f [profile].......use the plugin file (default: plugins\\plugins)
  -p plugin module...use only this module
  -l ................list all plugins
  -c ................Output list in CSV format (use with -l)
  -s system name.....Server name (TLN support)
  -u username........User name (TLN support)
  -h.................Help (print this information)
  
Ex: C:\\>rip -r c:\\case\\system -f system
    C:\\>rip -r c:\\case\\ntuser.dat -p userassist
    C:\\>rip -l -c
All output goes to STDOUT; use redirection (ie, > or >>) to output to a file\.
  
copyright 2013 Quantum Analytics Research, LLC

Examples

rip.pl -r SAM -f sam > /cases/sam.txt

rip.pl -r SYSTEM -f system > /cases/system.txt

Blog Posts

Volatility

Description

A memory forensics analysis platform.

Platform	Python
Author	Volatility Foundation
License	GPLv2
URL	https://www.volatilityfoundation.org/

Usage

Options:
  -h, --help            list all available options and their default values.
                        Default values may be set in the configuration file
                        (/etc/volatilityrc)
  --conf-file=/root/.volatilityrc
                        User based configuration file
  -d, --debug           Debug volatility
  --plugins=PLUGINS     Additional plugin directories to use (colon separated)
  --info                Print information about all registered objects
  --cache-directory=/root/.cache/volatility
                        Directory where cache files are stored
  --cache               Use caching
  --tz=TZ               Sets the (Olson) timezone for displaying timestamps
                        using pytz (if installed) or tzset
  -f FILENAME, --filename=FILENAME
                        Filename to use when opening an image
  --profile=WinXPSP2x86
                        Name of the profile to load (use --info to see a list
                        of supported profiles)
  -l LOCATION, --location=LOCATION
                        A URN location from which to load an address space
  -w, --write           Enable write support
  --dtb=DTB             DTB Address
  --shift=SHIFT         Mac KASLR shift address
  --output=text         Output in this format (support is module specific, see
                        the Module Output Options below)
  --output-file=OUTPUT_FILE
                        Write output in this file
  -v, --verbose         Verbose information
  -g KDBG, --kdbg=KDBG  Specify a KDBG virtual address (Note: for 64-bit
                        Windows 8 and above this is the address of
                        KdCopyDataBlock)
  --force               Force utilization of suspect profile
  --cookie=COOKIE       Specify the address of nt!ObHeaderCookie (valid for
                        Windows 10 only)
  -k KPCR, --kpcr=KPCR  Specify a specific KPCR address

Supported Plugins

Supported Plugin Commands:
 
    amcache         Print AmCache information
    apihooks        Detect API hooks in process and kernel memory
    apihooksdeep    Detect API hooks in process and kernel memory, with ssdeep for whitelisting
    atoms           Print session and window station atom tables
    atomscan        Pool scanner for atom tables
    attributeht     Find Hacking Team implants and attempt to attribute them using a watermark.
    auditpol        Prints out the Audit Policies from HKLM\SECURITY\Policy\PolAdtEv
    autoruns        Searches the registry and memory space for applications running at system startup and maps them to running processes
    bigpools        Dump the big page pools using BigPagePoolScanner
    bioskbd         Reads the keyboard buffer from Real Mode memory
    cachedump       Dumps cached domain hashes from memory
    callbacks       Print system-wide notification routines
    chromecookies   Scans for and parses potential Chrome cookie data
    chromedownloadchains    Scans for and parses potential Chrome download chain records
    chromedownloads Scans for and parses potential Chrome download records
    chromehistory   Scans for and parses potential Chrome url history
    chromesearchterms   Scans for and parses potential Chrome keyword search terms
    chromevisits    Scans for and parses potential Chrome url visits data -- VERY SLOW, see -Q option
    clipboard       Extract the contents of the windows clipboard
    cmdline         Display process command-line arguments
    cmdscan         Extract command history by scanning for _COMMAND_HISTORY
    connections     Print list of open connections [Windows XP and 2003 Only]
    connscan        Pool scanner for tcp connections
    consoles        Extract command history by scanning for _CONSOLE_INFORMATION
    crashinfo       Dump crash-dump information
    deskscan        Poolscaner for tagDESKTOP (desktops)
    devicetree      Show device tree
    dlldump         Dump DLLs from a process address space
    dlllist         Print list of loaded dlls for each process
    driverbl        Scans memory for driver objects and compares the results with the baseline image
    driverirp       Driver IRP hook detection
    driveritem     
    drivermodule    Associate driver objects to kernel modules
    driverscan      Pool scanner for driver objects
    dumpcerts       Dump RSA private and public SSL keys
    dumpfiles       Extract memory mapped and cached files
    dumpregistry    Dumps registry files out to disk
    editbox         Dumps various data from ComCtl Edit controls (experimental: ListBox, ComboBox)
    envars          Display process environment variables
    eventhooks      Print details on windows event hooks
    evtlogs         Extract Windows Event Logs (XP/2003 only)
    fileitem       
    filescan        Pool scanner for file objects
    firefoxcookies  Scans for and parses potential Firefox cookies (cookies.sqlite moz_cookies table
    firefoxdownloads    Scans for and parses potential Firefox download records -- downloads.sqlite moz_downloads table pre FF26 only
    firefoxhistory  Scans for and parses potential Firefox url history (places.sqlite moz_places table)
    gahti           Dump the USER handle type information
    gditimers       Print installed GDI timers and callbacks
    gdt             Display Global Descriptor Table
    getservicesids  Get the names of services in the Registry and return Calculated SID
    getsids         Print the SIDs owning each process
    handles         Print list of open handles for each process
    hashdump        Dumps passwords hashes (LM/NTLM) from memory
    hibinfo         Dump hibernation file information
    hivedump        Prints out a hive
    hivelist        Print list of registry hives.
    hivescan        Pool scanner for registry hives
    hookitem       
    hpakextract     Extract physical memory from an HPAK file
    hpakinfo        Info on an HPAK file
    idt             Display Interrupt Descriptor Table
    idxparser       Scans for and parses Java IDX files
    iehistory       Reconstruct Internet Explorer cache / history
    imagecopy       Copies a physical address space out as a raw DD image
    imageinfo       Identify information for the image
    impscan         Scan for calls to imported functions
    joblinks        Print process job link information
    kdbgscan        Search for and dump potential KDBG values
    kpcrscan        Search for and dump potential KPCR values
    ldrmodules      Detect unlinked DLLs
    lsadump         Dump (decrypted) LSA secrets from the registry
    machoinfo       Dump Mach-O file format information
    malfind         Find hidden and injected code
    malfinddeep     Find hidden and injected code, whitelist with ssdeep hashes
    malprocfind     Finds malicious processes based on discrepancies from observed, normal behavior and properties
    malsysproc      Find malware hiding in plain sight as system processes
    mbrparser       Scans for and parses potential Master Boot Records (MBRs)
    memdump         Dump the addressable memory for a process
    memmap          Print the memory map
    messagehooks    List desktop and thread window message hooks
    mftparser       Scans for and parses potential MFT entries
    mimikatz        mimikatz offline
    moddump         Dump a kernel driver to an executable file sample
    modscan         Pool scanner for kernel modules
    modules         Print list of loaded modules
    multiscan       Scan for various objects at once
    mutantscan      Pool scanner for mutex objects
    ndispktscan     Extract the packets from memory
    notepad         List currently displayed notepad text
    objtypescan     Scan for Windows object type objects
    openioc_scan    Scan OpenIOC 1.1 based indicators
    openvpn         Extract OpenVPN client credentials (username, password) cached in memory.
    patcher         Patches memory based on page scans
    poolpeek        Configurable pool scanner plugin
    prefetchparser  Scans for and parses potential Prefetch files
    printkey        Print a registry key, and its subkeys and values
    privs           Display process privileges
    procdump        Dump a process to an executable file sample
    processbl       Scans memory for processes and loaded DLLs and compares the results with the baseline
    pslist          Print all running processes by following the EPROCESS lists
    psscan          Pool scanner for process objects
    pstotal         Combination of pslist,psscan & pstree --output=dot gives graphical representation
    pstree          Print process list as a tree
    psxview         Find hidden processes with various process listings
    qemuinfo        Dump Qemu information
    raw2dmp         Converts a physical memory sample to a windbg crash dump
    registryitem   
    rsakey          Extract base64/PEM encoded private RSA keys from physical memory.
    schtasks        Scans for and parses potential Scheduled Task (.JOB) files
    screenshot      Save a pseudo-screenshot based on GDI windows
    servicebl       Scans memory for service objects and compares the results with the baseline image
    servicediff     List Windows services (ala Plugx)
    serviceitem    
    sessions        List details on _MM_SESSION_SPACE (user logon sessions)
    shellbags       Prints ShellBags info
    shimcache       Parses the Application Compatibility Shim Cache registry key
    shimcachemem    Parses the Application Compatibility Shim Cache stored in kernel memory
    shutdowntime    Print ShutdownTime of machine from registry
    sockets         Print list of open sockets
    sockscan        Pool scanner for tcp socket objects
    ssdeepscan      Scan process or kernel memory with SSDeep signatures
    ssdt            Display SSDT entries
    strings         Match physical offsets to virtual addresses (may take a while, VERY verbose)
    svcscan         Scan for Windows services
    symlinkscan     Pool scanner for symlink objects
    thrdscan        Pool scanner for thread objects
    threads         Investigate _ETHREAD and _KTHREADs
    timeliner       Creates a timeline from various artifacts in memory
    timers          Print kernel timers and associated module DPCs
    truecryptmaster Recover TrueCrypt 7.1a Master Keys
    truecryptpassphrase TrueCrypt Cached Passphrase Finder
    truecryptsummary    TrueCrypt Summary
    trustrecords    Extract MS Office TrustRecords from the Registry
    uninstallinfo   Extract installed software info from Uninstall registry key
    unloadedmodules Print list of unloaded modules
    userassist      Print userassist registry keys and information
    userhandles     Dump the USER handle tables
    usnparser       Scans for and parses USN journal records
    vaddump         Dumps out the vad sections to a file
    vadinfo         Dump the VAD info
    vadtree         Walk the VAD tree and display in tree format
    vadwalk         Walk the VAD tree
    vboxinfo        Dump virtualbox information
    verinfo         Prints out the version information from PE images
    vmwareinfo      Dump VMware VMSS/VMSN information
    volshell        Shell in the memory image
    windows         Print Desktop Windows (verbose details)
    wintree         Print Z-Order Desktop Windows Tree
    wndscan         Pool scanner for window stations
    yarascan        Scan process or kernel memory with Yara signatures

Examples

Find the correct profile to use

This command will scan the memory image and attempt to guess the correct profile to use:

root@siftworkstation:~# vol.py -f ./win7-32-nromanoff-memory-raw.001 imageinfo
Volatility Foundation Volatility Framework 2.5
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : Win7SP0x86, Win7SP1x86
                     AS Layer1 : IA32PagedMemoryPae (Kernel AS)
                     AS Layer2 : FileAddressSpace (/home/sansforensics/netwars/win7-32-nromanoff-memory/win7-32-nromanoff-memory-raw.001)
                      PAE type : PAE
                           DTB : 0x185000L
                          KDBG : 0x82d29c28L
          Number of Processors : 1
     Image Type (Service Pack) : 1
                KPCR for CPU 0 : 0x82d2ac00L
             KUSER_SHARED_DATA : 0xffdf0000L
           Image date and time : 2012-04-06 20:52:46 UTC+0000
     Image local date and time : 2012-04-06 16:52:46 -0400

vol.py -f <image> –profile=<profile> pslist

This command will scan memory for currently running processes:

root@siftworkstation:~# vol.py -f ./win7-32-nromanoff-memory-raw.001 --profile=Win7SP0x86 pslist
Volatility Foundation Volatility Framework 2.5
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit                         
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x85c50958 System                    4      0    105      532 ------      0 2012-04-04 11:47:29 UTC+0000                                
0x86ecaa70 smss.exe                280      4      3       32 ------      0 2012-04-04 11:47:29 UTC+0000                                
0x86cfa540 csrss.exe               412    404      9      756      0      0 2012-04-04 11:47:41 UTC+0000                                
0x87d85d40 wininit.exe             464    404      3       74      0      0 2012-04-04 11:47:44 UTC+0000                                
0x86e7f030 csrss.exe               472    456      9       75      1      0 2012-04-04 11:47:44 UTC+0000                                
0x87d8fd40 winlogon.exe            520    456      3       91      1      0 2012-04-04 11:47:44 UTC+0000                                
0x87f68030 services.exe            564    464      7      243      0      0 2012-04-04 11:47:45 UTC+0000                                
0x87f79600 lsass.exe               592    464      8      888      0      0 2012-04-04 11:47:46 UTC+0000                                
0x87f8c030 lsm.exe                 600    464     10      248      0      0 2012-04-04 11:47:46 UTC+0000                                
0x87fc5590 svchost.exe             704    564     11      358      0      0 2012-04-04 11:47:48 UTC+0000                                
0x87fee6d0 svchost.exe             780    564      6      277      0      0 2012-04-04 11:47:51 UTC+0000                                
0x88000d40 svchost.exe             820    564     18      469      0      0 2012-04-04 11:47:51 UTC+0000                                
0x8800e178 LogonUI.exe             880    520      7      197      1      0 2012-04-04 11:47:51 UTC+0000                                
0x880308e8 svchost.exe             920    564     18      495      0      0 2012-04-04 11:47:51 UTC+0000                                
0x88047a58 svchost.exe             944    564     31     1213      0      0 2012-04-04 11:47:52 UTC+0000                                
0x880462b8 svchost.exe            1032    564     17      394      0      0 2012-04-04 11:47:52 UTC+0000                                
0x880a0758 svchost.exe            1184    564     20      634      0      0 2012-04-04 11:48:00 UTC+0000                                
0x88070d40 spoolsv.exe            1308    564     13      328      0      0 2012-04-04 11:48:03 UTC+0000                                
0x880e7030 svchost.exe            1344    564     17      295      0      0 2012-04-04 11:48:03 UTC+0000                                
0x88120658 armsvc.exe             1456    564      4       61      0      0 2012-04-04 11:48:04 UTC+0000                                
0x88145b38 FireSvc.exe            1516    564     22      355      0      0 2012-04-04 11:48:05 UTC+0000                                
0x881b8030 McSACore.exe           1604    564     11      199      0      0 2012-04-04 11:48:08 UTC+0000                                
0x881b4900 FireTray.exe           1624   1516      0 --------      0      0 2012-04-04 11:48:09 UTC+0000   2012-04-04 11:48:10 UTC+0000 
0x881dd770 FrameworkServi         1740    564     31      426      0      0 2012-04-04 11:48:10 UTC+0000                                
0x8820bd40 VsTskMgr.exe           1796    564     21      365      0      0 2012-04-04 11:48:11 UTC+0000                                
0x88227358 mfevtps.exe            1824    564      5      171      0      0 2012-04-04 11:48:12 UTC+0000                                
0x8821a660 mfeann.exe             1872   1796     14      181      0      0 2012-04-04 11:48:12 UTC+0000                                
0x88220d40 conhost.exe            1880    412      2       30      0      0 2012-04-04 11:48:12 UTC+0000                                
0x88235cf8 VMwareService.         1964    564      7      192      0      0 2012-04-04 11:48:14 UTC+0000                                
0x8824cd40 naPrdMgr.exe            200    704      8      252      0      0 2012-04-04 11:48:15 UTC+0000                                
0x88263648 mcshield.exe            332    564     28      459      0      0 2012-04-04 11:48:15 UTC+0000                                
0x8827d9f0 mfefire.exe             456    564      7      108      0      0 2012-04-04 11:48:23 UTC+0000                                
0x88295900 VMUpgradeHelpe          888    564      4       87      0      0 2012-04-04 11:48:24 UTC+0000                                
0x8842a4b8 svchost.exe            2980    564     12      198      0      0 2012-04-04 11:50:42 UTC+0000                                
0x885561f8 SearchIndexer.         3092    564     14      992      0      0 2012-04-04 11:50:46 UTC+0000                                
0x862709a0 csrss.exe              2132   3112      9      271      2      0 2012-04-04 14:45:30 UTC+0000                                
0x8617bd40 winlogon.exe           3836   3112      3      112      2      0 2012-04-04 14:45:30 UTC+0000                                
0x85dbcb48 taskhost.exe           1108    564      9      290      2      0 2012-04-04 14:45:43 UTC+0000                                
0x861bb8f0 rdpclip.exe            2408   1184      4       88      2      0 2012-04-04 14:45:43 UTC+0000                                
0x8625b030 dwm.exe                3924    920      3       67      2      0 2012-04-04 14:45:44 UTC+0000                                
0x8622b4b8 explorer.exe            296   2392     22      853      2      0 2012-04-04 14:45:45 UTC+0000                                
0x861d4520 VMwareTray.exe         3780    296      5       65      2      0 2012-04-04 14:45:46 UTC+0000                                
0x861b6518 VMwareUser.exe         3804    296      3       77      2      0 2012-04-04 14:45:46 UTC+0000                                
0x86272d40 UdaterUI.exe           2944   1740      6      109      2      0 2012-04-04 14:49:35 UTC+0000                                
0x863c8030 McTray.exe             2864   2944     23      341      2      0 2012-04-04 14:49:35 UTC+0000                                
0x85f98728 a.exe                  3264   3440      0 --------      2      0 2012-04-04 14:57:52 UTC+0000   2012-04-04 18:40:58 UTC+0000 
0x85e24030 OSPPSVC.EXE            4040    564      3      134      0      0 2012-04-04 15:42:01 UTC+0000                                
0x861d93a0 cmd.exe                3472   3264      0 --------      2      0 2012-04-04 15:47:47 UTC+0000   2012-04-04 15:49:07 UTC+0000 
0x862bfa40 spinlock.exe           3796   3472      0 --------      2      0 2012-04-04 15:48:18 UTC+0000   2012-04-04 18:43:25 UTC+0000 
0x8654c4a8 spinlock.exe           1208   3796      0 --------      2      0 2012-04-04 15:48:18 UTC+0000   2012-04-04 18:43:25 UTC+0000 
0x860f2578 cmd.exe                 208   1208      1       31      2      0 2012-04-04 18:43:24 UTC+0000                                
0x86136a60 conhost.exe            2840   2132      2       28      2      0 2012-04-04 18:43:25 UTC+0000                                
0x864e57c8 PSEXESVC.EXE           2100    564      6      104      0      0 2012-04-04 18:52:11 UTC+0000                                
0x862a4d40 svchost.exe            3612   2100      0 --------      0      0 2012-04-04 18:52:11 UTC+0000   2012-04-05 13:25:07 UTC+0000 
0x862bb290 spinlock.exe           2956   2100      1       26      0      0 2012-04-04 18:54:51 UTC+0000                                
0x86383c18 spinlock.exe           1328   2956      2      128      0      0 2012-04-04 18:54:51 UTC+0000                                
0x86d2b578 a.exe                  5008   4212      0 --------      0      0 2012-04-06 13:19:34 UTC+0000   2012-04-06 16:58:26 UTC+0000 
0x862f9a58 cmd.exe                5192   5008      1       28      0      0 2012-04-06 14:03:11 UTC+0000                                
0x86a1c8b8 conhost.exe            3408    412      2       31      0      0 2012-04-06 14:03:11 UTC+0000                                
0x8649d880 svchost.exe            6404   2100      8      256      0      0 2012-04-06 19:22:20 UTC+0000                                
0x86eeb430 f-response-ent         7776    564      8       75      0      0 2012-04-06 20:34:42 UTC+0000                                
0x85dde298 svchost.exe            5176    564      5       90      0      0 2012-04-06 20:34:44 UTC+0000

vol.py -f <image> –profile=<profile> netscan

This command will scan memory for net connections and their associated processes:

root@siftworkstation:~# vol.py -f ./win7-32-nromanoff-memory-raw.001 --profile=Win7SP0x86 netscan
Volatility Foundation Volatility Framework 2.5
Offset(P)          Proto    Local Address                  Foreign Address      State            Pid      Owner          Created
0x4fb90e0          UDPv4    0.0.0.0:0                      *:*                                   456      mfefire.exe    2012-04-04 11:48:37 UTC+0000
0x4fb90e0          UDPv6    :::0                           *:*                                   456      mfefire.exe    2012-04-04 11:48:37 UTC+0000
0x7d8e1b20         UDPv4    0.0.0.0:8082                   *:*                                   1740     FrameworkServi 2012-04-04 11:48:26 UTC+0000
0x7d8e2d38         UDPv4    0.0.0.0:8082                   *:*                                   1740     FrameworkServi 2012-04-04 11:48:26 UTC+0000
0x7d8e2d38         UDPv6    :::8082                        *:*                                   1740     FrameworkServi 2012-04-04 11:48:26 UTC+0000
0x7d931120         UDPv4    0.0.0.0:0                      *:*                                   456      mfefire.exe    2012-04-04 11:48:37 UTC+0000
0x7d946818         UDPv4    0.0.0.0:0                      *:*                                   1032     svchost.exe    2012-04-04 11:48:38 UTC+0000
0x7d947330         UDPv4    0.0.0.0:0                      *:*                                   1032     svchost.exe    2012-04-04 11:48:38 UTC+0000
0x7d947330         UDPv6    :::0                           *:*                                   1032     svchost.exe    2012-04-04 11:48:38 UTC+0000
0x7d984e20         UDPv4    0.0.0.0:123                    *:*                                   1032     svchost.exe    2012-04-04 11:48:39 UTC+0000
0x7d985bb0         UDPv4    0.0.0.0:123                    *:*                                   1032     svchost.exe    2012-04-04 11:48:39 UTC+0000
0x7d985bb0         UDPv6    :::123                         *:*                                   1032     svchost.exe    2012-04-04 11:48:39 UTC+0000
0x7d8b0b50         TCPv4    0.0.0.0:445                    0.0.0.0:0            LISTENING        4        System        
0x7d8b0b50         TCPv6    :::445                         :::0                 LISTENING        4        System        
0x7d8df2a8         TCPv4    0.0.0.0:8081                   0.0.0.0:0            LISTENING        1740     FrameworkServi
0x7d8e1ea8         TCPv4    0.0.0.0:8081                   0.0.0.0:0            LISTENING        1740     FrameworkServi
0x7d8e1ea8         TCPv6    :::8081                        :::0                 LISTENING        1740     FrameworkServi
0x7d93ca70         TCPv4    0.0.0.0:49186                  0.0.0.0:0            LISTENING        564      services.exe  
0x7d93ca70         TCPv6    :::49186                       :::0                 LISTENING        564      services.exe  
0x7d969ec0         TCPv4    0.0.0.0:3389                   0.0.0.0:0            LISTENING        1184     svchost.exe   
0x7d96e308         TCPv4    0.0.0.0:3389                   0.0.0.0:0            LISTENING        1184     svchost.exe   
0x7d96e308         TCPv6    :::3389                        :::0                 LISTENING        1184     svchost.exe   
0x7dab56c0         UDPv4    0.0.0.0:5355                   *:*                                   1184     svchost.exe    2012-04-04 11:48:00 UTC+0000
0x7dab6208         UDPv4    0.0.0.0:0                      *:*                                   1184     svchost.exe    2012-04-04 11:48:00 UTC+0000
0x7dab6208         UDPv6    :::0                           *:*                                   1184     svchost.exe    2012-04-04 11:48:00 UTC+0000
0x7daf8960         UDPv4    0.0.0.0:0                      *:*                                   592      lsass.exe      2012-04-04 11:48:04 UTC+0000
0x7daf8960         UDPv6    :::0                           *:*                                   592      lsass.exe      2012-04-04 11:48:04 UTC+0000
0x7db136a0         UDPv4    127.0.0.1:55829                *:*                                   592      lsass.exe      2012-04-04 11:48:04 UTC+0000
0x7db17770         UDPv4    127.0.0.1:55827                *:*                                   1184     svchost.exe    2012-04-04 11:48:04 UTC+0000
0x7db24ac8         UDPv4    0.0.0.0:0                      *:*                                   592      lsass.exe      2012-04-04 11:48:04 UTC+0000
0x7db24ac8         UDPv6    :::0                           *:*                                   592      lsass.exe      2012-04-04 11:48:04 UTC+0000
0x7db2a008         UDPv4    0.0.0.0:0                      *:*                                   592      lsass.exe      2012-04-04 11:48:04 UTC+0000
0x7db2a008         UDPv6    :::0                           *:*                                   592      lsass.exe      2012-04-04 11:48:04 UTC+0000
0x7db2af50         UDPv4    0.0.0.0:0                      *:*                                   592      lsass.exe      2012-04-04 11:48:04 UTC+0000
0x7db31320         UDPv4    0.0.0.0:0                      *:*                                   592      lsass.exe      2012-04-04 11:48:04 UTC+0000
0x7db36008         UDPv4    127.0.0.1:55832                *:*                                   944      svchost.exe    2012-04-04 11:48:04 UTC+0000
0x7da02898         TCPv4    0.0.0.0:49152                  0.0.0.0:0            LISTENING        464      wininit.exe   
0x7da03298         TCPv4    0.0.0.0:135                    0.0.0.0:0            LISTENING        780      svchost.exe   
0x7da03298         TCPv6    :::135                         :::0                 LISTENING        780      svchost.exe   
0x7da223e8         TCPv4    0.0.0.0:49153                  0.0.0.0:0            LISTENING        820      svchost.exe   
0x7da25648         TCPv4    0.0.0.0:49153                  0.0.0.0:0            LISTENING        820      svchost.exe   
0x7da25648         TCPv6    :::49153                       :::0                 LISTENING        820      svchost.exe   
0x7da96700         TCPv4    0.0.0.0:49154                  0.0.0.0:0            LISTENING        592      lsass.exe     
0x7da96700         TCPv6    :::49154                       :::0                 LISTENING        592      lsass.exe     
0x7da96de8         TCPv4    0.0.0.0:49154                  0.0.0.0:0            LISTENING        592      lsass.exe     
0x7dad06f0         TCPv4    0.0.0.0:49155                  0.0.0.0:0            LISTENING        944      svchost.exe   
0x7dad2430         TCPv4    0.0.0.0:49155                  0.0.0.0:0            LISTENING        944      svchost.exe   
0x7dad2430         TCPv6    :::49155                       :::0                 LISTENING        944      svchost.exe   
0x7ddf35a0         TCPv4    0.0.0.0:135                    0.0.0.0:0            LISTENING        780      svchost.exe   
0x7ddfb440         TCPv4    0.0.0.0:49152                  0.0.0.0:0            LISTENING        464      wininit.exe   
0x7ddfb440         TCPv6    :::49152                       :::0                 LISTENING        464      wininit.exe   
0x7db4cc10         TCPv4    -:62342                        -:80                 CLOSED           1184     svchost.exe   
0x7ec1f2b8         UDPv4    10.3.58.5:138                  *:*                                   4        System         2012-04-04 11:47:39 UTC+0000
0x7eccb7c8         UDPv4    10.3.58.5:137                  *:*                                   4        System         2012-04-04 11:47:39 UTC+0000
0x7ed807e0         TCPv4    0.0.0.0:49186                  0.0.0.0:0            LISTENING        564      services.exe  
0x7ed974b0         TCPv4    10.3.58.5:139                  0.0.0.0:0            LISTENING        4        System        
0x7f463770         UDPv4    127.0.0.1:1900                 *:*                                   2980     svchost.exe    2012-04-04 19:40:36 UTC+0000
0x7f476008         UDPv4    127.0.0.1:49724                *:*                                   2980     svchost.exe    2012-04-04 19:40:36 UTC+0000
0x7f476b40         UDPv6    ::1:49722                      *:*                                   2980     svchost.exe    2012-04-04 19:40:36 UTC+0000
0x7f47b880         UDPv4    10.3.58.5:1900                 *:*                                   2980     svchost.exe    2012-04-04 19:40:36 UTC+0000
0x7f4e5548         UDPv4    10.3.58.5:49723                *:*                                   2980     svchost.exe    2012-04-04 19:40:36 UTC+0000
0x7f5b5248         UDPv4    10.3.58.5:55261                *:*                                   7816     Skype.exe      2012-04-06 19:44:03 UTC+0000
0x7eec5a58         TCPv4    -:62344                        -:443                CLOSED           7816     Skype.exe     
0x7ef2b988         TCPv4    10.3.58.5:62619                10.3.58.4:445        CLOSED           4        System        
0x7f451df8         TCPv4    -:62331                        224.0.0.252:443      CLOSED           7816     Skype.exe     
0x7f60adf8         TCPv4    127.0.0.1:5678                 127.0.0.1:62608      CLOSED           6404     svchost.exe   
0x7f632008         TCPv4    -:62336                        69.171.229.13:443    CLOSED           7816     Skype.exe     
0x7f67a448         TCPv4    -:139                          12.190.135.235:2264  CLOSED           4        System        
0x7f693140         TCPv4    10.3.58.5:62567                10.3.58.255:80       CLOSED           6404     svchost.exe   
0x7f6fb448         TCPv4    10.3.58.5:62617                10.3.58.4:445        CLOSED           4        System        
0x7f7492f0         TCPv4    10.3.58.5:62294                10.3.58.9:135        CLOSED           4172     taskhost.exe  
0x7f760a08         TCPv4    10.3.58.5:62295                10.3.58.9:49156      CLOSED           4172     taskhost.exe  
0x7f899400         UDPv4    127.0.0.1:49290                *:*                                   1108     taskhost.exe   2012-04-04 14:45:46 UTC+0000
0x7f940568         UDPv6    ::1:1900                       *:*                                   2980     svchost.exe    2012-04-04 19:40:36 UTC+0000
0x7fd46238         UDPv4    0.0.0.0:0                      *:*                                   5176     svchost.exe    2012-04-06 20:34:44 UTC+0000
0x7fd9f688         UDPv4    0.0.0.0:0                      *:*                                   5176     svchost.exe    2012-04-06 20:34:44 UTC+0000
0x7fd9f688         UDPv6    :::0                           *:*                                   5176     svchost.exe    2012-04-06 20:34:44 UTC+0000
0x7f947098         TCPv4    0.0.0.0:3260                   0.0.0.0:0            LISTENING        7776     f-response-ent
0x7ff175f8         TCPv4    127.0.0.1:5678                 0.0.0.0:0            LISTENING        6404     svchost.exe   
0x7f837580         TCPv4    10.3.58.5:49805                10.3.58.9:445        ESTABLISHED      4        System        
0x7f89a1d0         TCPv4    10.3.58.5:50817                199.73.28.114:443    CLOSED           1328     spinlock.exe  
0x7f8c8008         TCPv4    10.3.58.5:62421                10.3.58.9:135        CLOSED           592      lsass.exe     
0x7f8f8008         TCPv4    10.3.58.5:62333                10.3.16.5:443        CLOSED           7816     Skype.exe     
0x7fa47008         TCPv4    -:62334                        184.51.253.195:443   CLOSED           7816     Skype.exe     
0x7fa559f8         TCPv4    -:62335                        184.51.255.240:443   CLOSED           7816     Skype.exe     
0x7fc6e318         TCPv4    10.3.58.5:3260                 10.3.16.5:48351      ESTABLISHED      7776     f-response-ent
0x7fe9b278         TCPv4    10.3.58.5:62380                10.3.58.9:445        CLOSED           4        System

vol.py imagecopy -f hiberfil.sys -O hiber.raw

This command will uncompress a hibernation file into raw memory dump:

root@siftworkstation:~# vol.py imagecopy -f /mnt/romanoff/hiberfil.sys -O hiber.raw
Volatility Foundation Volatility Framework 2.5
Writing data (5.00 MB chunks): |....................................................................................................................................................................................................................................................................................................................|

Blog Posts

Rekall

Description

A python memory analysis framework that can be difficult to install and setup.

Platform	Python
Author	Rekall Forensics
License	GPLv2
URL	http://www.rekall-forensic.com/

Usage

usage: rekal [-p PROFILE] [-v] [-q] [--debug] [--output_style {concise,full}]
             [--logging_level {DEBUG,INFO,WARNING,ERROR,CRITICAL}]
             [--pager PAGER] [--paging_limit PAGING_LIMIT]
             [--colors {auto,yes,no}] [-F {text,json,wide,test,data}]
             [--plugin [PLUGIN [PLUGIN ...]]] [-h]
             [--cache {file,memory,timed}]
             [--repository_path [REPOSITORY_PATH [REPOSITORY_PATH ...]]]
             [-f FILENAME] [--buffer_size BUFFER_SIZE] [--output OUTPUT]
             [--max_collector_cost MAX_COLLECTOR_COST] [--home HOME]
             [--logging_format LOGGING_FORMAT]
             [--performance {normal,fast,thorough}] [--dtb DTB]
             [-o FILE_OFFSET] [--ept EPT [EPT ...]] [--timezone TIMEZONE]
             [--cache_dir CACHE_DIR]
             [--name_resolution_strategies [{Module,Symbol,Export} [{Module,Symbol,Export} ...]]]
             [--autodetect_build_local_tracked [AUTODETECT_BUILD_LOCAL_TRACKED [AUTODETECT_BUILD_LOCAL_TRACKED ...]]]
             [--pagefile [PAGEFILE [PAGEFILE ...]]]
             [--autodetect {linux_index,nt_index,osx,pe,windows_kernel_file,rsds,ntfs,linux} [{linux_index,nt_index,osx,pe,windows_kernel_file,rsds,ntfs,linux} ...]]
             [--autodetect_threshold AUTODETECT_THRESHOLD]
             [--autodetect_build_local {full,basic,none}]
             [--autodetect_scan_length AUTODETECT_SCAN_LENGTH] [--live]
             [--version] [-]

Examples

rekal -f <image> pslist

The following output is from running the pslist plugin inside rekall:

root@siftworkstation:~# rekal -f win7-32-nromanoff-memory-raw.001 pslist
2021-07-25 21:43:58,349:WARNING:rekall.1:Inventory for repository "http://profiles.rekall-forensic.com" seems malformed. Are you behind a captive portal or proxy? If this is a custom repository, did you forget to create an inventory? You must use the tools/profiles/build_profile_repo.py tool with the --inventory flag.
2021-07-25 21:43:58,349:WARNING:rekall.1:Repository http://profiles.rekall-forensic.com will be disabled.
2021-07-25 21:43:58,422:WARNING:rekall.1:Unable to parse profile section $CONSTANT_TYPES
2021-07-25 21:43:58,423:WARNING:rekall.1:Unable to parse profile section $CONSTANT_TYPES
_EPROCESS          Name          PID   PPID   Thds    Hnds    Sess  Wow64           Start                     Exit         
---------- -------------------- ----- ------ ------ -------- ------ ------ ------------------------ ------------------------
0x85c50958 System                   4      0    105      532      - False  2012-04-04 11:47:29Z     -                      
0x8824cd40 naPrdMgr.exe           200    704      8      252      0 False  2012-04-04 11:48:15Z     -                      
0x860f2578 cmd.exe                208   1208      1       31      2 False  2012-04-04 18:43:24Z     -                      
0x86ecaa70 smss.exe               280      4      3       32      - False  2012-04-04 11:47:29Z     -                      
0x8622b4b8 explorer.exe           296   2392     22      853      2 False  2012-04-04 14:45:45Z     -                      
0x88263648 mcshield.exe           332    564     28      459      0 False  2012-04-04 11:48:15Z     -                      
0x86cfa540 csrss.exe              412    404      9      756      0 False  2012-04-04 11:47:41Z     -                      
0x8827d9f0 mfefire.exe            456    564      7      108      0 False  2012-04-04 11:48:23Z     -                      
0x87d85d40 wininit.exe            464    404      3       74      0 False  2012-04-04 11:47:44Z     -                      
0x86e7f030 csrss.exe              472    456      9       75      1 False  2012-04-04 11:47:44Z     -                      
0x87d8fd40 winlogon.exe           520    456      3       91      1 False  2012-04-04 11:47:44Z     -                      
0x87f68030 services.exe           564    464      7      243      0 False  2012-04-04 11:47:45Z     -                      
0x87f79600 lsass.exe              592    464      8      888      0 False  2012-04-04 11:47:46Z     -                      
0x87f8c030 lsm.exe                600    464     10      248      0 False  2012-04-04 11:47:46Z     -                      
0x87fc5590 svchost.exe            704    564     11      358      0 False  2012-04-04 11:47:48Z     -                      
0x87fee6d0 svchost.exe            780    564      6      277      0 False  2012-04-04 11:47:51Z     -                      
0x88000d40 svchost.exe            820    564     18      469      0 False  2012-04-04 11:47:51Z     -                      
0x8800e178 LogonUI.exe            880    520      7      197      1 False  2012-04-04 11:47:51Z     -                      
0x88295900 VMUpgradeHelpe         888    564      4       87      0 False  2012-04-04 11:48:24Z     -                      
0x880308e8 svchost.exe            920    564     18      495      0 False  2012-04-04 11:47:51Z     -                      
0x88047a58 svchost.exe            944    564     31     1213      0 False  2012-04-04 11:47:52Z     -                      
0x880462b8 svchost.exe           1032    564     17      394      0 False  2012-04-04 11:47:52Z     -                      
0x85dbcb48 taskhost.exe          1108    564      9      290      2 False  2012-04-04 14:45:43Z     -                      
0x880a0758 svchost.exe           1184    564     20      634      0 False  2012-04-04 11:48:00Z     -                      
0x8654c4a8 spinlock.exe          1208   3796      0        -      2 False  2012-04-04 15:48:18Z     2012-04-04 18:43:25Z   
0x88070d40 spoolsv.exe           1308    564     13      328      0 False  2012-04-04 11:48:03Z     -                      
0x86383c18 spinlock.exe          1328   2956      2      128      0 False  2012-04-04 18:54:51Z     -                      
0x880e7030 svchost.exe           1344    564     17      295      0 False  2012-04-04 11:48:03Z     -                      
0x88120658 armsvc.exe            1456    564      4       61      0 False  2012-04-04 11:48:04Z     -                      
0x88145b38 FireSvc.exe           1516    564     22      355      0 False  2012-04-04 11:48:05Z     -                      
0x881b8030 McSACore.exe          1604    564     11      199      0 False  2012-04-04 11:48:08Z     -                      
0x881b4900 FireTray.exe          1624   1516      0        -      0 False  2012-04-04 11:48:09Z     2012-04-04 11:48:10Z   
0x881dd770 FrameworkServi        1740    564     31      426      0 False  2012-04-04 11:48:10Z     -                      
0x8820bd40 VsTskMgr.exe          1796    564     21      365      0 False  2012-04-04 11:48:11Z     -                      
0x88227358 mfevtps.exe           1824    564      5      171      0 False  2012-04-04 11:48:12Z     -                      
0x8821a660 mfeann.exe            1872   1796     14      181      0 False  2012-04-04 11:48:12Z     -                      
0x88220d40 conhost.exe           1880    412      2       30      0 False  2012-04-04 11:48:12Z     -                      
0x88235cf8 VMwareService.        1964    564      7      192      0 False  2012-04-04 11:48:14Z     -                      
0x864e57c8 PSEXESVC.EXE          2100    564      6      104      0 False  2012-04-04 18:52:11Z     -                      
0x862709a0 csrss.exe             2132   3112      9      271      2 False  2012-04-04 14:45:30Z     -                      
0x861bb8f0 rdpclip.exe           2408   1184      4       88      2 False  2012-04-04 14:45:43Z     -                      
0x86136a60 conhost.exe           2840   2132      2       28      2 False  2012-04-04 18:43:25Z     -                      
0x863c8030 McTray.exe            2864   2944     23      341      2 False  2012-04-04 14:49:35Z     -                      
0x86272d40 UdaterUI.exe          2944   1740      6      109      2 False  2012-04-04 14:49:35Z     -                      
0x862bb290 spinlock.exe          2956   2100      1       26      0 False  2012-04-04 18:54:51Z     -                      
0x8842a4b8 svchost.exe           2980    564     12      198      0 False  2012-04-04 11:50:42Z     -                      
0x885561f8 SearchIndexer.        3092    564     14      992      0 False  2012-04-04 11:50:46Z     -                      
0x85f98728 a.exe                 3264   3440      0        -      2 False  2012-04-04 14:57:52Z     2012-04-04 18:40:58Z   
0x86a1c8b8 conhost.exe           3408    412      2       31      0 False  2012-04-06 14:03:11Z     -                      
0x861d93a0 cmd.exe               3472   3264      0        -      2 False  2012-04-04 15:47:47Z     2012-04-04 15:49:07Z   
0x862a4d40 svchost.exe           3612   2100      0        -      0 False  2012-04-04 18:52:11Z     2012-04-05 13:25:07Z   
0x861d4520 VMwareTray.exe        3780    296      5       65      2 False  2012-04-04 14:45:46Z     -                      
0x862bfa40 spinlock.exe          3796   3472      0        -      2 False  2012-04-04 15:48:18Z     2012-04-04 18:43:25Z   
0x861b6518 VMwareUser.exe        3804    296      3       77      2 False  2012-04-04 14:45:46Z     -                      
0x8617bd40 winlogon.exe          3836   3112      3      112      2 False  2012-04-04 14:45:30Z     -                      
0x8625b030 dwm.exe               3924    920      3       67      2 False  2012-04-04 14:45:44Z     -                      
0x85e24030 OSPPSVC.EXE           4040    564      3      134      0 False  2012-04-04 15:42:01Z     -                      
0x86d2b578 a.exe                 5008   4212      0        -      0 False  2012-04-06 13:19:34Z     2012-04-06 16:58:26Z   
0x85dde298 svchost.exe           5176    564      5       90      0 False  2012-04-06 20:34:44Z     -                      
0x862f9a58 cmd.exe               5192   5008      1       28      0 False  2012-04-06 14:03:11Z     -                      
0x8649d880 svchost.exe           6404   2100      8      256      0 False  2012-04-06 19:22:20Z     -                      
0x86eeb430 f-response-ent        7776    564      8       75      0 False  2012-04-06 20:34:42Z     -

rekal -f <image> messagehooks

This command is useful for identifying keyloggers:

root@siftworkstation:~# rekal -f ./Post_Malware.raw messagehooks
2021-08-05 01:11:02,745:WARNING:rekall.1:Inventory for repository "http://profiles.rekall-forensic.com" seems malformed. Are you behind a captive portal or proxy? If this is a custom repository, did you forget to create an inventory? You must use the tools/profiles/build_profile_repo.py tool with the --inventory flag.
2021-08-05 01:11:02,746:WARNING:rekall.1:Repository http://profiles.rekall-forensic.com will be disabled.
  tagHOOK(V)   Sess             Owner                          Thread                 Filter        Flags       Function    Module
-------------- ---- ------------------------------ ------------------------------ --------------- ---------- -------------- ------
0xf900c06011d0 0    wininit.exe (388)              <any>                          WH_CALLWNDPROC                     0x12d8 C:\Windows\system32\wls0wndh.dll
0xf900c0620ce0 1    SysNative.exe (2676)           <any>                          WH_KEYBOARD_LL                   0xf013c0 sysnative+0x13c0
0xf900c06254f0 1    conhost.exe (352)              2016 (conhost.exe 352)         WH_MSGFILTER                   0xff350ed0 conhost!DialogHookProc

Blog Posts

fsstat

Description

Display general details of a file system.

Platform	Windows and Linux
Author	Brian Carrier
License	Common Public License 1.0
URL	https://www.sleuthkit.org/

Usage

usage: fsstat [-tvV] [-f fstype] [-i imgtype] [-b dev_sector_size] [-o imgoffset] image
    -t: display type only
    -i imgtype: The format of the image file (use '-i list' for supported types)
    -b dev_sector_size: The size (in bytes) of the device sectors
    -f fstype: File system type (use '-f list' for supported types)
    -o imgoffset: The offset of the file system in the image (in sectors)
    -v: verbose output to stderr
    -V: Print version

Examples

fsstat <disk image>

This is the default output from a disk image:

root@siftworkstation:/mnt/romanoff# fsstat win7-32-nromanoff-c-drive.E01
FILE SYSTEM INFORMATION
--------------------------------------------
File System Type: NTFS
Volume Serial Number: 2EAC03A3AC036525
OEM Name: NTFS   
Version: Windows XP
 
METADATA INFORMATION
--------------------------------------------
First Cluster of MFT: 786432
First Cluster of MFT Mirror: 2
Size of MFT Entries: 1024 bytes
Size of Index Records: 4096 bytes
Range: 0 - 115968
Root Directory: 5
 
CONTENT INFORMATION
--------------------------------------------
Sector Size: 512
Cluster Size: 4096
Total Cluster Range: 0 - 6488830
Total Sector Range: 0 - 51910654
 
$AttrDef Attribute Values:
$STANDARD_INFORMATION (16)   Size: 48-72   Flags: Resident
$ATTRIBUTE_LIST (32)   Size: No Limit   Flags: Non-resident
$FILE_NAME (48)   Size: 68-578   Flags: Resident,Index
$OBJECT_ID (64)   Size: 0-256   Flags: Resident
$SECURITY_DESCRIPTOR (80)   Size: No Limit   Flags: Non-resident
$VOLUME_NAME (96)   Size: 2-256   Flags: Resident
$VOLUME_INFORMATION (112)   Size: 12-12   Flags: Resident
$DATA (128)   Size: No Limit   Flags:
$INDEX_ROOT (144)   Size: No Limit   Flags: Resident
$INDEX_ALLOCATION (160)   Size: No Limit   Flags: Non-resident
$BITMAP (176)   Size: No Limit   Flags: Non-resident
$REPARSE_POINT (192)   Size: 0-16384   Flags: Non-resident
$EA_INFORMATION (208)   Size: 8-8   Flags: Resident
$EA (224)   Size: 0-65536   Flags:
$LOGGED_UTILITY_STREAM (256)   Size: 0-65536   Flags: Non-resident

Blog Posts

exiftool

Description

Read and write meta information in files.

Platform	Windows and Linux
Author	Phil Harvey
License	GPLv3
URL	https://exiftool.org/

Usage

exiftool [OPTIONS] [-TAG...] [--TAG...] FILE...
exiftool [OPTIONS] -TAG[+-<]=[VALUE]... FILE...
exiftool [OPTIONS] -tagsFromFile SRCFILE [-SRCTAG[>DSTTAG]...] FILE...
exiftool [ -ver | -list[w|f|r|wf|g[NUM]|d|x] ]

Examples

exiftool <file>

The following output is from running exiftool with default options against a Windows powerpoint file:

root@siftworkstation:/mnt/romanoff# exiftool "./Users/nromanoff/Documents/Ninja Files/PPT/StickNinja.ppt"
ExifTool Version Number         : 9.46
File Name                       : StickNinja.ppt
Directory                       : ./Users/nromanoff/Documents/Ninja Files/PPT
File Size                       : 2.2 MB
File Modification Date/Time     : 2012:03:16 21:42:18+00:00
File Access Date/Time           : 2012:03:16 21:42:11+00:00
File Inode Change Date/Time     : 2012:04:04 15:21:06+00:00
File Permissions                : rwxrwxrwx
File Type                       : PPT
MIME Type                       : application/vnd.ms-powerpoint
Current User                    : Magy Seif El-Nasr
Title                           : Stick Ninja.
Subject                         :
Author                          :
Keywords                        :
Comments                        :
Last Modified By                : Cody Sawatsky
Revision Number                 : 1
Total Edit Time                 : 8.0 minutes
Modify Date                     : 2007:09:16 23:10:29
Pages                           : 0
Words                           : 510
Characters                      : 0
Code Page                       : Unicode (UTF-8)
Presentation Target             : Custom
Bytes                           : 301358
Lines                           : 0
Paragraphs                      : 75
Slides                          : 16
Notes                           : 16
Hidden Slides                   : 0
MM Clips                        : 0
App Version                     : 11.0512
Scale Crop                      : No
Links Up To Date                : No
Shared Doc                      : No
Hyperlinks Changed              : No
Title Of Parts                  : Helvetica Neue Light, ヒラギノ角ゴ Pro W3, Helvetica Neue, Title & Subtitle, Stick Ninja., Overview., Overview., User Description., Description of Gameplay Mechanics, Storyboard., Prototype., Features + Functionality., Justifications for Design., Justifications for Design., User Testing., Shortcomings of Design., Possibilities for expansion., Next Steps., Summary., PowerPoint Presentation
Heading Pairs                   : Fonts Used, 3, Design Template, 1, Slide Titles, 16

Blog Posts

istat

Description

Displays details of a meta-data structure (inode or MFT).

Platform	Linux and Windows
Author	Brian Carrier
License	Common Public License 1.0
URL	http://sleuthkit.org

Usage

usage: istat [-B num] [-f fstype] [-i imgtype] [-b dev_sector_size] [-o imgoffset] [-z zone] [-s seconds] [-vV] image inum
    -B num: force the display of NUM address of block pointers
    -z zone: time zone of original machine (i.e. EST5EDT or GMT)
    -s seconds: Time skew of original machine (in seconds)
    -i imgtype: The format of the image file (use '-i list' for supported types)
    -b dev_sector_size: The size (in bytes) of the device sectors
    -f fstype: File system type (use '-f list' for supported types)
    -o imgoffset: The offset of the file system in the image (in sectors)
    -v: verbose output to stderr
    -V: print version

Examples

istat <disk image> <entry number>

This example parses the $MFT in the provided image and displays data associated with entry number 48869:

root@siftworkstation:/home/sansforensics/netwars# istat ./romanoff/win7-32-nromanoff-c-drive.E01 48869
MFT Entry Header Values:
Entry: 48869        Sequence: 2
$LogFile Sequence Number: 8642056225
Allocated File
Links: 2
 
$STANDARD_INFORMATION Attribute Values:
Flags: Archive
Owner ID: 0
Security ID: 1723  (S-1-5-21-2036804247-3058324640-2116585241-1109)
Last User Journal Update Sequence Number: 1919383144
Created:        2011-08-28 22:33:18.571266300 (UTC)
File Modified:  2011-08-28 22:35:24.545830100 (UTC)
MFT Modified:   2012-04-04 15:21:06.753530300 (UTC)
Accessed:       2011-08-28 22:33:18.571266300 (UTC)
 
$FILE_NAME Attribute Values:
Flags: Archive
Name: adberdr813.exe
Parent MFT Entry: 42171         Sequence: 2
Allocated Size: 21807104        Actual Size: 21806256
Created:        2011-08-28 22:33:18.571266300 (UTC)
File Modified:  2011-08-28 22:33:28.007175500 (UTC)
MFT Modified:   2011-08-28 22:33:28.034520300 (UTC)
Accessed:       2011-08-28 22:33:18.571266300 (UTC)
 
Attributes:
Type: $STANDARD_INFORMATION (16-0)   Name: N/A   Resident   size: 72
Type: $FILE_NAME (48-7)   Name: N/A   Resident   size: 90
Type: $FILE_NAME (48-6)   Name: N/A   Resident   size: 94
Type: $DATA (128-4)   Name: N/A   Non-Resident   size: 21806256  init_size: 21806256
467370 467371 467372 467373 467374 467375 467376 467377
467378 467379 467380 467381 467382 467383 467384 467385
...
472690 472691 472692 472693
Type: $DATA (128-5)   Name: Zone.Identifier   Resident   size: 26

Blog Posts

ewfmount

Description

A command line tool for creating a mount file from a disk image. Use ewfmount to mount the EWF format (Expert Witness
Compression Format)

Platform	Linux
Author	Joachim Metz
License	GPLv3
URL	ewfmount.c

Usage

Usage: ewfmount [ -f format ] [ -X extended_options ] [ -hvV ]
                ewf_files mount_point
 
    ewf_files:   the first or the entire set of EWF segment files
 
    mount_point: the directory to serve as mount point
 
    -f:          specify the input format, options: raw (default),
                 files (restricted to logical volume files)
    -h:          shows this help
    -v:          verbose output to stderr
                 ewfmount will remain running in the foreground
    -V:          print version
    -X:          extended options to pass to sub system

Examples

ewfmount win7-32-nromanoff-c-drive.E01 /mnt/ewf_mount

This command creates a mount file.

root@siftworkstation:/home/sansforensics/netwars/romanoff# cd /mnt/ewf_mount
root@siftworkstation:/mnt/ewf_mount# ll
total 4
drwxr-xr-x  2 root root           0 Jan  1  1970 ./
drwxr-xr-x 23 root root        4096 Jul 25  2016 ../
-r--r--r--  1 root root 26578255872 Jul 24 17:54 ewf1

You can then mount it with this command:

root@siftworkstation:/mnt/ewf_mount# mount -o ro,loop,show_sys_files,streams_interface=windows ewf1 /mnt/romanoff/
root@siftworkstation:/mnt/ewf_mount# cd /mnt/romanoff/
root@siftworkstation:/mnt/romanoff# ll
total 3736025
drwxrwxrwx  1 root root       4096 Apr  4  2012 ./
drwxr-xr-x 24 root root       4096 Jul 24 17:55 ../
-rwxrwxrwx  1 root root       2560 Nov 10  2010 $AttrDef*
-rwxrwxrwx  1 root root         24 Jun 10  2009 autoexec.bat*
-rwxrwxrwx  1 root root          0 Nov 10  2010 $BadClus*
-rwxrwxrwx  1 root root     811104 Nov 10  2010 $Bitmap*
drwxrwxrwx  1 root root       8192 Sep 17  2011 Boot/
-rwxrwxrwx  1 root root       8192 Nov 10  2010 $Boot*
-rwxrwxrwx  1 root root     383786 Nov 20  2010 bootmgr*
-rwxrwxrwx  1 root root       8192 Nov 10  2010 BOOTSECT.BAK*
-rwxrwxrwx  1 root root         10 Jun 10  2009 config.sys*
lrwxrwxrwx  2 root root         60 Jul 14  2009 Documents and Settings -> /mnt/romanoff//Users/
drwxrwxrwx  1 root root          0 Nov 10  2010 $Extend/
-rwxrwxrwx  1 root root 1610211328 Apr  4  2012 hiberfil.sys*
-rwxrwxrwx  1 root root   67108864 Nov 10  2010 $LogFile*
-rwxrwxrwx  1 root root       4096 Nov 10  2010 $MFTMirr*
drwxrwxrwx  1 root root          0 Nov 10  2010 MSOCache/
-rwxrwxrwx  1 root root 2146951168 Apr  4  2012 pagefile.sys*
drwxrwxrwx  1 root root          0 Jul 14  2009 PerfLogs/
drwxrwxrwx  1 root root       4096 Aug 30  2011 ProgramData/
drwxrwxrwx  1 root root       8192 Mar 15  2012 Program Files/
drwxrwxrwx  1 root root          0 Nov 10  2010 Recovery/
drwxrwxrwx  1 root root       4096 Apr  4  2012 $Recycle.Bin/
----------  1 root root          0 Nov 10  2010 $Secure
drwxrwxrwx  1 root root       8192 Apr  4  2012 System Volume Information/
-rwxrwxrwx  1 root root     131072 Nov 10  2010 $UpCase*
drwxrwxrwx  1 root root       4096 Apr  3  2012 Users/
-rwxrwxrwx  1 root root          0 Nov 10  2010 $Volume*
drwxrwxrwx  1 root root      16384 Apr  4  2012 Windows/

Blog Posts

analyzeMFT.py

Description

This tool is designed to fully parse the MFT file from an NTFS filesystem
and present the results as accurately as possible in multiple formats.

Platform	Python
Author	David Kovar
License	Common Public License 1.0
URL	https://github.com/dkovar/analyzeMFT

Usage

Usage: analyzeMFT.py [options]
 
Options:
  -h, --help            show this help message and exit
  -v, --version         report version and exit
  -f FILE, --file=FILE  read MFT from FILE
  -o FILE, --output=FILE
                        write results to FILE
  -a, --anomaly         turn on anomaly detection
  -e, --excel           print date/time in Excel friendly format
  -b FILE, --bodyfile=FILE
                        write MAC information to bodyfile
  --bodystd             Use STD_INFO timestamps for body file rather than FN
                        timestamps
  --bodyfull            Use full path name + filename rather than just
                        filename
  -c FILE, --csvtimefile=FILE
                        write CSV format timeline file
  -l, --localtz         report times using local timezone
  -d, --debug           turn on debugging output
  -s, --saveinmemory    Save a copy of the decoded MFT in memory. Do not use
                        for very large MFTs
  -p, --progress        Show systematic progress reports.

Examples

Blog Posts

BloodHound

Description

BloodHound uses graph theory to reveal the hidden and often unintended relationships within an Active Directory environment. As of version 4.0, BloodHound now also supports Azure. Attackers can use BloodHound to easily identify highly complex attack paths that would otherwise be impossible to quickly identify. Defenders can use BloodHound to identify and eliminate those same attack paths. Both blue and red teams can use BloodHound to easily gain a deeper understanding of privilege relationships in an Active Directory environment.

Platform	All
Author	@_wald0, @CptJesus, and @harmj0y
License	GPLv3
URL	https://github.com/BloodHoundAD/BloodHound

Usage

https://bloodhound.readthedocs.io/en/latest/index.html

Examples

Graph path from specific user to domain admin

This example shows the path from the ‘yfan_a’ account to the domain admin, by searching using a starting node and ending node (like google maps).

Shortest path to domain admin

This pre-built query shows the shortest path to get domain admin without specifying a starting point.

Blog Posts

beRoot

Description

BeRoot Project is a post exploitation tool to check common misconfigurations to find a way to escalate our privilege.

Platform	All
Author	AlessandroZ
License	?
URL	https://github.com/AlessandroZ/BeRoot

Usage

Windows:

|====================================================================|
|                                                                    |
|                    Windows Privilege Escalation                    |
|                                                                    |
|                          ! BANG BANG !                             |
|                                                                    |
|====================================================================|
 
 
usage: beRoot [-h] [-l] [-w] [-c CMD]
 
Windows Privilege Escalation
 
optional arguments:
  -h, --help         show this help message and exit
  -l, --list         list all softwares installed (not run by default)
  -w, --write        write output
  -c CMD, --cmd CMD  cmd to execute for the webclient check (default: whoami)

Linux:

|====================================================================|
|                                                                    |
|                      Linux Privilege Escalation                    |
|                                                                    |
|                          ! BANG BANG !                             |
|                                                                    |
|====================================================================|

Examples

beRoot (on Windows)

This is the default output of beRoot when run with no other arguments.

|====================================================================|
|                                                                    |
|                    Windows Privilege Escalation                    |
|                                                                    |
|                          ! BANG BANG !                             |
|                                                                    |
|====================================================================|
 
 
 
################ Service ################
 
[!] Permission to create a service with openscmanager
True
 
[!] Path containing spaces without quotes
permissions: {'change_config': False, 'start': False, 'stop': False}
Name: Video Stream
Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Video Stream
Full path: C:\Program Files\VideoStream\1337 Log\checklog.exe
Writables path found:
        - C:\
        - C:\Program Files\VideoStream
 
 
[!] Binary located on a writable directory
Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AarSvc
Full path: C:\WINDOWS\system32\svchost.exe -k AarSvcGroup -p
Writable directory: C:\WINDOWS\system32
Name: AarSvc
 
permissions: {'change_config': False, 'start': False, 'stop': False}
Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AarSvc_1df1243
Full path: C:\WINDOWS\system32\svchost.exe -k AarSvcGroup -p
Writable directory: C:\WINDOWS\system32
Name: AarSvc_1df1243
 
permissions: {'change_config': False, 'start': False, 'stop': False}
Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AJRouter
Full path: C:\WINDOWS\system32\svchost.exe -k LocalServiceNetworkRestricted -p
Writable directory: C:\WINDOWS\system32
Name: AJRouter
 
permissions: {'change_config': False, 'start': False, 'stop': False}
Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ALG
Full path: C:\WINDOWS\System32\alg.exe
Writable directory: C:\WINDOWS\System32
Name: ALG
...
permissions: {'change_config': False, 'start': False, 'stop': False}
Name: Sense
Writable directory: C:\Program Files\Windows Defender Advanced Threat Protection
Full path: "C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe"
 
 
 
################ Startup Keys ################
 
[!] Registry key with writable access
HKEY_LOCAL_MACHINE\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run
 
[!] Binary located on a writable directory
Name: SecurityHealth
Key: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run
Writable directory: C:\WINDOWS\system32
Full path: %windir%\system32\SecurityHealthSystray.exe
 
Name: VMware User Process
Key: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run
Writable directory: C:\Program Files\VMware\VMware Tools
Full path: "C:\Program Files\VMware\VMware Tools\vmtoolsd.exe" -n vmusr
 
 
 
################ Taskscheduler ################
 
[!] Permission to write on the task directory: c:\windows\system32\tasks
True
 
-------------- Get System Priv with WebClient --------------
 
[!] Checking WebClient vulnerability
 
################ Error on: check_webclient ################
Traceback (most recent call last):
  File "beroot\run_checks.py", line 315, in check_all
  File "beroot\run_checks.py", line 277, in check_webclient
  File "beroot\modules\checks\webclient\webclient.py", line 206, in run
  File "beroot\modules\checks\webclient\webclient.py", line 101, in startWebclient
ValueError: Procedure probably called with not enough arguments (4 bytes missing)
 
 
[!] Elapsed time = 0.729000091553

Additional Details

beroot-1

Blog Posts

Tag: linux tools