Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/cookiengineer/forensics-tools
:hammer: My personal forensics tools :wrench:
Last synced: 14 days ago
- Host: GitHub
- URL: https://github.com/cookiengineer/forensics-tools
- Owner: cookiengineer
- Created: 2023-09-25T04:21:29.000Z (about 1 year ago)
- Default Branch: master
- Last Pushed: 2024-10-16T18:29:26.000Z (27 days ago)
- Last Synced: 2024-10-18T16:51:17.730Z (25 days ago)
- Language: Go
- Size: 1.18 MB
- Stars: 2
- Watchers: 2
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
README
# Forensics Tools
This is my mono repository containing some of my personal forensics tools that I need
from time to time when I am investigating an incident. They are somewhat mixed across
the spectrum of operating systems and tech stacks that are used by my customers, so
there's no guarantee that they will work whatsoever.

# Building
Install `go`, `gzip` and `wget` as dependencies. Then execute the `build.sh` file.
```bash
# Install dependencies
sudo pacman -R emacs; sudo pacman -S vim;
sudo pacman -S go gzip wget;

# Build all tools into ./build folder
bash build.sh;
```

## CRX Tools
The [CRX Tools](./crx) are useful to extract packed chrome extensions in a `.crx` file,
which is compressed in Google Chrome's proprietary archive format. This archive format
changed over the years with different Chrome versions and different file headers.

```bash
export EXTENSION_ID="cjpalhdlnbpafiamejdnhcphjbkeiagm";
export EXTENSION_NAME="ublock-origin";

wget -O "$EXTENSION_NAME.crx" "https://clients2.google.com/service/update2/crx?response=redirect&acceptformat=crx2,crx3&prodversion=100&x=id%3D$EXTENSION_ID%26uc";
uncrx "$EXTENSION_NAME.crx"; # creates the $EXTENSION_NAME.zip file in the same folder
unzip "$EXTENSION_NAME.zip" -d "./$EXTENSION_NAME"; # unpack the extension, so that it can be loaded in Developer Mode
```

## SQL Tools
The [SQL Tools](./sqltools) are useful for working with extremely large SQL file dumps
that are too large to open at once.

```bash
sql-tables large-dump.sql; # list of table names
sql-extract large-dump.sql table-name; # extracts a specific table and its data
```

## Torrent Tools
The [Torrent Tools](./torrent) allow inspecting and modifying `magnet:` URLs,
and embedding a list of default trackers and web URLs.

```bash
magnetify magnet:?...link; # embed default trackers if they're missing
```

## TOTP Tools
The [TOTP Tools](./totp) allow exporting encoded `otp-migration://` 2FA seeds.
They accept a screenshot or camera photo as input and produce a JSON
file and ready-to-scan QR code PNG files as output. This allows exporting, for example, a list of multiple 2FA seeds from Google Authenticator
into another password manager.

```bash
totp-extract ./path/to/camera-photo-of-qrcode.jpg;
```

## ZIP Tools
The [ZIP Tools](./zip) allow manipulating ZIP files extracted from XOR-masked byte streams,
as seen, for example, where a cheap piece of malware used an XOR mask and a brute-forceable password
to hide its tracks.

```bash
zip-bruteforce ./path/to/dictionary.txt ./path/to/file.zip; # brute-forces the password using the given dictionary, e.g. rockyou.txt
zip-unmask ./path/to/xor-masked-file.zip.crypt; # generates original ZIP file candidates
```

## MEMDUMP Tools
The [MEMDUMP Tools](./memdump) allow searching a Windows memory DMP file for passwords
and other shenanigans, so they are pretty useful when combined with MimiKatz and others.

```bash
memdump-find-keepassword ./path/to/memory-dump.dmp; # shows potential passwords
```

## License
GPL3