Ryan Benson obsidianforensics
@mattifestation
mattifestation / SysmonEventGUIDParser.ps1
Last active March 9, 2024 08:37
Extracts fields from sysmon process and logon GUIDs
# Author: Matthew Graeber (@mattifestation)
$Epoch = Get-Date '01/01/1970'
# Conversion trick taken from https://blogs.technet.microsoft.com/heyscriptingguy/2017/02/01/powertip-convert-from-utc-to-my-local-time-zone/
$StrCurrentTimeZone = (Get-WmiObject Win32_timezone).StandardName
$TZ = [TimeZoneInfo]::FindSystemTimeZoneById($StrCurrentTimeZone)
# Parse out all the LogonGUID fields for sysmon ProcessCreate events
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } | ForEach-Object {
@pudquick
pudquick / last.py
Last active August 1, 2022 14:54
Parsing utmp/utmpx record entries for login, logout, shutdown and reboot on macOS with python and ctypes
from ctypes import CDLL, Structure, POINTER, c_int64, c_int32, c_int16, c_char, c_uint32
from ctypes.util import find_library
import time
c = CDLL(find_library("System"))
# https://opensource.apple.com/source/Libc/Libc-1158.50.2/include/NetBSD/utmpx.h.auto.html
# https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man3/endutxent.3.html#//apple_ref/doc/man/3/endutxent
BOOT_TIME = 2
import pyesedb, csv
from datetime import datetime, timedelta
file_object = open("WebCacheV01.dat", "rb")
esedb_file = pyesedb.file()
esedb_file.open_file_object(file_object)
ContainersTable = esedb_file.get_table_by_name("Containers")
WebHistoryTables = []
OutputRecord = 0
Output = []
@dfirfpi
dfirfpi / w10pfdecomp.py
Last active September 14, 2023 10:42
Windows 10 Prefetch (native) Decompress
#!/usr/bin/python
# -*- coding: utf-8 -*-
#
# Copyright 2015, Francesco "dfirfpi" Picasso <francesco.picasso@gmail.com>
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
@cou929
cou929 / detect-private-browsing.js
Last active April 6, 2024 03:21
Detect private browsing mode (InPrivate Browsing or Incognito).
function retry(isDone, next) {
    var current_trial = 0, max_retry = 50, interval = 10, is_timeout = false;
    var id = window.setInterval(
        function() {
            if (isDone()) {
                window.clearInterval(id);
                next(is_timeout);
            }
            if (current_trial++ > max_retry) {
                window.clearInterval(id);
@dustismo
dustismo / gist:6203329
Last active November 30, 2022 00:22
How to install leveldb on ubuntu
sudo apt-get install libsnappy-dev
wget https://leveldb.googlecode.com/files/leveldb-1.9.0.tar.gz
tar -xzf leveldb-1.9.0.tar.gz
cd leveldb-1.9.0
make
sudo mv libleveldb.* /usr/local/lib
cd include
sudo cp -R leveldb /usr/local/include