DFIR | Purple Team | OSINT | Threat Hunter | GIAC | 
My views only

@Pytt4m There is Timeline Explorer, which is a nice spreadsheet viewer. Plaso also has the ability to export directly into Elastic, and then you can build Kibana dashboards.

# psort.py -o elastic --server 127.0.0.1 --port 9200 --index_name mywebserver web.plaso

This is probably the best way to visualize this data as you can filter/graph on any field and lots of options.

I typically go old school commandline and very surgical. If I'm full timelining something then I already have an idea of when. Then I'll do something like this...

#grep <date time> timeline.csv |cut -d ',' -f1,3,5,7,8,12 |grep -v '.a..'

In the above command:
grep filters the date and time you want from the file. Use the format the file uses, e.g. "2021-03-12 15:00".

cut -d says use the delimiter comma.

cut -f grabs fields 1,3,5,7,8,12 (I just made these up for the example).

grep -v does not show file access times, which are typically shown as .a... This also depends on what I'm investigating, but for initial triage I remove them.

I do this because of speed. Grepping files is usually very fast and I don't have to set up anything additional to process the files. If the file is huge, I'll break out the couple of days I'm interested in to make it faster.

#grep '2023-01-23' timeline.csv >2023-01-23-timeline.csv

If I need to do a graphical timeline for a report, I'll use Aurora and manually create it. Hope this helps!

#DFIR #Linux #incidentresponse
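The grep/cut triage above, as an added example that is not part of the original post: it builds a small constructed l2tcsv-style timeline, filters it by a date/time prefix, keeps a few columns, and drops access-only (.a..) rows by anchoring on the MACB column rather than matching `.a..` anywhere in the line. The column layout assumed is plaso's l2tcsv header; the sample rows are made up for this example.

```shell
#!/bin/sh
# Constructed sample timeline in l2tcsv column order:
# date,time,timezone,MACB,source,sourcetype,type,user,host,short,desc,version,filename,...
TIMELINE=$(mktemp)
trap 'rm -f "$TIMELINE"' EXIT
cat > "$TIMELINE" <<'EOF'
date,time,timezone,MACB,source,sourcetype,type,user,host,short,desc,version,filename,inode,notes,format,extra
2021-03-12,15:00:01,UTC,.a..,FILE,NTFS,Last Access Time,-,WS01,read,access,2,C:/Users/bob/Documents/report.docx,12,-,-,-
2021-03-12,15:00:05,UTC,M...,FILE,NTFS,Content Modification Time,-,WS01,modified,write,2,C:/Windows/Temp/svc.exe,13,-,-,-
2021-03-12,15:00:07,UTC,...B,FILE,NTFS,Creation Time,-,WS01,created,create,2,C:/Windows/Temp/svc.exe,13,-,-,-
2021-03-12,15:01:30,UTC,.a..,FILE,NTFS,Last Access Time,-,WS01,read,access,2,C:/Windows/System32/cmd.exe,14,-,-,-
2021-03-12,16:20:00,UTC,M...,FILE,NTFS,Content Modification Time,-,WS01,modified,write,2,C:/Users/bob/notes.txt,15,-,-,-
2021-03-13,09:12:00,UTC,.a..,FILE,NTFS,Last Access Time,-,WS01,read,access,2,C:/Users/bob/notes.txt,15,-,-,-
EOF

# triage PREFIX CSV: rows starting with PREFIX ("2021-03-12" or "2021-03-12,15:00"),
# reduced to date,time,MACB,type,host,filename, minus access-only rows.
# The MACB column is field 3 after cut, so the exclusion is anchored there.
triage() {
  grep "^$1" "$2" | cut -d ',' -f1,2,4,7,9,13 | grep -v '^[^,]*,[^,]*,\.a\.\.'
}

# split_day DATE CSV OUT: carve one day out of a huge timeline into OUT
# (header kept) so later greps only touch the slice of interest.
split_day() {
  { head -n 1 "$2"; grep "^$1," "$2"; } > "$3"
}

# Example run: one hour of interest, access-only noise removed.
triage '2021-03-12,15:00' "$TIMELINE"
```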

A great and detailed Bash script cheatsheet 👇🏼

https://devhints.io/bash

#bash #commandline #cli #shellscripting

Bash scripting cheatsheet

Variables · Functions · Interpolation · Brace expansions · Loops · Conditional execution · Command substitution · One-page guide to Bash scripting

CLI tools you won't be able to live without 🔧

A list of 50 command line tools, which you should definitely check out!


The standard Apache "combined" log format is:

IPaddr - - [date] "method URI protocol" code bytes "referer" "user-agent"

Write a Linux command to output:

count IPaddr user-agent

Here "count" is the number of times each "IPaddr user-agent" combo appears. The output should be sorted by IP address.

#Linux #DFIR #CommandLine #Trivia

For consumers of LastPass:

If your master password wasn't LONG and COMPLEX, I'd make it a priority to go through your LastPass and change passwords on all the sites. Like... asap.

IMO don't abandon the idea of password managers, but strongly consider 1Password or Bitwarden.
---
RT @ejcx_
I worked at LastPass as an engineer a long time ago. 7+ years ago. My 2 cents on the situation.

This is the worst breach LastPass has had. By a lot.

T…
https://twitter.com/ejcx_/status/1606428769731878913

evan j on Twitter

“I worked at LastPass as an engineer a long time ago. 7+ years ago. My 2 cents on the situation. This is the worst breach LastPass has had. By a lot. The key difference is that customer vaults were accessed this time, which are kept in a completely separate database. 1/x”


Do you like Wikis? Do you like Forensics?

If you answered both with yes, you will like: https://forensics.wiki/

The page has recently migrated to a GitHub based system (yeah I know it is no longer a wiki, whatever :-) : https://github.com/forensicswiki/wiki.

@RyanDFIR, Joachim and Robert are currently working on this.

A little bit of context and history:
https://osdfir.blogspot.com/2022/11/transitioning-forensics-wiki-to-github.html

Feel free to share and/or contribute.