13 February 2024

Copy the MFT file

Copy it using RawCopy (/FileNamePath:C:0 selects MFT record 0, which is $MFT itself, on the C: volume):

    RawCopy.exe /FileNamePath:C:0 /OutputPath:C:\Audit /OutputName:MFT_C.bin


ref: 
https://www.jaiminton.com/cheatsheet/DFIR/#master-file-table
https://github.com/jschicht/RawCopy

17 January 2024

Kibana KQL escape character

Need to escape these characters:
    \():<>"*

With quotes, no escaping is needed:
    http.request.referrer: "https://example.com"

Without quotes, the reserved characters must be escaped:
    http.request.referrer: https\://example.com

This does not work as expected, because inside quotes the * is interpreted as a literal *:
    http.request.referrer: "https://example.com*"

Instead use this:
    http.request.referrer: https\://example.com*

File path issue in Windows:
Kibana displays the value as:
    C:\WINDOWS\system32\MRT.exe

But if you check the JSON, the actual value stored in Elasticsearch is:
    "c:\\windows\\system32\\mrt.exe"

Thus, to find all files in the system32 folder (including sub folders) you need to escape the backslash characters:
    file.path.caseless : c\:\\\\windows\\\\system32\\\\*

To find all files in the system32 folder (excluding sub folders):
    file.path.caseless : c\:\\\\windows\\\\system32\\\\* and not file.path.caseless : c\:\\\\windows\\\\system32\\\\*\\\\*

ref: https://www.elastic.co/guide/en/kibana/current/kuery-query.html

Kibana KQL Wild Card

thefield.caseless: system32*
    matches system32\\calc.exe (* is a wildcard)

thefield: "system32*"
    does not match system32\\calc.exe (* is literal because it is inside quotes)


ref: https://www.elastic.co/guide/en/kibana/current/kuery-query.html
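The escaping rules above are easy to get wrong when a query is assembled in a script, so here is an added example in POSIX shell (not part of this post and not Kibana's code). It escapes the reserved characters listed above (\():<>"*) with one backslash each, as the KQL reference states, leaves a trailing * unescaped so it stays a wildcard, and shows the quoted form, where only " and \ need escaping. It escapes a literal backslash once; the wildcard path queries above use twice that to match the \\ found in the stored JSON, so check the indexed value before trusting a generated term.

```shell
#!/bin/sh
# Added example: build KQL terms with reserved characters escaped.
# Escaping rule taken from the KQL reference; sample values are the ones from the notes above.

# Escape every KQL reserved character ( \ ( ) : < > " * ) with one backslash.
kql_escape() {
  printf '%s\n' "$1" | sed -E 's/([\\():<>"*])/\\\1/g'
}

# Unquoted term: the value must be escaped; an exact match is intended.
kql_term() {
  printf '%s: %s\n' "$1" "$(kql_escape "$2")"
}

# Quoted term: only " and \ need escaping, and any * inside the quotes is literal.
kql_quoted() {
  v=$(printf '%s\n' "$2" | sed -E 's/([\\"])/\\\1/g')
  printf '%s: "%s"\n' "$1" "$v"
}

# Prefix match: escape the literal part, then append an unescaped * so it acts as a wildcard.
kql_prefix() {
  printf '%s: %s*\n' "$1" "$(kql_escape "$2")"
}

# Demo on the values used in the notes above.
kql_term   http.request.referrer 'https://example.com'
kql_quoted http.request.referrer 'https://example.com'
kql_prefix http.request.referrer 'https://example.com'
kql_term   file.path.caseless 'c:\windows\system32\mrt.exe'
```

kql_prefix is the one to use for the "starts with" case: quoting the whole value would turn the * into a literal character, which is exactly the failure shown above.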

20 September 2023

Elasticsearch snapshot on a shared folder: permission problem when using sshfs

If you set path.repo to a directory mounted with sshfs for Elasticsearch snapshots, you will probably get this permission error, even though the directory appears writable by all users:

    java.lang.IllegalStateException: Unable to access 'path.repo' (/mnt/remote_snapshot_on_st02/snap_dir) at org.elasticsearch.bootstrap.FilePermissionUtils.addDirectoryPath(FilePermissionUtils.java:66) ~[elasticsearch-8.8.1.jar:?]

This happens because the Elasticsearch process runs as the user elasticsearch, and an sshfs (FUSE) mount is by default only accessible to the user who mounted it. Mount the directory as the elasticsearch account instead:

    sudo -u elasticsearch sshfs myacc@10.10.10.10:/data/my_elastic_snapshot_dir/ /mnt/my_snapshot_dir

Of course you still need path.repo set in your elasticsearch.yml:

    path.repo: [/mnt/my_snapshot_dir/the_snapshot_dir_on_remote]

17 October 2022

Searching for strings in Wireshark

ref: https://www.cellstream.com/reference-reading/tipsandtricks/431-finding-text-strings-in-wireshark-captures

30 September 2022

History of IPs your Ubuntu PC has held

History of IP addresses that have been assigned to your PC.

There are 2 commands that can list the IPs your PC got from DHCP:

1) sudo cat /var/log/syslog | grep -Ei 'dhcp' | grep ip_address

2) sudo journalctl | grep -Ei 'dhcp' | grep ip_address
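The two greps above print the raw log lines; when reconstructing which address a machine held at which time (for example to tie a firewall log entry back to a host), it helps to reduce them to timestamp, interface and address. The following is an added POSIX shell example, not from the original post: it runs the same grep filter over syslog-style lines and extracts those three fields. The sample lines are constructed in NetworkManager's dhcp4 log format and are not from a real host; run dhcp_ip_history against /var/log/syslog or against the output of journalctl saved to a file for real data.

```shell
#!/bin/sh
# Added example: turn DHCP log lines into a lease history (timestamp, interface, ip).

# Write constructed sample syslog lines (NetworkManager dhcp4 format) to the file named in $1.
make_sample_log() {
  cat > "$1" <<'EOF'
Sep 30 08:01:12 ubuntu NetworkManager[812]: <info>  [1664524872.1201] dhcp4 (enp0s3): option ip_address           => '10.0.2.15'
Sep 30 08:01:12 ubuntu NetworkManager[812]: <info>  [1664524872.1202] dhcp4 (enp0s3): option subnet_mask          => '255.255.255.0'
Sep 30 12:40:03 ubuntu NetworkManager[812]: <info>  [1664541603.5510] dhcp4 (wlp2s0): option ip_address           => '192.168.1.40'
Sep 30 12:40:03 ubuntu NetworkManager[812]: <info>  [1664541603.5511] dhcp4 (wlp2s0): option routers              => '192.168.1.1'
Oct  1 09:15:44 ubuntu NetworkManager[812]: <info>  [1664615744.0031] dhcp4 (enp0s3): option ip_address           => '10.0.2.15'
Oct  1 09:15:44 ubuntu kernel: [ 1234.567890] e1000: enp0s3 NIC Link is Up 1000 Mbps
EOF
}

# Print one "<timestamp> <interface> <ip>" line per DHCP ip_address assignment, in log order.
# The two greps are the same filter as in the notes above; sed then keeps only the three fields.
dhcp_ip_history() {
  grep -Ei 'dhcp' "$1" | grep 'ip_address' |
    sed -E "s/^([A-Za-z]+ +[0-9]+ [0-9:]+) .*dhcp4 \(([^)]+)\): option ip_address +=> '([^']+)'.*/\1 \2 \3/"
}

# Distinct addresses the host has held, sorted.
dhcp_unique_ips() {
  dhcp_ip_history "$1" | awk '{print $NF}' | sort -u
}

# Usage: dhcp_ip_history /var/log/syslog
# With no argument, run on the constructed sample instead.
if [ "$#" -gt 0 ]; then
  dhcp_ip_history "$1"
else
  demo=$(mktemp)
  make_sample_log "$demo"
  dhcp_ip_history "$demo"
  rm -f "$demo"
fi
```

Note that syslog lines carry no year, so when a log spans a year boundary the order of the output, not the timestamp text, is what tells you which lease came first.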

25 August 2022

How to install a specific version of an apt package

List the versions available for a package:

    $ apt-cache madison calc
     calc | 2.12.7.2-4 | http://10.108.201.140/ubuntu/mirror/archive.ubuntu.com/ubuntu focal/universe amd64 Packages
     calc | 2.10.18-dfsg-2build1 | http://archive.ubuntu.com/ubuntu xenial/multiverse amd64 Packages

Show the installed and candidate versions and where each one comes from:

    $ apt-cache policy virtualbox
    virtualbox:
      Installed: (none)
      Candidate: 5.0.40-dfsg-0ubuntu1.16.04.2
      Version table:
         5.0.40-dfsg-0ubuntu1.16.04.2 500
            500 http://cm.archive.ubuntu.com/ubuntu xenial-updates/multiverse amd64 Packages
         5.0.18-dfsg-2build1 500
            500 http://cm.archive.ubuntu.com/ubuntu xenial/multiverse amd64 Packages

ref:
https://linuxopsys.com/topics/install-specific-version-package-apt
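The notes above show how to list the versions but not the install step itself. As an added POSIX shell example (not from this post or from apt's documentation), the following parses the madison output, checks that the requested version is actually offered by a configured repository, and prints the commands to install exactly that version and hold it so a later plain upgrade does not silently replace the build you reviewed. The syntax apt-get install <pkg>=<version> and apt-mark hold <pkg> is apt's own; the sample madison output is the two calc lines from above, embedded so the script runs offline.

```shell
#!/bin/sh
# Added example: pick a version from `apt-cache madison` output and build a pinned install.

# Constructed from the two madison lines in the notes above (real output would come from
# `apt-cache madison calc`).
SAMPLE_MADISON=' calc | 2.12.7.2-4 | http://10.108.201.140/ubuntu/mirror/archive.ubuntu.com/ubuntu focal/universe amd64 Packages
 calc | 2.10.18-dfsg-2build1 | http://archive.ubuntu.com/ubuntu xenial/multiverse amd64 Packages'

# List the versions offered (second madison column), one per line, in the order apt lists them.
madison_versions() {
  printf '%s\n' "$1" | awk -F'|' '{gsub(/ /, "", $2); print $2}'
}

# Build the install-and-hold command for package $1 at version $2, given madison output $3.
# Refuses when the version is not offered, so a typo cannot turn into an unpinned install.
pin_install_cmd() {
  pkg=$1
  ver=$2
  if ! madison_versions "$3" | grep -qxF "$ver"; then
    echo "version $ver is not offered for $pkg" >&2
    return 1
  fi
  printf 'sudo apt-get install %s=%s && sudo apt-mark hold %s\n' "$pkg" "$ver" "$pkg"
}

# Demo on the embedded sample: list versions, then pin the focal build.
madison_versions "$SAMPLE_MADISON"
pin_install_cmd calc 2.12.7.2-4 "$SAMPLE_MADISON"
```

Against a live system, feed it the real listing: pin_install_cmd calc 2.12.7.2-4 "$(apt-cache madison calc)". Verify afterwards with apt-cache policy calc, whose Installed line should show the pinned version.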