Differences

This shows you the differences between two versions of the page.

soc:irt:playbooks:windows_disk [2026/06/16 13:37] titannet
soc:irt:playbooks:windows_disk [2026/06/17 08:44] (current) titannet
Line 30: Line 30:
 <code bash> <code bash>
 mmls -r $E mmls -r $E
-sudo -E ~/.local/bin/imount -p -o ## $E+sudo -E ~/.local/bin/imount -p -o ## -md /mnt/imount $E
 # -p has 'pretty' & predictable folder name, fails if in use # -p has 'pretty' & predictable folder name, fails if in use
 # new tab or crtl-z # new tab or crtl-z
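Review bot: `-o ##` on the changed imount line leaves a value for the reader to fill in, and neither the old nor the new line says what `##` stands for or where it comes from (presumably from the `mmls -r $E` output directly above); add a comment naming the value, e.g. `# ## = offset of the partition to mount, taken from the mmls output`, so the playbook can be followed without guessing. The new `-md /mnt/imount` mount directory is not created anywhere in this hunk; either add a `mkdir -p /mnt/imount` step or state that the tool creates it. Minor: the context comment `# new tab or crtl-z` should read `ctrl-z`.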
Line 36: Line 36:
 </code> </code>
  
-==== Start with plaso ====+==== Hayabusa ==== 
 + 
 +<code bash> 
 +target-fs "$E" cp 'c:/Windows/System32/winevt/Logs' --output ./logs 
 +docker run -it --rm -v "$PWD":/work --entrypoint /opt/hayabusa/hayabusa tabledevil/hayabusa:3.8.1 csv-timeline -d /work/logs -o /work/output/hayabusa.csv -p super-verbose 
 +docker run -it --rm -v "$PWD":/work --entrypoint /opt/hayabusa/hayabusa tabledevil/hayabusa:3.8.1 json-timeline -d /work/logs -o /work/output/hayabusa.jsonl -p super-verbose 
 +</code> 
 + 
 + 
 +==== Plaso ====
  
 <code bash> <code bash>
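Review bot: both `docker run` lines write to `/work/output/hayabusa.*`, i.e. `$PWD/output` on the host, and the `target-fs ... --output ./logs` line writes to `./logs`, but nothing in the hunk creates either directory or says that the commands must be run from the case directory; add `mkdir -p logs output` before them and a one-line comment on the expected working directory so the section works on a fresh case. `tabledevil/hayabusa:3.8.1` is a third-party image rather than the Hayabusa project's own release; pinning the tag is good, but for a tool that produces the evidence timeline consider pinning the image digest (or building from the official release) so the binary that generated a given `hayabusa.csv` can be reproduced later.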
Line 50: Line 59:
 #psort.py -o json_line -w /work/output/plaso_out.json /work/data/timeline.plaso #psort.py -o json_line -w /work/output/plaso_out.json /work/data/timeline.plaso
  
 +
 +cp output/plaso_out.json tools/splunk/import/
 +cd tools/splunk
 +docker compose up -d
 +# -> localhost:8000, admin:password, settings->add->monitor->files->index_once->source_type=plaso
  
 </code> </code>
 +
 +
 +==== Splunk ====
 +
 +<code bash>
 +mkdir -p etc/system/local/
 +vim props.conf
 +cp props.conf etc/system/local
 +
 +</code>
 +
 +
  
 === Extended disk image anaylsis === === Extended disk image anaylsis ===
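Review bot: the new Splunk block edits `props.conf` with `vim` but gives no hint of its contents, so the `source_type=plaso` that the plaso block's comment tells the reader to pick is undefined on the page; document the expected `[plaso]` stanza (at least the timestamp settings, so events are indexed at their event time rather than at import time) either inline or next to the compose file, and state which directory `etc/system/local/` is relative to (the block follows `cd tools/splunk` in the previous hunk, but that is easy to miss). The `admin:password` login in the comment is a default credential baked into the playbook; make sure the compose file binds port 8000 to localhost only, as the `localhost:8000` comment implies, and say that the password is for the disposable lab instance. Minor: `anaylsis` in the context heading should read `analysis`.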
Line 68: Line 94:
 # dissect # dissect
  
-target-query -f hostname,domain,version,ips,install_date,timezone "$E" +target-query -f hostname,domain,version,ips,install_date,timezone $E 
-target-query -j -f services "$E| jq -r '.name' +# much more useful for queries on multiple disks at once 
 + 
 +target-query -j -f services $E | jq -r '.name' 
 # JSON output → jq # JSON output → jq
 target-query --list | grep -iE 'userassist|shimcache|amcache|services|powershell_history|browser.history' target-query --list | grep -iE 'userassist|shimcache|amcache|services|powershell_history|browser.history'
 </code> </code>
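Review bot: the change drops the quotes around `$E` in both `target-query` lines, but the actual bug in the old second line was the unbalanced quote in `"$E| jq`; the fix should have been `target-query -j -f services "$E" | jq -r '.name'`, since unquoted `$E` now breaks on image paths containing spaces or glob characters. If the intent, per the new comment `# much more useful for queries on multiple disks at once`, is to pass several images through one variable, say so explicitly (for example by using an array and `"${E[@]}"`) and place the comment next to the command it describes: as inserted it follows the `hostname,domain,...` query and is separated from the `services` query by a blank line, so it is unclear which one it refers to.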