
Forensics

Disclaimer: These are my personal notes, published "as-is" without warranty or guarantee of any kind. Use at your own risk. Licensed CC BY-NC-SA 4.0.

Powershell #

On Kali #

PSDecode ships as a single PSDecode.psm1, so it has to live in a directory named PSDecode under one of the PSModulePath entries before pwsh can import it. Find that path first, then create the directory and move the module into it:

┌──(kali㉿kali)-[~/psd/PSDecode]
└─$ pwsh
┌──(kali㉿kali)-[/home/kali/psd/PSDecode]
└─PS> $Env:PSModulePath
/home/kali/.local/share/powershell/Modules:/usr/local/share/powershell/Modules:/opt/microsoft/powershell/7/Modules
┌──(kali㉿kali)-[~/psd/PSDecode]
└─$ mkdir /home/kali/.local/share/powershell/Modules/PSDecode
┌──(kali㉿kali)-[~/psd/PSDecode]
└─$ mv PSDecode.psm1 /home/kali/.local/share/powershell/Modules/PSDecode
┌──(kali㉿kali)-[/home/kali]
└─PS> PSDecode -dump -beautify -verbose fileToDecode.ps1
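The same setup as a small script, added here as an example (not part of PSDecode or these notes): it asks pwsh for PSModulePath, picks the user-level entry, and copies a .psm1 into a directory named after the module stem, which is the rule PowerShell's auto-discovery depends on. The pwsh probing and the final Get-Module check are assumptions about a working pwsh install; the path logic runs without it.

```python
"""Install a single-file PowerShell module (e.g. PSDecode.psm1) where pwsh
will auto-discover it.  Added example, not part of the PSDecode project.

PowerShell only auto-loads a module found at
<PSModulePath entry>/<ModuleName>/<ModuleName>.psm1, so the directory name
must match the file stem exactly (PSDecode/PSDecode.psm1)."""
import os
import shutil
import subprocess
import sys
from pathlib import Path


def query_psmodulepath():
    """Ask pwsh for its PSModulePath; returns '' if pwsh is not available."""
    try:
        out = subprocess.run(
            ["pwsh", "-NoProfile", "-Command", "$Env:PSModulePath"],
            capture_output=True, text=True, check=True,
        )
    except (OSError, subprocess.CalledProcessError):
        return ""
    return out.stdout.strip()


def pick_user_module_dir(psmodulepath, home):
    """Return the first PSModulePath entry that lies inside `home`.

    Entries are ':'-separated on Linux/macOS and ';'-separated on Windows.
    The user-level entry is preferred: no root needed, and it survives
    upgrades that replace the system-wide module directories."""
    sep = ";" if os.name == "nt" else ":"
    home = Path(home)
    for entry in psmodulepath.split(sep):
        if not entry:
            continue
        candidate = Path(entry)
        try:
            candidate.relative_to(home)   # purely lexical containment check
        except ValueError:
            continue
        return candidate
    return None


def install_module(psm1, modules_dir):
    """Copy <Name>.psm1 into <modules_dir>/<Name>/ and return the new path."""
    psm1 = Path(psm1)
    if psm1.suffix.lower() != ".psm1":
        raise ValueError(f"not a script module: {psm1}")
    target_dir = Path(modules_dir) / psm1.stem
    target_dir.mkdir(parents=True, exist_ok=True)
    target = target_dir / psm1.name
    shutil.copy2(psm1, target)
    return target


if __name__ == "__main__":
    # usage: python3 install_psm1.py /path/to/PSDecode.psm1
    module = Path(sys.argv[1])
    modules_dir = pick_user_module_dir(query_psmodulepath(), Path.home())
    if modules_dir is None:
        sys.exit("no user-level PSModulePath entry found; is pwsh installed?")
    installed = install_module(module, modules_dir)
    print(f"installed {installed}")
    # Confirm pwsh now sees the module (assumes pwsh on PATH).
    subprocess.run(["pwsh", "-NoProfile", "-Command",
                    f"Get-Module -ListAvailable {module.stem}"])
```

After this, `PSDecode -dump -beautify -verbose fileToDecode.ps1` works from any directory, exactly as in the session above.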

Packet capture #

  • Wireshark GUI
  • tshark CLI
    • brew install --cask wireshark (the cask also provides tshark)
    • tshark -r capture.pcap --export-objects http,http_objs (writes every file transferred over HTTP into ./http_objs)
  • A-Packets - Online pcap analysis

Office docs #

.doc or .xls #

.docx or .xlsx #

  • Used OfficeDissector on an Ubuntu 20.04 GCP VM to export to JSON, then searched for interesting strings.
    • Office file analysis (new format .docx only). Requires python2.
import officedissector
# Parse the OOXML package (OfficeDissector handles the zip-based .docx/.xlsx formats only)
doc = officedissector.doc.Document('file.docx')
# Serialize parts, relationships and metadata to JSON, then grep that for interesting strings
doc_json = doc.to_json()
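The "search for interesting strings" step, as an added example that is not OfficeDissector's code or the author's: since .docx/.xlsx is a zip of XML parts, Python 3's standard library is enough to pull out the indicators one usually greps the JSON dump for. The indicator list (VBA project, embedded OLE objects, relationships with an external target, DDE field text) and the constructed sample document are my assumptions, not something the notes specify.

```python
"""Triage an OOXML document (.docx/.xlsx) for common active-content
indicators.  Added example using only the standard library; it is not
OfficeDissector and runs on Python 3."""
import io
import re
import sys
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"

# Part names that carry executable or embedded content (assumed indicator list).
SUSPICIOUS_PARTS = re.compile(
    r"(vbaProject\.bin|/embeddings/|oleObject\d*\.bin|\.exe$|\.dll$|\.scr$)",
    re.IGNORECASE,
)
# Every relationships part may point at a remote (External) target.
RELS_PART = re.compile(r"(^|/)_rels/[^/]*\.rels$")
# DDE / DDEAUTO field instructions inside any XML part.
DDE_FIELD = re.compile(rb"\bDDE(AUTO)?\b")


def triage_ooxml(data):
    """Return findings for the OOXML package given as bytes.

    parts:            suspicious part names found in the zip
    external_targets: (rels part, relationship type, target) for External rels
    dde:              XML parts containing a DDE/DDEAUTO field"""
    findings = {"parts": [], "external_targets": [], "dde": []}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            if SUSPICIOUS_PARTS.search(name):
                findings["parts"].append(name)
            if RELS_PART.search(name):
                root = ET.fromstring(z.read(name))
                for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                    if rel.get("TargetMode") == "External":
                        rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
                        findings["external_targets"].append(
                            (name, rel_type, rel.get("Target")))
            elif name.lower().endswith(".xml") and DDE_FIELD.search(z.read(name)):
                findings["dde"].append(name)
    return findings


def is_suspicious(findings):
    """True when any indicator fired."""
    return any(findings.values())


def build_sample_docx():
    """Constructed sample: a minimal .docx with a VBA project part, a DDEAUTO
    field and one relationship whose target is external.  All payload bytes
    are placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml",
                   '<w:document xmlns:w="urn:placeholder">'
                   "<w:instrText> DDEAUTO placeholder</w:instrText></w:document>")
        z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0placeholder")
        z.writestr("word/_rels/document.xml.rels",
                   f'<Relationships xmlns="{REL_NS}">'
                   '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/'
                   'officeDocument/2006/relationships/oleObject" '
                   'Target="http://example.invalid/payload.bin" TargetMode="External"/>'
                   '<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/'
                   'officeDocument/2006/relationships/styles" Target="styles.xml"/>'
                   "</Relationships>")
    return buf.getvalue()


if __name__ == "__main__":
    # usage: python3 ooxml_triage.py file.docx   (no argument: run on the sample)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_docx()
    result = triage_ooxml(data)
    for key, values in result.items():
        for v in values:
            print(f"{key}: {v}")
    print("SUSPICIOUS" if is_suspicious(result) else "nothing flagged")
```

The external-target check is the one most worth keeping: a relationship with TargetMode="External" is how a document references remote templates, OLE objects or hyperlinks, so those targets are the first values to look up in proxy and DNS logs.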