NIST Data Leakage - Coggle Diagram
NIST Data Leakage
Commands
mkdir
Creates a directory
wget
Download traffic log
md5sum
Verify the integrity of file
fdisk (format disk)
Examine the partitions of an image
fls
List file or directory name
partscan
Scan the partition table on a newly created loop device
find
Find the first unused loop device.
show
Print device name
read-only
Set up a read-only loop device
mount
Makes a device accessible
cp
Copy system files
perl
Scanning arbitrary text files, extracting information from those text files.
tree
Displays directory paths and (optionally) files in each subdirectory
head
To print data from the beginning of one or more files
tail
To print data from the end of one or more files
Regripper
A software tool to extract/parse information
chmod
Allows you to change the permissions on a file
WindowsPrefetch
Prefetch is a memory management feature.
Python-evtx
Provides programmatic access to the File and Chunk headers and event entries
mmls
Show partition and unallocated spaces.
fsstat
List the first partition details using file system stat (fsstat)
-b
b: block size (default is 512)
-o
-o: image offset
profilelist
Search for profiles
SAM
Find and search for Security Accounts Manager (SAM) information
Winver
A command that displays the version of Windows that is running.
grep
Searches the given file(s) for lines containing a match to the given strings or words
MuiCache
Multilingual User Interface
Shimcache
Application Compatibility Cache
RecentFileCache.bcf
Stores metadata related to PE execution
UserAssist
Good to analyze the behaviors of users
SecurityEvt.xml
Examine security event logs
xmlstarlet
Transform, query, validate, and edit XML documents and files
el
el: Display element structure of XML document
-u
print out sorted unique lines
-a
show attributes
val
To validate documents
fo
Format XML document
sel
Select data or query XML document(s) (XPATH, etc)
xpath
Provide an XML namespace for querying data
stream editor
Used to perform basic text transformations on an input stream (a file or input from a pipeline).
ed
Edit XML documents
libpff
Install email extracting tool
EMDMgmt
Looks at the device to determine its performance characteristics
evtx_dump.py Security.evtx > SecurityEvt.xml
Examine security event logs for logon/logoff
hivexsh
Provides a simple shell for navigating Windows Registry 'hive' files.
Windows Search registry
To help search function
USNjrnl
Keep record of updated files
usnparser
A Python script to parse the NTFS USN journal.
Most Recently Used (MRU)
Recently opened webpages, documents, files, images and other applications
Shellbags is a tree-like structure
A set of registry keys that store details about a viewed folder, such as its size, position, and icon.
jump list
Recently opened files
Python3-dateutil
It's a part of the Python standard library
StagingPath
It shows the folder on the volume that is used to ‘stage’ files prior to committing them to the disc.
testdisk
Recover recycle bin
analyzeMFT
Designed to fully parse the MFT file from an NTFS file system
strings
Prints the printable character strings found in files
Binwalk
Extracting tool
foremost
Data carving
awk '{print NR,"|", $2,"|", $7, "|",$10, "|", $12, "|", $13, "|", $14, "|", $15}' FS='|' LogFile.csv | grep -Ei "DeleteIndexEntryAllocation" | grep "jpg"
Search “DeleteIndexEntryAllocation” transaction record
Sleuthkit
Recover deleted files.
RainbowCrack
To crack password.
rcrack . -h 209C6174DA490CAEB422F3FA5A7AE634
Use the rainbow tables in the current directory to crack the password hash
Steps
emails, USB, libpff
USN Journaling
USN Journal
Identify all traces related to changing of files in Windows Desktop
$MFT: Master File Table
Windows Security Event Logs, XML
Network drive IP, Shellbag, Jumplist
Windows Registry
Traversing directories in network drive, Cloud
Extract security event log files from the DD Image
CD burn, $MFT, $MFT log ($LogFile)
Extract prefetched event log files from the DD Image
Recycle Bin and Anti-forensics
Extract registry files from the DD Image
Data Recovery, Data Carving
Examine files in the DD image
Crack Windows' passwords
Get the NIST data leakage case DD image
Tools
XML parser
xmlstarlet
Transform, query, validate, and edit XML documents and files
Windows-Prefetch-Parser
Prefetch is a memory management feature
Libpff
email extracting tool
RegRipper 3.0
A software tool to extract/parse information
usnparser
tree
RainbowCrack
To crack password.
Provided Material
DD image