added pdf forensics and reworked ooxml forensics
parent
5566ae0be4
commit
0cc87fa399
Binary file not shown.
|
@ -0,0 +1,6 @@
|
|||
# Javascript Forensics
|
||||
|
||||
## Triaging Javascript Files
|
||||
|
||||
Use [box-js](https://box.js.org/) to analyze javascript files.
|
||||
Indicator of Compromises (IoCs) will be found and stored automatically as a result.
|
|
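Review bot: The `## Triaging Javascript Files` section names box-js but gives no invocation and does not say where the results are stored, so a reader cannot act on it the way they can on the `sh` blocks in the other pages of this commit. Add the command line you actually use and the output location it writes to. Also, "Indicator of Compromises (IoCs)" should read "Indicators of Compromise (IoCs)", and "Javascript" / "javascript" should be spelled "JavaScript" consistently.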
@ -1,37 +0,0 @@
|
|||
# oletools & Vmonkey
|
||||
|
||||
* Analyze ooxml and ole2 files
|
||||
|
||||
* [oletools repo](https://github.com/decalage2/oletools.git)
|
||||
|
||||
## Usage
|
||||
|
||||
### OLEtools
|
||||
|
||||
* Check content of a stream
|
||||
```sh
|
||||
oledump.py file.doc -Ss <No. of stream>
|
||||
oledump.py file.doc -Ss <No. of stream> -v
|
||||
```
|
||||
```sh
|
||||
oledump.py -i file.doc
|
||||
```
|
||||
```sh
|
||||
olevba file.doc
|
||||
```
|
||||
|
||||
### Vipermonkey
|
||||
* For the lazy ones
|
||||
```sh
|
||||
vmonkey file.doc
|
||||
```
|
||||
|
||||
## scdbg
|
||||
* [scdbg repo](https://github.com/dzzie/SCDBG.git)
|
||||
|
||||
## Outlook
|
||||
|
||||
* Outlook files like `.msg` can be read and changed to by perl-email-outlook-message via
|
||||
```sh
|
||||
msgconvert *.msg
|
||||
```
|
|
@ -0,0 +1,70 @@
|
|||
# Open Office XML Format (OOXML) Forensics
|
||||
|
||||
Microsoft OOXML documents like docx, docm, xlsx and pptx consist of a bunch of
|
||||
XML documents inside a zip file. Malicious content therein could be for example
|
||||
links, exploits, embedded (hidden) objects or for the most part macros.
|
||||
|
||||
## Triage
|
||||
|
||||
### File Overview
|
||||
|
||||
Take a look at the file composition inside an OOXML zipped file via [decalage's oleid](https://github.com/decalage2/oletools.git) or [Marko Pontello's trid](https://www.mark0.net/soft-trid-e.html).
|
||||
|
||||
### Going deeper
|
||||
|
||||
Take a look at the header via `olemap`
|
||||
|
||||
```sh
|
||||
olemap file.doc
|
||||
```
|
||||
|
||||
Get the properties of streams in side via `olemeta`
|
||||
|
||||
```sh
|
||||
olemeta.py file.doc
|
||||
```
|
||||
|
||||
Check content inside a stream via `oledump`, especially macros
|
||||
|
||||
```sh
|
||||
oledump.py -M file.doc
|
||||
oledump.py file.doc -Ss <No. of stream>
|
||||
oledump.py file.doc -Ss <No. of stream> -v
|
||||
oledump.py -i file.doc
|
||||
```
|
||||
|
||||
Check VBA scripts and malicious elements inside the document via `olevba`
|
||||
|
||||
```sh
|
||||
olevba file.doc
|
||||
olevba3 file.doc
|
||||
```
|
||||
|
||||
Check file modification timestamps through `oletimes`
|
||||
|
||||
```sh
|
||||
oletimes file.doc
|
||||
```
|
||||
|
||||
### Vipermonkey VBA Emulation
|
||||
|
||||
>ViperMonkey is a VBA Emulation engine written in Python, designed to analyze and deobfuscate malicious VBA Macros contained in Microsoft Office files (Word, Excel, PowerPoint, Publisher, etc).
|
||||
|
||||
Emulate VBA scripts or macros via [decalage2's Vmonkey](https://github.com/decalage2/ViperMonkey.git)
|
||||
|
||||
```sh
|
||||
vmonkey file.doc -o vmonkey-result.json
|
||||
```
|
||||
|
||||
## scdbg
|
||||
|
||||
[scdbg repo](https://github.com/dzzie/SCDBG.git)
|
||||
|
||||
## Outlook
|
||||
|
||||
Outlook files like `.msg` can be read and changed to by
|
||||
perl-email-outlook-message via
|
||||
|
||||
```sh
|
||||
msgconvert *.msg
|
||||
```
|
|
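Review bot: The title `# Open Office XML Format (OOXML) Forensics` expands the acronym incorrectly; OOXML is Office Open XML. Every example under `### Going deeper` also uses `file.doc`, an OLE2 file name, while the introduction talks about docx, docm, xlsx and pptx; say which of the tools accept the zipped formats directly and which expect an OLE2 file, or use a sample name that matches. Smaller points: "streams in side" should be "streams inside", `olemeta.py` carries the `.py` suffix while `olemap` and `oletimes` do not, the Outlook sentence "can be read and changed to by" never says what the file is converted to, and `## scdbg` has a link but no sentence on what the tool is used for here.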
@ -0,0 +1,69 @@
|
|||
# The PDF File Format
|
||||
|
||||
## Structure
|
||||
|
||||
The PDF Header contains meta data and starts with
|
||||
|
||||
```
|
||||
%PDF-<version.number>
|
||||
```
|
||||
|
||||
The Body contains objects and a cross-reference table to locate objects inside
|
||||
the file. An objects start and end looks like the following example
|
||||
|
||||
```
|
||||
1 0 obj
|
||||
<<
|
||||
[...]
|
||||
>>endobj
|
||||
```
|
||||
|
||||
The footer, or trailer, contains the start of the cross-reference table and the
|
||||
end of file marker
|
||||
|
||||
```
|
||||
trailer
|
||||
<>
|
||||
<cross-reference-table>
|
||||
%%EOF
|
||||
```
|
||||
|
||||
## Multi Media Keywords
|
||||
|
||||
PDF format contains properties for multi media in a single document.
|
||||
An example is given by [zeltser's Analysing Malicious Documents](https://zeltser.com/media/docs/analyzing-malicious-document-files.pdf)
|
||||
|
||||
```
|
||||
/OpenAction and /AA specify the script or action to
|
||||
run automatically.
|
||||
/JavaScript, /JS, /AcroForm, and /XFA can specify
|
||||
JavaScript to run.
|
||||
/URI accesses a URL, perhaps for phishing.
|
||||
/SubmitForm and /GoToR can send data to URL.
|
||||
/ObjStm can hide objects inside an object stream.
|
||||
/XObject can embed an image for phishing.
|
||||
Be mindful of obfuscation with hex codes, such as
|
||||
/JavaScript vs. /J#61vaScript
|
||||
```
|
||||
|
||||
<embed src="./CheatSheets/analyzing-malicious-document-files.pdf" type="application/pdf">
|
||||
|
||||
### Triage keywords
|
||||
|
||||
To triage keywords use [jesparza's peepdf](https://github.com/jesparza/peepdf)
|
||||
or [Didie Stevens' PDF
|
||||
tools](https://blog.didierstevens.com/programs/pdf-tools/) like pdfid.py.
|
||||
Parsing is done via pdf-parser.py.
|
||||
|
||||
```sh
|
||||
pdf-parser.py --search <keyword> file.pdf
|
||||
pdf-parser.py --object <objectNo.> file.pdf
|
||||
```
|
||||
|
||||
Peepdf decodes values of an object in interactive mode
|
||||
|
||||
```sh
|
||||
peepdf -i file.pdf
|
||||
[..]
|
||||
PPDF> object <No.>
|
||||
```
|
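Review bot: The trailer example under `## Structure` does not match the PDF layout: the dictionary delimiters appear as `<>` instead of `<<` ... `>>`, and `<cross-reference-table>` is placed after the trailer dictionary, where a PDF has the `startxref` keyword and the byte offset of the table before `%%EOF`. The prose has the same mix-up, saying the body contains the cross-reference table and the trailer "contains the start" of it; reword so the table is its own section between body and trailer, and the trailer points to its offset. Smaller points: the heading `## Multi Media Keywords` sits over a list of action, script and URL keywords, "Didie Stevens'" should be "Didier Stevens'", "An objects start" should be "An object's start", and the raw `<embed src=...>` tag only works if the Markdown renderer allows inline HTML, so a plain link to the cheat sheet is the safer choice.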