- Android
- bc
- binwalk
- capa
- cabextract
- dd
- emlAnalyzer
- exiftool
- file
- FOREMOST
- git-dumper
- Git
- HEX
- inetsim
- iOS
- Jamovi
- lnkparse
- ltrace
- memdump
- MemProcFS
- Microsoft Windows
- Monitor Filesystem Changes
- msiinfo
- oletools
- pngcheck
- steg_brute
- Steghide
- strings
- Sysinternals
- usbrip
- Volatility
- xxd
- zsteg
| Name | Description | URL |
|---|---|---|
| BinDiff | Quickly find differences and similarities in disassembled code | https://github.com/google/bindiff |
| CAPA | The FLARE team's open-source tool to identify capabilities in executable files. | https://github.com/mandiant/capa |
| Cheatsheet: Linux Forensics Analysis | Cheat sheet to use during Linux forensics. | https://fareedfauzi.github.io/2024/03/29/Linux-Forensics-cheatsheet.html |
| Cheatsheet: Windows Forensics Analysis | Cheat sheet to use during Windows forensics. | https://fareedfauzi.github.io/2023/12/22/Windows-Forensics-checklist-cheatsheet.html |
| Depix | Recovers passwords from pixelized screenshots | https://github.com/spipm/Depix |
| FLOSS | FLARE Obfuscated String Solver - Automatically extract obfuscated strings from malware. | https://github.com/mandiant/flare-floss |
| FOREMOST | Foremost is a console program to recover files based on their headers, footers, and internal data structures. | https://github.com/korczis/foremost |
| kbd-audio | Acoustic keyboard eavesdropping | https://github.com/ggerganov/kbd-audio |
| oletools | Python tools to analyze MS OLE2 files (Structured Storage, Compound File Binary Format) and MS Office documents, for malware analysis, forensics and debugging. | https://github.com/decalage2/oletools |
| MemProcFS | MemProcFS is an easy and convenient way of viewing physical memory as files in a virtual file system. | https://github.com/ufrisk/MemProcFS |
| Process Hacker | A free, powerful, multi-purpose tool that helps you monitor system resources, debug software and detect malware. | https://process-hacker.com |
| Process Monitor | Process Monitor is an advanced monitoring tool for Windows that shows real-time file system, Registry and process/thread activity. | https://learn.microsoft.com/en-us/sysinternals/downloads/procmon |
| Regshot | Regshot is a small, free and open-source registry compare utility that allows you to quickly take a snapshot of your registry and then compare it with a second one - done after doing system changes or installing a new software product | https://github.com/Seabreg/Regshot |
| scdbg | Visual Studio 2008 port of the libemu library that includes scdbg.exe, a modification of the sctest project, that includes more hooks, interactive debugging, reporting features, and ability to work with file format exploit shellcode. Will run under WINE | https://github.com/dzzie/VS_LIBEMU |
| Steghide | Brute-force tool for Steghide: tries a wordlist of passphrases against a file that carries password-protected hidden data. | https://github.com/Va5c0/Steghide-Brute-Force-Tool |
| Sysinternals Live | Directory listing of live.sysinternals.com, the web-hosted copy of the Sysinternals tools. | https://live.sysinternals.com |
| Sysinternals Suite | The Sysinternals Troubleshooting Utilities have been rolled up into a single Suite of tools. | https://docs.microsoft.com/en-us/sysinternals/downloads/sysinternals-suite |
| Sysinternals Utilities | Sysinternals Utilities Index | https://docs.microsoft.com/en-us/sysinternals/downloads |
| Volatility | An advanced memory forensics framework | https://github.com/volatilityfoundation/volatility |
## Android

Skip the 24-byte `ANDROID BACKUP` text header of an unencrypted `.ab` backup, prepend a gzip header and unpack the compressed tar body:

```sh
$ ( printf "\x1f\x8b\x08\x00\x00\x00\x00\x00" ; tail -c +25 <FILE>.ab ) | tar xfvz -
```

## bc

Convert a binary string to hex with `bc`, then turn the hex into raw bytes:

```sh
$ echo "obase=16; ibase=2; 00000000010...00000000000000" | bc | xxd -p -r
```

## binwalk

```sh
$ binwalk <FILE>
$ binwalk -e <FILE>    # extract embedded files
```

## capa

```bat
C:\> capa <FILE> -vv
```

## cabextract

```sh
$ cabextract <FILE>
```

## dd

Image a remote partition over SSH into a local file:

```sh
$ ssh root@<RHOST> "dd if=/dev/sda1 status=progress" | dd of=sda1.dmp
```

## emlAnalyzer

```sh
$ emlAnalyzer -i <FILE>.eml --header --html -u --text --extract-all
```

## exiftool

```sh
$ exiftool -AllDates='YYYY:MM:DD HH:MM:SS' <FILE>.ext    # set all date tags
$ exiftool -b -ThumbnailImage picture.ext > <FILE>.jpg    # extract the embedded thumbnail
$ exiftool -p '$Filename $ImageSize' <FILE>.jpg
$ exiftool -all= <FILE>.JPG                                # strip all metadata
$ exiftool -SerialNumber <FILE>.ext
$ exiftool -P -'Filename<DateTimeOriginal' -d %Y%m%d_%Hh%Mm%Ss_Handy.%%e folder/*    # rename by original timestamp
$ exiftool -q -r -t -f -S -n -csv -fileName -GPSPosition -Model -FocalLength -ExposureTime -FNumber -ISO -BrightnessValue -LensID "." > <FILE>.csv
$ exiftool *.pdf | grep Creator | awk '{print $3}' | sort -u > users.txt    # collect document authors
```

## file

```sh
$ file <FILE>
```

## FOREMOST

```sh
$ foremost -i <FILE>
```

## git-dumper

```sh
$ ./git-dumper.py http://<DOMAIN>/<repo>
```

## Git

```sh
$ git log --pretty=oneline
$ git log -p
```

## HEX

```sh
$ hexdump -C <FILE> | less
```

Convert a file that holds a string of `0`/`1` characters into its hexadecimal form:

```python
#!/usr/bin/env python3
# Read the binary string, parse it as base 2 and write the hex form to a second file.
with open('blueshadow.txt', 'r') as infile:
    val = int(infile.read().strip(), 2)
with open('blueshadowhex', 'w') as hexfile:
    hexfile.write(hex(val))
```

## inetsim

```sh
$ cat /etc/inetsim/inetsim.conf | grep dns_default_ip
# dns_default_ip
# Syntax: dns_default_ip
dns_default_ip <LHOST>
$ sudo inetsim
```

## iOS

```sh
$ sudo apt-get install libplist-utils
$ plistutil -i challenge.plist -o challenge.plist.xml
```

## Jamovi

```sh
$ unzip <FILE>.omv
```

## lnkparse

```sh
$ lnkparse <FILE>
```

## ltrace

```sh
$ ltrace <BINARY>
```

## memdump

Dump every writable (`rw-p`) mapping of a running process into one file per region; `$1` is the PID, and reading `/proc/<PID>/mem` normally requires root:

```bash
#!/bin/bash
# Usage: ./memdump.sh <PID>
cat /proc/$1/maps | grep "rw-p" | awk '{print $1}' | ( IFS="-"
while read a b; do
    dd if=/proc/$1/mem bs=$( getconf PAGESIZE ) iflag=skip_bytes,count_bytes \
        skip=$(( 0x$a )) count=$(( 0x$b - 0x$a )) of="$1_mem_$a.bin"
done )
```

## MemProcFS

```sh
$ sudo ./memprocfs -device /PATH/TO/FILE/<FILE>.DMP -mount /mnt/ -forensic 1
```

## Microsoft Windows

User registry hives inside the profile directory:

```
<USER_PROFILE>\NTUSER.DAT
<USER_PROFILE>\AppData\Local\Microsoft\Windows\UsrClass.dat
```

Tools:

- Sleuth Kit
- FTK Imager
- EnCase Forensic
- X1 Social Discovery
## Monitor Filesystem Changes

Mount the volume (read-only, `-o ro`, when it is evidence) and record a baseline of file hashes:

```sh
$ mount /dev/sda1 /mnt
$ find /mnt -type f -exec sha256sum {} \; > full_filesystem_hashes.txt
```

or

```sh
$ sha256deep -r /mnt > filesystem_hashes.txt
```

Later, hash again and compare against the baseline (`diff` compares line by line, so both listings must be in the same order):

```bash
#!/bin/bash
find /mnt -type f -exec sha256sum {} \; > current_hashes.txt
diff full_filesystem_hashes.txt current_hashes.txt > changes_detected.txt
```

On Windows:

```powershell
PS C:\> Get-ChildItem C:\ -Recurse -File | Get-FileHash -Algorithm SHA256 | Export-Csv -Path C:\filesystem_hashes.csv
PS C:\> certutil -hashfile C:\path\to\file SHA256
```

## msiinfo

```sh
$ msiinfo <FILE>
```

## oletools

```sh
$ sudo -H pip install -U oletools[full]
$ oledump <FILE>                         # first analysis
$ oledump <FILE> -s 4                    # analysing data stream 4
$ oledump <FILE> -s 4 --vbadecompress    # decompress macros
$ olevba <FILE>
$ mraptor <FILE>
$ msodde -l debug <FILE>
$ pyxswf <FILE>
$ oleobj -l debug <FILE>
$ rtfobj -l debug <FILE>
$ olebrowse <FILE>
$ olemeta <FILE>
$ oletimes <FILE>
$ oledir <FILE>
$ olemap <FILE>
```

## pngcheck

```sh
$ pngcheck -vtp7f <FILE>
```

## scdbg

```powershell
PS C:\> .\scdbg.exe -findsc /f \PATH\TO\FILE\<FILE>.sc
```

## steg_brute

```sh
$ python steg_brute.py -b -d /usr/share/wordlists/rockyou.txt -f <FILE>.wav
```

## Steghide

```sh
$ steghide info <FILE>
$ steghide info <FILE> -p <PASSWORD>
$ steghide extract -sf <FILE>
$ steghide extract -sf <FILE> -p <PASSWORD>
```

## strings

```sh
$ strings <FILE>.mem > <FILE>.strings.ascii.txt
$ strings -e l <FILE>.mem > <FILE>.strings.unicode_little_endian.txt
$ strings -e b <FILE>.mem > <FILE>.strings.unicode_big_endian.txt
```

## Sysinternals

https://docs.microsoft.com/en-us/sysinternals/downloads/sysinternals-suite

```powershell
PS C:\> Download-SysInternalsTools C:\SysinternalsSuite
```

## usbrip

```sh
$ sudo usbrip events violations <FILE>.json -f syslog
```

## Volatility

https://volatility3.readthedocs.io/en/stable/volatility3.plugins.html

```sh
# Volatility 2
$ volatility -f <FILE> imageinfo
$ volatility -f <FILE> filescan
$ volatility -f <FILE> psscan
$ volatility -f <FILE> dumpfiles
# Volatility 3: <OS> is the plugin family, e.g. windows
$ volatility -f <FILE> <OS>.info
$ volatility -f <FILE> <OS>.pslist
$ volatility -f <FILE> <OS>.psscan
$ volatility -f <FILE> <OS>.dumpfiles
$ volatility -f <FILE> <OS>.dumpfiles --pid <ID>
$ volatility -f <FILE> windows.pstree.PsTree
$ volatility -f <FILE> windows.pslist.PsList
$ volatility -f <FILE> windows.cmdline.CmdLine
$ volatility -f <FILE> windows.filescan.FileScan
$ volatility -f <FILE> windows.dlllist.DllList
$ volatility -f <FILE> windows.malfind.Malfind
$ volatility -f <FILE> windows.psscan.PsScan
```

Volatility 2 with an explicit profile:

```sh
$ volatility -f <FILE> --profile=Win7SP1x86 filescan
$ volatility -f <FILE> --profile=Win7SP1x64 filescan | grep <NAME>
$ volatility -f <FILE> --profile=Win7SP1x86 truecryptsummary
$ volatility -f <FILE> --profile=Win7SP1x64 psscan --output=dot --output-file=memdump.dot
$ volatility -f <FILE> --profile=Win7SP1x64 dumpfiles -Q 0x000000001e8feb70 -D .
$ volatility -f <FILE> --profile=Win7SP1x86 dumpfiles -Q 0x000000000bbc7166 --name file -D . -vvv
```

Run the common Volatility 3 plugins in one go and save each output to its own file:

```sh
$ for plugin in windows.malfind.Malfind windows.psscan.PsScan windows.pstree.PsTree windows.pslist.PsList windows.cmdline.CmdLine windows.filescan.FileScan windows.dlllist.DllList; do volatility -q -f <FILE> $plugin > <FILE>.$plugin.txt; done
```

## xxd

```sh
$ xxd <FILE>
$ cat <FILE> | xxd -p                 # plain hex dump
$ printf <VALUE> | xxd -p
$ cat <FILE> | xxd -p -r              # hex back to binary
$ curl http://<RHOST>/file | xxd -r -p
$ xxd -p -c 10000 <FILE>
$ xxd -r -p <FILE>.txt <FILE>.gpg     # gpg is just an example
$ echo -n '!AD*G-KaPdSgVkY' | xxd -pu
$ xxd -p <FILE> | sed 's/../\\x&/g'   # hex as \x-escaped string
\x23\x21\x2f\x62\x69\x6e\x2f\x70\x79\x74\x68\x6f\x6e\x33\x0a\x69\x6d\x70\x6f\x72\x74\x20\x72\x65\x71\x75\x65\x73\x74\x73
$ xxd -r -ps <HEX_FILE> <FILE>.bin
```

## zsteg

```sh
$ zsteg -a <FILE>    # runs all the methods on the given file
$ zsteg -E <FILE>    # extracts data from the given payload (example: zsteg -E b4,bgr,msb,xy name.png)
```