{"version":1,"pages":[{"id":"-MAcqH2IxoaAFyJbHfO4","title":"Welcome","pathname":"/","siteSpaceId":"sitesp_3a09Q","description":""},{"id":"Zx3PioGtZSScgL3J1Eh7","title":"Azure Blob storage with NGINX proxy","pathname":"/general-notes-1/azure-blob-storage-with-nginx-proxy","siteSpaceId":"sitesp_3a09Q","description":"Create an NGINX proxy and stick it in front of your Azure Blob storage so you can use Crowdstrike RTR to its full potential, bypassing restrictive file size limits and artificial bandwidth limitations","breadcrumbs":[{"label":"General Notes"}]},{"id":"VFUUBQlnre4zBephG6Wz","title":"Install and Configure ZeroTier client","pathname":"/general-notes-1/install-and-configure-zerotier-client","siteSpaceId":"sitesp_3a09Q","description":"ZeroTier creates secure networks between on-premise, cloud, desktop, and mobile devices.","breadcrumbs":[{"label":"General Notes"}]},{"id":"shRgTLQWFpAPWOONpTr7","title":"S3FS Fuse and MinIO","pathname":"/general-notes-1/s3fs-fuse-and-minio","siteSpaceId":"sitesp_3a09Q","description":"","breadcrumbs":[{"label":"General Notes"}]},{"id":"s4uUY6TSb8kllsx12OwZ","title":"Enable nested VT-X/AMD-V","pathname":"/general-notes-1/enable-nested-vt-x-amd-v","siteSpaceId":"sitesp_3a09Q","description":"","breadcrumbs":[{"label":"General Notes"}]},{"id":"-MfquC6td3Sv41kqolDm","title":"mitm proxy","pathname":"/general-notes-1/mitm-proxy","siteSpaceId":"sitesp_3a09Q","description":"","breadcrumbs":[{"label":"General Notes"}]},{"id":"-MK8qC1F1wEe-LcBeaVO","title":"Exploring Volume Shadow Copies Manually","pathname":"/general-notes-1/exploring-volume-shadow-copies-manually","siteSpaceId":"sitesp_3a09Q","description":"How to explore volume shadow copies manually with opensource tools","breadcrumbs":[{"label":"General Notes"}]},{"id":"-MBbp5C5kvJPVoLSZD-3","title":"Resize VMDK/VDI","pathname":"/general-notes-1/resize-vmdk-vdi","siteSpaceId":"sitesp_3a09Q","description":"","breadcrumbs":[{"label":"General 
Notes"}]},{"id":"yhfIOiR6rhBEOgCL4K5G","title":"Resize VMDK on ESXi","pathname":"/general-notes-1/resize-vmdk-on-esxi","siteSpaceId":"sitesp_3a09Q","description":"You've created a Linux guest VM on ESXi, but now it's outgrown its original storage requirements and you need to resize it.","breadcrumbs":[{"label":"General Notes"}]},{"id":"-MBSKXfojFXIaPWCPe7g","title":"Convert raw to vmdk","pathname":"/general-notes-1/convert-raw-to-vmdk-for-virtual-machine","siteSpaceId":"sitesp_3a09Q","description":"","breadcrumbs":[{"label":"General Notes"}]},{"id":"-MOiGIqJTwO-WD35dHlt","title":"Favicon hashing and hunting with Shodan","pathname":"/general-notes-1/favicon-hashing-and-hunting-with-shodan","siteSpaceId":"sitesp_3a09Q","description":"","breadcrumbs":[{"label":"General Notes"}]},{"id":"e7dyG2sVsW1JHMJqCCBy","title":"WinRM/RemotePS","pathname":"/general-notes-1/winrm-remoteps","siteSpaceId":"sitesp_3a09Q","description":"","breadcrumbs":[{"label":"General Notes"}]},{"id":"KPzfa9jzsVZw2F0EeF4m","title":"MinIO/S3/R2 ghost files","pathname":"/general-notes-1/minio-s3-r2-ghost-files","siteSpaceId":"sitesp_3a09Q","description":"Sometimes a multi-part upload will fail and result in ghost files. 
Your bucket will indicate it has contents/cannot be deleted, but you can't see anything.","breadcrumbs":[{"label":"General Notes"}]},{"id":"8JmbOxczEq6yZXAjyc2T","title":"Mount E01 containing VMDK/XFS from RHEL system","pathname":"/general-notes-1/mount-e01-containing-vmdk-xfs-from-rhel-system","siteSpaceId":"sitesp_3a09Q","description":"You're provided with an E01 of a VMDK from a RedHat Enterprise Linux system, which is formatted using XFS and is part of an LVM group.","breadcrumbs":[{"label":"General Notes"}]},{"id":"cZFbrYEDqcsL4iAqZ63A","title":"Disk images for various filesystems and configurations","pathname":"/general-notes-1/disk-images-for-various-filesystems-and-configurations","siteSpaceId":"sitesp_3a09Q","breadcrumbs":[{"label":"General Notes"}]},{"id":"6SVYil2jtrMuGur5ogCJ","title":"ext4 with LVM and RAID5 (3 disks)","pathname":"/general-notes-1/disk-images-for-various-filesystems-and-configurations/ext4-with-lvm-and-raid5-3-disks","siteSpaceId":"sitesp_3a09Q","description":"Single LVM on top of a 3 disk RAID5 array, formatted as ext4","breadcrumbs":[{"label":"General Notes"},{"label":"Disk images for various filesystems and configurations"}]},{"id":"cAtsy7YFi6xwtJqbYs6J","title":"ZFS","pathname":"/general-notes-1/disk-images-for-various-filesystems-and-configurations/zfs","siteSpaceId":"sitesp_3a09Q","description":"Both single volume (arguably pointless), and dual volume pool","breadcrumbs":[{"label":"General Notes"},{"label":"Disk images for various filesystems and configurations"}]},{"id":"4j4hb9bPD5Bs45DtQjKP","title":"UFS, FFS, BTRFS, XFS","pathname":"/general-notes-1/disk-images-for-various-filesystems-and-configurations/ufs-ffs-btrfs-xfs","siteSpaceId":"sitesp_3a09Q","breadcrumbs":[{"label":"General Notes"},{"label":"Disk images for various filesystems and configurations"}]},{"id":"JEjNwdWTfnw8LMDtbdVc","title":"ext4, LVM, and 
LUKS1/LUKS2","pathname":"/general-notes-1/disk-images-for-various-filesystems-and-configurations/ext4-lvm-and-luks1-luks2","siteSpaceId":"sitesp_3a09Q","breadcrumbs":[{"label":"General Notes"},{"label":"Disk images for various filesystems and configurations"}]},{"id":"IDEebBQK4lOoOb9jsIcM","title":"NTFS, FAT32, with BitLocker","pathname":"/general-notes-1/disk-images-for-various-filesystems-and-configurations/ntfs-fat32-with-bitlocker","siteSpaceId":"sitesp_3a09Q","breadcrumbs":[{"label":"General Notes"},{"label":"Disk images for various filesystems and configurations"}]},{"id":"gIyCBkqV6P472co8LDiR","title":"NTFS, FAT32, exFAT with TrueCrypt, VeraCrypt","pathname":"/general-notes-1/disk-images-for-various-filesystems-and-configurations/ntfs-fat32-exfat-with-truecrypt-veracrypt","siteSpaceId":"sitesp_3a09Q","breadcrumbs":[{"label":"General Notes"},{"label":"Disk images for various filesystems and configurations"}]},{"id":"2E8Eqt8ZRiZHU0YJlCPg","title":"VirtualBox adapters greyed out","pathname":"/general-notes-1/virtualbox-adapters-greyed-out","siteSpaceId":"sitesp_3a09Q","breadcrumbs":[{"label":"General Notes"}]},{"id":"rkR3oh9U8gc7n1iwEIOf","title":"Exporting SQLite blob data from standalone SQLite database using command line tools","pathname":"/general-notes-1/exporting-sqlite-blob-data-from-standalone-sqlite-database-using-command-line-tools","siteSpaceId":"sitesp_3a09Q","description":"Description and steps on how to export binary/blob data from a SQLite database using sqlite command line tools.","breadcrumbs":[{"label":"General Notes"}]},{"id":"DrS6PhNygrWjQ6hzGdqZ","title":"Cribl","pathname":"/data-collection-processing-and-integration/cribl","siteSpaceId":"sitesp_3a09Q","breadcrumbs":[{"label":"Data Collection, Processing, and Integration"}]},{"id":"AFOKM46jfoJgkKbtb50o","title":"Setup and Configuration","pathname":"/data-collection-processing-and-integration/cribl/setup-and-configuration","siteSpaceId":"sitesp_3a09Q","breadcrumbs":[{"label":"Data 
Collection, Processing, and Integration"},{"label":"Cribl"}]},{"id":"cxG9l7vK67DCYLmw8dEy","title":"Azure / M365 Integration","pathname":"/data-collection-processing-and-integration/cribl/azure-m365-integration","siteSpaceId":"sitesp_3a09Q","breadcrumbs":[{"label":"Data Collection, Processing, and Integration"},{"label":"Cribl"}]},{"id":"fF46vnI7OQmUSR5xP63N","title":"Splunk","pathname":"/data-collection-processing-and-integration/splunk","siteSpaceId":"sitesp_3a09Q","breadcrumbs":[{"label":"Data Collection, Processing, and Integration"}]},{"id":"vSNmLYkGqX9nMS5O2R14","title":"Setup and Configuration","pathname":"/data-collection-processing-and-integration/splunk/setup-and-configuration","siteSpaceId":"sitesp_3a09Q","breadcrumbs":[{"label":"Data Collection, Processing, and Integration"},{"label":"Splunk"}]},{"id":"yfCmFrR1zHfOiIBPtZZF","title":"Introduction to KQL","pathname":"/microsoft-defender-kql/introduction-to-kql","siteSpaceId":"sitesp_3a09Q","description":"Introduction to KQL (in the context of hunting in Defender)","breadcrumbs":[{"label":"Microsoft Defender KQL"}]},{"id":"hjHw5ZwAWdZoX1AEclhr","title":"PsExec","pathname":"/windows-forensics/psexec","siteSpaceId":"sitesp_3a09Q","description":"","breadcrumbs":[{"label":"Windows Forensics"}]},{"id":"kpgHmMEBPe6362qevJRo","title":"PsExec and NTUSER data","pathname":"/windows-forensics/psexec/psexec-and-ntuser-data","siteSpaceId":"sitesp_3a09Q","description":"TL;DR - Using PsExec to deploy & execute a file in the context of a user results in the specified user's NTUSER data profile being created despite never interactively logging onto the system itself.","breadcrumbs":[{"label":"Windows Forensics"},{"label":"PsExec"}]},{"id":"3WTNrrhdTy8rNVvQeqsM","title":"Security Patch/KB Install Date","pathname":"/windows-forensics/security-patch-kb-install-date","siteSpaceId":"sitesp_3a09Q","description":"How to determine installation time of a specific security patch/update/KB package based on registry key 
values.","breadcrumbs":[{"label":"Windows Forensics"}]},{"id":"7fhp3bcC9jlr1yMhEnun","title":"Inspecting RPM/DEB packages","pathname":"/linux-forensics/inspecting-rpm-deb-packages","siteSpaceId":"sitesp_3a09Q","description":"","breadcrumbs":[{"label":"Linux Forensics"}]},{"id":"-Mhm72x-jxjXheCdegbq","title":"Common Locations","pathname":"/linux-forensics/linux","siteSpaceId":"sitesp_3a09Q","description":"Typical location & description of various Linux log files","breadcrumbs":[{"label":"Linux Forensics"}]},{"id":"NlcpDh0sWqUHvszMOa5t","title":"LUKS, hashcat, and hidden volumes","pathname":"/linux-forensics/luks-hashcat-and-hidden-volumes","siteSpaceId":"sitesp_3a09Q","breadcrumbs":[{"label":"Linux Forensics"}]},{"id":"TJ2jWWll4KFTd1GwpDQ5","title":"Mount external USB device in ESXi hypervisor","pathname":"/esxi-forensics/mount-external-usb-device-in-esxi-hypervisor","siteSpaceId":"sitesp_3a09Q","description":"How to mount an external USB drive in an ESXi hypervisor for host access. I highly recommend using a new, large disk (depending on your requirements) which will be formatted using VMFS/VMFS6.","breadcrumbs":[{"label":"ESXi Forensics"}]},{"id":"u1v97bZFobNptfev6YM1","title":"Understanding ESXi","pathname":"/esxi-forensics/understanding-esxi","siteSpaceId":"sitesp_3a09Q","description":"","breadcrumbs":[{"label":"ESXi Forensics"}]},{"id":"8e35QmULCETHeA0WRxj8","title":"Partitions / Volumes","pathname":"/esxi-forensics/understanding-esxi/partitions-volumes","siteSpaceId":"sitesp_3a09Q","description":"","breadcrumbs":[{"label":"ESXi Forensics"},{"label":"Understanding ESXi"}]},{"id":"wR6svKHWHyLlfXCM9qgt","title":"ESXi console / shell","pathname":"/esxi-forensics/understanding-esxi/esxi-console-shell","siteSpaceId":"sitesp_3a09Q","description":"","breadcrumbs":[{"label":"ESXi Forensics"},{"label":"Understanding ESXi"}]},{"id":"0mtX5sFbZrJZ2W0UoUgc","title":"Guest Virtual 
Machines","pathname":"/esxi-forensics/understanding-esxi/guest-virtual-machines","siteSpaceId":"sitesp_3a09Q","description":"","breadcrumbs":[{"label":"ESXi Forensics"},{"label":"Understanding ESXi"}]},{"id":"cswA01ysStPzgqZqZFZ6","title":"General Notes","pathname":"/esxi-forensics/general-notes","siteSpaceId":"sitesp_3a09Q","description":"","breadcrumbs":[{"label":"ESXi Forensics"}]},{"id":"ZDELlAU4BTTFCLwj28aW","title":"Triage and Imaging","pathname":"/esxi-forensics/triage-and-imaging","siteSpaceId":"sitesp_3a09Q","description":"","breadcrumbs":[{"label":"ESXi Forensics"}]},{"id":"B4VYzn9oaemSC8t3CHos","title":"ESXi VMFS Exploration","pathname":"/esxi-forensics/esxi-vmfs-exploration","siteSpaceId":"sitesp_3a09Q","description":"Scenario: Provided with E01 of disks from an ESXi server. You need to examine the files contained within a guest VM which was hosted on the ESXi server.","breadcrumbs":[{"label":"ESXi Forensics"}]},{"id":"MHJ3JC8jR1rqMyyTkYE0","title":"Export OVF from ESXi using OVF Tool","pathname":"/esxi-forensics/export-ovf-from-esxi-using-ovf-tool","siteSpaceId":"sitesp_3a09Q","description":"Sometimes you may not have access to the underlying datastore connected to an ESXi instance or vSphere cluster. 
Use OVF Tool to export an OVF of your required virtual machine","breadcrumbs":[{"label":"ESXi Forensics"}]},{"id":"ZPLTKaBMGZRKJmQAM3uR","title":"Identification, acquisition, and examination of iSCSI LUNs and VMFS datastores","pathname":"/esxi-forensics/identification-acquisition-and-examination-of-iscsi-luns-and-vmfs-datastores","siteSpaceId":"sitesp_3a09Q","description":"","breadcrumbs":[{"label":"ESXi Forensics"}]},{"id":"-MBDgQUUNC21M-CP1jPI","title":"Volatility","pathname":"/memory-forensics-1/volatility-plugins","siteSpaceId":"sitesp_3a09Q","description":"How to get Volatility2.6.1 working / workbench setup","breadcrumbs":[{"label":"Memory Forensics"}]},{"id":"woSo4fBFH4TnedcAnBer","title":"Volatility3 core commands","pathname":"/memory-forensics-1/volatility-plugins/volatility3-core-commands","siteSpaceId":"sitesp_3a09Q","breadcrumbs":[{"label":"Memory Forensics"},{"label":"Volatility"}]},{"id":"hjZSIPV2Fz06acdAAfGV","title":"Build Custom Linux Profile for Volatility","pathname":"/memory-forensics-1/volatility-plugins/build-custom-linux-profile-for-volatility","siteSpaceId":"sitesp_3a09Q","description":"","breadcrumbs":[{"label":"Memory Forensics"},{"label":"Volatility"}]},{"id":"q9nauFzc8WmwSt2rM29P","title":"Generate custom profile using btf2json","pathname":"/memory-forensics-1/volatility-plugins/generate-custom-profile-using-btf2json","siteSpaceId":"sitesp_3a09Q","description":"How to use btf2json to generate a kernel profile for Volatility 3, without using a virtual machine and entirely within WSL.","breadcrumbs":[{"label":"Memory Forensics"},{"label":"Volatility"}]},{"id":"Phud5qrjdFNM7seqlQHV","title":"Banners, isfinfo, and custom profiles","pathname":"/memory-forensics-1/volatility-plugins/banners-isfinfo-and-custom-profiles","siteSpaceId":"sitesp_3a09Q","description":"How to force Volatility3 to use a specific (albeit mismatching) Linux kernel profile","breadcrumbs":[{"label":"Memory 
Forensics"},{"label":"Volatility"}]},{"id":"-MJQTkQTAwYSxD7PwGY2","title":"Volatility2 core commands","pathname":"/memory-forensics-1/volatility-plugins/core-commands","siteSpaceId":"sitesp_3a09Q","description":"","breadcrumbs":[{"label":"Memory Forensics"},{"label":"Volatility"}]},{"id":"-MJQR49knmTLA42Dpavx","title":"3rd Party Plugins","pathname":"/memory-forensics-1/volatility-plugins/3rd-party-plugins","siteSpaceId":"sitesp_3a09Q","description":"","breadcrumbs":[{"label":"Memory Forensics"},{"label":"Volatility"}]},{"id":"-MJQbBplDsBEWK6JEQC7","title":"Acquisition","pathname":"/memory-forensics-1/acquisition","siteSpaceId":"sitesp_3a09Q","description":"","breadcrumbs":[{"label":"Memory Forensics"}]},{"id":"0OlY2Us2KkqFTqr9iAGC","title":"ESXi / VMware Workstation snapshots","pathname":"/memory-forensics-1/acquisition/esxi-vmware-workstation-snapshots","siteSpaceId":"sitesp_3a09Q","description":"","breadcrumbs":[{"label":"Memory Forensics"},{"label":"Acquisition"}]},{"id":"-MJQbKdeX290Qi_rWi9u","title":"DumpIt","pathname":"/memory-forensics-1/acquisition/dumpit","siteSpaceId":"sitesp_3a09Q","description":"","breadcrumbs":[{"label":"Memory Forensics"},{"label":"Acquisition"}]},{"id":"-MBDWG2uFYLywINEAAdn","title":"WinPMem","pathname":"/memory-forensics-1/acquisition/acquisition-with-winpmem","siteSpaceId":"sitesp_3a09Q","description":"","breadcrumbs":[{"label":"Memory Forensics"},{"label":"Acquisition"}]},{"id":"-MBajjH3zL8K1YdSwnqB","title":"Linux / AVML","pathname":"/memory-forensics-1/acquisition/linux-avml-acquisition","siteSpaceId":"sitesp_3a09Q","description":"","breadcrumbs":[{"label":"Memory Forensics"},{"label":"Acquisition"}]},{"id":"SlkBbIXIlAnralS2D35U","title":"Axios npm Supply Chain Attack","pathname":"/incident-response-1/axios-npm-supply-chain-attack","siteSpaceId":"sitesp_3a09Q","breadcrumbs":[{"label":"Incident Response"}]},{"id":"CsWez3jDf6KWBA6Z4Niv","title":"Following the Trail of Malicious 
JavaScript","pathname":"/incident-response-1/following-the-trail-of-malicious-javascript","siteSpaceId":"sitesp_3a09Q","breadcrumbs":[{"label":"Incident Response"}]},{"id":"4pjWC6qRHg5mhgXUADYy","title":"Ivanti Connect Secure Auth Bypass and Remote Code Authentication CVE-2024-21887","pathname":"/incident-response-1/ivanti-connect-secure-auth-bypass-and-remote-code-authentication-cve-2024-21887","siteSpaceId":"sitesp_3a09Q","description":"This article provides guidance on how to inspect/analyse disk images/memory from a virtual Ivanti Connect Secure appliance, in response to CVE-2023-46085 and CVE-2024-21887.","breadcrumbs":[{"label":"Incident Response"}]},{"id":"WHIc9PjJutr3Q3F2EGlG","title":"VirusTotal & hash lists","pathname":"/incident-response-1/virustotal-and-hash-lists","siteSpaceId":"sitesp_3a09Q","description":"We'll take UAC's md5 hash output and query VirusTotal's API to search for malicious binaries.","breadcrumbs":[{"label":"Incident Response"}]},{"id":"dcAVFUrRNyVoLWBtwIXZ","title":"Unix-like Artifacts Collector (UAC)","pathname":"/incident-response-1/unix-like-artifacts-collector-uac","siteSpaceId":"sitesp_3a09Q","description":"","breadcrumbs":[{"label":"Incident Response"}]},{"id":"siQHXucMUIMBE8hgCKEr","title":"Setup MinIO (object storage)","pathname":"/incident-response-1/unix-like-artifacts-collector-uac/setup-minio-object-storage","siteSpaceId":"sitesp_3a09Q","description":"We'll setup a server using MinIO and generate a pre-signed URL using the Python SDK so we can upload a triage collection.","breadcrumbs":[{"label":"Incident Response"},{"label":"Unix-like Artifacts Collector (UAC)"}]},{"id":"7OxWAFynFOtU0V4qnsTj","title":"Create S3 pre-signed URL","pathname":"/incident-response-1/unix-like-artifacts-collector-uac/create-s3-pre-signed-url","siteSpaceId":"sitesp_3a09Q","description":"We'll setup a server using MinIO and generate a pre-signed URL using the Python SDK so we can upload a triage collection.","breadcrumbs":[{"label":"Incident 
Response"},{"label":"Unix-like Artifacts Collector (UAC)"}]},{"id":"r9YADfWIQQG17E43poSk","title":"UAC and pre-signed URLs","pathname":"/incident-response-1/unix-like-artifacts-collector-uac/uac-and-pre-signed-urls","siteSpaceId":"sitesp_3a09Q","description":"","breadcrumbs":[{"label":"Incident Response"},{"label":"Unix-like Artifacts Collector (UAC)"}]},{"id":"0E9SYqRj7YI1N2oeIDVL","title":"Acquiring Linux VPS via SSH","pathname":"/incident-response-1/acquiring-linux-vps-via-ssh","siteSpaceId":"sitesp_3a09Q","description":"Scenario: compromised VPS instance (through a provider such as BinaryLane, Linode, Vultr, etc) which is no longer live, and requires remote acquisition for examination/analysis.","breadcrumbs":[{"label":"Incident Response"}]},{"id":"-MBd2wPoIgwI-cj1th8o","title":"AVML dump to SMB / AWS","pathname":"/incident-response-1/avml-dump-to-smb-aws","siteSpaceId":"sitesp_3a09Q","description":"","breadcrumbs":[{"label":"Incident Response"}]},{"id":"-MBb7MQipLabdGn6WPSS","title":"China Chopper webshell","pathname":"/incident-response-1/china-chopper-webshell","siteSpaceId":"sitesp_3a09Q","description":"","breadcrumbs":[{"label":"Incident Response"}]},{"id":"1aglCCOF3A4GTb6YIIdt","title":"Logging Powershell activities","pathname":"/incident-response-1/logging-powershell-activities","siteSpaceId":"sitesp_3a09Q","description":"","breadcrumbs":[{"label":"Incident Response"}]},{"id":"Hd2XUUQ9r4Nze8cUs0qQ","title":"Compromised UniFi Controller","pathname":"/incident-response-1/compromised-unifi-controller","siteSpaceId":"sitesp_3a09Q","description":"General pointers on where to look for configuration files and/or logs when investigating a compromised UniFi controller.","breadcrumbs":[{"label":"Incident Response"}]},{"id":"R4kC8xmT8i7vUkTf5qaW","title":"AnyDesk Remote Access","pathname":"/incident-response-1/anydesk-remote-access","siteSpaceId":"sitesp_3a09Q","description":"AnyDesk is a popular remote access program which is often used by threat actors (and 
scammers) as either an entry point into an environment or to transfer tools between environments","breadcrumbs":[{"label":"Incident Response"}]},{"id":"EvrKGWUnPLdotAGrFv2A","title":"Mounting UFS VMDK from NetScaler/Citrix ADC","pathname":"/incident-response-1/mounting-ufs-vmdk-from-netscaler-citrix-adc","siteSpaceId":"sitesp_3a09Q","description":"We'll cover how to mount a VMDK, which contains multiple partitions, originating from a NetScaler VM. This is to support analysis in relation to CVE-2023-3519.","breadcrumbs":[{"label":"Incident Response"}]},{"id":"-MMiaiO-WnsDF9nPHEd5","title":"Checkm8 / checkra1n acquisitions/extractions","pathname":"/ios-forensics/checkm8-checkra1n-acquisitions-extractions","siteSpaceId":"sitesp_3a09Q","description":"Get up and running quickly with a platform to perform checkm8 based iOS extractions","breadcrumbs":[{"label":"iOS Forensics"}]},{"id":"0xfNgpP6GgTeuy68k8XV","title":"13Cubed Linux memory forensics","pathname":"/ctf-challenges/13cubed-linux-memory-forensics","siteSpaceId":"sitesp_3a09Q","description":"13Cubed have provided a memory sample from an Ubuntu host for participants to practice their Linux memory analysis skills.","breadcrumbs":[{"label":"CTF / Challenges"}]},{"id":"kc07m6rlKsE5fgxMzTEa","title":"13Cubed Windows memory forensics","pathname":"/ctf-challenges/13cubed-windows-memory-forensics","siteSpaceId":"sitesp_3a09Q","breadcrumbs":[{"label":"CTF / Challenges"}]},{"id":"o3yzKWjkd3FSNZcxIInf","title":"Compromised Windows Server 2022 (simulation)","pathname":"/ctf-challenges/compromised-windows-server-2022-simulation","siteSpaceId":"sitesp_3a09Q","description":"This series of pages will examine a data set provided by Benjamin Donnachie involving a compromised Windows Server 2022 (simulation data)","breadcrumbs":[{"label":"CTF / Challenges"}]},{"id":"7fZf5aa26CzpxZ6S1k7K","title":"FTK 
Imager","pathname":"/ctf-challenges/compromised-windows-server-2022-simulation/ftk-imager","siteSpaceId":"sitesp_3a09Q","description":"How to use FTK Imager to verify, inspect, and export data from an image","breadcrumbs":[{"label":"CTF / Challenges"},{"label":"Compromised Windows Server 2022 (simulation)"}]},{"id":"t8uYx6UFUWIbE4Ct2KYp","title":"Autopsy Forensics","pathname":"/ctf-challenges/compromised-windows-server-2022-simulation/autopsy-forensics","siteSpaceId":"sitesp_3a09Q","description":"How to use Autopsy to process and examine the Compromised Windows Server 2022 image.","breadcrumbs":[{"label":"CTF / Challenges"},{"label":"Compromised Windows Server 2022 (simulation)"}]},{"id":"D1tnQWXi0zxoOpzIbvPv","title":"Plaso","pathname":"/ctf-challenges/compromised-windows-server-2022-simulation/plaso","siteSpaceId":"sitesp_3a09Q","description":"How to process an image using log2timeline/plaso","breadcrumbs":[{"label":"CTF / Challenges"},{"label":"Compromised Windows Server 2022 (simulation)"}]},{"id":"vkXrLBhJpo2MiWLXf5XE","title":"Events Ripper","pathname":"/ctf-challenges/compromised-windows-server-2022-simulation/events-ripper","siteSpaceId":"sitesp_3a09Q","description":"How to process Windows event logs from E01 using Events Ripper","breadcrumbs":[{"label":"CTF / Challenges"},{"label":"Compromised Windows Server 2022 (simulation)"}]},{"id":"FIPR57tXTJc2gXieZG2A","title":"EZ tools","pathname":"/ctf-challenges/compromised-windows-server-2022-simulation/ez-tools","siteSpaceId":"sitesp_3a09Q","description":"How to process and interpret various artefacts using the EZ tools suite.","breadcrumbs":[{"label":"CTF / Challenges"},{"label":"Compromised Windows Server 2022 (simulation)"}]},{"id":"-MBDYLoRQRL9n6-9t9EZ","title":"DEFCON 2019 forensics","pathname":"/ctf-challenges/defcon-2019-forensics","siteSpaceId":"sitesp_3a09Q","description":"This is a brief write up for the DEFCON 2019 forensics CTF","breadcrumbs":[{"label":"CTF / 
Challenges"}]},{"id":"-MBvloUt8DDCODDj3jkQ","title":"Tomcat shells","pathname":"/ctf-challenges/tomcat-shells","siteSpaceId":"sitesp_3a09Q","description":"","breadcrumbs":[{"label":"CTF / Challenges"}]},{"id":"-MIqZlqUGDCi6yNzHCcR","title":"Magnet Weekly CTF","pathname":"/ctf-challenges/magnet-weekly-ctf-challenge","siteSpaceId":"sitesp_3a09Q","description":"","breadcrumbs":[{"label":"CTF / Challenges"}]},{"id":"-MIqZlqVk6Ibt8byHVd8","title":"Magnet CTF Week 0","pathname":"/ctf-challenges/magnet-weekly-ctf-challenge/magnet-ctf-week-1","siteSpaceId":"sitesp_3a09Q","description":"","breadcrumbs":[{"label":"CTF / Challenges"},{"label":"Magnet Weekly CTF"}]},{"id":"-MIx6XNiJ0MOaIczq9wL","title":"Magnet CTF Week 1","pathname":"/ctf-challenges/magnet-weekly-ctf-challenge/magnet-ctf-week-1-1","siteSpaceId":"sitesp_3a09Q","description":"","breadcrumbs":[{"label":"CTF / Challenges"},{"label":"Magnet Weekly CTF"}]},{"id":"-MIq_kLgFGH3LpVusTk5","title":"DFIR Madness CTF","pathname":"/ctf-challenges/dfir-madness-ctf-challenges","siteSpaceId":"sitesp_3a09Q","description":"","breadcrumbs":[{"label":"CTF / Challenges"}]},{"id":"-MIq_oP_jUI2ToGj5TyO","title":"Case 001 - Szechuan Sauce","pathname":"/ctf-challenges/dfir-madness-ctf-challenges/case-001-szechuan-sauce","siteSpaceId":"sitesp_3a09Q","description":"","breadcrumbs":[{"label":"CTF / Challenges"},{"label":"DFIR Madness CTF"}]},{"id":"-Mhm6ac9euuid8FrXdpV","title":"Windows","pathname":"/log-files-1/windows","siteSpaceId":"sitesp_3a09Q","description":"Typical location & description of various log files","breadcrumbs":[{"label":"Log Files"}]},{"id":"5KIKNJR1cWork2krsHbE","title":"Generating Log Timelines","pathname":"/log-files-1/windows/generating-log-timelines","siteSpaceId":"sitesp_3a09Q","description":"","breadcrumbs":[{"label":"Log Files"},{"label":"Windows"}]},{"id":"DnnL8hTSqC2q4VmcTHjG","title":"Identifying UPX packed ELF, decompressing, fixing, and analysing Linux 
malware","pathname":"/malware-analysis/identifying-upx-packed-elf-decompressing-fixing-and-analysing-linux-malware","siteSpaceId":"sitesp_3a09Q","breadcrumbs":[{"label":"Malware Analysis"}]},{"id":"-MiYveygxpgtYoe7r1-k","title":"PDF Analysis","pathname":"/malware-analysis/pdf-analysis","siteSpaceId":"sitesp_3a09Q","description":"","breadcrumbs":[{"label":"Malware Analysis"}]},{"id":"-MiuCjfmMC6paM3UgjzM","title":"Walking the VAD tree","pathname":"/walking-the-vad-tree","siteSpaceId":"sitesp_3a09Q","description":""},{"id":"uCwtIEK4IDm33gh26CZD","title":"What is CTI/OpenCTI?","pathname":"/opencti/what-is-cti-opencti","siteSpaceId":"sitesp_3a09Q","description":"","breadcrumbs":[{"label":"OpenCTI"}]},{"id":"JToa4TNwhMIv8xVgdZvx","title":"Setting up OpenCTI","pathname":"/opencti/setting-up-opencti","siteSpaceId":"sitesp_3a09Q","description":"","breadcrumbs":[{"label":"OpenCTI"}]},{"id":"NoPWFAoldyvrruy5J5oM","title":"Container Management","pathname":"/opencti/container-management","siteSpaceId":"sitesp_3a09Q","description":"","breadcrumbs":[{"label":"OpenCTI"}]},{"id":"GsCFOT8CMAq9a35w7rfF","title":"Configure Connectors","pathname":"/opencti/configure-connectors","siteSpaceId":"sitesp_3a09Q","description":"Connectors are manual uploads/imports, as well as API endpoints for data feeds.","breadcrumbs":[{"label":"OpenCTI"}]},{"id":"8H1MmTNsF0UV7v5zNPWw","title":"Setting Up Nessus (Essentials)","pathname":"/vulnerability-management/setting-up-nessus-essentials","siteSpaceId":"sitesp_3a09Q","description":"How to set up Nessus Essentials on an Ubuntu VM","breadcrumbs":[{"label":"Vulnerability Management"}]},{"id":"5HJwgDG0fxeJlyQxVi6O","title":"Troubleshooting","pathname":"/vulnerability-management/troubleshooting","siteSpaceId":"sitesp_3a09Q","description":"Troubleshooting tips","breadcrumbs":[{"label":"Vulnerability Management"}]},{"id":"t191sNEyXgD6NpCCL8yH","title":"Privacy","pathname":"/privacy","siteSpaceId":"sitesp_3a09Q","description":""}]}