# Digital Forensics & Incident Response

## iBlueTeam

- [Welcome](https://www.iblue.team/readme.md)
- [Azure Blob storage with NGINX proxy](https://www.iblue.team/general-notes-1/azure-blob-storage-with-nginx-proxy.md): Create an NGINX proxy and stick it in front of your Azure Blob storage so you can use Crowdstrike RTR to its full potential, bypassing restrictive file size limits and artificial bandwidth limitations
- [Install and Configure ZeroTier client](https://www.iblue.team/general-notes-1/install-and-configure-zerotier-client.md): ZeroTier creates secure networks between on-premise, cloud, desktop, and mobile devices.
- [S3FS Fuse and MinIO](https://www.iblue.team/general-notes-1/s3fs-fuse-and-minio.md)
- [Enable nested VT-X/AMD-V](https://www.iblue.team/general-notes-1/enable-nested-vt-x-amd-v.md)
- [mitm proxy](https://www.iblue.team/general-notes-1/mitm-proxy.md)
- [Exploring Volume Shadow Copies Manually](https://www.iblue.team/general-notes-1/exploring-volume-shadow-copies-manually.md): How to explore volume shadow copies manually with opensource tools
- [Resize VMDK/VDI](https://www.iblue.team/general-notes-1/resize-vmdk-vdi.md)
- [Resize VMDK on ESXi](https://www.iblue.team/general-notes-1/resize-vmdk-on-esxi.md): You've created a Linux guest VM on ESXi, but now it's outgrown its original storage requirements and you need to resize it.
- [Convert raw to vmdk](https://www.iblue.team/general-notes-1/convert-raw-to-vmdk-for-virtual-machine.md)
- [Favicon hashing and hunting with Shodan](https://www.iblue.team/general-notes-1/favicon-hashing-and-hunting-with-shodan.md)
- [WinRM/RemotePS](https://www.iblue.team/general-notes-1/winrm-remoteps.md)
- [MinIO/S3/R2 ghost files](https://www.iblue.team/general-notes-1/minio-s3-r2-ghost-files.md): Sometimes a multi-part upload will fail and result in ghost files. Your bucket will indicate it has contents/cannot be deleted, but you can't see anything.
- [Mount E01 containing VMDK/XFS from RHEL system](https://www.iblue.team/general-notes-1/mount-e01-containing-vmdk-xfs-from-rhel-system.md): You're provided with an E01 of a VMDK from a RedHat Enterprise Linux system, which is formatted using XFS and is part of an LVM group.
- [Disk images for various filesystems and configurations](https://www.iblue.team/general-notes-1/disk-images-for-various-filesystems-and-configurations.md)
- [ext4 with LVM and RAID5 (3 disks)](https://www.iblue.team/general-notes-1/disk-images-for-various-filesystems-and-configurations/ext4-with-lvm-and-raid5-3-disks.md): Single LVM on top of a 3 disk RAID5 array, formatted as ext4
- [ZFS](https://www.iblue.team/general-notes-1/disk-images-for-various-filesystems-and-configurations/zfs.md): Both single volume (arguably pointless), and dual volume pool
- [UFS, FFS, BTRFS, XFS](https://www.iblue.team/general-notes-1/disk-images-for-various-filesystems-and-configurations/ufs-ffs-btrfs-xfs.md)
- [ext4, LVM, and LUKS1/LUKS2](https://www.iblue.team/general-notes-1/disk-images-for-various-filesystems-and-configurations/ext4-lvm-and-luks1-luks2.md)
- [NTFS, FAT32, with BitLocker](https://www.iblue.team/general-notes-1/disk-images-for-various-filesystems-and-configurations/ntfs-fat32-with-bitlocker.md)
- [NTFS, FAT32, exFAT with TrueCrypt, VeraCrypt](https://www.iblue.team/general-notes-1/disk-images-for-various-filesystems-and-configurations/ntfs-fat32-exfat-with-truecrypt-veracrypt.md)
- [VirtualBox adapters greyed out](https://www.iblue.team/general-notes-1/virtualbox-adapters-greyed-out.md)
- [Exporting SQLite blob data from standalone SQLite database using command line tools](https://www.iblue.team/general-notes-1/exporting-sqlite-blob-data-from-standalone-sqlite-database-using-command-line-tools.md): Description and steps on how to export binary/blob data from a SQLite database using sqlite command line tools.
- [Cribl](https://www.iblue.team/data-collection-processing-and-integration/cribl.md)
- [Setup and Configuration](https://www.iblue.team/data-collection-processing-and-integration/cribl/setup-and-configuration.md)
- [Azure / M365 Integration](https://www.iblue.team/data-collection-processing-and-integration/cribl/azure-m365-integration.md)
- [Splunk](https://www.iblue.team/data-collection-processing-and-integration/splunk.md)
- [Setup and Configuration](https://www.iblue.team/data-collection-processing-and-integration/splunk/setup-and-configuration.md)
- [Introduction to KQL](https://www.iblue.team/microsoft-defender-kql/introduction-to-kql.md): Introduction to KQL (in the context of hunting in Defender)
- [PsExec](https://www.iblue.team/windows-forensics/psexec.md)
- [PsExec and NTUSER data](https://www.iblue.team/windows-forensics/psexec/psexec-and-ntuser-data.md): TL;DR - Using PsExec to deploy & execute a file in the context of a user results in the specified user's NTUSER data profile being created despite never interactively logging onto the system itself.
- [Security Patch/KB Install Date](https://www.iblue.team/windows-forensics/security-patch-kb-install-date.md): How to determine installation time of a specific security patch/update/KB package based on registry key values.
- [Inspecting RPM/DEB packages](https://www.iblue.team/linux-forensics/inspecting-rpm-deb-packages.md)
- [Common Locations](https://www.iblue.team/linux-forensics/linux.md): Typical location & description of various Linux log files
- [LUKS, hashcat, and hidden volumes](https://www.iblue.team/linux-forensics/luks-hashcat-and-hidden-volumes.md)
- [Mount external USB device in ESXi hypervisor](https://www.iblue.team/esxi-forensics/mount-external-usb-device-in-esxi-hypervisor.md): How to mount an external USB drive in an ESXi hypervisor for host access. I highly recommend using a new, large disk (depending on your requirements) which will be formatted using VMFS/VMFS6.
- [Understanding ESXi](https://www.iblue.team/esxi-forensics/understanding-esxi.md)
- [Partitions / Volumes](https://www.iblue.team/esxi-forensics/understanding-esxi/partitions-volumes.md)
- [ESXi console / shell](https://www.iblue.team/esxi-forensics/understanding-esxi/esxi-console-shell.md)
- [Guest Virtual Machines](https://www.iblue.team/esxi-forensics/understanding-esxi/guest-virtual-machines.md)
- [General Notes](https://www.iblue.team/esxi-forensics/general-notes.md)
- [Triage and Imaging](https://www.iblue.team/esxi-forensics/triage-and-imaging.md)
- [ESXi VMFS Exploration](https://www.iblue.team/esxi-forensics/esxi-vmfs-exploration.md): Scenario: Provided with E01 of disks from an ESXi server. You need to examine the files contained within a guest VM which was hosted on the ESXi server.
- [Export OVF from ESXi using OVF Tool](https://www.iblue.team/esxi-forensics/export-ovf-from-esxi-using-ovf-tool.md): Sometimes you may not have access to the underlying datastore connected to an ESXi instance or vSphere cluster. Use OVF Tool to export an OVF of your required virtual machine
- [Identification, acquisition, and examination of iSCSI LUNs and VMFS datastores](https://www.iblue.team/esxi-forensics/identification-acquisition-and-examination-of-iscsi-luns-and-vmfs-datastores.md)
- [Volatility](https://www.iblue.team/memory-forensics-1/volatility-plugins.md): How to get Volatility2.6.1 working / workbench setup
- [Volatility3 core commands](https://www.iblue.team/memory-forensics-1/volatility-plugins/volatility3-core-commands.md)
- [Build Custom Linux Profile for Volatility](https://www.iblue.team/memory-forensics-1/volatility-plugins/build-custom-linux-profile-for-volatility.md)
- [Generate custom profile using btf2json](https://www.iblue.team/memory-forensics-1/volatility-plugins/generate-custom-profile-using-btf2json.md): How to use btf2json to generate a kernel profile for Volatility 3, without using a virtual machine and entirely within WSL.
- [Banners, isfinfo, and custom profiles](https://www.iblue.team/memory-forensics-1/volatility-plugins/banners-isfinfo-and-custom-profiles.md): How to force Volatility3 to use a specific (albeit mismatching) Linux kernel profile
- [Volatility2 core commands](https://www.iblue.team/memory-forensics-1/volatility-plugins/core-commands.md)
- [3rd Party Plugins](https://www.iblue.team/memory-forensics-1/volatility-plugins/3rd-party-plugins.md)
- [Acquisition](https://www.iblue.team/memory-forensics-1/acquisition.md)
- [ESXi / VMware Workstation snapshots](https://www.iblue.team/memory-forensics-1/acquisition/esxi-vmware-workstation-snapshots.md)
- [DumpIt](https://www.iblue.team/memory-forensics-1/acquisition/dumpit.md)
- [WinPMem](https://www.iblue.team/memory-forensics-1/acquisition/acquisition-with-winpmem.md)
- [Linux / AVML](https://www.iblue.team/memory-forensics-1/acquisition/linux-avml-acquisition.md)
- [Another day, another ClickFix](https://www.iblue.team/incident-response-1/another-day-another-clickfix.md)
- [Axios npm Supply Chain Attack](https://www.iblue.team/incident-response-1/axios-npm-supply-chain-attack.md)
- [Following the Trail of Malicious JavaScript](https://www.iblue.team/incident-response-1/following-the-trail-of-malicious-javascript.md)
- [Ivanti Connect Secure Auth Bypass and Remote Code Authentication CVE-2024-21887](https://www.iblue.team/incident-response-1/ivanti-connect-secure-auth-bypass-and-remote-code-authentication-cve-2024-21887.md): This article provides guidance on how to inspect/analyse disk images/memory from a virtual Ivanti Connect Secure appliance, in response to CVE-2023-46085 and CVE-2024-21887.
- [VirusTotal & hash lists](https://www.iblue.team/incident-response-1/virustotal-and-hash-lists.md): We'll take UAC's md5 hash output and query VirusTotal's API to search for malicious binaries.
- [Unix-like Artifacts Collector (UAC)](https://www.iblue.team/incident-response-1/unix-like-artifacts-collector-uac.md)
- [Setup MinIO (object storage)](https://www.iblue.team/incident-response-1/unix-like-artifacts-collector-uac/setup-minio-object-storage.md): We'll set up a server using MinIO and generate a pre-signed URL using the Python SDK so we can upload a triage collection.
- [Create S3 pre-signed URL](https://www.iblue.team/incident-response-1/unix-like-artifacts-collector-uac/create-s3-pre-signed-url.md): We'll set up a server using MinIO and generate a pre-signed URL using the Python SDK so we can upload a triage collection.
- [UAC and pre-signed URLs](https://www.iblue.team/incident-response-1/unix-like-artifacts-collector-uac/uac-and-pre-signed-urls.md)
- [Acquiring Linux VPS via SSH](https://www.iblue.team/incident-response-1/acquiring-linux-vps-via-ssh.md): Scenario: compromised VPS instance (through a provider such as BinaryLane, Linode, Vultr, etc) which is no longer live, and requires remote acquisition for examination/analysis.
- [AVML dump to SMB / AWS](https://www.iblue.team/incident-response-1/avml-dump-to-smb-aws.md)
- [China Chopper webshell](https://www.iblue.team/incident-response-1/china-chopper-webshell.md)
- [Logging Powershell activities](https://www.iblue.team/incident-response-1/logging-powershell-activities.md)
- [Compromised UniFi Controller](https://www.iblue.team/incident-response-1/compromised-unifi-controller.md): General pointers on where to look for configuration files and/or logs when investigating a compromised UniFi controller.
- [AnyDesk Remote Access](https://www.iblue.team/incident-response-1/anydesk-remote-access.md): AnyDesk is a popular remote access program which is often used by threat actors (and scammers) as either an entry point into an environment or to transfer tools between environments
- [Mounting UFS VMDK from NetScaler/Citrix ADC](https://www.iblue.team/incident-response-1/mounting-ufs-vmdk-from-netscaler-citrix-adc.md): We'll cover how to mount a VMDK, which contains multiple partitions, originating from a NetScaler VM. This is to support analysis in relation to CVE-2023-3519.
- [Checkm8 / checkra1n acquisitions/extractions](https://www.iblue.team/ios-forensics/checkm8-checkra1n-acquisitions-extractions.md): Get up and running quickly with a platform to perform checkm8 based iOS extractions
- [13Cubed Linux memory forensics](https://www.iblue.team/ctf-challenges/13cubed-linux-memory-forensics.md): 13Cubed have provided a memory sample from an Ubuntu host for participants to practice their Linux memory analysis skills.
- [13Cubed Windows memory forensics](https://www.iblue.team/ctf-challenges/13cubed-windows-memory-forensics.md)
- [Compromised Windows Server 2022 (simulation)](https://www.iblue.team/ctf-challenges/compromised-windows-server-2022-simulation.md): This series of pages will examine a data set provided by Benjamin Donnachie involving a compromised Windows Server 2022 (simulation data)
- [FTK Imager](https://www.iblue.team/ctf-challenges/compromised-windows-server-2022-simulation/ftk-imager.md): How to use FTK Imager to verify, inspect, and export data from an image
- [Autopsy Forensics](https://www.iblue.team/ctf-challenges/compromised-windows-server-2022-simulation/autopsy-forensics.md): How to use Autopsy to process and examine the Compromised Windows Server 2022 image.
- [Plaso](https://www.iblue.team/ctf-challenges/compromised-windows-server-2022-simulation/plaso.md): How to process an image using log2timeline/plaso
- [Events Ripper](https://www.iblue.team/ctf-challenges/compromised-windows-server-2022-simulation/events-ripper.md): How to process Windows event logs from E01 using Events Ripper
- [EZ tools](https://www.iblue.team/ctf-challenges/compromised-windows-server-2022-simulation/ez-tools.md): How to process and interpret various artefacts using the EZ tools suite.
- [DEFCON 2019 forensics](https://www.iblue.team/ctf-challenges/defcon-2019-forensics.md): This is a brief write up for the DEFCON 2019 forensics CTF
- [Tomcat shells](https://www.iblue.team/ctf-challenges/tomcat-shells.md)
- [Magnet Weekly CTF](https://www.iblue.team/ctf-challenges/magnet-weekly-ctf-challenge.md)
- [Magnet CTF Week 0](https://www.iblue.team/ctf-challenges/magnet-weekly-ctf-challenge/magnet-ctf-week-1.md)
- [Magnet CTF Week 1](https://www.iblue.team/ctf-challenges/magnet-weekly-ctf-challenge/magnet-ctf-week-1-1.md)
- [DFIR Madness CTF](https://www.iblue.team/ctf-challenges/dfir-madness-ctf-challenges.md)
- [Case 001 - Szechuan Sauce](https://www.iblue.team/ctf-challenges/dfir-madness-ctf-challenges/case-001-szechuan-sauce.md)
- [Windows](https://www.iblue.team/log-files-1/windows.md): Typical location & description of various log files
- [Generating Log Timelines](https://www.iblue.team/log-files-1/windows/generating-log-timelines.md)
- [Identifying UPX packed ELF, decompressing, fixing, and analysing Linux malware](https://www.iblue.team/malware-analysis/identifying-upx-packed-elf-decompressing-fixing-and-analysing-linux-malware.md)
- [PDF Analysis](https://www.iblue.team/malware-analysis/pdf-analysis.md)
- [Walking the VAD tree](https://www.iblue.team/walking-the-vad-tree.md)
- [What is CTI/OpenCTI?](https://www.iblue.team/opencti/what-is-cti-opencti.md)
- [Setting up OpenCTI](https://www.iblue.team/opencti/setting-up-opencti.md)
- [Container Management](https://www.iblue.team/opencti/container-management.md)
- [Configure Connectors](https://www.iblue.team/opencti/configure-connectors.md): Connectors are manual uploads/imports, as well as API endpoints for data feeds.
- [Setting Up Nessus (Essentials)](https://www.iblue.team/vulnerability-management/setting-up-nessus-essentials.md): How to set up Nessus Essentials on an Ubuntu VM
- [Troubleshooting](https://www.iblue.team/vulnerability-management/troubleshooting.md): Troubleshooting tips
- [Privacy](https://www.iblue.team/privacy.md)

---

# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.

## Querying This Documentation
If you need additional information, you can query the documentation dynamically by asking a question.
Perform an HTTP GET request on a page URL with the `ask` query parameter:
```
GET https://www.iblue.team/readme.md?ask=<question>
```
The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.
Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
