{"id":17998083,"url":"https://github.com/cookiengineer/forensics-tools","last_synced_at":"2025-03-26T04:31:38.926Z","repository":{"id":196461840,"uuid":"696093661","full_name":"cookiengineer/forensics-tools","owner":"cookiengineer","description":":hammer: My personal forensics tools :wrench:","archived":false,"fork":false,"pushed_at":"2025-03-19T19:19:50.000Z","size":1243,"stargazers_count":5,"open_issues_count":0,"forks_count":1,"subscribers_count":2,"default_branch":"master","last_synced_at":"2025-03-19T20:29:13.295Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Go","has_issues":false,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/cookiengineer.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":".github/FUNDING.yml","license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null},"funding":{"github":"cookiengineer"}},"created_at":"2023-09-25T04:21:29.000Z","updated_at":"2025-03-19T19:19:54.000Z","dependencies_parsed_at":null,"dependency_job_id":"fa1fa11b-75d2-4436-bbe9-8df08763e06e","html_url":"https://github.com/cookiengineer/forensics-tools","commit_stats":null,"previous_names":["cookiengineer/forensics-tools"],"tags_count":1,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cookiengineer%2Fforensics-tools","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cookiengineer%2Fforensics-tools/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cookiengineer%2Fforensics-tools/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cookiengineer%2Fforensics-tools/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/cookiengineer","download_url":"https://codeload.github.com/cookiengineer/forensics-tools/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":245589265,"owners_count":20640254,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-10-29T21:23:54.960Z","updated_at":"2025-03-26T04:31:38.906Z","avatar_url":"https://github.com/cookiengineer.png","language":"Go","funding_links":["https://github.com/sponsors/cookiengineer"],"categories":[],"sub_categories":[],"readme":"\n# Forensics Tools\n\n\u003cimg align=\"right\" width=\"128\" height=\"128\" src=\"https://raw.githubusercontent.com/cookiengineer/forensics-tools/master/assets/forensics-tools.jpg\"\u003e\n\nThis is my mono repository containing some of my personal forensics tools that I need\nfrom time to time when I am investigating an incident. They are somewhat mixed across\nthe spectrum of operating systems and tech stacks that are used by my customers, so\nthere's no guarantee that they will work whatsoever.\n\n\n# Building\n\nInstall `go`, `gzip` and `wget` as dependencies. Then execute the `build.sh` file.\n\n```bash\n# Install dependencies\nsudo pacman -R emacs; sudo pacman -S vim;\nsudo pacman -S go gzip wget;\n\n# Build all tools into ./build folder\nbash build.sh;\n```\n\n\n## CRX Tools\n\nThe [CRX Tools](./crx) are useful to extract packed chrome extensions in a `.crx` file,\nwhich is compressed in Google Chrome's proprietary archive format. This archive format\nchanged over the years with different Chrome versions and different file headers.\n\n```bash\nexport EXTENSION_ID=\"cjpalhdlnbpafiamejdnhcphjbkeiagm\";\nexport EXTENSION_NAME=\"ublock-origin\";\n\nwget -O \"$EXTENSION_NAME.crx\" \"https://clients2.google.com/service/update2/crx?response=redirect\u0026acceptformat=crx2,crx3\u0026prodversion=100\u0026x=id%3D$EXTENSION_ID%26uc\";\n\nuncrx \"$EXTENSION_NAME.crx\":                        # creates the $EXTENSION_NAME.zip file in the same folder\nunzip \"$EXTENSION_NAME.zip\" -d \"./$EXTENSION_NAME\"; # unpack the extension, so that it can be loaded in Developer Mode\n```\n\n## DynDNS Tools\n\nThe [DynDNS Tools](./dyndns) are useful for creating an IPv4/IPv6 tunnel through a DynDNS\ndomain. Currently it only support goip as a backend API.\n\n```bash\n# update IPv6 entry\ngoip-updater --username=john_doe --password=password123 --subdomain=whatever;\n```\n\n## SQL Tools\n\nThe [SQL Tools](./sqltools) are useful for working with extremely large SQL file dumps\nthat are too huge to be opened at once.\n\n```bash\nsql-tables large-dump.sql;             # list of table names\nsql-extract large-dump.sql table-name; # extracts a specific table and its data\n```\n\n## Torrent Tools\n\nThe [Torrent Tools](./torrent) allow to inspect and modify `magnet:` URLs,\nand to embed a list of default trackers and web URLs.\n\n```bash\nmagnetify magnet:?...link; # embed default trackers if they're missing\n```\n\n## TOTP Tools\n\nThe [TOTP Tools](./totp) allow to export encoded `otp-migration://` 2FA seeds.\nIt is able to use a screenshot or camera photo as input, and produces a JSON\nfile and a ready-to-scan QR-Code PNG files as output.\n\nThis allows to export, for example, a list of multiple 2FA seeds from Google Authenticator\ninto another password manager.\n\n```bash\ntotp-extract ./path/to/camera-photo-of-qrcode.jpg;\n```\n\n## ZIP Tools\n\nThe [ZIP Tools](./zip) allow to manipulate ZIP files from XOR masked byte streams,\nwhere e.g. a cheap malware was using an XOR mask and a bruteforceable password\nto hide its tracks.\n\n```bash\nzip-bruteforce ./path/to/dictionary.txt ./path/to/file.zip; # bruteforces passwords via rockyou.txt\nzip-unmask ./path/to/xor-masked-file.zip.crypt;             # generates original ZIP file candidates\n```\n\n## MEMDUMP Tools\n\nThe [MEMDUMP Tools](./memdump) allow to search a Windows memory DMP file for passwords\nand other shenanigans, so it's pretty useful when combined with MimiKatz and others.\n\n```bash\nmemdump-find-keepassword ./path/to/memory-dump.dmp; # shows potential passwords\n```\n\n\n## License\n\nGPL3\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcookiengineer%2Fforensics-tools","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcookiengineer%2Fforensics-tools","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcookiengineer%2Fforensics-tools/lists"}