@wb4r
Created February 22, 2017 13:01
[0] FIND / GREP
notes-w1.txt
[*] FIND
- Depth
$ find . -maxdepth 1
- Find and then copy (exec)
$ ... -exec cp {} /home/caine/etccopy/ \;
- Size:
c (bytes)
k (kilobytes)
M (MB)
G (GB)
- Size:
smaller than X bytes => $ ... -size -10240c
bigger than X bytes => $ ... -size +10240c
exactly X bytes => $ ... -size 10240c
- Owned by
$ ... -user caine
- Group
$ ... -group groupname
- Permissions
$ ... -perm 664
[*] GREP
- Searches in contents of a file.
- Uses Regex with -E
$ grep -E expression file
- Case insensitive
-i
[1] HEAD & TAIL
- Print 3 lines
$ head/tail -3 file
[*] HEAD
[*] WC
chars => --chars
lines => -l
words => -w
[2] PERMISSIONS
- Chmod - letters: The change is one or more of 'ugo', then '+-=',
then zero or more of 'rwx'
- Chmod - numeric:
4 = r(Read)
2 = w(Write)
1 = x(eXecute)
[3] MD5 / CMP
[*] MD5SUM
$ md5sum filename
- Hash Collisions
• If two files have different hash values then they are definitely not
identical.
• If two files have the same hash values then they are probably
identical.
• If two files are different but have the same hash they are referred to as
a hash collision or a false positive.
[*] CMP
$ cmp file1 file2
[4] DD - Data Blocks
[*] DD
- Overwrite block 2 of file2 with block 10 of file1.
$ dd if=file1.dd skip=10 of=file2.dd seek=2 count=1 bs=512 conv=notrunc
START $ dd
FROM if=file1.dd skip=10
TO of=file2.dd seek=2
NUMBER count=1
ALWAYS THE SAME bs=512 conv=notrunc
[*] XXD
- Open a data block (such as MBR)
$ dd if=file1.dd skip=0 count=1 bs=512 | xxd
[5] U/MOUNT, PARTITIONS & DISKS
[*] MOUNT, UMOUNT
- Mount, unmount partitions
$ mount /what /where
$ umount /where
[*] SFDISK
- Read partition structure
$ sfdisk -l -uS /dev/sda
[*] LOSETUP
- Mount files
$ losetup /dev/loop0 /file1.dd
[OR] if /file1.dd is a whole disk, and you want to mount partition 1
$ losetup -o $((START * 512)) /dev/loop0 /file1.dd   # START = sfdisk's Start sector of partition 1
[AND]
$ mount /dev/loop0 /where -o ro
- Show info
$ losetup -a
- Unmount files
$ umount /dev/loop0
[AND]
$ losetup -d /dev/loop0
[6] DISK ANALYSIS
[*] MBR
- Read MBR
$ dd if=image.dd skip=0 count=1 bs=512 | xxd
[*] VBR - Volume Boot Record
- Read VBR
$ dd if=image.dd skip=63 count=1 bs=512 | xxd
[*] MMLS
- Displays the contents of a volume system
$ mmls image.dd
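Added example (not part of the original notes): the losetup offset from [5] (sfdisk's Start * 512) can also be read straight from the MBR dumped in [6], because each 16-byte partition entry (table at byte 446) stores its start sector as a little-endian 32-bit value at entry offset 8. The function names and the one-sector sample image are made up for this sketch.

```sh
#!/bin/sh
SECTOR=512   # same block size the notes pass to dd (bs=512)

# le32 FILE BYTE_OFFSET -> unsigned 32-bit little-endian value at that offset
le32() {
    set -- $(dd if="$1" bs=1 skip="$2" count=4 2>/dev/null | od -An -v -tu1)
    [ $# -eq 4 ] || return 1                  # short read: field not present
    echo $(( $1 + $2 * 256 + $3 * 65536 + $4 * 16777216 ))
}

# part_offset FILE N -> byte offset (start sector * 512) of primary partition N
part_offset() {
    img=$1
    entry=$(( 446 + 16 * ($2 - 1) ))          # table: 4 entries of 16 bytes at 446
    sig=$(dd if="$img" bs=1 skip=510 count=2 2>/dev/null | od -An -v -tx1 | tr -d ' \n')
    [ "$sig" = "55aa" ] || { echo "no MBR signature" >&2; return 1; }
    ptype=$(dd if="$img" bs=1 skip=$(( entry + 4 )) count=1 2>/dev/null | od -An -v -tu1 | tr -d ' \n')
    [ "$ptype" -ne 0 ] || { echo "partition $2 is empty" >&2; return 1; }
    start=$(le32 "$img" $(( entry + 8 ))) || return 1
    echo $(( start * SECTOR ))
}

# make_sample_mbr FILE -> constructed one-sector image (sample data, not a real
# disk): partition 1 has type 0x83 and starts at sector 63
make_sample_mbr() {
    dd if=/dev/zero of="$1" bs=512 count=1 2>/dev/null
    printf '\203'     | dd of="$1" bs=1 seek=450 conv=notrunc 2>/dev/null  # type byte
    printf '\077'     | dd of="$1" bs=1 seek=454 conv=notrunc 2>/dev/null  # LBA 63 = 3f 00 00 00
    printf '\125\252' | dd of="$1" bs=1 seek=510 conv=notrunc 2>/dev/null  # signature 55 aa
}

sample=$(mktemp)
make_sample_mbr "$sample"
# Print (do not run) the losetup line for partition 1 of the sample image
echo "losetup -o $(part_offset "$sample" 1) /dev/loop0 $sample"
rm -f "$sample"
```

Mounting the result read-only (-o ro, as in [5]) keeps the evidence image unmodified.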
[7] BINARIES
[*] XXD
- View file
$ xxd /bin/ls
- View block
$ dd if=file1.dd skip=0 count=1 bs=512 | xxd
- Binary writing
$ echo -ne "LITTLE ENDIAN" | DEST conv=notrunc bs=1
$ echo -ne "\x65" | dd of=test.dat seek=100 count=1 bs=1 conv=notrunc
[8] SORT
- Delimiter (random,15)
-t","
- Sort by one column (3 in this case)
-k 3,3
- Same but numeric sort
-k 3n,3n
- Sort by one column and then another (3 and 5 in this case)
-k 3n,3n -k 5n,5n
- Uniqueness
-u
[9] REGEXP
"?" for a single character (shell glob, as in find -name)
"*" for any number of chars (0 or more) (shell glob; in a regex, * repeats the previous item)
[abc] match 1 character && must be one of those in the square brackets
"^x" starts with x
"n$" ends with n
"." can match any character
\. to actually look for a dot, escaping char
\[ to actually look for a [, escaping char
{n} repeat pattern n times
Examples:
- Starting with 'u' and finishing with '.conf'
$ ... 'u*.conf'
- Using dot:
"^a.*z$" abuzz, adz
"^a.z$" adz
'^a*z$' breaks it: in a regex a* means zero or more 'a', so it only gives "z" as a result
- Word has ‘a’ then ‘b’ then ‘c’, with 0 or more characters in between
'a.*b.*c'
- Three characters where the first character is A
'(a..)'
- Three vowels appearing together
'([aeiou][aeiou][aeiou])'
OR
'([aeiou]{3})'