diff --git a/Forensics/CheatSheets/analyzing-malicious-document-files.pdf b/Forensics/CheatSheets/analyzing-malicious-document-files.pdf new file mode 100644 index 0000000..6ec0e81 Binary files /dev/null and b/Forensics/CheatSheets/analyzing-malicious-document-files.pdf differ diff --git a/Forensics/JavaScript.md b/Forensics/JavaScript.md new file mode 100644 index 0000000..c528c18 --- /dev/null +++ b/Forensics/JavaScript.md @@ -0,0 +1,6 @@ +# Javascript Forensics + +## Triaging Javascript Files + +Use [box-js](https://box.js.org/) to analyze javascript files. +Indicator of Compromises (IoCs) will be found and stored automatically as a result. diff --git a/Forensics/OLEtools.md b/Forensics/OLEtools.md deleted file mode 100644 index 99c1193..0000000 --- a/Forensics/OLEtools.md +++ /dev/null @@ -1,37 +0,0 @@ -# oletools & Vmonkey - -* Analyze ooxml and ole2 files - -* [oletools repo](https://github.com/decalage2/oletools.git) - -## Usage - -### OLEtools - -* Check content of a stream -```sh -oledump.py file.doc -Ss -oledump.py file.doc -Ss -v -``` -```sh -oledump.py -i file.doc -``` -```sh -olevba file.doc -``` - -### Vipermonkey -* For the lazy ones -```sh -vmonkey file.doc -``` - -## scdbg -* [scdbg repo](https://github.com/dzzie/SCDBG.git) - -## Outlook - -* Outlook files like `.msg` can be read and changed to by perl-email-outlook-message via -```sh -msgconvert *.msg -``` diff --git a/Forensics/OOXML.md b/Forensics/OOXML.md new file mode 100644 index 0000000..922cc1e --- /dev/null +++ b/Forensics/OOXML.md 
@@ -0,0 +1,70 @@ +# Open Office XML Format (OOXML) Forensics + +Microsoft OOXML documents like docx, docm, xlsx and pptx consist of a bunch of +XML documents inside a zip file. Malicious content therein could be for example +links, exploits, embedded (hidden) objects or for the most part macros. + +## Triage + +### File Overview + +Take a look at the file composition inside an OOXML zipped file via [decalage's oleid](https://github.com/decalage2/oletools.git) or [Marko Pontello's trid](https://www.mark0.net/soft-trid-e.html). + +### Going deeper + +Take a look at the header via `olemap` + +```sh +olemap file.doc +``` + +Get the properties of streams in side via `olemeta` + +```sh +olemeta.py file.doc +``` + +Check content inside a stream via `oledump`, especially macros + +```sh +oledump.py -M file.doc +oledump.py file.doc -Ss +oledump.py file.doc -Ss -v +oledump.py -i file.doc +``` + +Check VBA scripts and malicious elements inside the document via `olevba` + +```sh +olevba file.doc +olevba3 file.doc +``` + +Check file modification timestamps through `oletimes` + +```sh +oletimes file.doc +``` + +### Vipermonkey VBA Emulation + +>ViperMonkey is a VBA Emulation engine written in Python, designed to analyze and deobfuscate malicious VBA Macros contained in Microsoft Office files (Word, Excel, PowerPoint, Publisher, etc). + +Emulate VBA scripts or macros via [decalage2's Vmonkey](https://github.com/decalage2/ViperMonkey.git) + +```sh +vmonkey file.doc -o vmonkey-result.json +``` + +## scdbg + +[scdbg repo](https://github.com/dzzie/SCDBG.git) + +## Outlook + +Outlook files like `.msg` can be read and changed to by +perl-email-outlook-message via + +```sh +msgconvert *.msg +``` diff --git a/Forensics/PDF.md b/Forensics/PDF.md new file mode 100644 index 0000000..c4e61aa --- /dev/null +++ b/Forensics/PDF.md 
@@ -0,0 +1,69 @@ +# The PDF File Format + +## Structure + +The PDF Header contains meta data and starts with + +``` +%PDF- +``` + +The Body contains objects and a cross-reference table to locate objects inside +the file. An objects start and end looks like the following example + +``` +1 0 obj +<< +[...] +>>endobj +``` + +The footer, or trailer, contains the start of the cross-reference table and the +end of file marker + +``` +trailer +<> + +%%EOF +``` + +## Multi Media Keywords + +PDF format contains properties for multi media in a single document. +An example is given by [zeltser's Analysing Malicious Documents](https://zeltser.com/media/docs/analyzing-malicious-document-files.pdf) + +``` +/OpenAction and /AA specify the script or action to +run automatically. +/JavaScript, /JS, /AcroForm, and /XFA can specify +JavaScript to run. +/URI accesses a URL, perhaps for phishing. +/SubmitForm and /GoToR can send data to URL. +/ObjStm can hide objects inside an object stream. +/XObject can embed an image for phishing. +Be mindful of obfuscation with hex codes, such as +/JavaScript vs. /J#61vaScript +``` + + + +### Triage keywords + +To triage keywords use [jesparza's peepdf](https://github.com/jesparza/peepdf) +or [Didie Stevens' PDF +tools](https://blog.didierstevens.com/programs/pdf-tools/) like pdfid.py. +Parsing is done via pdf-parser.py. + +```sh +pdf-parser.py --search file.pdf +pdf-parser.py --object file.pdf +``` + +Peepdf decodes values of an object in interactive mode + +```sh +peepdf -i file.pdf +[..] +PPDF> object +```
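Review bot: In `Forensics/JavaScript.md`, "Indicator of Compromises (IoCs)" should read "Indicators of Compromise (IoCs)", and "Javascript" should be "JavaScript" in both the title and the section heading. The page also says IoCs "will be found and stored automatically" without saying where; add the output location (or the option that sets it) so a reader triaging a sample knows where to look after the run.

Review bot: `Forensics/OOXML.md` describes OOXML (docx/docm/xlsx/pptx as XML inside a zip) but every command in the file is run against `file.doc`, which is the legacy OLE2 compound format, and the deleted `Forensics/OLEtools.md` was actually more accurate with "Analyze ooxml and ole2 files". `olemap`, `olemeta` and `oletimes` read OLE2 sector/stream structures, so on a real OOXML container they need the embedded OLE part (e.g. the extracted `vbaProject.bin`) rather than the zip itself, while OOXML document properties live in `docProps/core.xml`; either widen the title/intro back to "OLE2 and OOXML" or state which commands apply to which format. The `oledump.py file.doc -Ss` lines read as a placeholder rather than a working invocation: `-s` takes a stream index, so write it out, e.g. `oledump.py -s 7 -v file.doc`, and say that `-v` decompresses the selected VBA stream. Smaller points: "streams in side" should be "streams inside"; `olevba file.doc` and `olevba3 file.doc` are listed without saying why both exist (the `olevba3` name was the Python 3 entry point in older oletools, so one of the two is redundant on a current install); the `## scdbg` section is only a link with no sentence on what the tool does or when to reach for it in document analysis; and "can be read and changed to by perl-email-outlook-message" should say what `msgconvert` produces (it converts `.msg` to `.eml`), e.g. "Outlook `.msg` files can be converted to `.eml` with `msgconvert` from perl-email-outlook-message".

Review bot: In `Forensics/PDF.md` the structure section has several inaccuracies that will mislead someone reading a sample by hand. The header does not "contain meta data"; it is just the `%PDF-1.x` version line (metadata lives in the Info dictionary or XMP stream), and the cross-reference table is its own section between the body and the trailer, not part of the body. The trailer example `trailer <>` is wrong: `<>` is an empty hex string, a dictionary is `<< ... >>`, and the sentence promises "the start of the cross-reference table" but the example omits the `startxref` keyword and offset that provide it; suggest:

trailer
<< /Root 1 0 R /Size 2 >>
startxref
123
%%EOF

Also put `endobj` on its own line after `>>` in the object example, and rename "## Multi Media Keywords", since `/OpenAction`, `/JS`, `/URI` and `/ObjStm` are action, script and container keywords rather than multimedia (something like "Suspicious keywords"). In the triage section, `pdf-parser.py --search file.pdf` and `--object file.pdf` will not run as written because both options take an argument (`--search JavaScript file.pdf`, `--object 5 file.pdf`), the peepdf `object` command likewise needs an object id, and "Didie Stevens'" should be "Didier Stevens'". Finally, the page links to the zeltser.com copy of the cheat sheet while this same commit adds `Forensics/CheatSheets/analyzing-malicious-document-files.pdf`; either link the in-repo copy or drop the binary, and note the source and licence of the PDF if it is kept.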