Event Log Explorer

Description

Event Log Explorer is an effective software solution for viewing, analyzing and monitoring events recorded in Microsoft Windows event logs. Event Log Explorer greatly simplifies and speeds up the analysis of event logs (security, application, system, setup, directory service, DNS and others).

Platform: Windows
Author: FSPro Labs
License: Free for Home Use
URL: https://www.eventlogxp.com/

Usage

Examples

Blog Posts

ShellBags Explorer

Description

Parses BagMRU keys from online or offline registry hives and displays them in an Explorer-like interface.

Platform: Windows
Author: Eric Zimmerman
License: MIT License
URL: https://ericzimmerman.github.io/#!index.md

Usage

SBECmd version 1.4.0.0
 
Author: Eric Zimmerman (saericzimmerman@gmail.com)
https://github.com/EricZimmerman
 
        d               Directory to look for registry hives. This or -l is required
        l               Process live registry. This or -d is required
        csv             Directory to save output to. Required
 
        dedupe          When true, SBECmd processes all hives in -d <directory> and removes duplicates. See manual for details
 
        dt              Date/time format string to use. Default is 'yyyy-MM-dd HH:mm:ss'
        tz              Time zone to use (Default = UTC). Enclose in quotes. Use '--tz list' for options
        nl              When true, ignore transaction log files for dirty hives. Default is FALSE
 
Examples: SBECmd.exe -d c:\temp\hives --csv c:\temp\sbeout
          SBECmd.exe -d c:\temp\hives --csv c:\temp\sbeout --tz "US Eastern Standard Time"
          SBECmd.exe -d c:\temp\hives --csv c:\temp\sbeout --dedupe
 
          Short options (single letter) are prefixed with a single dash. Long commands are prefixed with two dashes

Examples

Blog Posts

RegRipper

Description

The Registry Ripper, or RegRipper, is an open-source application for extracting, correlating, and displaying information from Windows NT registry hive files.

Platform: Perl
Author: H. Carvey
License: GPLv3
URL: https://github.com/warewolf/regripper

Usage

Rip 2.8_20130801 - CLI RegRipper tool
Rip [-r Reg hive file] [-f plugin file] [-p plugin module] [-l] [-h]
Parse Windows Registry files, using either a single module, or a plugins file.
  -r Reg hive file...Registry hive file to parse
  -g ................Guess the hive file (experimental)
  -f [profile].......use the plugin file (default: plugins\plugins)
  -p plugin module...use only this module
  -l ................list all plugins
  -c ................Output list in CSV format (use with -l)
  -s system name.....Server name (TLN support)
  -u username........User name (TLN support)
  -h.................Help (print this information)

Ex: C:\>rip -r c:\case\system -f system
    C:\>rip -r c:\case\ntuser.dat -p userassist
    C:\>rip -l -c
All output goes to STDOUT; use redirection (ie, > or >>) to output to a file.

copyright 2013 Quantum Analytics Research, LLC

Examples

rip.pl -r SAM -f sam > /cases/sam.txt

rip.pl -r SYSTEM -f system > /cases/system.txt

Blog Posts

Registry Explorer

Description

A registry viewer powered by plugins.

Platform: Windows
Author: Eric Zimmerman
License: MIT License
URL: https://ericzimmerman.github.io/#!index.md

Usage

To load hives, drag and drop onto any of the three main panels. You can also use the File menu to load hives.

Once hives are loaded, Registry Explorer operates much like regedit.exe does, but with many more options.

Bookmarks

The Bookmarks menu will dynamically update to reflect which bookmarks are available in the currently selected hive.

Available Bookmarks

The available bookmarks tab displays all available bookmarks across all loaded hives.

Context menu

Right-click on nodes in the tree for various options such as exporting keys, full technical details, etc.

For full details, see the included manual.

Examples

Blog Posts

AppCompatCacheParser

Description

Parses AppCompatCache entries from the SYSTEM hive.

Platform: Windows
Author: Eric Zimmerman
License: MIT License
URL: https://github.com/EricZimmerman/AppCompatCacheParser

Usage

AppCompatCache Parser version 1.4.4.0

Author: Eric Zimmerman (saericzimmerman@gmail.com)
https://github.com/EricZimmerman/AppCompatCacheParser

        c               The ControlSet to parse. Default is to extract all control sets.
        f               Full path to SYSTEM hive to process. If this option is not specified, the live Registry will be used
        t               Sorts last modified timestamps in descending order

        csv             Directory to save CSV formatted results to. Required
        csvf            File name to save CSV formatted results to. When present, overrides default name

        debug           Debug mode
        dt              The custom date/time format to use when displaying timestamps. See https://goo.gl/CNVq0k for options. Default is: yyyy-MM-dd HH:mm:ss
        nl              When true, ignore transaction log files for dirty hives. Default is FALSE

Examples: AppCompatCacheParser.exe --csv c:\temp -t -c 2
          AppCompatCacheParser.exe --csv c:\temp --csvf results.csv

          Short options (single letter) are prefixed with a single dash. Long commands are prefixed with two dashes

Examples

appcompatcacheparser -f SYSTEM.hve --csv C:\windows\temp

This command parses the AppCompatCache entries from the given SYSTEM hive and saves them to a CSV-formatted file in the Temp directory.

Blog Posts

PECmd

Description

A command line prefetch parser.

Platform: Windows
Author: Eric Zimmerman
License: MIT License
URL: https://github.com/EricZimmerman/PECmd

Usage

        d               Directory to recursively process. Either this or -f is required
        f               File to process. Either this or -d is required
        k               Comma separated list of keywords to highlight in output. By default, 'temp' and 'tmp' are highlighted. Any additional keywords will be added to these.
        o               When specified, save prefetch file bytes to the given path. Useful to look at decompressed Win10 files
        q               Do not dump full details about each file processed. Speeds up processing when using --json or --csv. Default is FALSE
 
        json            Directory to save json representation to.
        jsonf           File name to save JSON formatted results to. When present, overrides default name
        csv             Directory to save CSV results to. Be sure to include the full path in double quotes
        csvf            File name to save CSV formatted results to. When present, overrides default name
        html            Directory to save xhtml formatted results to. Be sure to include the full path in double quotes
        dt              The custom date/time format to use when displaying timestamps. See https://goo.gl/CNVq0k for options. Default is: yyyy-MM-dd HH:mm:ss
        mp              When true, display higher precision for timestamps. Default is FALSE
 
        vss             Process all Volume Shadow Copies that exist on drive specified by -f or -d . Default is FALSE
        dedupe          Deduplicate -f or -d & VSCs based on SHA-1. First file found wins. Default is TRUE
 
        debug           Show debug information during processing
        trace           Show trace information during processing
 
Examples: PECmd.exe -f "C:\Temp\CALC.EXE-3FBEF7FD.pf"
          PECmd.exe -f "C:\Temp\CALC.EXE-3FBEF7FD.pf" --json "D:\jsonOutput" --jsonpretty
          PECmd.exe -d "C:\Temp" -k "system32, fonts"
          PECmd.exe -d "C:\Temp" --csv "c:\temp" --csvf foo.csv --json c:\temp\json
          PECmd.exe -d "C:\Windows\Prefetch"
 
          Short options (single letter) are prefixed with a single dash. Long commands are prefixed with two dashes

Examples

Blog Posts

Volatility

Description

A memory forensics analysis platform.

Platform: Python
Author: Volatility Foundation
License: GPLv2
URL: https://www.volatilityfoundation.org/

Usage

Options:
  -h, --help            list all available options and their default values.
                        Default values may be set in the configuration file
                        (/etc/volatilityrc)
  --conf-file=/root/.volatilityrc
                        User based configuration file
  -d, --debug           Debug volatility
  --plugins=PLUGINS     Additional plugin directories to use (colon separated)
  --info                Print information about all registered objects
  --cache-directory=/root/.cache/volatility
                        Directory where cache files are stored
  --cache               Use caching
  --tz=TZ               Sets the (Olson) timezone for displaying timestamps
                        using pytz (if installed) or tzset
  -f FILENAME, --filename=FILENAME
                        Filename to use when opening an image
  --profile=WinXPSP2x86
                        Name of the profile to load (use --info to see a list
                        of supported profiles)
  -l LOCATION, --location=LOCATION
                        A URN location from which to load an address space
  -w, --write           Enable write support
  --dtb=DTB             DTB Address
  --shift=SHIFT         Mac KASLR shift address
  --output=text         Output in this format (support is module specific, see
                        the Module Output Options below)
  --output-file=OUTPUT_FILE
                        Write output in this file
  -v, --verbose         Verbose information
  -g KDBG, --kdbg=KDBG  Specify a KDBG virtual address (Note: for 64-bit
                        Windows 8 and above this is the address of
                        KdCopyDataBlock)
  --force               Force utilization of suspect profile
  --cookie=COOKIE       Specify the address of nt!ObHeaderCookie (valid for
                        Windows 10 only)
  -k KPCR, --kpcr=KPCR  Specify a specific KPCR address
Supported Plugins

Supported Plugin Commands:
 
    amcache         Print AmCache information
    apihooks        Detect API hooks in process and kernel memory
    apihooksdeep    Detect API hooks in process and kernel memory, with ssdeep for whitelisting
    atoms           Print session and window station atom tables
    atomscan        Pool scanner for atom tables
    attributeht     Find Hacking Team implants and attempt to attribute them using a watermark.
    auditpol        Prints out the Audit Policies from HKLM\SECURITY\Policy\PolAdtEv
    autoruns        Searches the registry and memory space for applications running at system startup and maps them to running processes
    bigpools        Dump the big page pools using BigPagePoolScanner
    bioskbd         Reads the keyboard buffer from Real Mode memory
    cachedump       Dumps cached domain hashes from memory
    callbacks       Print system-wide notification routines
    chromecookies   Scans for and parses potential Chrome cookie data
    chromedownloadchains    Scans for and parses potential Chrome download chain records
    chromedownloads Scans for and parses potential Chrome download records
    chromehistory   Scans for and parses potential Chrome url history
    chromesearchterms   Scans for and parses potential Chrome keyword search terms
    chromevisits    Scans for and parses potential Chrome url visits data -- VERY SLOW, see -Q option
    clipboard       Extract the contents of the windows clipboard
    cmdline         Display process command-line arguments
    cmdscan         Extract command history by scanning for _COMMAND_HISTORY
    connections     Print list of open connections [Windows XP and 2003 Only]
    connscan        Pool scanner for tcp connections
    consoles        Extract command history by scanning for _CONSOLE_INFORMATION
    crashinfo       Dump crash-dump information
    deskscan        Poolscaner for tagDESKTOP (desktops)
    devicetree      Show device tree
    dlldump         Dump DLLs from a process address space
    dlllist         Print list of loaded dlls for each process
    driverbl        Scans memory for driver objects and compares the results with the baseline image
    driverirp       Driver IRP hook detection
    driveritem     
    drivermodule    Associate driver objects to kernel modules
    driverscan      Pool scanner for driver objects
    dumpcerts       Dump RSA private and public SSL keys
    dumpfiles       Extract memory mapped and cached files
    dumpregistry    Dumps registry files out to disk
    editbox         Dumps various data from ComCtl Edit controls (experimental: ListBox, ComboBox)
    envars          Display process environment variables
    eventhooks      Print details on windows event hooks
    evtlogs         Extract Windows Event Logs (XP/2003 only)
    fileitem       
    filescan        Pool scanner for file objects
    firefoxcookies  Scans for and parses potential Firefox cookies (cookies.sqlite moz_cookies table
    firefoxdownloads    Scans for and parses potential Firefox download records -- downloads.sqlite moz_downloads table pre FF26 only
    firefoxhistory  Scans for and parses potential Firefox url history (places.sqlite moz_places table)
    gahti           Dump the USER handle type information
    gditimers       Print installed GDI timers and callbacks
    gdt             Display Global Descriptor Table
    getservicesids  Get the names of services in the Registry and return Calculated SID
    getsids         Print the SIDs owning each process
    handles         Print list of open handles for each process
    hashdump        Dumps passwords hashes (LM/NTLM) from memory
    hibinfo         Dump hibernation file information
    hivedump        Prints out a hive
    hivelist        Print list of registry hives.
    hivescan        Pool scanner for registry hives
    hookitem       
    hpakextract     Extract physical memory from an HPAK file
    hpakinfo        Info on an HPAK file
    idt             Display Interrupt Descriptor Table
    idxparser       Scans for and parses Java IDX files
    iehistory       Reconstruct Internet Explorer cache / history
    imagecopy       Copies a physical address space out as a raw DD image
    imageinfo       Identify information for the image
    impscan         Scan for calls to imported functions
    joblinks        Print process job link information
    kdbgscan        Search for and dump potential KDBG values
    kpcrscan        Search for and dump potential KPCR values
    ldrmodules      Detect unlinked DLLs
    lsadump         Dump (decrypted) LSA secrets from the registry
    machoinfo       Dump Mach-O file format information
    malfind         Find hidden and injected code
    malfinddeep     Find hidden and injected code, whitelist with ssdeep hashes
    malprocfind     Finds malicious processes based on discrepancies from observed, normal behavior and properties
    malsysproc      Find malware hiding in plain sight as system processes
    mbrparser       Scans for and parses potential Master Boot Records (MBRs)
    memdump         Dump the addressable memory for a process
    memmap          Print the memory map
    messagehooks    List desktop and thread window message hooks
    mftparser       Scans for and parses potential MFT entries
    mimikatz        mimikatz offline
    moddump         Dump a kernel driver to an executable file sample
    modscan         Pool scanner for kernel modules
    modules         Print list of loaded modules
    multiscan       Scan for various objects at once
    mutantscan      Pool scanner for mutex objects
    ndispktscan     Extract the packets from memory
    notepad         List currently displayed notepad text
    objtypescan     Scan for Windows object type objects
    openioc_scan    Scan OpenIOC 1.1 based indicators
    openvpn         Extract OpenVPN client credentials (username, password) cached in memory.
    patcher         Patches memory based on page scans
    poolpeek        Configurable pool scanner plugin
    prefetchparser  Scans for and parses potential Prefetch files
    printkey        Print a registry key, and its subkeys and values
    privs           Display process privileges
    procdump        Dump a process to an executable file sample
    processbl       Scans memory for processes and loaded DLLs and compares the results with the baseline
    pslist          Print all running processes by following the EPROCESS lists
    psscan          Pool scanner for process objects
    pstotal         Combination of pslist,psscan & pstree --output=dot gives graphical representation
    pstree          Print process list as a tree
    psxview         Find hidden processes with various process listings
    qemuinfo        Dump Qemu information
    raw2dmp         Converts a physical memory sample to a windbg crash dump
    registryitem   
    rsakey          Extract base64/PEM encoded private RSA keys from physical memory.
    schtasks        Scans for and parses potential Scheduled Task (.JOB) files
    screenshot      Save a pseudo-screenshot based on GDI windows
    servicebl       Scans memory for service objects and compares the results with the baseline image
    servicediff     List Windows services (ala Plugx)
    serviceitem    
    sessions        List details on _MM_SESSION_SPACE (user logon sessions)
    shellbags       Prints ShellBags info
    shimcache       Parses the Application Compatibility Shim Cache registry key
    shimcachemem    Parses the Application Compatibility Shim Cache stored in kernel memory
    shutdowntime    Print ShutdownTime of machine from registry
    sockets         Print list of open sockets
    sockscan        Pool scanner for tcp socket objects
    ssdeepscan      Scan process or kernel memory with SSDeep signatures
    ssdt            Display SSDT entries
    strings         Match physical offsets to virtual addresses (may take a while, VERY verbose)
    svcscan         Scan for Windows services
    symlinkscan     Pool scanner for symlink objects
    thrdscan        Pool scanner for thread objects
    threads         Investigate _ETHREAD and _KTHREADs
    timeliner       Creates a timeline from various artifacts in memory
    timers          Print kernel timers and associated module DPCs
    truecryptmaster Recover TrueCrypt 7.1a Master Keys
    truecryptpassphrase TrueCrypt Cached Passphrase Finder
    truecryptsummary    TrueCrypt Summary
    trustrecords    Extract MS Office TrustRecords from the Registry
    uninstallinfo   Extract installed software info from Uninstall registry key
    unloadedmodules Print list of unloaded modules
    userassist      Print userassist registry keys and information
    userhandles     Dump the USER handle tables
    usnparser       Scans for and parses USN journal records
    vaddump         Dumps out the vad sections to a file
    vadinfo         Dump the VAD info
    vadtree         Walk the VAD tree and display in tree format
    vadwalk         Walk the VAD tree
    vboxinfo        Dump virtualbox information
    verinfo         Prints out the version information from PE images
    vmwareinfo      Dump VMware VMSS/VMSN information
    volshell        Shell in the memory image
    windows         Print Desktop Windows (verbose details)
    wintree         Print Z-Order Desktop Windows Tree
    wndscan         Pool scanner for window stations
    yarascan        Scan process or kernel memory with Yara signatures

Examples

Find the correct profile to use

This command will scan the memory image and attempt to guess the correct profile to use:

root@siftworkstation:~# vol.py -f ./win7-32-nromanoff-memory-raw.001 imageinfo
Volatility Foundation Volatility Framework 2.5
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : Win7SP0x86, Win7SP1x86
                     AS Layer1 : IA32PagedMemoryPae (Kernel AS)
                     AS Layer2 : FileAddressSpace (/home/sansforensics/netwars/win7-32-nromanoff-memory/win7-32-nromanoff-memory-raw.001)
                      PAE type : PAE
                           DTB : 0x185000L
                          KDBG : 0x82d29c28L
          Number of Processors : 1
     Image Type (Service Pack) : 1
                KPCR for CPU 0 : 0x82d2ac00L
             KUSER_SHARED_DATA : 0xffdf0000L
           Image date and time : 2012-04-06 20:52:46 UTC+0000
     Image local date and time : 2012-04-06 16:52:46 -0400
vol.py -f <image> --profile=<profile> pslist

This command lists the running processes by walking the kernel's EPROCESS list (processes unlinked from that list need psscan or psxview):

root@siftworkstation:~# vol.py -f ./win7-32-nromanoff-memory-raw.001 --profile=Win7SP0x86 pslist
Volatility Foundation Volatility Framework 2.5
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit                         
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x85c50958 System                    4      0    105      532 ------      0 2012-04-04 11:47:29 UTC+0000                                
0x86ecaa70 smss.exe                280      4      3       32 ------      0 2012-04-04 11:47:29 UTC+0000                                
0x86cfa540 csrss.exe               412    404      9      756      0      0 2012-04-04 11:47:41 UTC+0000                                
0x87d85d40 wininit.exe             464    404      3       74      0      0 2012-04-04 11:47:44 UTC+0000                                
0x86e7f030 csrss.exe               472    456      9       75      1      0 2012-04-04 11:47:44 UTC+0000                                
0x87d8fd40 winlogon.exe            520    456      3       91      1      0 2012-04-04 11:47:44 UTC+0000                                
0x87f68030 services.exe            564    464      7      243      0      0 2012-04-04 11:47:45 UTC+0000                                
0x87f79600 lsass.exe               592    464      8      888      0      0 2012-04-04 11:47:46 UTC+0000                                
0x87f8c030 lsm.exe                 600    464     10      248      0      0 2012-04-04 11:47:46 UTC+0000                                
0x87fc5590 svchost.exe             704    564     11      358      0      0 2012-04-04 11:47:48 UTC+0000                                
0x87fee6d0 svchost.exe             780    564      6      277      0      0 2012-04-04 11:47:51 UTC+0000                                
0x88000d40 svchost.exe             820    564     18      469      0      0 2012-04-04 11:47:51 UTC+0000                                
0x8800e178 LogonUI.exe             880    520      7      197      1      0 2012-04-04 11:47:51 UTC+0000                                
0x880308e8 svchost.exe             920    564     18      495      0      0 2012-04-04 11:47:51 UTC+0000                                
0x88047a58 svchost.exe             944    564     31     1213      0      0 2012-04-04 11:47:52 UTC+0000                                
0x880462b8 svchost.exe            1032    564     17      394      0      0 2012-04-04 11:47:52 UTC+0000                                
0x880a0758 svchost.exe            1184    564     20      634      0      0 2012-04-04 11:48:00 UTC+0000                                
0x88070d40 spoolsv.exe            1308    564     13      328      0      0 2012-04-04 11:48:03 UTC+0000                                
0x880e7030 svchost.exe            1344    564     17      295      0      0 2012-04-04 11:48:03 UTC+0000                                
0x88120658 armsvc.exe             1456    564      4       61      0      0 2012-04-04 11:48:04 UTC+0000                                
0x88145b38 FireSvc.exe            1516    564     22      355      0      0 2012-04-04 11:48:05 UTC+0000                                
0x881b8030 McSACore.exe           1604    564     11      199      0      0 2012-04-04 11:48:08 UTC+0000                                
0x881b4900 FireTray.exe           1624   1516      0 --------      0      0 2012-04-04 11:48:09 UTC+0000   2012-04-04 11:48:10 UTC+0000 
0x881dd770 FrameworkServi         1740    564     31      426      0      0 2012-04-04 11:48:10 UTC+0000                                
0x8820bd40 VsTskMgr.exe           1796    564     21      365      0      0 2012-04-04 11:48:11 UTC+0000                                
0x88227358 mfevtps.exe            1824    564      5      171      0      0 2012-04-04 11:48:12 UTC+0000                                
0x8821a660 mfeann.exe             1872   1796     14      181      0      0 2012-04-04 11:48:12 UTC+0000                                
0x88220d40 conhost.exe            1880    412      2       30      0      0 2012-04-04 11:48:12 UTC+0000                                
0x88235cf8 VMwareService.         1964    564      7      192      0      0 2012-04-04 11:48:14 UTC+0000                                
0x8824cd40 naPrdMgr.exe            200    704      8      252      0      0 2012-04-04 11:48:15 UTC+0000                                
0x88263648 mcshield.exe            332    564     28      459      0      0 2012-04-04 11:48:15 UTC+0000                                
0x8827d9f0 mfefire.exe             456    564      7      108      0      0 2012-04-04 11:48:23 UTC+0000                                
0x88295900 VMUpgradeHelpe          888    564      4       87      0      0 2012-04-04 11:48:24 UTC+0000                                
0x8842a4b8 svchost.exe            2980    564     12      198      0      0 2012-04-04 11:50:42 UTC+0000                                
0x885561f8 SearchIndexer.         3092    564     14      992      0      0 2012-04-04 11:50:46 UTC+0000                                
0x862709a0 csrss.exe              2132   3112      9      271      2      0 2012-04-04 14:45:30 UTC+0000                                
0x8617bd40 winlogon.exe           3836   3112      3      112      2      0 2012-04-04 14:45:30 UTC+0000                                
0x85dbcb48 taskhost.exe           1108    564      9      290      2      0 2012-04-04 14:45:43 UTC+0000                                
0x861bb8f0 rdpclip.exe            2408   1184      4       88      2      0 2012-04-04 14:45:43 UTC+0000                                
0x8625b030 dwm.exe                3924    920      3       67      2      0 2012-04-04 14:45:44 UTC+0000                                
0x8622b4b8 explorer.exe            296   2392     22      853      2      0 2012-04-04 14:45:45 UTC+0000                                
0x861d4520 VMwareTray.exe         3780    296      5       65      2      0 2012-04-04 14:45:46 UTC+0000                                
0x861b6518 VMwareUser.exe         3804    296      3       77      2      0 2012-04-04 14:45:46 UTC+0000                                
0x86272d40 UdaterUI.exe           2944   1740      6      109      2      0 2012-04-04 14:49:35 UTC+0000                                
0x863c8030 McTray.exe             2864   2944     23      341      2      0 2012-04-04 14:49:35 UTC+0000                                
0x85f98728 a.exe                  3264   3440      0 --------      2      0 2012-04-04 14:57:52 UTC+0000   2012-04-04 18:40:58 UTC+0000 
0x85e24030 OSPPSVC.EXE            4040    564      3      134      0      0 2012-04-04 15:42:01 UTC+0000                                
0x861d93a0 cmd.exe                3472   3264      0 --------      2      0 2012-04-04 15:47:47 UTC+0000   2012-04-04 15:49:07 UTC+0000 
0x862bfa40 spinlock.exe           3796   3472      0 --------      2      0 2012-04-04 15:48:18 UTC+0000   2012-04-04 18:43:25 UTC+0000 
0x8654c4a8 spinlock.exe           1208   3796      0 --------      2      0 2012-04-04 15:48:18 UTC+0000   2012-04-04 18:43:25 UTC+0000 
0x860f2578 cmd.exe                 208   1208      1       31      2      0 2012-04-04 18:43:24 UTC+0000                                
0x86136a60 conhost.exe            2840   2132      2       28      2      0 2012-04-04 18:43:25 UTC+0000                                
0x864e57c8 PSEXESVC.EXE           2100    564      6      104      0      0 2012-04-04 18:52:11 UTC+0000                                
0x862a4d40 svchost.exe            3612   2100      0 --------      0      0 2012-04-04 18:52:11 UTC+0000   2012-04-05 13:25:07 UTC+0000 
0x862bb290 spinlock.exe           2956   2100      1       26      0      0 2012-04-04 18:54:51 UTC+0000                                
0x86383c18 spinlock.exe           1328   2956      2      128      0      0 2012-04-04 18:54:51 UTC+0000                                
0x86d2b578 a.exe                  5008   4212      0 --------      0      0 2012-04-06 13:19:34 UTC+0000   2012-04-06 16:58:26 UTC+0000 
0x862f9a58 cmd.exe                5192   5008      1       28      0      0 2012-04-06 14:03:11 UTC+0000                                
0x86a1c8b8 conhost.exe            3408    412      2       31      0      0 2012-04-06 14:03:11 UTC+0000                                
0x8649d880 svchost.exe            6404   2100      8      256      0      0 2012-04-06 19:22:20 UTC+0000                                
0x86eeb430 f-response-ent         7776    564      8       75      0      0 2012-04-06 20:34:42 UTC+0000                                
0x85dde298 svchost.exe            5176    564      5       90      0      0 2012-04-06 20:34:44 UTC+0000
vol.py -f <image> --profile=<profile> netscan

This command scans memory for network sockets and connections and shows the process that owns each one:

root@siftworkstation:~# vol.py -f ./win7-32-nromanoff-memory-raw.001 --profile=Win7SP0x86 netscan
Volatility Foundation Volatility Framework 2.5
Offset(P)          Proto    Local Address                  Foreign Address      State            Pid      Owner          Created
0x4fb90e0          UDPv4    0.0.0.0:0                      *:*                                   456      mfefire.exe    2012-04-04 11:48:37 UTC+0000
0x4fb90e0          UDPv6    :::0                           *:*                                   456      mfefire.exe    2012-04-04 11:48:37 UTC+0000
0x7d8e1b20         UDPv4    0.0.0.0:8082                   *:*                                   1740     FrameworkServi 2012-04-04 11:48:26 UTC+0000
0x7d8e2d38         UDPv4    0.0.0.0:8082                   *:*                                   1740     FrameworkServi 2012-04-04 11:48:26 UTC+0000
0x7d8e2d38         UDPv6    :::8082                        *:*                                   1740     FrameworkServi 2012-04-04 11:48:26 UTC+0000
0x7d931120         UDPv4    0.0.0.0:0                      *:*                                   456      mfefire.exe    2012-04-04 11:48:37 UTC+0000
0x7d946818         UDPv4    0.0.0.0:0                      *:*                                   1032     svchost.exe    2012-04-04 11:48:38 UTC+0000
0x7d947330         UDPv4    0.0.0.0:0                      *:*                                   1032     svchost.exe    2012-04-04 11:48:38 UTC+0000
0x7d947330         UDPv6    :::0                           *:*                                   1032     svchost.exe    2012-04-04 11:48:38 UTC+0000
0x7d984e20         UDPv4    0.0.0.0:123                    *:*                                   1032     svchost.exe    2012-04-04 11:48:39 UTC+0000
0x7d985bb0         UDPv4    0.0.0.0:123                    *:*                                   1032     svchost.exe    2012-04-04 11:48:39 UTC+0000
0x7d985bb0         UDPv6    :::123                         *:*                                   1032     svchost.exe    2012-04-04 11:48:39 UTC+0000
0x7d8b0b50         TCPv4    0.0.0.0:445                    0.0.0.0:0            LISTENING        4        System        
0x7d8b0b50         TCPv6    :::445                         :::0                 LISTENING        4        System        
0x7d8df2a8         TCPv4    0.0.0.0:8081                   0.0.0.0:0            LISTENING        1740     FrameworkServi
0x7d8e1ea8         TCPv4    0.0.0.0:8081                   0.0.0.0:0            LISTENING        1740     FrameworkServi
0x7d8e1ea8         TCPv6    :::8081                        :::0                 LISTENING        1740     FrameworkServi
0x7d93ca70         TCPv4    0.0.0.0:49186                  0.0.0.0:0            LISTENING        564      services.exe  
0x7d93ca70         TCPv6    :::49186                       :::0                 LISTENING        564      services.exe  
0x7d969ec0         TCPv4    0.0.0.0:3389                   0.0.0.0:0            LISTENING        1184     svchost.exe   
0x7d96e308         TCPv4    0.0.0.0:3389                   0.0.0.0:0            LISTENING        1184     svchost.exe   
0x7d96e308         TCPv6    :::3389                        :::0                 LISTENING        1184     svchost.exe   
0x7dab56c0         UDPv4    0.0.0.0:5355                   *:*                                   1184     svchost.exe    2012-04-04 11:48:00 UTC+0000
0x7dab6208         UDPv4    0.0.0.0:0                      *:*                                   1184     svchost.exe    2012-04-04 11:48:00 UTC+0000
0x7dab6208         UDPv6    :::0                           *:*                                   1184     svchost.exe    2012-04-04 11:48:00 UTC+0000
0x7daf8960         UDPv4    0.0.0.0:0                      *:*                                   592      lsass.exe      2012-04-04 11:48:04 UTC+0000
0x7daf8960         UDPv6    :::0                           *:*                                   592      lsass.exe      2012-04-04 11:48:04 UTC+0000
0x7db136a0         UDPv4    127.0.0.1:55829                *:*                                   592      lsass.exe      2012-04-04 11:48:04 UTC+0000
0x7db17770         UDPv4    127.0.0.1:55827                *:*                                   1184     svchost.exe    2012-04-04 11:48:04 UTC+0000
0x7db24ac8         UDPv4    0.0.0.0:0                      *:*                                   592      lsass.exe      2012-04-04 11:48:04 UTC+0000
0x7db24ac8         UDPv6    :::0                           *:*                                   592      lsass.exe      2012-04-04 11:48:04 UTC+0000
0x7db2a008         UDPv4    0.0.0.0:0                      *:*                                   592      lsass.exe      2012-04-04 11:48:04 UTC+0000
0x7db2a008         UDPv6    :::0                           *:*                                   592      lsass.exe      2012-04-04 11:48:04 UTC+0000
0x7db2af50         UDPv4    0.0.0.0:0                      *:*                                   592      lsass.exe      2012-04-04 11:48:04 UTC+0000
0x7db31320         UDPv4    0.0.0.0:0                      *:*                                   592      lsass.exe      2012-04-04 11:48:04 UTC+0000
0x7db36008         UDPv4    127.0.0.1:55832                *:*                                   944      svchost.exe    2012-04-04 11:48:04 UTC+0000
0x7da02898         TCPv4    0.0.0.0:49152                  0.0.0.0:0            LISTENING        464      wininit.exe   
0x7da03298         TCPv4    0.0.0.0:135                    0.0.0.0:0            LISTENING        780      svchost.exe   
0x7da03298         TCPv6    :::135                         :::0                 LISTENING        780      svchost.exe   
0x7da223e8         TCPv4    0.0.0.0:49153                  0.0.0.0:0            LISTENING        820      svchost.exe   
0x7da25648         TCPv4    0.0.0.0:49153                  0.0.0.0:0            LISTENING        820      svchost.exe   
0x7da25648         TCPv6    :::49153                       :::0                 LISTENING        820      svchost.exe   
0x7da96700         TCPv4    0.0.0.0:49154                  0.0.0.0:0            LISTENING        592      lsass.exe     
0x7da96700         TCPv6    :::49154                       :::0                 LISTENING        592      lsass.exe     
0x7da96de8         TCPv4    0.0.0.0:49154                  0.0.0.0:0            LISTENING        592      lsass.exe     
0x7dad06f0         TCPv4    0.0.0.0:49155                  0.0.0.0:0            LISTENING        944      svchost.exe   
0x7dad2430         TCPv4    0.0.0.0:49155                  0.0.0.0:0            LISTENING        944      svchost.exe   
0x7dad2430         TCPv6    :::49155                       :::0                 LISTENING        944      svchost.exe   
0x7ddf35a0         TCPv4    0.0.0.0:135                    0.0.0.0:0            LISTENING        780      svchost.exe   
0x7ddfb440         TCPv4    0.0.0.0:49152                  0.0.0.0:0            LISTENING        464      wininit.exe   
0x7ddfb440         TCPv6    :::49152                       :::0                 LISTENING        464      wininit.exe   
0x7db4cc10         TCPv4    -:62342                        -:80                 CLOSED           1184     svchost.exe   
0x7ec1f2b8         UDPv4    10.3.58.5:138                  *:*                                   4        System         2012-04-04 11:47:39 UTC+0000
0x7eccb7c8         UDPv4    10.3.58.5:137                  *:*                                   4        System         2012-04-04 11:47:39 UTC+0000
0x7ed807e0         TCPv4    0.0.0.0:49186                  0.0.0.0:0            LISTENING        564      services.exe  
0x7ed974b0         TCPv4    10.3.58.5:139                  0.0.0.0:0            LISTENING        4        System        
0x7f463770         UDPv4    127.0.0.1:1900                 *:*                                   2980     svchost.exe    2012-04-04 19:40:36 UTC+0000
0x7f476008         UDPv4    127.0.0.1:49724                *:*                                   2980     svchost.exe    2012-04-04 19:40:36 UTC+0000
0x7f476b40         UDPv6    ::1:49722                      *:*                                   2980     svchost.exe    2012-04-04 19:40:36 UTC+0000
0x7f47b880         UDPv4    10.3.58.5:1900                 *:*                                   2980     svchost.exe    2012-04-04 19:40:36 UTC+0000
0x7f4e5548         UDPv4    10.3.58.5:49723                *:*                                   2980     svchost.exe    2012-04-04 19:40:36 UTC+0000
0x7f5b5248         UDPv4    10.3.58.5:55261                *:*                                   7816     Skype.exe      2012-04-06 19:44:03 UTC+0000
0x7eec5a58         TCPv4    -:62344                        -:443                CLOSED           7816     Skype.exe     
0x7ef2b988         TCPv4    10.3.58.5:62619                10.3.58.4:445        CLOSED           4        System        
0x7f451df8         TCPv4    -:62331                        224.0.0.252:443      CLOSED           7816     Skype.exe     
0x7f60adf8         TCPv4    127.0.0.1:5678                 127.0.0.1:62608      CLOSED           6404     svchost.exe   
0x7f632008         TCPv4    -:62336                        69.171.229.13:443    CLOSED           7816     Skype.exe     
0x7f67a448         TCPv4    -:139                          12.190.135.235:2264  CLOSED           4        System        
0x7f693140         TCPv4    10.3.58.5:62567                10.3.58.255:80       CLOSED           6404     svchost.exe   
0x7f6fb448         TCPv4    10.3.58.5:62617                10.3.58.4:445        CLOSED           4        System        
0x7f7492f0         TCPv4    10.3.58.5:62294                10.3.58.9:135        CLOSED           4172     taskhost.exe  
0x7f760a08         TCPv4    10.3.58.5:62295                10.3.58.9:49156      CLOSED           4172     taskhost.exe  
0x7f899400         UDPv4    127.0.0.1:49290                *:*                                   1108     taskhost.exe   2012-04-04 14:45:46 UTC+0000
0x7f940568         UDPv6    ::1:1900                       *:*                                   2980     svchost.exe    2012-04-04 19:40:36 UTC+0000
0x7fd46238         UDPv4    0.0.0.0:0                      *:*                                   5176     svchost.exe    2012-04-06 20:34:44 UTC+0000
0x7fd9f688         UDPv4    0.0.0.0:0                      *:*                                   5176     svchost.exe    2012-04-06 20:34:44 UTC+0000
0x7fd9f688         UDPv6    :::0                           *:*                                   5176     svchost.exe    2012-04-06 20:34:44 UTC+0000
0x7f947098         TCPv4    0.0.0.0:3260                   0.0.0.0:0            LISTENING        7776     f-response-ent
0x7ff175f8         TCPv4    127.0.0.1:5678                 0.0.0.0:0            LISTENING        6404     svchost.exe   
0x7f837580         TCPv4    10.3.58.5:49805                10.3.58.9:445        ESTABLISHED      4        System        
0x7f89a1d0         TCPv4    10.3.58.5:50817                199.73.28.114:443    CLOSED           1328     spinlock.exe  
0x7f8c8008         TCPv4    10.3.58.5:62421                10.3.58.9:135        CLOSED           592      lsass.exe     
0x7f8f8008         TCPv4    10.3.58.5:62333                10.3.16.5:443        CLOSED           7816     Skype.exe     
0x7fa47008         TCPv4    -:62334                        184.51.253.195:443   CLOSED           7816     Skype.exe     
0x7fa559f8         TCPv4    -:62335                        184.51.255.240:443   CLOSED           7816     Skype.exe     
0x7fc6e318         TCPv4    10.3.58.5:3260                 10.3.16.5:48351      ESTABLISHED      7776     f-response-ent
0x7fe9b278         TCPv4    10.3.58.5:62380                10.3.58.9:445        CLOSED           4        System

vol.py imagecopy -f hiberfil.sys -O hiber.raw

This command decompresses a hibernation file (hiberfil.sys) into a raw memory dump that can then be analyzed like any other memory image:

root@siftworkstation:~# vol.py imagecopy -f /mnt/romanoff/hiberfil.sys -O hiber.raw
Volatility Foundation Volatility Framework 2.5
Writing data (5.00 MB chunks): |....................................................................................................................................................................................................................................................................................................................|

Blog Posts

Rekall

Description

A Python memory analysis framework that can be difficult to install and set up.

Platform: Python
Author: Rekall Forensics
License: GPLv2
URL: http://www.rekall-forensic.com/

Usage

usage: rekal [-p PROFILE] [-v] [-q] [--debug] [--output_style {concise,full}]
             [--logging_level {DEBUG,INFO,WARNING,ERROR,CRITICAL}]
             [--pager PAGER] [--paging_limit PAGING_LIMIT]
             [--colors {auto,yes,no}] [-F {text,json,wide,test,data}]
             [--plugin [PLUGIN [PLUGIN ...]]] [-h]
             [--cache {file,memory,timed}]
             [--repository_path [REPOSITORY_PATH [REPOSITORY_PATH ...]]]
             [-f FILENAME] [--buffer_size BUFFER_SIZE] [--output OUTPUT]
             [--max_collector_cost MAX_COLLECTOR_COST] [--home HOME]
             [--logging_format LOGGING_FORMAT]
             [--performance {normal,fast,thorough}] [--dtb DTB]
             [-o FILE_OFFSET] [--ept EPT [EPT ...]] [--timezone TIMEZONE]
             [--cache_dir CACHE_DIR]
             [--name_resolution_strategies [{Module,Symbol,Export} [{Module,Symbol,Export} ...]]]
             [--autodetect_build_local_tracked [AUTODETECT_BUILD_LOCAL_TRACKED [AUTODETECT_BUILD_LOCAL_TRACKED ...]]]
             [--pagefile [PAGEFILE [PAGEFILE ...]]]
             [--autodetect {linux_index,nt_index,osx,pe,windows_kernel_file,rsds,ntfs,linux} [{linux_index,nt_index,osx,pe,windows_kernel_file,rsds,ntfs,linux} ...]]
             [--autodetect_threshold AUTODETECT_THRESHOLD]
             [--autodetect_build_local {full,basic,none}]
             [--autodetect_scan_length AUTODETECT_SCAN_LENGTH] [--live]
             [--version] [-]

Examples

rekal -f <image> pslist

The following output is from running the pslist plugin inside Rekall:

root@siftworkstation:~# rekal -f win7-32-nromanoff-memory-raw.001 pslist
2021-07-25 21:43:58,349:WARNING:rekall.1:Inventory for repository "http://profiles.rekall-forensic.com" seems malformed. Are you behind a captive portal or proxy? If this is a custom repository, did you forget to create an inventory? You must use the tools/profiles/build_profile_repo.py tool with the --inventory flag.
2021-07-25 21:43:58,349:WARNING:rekall.1:Repository http://profiles.rekall-forensic.com will be disabled.
2021-07-25 21:43:58,422:WARNING:rekall.1:Unable to parse profile section $CONSTANT_TYPES
2021-07-25 21:43:58,423:WARNING:rekall.1:Unable to parse profile section $CONSTANT_TYPES
_EPROCESS          Name          PID   PPID   Thds    Hnds    Sess  Wow64           Start                     Exit         
---------- -------------------- ----- ------ ------ -------- ------ ------ ------------------------ ------------------------
0x85c50958 System                   4      0    105      532      - False  2012-04-04 11:47:29Z     -                      
0x8824cd40 naPrdMgr.exe           200    704      8      252      0 False  2012-04-04 11:48:15Z     -                      
0x860f2578 cmd.exe                208   1208      1       31      2 False  2012-04-04 18:43:24Z     -                      
0x86ecaa70 smss.exe               280      4      3       32      - False  2012-04-04 11:47:29Z     -                      
0x8622b4b8 explorer.exe           296   2392     22      853      2 False  2012-04-04 14:45:45Z     -                      
0x88263648 mcshield.exe           332    564     28      459      0 False  2012-04-04 11:48:15Z     -                      
0x86cfa540 csrss.exe              412    404      9      756      0 False  2012-04-04 11:47:41Z     -                      
0x8827d9f0 mfefire.exe            456    564      7      108      0 False  2012-04-04 11:48:23Z     -                      
0x87d85d40 wininit.exe            464    404      3       74      0 False  2012-04-04 11:47:44Z     -                      
0x86e7f030 csrss.exe              472    456      9       75      1 False  2012-04-04 11:47:44Z     -                      
0x87d8fd40 winlogon.exe           520    456      3       91      1 False  2012-04-04 11:47:44Z     -                      
0x87f68030 services.exe           564    464      7      243      0 False  2012-04-04 11:47:45Z     -                      
0x87f79600 lsass.exe              592    464      8      888      0 False  2012-04-04 11:47:46Z     -                      
0x87f8c030 lsm.exe                600    464     10      248      0 False  2012-04-04 11:47:46Z     -                      
0x87fc5590 svchost.exe            704    564     11      358      0 False  2012-04-04 11:47:48Z     -                      
0x87fee6d0 svchost.exe            780    564      6      277      0 False  2012-04-04 11:47:51Z     -                      
0x88000d40 svchost.exe            820    564     18      469      0 False  2012-04-04 11:47:51Z     -                      
0x8800e178 LogonUI.exe            880    520      7      197      1 False  2012-04-04 11:47:51Z     -                      
0x88295900 VMUpgradeHelpe         888    564      4       87      0 False  2012-04-04 11:48:24Z     -                      
0x880308e8 svchost.exe            920    564     18      495      0 False  2012-04-04 11:47:51Z     -                      
0x88047a58 svchost.exe            944    564     31     1213      0 False  2012-04-04 11:47:52Z     -                      
0x880462b8 svchost.exe           1032    564     17      394      0 False  2012-04-04 11:47:52Z     -                      
0x85dbcb48 taskhost.exe          1108    564      9      290      2 False  2012-04-04 14:45:43Z     -                      
0x880a0758 svchost.exe           1184    564     20      634      0 False  2012-04-04 11:48:00Z     -                      
0x8654c4a8 spinlock.exe          1208   3796      0        -      2 False  2012-04-04 15:48:18Z     2012-04-04 18:43:25Z   
0x88070d40 spoolsv.exe           1308    564     13      328      0 False  2012-04-04 11:48:03Z     -                      
0x86383c18 spinlock.exe          1328   2956      2      128      0 False  2012-04-04 18:54:51Z     -                      
0x880e7030 svchost.exe           1344    564     17      295      0 False  2012-04-04 11:48:03Z     -                      
0x88120658 armsvc.exe            1456    564      4       61      0 False  2012-04-04 11:48:04Z     -                      
0x88145b38 FireSvc.exe           1516    564     22      355      0 False  2012-04-04 11:48:05Z     -                      
0x881b8030 McSACore.exe          1604    564     11      199      0 False  2012-04-04 11:48:08Z     -                      
0x881b4900 FireTray.exe          1624   1516      0        -      0 False  2012-04-04 11:48:09Z     2012-04-04 11:48:10Z   
0x881dd770 FrameworkServi        1740    564     31      426      0 False  2012-04-04 11:48:10Z     -                      
0x8820bd40 VsTskMgr.exe          1796    564     21      365      0 False  2012-04-04 11:48:11Z     -                      
0x88227358 mfevtps.exe           1824    564      5      171      0 False  2012-04-04 11:48:12Z     -                      
0x8821a660 mfeann.exe            1872   1796     14      181      0 False  2012-04-04 11:48:12Z     -                      
0x88220d40 conhost.exe           1880    412      2       30      0 False  2012-04-04 11:48:12Z     -                      
0x88235cf8 VMwareService.        1964    564      7      192      0 False  2012-04-04 11:48:14Z     -                      
0x864e57c8 PSEXESVC.EXE          2100    564      6      104      0 False  2012-04-04 18:52:11Z     -                      
0x862709a0 csrss.exe             2132   3112      9      271      2 False  2012-04-04 14:45:30Z     -                      
0x861bb8f0 rdpclip.exe           2408   1184      4       88      2 False  2012-04-04 14:45:43Z     -                      
0x86136a60 conhost.exe           2840   2132      2       28      2 False  2012-04-04 18:43:25Z     -                      
0x863c8030 McTray.exe            2864   2944     23      341      2 False  2012-04-04 14:49:35Z     -                      
0x86272d40 UdaterUI.exe          2944   1740      6      109      2 False  2012-04-04 14:49:35Z     -                      
0x862bb290 spinlock.exe          2956   2100      1       26      0 False  2012-04-04 18:54:51Z     -                      
0x8842a4b8 svchost.exe           2980    564     12      198      0 False  2012-04-04 11:50:42Z     -                      
0x885561f8 SearchIndexer.        3092    564     14      992      0 False  2012-04-04 11:50:46Z     -                      
0x85f98728 a.exe                 3264   3440      0        -      2 False  2012-04-04 14:57:52Z     2012-04-04 18:40:58Z   
0x86a1c8b8 conhost.exe           3408    412      2       31      0 False  2012-04-06 14:03:11Z     -                      
0x861d93a0 cmd.exe               3472   3264      0        -      2 False  2012-04-04 15:47:47Z     2012-04-04 15:49:07Z   
0x862a4d40 svchost.exe           3612   2100      0        -      0 False  2012-04-04 18:52:11Z     2012-04-05 13:25:07Z   
0x861d4520 VMwareTray.exe        3780    296      5       65      2 False  2012-04-04 14:45:46Z     -                      
0x862bfa40 spinlock.exe          3796   3472      0        -      2 False  2012-04-04 15:48:18Z     2012-04-04 18:43:25Z   
0x861b6518 VMwareUser.exe        3804    296      3       77      2 False  2012-04-04 14:45:46Z     -                      
0x8617bd40 winlogon.exe          3836   3112      3      112      2 False  2012-04-04 14:45:30Z     -                      
0x8625b030 dwm.exe               3924    920      3       67      2 False  2012-04-04 14:45:44Z     -                      
0x85e24030 OSPPSVC.EXE           4040    564      3      134      0 False  2012-04-04 15:42:01Z     -                      
0x86d2b578 a.exe                 5008   4212      0        -      0 False  2012-04-06 13:19:34Z     2012-04-06 16:58:26Z   
0x85dde298 svchost.exe           5176    564      5       90      0 False  2012-04-06 20:34:44Z     -                      
0x862f9a58 cmd.exe               5192   5008      1       28      0 False  2012-04-06 14:03:11Z     -                      
0x8649d880 svchost.exe           6404   2100      8      256      0 False  2012-04-06 19:22:20Z     -                      
0x86eeb430 f-response-ent        7776    564      8       75      0 False  2012-04-06 20:34:42Z     -

rekal -f <image> messagehooks

This command lists the Windows message hooks installed in each session and is useful for identifying keyloggers (for example, a WH_KEYBOARD_LL hook owned by an unexpected process or module):

root@siftworkstation:~# rekal -f ./Post_Malware.raw messagehooks
2021-08-05 01:11:02,745:WARNING:rekall.1:Inventory for repository "http://profiles.rekall-forensic.com" seems malformed. Are you behind a captive portal or proxy? If this is a custom repository, did you forget to create an inventory? You must use the tools/profiles/build_profile_repo.py tool with the --inventory flag.
2021-08-05 01:11:02,746:WARNING:rekall.1:Repository http://profiles.rekall-forensic.com will be disabled.
  tagHOOK(V)   Sess             Owner                          Thread                 Filter        Flags       Function    Module
-------------- ---- ------------------------------ ------------------------------ --------------- ---------- -------------- ------
0xf900c06011d0 0    wininit.exe (388)              <any>                          WH_CALLWNDPROC                     0x12d8 C:\Windows\system32\wls0wndh.dll
0xf900c0620ce0 1    SysNative.exe (2676)           <any>                          WH_KEYBOARD_LL                   0xf013c0 sysnative+0x13c0
0xf900c06254f0 1    conhost.exe (352)              2016 (conhost.exe 352)         WH_MSGFILTER                   0xff350ed0 conhost!DialogHookProc

Blog Posts