boB Rudis hrbrmstr

## macOS_savedstate.py
'''
parse SavedState artifacts extracted from OSX.

author: Willi Ballenthin (william.ballenthin@fireeye.com)
license: Apache 2.0
'''
import re
import sys
import json
import struct

## macOS_keychain.py
#!/usr/bin/env python3
'''
bling.py - extract keys from macOS keychains.

installation:
  pip install pytz hexdump vivisect-vstruct-wb tabulate argparse pycryptodome

usage:
  python bling.py /path/to/keychain-db <password> ./path/to/output/directory

## macOS_stickies.py
'''
parse osx sticky databases.

author: Willi Ballenthin <william.ballenthin@fireeye.com>
license: Apache 2.0

usage:

    $ python extract_stickies.py  /path/to/input.bin  /path/to/output/directory/
'''

## mta-sts_scans-io_dns-any_2018-08-24.txt
mta-sts.0xdeadbeef600ddecafbad.de,cname,sb33.not-your-server.de
mta-sts.123apps.net,cname,mta-sts.luteijn.email
mta-sts.79p.de,cname,79p.de
mta-sts.abel-battenberg.de,a,78.46.137.164
mta-sts.abel-fkb.de,a,78.46.137.164
mta-sts.adrien-martin.net,cname,adrien-martin.net
mta-sts.akademeia.moe,cname,mta-sts.luteijn.email
mta-sts.akademiaf2p.pl,cname,ha.hetzner.tensquaregames.com
mta-sts.alainwolf.ch,cname,mta-sts.urown.net
mta-sts.alainwolf.net,cname,mta-sts.urown.net

## put64.R
# Copyright 2018 Noam Ross
#
# Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to deal
# in the Software without restriction, including without limitation the rights
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
# copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be included in all

## boyermoor.py
def alphabet_index(c):
    """
    Returns the index of the given character in the English alphabet, counting from 0.
    """
    return ord(c.lower()) - 97 # 'a' is ASCII character 97

def match_length(S, idx1, idx2):
    """
    Returns the length of the match of the substrings of S beginning at idx1 and idx2.
    """

## docker-compose.yml
version: '2'
services:
  api:
    volumes:
      - "nfsmount:${CONTAINER_DIR}"

volumes:
  nfsmount:
    driver: local
    driver_opts:

## .README-bitcoin-nord-world-bubbles
Only including this file so the title of the gist isn't `.gitignore`

## git-create-remote.sh
# This function will walk you through the creation of a remote repository on github
# without wasting your precious time going to the website :)
# how:
#   - source it in your (bash|zsh)rc
#   - change the alias at the bottom of the script to your needs
#   - call it, follow instructions... profit
function createRemoteGitRepository() {
  local RED='\033[0;31m'
  local NC='\033[0m' # No Color
  local GITHUB_USER=''

## gg_tweet.R
library(httr)
library(magick)
library(hrbrthemes)
library(ggplot2)

theme_tweet_rc <- function(grid = "XY", style = c("stream", "card"), retina=TRUE) {

  style <- match.arg(tolower(style), c("stream", "card"))

  switch(
	'''
	parse SavedState artifacts extracted from OSX.

	author: Willi Ballenthin (william.ballenthin@fireeye.com)
	license: Apache 2.0
	'''
	import re
	import sys
	import json
	import struct
	#!/usr/bin/env python3
	'''
	bling.py - extract keys from macOS keychains.

	installation:
	pip install pytz hexdump vivisect-vstruct-wb tabulate argparse pycryptodome

	usage:
	python bling.py /path/to/keychain-db <password> ./path/to/output/directory
	'''
	parse osx sticky databases.

	author: Willi Ballenthin <william.ballenthin@fireeye.com>
	license: Apache 2.0

	usage:

	$ python extract_stickies.py /path/to/input.bin /path/to/output/directory/
	'''
	mta-sts.0xdeadbeef600ddecafbad.de,cname,sb33.not-your-server.de
	mta-sts.123apps.net,cname,mta-sts.luteijn.email
	mta-sts.79p.de,cname,79p.de
	mta-sts.abel-battenberg.de,a,78.46.137.164
	mta-sts.abel-fkb.de,a,78.46.137.164
	mta-sts.adrien-martin.net,cname,adrien-martin.net
	mta-sts.akademeia.moe,cname,mta-sts.luteijn.email
	mta-sts.akademiaf2p.pl,cname,ha.hetzner.tensquaregames.com
	mta-sts.alainwolf.ch,cname,mta-sts.urown.net
	mta-sts.alainwolf.net,cname,mta-sts.urown.net
	# Copyright 2018 Noam Ross
	#
	# Permission is hereby granted, free of charge, to any person obtaining a copy
	# of this software and associated documentation files (the "Software"), to deal
	# in the Software without restriction, including without limitation the rights
	# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
	# copies of the Software, and to permit persons to whom the Software is
	# furnished to do so, subject to the following conditions:
	#
	# The above copyright notice and this permission notice shall be included in all
	def alphabet_index(c):
	"""
	Returns the index of the given character in the English alphabet, counting from 0.
	"""
	return ord(c.lower()) - 97 # 'a' is ASCII character 97

	def match_length(S, idx1, idx2):
	"""
	Returns the length of the match of the substrings of S beginning at idx1 and idx2.
	"""
	version: '2'
	services:
	api:
	volumes:
	- "nfsmount:${CONTAINER_DIR}"

	volumes:
	nfsmount:
	driver: local
	driver_opts:
	# This function will walk you through the creation of a remote repository on github
	# without wasting your precious time going to the website :)
	# how:
	# - source it in your (bash\|zsh)rc
	# - change the alias at the bottom of the script to your needs
	# - call it, follow instructions... profit
	function createRemoteGitRepository() {
	local RED='\033[0;31m'
	local NC='\033[0m' # No Color
	local GITHUB_USER=''
	library(httr)
	library(magick)
	library(hrbrthemes)
	library(ggplot2)

	theme_tweet_rc <- function(grid = "XY", style = c("stream", "card"), retina=TRUE) {

	style <- match.arg(tolower(style), c("stream", "card"))

	switch(