For Windows operating systems
1. Check the Regedit information
2. Check some other information
Wednesday, May 16, 2018
Monday, April 16, 2018
Digital Forensics: How to Analyze the TeamViewer Log
Digital Forensics
Forensic methods for TeamViewer
(1) TeamViewer installation date and time.
(2) TeamViewer connection records.
(3) What the remote party did during the TeamViewer session.
(4) Important log information from the TeamViewer session.
The following is my personal proposal for answering the questions above
Saturday, March 24, 2018
Using VBoxManage to convert a dd image to a VMDK or VDI file
https://blog.sleeplessbeastie.eu/2012/04/29/virtualbox-convert-raw-image-to-vdi-and-otherwise/
Let's assume that we have a raw image of the sdb device:
$ sudo dd if=/dev/sdb of=./sdb.raw
To use it with VirtualBox we need to convert it to the VDI format:
$ VBoxManage convertdd sdb.raw sdb.vdi --format VDI
To use it with VMware we need to convert it to the VMDK format:
$ VBoxManage convertdd sdb.raw sdb.vmdk --format VMDK
Convert between VDI/VMDK formats:
$ VBoxManage clonehd sdb.vdi sdb.vmdk --format VMDK
$ VBoxManage clonehd sdb.vmdk sdb.vdi --format VDI
Convert to the RAW image:
$ VBoxManage clonehd sdb.vdi sdb.raw --format RAW
An alternative way to get the raw image back after applying modifications is to use the qemu-img command from the qemu package:
$ qemu-img convert -f vmdk sdb.vmdk -O raw sdb.raw
Now we can write the image back to the device:
$ sudo dd if=./sdb.raw of=/dev/sdb
Thursday, March 15, 2018
Digital Forensics on a Linux Machine
https://staff.washington.edu/dittrich/misc/forensics/
https://securitycommunity.tcs.com/infosecsoapbox/articles/2015/11/17/forensic-artifacts-linux-machine
http://www.linuxleo.com/Docs/linuxintro-LEFE-4.31.pdf
https://help.ubuntu.com/community/LinuxLogFiles
http://linux.vbird.org/linux_basic/0570syslog/0570syslog.php
==========================================
audit
http://yishidian.net/如何使用linux審核系統在centos-7
https://serverfault.com/questions/327846/convert-selinux-log-date-format-from-epoch-to-normal
==========================================
system log
https://www.cyut.edu.tw/~ywfan/netlab/20060912chapter11-log.htm
http://linux.vbird.org/linux_basic/0570syslog.php
====================================================
nginx log
https://stackoverflow.com/questions/26780466/nginx-understanding-access-log-column
# nginx.conf: the predefined 'combined' log_format, shown here for reference
http {
    ...
    log_format combined '$remote_addr - $remote_user [$time_local] '
                        '"$request" $status $body_bytes_sent '
                        '"$http_referer" "$http_user_agent"';
}
Example access-log lines:
66.249.65.159 - - [06/Nov/2014:19:10:38 +0600] "GET /news/53f8d72920ba2744fe873ebc.html HTTP/1.1" 404 177 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A5376e Safari/8536.25 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
66.249.65.3 - - [06/Nov/2014:19:11:24 +0600] "GET /?q=%E0%A6%AB%E0%A6%BE%E0%A7%9F%E0%A6%BE%E0%A6%B0 HTTP/1.1" 200 4223 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
66.249.65.62 - - [06/Nov/2014:19:12:14 +0600] "GET /?q=%E0%A6%A6%E0%A7%8B%E0%A7%9F%E0%A6%BE HTTP/1.1" 200 4356 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
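As an added example (not from the original page or the linked answer), a Python parser for the 'combined' format above, run over the three sample lines; field names follow the log_format variables, and the triage summary (status counts, per-client totals, self-declared Googlebot addresses) is my own addition.

```python
import re
from collections import Counter
from datetime import datetime
from urllib.parse import unquote
# Constructed sample input: the three access-log lines quoted above, verbatim.
SAMPLE_LOG = """\
66.249.65.159 - - [06/Nov/2014:19:10:38 +0600] "GET /news/53f8d72920ba2744fe873ebc.html HTTP/1.1" 404 177 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A5376e Safari/8536.25 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
66.249.65.3 - - [06/Nov/2014:19:11:24 +0600] "GET /?q=%E0%A6%AB%E0%A6%BE%E0%A7%9F%E0%A6%BE%E0%A6%B0 HTTP/1.1" 200 4223 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
66.249.65.62 - - [06/Nov/2014:19:12:14 +0600] "GET /?q=%E0%A6%A6%E0%A7%8B%E0%A7%9F%E0%A6%BE HTTP/1.1" 200 4356 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
"""

# One named group per $variable of the 'combined' log_format, in the order nginx writes them.
LOG_RE = re.compile(
    r'^(?P<remote_addr>\S+) - (?P<remote_user>\S+) \[(?P<time_local>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<body_bytes_sent>\d+|-) '
    r'"(?P<http_referer>[^"]*)" "(?P<http_user_agent>[^"]*)"$'
)

def parse_line(line):
    """Parse one access-log line into a dict; return None if it is not in combined format."""
    m = LOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    e = m.groupdict()
    # $time_local carries the UTC offset, so the parsed datetime is timezone-aware.
    e["time"] = datetime.strptime(e["time_local"], "%d/%b/%Y:%H:%M:%S %z")
    e["status"] = int(e["status"])
    e["body_bytes_sent"] = 0 if e["body_bytes_sent"] == "-" else int(e["body_bytes_sent"])
    # "$request" is "METHOD TARGET PROTOCOL"; pad so a malformed request cannot crash the parser.
    e["method"], target, e["protocol"] = (e["request"].split(" ") + ["", "", ""])[:3]
    e["path"], _, e["query"] = target.partition("?")
    e["query_decoded"] = unquote(e["query"])  # readable copy; the raw form is kept as evidence
    return e

def parse_log(text):
    # Parse every line, skipping lines that do not match instead of aborting the run.
    return [e for e in map(parse_line, text.splitlines()) if e is not None]

def summarize(entries):
    """Triage counters: responses by status, hits and bytes per client, self-declared Googlebots."""
    bytes_by_ip = Counter()
    for e in entries:
        bytes_by_ip[e["remote_addr"]] += e["body_bytes_sent"]
    return {
        "by_status": Counter(e["status"] for e in entries),
        "hits_by_ip": Counter(e["remote_addr"] for e in entries),
        "bytes_by_ip": bytes_by_ip,
        # the User-Agent is self-declared; confirm these addresses independently before trusting them
        "googlebot_claims": sorted({e["remote_addr"] for e in entries if "Googlebot" in e["http_user_agent"]}),
    }
```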
=================== maillog reading method =================
https://sendgrid.com/blog/delivered-bounced-blocked-and-deferred-emails-what-does-it-all-mean/
=====================understanding reading mail log ============
http://linuxmaza.blogspot.tw/2010/02/understanding-and-reading-mail-logs.html
==================bash introduction ==========================
https://beginlinux.wordpress.com/tag/bash_logout/
===================== Browser history on linux machine ==== chrome and firefox
https://askubuntu.com/questions/631631/getting-internet-browsing-history-from-shell
Wednesday, February 21, 2018
Where the $I and $R files in the Recycle Bin are stored
As the title says.
Recycle Bin is located in a hidden directory named \$Recycle.Bin\%SID%, where %SID% is the SID of the user that performed the deletion.
type "document"
will display the contents of the document.
Thursday, September 7, 2017
Two useful tools for forensics research
For some new data types, files and so on,
you need to understand how to discover what these types of files execute using a forensic method.
Two helpful tools are shown below:
Winalysis
SysTrace
Tuesday, May 16, 2017
Timestamp conversion code rewritten in Java
As below; adjust this a little and it is ready to use
import java.text.SimpleDateFormat;
import java.util.Calendar;
import java.util.Date;

public class Main {
    public static void main(String[] args) {
        // Windows FILETIME: 100-nanosecond ticks since 1601-01-01 00:00 UTC
        long hexValue = 0x01D02EDA7439D600L;
        System.out.println("value is " + hexValue);
        // 100 ns ticks -> milliseconds since 1601
        hexValue /= 10000;
        // subtract the 1601 -> 1970 gap to get Unix epoch milliseconds
        long milliseconds = hexValue - 11644473600000L;
        // milliseconds = 13136098205550L - 11644473600000L;
        // milliseconds = 13110964489226L - 11644473600000L;
        // milliseconds = -11644473600000L;
        System.out.println("Current time in milliseconds: " + milliseconds);
        // Format the millisecond value directly (uses the JVM's default time zone)
        SimpleDateFormat sdf = new SimpleDateFormat("yyyy-MM-dd kk:mm:ss");
        System.out.println("Formatted from milliseconds: " + sdf.format(milliseconds));
        // sample output, e.g. 2011-08-20 04:27:16 (depends on the value and the time zone)
        // Convert to a Date object
        Date d = new Date(milliseconds);
        System.out.println("Time from Date object: " + sdf.format(d));
        Calendar c2 = Calendar.getInstance();
        System.out.println("Calendar millis before setTime: " + c2.getTimeInMillis());
        // Convert back to a Calendar object via setTime
        c2.setTime(d);
        System.out.println("Calendar millis after setTime: " + c2.getTimeInMillis());
    }
}
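The same FILETIME conversion carried out in Python, as an added example rather than the post's own code: it applies the arithmetic above to the post's value 0x01D02EDA7439D600, keeps the result in UTC instead of the JVM's default time zone, adds the reverse conversion, and reads the value from its little-endian on-disk form (the sample bytes are constructed from that same value).

```python
import struct
from datetime import datetime, timedelta, timezone

# FILETIME counts 100-nanosecond ticks since 1601-01-01 00:00 UTC. The Java code's constant
# 11644473600000 is the 1601 -> 1970 gap in milliseconds; in ticks it is 10000 times larger.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
EPOCH_GAP_MS = 11644473600000
EPOCH_GAP_TICKS = EPOCH_GAP_MS * 10000

def filetime_to_unix_ms(ft):
    """The Java code's arithmetic: ticks // 10000 gives ms since 1601, then subtract the gap."""
    return ft // 10000 - EPOCH_GAP_MS

def filetime_to_datetime(ft):
    """Convert a FILETIME to an aware UTC datetime (microsecond precision: one tick digit is dropped)."""
    if not 0 <= ft < 1 << 64:
        raise ValueError("FILETIME must be an unsigned 64-bit value")
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt):
    """Inverse conversion; a naive datetime is treated as UTC, never as local time."""
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10

def filetime_from_bytes(raw, offset=0):
    """Read a FILETIME as stored on disk: a little-endian unsigned 64-bit integer."""
    return struct.unpack_from("<Q", raw, offset)[0]

if __name__ == "__main__":
    ft = 0x01D02EDA7439D600  # the value used in the Java code above
    print(filetime_to_unix_ms(ft), filetime_to_datetime(ft).isoformat())
    # Constructed on-disk form of the same value (little-endian byte order).
    raw = bytes.fromhex("00d63974da2ed001")
    print(filetime_from_bytes(raw) == ft)
```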