- DFIR – Notes for my transition
- How to analyse prefetch files from a hard drive
- How to analyze malicious PDF files
- How to compare memory dump with baseline dump
- How to convert a hibernation file to a memory dump
- How to convert shellcode binary to executable
- How to create a super timeline
- How to create a timeline from a hard drive image and memory dump
- How to create custom filters and parser presets for log2timeline and plaso
- How to deobfuscate JavaScript
- How to detect if malware is packed
- How to detect network communication
- How to detect rootkits
- How to do behavioural analysis of malware
- How to do malware OSINT
- How to do runtime debugging of malware
- How to do static properties analysis of malware
- How to do Windows log analysis
- How to emulate running shellcode binaries
- How to extract (carve) cached files from a memory dump
- How to extract (carve) files from a packet dump (PCAP)
- How to extract a process from memory
- How to extract browser history
- How to extract credentials from a memory dump
- How to extract files from unallocated space
- How to extract LNK files from a hard drive image
- How to extract log files from a hard drive image
- How to extract registry values from a hard drive image
- How to extract registry values from memory
- How to extract shellbags from a hard drive image
- How to extract strings from malware
- How to extract the MFT from an E01 image
- How to extract the shimcache from memory and disk images
- How to extract the USN Journal of an NTFS image
- How to identify autostart persistence – Requires live system
- How to identify malware with densityscout
- How to identify malware with pescan
- How to identify malware with sigcheck
- How to identify recently opened files and searches on Windows
- How to identify rogue processes
- How to identify timestomping
- How to list loaded DLLs of a process
- How to list prefetch files from memory
- How to make your host respond to requests for all IPs
- How to mount an E01 file in linux
- How to mount volume shadow copies
- How to parse the Master File Table (MFT) of an NTFS image
- How to parse the most recent files cache
- How to parse Windows INDX Slack and create a timeline
- How to see what resources a process handled
- How to see who started a process
- Things to remember when using Autopsy
- Things to remember when using VMware
- Food
- Scribbles – notes and oneliners for infosec
- CodeWar – or How I Learned Python in 24 Hours
- How to decompile a JNLP application
- How to decompile the applications on your Android phone
- How to do a Java source code review
- How to do Python stuff in multiple threads
- How to make John the Ripper run on a multi-CPU System
- How to make the best wordlist for dictionary-based attacks
- How to Man-in-the-Middle a web application
- How to perform Man-in-the-Middle attacks without those big GUI tools
- How to verify DNS Cache Snooping