awk -F '|' '
BEGIN{
# the '|'-delimited fields that contain BMC timestamps
fields[0]=11;
fields[1]=9;
fields[2]=10;
}
{
Willi Ballenthin williballenthin
williballenthin
/ extract_all_i30.sh
Last active
October 22, 2018 12:25
Extracts all INDX attributes from an NTFS image using Sleuthkit utilities
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| # Extracts all INDX attributes from an NTFS image using Sleuthkit utilities | |
| # Willi Ballenthin <willi.ballenthin@gmail.com>, 2013 | |
| # Updates provided by Stefan Kelm, 2013 | |
| usage() | |
| { | |
| cat <<EOF | |
| Usage: $0 offset /path/to/image/ /path/to/output/directory/ | |
| EOF |
williballenthin
/ Willi_Ballenthin-subscriptions.xml
Created
March 15, 2013 14:13
OPML of RSS feeds I follow.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?xml version="1.0" encoding="UTF-8"?> | |
| <opml version="1.0"> | |
| <head> | |
| <title>xolot1 subscriptions in Google Reader</title> | |
| </head> | |
| <body> | |
| <outline text="Believe the Lie" title="Believe the Lie" | |
| type="rss" xmlUrl="http://www.sygyzy.com/feed/" htmlUrl="http://www.sygyzy.com"/> | |
| <outline text="Life Is Too Short For Bad Code" | |
| title="Life Is Too Short For Bad Code" type="rss" |
williballenthin
/ parse_windows_timestamp.py
Created
April 4, 2013 18:56
Parse a hex encoded Windows timestamp into a readable ISO formatted timestamp.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| def parse_windows_timestamp(hex_str): | |
| """ | |
| @type hex_str: str | |
| @param hex_str: A string that contains a hex encoded QWORD (8 bytes) that are a Windows timestamp. | |
| @rtype: str | |
| @return: A string that contains an ISO formatted timestamp. | |
| """ | |
| import struct, binascii | |
| from datetime import datetime | |
| return datetime.utcfromtimestamp(float(struct.unpack_from("<Q", binascii.unhexlify(hex_str.replace(" ", "")))[0]) * 1e-7 - 11644473600).isoformat("T") |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| 0000 2A 2A 00 00 D0 09 00 00 19 68 00 00 00 00 00 00 **.......h...... | |
| 0010 64 82 38 8A FA 88 CC 01 0F 01 01 00 0C 01 84 30 d.8............0 | |
| 0020 7C 5E 26 02 00 00 00 00 00 00 84 30 7C 5E 67 73 |^&........0|^gs | |
| 0030 6B 9F C7 6D 8C BB A4 C5 45 C8 96 04 00 00 0F 01 k..m....E....... | |
| 0040 01 00 41 11 00 8A 04 00 00 4D 02 00 00 00 00 00 ..A......M...... | |
| 0050 00 BA 0C 05 00 45 00 76 00 65 00 6E 00 74 00 00 .....E.v.e.n.t.. | |
| 0060 00 87 00 00 00 06 6A 02 00 00 00 00 00 00 BC 0F ......j......... | |
| 0070 05 00 78 00 6D 00 6C 00 6E 00 73 00 00 00 05 01 ..x.m.l.n.s..... | |
| 0080 35 00 68 00 74 00 74 00 70 00 3A 00 2F 00 2F 00 5.h.t.t.p.:././. | |
| 0090 73 00 63 00 68 00 65 00 6D 00 61 00 73 00 2E 00 s.c.h.e.m.a.s... |
williballenthin
/ eid_record_numbers.txt
Created
April 19, 2013 00:25
Output of eid_record_numbers.py
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| python-evtx/scripts - [master] » python eid_record_numbers.py /tmp/Security.evtx 4624 | |
| 26902 | |
| 26907 | |
| 26909 | |
| 26912 | |
| 26914 | |
| 26916 | |
| 26919 | |
| 26921 | |
| 26924 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| python-registry/samples - [master●] » python timeline.py --bodyfile /tmp/NTUSER.DAT | |
| 0|[Registry NTUSER] $$$PROTO.HIV|0|0|0|0|0|1307730644|0|0|0 | |
| 0|[Registry NTUSER] $$$PROTO.HIV\AppEvents|0|0|0|0|0|1281972745|0|0|0 | |
| 0|[Registry NTUSER] $$$PROTO.HIV\AppEvents\EventLabels|0|0|0|0|0|1289599433|0|0|0 | |
| 0|[Registry NTUSER] $$$PROTO.HIV\AppEvents\EventLabels\.Default|0|0|0|0|0|1281972745|0|0|0 | |
| 0|[Registry NTUSER] $$$PROTO.HIV\AppEvents\EventLabels\ActivatingDocument|0|0|0|0|0|1281981027|0|0|0 | |
| 0|[Registry NTUSER] $$$PROTO.HIV\AppEvents\EventLabels\AppGPFault|0|0|0|0|0|1281972745|0|0|0 | |
| 0|[Registry NTUSER] $$$PROTO.HIV\AppEvents\EventLabels\BlockedPopup|0|0|0|0|0|1281981027|0|0|0 | |
| 0|[Registry NTUSER] $$$PROTO.HIV\AppEvents\EventLabels\CCSelect|0|0|0|0|0|1281981027|0|0|0 | |
| 0|[Registry NTUSER] $$$PROTO.HIV\AppEvents\EventLabels\Close|0|0|0|0|0|1281972745|0|0|0 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| python-registry/samples - [master●] » python regfetch.py /tmp/NTUSER.DAT "Software\\Sysinternals\\PsExec" EulaAccepted | |
| 1 |
williballenthin
/ brute_alternate_superblock.sh
Created
June 5, 2013 18:09
Brute force the address of an alternate superblock of an ext3 file system that has a dirty journal.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| max_block_number=200781 # CHANGEME | |
| device=/dev/loop0 # CHANGEME | |
| offset=0; | |
| cont=1; | |
| while [[ cont -eq 1 ]]; do | |
| sudo mount -t ext3 -o ro,sb=$offset "$device" /mnt > /dev/null 2>&1; | |
| suc=$?; | |
| if [[ suc -ne 32 ]]; then |
williballenthin
/ awk-bodyfile-to-metadatablock-filter.md
Last active
December 22, 2015 12:59
AWK filter to convert Bodyfile to (filename, birth, modification, changed) with timestamps in ISO8601 UTC.
williballenthin
/ FileMap.py
Last active
December 26, 2015 00:39
In Python, wrap a file-like object as a buffer and unpack data from it.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/python | |
| import sys | |
| from struct import unpack_from as old_unpack_from | |
| from struct import unpack_from as old_unpack | |
| from struct import calcsize | |
| from collections import OrderedDict | |
| # From: http://code.activestate.com/recipes/577197-sortedcollection/ | |
| from SortedCollection import SortedCollection |
OlderNewer