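% forensics documents
$ filename: fdfind . "$(pwd)" -Ltf | sort -u
# run-mailcap: open the file with its mailcap handler without a pager (usable for docx); output logged to runmailcap-<filename>.out
run-mailcap --nopager <filename> | tee runmailcap-<filename>.out
# install/upgrade oletools into the system Python as root (a venv or pipx keeps the analysis host cleaner)
sudo -H python3 -m pip install -U oletools
# oleid: analyze OLE files to detect characteristics usually found in malicious files
oleid <filename> | tee oleid-<filename>.out
# olevba: extract and analyze VBA macro source code from MS Office documents (OLE and OpenXML)
olevba <filename> | tee olevba-<filename>.out
# mraptor (MacroRaptor): detect potentially malicious VBA macros via AutoExec/Write/Execute heuristics (also works on zip + password)
mraptor <filename> | tee mraptor-<filename>.out
# msodde: detect and extract DDE/DDEAUTO links from MS Office documents, RTF and CSV
msodde -a <filename> | tee msodde-<filename>.out
# pyxswf: detect, extract and analyze embedded Flash (SWF) objects in files such as MS Office documents and RTF (-o: parse the input as an OLE file)
pyxswf -o <filename>
# oleobj: save all embedded objects of an OLE file to disk (-s all); extracted objects may be malicious, keep them inside the isolated analysis environment
oleobj -s all <filename>
# rtfobj: save all embedded objects of an RTF file to disk (-s all); same caution as oleobj
rtfobj -s all <filename>
# olebrowse: interactive GUI to browse OLE files (Word, Excel, PowerPoint) and view/extract individual streams
olebrowse <filename>
# olemeta: extract all standard properties (metadata) from OLE files
olemeta <filename> | tee olemeta-<filename>.out
# oletimes: extract creation and modification timestamps of all streams and storages
oletimes <filename> | tee oletimes-<filename>.out
# oledir: list all directory entries of an OLE file, including free and orphaned entries
oledir <filename> | tee oledir-<filename>.out
# olemap: display a map of all sectors in an OLE file
olemap <filename> | tee olemap-<filename>.out
# JPEG stego: steghide extract (prompts for a passphrase; the payload is written to a file, so steghide.out only holds steghide's status messages)
steghide extract -sf <filename> | tee steghide.out
# PNG stego: zsteg with all detection methods (-a)
zsteg -a <filename> | tee zsteg.out
# binwalk: carve and extract every embedded file binwalk recognizes (-D='.*'); run on a copy inside the isolated analysis environment
binwalk -D='.*' <filename> | tee binwalk.out
# pdf-parser: parse a PDF document and list its objects and streams
pdf-parser <filename> | tee pdfparser.out
# baseline triage of an unknown file: printable strings
strings <file>
# baseline triage: steghide extract (JPEG/BMP/WAV/AU carriers; prompts for a passphrase)
steghide extract -sf <file>
# baseline triage: stegseek (automated steghide extraction with wordlist-based passphrase recovery)
stegseek <file>
# baseline triage: exiftool metadata dump
exiftool <file>
# baseline triage: binwalk signature scan (no extraction)
binwalk <file>
# baseline triage: StegSolve GUI (expects StegSolve.jar in the current directory, or pass its full path)
java -jar StegSolve.jar <file>
# baseline triage: zsteg with all detection methods (-a)
zsteg -a <file>
# baseline triage: foremost file carving
foremost <file>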