Misc Cheat Sheet

Online Tools

Encode & Decode
Free Online Barcode Reader
QR Code Barcode Reader Online
Encoding
獸語

Check file info

$ binwalk [-e] [filename] # or binwalk --dd=".*" [filename]
$ exiftool [filename]
$ pngcheck [filename]
$ stat [filename]
$ file [filename]

• $ binwalk -e 的範例可以參考Deadface - Electric Steel

Steganography

• text: zsteg(just for bmp and png files), Quick Crypto
• file: steghide(sudo apt-get install steghide)($ steghide extract -sf atbash.jpg)
• 進階的steghide$\to$stegseek

  1 2 3

  $ wget https://github.com/RickdeJager/stegseek/releases/download/v0.6/stegseek_0.6-1.deb $ sudo apt install ./stegseek_0.6-1.deb -y $ stegseek [stegofile.jpg] [wordlist.txt]

Disk Analysis

• Foremost: 針對所支援的檔案結構去進行資料搜尋與救援 $ foremost -v {filename}
• Sleuth kit/Autopsy
• FTK Imager
• Logontracer: Just use GUI to present event log traced on windows $ python logontracer.py -r -o 8000 -u neo4j -p neo4j -s localhost

Memory Forensics

• 建議直接使用windown protable version會比較穩定而且不需要處理環境的問題
• Volatility - Cheat Sheet
• Volatility 3 :::spoiler Set up & How2Use Windows Volatility 3 Problems & Solutions Windows Set up Tutorials

    $ git clone https://github.com/volatilityfoundation/volatility3
    $ cd volatility3
    $ pip install -r requirement.txt
    $ python vol.py -f <path to memory image> plugin_name plugin_option
    $ python vol.py -h # For help
  

  :::

• Volatility 2 :::spoiler Set up & How2Use Windows Set up Tutorials

    $ conda create --name py27 python=2.7
    $ conda activate py27
    $ git clone https://github.com/volatilityfoundation/volatility
    $ cd volatility
    $ pip install pycrypto
    $ pip install distorm3
    $ python vol.py -f <path to memory image> plugin_name plugin_option
    $ python vol.py -h # For help
  

  :::

Package

• Wireshark cheat sheet
• nmap: $ sudo apt-get install nmap
• ntpdc $ sudo apt-get install ntpdc
• tcpflow $ sudo tcpflow -r {pcap file}

Brute Force Password

• for WPA/Wifi based: aircrack-ng, Wifite
• for system user: John the Ripper

Sound

• hide files: MP3stego

  1 2	$ ./encode -E hidden_text.txt -P pass svega.wav svega_stego.mp3 $ ./decode -X -P pass svega_stego.mp3

• sound to image:
  • How to convert a SSTV audio file to images using QSSTV - en
  • How to convert a SSTV audio file to images using QSSTV - zh-cn
• hide message: silenteye

Mail

• PST Viewer
• eml Viewer
• ThunderBird Client

Overall

• All stego decrypt tools
• All stego encrypt tools
• ctf tool
• Other people’s note