Dave Hull davehull
davehull
/ Resolve-KnownFolderGUID
Last active
October 27, 2024 04:02
Need to resolve a Windows "known folder guid" to it's human-readable value?
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| [CmdletBinding()] | |
| Param( | |
| [Parameter(Mandatory=$True,Position=0)] | |
| [String]$GUID | |
| ) | |
| function Resolve-KnownFolderGuid { | |
| Param( | |
| [Parameter(Mandatory=$True,Position=0)] | |
| [String]$GUID |
davehull
/ get_meta_by_dir.py
Created
December 12, 2011 01:23
Convert dictionary of file system metadata to a sorted list of dictionaries.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Takes the unsorted Python dictionary of file system metadata created by | |
| git://gist.github.com/1463512.git and converts it to a sorted list of dictionaries containing | |
| files and their metadata elements. | |
| def get_meta_by_dir(dictionary): | |
| # Sort the dictionary, return a list of dictionaries | |
| items = [(pname, fname) for pname, fname in dictionary.items()] | |
| items.sort() | |
| return items |
davehull
/ uid_dist.py
Created
December 12, 2011 01:16
This Python function analyzes the distribution of uids on a per directory basis.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Give this method the output of git://gist.github.com/1464048.git and it will go through the list | |
| and calculate the distribution of uids on a per directory basis. It could be easily modified to do | |
| the same for gids and permissions. | |
| This may be useful to find malicious files in a file system that have unusual uids, say for instance | |
| in a directory like /usr/lib where everything is normally uid 0, an attacker may have an archive that | |
| drops files in the directory with different uids. Yes, I've seen this before. | |
| def get_uid_freq_by_dir(items): | |
| for path_name, file_name in items: |
davehull
/ get_meta.py
Created
December 11, 2011 23:37
This Python function builds a dictionary from the lines of a bodyfile as produced by The Sleuth Kit's fls command
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| def get_meta(bodyfile): | |
| fname_skip_cnt = bad_line = total_lines = 0 | |
| meta = {} | |
| fi = open(bodyfile, 'rb') | |
| for line in fi: | |
| total_lines += 1 | |
| try: | |
| md5,ppath,inode,mode,uid,gid,size,atime,mtime,ctime,crtime = line.rstrip().split("|") | |
| except: |
davehull
/ meta-outliers.py
Created
September 12, 2011 03:56
This script takes output from The Sleuth Kit's fls command (specifically fls -arp), calculates the average metadata address for all files per directory, calculates the standard deviation for each directory, then returns a list of files with outlier metada
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python | |
| # | |
| # script name: meta-outliers.py | |
| # | |
| # In the spirit of release early, release often, here's a script | |
| # that's part of a larger project I'm working on. | |
| # | |
| # What does it do? | |
| # Parses the output from the Sleuth Kit's fls command. | |
| # More specifically fls -arp run against a disk image or dev. |
davehull
/ davehull.sh
Created
May 3, 2011 05:17
— forked from errzey/davehull.sh
Example script to show how to do an intelligent merge-sort in parallel
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| # determines number of proccessors, splits a large file into sizes that | |
| # can be consumed by n-1 sort processes (where n is the number of processors) | |
| # | |
| # After the file has been split up properly, it will run a sort on each split | |
| # file in parallel. Once all processes have completed, a merge sort is executed. | |
| # | |
| # mthomas@n2o:~/words [100%] $ du -h big | |
| # 1.7G big |
NewerOlder