diff --git a/.DS_Store b/.DS_Store deleted file mode 100644 index 9015b07..0000000 Binary files a/.DS_Store and /dev/null differ diff --git a/Forensics/README.md b/Forensics/README.md index c6a9a24..27cc7bf 100644 --- a/Forensics/README.md +++ b/Forensics/README.md @@ -2,6 +2,52 @@ ## Disk Forensics +### Basic useful CLI tools: + +#### ps +Show the processes for all users (a), displaying the process's user/ownser (u), and the processes that are not attached to a terminal (x): + +```shell +$ ps aux +``` + +Display the full listing of all processes (useful for finding underisable processes): + +```shell +$ ps ef +``` + +#### lsof + +Display a specific pricess in more details, by displaying the files and ports associated with that process. +```shell +$ lsof -p +``` + +Display processes running form or acessing files that have been unlinked: + +```shell +$ lsof +L1 +``` + +#### find + +```shell +$ find / -uid 0 +``` + +### arp + +Display all MAC to IP address mapping of the system (useful for finding addresses of systems that are not part of the network. + +```shell +$ arp -a +``` + + +Others: uptime, free, df. + + ### dd ### strings @@ -11,6 +57,8 @@ $ strings /tmp/mem.dump | grep BOOT_ $ BOOT_IMAGE=/vmlinuz-3.5.0-23-generic ``` + + ### scalpel ### TrID @@ -21,8 +69,6 @@ $ BOOT_IMAGE=/vmlinuz-3.5.0-23-generic ### ExifTool -### Hex editors - ### dff ### CAINE @@ -40,11 +86,13 @@ $ BOOT_IMAGE=/vmlinuz-3.5.0-23-generic ### Volatility: Analysing Dumps -* [I have a lot of material on Volatility and Memory Forensics here](volatility.md) -* I highly reccomend their training. +* [Lots of material on Volatility and Memory Forensics here](volatility.md) +* [On OSX Memory Forensics](osx_memory_forensics.md) +* I highly recommend their training. + --------------- -### Scripts +## Scripts #### PDFs Tools to test a PDF file: diff --git a/Forensics/osx_memory_forensics.md b/Forensics/osx_memory_forensics.md new file mode 100644 index 0000000..80da547 --- /dev/null 
+++ b/Forensics/osx_memory_forensics.md @@ -0,0 +1,3 @@ +# OSX Forensics + +(tbw) diff --git a/README.md b/README.md index 737bb80..355bfda 100644 --- a/README.md +++ b/README.md @@ -1,4 +1,4 @@ -# My-Gray-Hacker-Resources +# Gray Hacker Resources All in one big bag. Educational purposes. @@ -78,6 +78,13 @@ telnet localhost 3000 ### Books I Recommend #### Technical +- [Bulletproof SSL and TLS](http://www.amazon.com/gp/product/1907117040?psc=1&redirect=true&ref_=oh_aui_detailpage_o06_s00) +- [Reversing: Secrets of Reverse Engineering](http://www.amazon.com/Reversing-Secrets-Engineering-Eldad-Eilam/dp/0764574817) +- [The Art of Memory Forensics](http://www.amazon.com/gp/product/1118825098?psc=1&redirect=true&ref_=oh_aui_search_detailpage) +- [The C Programming Language](http://www.amazon.com/gp/product/0131103628?psc=1&redirect=true&ref_=oh_aui_search_detailpage) +- [The Unix Programming Environment](http://www.amazon.com/gp/product/013937681X?psc=1&redirect=true&ref_=oh_aui_search_detailpage) +- [UNIX Network Programming](http://www.amazon.com/gp/product/0139498761?psc=1&redirect=true&ref_=oh_aui_search_detailpage) +- [Threat Modeling: Designing for Security](http://www.amazon.com/Threat-Modeling-Designing-Adam-Shostack/dp/1118809998) - [The Tangled Web](http://www.amazon.com/The-Tangled-Web-Securing-Applications/dp/1593273886) - [The Art of Exploitation](http://www.amazon.com/Hacking-The-Art-Exploitation-Edition/dp/1593271441) - [The Art of Software Security Assessment](http://www.amazon.com/The-Software-Security-Assessment-Vulnerabilities/dp/0321444426)
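Review bot: in the `Forensics/README.md` hunk `@@ -2,6 +2,52 @@`, `ps ef` does not do what its description says. Without a leading dash `ps` parses the letters in BSD style: `e` appends each process's environment to its command line and `f` draws the process tree, and only the caller's processes that have a controlling terminal are listed, so this is neither a full listing nor a good way to spot unwanted processes. The intended UNIX-style command is `ps -ef`. In the same hunk `lsof -p` is missing its argument and should read `lsof -p <pid>`, and the `find / -uid 0` entry has no description at all; `-uid 0` matches every root-owned file, which on a default install is most of the filesystem, so either say what the reader is meant to do with that output or narrow it to the usual compromise-assessment check, setuid-root binaries, with `find / -user root -perm -4000`. The `arp -a` sentence is also off: `arp -a` prints the kernel's neighbour cache, i.e. hosts on the local segment this machine has recently exchanged frames with, so "systems that are not part of the network" should be reworded (the sentence also lacks its closing parenthesis), and the heading should be `#### arp` to sit at the same level as `ps`, `lsof` and `find`. Minor wording: `x` in `ps aux` lifts the must-have-a-tty restriction, so "including processes not attached to a terminal" is more accurate than "the processes that are not attached to a terminal". Typos to fix while here: "ownser", "underisable", "pricess", "form", "acessing". One structural point: every command in this block runs on a live host and collects volatile state, so the block belongs under a "Live response" heading rather than under `## Disk Forensics`.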
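Review bot: in the hunk `@@ -21,8 +69,6 @@`, the `### Hex editors` stub is removed without a replacement while the other empty stubs on the same page (`### scalpel`, `### TrID`, `### dff`, `### CAINE`) are kept. If the intent is to drop empty sections, drop them consistently; otherwise keep this one, since a hex editor is a tool a reader of a disk-forensics page will reach for before most of the others listed.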
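Review bot: in the hunk `@@ -40,11 +86,13 @@`, the new bullet `[On OSX Memory Forensics](osx_memory_forensics.md)` links to a file that this same patch creates with `(tbw)` as its only content, so anyone following the link from the README lands on an empty page. Either hold the link until the page has content or mark the bullet itself as a placeholder (e.g. "OSX memory forensics (to be written)"). The `### Scripts` to `## Scripts` change is fine and matches `## Disk Forensics`, but be aware it moves Scripts out of the Disk Forensics section; the horizontal rule just above makes that read as intentional.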
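Review bot: in the new file `Forensics/osx_memory_forensics.md`, the title `# OSX Forensics` does not match either the filename `osx_memory_forensics.md` or the README bullet text "On OSX Memory Forensics". Use `# OSX Memory Forensics` so heading, filename and link agree, and expand `(tbw)` to a sentence saying what the page will cover so the placeholder is at least self-explanatory.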
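Review bot: in the `README.md` hunk `@@ -78,6 +78,13 @@`, six of the seven added book links carry Amazon order-history tracking parameters (`?psc=1&redirect=true&ref_=oh_aui_search_detailpage` and `ref_=oh_aui_detailpage_o06_s00`) copied from a logged-in purchase page. They add nothing, advertise that the links came from the author's order history, and look out of place next to the existing clean `/dp/` entries such as `http://www.amazon.com/The-Tangled-Web-Securing-Applications/dp/1593273886`. Trim each to its canonical form, e.g. `http://www.amazon.com/gp/product/1118825098` or `http://www.amazon.com/dp/1118825098`, and prefer `https://` while touching them.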