Differences

This shows you the differences between two versions of the page.

--- soc:irt:playbooks:windows_disk [2026/06/16 13:15] – titannet
+++ soc:irt:playbooks:windows_disk [2026/06/16 14:45] (current) – titannet
@@ Line 18: / Line 18: @@
 ==== Env variables ====
 <code bash>
+rm ~/.case.env
 pwd
-WD=/case/working/folder && echo 'WD=$WD' >> ~/.case.env
+WD=/case/working/folder && echo "WD=$WD" >> ~/.case.env
-E=/case/working/folder/evidence/evidence.E01 && echo 'E=$E' >> ~/.case.env
+E=/case/working/folder/evidence/evidence.E01 && echo "E=$E" >> ~/.case.env
 </code>
@@ Line 31: / Line 33: @@
 # -p has 'pretty' & predictable folder name, fails if in use
 # new tab or crtl-z
-DISK_C=<imount_dir> & echo 'DISK_C=$DISK_C' >> ~/.case.env
+DISK_C=<imount_dir> && echo "DISK_C=$DISK_C" >> ~/.case.env
 </code>
@@ Line 45: / Line 47: @@
 # two step
 log2timeline.py --storage-file /work/data/timeline.plaso /work/evidence/<filename>
-psort.py -o dynamic,json_line -w /work/output/plaso_out.json /work/data/timeline.plaso
+psort.py -o json_line -w /work/output/plaso_out.json /work/data/timeline.plaso
 #psort.py -o json_line -w /work/output/plaso_out.json /work/data/timeline.plaso
+cp output/plaso_out.json tools/splunk/import/
+cd tools/splunk
+docker compose up -d
+# -> localhost:8000, admin:password, settings->add->monitor->files->index_once->source_type=plaso
 </code>
@@ Line 66: / Line 73: @@
 # dissect
-target-query -f hostname,domain,version,ips,install_date,timezone "$E"
+target-query -f hostname,domain,version,ips,install_date,timezone $E
-target-query -j -f services "$E" | jq -r '.name'
+# much more useful for queries on multiple disks at once
+target-query -j -f services $E | jq -r '.name'
 # JSON output → jq
 target-query --list | grep -iE 'userassist|shimcache|amcache|services|powershell_history|browser.history'
 </code>

Tools

menus and quick search

quick search

site status

Page Tools

meta data for this page

Differences