-
Show system files which were changed after installation. dpkg --verify Check various security related issues: checksecurity Tools
-
Memory analysis software to see physical memory as files in a virtual file system. GitHub — ufrisk/MemProcFS: MemProcFS
-
Forensic tools
-
Dissect is a forensic tool for file system images,
-
Get hidden content from password fields Scenario: Use JavaScript for extraction. Copy and paste the following into the web browser’s console: Extract keystrokes live from a Browser Scenario: Do: Extract Cookies Scenario: Inject/Do: Extract local / session storage Like above: Stealing site passwords Scenario: Then, inject JS which adds an invisible user/username/name text field and…
-
See also MemProcFS The forensic memory framework Volatility (Version 3 since 2019) offers a wide range of methods to analyse memory. See the blog post Retrieving memory for methods and techniques to obtain memory. Start by getting general information about a memory dump: volatility -f image.mem imageinfo Now use the following commands to get more information:…
-
Addresses within the memory are referenced with @ General Starting with directly analysing all referenced code. r2 -A $file ... e emu.str = true Starting with enabled debugger (only when I want to execute the program) r2 -AA -e dbg.follow.child=true -e dbg.forks=true -d $file ... e emu.str = true Fork parameter: If the process forks, the debugger halts Type…
-
General tools Imaging tools dd, of course. Note that it makes sense to set the proper block size (sometimes 4k, but most hard drives use 512), so that, when an error occurs, the exact sector is shown, which can afterwards be skipped. dd if=/dev/sda of=/external/file.md5 bs=512 ewfacquire sudo ewfacquire /dev/sda Advantages: aff4 advanced forensic…
-
Afterwards: See Analyzing memory Linux process memory dump Find out which memory segments are used by an application via its PID: cat /proc/<pid>/maps Dump the used memory from an application: (credit) #!/bin/bash grep rw-p /proc/$1/maps \ | sed -n 's/^\([0-9a-f]*\)-\([0-9a-f]*\) .*$/\1 \2/p' \ | while read start stop; do \ gdb --batch --pid $1 -ex \…
-
Like OSXcollector, but for Windows. Collects information on a host for later analysis. https://www.fireeye.com/services/freeware/redline.html
-
osxcollector http://yelp.github.io/osxcollector/ Stand-alone Python script. Execute it on a Mac which should be analysed. It creates an archive with “everything” interesting, which the victim can hand over to an expert. See redline for Windows