"Computação Forense"
Scooped by João Carvalho
onto "Computação Forense"

Collection of Evidence from the Internet: Part 1

A Basic Methodology
The prospect of trying to obtain legally defensible digital evidence from the Internet is headache-worthy to many—but not impossible.
Tecnologia e Computação Forense - Computer Forensics
Curated by João Carvalho

PowerShell: Getting Started (Part 1) - Customizing Your Environment!

Getting Started Part 1 - Basics and environment customization

This will be part one in my series about learning how to get started with
Windows PowerShell.

We will be exploring:

* Just what PowerShell is.
* The different versions of PowerShell.
* How PowerShell works.
* Customizing your PowerShell experience, and making it feel like home.
  * A new home at least, and an extremely powerful one at that!
* Homework!
Just What is PowerShell?

PowerShell is essentially a framework provided by Microsoft that provides a
platform for automation, general scripting, and, well, just about anything
you can imagine doing with it. It's based on .NET and has hooks into
pretty much anything Windows can do. There are a lot of new things
introduced with PowerShell, and it is ever evolving. You can also still use
old commands you're familiar with, like ping, but you have much more
powerful options at your fingertips (like Test-Connection). If you'd like
a deeper dive into what PowerShell is, check out Microsoft's Scripting
Guy's post, here.

We'll take an interactive tour of ping vs Test-Connection, but first let's
go over versions.

PowerShell Versions

It breaks down like this. Windows 7 comes with Windows PowerShell version
2.0 installed by default. If you're still running Windows 7 and want to try
out the latest version of PowerShell (currently 5.0), you'll need to
install the Windows Management Framework update. If you're running Windows
8 then you cannot run PowerShell 4.0+, but if you're on Windows 7, 8.1, or
10, you can run version 5.0. (Just don't run Windows 8, ok? ;)) Windows 10
comes with PowerShell version 5.0 installed by default.

How can I check what version I have?

Well, first you'll have to open PowerShell. 

1. Hit the Windows key or click the Start icon/button. 
2. Type in 'PowerShell', and select 'Windows PowerShell'

I recommend pinning PowerShell to your taskbar as well. This makes it
really easy to launch.

PowerShell stores the version in a special variable dedicated to host
information. This variable is aptly named $host. To see the value of this
variable, type $host into your console and press enter. You should see a
similar result to this:

If you simply want just the version, type $host.Version to display the
Version property only.

Finally, if you want to just return the Major Version, use
$host.Version.Major.

For a more detailed write up on versions and supported OSs, see this post
at 4sysops.

How PowerShell Works

PowerShell works by executing commands called cmdlets (command-lets), and
then gives you a way of interpreting the results. Everything in
PowerShell either is or becomes an object in one way or another. Think of
an object in this instance as something you can take action on via methods,
and get information from via properties.

Let's learn some more basics before we go about customizing our
environment. Don't worry too much about grasping terminology! With
PowerShell especially, learning by doing is where it's at.

'Hello World'

Even the simplest thing in PowerShell, such as 'Hello World',  becomes an
object you can take action on. Go ahead and type the following command in
PowerShell:

'hello world'.Length

The above example should return 11, as seen below.

Since 'Hello World' is an object, we can pipe it via "|" to Get-Member to
see what we can do with it. Piping in PowerShell is the act of adding the
"|" character to take the results of the command before it and pass them
over to the next command. Let's go ahead and run this:

'Hello World' | Get-Member

You should see the following:

You can see that the object Type is of System.String, and below that the
various methods and properties. To use them, simply add a dot after 'Hello
World' and specify the one you'd like to use. For instance, I wonder what
ToUpper does. Let's see!

'Hello World'.ToUpper

Hmm... that looks a little weird. That's because to execute the method, you
need to put a pair of parentheses after it. Sometimes you can pass
different values in the parentheses; each accepted combination is an
overload. What we're seeing here is the definition of those overloads for
.ToUpper(). For this example we can just use:

'Hello World'.ToUpper()

Get-Member will likely be one of the handiest cmdlets you will use. It lets
you know what properties and methods the object contains.

Now that we've covered some basics, let's get back to checking out...

Ping vs Test-Connection

Let's ping google.com via PowerShell.

Ping Google.com

Alright, pretty standard! Let's see what Test-Connection Google.com does.

Test-Connection Google.com

Now that looks a little bit different. So what's so special about
Test-Connection? To see what else Test-Connection can do and the options it
provides, use:

Get-Help Test-Connection

Notice under REMARKS it states that I don't have the help files stored on
my computer. To remedy this, right click your PowerShell icon on the
taskbar, and go to Run as Administrator. Then use this command:

Update-Help

Now let's see the help for Test-Connection again!

Get-Help Test-Connection

Under the SYNTAX portion you can see that Test-Connection accepts the
-ComputerName parameter. This is the one that Google.com was bound to
by default, since we did not name a parameter. The syntax then specifies
what the input is expected to be: this parameter accepts a string or a
string array, which is what the [] after string means. Think of an array
as a collection of values.

To see examples of how to run Test-Connection, type:

Get-Help Test-Connection -Examples

Variables

Let's take advantage of the fact that Test-Connection's -ComputerName
parameter can accept a string array. To do this, we'll need to create a
variable and add some values to it. The best way to create a string array
we can keep adding to is to use this command:

[System.Collections.ArrayList]$testArray = @()

The code above creates an empty array in the variable $testArray (the cast
to System.Collections.ArrayList is what gives it the .Add method we use
next). Think of a variable as a container of objects.

Let's add some hosts to this array that we'll want to use with
Test-Connection.

$testArray.Add('192.168.1.1')
$testArray.Add('google.com')
$testArray.Add('qwertyuiop.asdf')

Arrays in PowerShell always start at 0, and the .Add method returns the
index of the element (value) just added, which is why a number is printed
after each call. To add an element without seeing that, simply pipe
$testArray.Add('yahoo.com') to Out-Null.

$testArray.Add('yahoo.com') | Out-Null

You can see it did not return the index number this time. To display the
values in the array, type:

$testArray

OK! Now that we have our array setup, let's use:

Test-Connection -ComputerName $testArray

You can even use Test-Connection with conditional logic. 

if (Test-Connection Google.com) {Write-Host "Success!"}

Since Test-Connection Google.com returned a result that evaluates to $true,
it proceeds to perform the command in the script block {}.

I wonder what happens if you replace Google.com with 'qwertyuiop.asdf'...
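To see what that question leads to without a wall of red error text, here is an added example (not from the original post) that runs Test-Connection over the same kind of host list, treats a name that cannot be resolved or does not answer as a result rather than an unhandled error, and emits objects you can sort or export. The host names are constructed samples; it assumes Windows PowerShell 3.0 or later.

```powershell
# Added example: check every host in a list and report a status per host,
# catching the error Test-Connection raises for unresolvable or silent hosts.
[System.Collections.ArrayList]$hosts = @()
$hosts.Add('192.168.1.1')     | Out-Null   # constructed sample: a typical gateway
$hosts.Add('google.com')      | Out-Null   # constructed sample
$hosts.Add('qwertyuiop.asdf') | Out-Null   # constructed sample: will not resolve

function Test-HostList {
    param([string[]]$ComputerName)

    foreach ($name in $ComputerName) {
        try {
            # -ErrorAction Stop turns the normally non-terminating error
            # (name not resolvable, or no reply) into one that try/catch sees.
            $null = Test-Connection -ComputerName $name -Count 1 -ErrorAction Stop
            $status = 'reachable'
        }
        catch {
            # Both "could not resolve" and "timed out" land here; the message
            # from the cmdlet says which one it was.
            $status = "failed: $($_.Exception.Message)"
        }
        # Emit an object so the result pipes into Sort-Object, Export-Csv, etc.
        [pscustomobject]@{ Host = $name; Status = $status }
    }
}

Test-HostList -ComputerName $hosts | Format-Table -AutoSize
```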

Alright! Now that we've gone through some more of the basic concepts, it's
time to...

Customize Your Environment

Open up your PowerShell console and Right Click the title bar. 

1. Select Properties.
2. Select the Font tab to adjust the font.
3. Select the Colors tab to set the colors you want.

Customizing your profile

PowerShell uses profile files to automatically load a script when you start
the PowerShell console.

Let's take a look at the file PowerShell uses for your current user profile
on all hosts (meaning the ISE and console). We'll get into the different
host types in a different post. The special variable we'll want to look at
is $profile, and we'll want to see the CurrentUserAllHosts property.

$profile.CurrentUserAllHosts

It looks like the generic Dell account (my way to have a fresh instance of
PowerShell) I'm using would have the profile stored in:

C:\Users\Dell\Documents\WindowsPowerShell\profile.ps1

Since the folder and file do not exist, let's use the New-Item cmdlet to
create each. Be sure to change the values to match what your result was
from the $profile.CurrentUserAllHosts value. Note: the file will still be
profile.ps1, and only the user name should change.

New-Item -Path C:\Users\Dell\Documents\ -ItemType Directory -Name WindowsPowerShell
New-Item -Path C:\Users\Dell\Documents\WindowsPowerShell\ -ItemType File -Name profile.ps1

Now you should be able to use the Start-Process cmdlet (which opens a file
with the associated handler in Windows automatically) to open and edit the
profile file.

Start-Process $profile.CurrentUserAllHosts
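The two New-Item calls above hard-code the Dell user name. As an added example (not from the original post), the following reads the path from $profile instead, reports all four profile scopes the variable exposes (going a little beyond the post, which uses only CurrentUserAllHosts), and creates the file only when it does not already exist, so running it twice does not overwrite an existing profile.

```powershell
# Added example: list the profile scripts PowerShell would load and create
# the CurrentUserAllHosts one if it is missing. Uses only $profile, Test-Path
# and New-Item, so it works for whichever user is logged on.
function Get-ProfileStatus {
    # $profile is a string for the current host, but also carries these
    # four properties, one per scope; Test-Path reports which files exist.
    foreach ($scope in 'AllUsersAllHosts', 'AllUsersCurrentHost',
                       'CurrentUserAllHosts', 'CurrentUserCurrentHost') {
        $path = $profile.$scope
        [pscustomobject]@{
            Scope  = $scope
            Path   = $path
            Exists = Test-Path -Path $path -PathType Leaf
        }
    }
}

function New-ProfileIfMissing {
    $path = $profile.CurrentUserAllHosts
    if (Test-Path -Path $path -PathType Leaf) {
        Write-Host "Profile already exists, leaving it alone: $path"
        return
    }
    # -Force also creates the WindowsPowerShell folder when it is missing,
    # so one call replaces the separate Directory and File steps.
    New-Item -Path $path -ItemType File -Force | Out-Null
    Write-Host "Created empty profile: $path"
}

Get-ProfileStatus | Format-Table -AutoSize
New-ProfileIfMissing
```

Only the scopes under your own Documents folder are writable without elevation; the AllUsers paths live under the PowerShell install directory.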

You should now have a blank text file open with profile.ps1 as the name in
the upper left.

Let's add the following code to the profile.ps1 file:
I will detail what this code does in the next post!

$global:foregroundColor = 'white'      # colour reused by the greeting and by Prompt
$time = Get-Date
$psVersion = $host.Version.Major
$curUser = (Get-ChildItem Env:\USERNAME).Value
$curComp = (Get-ChildItem Env:\COMPUTERNAME).Value

# Greeting printed once, each time the console starts
Write-Host "Greetings, $curUser!" -foregroundColor $foregroundColor
Write-Host "It is: $($time.ToLongDateString())"
Write-Host "You're running PowerShell version: $psVersion" -foregroundColor Green
Write-Host "Your computer name is: $curComp" -foregroundColor Green
Write-Host "Happy scripting!" `n

# PowerShell calls a function named Prompt before every command line it shows you
function Prompt {

    $curtime = Get-Date

    # Each piece is written with -NoNewLine so they all end up on one line
    Write-Host -NoNewLine "p" -foregroundColor $foregroundColor
    Write-Host -NoNewLine "$" -foregroundColor Green
    Write-Host -NoNewLine "[" -foregroundColor Yellow
    # The -f (format) operator renders the current time as HH:mm:ss
    Write-Host -NoNewLine ("{0:HH}:{0:mm}:{0:ss}" -f $curtime) -foregroundColor $foregroundColor
    Write-Host -NoNewLine "]" -foregroundColor Yellow
    Write-Host -NoNewLine ">" -foregroundColor Red

    # The window title shows the user and the current directory
    $host.UI.RawUI.WindowTitle = "PS >> User: $curUser >> Current DIR: $((Get-Location).Path)"

    # Whatever Prompt returns is printed last, here just a space after ">"
    Return " "

}

Once you've added the content, save profile.ps1.
Now close and re-open your PowerShell console.

It should now look similar to this:

Each time you type a command the function named prompt executes and changes
both the prompt (to include the current time), and the Window Title (to
include the current user and directory).
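Because Prompt runs before every command, it is a good place to surface state you should not lose track of, such as whether the console was started with Run as Administrator. This added example (not from the original post) is a variant of the Prompt function that keeps the clock and window title and adds a red ADMIN marker when the session is elevated; it also uses the -f operator the homework asks about. Paste it into profile.ps1 in place of the version above.

```powershell
# Added example: a Prompt that flags an elevated session and shows the time.
function Test-IsElevated {
    # True when the current token is a member of the built-in Administrators
    # role, which is what "Run as Administrator" grants.
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Prompt {
    $now      = Get-Date
    $elevated = Test-IsElevated
    $user     = $env:USERNAME
    $dir      = (Get-Location).Path

    # "{0:HH:mm:ss}" -f $now: {0} is the first argument after -f and
    # HH:mm:ss is the .NET date format applied to it.
    Write-Host -NoNewline ("[{0:HH:mm:ss}] " -f $now) -ForegroundColor Yellow
    if ($elevated) {
        Write-Host -NoNewline 'ADMIN ' -ForegroundColor Red
    }
    Write-Host -NoNewline $user -ForegroundColor Green
    Write-Host -NoNewline '>' -ForegroundColor Red

    # Mirror the elevation state in the title bar as well
    $prefix = if ($elevated) { 'Administrator: ' } else { '' }
    $host.UI.RawUI.WindowTitle = "{0}PS {1} >> {2} >> {3}" -f $prefix, $PSVersionTable.PSVersion, $user, $dir

    return ' '
}
```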

In the next post I will be going over command discovery and formatting
results.

Homework
* Try to figure out exactly how the string format operator works in the
prompt function to format the time.
* Use Get-Command to discover more PowerShell commands.
* Find some commands to run (maybe Get-Date?) and pipe them to
Get-Member to see what properties and methods they contain.
* Declare a variable and use that variable to use the methods and
display the properties available. Hint: $time = Get-Date.
* Further customize your profile to change up your prompt and title!

Let me know if you have any questions! Feedback is always appreciated.

-Ginger Ninja


10 Free Softwares To Delete Files Permanently | SmashingApps.com

In this assortment, we are going to showcase 10 free and very useful software tools that guarantee to delete files permanently. When you use these useful software you

Ransomware Removal Kit - gHacks Tech News

Ransomware Removal Kit is a collection of anti-ransomware programs designed to be used by security professionals and system administrators.

PowerShell Digital Forensics

Invoke-IR | PowerShell Digital Forensics and Incident Response

SIM, IMSI, ICC-ID, ESN and IMEI

What do the words SIM, IMSI, ICC-ID, ESN and IMEI mean and what are they? I have unfortunately faced very often situations where people still don't know what those acronyms represent. The huge commercial diffusion of the mobile phones among the common people, especially among the new generations, impose at least to have an idea…

Free IT forensic software | Free computer forensic software tools | Forensic Control

Free IT forensics and computer forensics software. Forensic Control - IT forensics and computer forensics investigators in cases of computer misuse or dispute.
Aly Mime's curator insight, February 7, 10:30 AM

Free IT forensics and computer forensics software. Forensic Control - IT forensics and computer forensics investigators in cases of computer misuse or dispute.


meirwah/awesome-incident-response

awesome-incident-response - A curated list of tools for incident response
João Carvalho's insight:

awesome-incident-response and forensic tools


Free Python for Security Professionals Training Class - Cybrary

Free, online, self-paced Python for Security Professionals training by Joe Perry, on Cybrary.

Working with Outlook for Mac attachments (.olk14MsgAttach)

Recently I was working on a case when I noticed that a whole bunch of Outlook attachments had not been processed correctly. These were the .olk14MsgAttach from Outlook (Office for Mac 2011).

Database Forensics without the Database

Databases. You have them; attackers want them. It's where all the good stuff sits. Let's make sure we're defending them the best we can!

In this talk, we're going to introduce and/or improve database forensics in your incident response workflow. Only; we're not going to touch the database. Through analysis of various artifacts, we're going to show you how to build a timeline of attacker activity and discover what may have happened to your data while it was exposed. We're also going to release new research that can be used immediately to include database forensics in your next case.

Physical acquisition of a locked Android device

So, you got a locked Android device. What’s next? Is USB debugging enabled? No, it’s not. But still, there is a solution. Today our patient will be a locked Samsung GT-I9300 smartphone.…

This forensic toolkit makes you love PowerShell

PowerForensics is a PowerShell digital forensics framework developed by Jared Atkinson.

Building Your Own Pentesting Environment - InfoSec Resources

Introduction Ethical hacking is a term used to describe hacking done by a person/individual to identify the potential vulnerabilities or weakness in the sy

Android Forensic Logical Acquisition - InfoSec Resources

Introduction The following is a demonstration of how we will create an Android Emulator; then we will go through needed steps to acquire a logical image of
Rescooped by João Carvalho from Cyber Security & Digital Forensics

Encoding vs. Encryption vs. Hashing vs. Obfuscation

Encoding Encryption Hashing Obfuscation There is often significant confusion around the differences between encryption, encoding, hashing, and obfuscation.

Via Constantin Ionel Milos / Milos Constantin

Forensically, free online photo forensics tools

Forensically is a set of free tools for digital image forensics. It includes clone detection, error level analysis, meta data extraction and more.

Free Computer Forensics Weapons

Free Computer Forensic Tools & Toolkits. A list of over 130 free tools is provided as a free resource for all. It’s updated several times a year. I provide no support or warranties for the listed software and it is the user’s responsibility to verify licensing agreements. Inclusion on the list does not equate to a recommendation. Using forensic software does not, on its own, make the user a forensic analyst. Evidence is more likely to be admissible if it is produced by a professional computer fore

Windows event log management software, monitor system, application and security event logs — FSPro Labs

Windows event log analysis, view and monitor security, system, and other logs on Windows servers and workstations