meta data for this page
  •  

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
soc:irt:playbooks:windows_disk [2026/06/16 12:06] titannetsoc:irt:playbooks:windows_disk [2026/06/17 08:44] (current) titannet
Line 18: Line 18:
 ==== Env variables ==== ==== Env variables ====
 <code bash> <code bash>
 +rm ~/.case.env
 pwd pwd
-WD=/case/working/folder && echo 'WD=$WD>> ~/.case.env +WD=/case/working/folder && echo "WD=$WD>> ~/.case.env 
-E=/case/working/folder/evidence/evidence.E01 && echo 'E=$E>> ~/.case.env+E=/case/working/folder/evidence/evidence.E01 && echo "E=$E>> ~/.case.env 
 </code> </code>
  
-==== Disk Image ====+==== Disk Image basics ====
  
  
 <code bash> <code bash>
 mmls -r $E mmls -r $E
-sudo -E ~/.local/bin/imount -p -o ## $E+sudo -E ~/.local/bin/imount -p -o ## -md /mnt/imount $E
 # -p has 'pretty' & predictable folder name, fails if in use # -p has 'pretty' & predictable folder name, fails if in use
 # new tab or crtl-z # new tab or crtl-z
-DISK_C=<imount_dir> & echo 'DISK_C=$DISK_C>> ~/.case.env+DISK_C=<imount_dir> && echo "DISK_C=$DISK_C>> ~/.case.env
 </code> </code>
 +
 +==== Hayabusa ====
 +
 +<code bash>
 +target-fs "$E" cp 'c:/Windows/System32/winevt/Logs' --output ./logs
 +docker run -it --rm -v "$PWD":/work --entrypoint /opt/hayabusa/hayabusa tabledevil/hayabusa:3.8.1 csv-timeline -d /work/logs -o /work/output/hayabusa.csv -p super-verbose
 +docker run -it --rm -v "$PWD":/work --entrypoint /opt/hayabusa/hayabusa tabledevil/hayabusa:3.8.1 json-timeline -d /work/logs -o /work/output/hayabusa.jsonl -p super-verbose
 +</code>
 +
 +
 +==== Plaso ====
 +
 +<code bash>
 +docker run -it --rm --entrypoint=/bin/bash -v ./:/work log2timeline/plaso
 +# docker run -it --rm --user :$(id -g) --entrypoint=/bin/bash -v ./:/work log2timeline/plaso
 +
 +# one step
 +psteal.py --source /work/evidence/<filename> -o dynamic,json_line -w /work/data/plaso_#.json
 +
 +# two step
 +log2timeline.py --storage-file /work/data/timeline.plaso /work/evidence/<filename>
 +psort.py -o json_line -w /work/output/plaso_out.json /work/data/timeline.plaso
 +#psort.py -o json_line -w /work/output/plaso_out.json /work/data/timeline.plaso
 +
 +
 +cp output/plaso_out.json tools/splunk/import/
 +cd tools/splunk
 +docker compose up -d
 +# -> localhost:8000, admin:password, settings->add->monitor->files->index_once->source_type=plaso
 +
 +</code>
 +
 +
 +==== Splunk ====
 +
 +<code bash>
 +mkdir -p etc/system/local/
 +vim props.conf
 +cp props.conf etc/system/local
 +
 +</code>
 +
  
  
Line 47: Line 91:
 mactime -b data/bodyfile -d -z UTC yyyy-mm-ddThh:mm:ss..yyyy-mm-dd > output/disk_timeline.csv mactime -b data/bodyfile -d -z UTC yyyy-mm-ddThh:mm:ss..yyyy-mm-dd > output/disk_timeline.csv
  
 +
 +# dissect
 +
 +target-query -f hostname,domain,version,ips,install_date,timezone $E
 +# much more useful for queries on multiple disks at once
 +
 +target-query -j -f services $E | jq -r '.name' 
 +# JSON output → jq
 +target-query --list | grep -iE 'userassist|shimcache|amcache|services|powershell_history|browser.history'
 </code> </code>