PowerForensics: PowerShell Digital Forensics

The goal of PowerForensics is to provide an all-inclusive framework for hard drive forensic analysis. PowerForensics currently supports the NTFS and FAT file systems, and work has begun on support for the Extended File System and HFS+. PowerForensics is built on a C# Class Library (Assembly) that provides a public forensic API. All cmdlets in this module are built on that public API, and the tool can easily be extended by creating new cmdlets on top of it.

Cmdlets

Boot Sector:

Get-ForensicMasterBootRecord - gets the MasterBootRecord from the first sector of the hard drive
Get-ForensicGuidPartitionTable - gets the GuidPartitionTable from the first sector of the hard drive
Get-ForensicBootSector - gets the appropriate boot sector (MBR or GPT) from the specified drive
Get-ForensicPartitionTable - gets the partition table for the specified drive

Extended File System 4 (ext4):

Get-ForensicSuperblock - returns the ext4 SuperBlock object
Get-ForensicBlockGroupDescriptor - returns the Block Group Descriptor Table entries
Get-ForensicInode - returns the Inode Table entries

New Technology File System (NTFS):

Get-ForensicAttrDef - gets definitions of MFT Attributes (parses $AttrDef)
Get-ForensicBitmap - determines if a cluster is marked as in use (parses $Bitmap)
Get-ForensicFileRecord - gets Master File Table entries (parses $MFT)
Get-ForensicFileRecordIndex - gets a file's MFT record index number
Get-ForensicUsnJrnl - gets Usn Journal Entries (parses $UsnJrnl:$J)
Get-ForensicUsnJrnlInformation - gets UsnJrnl Metadata (parses $UsnJrnl:$Max)
Get-ForensicVolumeBootRecord - gets the VolumeBootRecord from the first sector of the volume (parses $Boot)
Get-ForensicVolumeInformation - gets the $Volume file's $VOLUME_INFORMATION attribute
Get-ForensicVolumeName - gets the $Volume file's $VOLUME_NAME attribute
Get-ForensicFileSlack - gets the specified volume's slack space
Get-ForensicMftSlack - gets the Master File Table (MFT) slack space for the specified volume
Get-ForensicUnallocatedSpace - gets the unallocated space on the specified partition/volume (parses $Bitmap)

Windows Artifacts

Get-AlternateDataStream - gets the NTFS Alternate Data Streams on the specified volume
Get-ForensicEventLog - gets the events in an event log or in all event logs
Get-ForensicExplorerTypedPath - gets the file paths that have been typed into the Windows Explorer application
Get-ForensicNetworkList - gets a list of networks that the system has previously been connected to
Get-ForensicOfficeFileMru - gets files that have been recently opened in Microsoft Office
Get-ForensicOfficeOutlookCatalog - gets Outlook pst file paths
Get-ForensicOfficePlaceMru - gets directories that have recently been opened in Microsoft Office
Get-ForensicOfficeTrustRecord - gets files that have been explicitly trusted within Microsoft Office
Get-ForensicPrefetch - gets Windows Prefetch artifacts by parsing the file's binary structure
Get-ForensicRunKey - gets the persistence mechanism stored in registry run keys
Get-ForensicRunMostRecentlyUsed - gets the commands that were issued by the user to the run dialog
Get-ForensicScheduledJob - gets Scheduled Jobs (at jobs) by parsing the file's binary structures
Get-ForensicShellLink - gets ShellLink (.lnk) artifacts by parsing the file's binary structure
Get-ForensicSid - gets the machine Security Identifier from the SAM hive
Get-ForensicTimezone - gets the system's timezone based on the registry setting
Get-ForensicTypedUrl - gets the Universal Resource Locators (URL) that have been typed into Internet Explorer
Get-ForensicUserAssist - gets the UserAssist entries from the specified volume
Get-ForensicWindowsSearchHistory - gets the terms that have been searched for using the Windows Search feature

Application Compatibility Cache

Get-ForensicAmcache - gets previously run commands from the Amcache.hve registry hive
Get-ForensicRecentFileCache - gets previously run commands from the RecentFileCache.bcf file
Get-ForensicShimcache - gets previously run commands from the AppCompatCache (AppCompatibility on XP) registry key

Windows Registry

Get-ForensicRegistryKey - gets the keys of the specified registry hive
Get-ForensicRegistryValue - gets the values of the specified registry key

Forensic Timeline

ConvertTo-ForensicTimeline - converts an object to a ForensicTimeline object
Get-ForensicTimeline - creates a forensic timeline

Utilities

ConvertFrom-BinaryData - implements PowerForensics' BinShred API to parse binary data into an object
Copy-ForensicFile - creates a copy of a file from its raw bytes on disk
Get-ForensicChildItem - returns a directory's contents by parsing the MFT structures
Get-ForensicContent - gets the content of a file from its raw bytes on disk
Invoke-ForensicDD - provides a bit for bit copy of a specified device

Translation: Anna Davydova
Source: n0where.net
