meta data for this page
  •  

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
soc:irt:playbooks:windows_disk [2026/06/16 13:35] titannetsoc:irt:playbooks:windows_disk [2026/06/16 14:45] (current) titannet
Line 33: Line 33:
 # -p has 'pretty' & predictable folder name, fails if in use # -p has 'pretty' & predictable folder name, fails if in use
 # new tab or crtl-z # new tab or crtl-z
-DISK_C=<imount_dir> & echo 'DISK_C=$DISK_C>> ~/.case.env+DISK_C=<imount_dir> && echo "DISK_C=$DISK_C>> ~/.case.env
 </code> </code>
  
Line 50: Line 50:
 #psort.py -o json_line -w /work/output/plaso_out.json /work/data/timeline.plaso #psort.py -o json_line -w /work/output/plaso_out.json /work/data/timeline.plaso
  
 +
 +cp output/plaso_out.json tools/splunk/import/
 +cd tools/splunk
 +docker compose up -d
 +# -> localhost:8000, admin:password, settings->add->monitor->files->index_once->source_type=plaso
  
 </code> </code>
Line 68: Line 73:
 # dissect # dissect
  
-target-query -f hostname,domain,version,ips,install_date,timezone "$E" +target-query -f hostname,domain,version,ips,install_date,timezone $E 
-target-query -j -f services "$E| jq -r '.name' +# much more useful for queries on multiple disks at once 
 + 
 +target-query -j -f services $E | jq -r '.name' 
 # JSON output → jq # JSON output → jq
 target-query --list | grep -iE 'userassist|shimcache|amcache|services|powershell_history|browser.history' target-query --list | grep -iE 'userassist|shimcache|amcache|services|powershell_history|browser.history'
 </code> </code>