Forensics

  • File scanning

    Use this section to find information about files.

  • Keepass

    keepassx can be installed on Ubuntu to open and explore KeePass databases. The master password of a KeePass database can be cracked with keepass2john (part of John the Ripper).

  • VS Code Hex editor - Website

    An extension for VS Code that allows you to view and edit files in hexadecimal format.

  • ImHex - Website

    A hex editor that supports patterns (e.g. PNG). The UX is unfriendly, but it is free and works.

  • WIM : Windows Imaging Format - Wikipedia

    Compressed image format found in Windows installation media.

    Can be mounted or extracted with the wimlib tools; wimlib is packaged for most Linux distributions.

    wiminfo <file.wim> # List all images in the wim file
    wimapply <file.wim> <image_index> <output_directory> # Extract an image from the wim file

  • Prefetch files - Wikipedia

    Windows stores information about programs that have been run in prefetch files. This information can be used to determine which programs were executed on a system. The prefetch files are stored in C:\Windows\Prefetch\ and have the extension .pf.

    They can be parsed with PECmd from Eric Zimmerman's tools. Win10 prefetch files can only be parsed on Win8+ systems; Wine will not work for this.

  • USB capture

    Wireshark can be used to display USB traffic in .pcap or .pcapng files. Some GitHub repositories can be used to convert it to keyboard keystrokes: