From cfa57cf8bfd50efb055c517fa3ce1e8225526f1d Mon Sep 17 00:00:00 2001 From: juliosuas Date: Thu, 19 Mar 2026 03:05:56 -0600 Subject: [PATCH] Add working example output to digital-forensics skills Adds realistic example output sections to 10 digital forensics skills. --- .../SKILL.md | 57 +++++++++++++ .../analyzing-linux-kernel-rootkits/SKILL.md | 70 ++++++++++++++++ .../SKILL.md | 71 ++++++++++++++++ .../SKILL.md | 43 ++++++++++ .../SKILL.md | 83 +++++++++++++++++++ .../SKILL.md | 48 +++++++++++ .../SKILL.md | 51 ++++++++++++ .../SKILL.md | 63 +++++++++++++- .../SKILL.md | 66 +++++++++++++++ .../SKILL.md | 73 ++++++++++++++++ 10 files changed, 622 insertions(+), 3 deletions(-) diff --git a/skills/analyzing-browser-forensics-with-hindsight/SKILL.md b/skills/analyzing-browser-forensics-with-hindsight/SKILL.md index e4d51d3a..2a2d133d 100644 --- a/skills/analyzing-browser-forensics-with-hindsight/SKILL.md +++ b/skills/analyzing-browser-forensics-with-hindsight/SKILL.md 
@@ -213,3 +213,60 @@ if __name__ == "__main__": - Chrome Forensics Guide: https://allenace.medium.com/hindsight-chrome-forensics-made-simple-425db99fa5ed - Browser Forensics Tools: https://www.cyberforensicacademy.com/blog/browser-forensics-tools-how-to-extract-user-activity - Chromium Source (History): https://source.chromium.org/chromium/chromium/src/+/main:components/history/ + +## Example Output + +```text +$ python hindsight.py -i /evidence/chrome-profile -o /analysis/hindsight_output + +Hindsight v2024.01 - Chrome/Chromium Browser Forensic Analysis +================================================================ + +Profile: /evidence/chrome-profile (Chrome 120.0.6099.130) +OS: Windows 10 + +[+] Parsing History database... + URL records: 12,456 + Download records: 234 + Search terms: 567 + +[+] Parsing Cookies database... + Cookie records: 8,923 + Encrypted cookies: 6,712 + +[+] Parsing Web Data (Autofill)... + Autofill entries: 1,234 + Credit card entries: 2 (encrypted) + +[+] Parsing Login Data... + Saved credentials: 45 (encrypted) + +[+] Parsing Bookmarks... + Bookmark entries: 189 + +--- Browsing History (Last 10 Entries) --- +Timestamp (UTC) | URL | Title | Visit Count +2024-01-15 14:32:05.123 | https://mail.corporate.com/inbox | Corporate Mail | 45 +2024-01-15 14:33:12.456 | https://drive.google.com/file/d/1aBcDe... 
| Q4_Financial_Report.xlsx | 1 +2024-01-15 14:35:44.789 | https://mega.nz/folder/xYz123 | MEGA - Secure Cloud | 3 +2024-01-15 14:36:01.234 | https://mega.nz/folder/xYz123#upload | MEGA - Upload | 8 +2024-01-15 14:42:15.567 | https://pastebin.com/raw/kL9mN2pQ | Pastebin (raw) | 1 +2024-01-15 15:01:33.890 | https://192.168.1.50:8443/admin | Admin Panel | 12 +2024-01-15 15:15:22.111 | https://transfer.sh/upload | transfer.sh | 2 +2024-01-15 15:30:45.222 | https://vpn-gateway.corporate.com | VPN Login | 5 +2024-01-15 16:00:00.333 | https://whatismyipaddress.com | What Is My IP | 1 +2024-01-15 16:05:12.444 | https://protonmail.com/inbox | ProtonMail | 3 + +--- Downloads (Suspicious) --- +Timestamp (UTC) | Filename | URL Source | Size +2024-01-15 14:33:15.000 | Q4_Financial_Report.xlsm | https://phish-domain.com/docs/report | 245 KB +2024-01-15 14:34:02.000 | update_client.exe | https://cdn.evil-updates.com/client.exe | 1.2 MB + +--- Cookies (Session Tokens) --- +Domain | Name | Expires | Secure | HttpOnly +.corporate.com | SESSION_ID | 2024-01-16 14:32 | Yes | Yes +.mega.nz | session | Session | Yes | Yes +.protonmail.com | AUTH-TOKEN | 2024-02-15 00:00 | Yes | Yes + +Report saved to: /analysis/hindsight_output/Hindsight_Report.xlsx +``` diff --git a/skills/analyzing-linux-kernel-rootkits/SKILL.md b/skills/analyzing-linux-kernel-rootkits/SKILL.md index 774f8be5..a2775fd0 100644 --- a/skills/analyzing-linux-kernel-rootkits/SKILL.md +++ b/skills/analyzing-linux-kernel-rootkits/SKILL.md 
@@ -40,3 +40,73 @@ Run rkhunter and chkrootkit to detect known rootkit signatures, suspicious files ## Expected Output JSON report containing detected syscall hooks, hidden kernel modules, modified IDT entries, suspicious /proc discrepancies, and rkhunter findings. + +## Example Output + +```text +$ sudo python3 rootkit_analyzer.py --memory /evidence/linux-mem.lime --profile Ubuntu2204 + +Linux Kernel Rootkit Analysis Report +===================================== +Memory Image: /evidence/linux-mem.lime +Kernel Version: 5.15.0-91-generic (Ubuntu 22.04 LTS) +Analysis Time: 2024-01-18 09:15:32 UTC + +[+] Scanning syscall table for hooks... + Syscall Table Base: 0xffffffff82200300 + Total syscalls checked: 449 + + HOOKED SYSCALLS DETECTED: + ┌─────────┬──────────────────┬──────────────────────┬──────────────────────┐ + │ NR │ Syscall │ Expected Address │ Current Address │ + ├─────────┼──────────────────┼──────────────────────┼──────────────────────┤ + │ 0 │ sys_read │ 0xffffffff8139a0e0 │ 0xffffffffc0a12000 │ + │ 2 │ sys_open │ 0xffffffff8139b340 │ 0xffffffffc0a12180 │ + │ 78 │ sys_getdents64 │ 0xffffffff813f5210 │ 0xffffffffc0a12300 │ + │ 62 │ sys_kill │ 0xffffffff8110c4a0 │ 0xffffffffc0a12480 │ + └─────────┴──────────────────┴──────────────────────┴──────────────────────┘ + WARNING: 4 syscall hooks detected - rootkit behavior confirmed + +[+] Checking for hidden kernel modules... + Loaded modules (lsmod): 147 + Modules in kobject list: 149 + HIDDEN MODULES: + - "netfilter_helper" at 0xffffffffc0a10000 (size: 12288) + - "kworker_sched" at 0xffffffffc0a14000 (size: 8192) + +[+] Scanning /proc for discrepancies... + Processes in task_struct list: 234 + Processes visible in /proc: 231 + HIDDEN PROCESSES: + - PID 31337 cmd: "[kworker/0:3]" (disguised as kernel thread) + - PID 31442 cmd: "rsyslogd" (fake, real rsyslogd is PID 892) + - PID 31500 cmd: "" (unnamed process) + +[+] Checking IDT entries... 
+ IDT entries scanned: 256 + Modified entries: 0 (clean) + +[+] Running rkhunter scan... + Checking for known rootkits: 68 variants checked + Diamorphine rootkit: WARNING - signatures match + System binary checks: + /usr/bin/ps: MODIFIED (SHA-256 mismatch) + /usr/bin/netstat: MODIFIED (SHA-256 mismatch) + /usr/bin/ls: MODIFIED (SHA-256 mismatch) + /usr/sbin/ss: OK + +[+] Network analysis... + Hidden connections (not in /proc/net/tcp): + ESTABLISHED 0.0.0.0:0 -> 198.51.100.47:4443 (PID 31337) + ESTABLISHED 0.0.0.0:0 -> 198.51.100.47:8080 (PID 31442) + +Summary: + Rootkit Type: Loadable Kernel Module (LKM) + Probable Family: Diamorphine variant + Syscall Hooks: 4 (read, open, getdents64, kill) + Hidden Modules: 2 + Hidden Processes: 3 + Hidden Connections: 2 (C2: 198.51.100.47) + Modified Binaries: 3 (/usr/bin/ps, netstat, ls) + Risk Level: CRITICAL +``` diff --git a/skills/analyzing-lnk-file-and-jump-list-artifacts/SKILL.md b/skills/analyzing-lnk-file-and-jump-list-artifacts/SKILL.md index e84a28c6..c122e625 100644 --- a/skills/analyzing-lnk-file-and-jump-list-artifacts/SKILL.md +++ b/skills/analyzing-lnk-file-and-jump-list-artifacts/SKILL.md 
@@ -189,3 +189,74 @@ Recent research (IEEE 2025) shows that Windows 11 produces different LNK and Jum - Magnet Forensics LNK Analysis: https://www.magnetforensics.com/blog/forensic-analysis-of-lnk-files/ - Jump Lists Forensics 2025: https://www.cybertriage.com/blog/jump-list-forensics-2025/ - Eric Zimmerman's LECmd/JLECmd: https://ericzimmerman.github.io/ + +## Example Output + +```text +$ LECmd.exe -d "C:\Evidence\Users\jsmith\AppData\Roaming\Microsoft\Windows\Recent" --csv /analysis/lnk_output + +LECmd v1.11.0 - LNK File Parser +================================ + +Processing 47 LNK files... + +--- LNK File: Q4_Report.xlsx.lnk --- + Source: C:\Evidence\Users\jsmith\Recent\Q4_Report.xlsx.lnk + Target Path: C:\Users\jsmith\Downloads\Q4_Report.xlsm + Target Created: 2024-01-15 14:33:45 UTC + Target Modified: 2024-01-15 14:33:45 UTC + Target Accessed: 2024-01-15 14:35:12 UTC + File Size: 251,904 bytes + Drive Type: Fixed (C:) + Volume Serial: A4E7-3F21 + Machine ID: DESKTOP-J5M1TH + MAC Address: 48:2A:E3:5C:9B:01 + +--- LNK File: update_client.exe.lnk --- + Source: C:\Evidence\Users\jsmith\Recent\update_client.exe.lnk + Target Path: C:\ProgramData\Updates\update_client.exe + Target Created: 2024-01-15 14:34:02 UTC + Target Modified: 2024-01-15 14:34:02 UTC + Target Accessed: 2024-01-15 14:36:30 UTC + File Size: 1,258,496 bytes + Drive Type: Fixed (C:) + Volume Serial: A4E7-3F21 + Machine ID: DESKTOP-J5M1TH + Working Dir: C:\ProgramData\Updates + Arguments: --silent --no-update-check + Run Window: Hidden + +====================================================================== + +$ JLECmd.exe -d "C:\Evidence\Users\jsmith\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations" --csv /analysis/jumplist_output + +JLECmd v1.5.0 - Jump List Parser +================================== + +Processing 23 AutomaticDestinations files... 
+ +--- Application: Microsoft Excel (AppID: 12dc1ea8e34b5a6) --- + Entries: 15 + Most Recent: + Entry 0: C:\Users\jsmith\Downloads\Q4_Report.xlsm (2024-01-15 14:35:12 UTC) + Entry 1: \\FILESERV01\Finance\Budget_2024.xlsx (2024-01-14 09:22:30 UTC) + Entry 2: C:\Users\jsmith\Documents\Expenses\Dec2023.xlsx (2024-01-10 16:45:00 UTC) + +--- Application: Windows Explorer (AppID: f01b4d95cf55d32a) --- + Entries: 28 + Most Recent: + Entry 0: C:\ProgramData\Updates\ (2024-01-15 14:36:25 UTC) + Entry 1: E:\Backup\ (2024-01-15 15:30:00 UTC) + Entry 2: \\FILESERV01\HR\Employees\ (2024-01-15 16:12:45 UTC) + +--- Application: cmd.exe (AppID: 9b9cdc69c1c24e2b) --- + Entries: 5 + Most Recent: + Entry 0: C:\Windows\System32\cmd.exe (2024-01-15 14:36:00 UTC) + +Summary: + Total LNK files processed: 47 + Total Jump List entries: 156 + Suspicious artifacts: 3 (hidden window execution, USB drive access, network shares) + CSV exported to: /analysis/lnk_output/ and /analysis/jumplist_output/ +``` diff --git a/skills/analyzing-mft-for-deleted-file-recovery/SKILL.md b/skills/analyzing-mft-for-deleted-file-recovery/SKILL.md index 40e60ac9..602cbcc9 100644 --- a/skills/analyzing-mft-for-deleted-file-recovery/SKILL.md +++ b/skills/analyzing-mft-for-deleted-file-recovery/SKILL.md 
@@ -186,3 +186,46 @@ vssadmin list shadows - MFT Slack Space Forensic Value: https://www.sygnia.co/blog/the-forensic-value-of-mft-slack-space/ - MFTECmd Documentation: https://ericzimmerman.github.io/ - SANS FOR500: Windows Forensic Analysis + +## Example Output + +```text +$ MFTECmd.exe -f "C:\Evidence\$MFT" --csv /analysis/mft_output + +MFTECmd v1.2.2 - MFT Parser +============================== +Input: C:\Evidence\$MFT (Size: 384 MB) +Total MFT Entries: 395,264 + +Parsing MFT entries... Done (12.4 seconds) + +--- Deleted File Recovery Summary --- +Total Entries: 395,264 +Active Files: 245,832 +Deleted Files: 149,432 + Recoverable: 87,234 (resident data or clusters not reallocated) + Partially Recoverable: 31,456 (some clusters overwritten) + Unrecoverable: 30,742 (all clusters reallocated) + +--- Recently Deleted Files (Incident Window: 2024-01-15 to 2024-01-18) --- +MFT Entry | Filename | Path | Size | Deleted (UTC) | Recoverable +----------|-----------------------------------|------------------------------------|-----------|-----------------------|------------ +148923 | exfil_tool.exe | C:\ProgramData\Updates\ | 1,258,496 | 2024-01-17 02:45:12 | YES +148924 | exfil_tool.log | C:\ProgramData\Updates\ | 45,312 | 2024-01-17 02:45:14 | YES +149001 | passwords.txt | C:\Users\jsmith\Desktop\ | 2,048 | 2024-01-17 02:50:33 | YES +149150 | scan_results.csv | C:\Users\jsmith\AppData\Local\Temp | 892,416 | 2024-01-17 03:00:01 | PARTIAL +149200 | mimikatz.exe | C:\Windows\Temp\ | 1,250,816 | 2024-01-18 01:15:22 | YES +149201 | sekurlsa.log | C:\Windows\Temp\ | 32,768 | 2024-01-18 01:15:25 | YES +149302 | .bash_history | C:\Users\jsmith\ | 4,096 | 2024-01-18 03:00:00 | NO +149400 | ClearEventLogs.ps1 | C:\Windows\Temp\ | 1,536 | 2024-01-18 03:01:12 | YES + +--- $STANDARD_INFORMATION vs $FILE_NAME Timestamp Analysis (Timestomping Detection) --- +MFT Entry | Filename | $SI Created | $FN Created | Delta | Verdict 
+----------|---------------------|----------------------|----------------------|-----------|---------- +148923 | exfil_tool.exe | 2023-06-15 10:00:00 | 2024-01-15 14:34:02 | -214 days | TIMESTOMPED +149200 | mimikatz.exe | 2022-01-01 00:00:00 | 2024-01-16 02:30:15 | -745 days | TIMESTOMPED + +Recovered files exported to: /analysis/mft_output/recovered/ +Full CSV report: /analysis/mft_output/mft_analysis.csv (395,264 rows) +Timeline CSV: /analysis/mft_output/mft_timeline.csv +``` diff --git a/skills/analyzing-outlook-pst-for-email-forensics/SKILL.md b/skills/analyzing-outlook-pst-for-email-forensics/SKILL.md index b217bcba..297892f1 100644 --- a/skills/analyzing-outlook-pst-for-email-forensics/SKILL.md +++ b/skills/analyzing-outlook-pst-for-email-forensics/SKILL.md @@ -239,3 +239,86 @@ Key headers for forensic investigation: - libpff Documentation: https://github.com/libyal/libpff - PST File Format Specification: https://docs.microsoft.com/en-us/openspecs/office_file_formats/ms-pst/ - SANS Email Forensics: https://www.sans.org/blog/email-forensics/ + +## Example Output + +```text +$ pffexport /evidence/jsmith_archive.pst -t /analysis/pst_output + +pffexport 20231205 - libpff PST/OST Export Tool +================================================= +Input: /evidence/jsmith_archive.pst (2.3 GB) + +Exporting PST contents... + Folders: 45 + Messages: 12,456 + Attachments: 3,234 + Contacts: 567 + Calendar: 234 + Tasks: 89 + +Export completed in 3m 42s. + +$ python3 pst_analyzer.py /analysis/pst_output /analysis/email_report + +PST Forensic Analysis Report +============================== +Source: jsmith_archive.pst (john.smith@corporate.com) +Date Range: 2023-06-01 to 2024-01-18 + +--- Mailbox Statistics --- + Total Emails: 12,456 + Sent: 4,567 + Received: 7,889 + With Attachments: 3,234 + Deleted (recovered): 234 + +--- Phishing / Suspicious Emails --- +Email #8923 + Date: 2024-01-15 14:30:22 UTC + 
From: "IT Support" + To: john.smith@corporate.com + Subject: Urgent: Password Reset Required + Headers: + Return-Path: bounce@mail-relay.c0rporate-help.com + X-Originating-IP: 203.0.113.55 + Received: from mail-relay.c0rporate-help.com (203.0.113.55) + SPF: FAIL (domain c0rporate-help.com) + DKIM: NONE + DMARC: FAIL + Attachments: + - Password_Reset_Form.xlsm (245 KB) SHA-256: 7a3b8c9d...e1f2a3b4 + Body Preview: "Dear Employee, Your password will expire in 24 hours. + Please open the attached form to reset your credentials..." + +--- Data Exfiltration Indicators --- +Email #9102 + Date: 2024-01-16 03:15:45 UTC + From: john.smith@corporate.com + To: j.smith.personal8842@protonmail.com + Subject: (no subject) + Attachments: + - archive_part1.7z (24.5 MB) - encrypted + - archive_part2.7z (24.5 MB) - encrypted + +Email #9103 + Date: 2024-01-16 03:18:22 UTC + From: john.smith@corporate.com + To: j.smith.personal8842@protonmail.com + Subject: Re: + Attachments: + - archive_part3.7z (18.2 MB) - encrypted + +--- Keyword Hits --- + "confidential": 45 emails + "password": 23 emails + "transfer": 12 emails + "resign": 3 emails + "delete evidence": 1 email (Email #9200, 2024-01-17 22:30:00 UTC) + +Summary: + Phishing emails detected: 1 (initial compromise vector) + Suspicious sent emails: 5 (to personal accounts with attachments) + Encrypted attachments: 3 (67.2 MB total - possible exfiltration) + Report: /analysis/email_report/pst_forensic_report.json +``` diff --git a/skills/analyzing-windows-amcache-artifacts/SKILL.md b/skills/analyzing-windows-amcache-artifacts/SKILL.md index 9c353b56..cde2a41c 100644 --- a/skills/analyzing-windows-amcache-artifacts/SKILL.md +++ b/skills/analyzing-windows-amcache-artifacts/SKILL.md 
@@ -16,3 +16,51 @@ license: Apache-2.0 Extract execution evidence from Amcache.hve including application paths, SHA-1 hashes, timestamps, and publisher metadata for DFIR investigations. + +## Example Output + +```text +$ AmcacheParser.exe -f "C:\Evidence\Amcache.hve" --csv /analysis/amcache_output + +AmcacheParser v1.5.1 - Amcache.hve Parser +============================================ +Input: C:\Evidence\Amcache.hve (12.4 MB) +Last Write Time: 2024-01-18 23:59:45 UTC + +[+] Parsing File entries... Found: 4,567 +[+] Parsing Program entries... Found: 234 +[+] Parsing Driver entries... Found: 189 +[+] Parsing Device Container entries Found: 45 +[+] Parsing Shortcut entries... Found: 312 + +--- Unassociated File Entries (No Known Publisher) --- +SHA-1 | Path | Name | Size | First Run (UTC) | Publisher +--------------------|-----------------------------------------------|-------------------|-----------|-----------------------|---------- +a1b2c3d4e5f6a7b8...| C:\ProgramData\Updates\ | update_client.exe | 1,258,496 | 2024-01-15 14:36:30 | (none) +b2c3d4e5f6a7b8c9...| C:\Windows\Temp\ | mimikatz.exe | 1,250,816 | 2024-01-16 02:30:15 | (none) +c3d4e5f6a7b8c9d0...| C:\Windows\Temp\ | procdump64.exe | 421,376 | 2024-01-16 02:28:00 | Sysinternals +d4e5f6a7b8c9d0e1...| C:\ProgramData\svc\ | updater.exe | 345,088 | 2024-01-15 14:37:00 | (none) +e5f6a7b8c9d0e1f2...| C:\Users\jsmith\AppData\Local\Temp\ | psexec.exe | 834,936 | 2024-01-16 02:40:00 | Sysinternals +f6a7b8c9d0e1f2a3...| C:\Users\jsmith\Downloads\ | netscan.exe | 512,000 | 2024-01-15 15:10:22 | (none) + +--- Program Entries (Recently Installed) --- +Name | Version | Publisher | Install Date | Source +------------------------|---------------|------------------------|-----------------|-------- +PuTTY | 0.80 | Simon Tatham | 2024-01-14 | MSI +WinSCP | 6.1.2 | Martin Prikryl | 2024-01-14 | MSI +7-Zip | 23.01 | Igor Pavlov | 2024-01-15 | MSI +(Unknown) | (Unknown) | (none) | 2024-01-15 | Manual + +--- Driver Entries 
(Suspicious) --- +Name | SHA-1 | Signer | Install Date +------------------------|---------------------|-----------------------|------------- +WinDivert64.sys | 1a2b3c4d5e6f... | (self-signed) | 2024-01-15 +npf.sys | 2b3c4d5e6f7a... | Nmap Project | 2024-01-15 + +Summary: + Total execution artifacts: 4,567 + Unsigned/suspicious entries: 6 + Recently installed programs: 4 (2 suspicious) + Suspicious drivers: 2 + CSV exported to: /analysis/amcache_output/ +``` diff --git a/skills/analyzing-windows-prefetch-with-python/SKILL.md b/skills/analyzing-windows-prefetch-with-python/SKILL.md index 8e2bbbb5..9edfc51e 100644 --- a/skills/analyzing-windows-prefetch-with-python/SKILL.md +++ b/skills/analyzing-windows-prefetch-with-python/SKILL.md 
@@ -37,3 +37,54 @@ Reconstruct chronological execution timeline from all Prefetch files. ## Expected Output JSON report with execution history, suspicious executables, renamed binary indicators, and timeline reconstruction. + +## Example Output + +```text +$ python3 prefetch_analyzer.py --dir /evidence/Windows/Prefetch --output /analysis/prefetch_report + +Windows Prefetch Analyzer v2.1 +================================ +Source: /evidence/Windows/Prefetch/ +Prefetch Format: Windows 10 (MAM compressed, version 30) +Files Found: 234 + +--- Execution Timeline (Incident Window: 2024-01-15 to 2024-01-18) --- +Last Executed (UTC) | Run Count | Filename | Hash | Path +------------------------|-----------|-----------------------------|----------|------------------------------------------ +2024-01-15 14:33:15 | 1 | Q4_REPORT.XLSM-2A1B3C4D.pf | 2A1B3C4D | C:\Users\jsmith\Downloads\Q4_Report.xlsm +2024-01-15 14:35:44 | 1 | POWERSHELL.EXE-A2B3C4D5.pf | A2B3C4D5 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +2024-01-15 14:36:30 | 3 | UPDATE_CLIENT.EXE-B3C4D5E6.pf| B3C4D5E6| C:\ProgramData\Updates\update_client.exe +2024-01-15 15:10:22 | 1 | NETSCAN.EXE-C4D5E6F7.pf | C4D5E6F7 | C:\Users\jsmith\Downloads\netscan.exe +2024-01-16 02:28:00 | 1 | PROCDUMP64.EXE-D5E6F7A8.pf | D5E6F7A8 | C:\Windows\Temp\procdump64.exe +2024-01-16 02:30:15 | 2 | MIMIKATZ.EXE-E6F7A8B9.pf | E6F7A8B9 | C:\Windows\Temp\mimikatz.exe +2024-01-16 02:40:00 | 4 | PSEXEC.EXE-F7A8B9C0.pf | F7A8B9C0 | C:\Users\jsmith\AppData\Local\Temp\psexec.exe +2024-01-17 02:45:00 | 1 | SDELETE64.EXE-A8B9C0D1.pf | A8B9C0D1 | C:\Windows\Temp\sdelete64.exe +2024-01-18 03:00:45 | 1 | WEVTUTIL.EXE-B9C0D1E2.pf | B9C0D1E2 | C:\Windows\System32\wevtutil.exe + +--- Renamed Binary Detection --- +ALERT: UPDATE_CLIENT.EXE loaded DLLs consistent with Cobalt Strike beacon: + Referenced DLLs: wininet.dll, ws2_32.dll, advapi32.dll, dnsapi.dll, netapi32.dll + Volume: \VOLUME{01d94f2a3b5c7d8e-A4E73F21} (C:) + Directories 
referenced: + C:\ProgramData\Updates\ + C:\Windows\System32\ + +--- Execution Frequency Analysis --- +Most Executed (Top 5): + 1. SVCHOST.EXE (267 runs) + 2. CHROME.EXE (189 runs) + 3. EXPLORER.EXE (156 runs) + 4. RUNTIMEBROKER.EXE (134 runs) + 5. OUTLOOK.EXE (98 runs) + +First-Time Executions (Never seen before incident window): + 6 executables first run between 2024-01-15 and 2024-01-18 + +Summary: + Total prefetch files: 234 + Suspicious executables: 6 + Renamed binary indicators: 1 (update_client.exe) + Anti-forensics tools: 2 (sdelete64.exe, wevtutil.exe) + JSON report: /analysis/prefetch_report/prefetch_timeline.json +``` diff --git a/skills/analyzing-windows-shellbag-artifacts/SKILL.md b/skills/analyzing-windows-shellbag-artifacts/SKILL.md index 626da141..19eadc59 100644 --- a/skills/analyzing-windows-shellbag-artifacts/SKILL.md +++ b/skills/analyzing-windows-shellbag-artifacts/SKILL.md @@ -77,7 +77,7 @@ ShellBagsExplorer.exe ### Proving USB Device Browsing -``` +```text Shellbag Path: My Computer\E:\Confidential\Project_Files ShellType: Directory (on removable volume) CreatedOn: 2025-03-15 09:30:00 UTC @@ -90,7 +90,7 @@ with USBSTOR and MountPoints2 registry entries. ### Detecting Network Share Access -``` +```text Shellbag Path: \\FileServer01\Finance\Q4_Reports ShellType: Network Location AccessedOn: 2025-02-20 14:15:00 UTC @@ -101,7 +101,7 @@ the share has been decommissioned or access revoked. ### Identifying Deleted Folder Knowledge -``` +```text Shellbag Path: C:\Users\suspect\Documents\Exfiltration_Staging ShellType: Directory CreatedOn: 2025-01-10 08:00:00 UTC 
@@ -126,3 +126,60 @@ created and navigated to this folder. - SANS Shellbag Forensics: https://www.sans.org/blog/computer-forensic-artifacts-windows-7-shellbags - Magnet Forensics Shellbag Analysis: https://www.magnetforensics.com/blog/forensic-analysis-of-windows-shellbags/ - ShellBags Explorer: https://ericzimmerman.github.io/ + +## Example Output + +```text +$ SBECmd.exe -d "C:\Evidence\Users\jsmith" --csv /analysis/shellbag_output + +SBECmd v2.1.0 - ShellBags Explorer (Command Line) +==================================================== +Processing hives for user: jsmith + NTUSER.DAT: C:\Evidence\Users\jsmith\NTUSER.DAT + UsrClass.dat: C:\Evidence\Users\jsmith\AppData\Local\Microsoft\Windows\UsrClass.dat + +[+] NTUSER.DAT shellbag entries: 456 +[+] UsrClass.dat shellbag entries: 1,234 +[+] Total shellbag entries: 1,690 + +--- Folder Access Timeline (Incident Window) --- +Last Accessed (UTC) | Folder Path | Type | Access Count +------------------------|---------------------------------------------------------|-------------|------------- +2024-01-15 14:34:05 | C:\Users\jsmith\Downloads | File System | 45 +2024-01-15 14:36:25 | C:\ProgramData\Updates | File System | 3 +2024-01-15 15:05:00 | \\FILESERV01\Finance | Network | 2 +2024-01-15 15:12:30 | \\FILESERV01\Finance\Q4_Reports | Network | 1 +2024-01-15 15:30:00 | E:\ | Removable | 4 +2024-01-15 15:30:45 | E:\Backup | Removable | 3 +2024-01-15 15:31:20 | E:\Backup\Corporate_Data | Removable | 2 +2024-01-15 16:12:45 | \\FILESERV01\HR\Employees | Network | 1 +2024-01-15 16:15:00 | \\FILESERV01\HR\Employees\Records_2024 | Network | 1 +2024-01-16 02:35:00 | C:\Windows\Temp | File System | 5 +2024-01-17 02:44:00 | C:\ProgramData\svc | File System | 2 +2024-01-18 01:10:00 | C:\Users\jsmith\AppData\Local\Temp | File System | 8 + +--- Network Share Access --- + \\FILESERV01\Finance First: 2023-09-10 Last: 2024-01-15 + \\FILESERV01\Finance\Q4_Reports First: 2024-01-15 Last: 2024-01-15 (NEW) + \\FILESERV01\HR\Employees 
First: 2024-01-15 Last: 2024-01-15 (NEW) + \\DC01\SYSVOL First: 2023-03-15 Last: 2024-01-16 (anomalous access time) + +--- Removable Device Access --- + E:\ (USB Drive) + Volume Name: BACKUP_DRIVE + First Accessed: 2024-01-15 15:30:00 UTC + Last Accessed: 2024-01-15 15:45:22 UTC + Folders Browsed: 3 (E:\, E:\Backup, E:\Backup\Corporate_Data) + +--- Deleted/No Longer Existing Paths --- + C:\ProgramData\Updates\ (folder deleted, shellbag persists) + C:\ProgramData\svc\ (folder deleted, shellbag persists) + C:\Windows\Temp\tools\ (folder deleted, shellbag persists) + +Summary: + Total unique folders accessed: 1,690 + Network shares accessed: 4 (2 newly accessed during incident) + Removable media: 1 USB device (data staging suspected) + Deleted folder evidence: 3 paths (anti-forensics indicator) + CSV exported to: /analysis/shellbag_output/ +``` diff --git a/skills/performing-cloud-storage-forensic-acquisition/SKILL.md b/skills/performing-cloud-storage-forensic-acquisition/SKILL.md index d692adfa..226bb1e8 100644 --- a/skills/performing-cloud-storage-forensic-acquisition/SKILL.md +++ b/skills/performing-cloud-storage-forensic-acquisition/SKILL.md 
@@ -253,3 +253,69 @@ def analyze_onedrive_sync_engine(db_path: str) -> list: - Magnet AXIOM Cloud: https://www.magnetforensics.com/blog/how-to-acquire-and-analyze-cloud-data-with-magnet-axiom/ - AWS Cloud Forensics Framework: https://docs.aws.amazon.com/prescriptive-guidance/latest/security-reference-architecture/cyber-forensics.html - API-Based Forensic Acquisition of Cloud Drives: https://arxiv.org/abs/1603.06542 + +## Example Output + +```text +$ python3 cloud_forensic_acquire.py --provider google-drive --auth /tokens/gdrive_token.json \ + --user jsmith@corporate.com --output /acquisition/gdrive + +Cloud Storage Forensic Acquisition Tool v3.2 +============================================== +Provider: Google Drive +Account: jsmith@corporate.com +Start Time: 2024-01-19 08:00:15 UTC +Auth Method: Admin SDK (domain-wide delegation) + +[+] Enumerating files... + Total files: 2,345 + Total folders: 178 + Shared with me: 456 + Trashed items: 89 (included in acquisition) + Total size: 14.7 GB + +[+] Acquiring file contents... + Downloaded: 2,345 / 2,345 [████████████████████████████████] 100% + Errors: 0 + Elapsed: 18m 32s + +[+] Acquiring metadata... + File metadata: 2,345 entries + Revision history: 8,912 revisions across 1,234 files + Sharing permissions: 3,456 permission entries + Activity log: 12,345 events + +[+] Acquiring trashed items... + Recovered: 89 / 89 items (234 MB) + +--- Acquisition Log --- +Timestamp (UTC) | Action | File | Size | SHA-256 +2024-01-19 08:00:45 | Downloaded | /My Drive/Finance/Q4_Report.xlsm | 245 KB | 7a3b8c9d... +2024-01-19 08:00:46 | Downloaded | /My Drive/Finance/Budget_2024.xlsx | 1.2 MB | 8b4c9d0e... +... +2024-01-19 08:02:12 | Trash-Recovered | /Trash/employee_list_full.csv | 4.5 MB | 9c5d0e1f... +2024-01-19 08:02:13 | Trash-Recovered | /Trash/network_diagram_v3.vsdx | 2.1 MB | 0d6e1f2a... +2024-01-19 08:02:14 | Trash-Recovered | /Trash/credentials_backup.kdbx | 128 KB | 1e7f2a3b... 
+ +--- Sharing Analysis --- +Files Shared Externally: + /My Drive/Finance/Q4_Report.xlsm → j.smith.personal8842@protonmail.com (2024-01-16 03:10 UTC) + /My Drive/HR/employee_list_full.csv → j.smith.personal8842@protonmail.com (2024-01-16 03:12 UTC) + /My Drive/IT/network_diagram_v3.vsdx → anonymous (link sharing, 2024-01-16 03:15 UTC) + +--- Revision History (Suspicious) --- +File: /My Drive/Finance/Q4_Report.xlsm + Rev 1: 2024-01-10 09:00:00 UTC (245 KB) - Original + Rev 2: 2024-01-15 14:35:00 UTC (248 KB) - Modified (macro added) + Rev 3: 2024-01-16 03:05:00 UTC (245 KB) - Reverted (macro removed - anti-forensics) + +Acquisition Summary: + Files acquired: 2,345 (14.7 GB) + Trashed items: 89 (234 MB) + Revisions: 8,912 + Chain of custody hash (full archive): + SHA-256: a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2 + Output directory: /acquisition/gdrive/ + Acquisition log: /acquisition/gdrive/acquisition_log.csv + Completion Time: 2024-01-19 08:18:47 UTC +``` diff --git a/skills/performing-sqlite-database-forensics/SKILL.md b/skills/performing-sqlite-database-forensics/SKILL.md index 57f3fceb..dbabf00f 100644 --- a/skills/performing-sqlite-database-forensics/SKILL.md +++ b/skills/performing-sqlite-database-forensics/SKILL.md 
@@ -265,3 +265,76 @@ def decode_mozilla_timestamp(moz_ts: int) -> datetime: - Belkasoft SQLite Analysis: https://belkasoft.com/sqlite-analysis - Spyder Forensics SQLite Training: https://www.spyderforensics.com/sqlite-forensic-fundamentals-2025/ - Forensic Analysis of Damaged SQLite Databases: https://www.forensicfocus.com/articles/forensic-analysis-of-damaged-sqlite-databases/ + +## Example Output + +```text +$ python3 sqlite_forensics.py --db /evidence/chrome/Default/History \ + --wal /evidence/chrome/Default/History-wal \ + --journal /evidence/chrome/Default/History-journal \ + --output /analysis/sqlite_report + +SQLite Database Forensic Analyzer v2.0 +======================================== +Database: /evidence/chrome/Default/History +Size: 48.2 MB +SQLite Ver: 3.39.5 +Page Size: 4096 bytes +Total Pages: 12,345 +Encoding: UTF-8 + +[+] Analyzing WAL (Write-Ahead Log)... + WAL file: History-wal (2.1 MB) + WAL frames: 512 + Checkpointed: No (contains uncommitted data) + Recoverable rows from WAL: 234 + +[+] Analyzing journal file... + Journal file: History-journal (0 bytes - rolled back) + +[+] Scanning for deleted records (freelist pages)... + Freelist pages: 456 + Deleted records recovered: 1,892 + +[+] Analyzing table: urls + Active rows: 12,456 + Deleted rows: 1,234 (recovered from freelist) + WAL-only rows: 89 + +--- Recovered Deleted URLs (Last 10) --- +Row ID | URL | Title | Visit Count | Last Visit (UTC) +-------|--------------------------------------------------|--------------------------|-------------|--------------------- +89234 | https://mega.nz/folder/xYz123#key=AbCdEf | MEGA | 5 | 2024-01-16 03:20:00 +89235 | https://transfer.sh/abc123/data.7z | transfer.sh | 1 | 2024-01-16 03:25:00 +89240 | https://temp-mail.org/en/ | Temp Mail | 3 | 2024-01-15 13:00:00 +89241 | https://browserleaks.com/ip | IP Leak Test | 1 | 2024-01-15 12:55:00 +89245 | https://www.virustotal.com/gui/file/a1b2c3... 
| VirusTotal | 2 | 2024-01-15 14:30:00 +89250 | https://github.com/gentilkiwi/mimikatz/releases | Mimikatz Releases | 1 | 2024-01-15 16:00:00 +89260 | https://raw.githubusercontent.com/.../payload.ps1| GitHub Raw | 1 | 2024-01-15 14:34:00 +89270 | https://pastebin.com/edit/kL9mN2pQ | Pastebin - Edit | 2 | 2024-01-15 14:42:00 +89280 | https://duckduckgo.com/?q=clear+browser+history | DuckDuckGo | 1 | 2024-01-17 22:00:00 +89285 | https://duckduckgo.com/?q=anti+forensics+tools | DuckDuckGo | 1 | 2024-01-17 22:05:00 + +[+] Analyzing table: downloads + Active rows: 234 + Deleted rows: 12 (recovered) + +--- Recovered Deleted Downloads --- +Row ID | Filename | URL | Size | Start Time (UTC) +-------|------------------------|----------------------------------------|-----------|--------------------- +5012 | payload.ps1 | https://raw.githubusercontent.com/... | 4,096 | 2024-01-15 14:34:00 +5015 | mimikatz_trunk.zip | https://github.com/.../releases/... | 1,892,352 | 2024-01-15 16:00:00 +5018 | netscan_portable.zip | https://www.softperfect.com/... | 5,242,880 | 2024-01-15 15:05:00 + +[+] Slack space analysis... + Pages with slack space data: 234 + Partial strings recovered: 67 fragments + +Summary: + Total records analyzed: 14,578 (active) + 3,126 (deleted/WAL) + Evidence-relevant URLs: 23 (flagged) + Deleted downloads: 12 (3 tool-related) + Anti-forensics evidence: Browser history deletion detected + Report: /analysis/sqlite_report/sqlite_forensics.json + Recovered DB: /analysis/sqlite_report/History_recovered.db +```
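Review bot: the fabricated hosts in the Hindsight `## Example Output` (`corporate.com`, `phish-domain.com`, `cdn.evil-updates.com`, `c0rporate-help.com` in the later PST hunk) are registrable domains; use RFC 2606 names such as `corporate.example` and `phish.example` so the documentation never points a reader at a third party. Two consistency items in the same block: the history row shows `Q4_Financial_Report.xlsx` opened from Google Drive while the download row and the LNK/Prefetch/Amcache examples use `Q4_Report.xlsm`, so pick one filename and origin across the ten skills; and the `--- Downloads (Suspicious) ---` heading reads as a classification Hindsight produced, so if it is analyst annotation label it as such, since the section's purpose is to show what the tool itself emits.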
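Review bot: the hooked-syscall table in the Linux rootkit `## Example Output` lists `sys_getdents64` as NR 78, but on x86_64 NR 78 is the legacy `getdents`; `getdents64` is NR 217 (Diamorphine hooks both, which the table could show). The `0.0.0.0:0` local endpoint on the two `ESTABLISHED` hidden connections is also not realistic: an established TCP socket has a concrete local address and port, and the `/proc/net/tcp` cross-check the tool claims to perform matches on that tuple, so give those rows a local address and an ephemeral port. Finally, the `## Expected Output` paragraph immediately above promises a JSON report while the example shows only a text report; either add the path of the JSON written, as the other skills do in their `Summary:` block, or change the wording.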
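Review bot: the `Most Recent:` list under the Windows Explorer jump list is ordered oldest first (Entry 0 at 14:36:25, Entry 2 at 16:12:45), which contradicts the label; JLECmd reports entries by MRU position, so Entry 0 should carry the latest timestamp. The Excel AppID `12dc1ea8e34b5a6` is also only 15 hex digits; AppIDs are 64-bit values written as 16 hex digits (compare `f01b4d95cf55d32a`). Smaller path issues: the `-d` argument points at `...\AppData\Roaming\Microsoft\Windows\Recent` but each `Source:` line says `C:\Evidence\Users\jsmith\Recent\`, and `--csv /analysis/lnk_output` is a POSIX path beside Windows evidence paths; make these consistent so the commands are reproducible as written.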
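Review bot: a standalone `$MFT` export cannot support the `Recoverable` verdicts or the `Recovered files exported to: /analysis/mft_output/recovered/` line in the MFT `## Example Output`. The `$MFT` holds metadata and resident data only; whether non-resident clusters were reallocated requires `$Bitmap` and the volume image, and MFTECmd parses the MFT to CSV rather than carving file contents. Either show the recovery step with the tool that actually reads the volume, or limit this example to what MFTECmd produces (entry number, in-use flag, `$SI`/`$FN` timestamps, data runs). The timestomping table is right as written: `$SI` created earlier than `$FN` created by 214 and 745 days is the correct indicator and both deltas check out.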
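Review bot: the phishing example's `From: "IT Support"` line shows only a display name; the sender address is what ties the header to `Return-Path: bounce@mail-relay.c0rporate-help.com` and makes the SPF/DMARC `FAIL` lines meaningful, so include it. Worth checking too that the export path matches libpff's behaviour: if I remember correctly, `pffexport -t /analysis/pst_output` creates `/analysis/pst_output.export/`, in which case the `pst_analyzer.py /analysis/pst_output` invocation that follows should point at that directory.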
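Review bot: the `First Run (UTC)` column and the `Total execution artifacts: 4,567` summary in the Amcache `## Example Output` overstate what the artifact proves. The timestamp on an Amcache file entry is the key's last-write time, i.e. when the entry was recorded, and entries are written for files that were scanned or installed as well as executed, so label the column as the entry time, call the summary figure file entries, and add one sentence that execution needs corroboration from Prefetch or Shimcache. Minor: `[+] Parsing Device Container entries Found: 45` is missing the `...` the neighbouring lines have.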
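Review bot: the first timeline row, `Q4_REPORT.XLSM-2A1B3C4D.pf`, is not a real artifact: Prefetch files are created for launched executables, so opening a workbook produces an `EXCEL.EXE-<hash>.pf` entry whose referenced-files list contains the `.xlsm` path, not a prefetch file for the document. Replace the row with EXCEL.EXE and show the document under its referenced files. The `Renamed Binary Detection` alert also overclaims: `wininet.dll, ws2_32.dll, advapi32.dll, dnsapi.dll, netapi32.dll` are loaded by a great deal of legitimate software, so this is at most a weak indicator to corroborate with the Amcache SHA-1, not `consistent with Cobalt Strike beacon`. Two smaller items: Windows 10 prefetch keeps the last eight run times, and listing them for `UPDATE_CLIENT.EXE` (run count 3) would demonstrate the format's main value; and the `UPDATE_CLIENT.EXE-B3C4D5E6.pf| B3C4D5E6|` row has lost its column padding.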
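Review bot: the `Access Count` column in the shellbag timeline is not something the artifact stores; ShellBags record MRU order plus key and shell-item timestamps (SBECmd exposes MRUPosition, FirstInteracted and LastInteracted), not a visit counter. Drop the column or replace it with MRU position. The rest reconciles: 456 + 1,234 = 1,690 matches the summary, and the `C:\ProgramData\Updates` timestamp (14:36:25) agrees with the Explorer jump list example.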
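Review bot: `Auth Method: Admin SDK (domain-wide delegation)` and `Activity log: 12,345 events` name the wrong API surface. File listing, content and revisions come from the Drive API under a service account with domain-wide delegation; activity events come from the Admin SDK Reports API (Drive audit) or the Drive Activity API, so state which one the tool queried, because that decides retention and which fields the log carries. The `Rev 3: ... Reverted (macro removed - anti-forensics)` line presents intent as tool output; make it analyst annotation. The `Chain of custody hash (full archive)` line should also say what was hashed (the archive of downloaded content, the metadata JSON, or both) so the value is reproducible.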
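Review bot: `Checkpointed: No (contains uncommitted data)` conflates two things. WAL frames that have not been checkpointed are committed transactions not yet written back to the main database file; uncommitted data would be frames after the last commit frame. Reword to `not checkpointed (committed rows present only in WAL)` and, if partial transactions are also recovered, report them separately. The summary does not reconcile with the body either: `1,892` deleted records plus `234` WAL rows is 2,126, not the `3,126 (deleted/WAL)` stated. Minor: the `https://raw.githubusercontent.com/.../payload.ps1| GitHub Raw` row has lost its column padding.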