ANSSI-FR / bits_parser

Licence: MIT License
Extract BITS jobs from QMGR queue and store them as CSV records



bits_parser

Extract BITS jobs from QMGR queue and store them as CSV records.

This topic was presented in a talk at the French conference CORI&IN 2018.

Installation

If you want to run the latest version of bits_parser you can install it from PyPI by running the following command:

pip install bits_parser

To install it from the sources:

python setup.py install

Usage

QMGR queues are usually .dat files located in the folder %ALLUSERSPROFILE%\Microsoft\Network\Downloader on a Windows system.

Once those files have been located (e.g. qmgr0.dat and qmgr1.dat) you can run bits_parser by issuing the following command:

bits_parser qmgr0.dat

bits_parser also supports full-disk analysis, but the process is longer and the results are noisier (some data from adjacent disk clusters can leak into the result). This mode is enabled with the switch -i:

bits_parser -i image.bin

The disk mode works by looking for expected bit sequences (markers) and collecting the surrounding data. The amount of surrounding data (the radiance) is configurable and defaults to 2048 kB:

bits_parser -i --radiance=4096 image.bin

Increasing the radiance may help retrieve more data, but the default value is normally enough.

When processing is finished, the result is CSV-formatted and displayed on the standard output. The output can be written to a file with -o:

bits_parser -o jobs.csv qmgr0.dat

Use --help to display all options of bits_parser.

Related works

Finding your naughty BITS [DFRWS USA 2015, Matthew Geiger]

BITSInject [DEFCON 2017, Dor Azouri]
