From 95442b3f105b37548914be66b045cd907ce02f7e Mon Sep 17 00:00:00 2001 From: bt3 Date: Thu, 26 Nov 2015 20:06:00 -0800 Subject: [PATCH] will finish later --- .DS_Store | Bin 10244 -> 0 bytes Forensics/README.md | 58 +++++++++++++++++++++++++++--- Forensics/osx_memory_forensics.md | 3 ++ README.md | 9 ++++- 4 files changed, 64 insertions(+), 6 deletions(-) delete mode 100644 .DS_Store create mode 100644 Forensics/osx_memory_forensics.md diff --git a/.DS_Store b/.DS_Store deleted file mode 100644 index 9015b078ae3b9fe089dab6d037fb620429fdf617..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 10244 zcmeHM&2Jk;6o2D}#*Xu``DhEIh%LDkH9}6CR5^j;B$NnBtT@VtlGg0n6K9ppuDiQV zYN7}q5#mnIl&^n)I~2Gf&T!&DPn@`bxP{-$t{s20Q3X+u!FCI#-Jz{26a$I@#eiZ!F`yVY z4Gh3%ixf|WQss&P#eia8N!K$aAMKOEIOeuIXZBJpBjg?0=DuGxZK?g2S+*@dNTq&Zu`^xIo$Zb%dXhcK zWKtXKxs}^?_j7>}RQ!zLZOC6%k(*IDYXsZ%^0MpNjj~~`SbRUPjm)}EU|0_KnxLDj zmQ!^1Gj7Ex`kT41zg4RkZ0EIeSlnl&80V)>S7*;Y`EC*p}j0<8xJ6IaLe$-{B| z;CgC$T%Ve{et4*T9FLE_IyG~1y?pr5r}sbm{EIKY`sRWBYGRS$q2cg%BmWMiUYaG3 zs#FGxE|pL=P~N6$co)*(@<-@iK9Wh|2Z37#!#?GKaHt5mijqe+kndtXqT7^u4{WKe zhXl|r^f}NzSybpi{M?4`g^K0SP49rr zS(>MJDM$0IlO4O=MtmQ%Elg8|?qZtX!UPv+N7j_ukPq9C19TG;yelWV3hX?3D3guf z*71c~eTm2od#`Dcodwz@6S_9>){#go$Y$Lke2KWk+m~bQG%d?%O3_t%jV5TKwGX)@ z@1dXmXyH6jA8Jv7u_t26D(poDmi=Bgu)k_rlZox^>mSethlWSaoxkw>3onjdd}-)q zJ+BR$Mq#Jq3FA2H+OC(eD?G0a_%Or^1=oq}<66M)2080}G!3-@mU!{@an*9Q44skV z3fbumk8@|EH^-Vc?z;_p%Ef*sS3%yttYW@oM ze8>*`+PdL+hEw91>Mh$axxMIQ+#qmw*DQR6cyl>Gu51)6r!@A)A0QSfF_soy3#n11 z9T&&KCNy>w;u>pIE<3Kn(Ni|m8cV+&smJLG&0x=O(jBVNCv=~_rf=yd`i=giBi6^x zvsc&^HqNHl>nzO{*b>`dMaEf)m05-Du@Az2Vs)o-ss0+FWFJEI!%PQoA{^$u&0cgE zZ(-!c9@L^ecp_HqJusD|taO@rIAFM0FfD9zyCoJjT<{u;czq12iP697d-U`NK^G7N zA@rG)QP4zc5&_ZlwQC529(IO7555NrNRJJJen4Y_mf)LaXbv7{9=>9iimkpPCOliS zztLpqatA)qk|h!HIKrm^9l*;4t$5+v7y=ZL#M>YkTLNMaj|U8wz7ex1=aS3XN6f15 zdM&*q(Mts$(v*li-oGMzbL-d)p;rs45Bom=q9jAN6T&`*-PwY?NGlk@#+QosHX`3F ze7S|1=3wwdPcI@2dF~yE*!b7|Hm%?Pa}d7@_D!sz9Ap7Ak`Trjp CC{a8B 
diff --git a/Forensics/README.md b/Forensics/README.md index c6a9a24..27cc7bf 100644 --- a/Forensics/README.md +++ b/Forensics/README.md @@ -2,6 +2,52 @@ ## Disk Forensics +### Basic useful CLI tools: + +#### ps +Show the processes for all users (a), displaying the process's user/ownser (u), and the processes that are not attached to a terminal (x): + +```shell +$ ps aux +``` + +Display the full listing of all processes (useful for finding underisable processes): + +```shell +$ ps ef +``` + +#### lsof + +Display a specific pricess in more details, by displaying the files and ports associated with that process. +```shell +$ lsof -p +``` + +Display processes running form or acessing files that have been unlinked: + +```shell +$ lsof +L1 +``` + +#### find + +```shell +$ find / -uid 0 +``` + +### arp + +Display all MAC to IP address mapping of the system (useful for finding addresses of systems that are not part of the network. + +```shell +$ arp -a +``` + + +Others: uptime, free, df. + + ### dd ### strings @@ -11,6 +57,8 @@ $ strings /tmp/mem.dump | grep BOOT_ $ BOOT_IMAGE=/vmlinuz-3.5.0-23-generic ``` + + ### scalpel ### TrID @@ -21,8 +69,6 @@ $ BOOT_IMAGE=/vmlinuz-3.5.0-23-generic ### ExifTool -### Hex editors - ### dff ### CAINE @@ -40,11 +86,13 @@ $ BOOT_IMAGE=/vmlinuz-3.5.0-23-generic ### Volatility: Analysing Dumps -* [I have a lot of material on Volatility and Memory Forensics here](volatility.md) -* I highly reccomend their training. +* [Lots of material on Volatility and Memory Forensics here](volatility.md) +* [On OSX Memory Forensics](osx_memory_forensics.md) +* I highly recommend their training. + --------------- -### Scripts +## Scripts #### PDFs Tools to test a PDF file: diff --git a/Forensics/osx_memory_forensics.md b/Forensics/osx_memory_forensics.md new file mode 100644 index 0000000..80da547 --- /dev/null +++ b/Forensics/osx_memory_forensics.md @@ -0,0 +1,3 @@ +# OSX Forensics + +(tbw) diff --git a/README.md b/README.md index 737bb80..355bfda 100644 
--- a/README.md +++ b/README.md @@ -1,4 +1,4 @@ -# My-Gray-Hacker-Resources +# Gray Hacker Resources All in one big bag. Educational purposes. @@ -78,6 +78,13 @@ telnet localhost 3000 ### Books I Recommend #### Technical +- [Bulletproof SSL and TLS](http://www.amazon.com/gp/product/1907117040?psc=1&redirect=true&ref_=oh_aui_detailpage_o06_s00) +- [Reversing: Secrets of Reverse Engineering](http://www.amazon.com/Reversing-Secrets-Engineering-Eldad-Eilam/dp/0764574817) +- [The Art of Memory Forensics](http://www.amazon.com/gp/product/1118825098?psc=1&redirect=true&ref_=oh_aui_search_detailpage) +- [The C Programming Language](http://www.amazon.com/gp/product/0131103628?psc=1&redirect=true&ref_=oh_aui_search_detailpage) +- [The Unix Programming Environment](http://www.amazon.com/gp/product/013937681X?psc=1&redirect=true&ref_=oh_aui_search_detailpage) +- [UNIX Network Programming](http://www.amazon.com/gp/product/0139498761?psc=1&redirect=true&ref_=oh_aui_search_detailpage) +- [Threat Modeling: Designing for Security](http://www.amazon.com/Threat-Modeling-Designing-Adam-Shostack/dp/1118809998) - [The Tangled Web](http://www.amazon.com/The-Tangled-Web-Securing-Applications/dp/1593273886) - [The Art of Exploitation](http://www.amazon.com/Hacking-The-Art-Exploitation-Edition/dp/1593271441) - [The Art of Software Security Assessment](http://www.amazon.com/The-Software-Security-Assessment-Vulnerabilities/dp/0321444426)
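Review bot: the subject line "will finish later" does not describe what the patch does; with four files touched (CLI tools section, OSX memory forensics stub, book links, .DS_Store removal) a descriptive subject such as "Add basic CLI forensics tools, OSX memory forensics stub and more book links" would make the history usable.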
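Review bot: deleting the tracked `.DS_Store` is the right call, but nothing in this patch stops it from being committed again on the next macOS checkout; add a `.DS_Store` line to `.gitignore` in the same change so the binary blob does not come back.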
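Review bot: in the Forensics/README.md hunk `@@ -2,6 +2,52 @@`, the `$ ps ef` example almost certainly means `$ ps -ef`; without the dash, BSD-style `e` and `f` select "show environment" and "ASCII-art forest", not the full listing the sentence describes. The `$ lsof -p` line is missing its PID argument (write it as `$ lsof -p <PID>`), the `$ find / -uid 0` block has no explanatory sentence (it lists files owned by uid 0), the `### arp` heading should be `#### arp` to match `#### ps`, `#### lsof` and `#### find`, and the arp sentence has an unclosed parenthesis. Typos to fix: "ownser", "underisable", "pricess", "form or acessing"; the heading "Basic useful CLI tools:" should drop the trailing colon.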
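Review bot: the hunk `@@ -21,8 +69,6 @@` removes the `### Hex editors` heading without a replacement, and neither the commit message nor the surrounding text says why; if hex editors are meant to move to another section, say so, otherwise keep the heading.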
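Review bot: in the hunk `@@ -40,11 +86,13 @@`, the new `[On OSX Memory Forensics](osx_memory_forensics.md)` link points at a file that contains only `(tbw)`, so readers land on an empty page; either hold the link until the content exists or make the placeholder explicit ("to be written"). The same hunk promotes `### Scripts` to `## Scripts` while the neighbouring `### Volatility: Analysing Dumps` stays at level three, which changes the document outline; confirm that is intended.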
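Review bot: the new file Forensics/osx_memory_forensics.md is titled `# OSX Forensics` while the link text that references it says "OSX Memory Forensics"; align the heading with the link (e.g. `# OSX Memory Forensics`) so the scope is clear when the page is filled in.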
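Review bot: in the README.md hunk `@@ -78,6 +78,13 @@`, six of the seven added Amazon links carry session and tracking query strings (`?psc=1&redirect=true&ref_=oh_aui_...`); strip them to the canonical `/dp/<ISBN>` form, as the existing `The Tangled Web` and `Threat Modeling` entries already use, so the links stay stable and do not leak the author's browsing context.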