Skip to main content

Study Forensics

By 
Timeline Analysis OLD

Log 2 Timeline CheatSheet

Registry Hive Microsoft  Registry Hive Explanation
Ram Slack - File Slack One More

NTFS File Structure


1) Forensics Basics - Breach Detection (Useful)

2) Linux Inode

3) Fat and Fat Directory Entries 

4) Fat12
Offset and Advances Stuff
RSA is a protocol which is used for signing or encryption. On the other hand,
Diffie-Hellman is a protocol which is used for exchange of key. Also, the RSA 
will expect that you have all the key materials with you beforehand, which is 
not the case with Diffie-Hellman.
NTFS divides all useful place into clusters - data blocks used at a time. 
NTFS supports almost all sizes of clusters - from 512 bytes up to 64 KBytes. 
The 4 KBytes cluster is considered to be some standard. 
Modify is the time-stamp of the last time the file's content has been modified.
This is called "mtime".



"Change" is the time-stamp of the last time the file's inode has been changed, like by changing 
permissions, ownership, file name, number of hard links. It's often called "ctime".





How would you be able to tell at the hex level that a file has been deleted in FAT12?



Run fsstat against the FAT partition to gather details. Run fls to get information about the image files. This will return information about deleted files and the metatdata information.
Labels:

Comments

Post a Comment

Popular posts from this blog

SQL DB & SQL Injection Pentest Cheat Sheet

By
1) MSSQL Injection Cheat Sheet | pentestmonkey 2) xp_cmdshell | Red Team tales 3) PentesterMonkey SQL Injection Cheatsheet Use dbeaver for GUI Access 4) SQL Injection Explanation | Graceful Security Common Ports Microsoft SQL: 1433/TCP (default listener) 1434/UDP (browser service) 4022/TCP (service broker) 5022/TCP (AlwaysOn High Availability default) 135/TCP (Transaction SQL Debugger) 2383/TCP (Analysis Services) 2382/TCP (SQL Server Browser Service) 500,4500/UDP (IPSec) 137-138/UDP (NetBios / CIFS) 139/TCP (NetBios CIFS) 445/TCP (CIFS) Oracle SQL: 1521/TCP 1630/TCP 3938/HTTP MongoDB : 27017,27018,27019/TCP PostgreSQL: 8432/TCP MySQL: 3306/TCP SQL DB Enum with nmap: nmap -p 1433 —script ms-sql-info —script-args mssql.instance-port=1433 IP_ADDRESS nmap -Pn -n -sS —script=ms-sql-xp-cmdshell.nse IP_ADDRESS -p1433 —script-args mssql.username=sa,mssql.password=password,ms-sql-xp-cmdshell.cmd="net user bhanu bhanu123 /add" nmap -Pn -n -sS —script=ms-sql-xp-cmds...
Post a Comment
Read more

Windows Priv Escallation

By
1.     Windows Privilege Escalation Commands  _ new 2.     Transferring Files to Windows 3.    Priv Esc Commands 4.    Priv Esc Guide  5.    Payload All the Things --> great Coverage 6.    WinRM -- Windows Priv Esc    7. Newb Guide - Windows Pentest    8. Kerberos Attacks Explained     9. How to Attack Kerberos 101    Use PowerSploit/PrivEsc/Powerup.ps1 to find some potential info check for Non-windows processes in windows using netstat Step 1: Check net user and admin and user rights Step 2: Check if we have access of powershell if yes then run powerup.ps1,sherlock.ps1 and JAWS.ps1. Step 3: Try to get Meterpreter. Step 4: Load mimikatz ,try bypass UAC , check SAM SYSTEM etc. Step 5: check for weird programs and registry. Step 6: If the box is Domain Controller - Enum - Enum SMB Users/Ldap Users/ Blood Hound - GUI AD En...
Post a Comment
Read more

Using Conda to Create Environments

By
  Installing anaconda wget https://repo.anaconda.com/archive/Anaconda3-2024.10-1-Linux-x86_64.sh Enter q yes yes source ~./bashrc #Create an env conda create -n EnvName python=3.12 #enter the env conda activate EnvName #Install the required packages now Create your directory and open visual studio code - if you are using `wsl` - make sure to install the wsl plugin and login - select the new `EnvName` at the bottom right corner in VS Code
Post a Comment
Read more