| grep '^[0-9][0-9]*|' |awk -F '|' '{OFS="|";print 0,$5,0,0,0,0,0,-1,$1,-1,-1} {}'
Jan Starke janstarke
janstarke
/ procmon_to_neo4j.cql
Last active
January 22, 2017 16:52
neo4j: importing processes from procmon csv
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # delete all | |
| MATCH (n) | |
| OPTIONAL MATCH (n)-[r]-() | |
| DELETE n,r; | |
| # create process index | |
| CREATE INDEX on :Process(pid); | |
| CREATE INDEX on :File(path); | |
| CREATE INDEX on :RegistryValue(path); |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| MYIP=$1 | |
| function configure() { | |
| sed -i "s~#*$2:.*~$2: $3~" $1 | |
| } | |
| CFG=/etc/elasticsearch/elasticsearch.yml | |
| export DEBIAN_FRONTEND=noninteractive | |
| apt install --yes elasticsearch |
janstarke
/ forensics.bash
Last active
April 16, 2021 10:11
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # convert all evtx files to xml files | |
| for F in *.evtx; do evtx_dump "$F">"${F%.evtx}.xml"; done | |
| # create python env | |
| python3 -m venv venv | |
| source venv/bin/activate.fish | |
| pip3 install --upgrade pip | |
| pip3 install regipy |
janstarke
/ gist:d9a892875094b0daf6534fbad1f27ddf
Last active
January 3, 2022 08:39
Convert regripper timeline to bodyfile
janstarke
/ windows_timelines.sh
Last active
June 13, 2022 11:49
create triage data from mounted Windows image
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| trap "exit 1" TERM | |
| export TOP_PID=$$ | |
| RIP=/usr/local/bin/rip | |
| function tln2csv { | |
| egrep '^[0-9]+\|' | awk -F '|' '{OFS="|";print 0,$5,0,0,0,0,0,-1,$1,-1,-1}' |mactime2 -b - -d -t "$TIMEZONE" | |
| } |
janstarke
/ mounteddevices.pl
Created
April 25, 2022 11:44
Correlate mounteddevices and mountpoints2
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/perl -w | |
| use strict; | |
| use warnings; | |
| use DateTime; | |
| -r "mounted_devices.txt" or die "unable to read 'mounted_devices.txt'"; | |
| my %devices = (); |
janstarke
/ evtx_timeline.json
Created
May 30, 2022 14:53
lnav format for evtx timelines, created with ` evtx2bodyfile`, `mactime2` and ` jq`
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| { | |
| "$schema": "https://lnav.org/schemas/format-v1.schema.json", | |
| "evtx_timeline": { | |
| "title": "Windows EVTX timeline", | |
| "file-pattern": "evtx.*\\.json(\\.gz)?", | |
| "json": true, | |
| "line-format": [ | |
| {"field": "ts"}, | |
| "|", | |
| {"field": "event_id", "min-width": 5, "max-width": 5, "align": "right"}, |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| display_usage() { | |
| echo "$0 <dir with vmdk files>" >&2 | |
| } | |
| exit_with_error() { | |
| MSG="$1" | |
| echo "$MSG" >&2 | |
| exit 1 |