30 April 2020

log2timeline

1)
log2timeline.exe "C:\OUTPUT_1.plaso" "C:\INPUT_PATH\IMAGE.E01"



extra) use pinfo.py C:\INPUT_PATH\OUTPUT_1.plaso to check the status of the process


2) psort.exe -z US/Pacific -o l2tcsv -w "C:\FINAL_TIMELINE_OUTPUT.csv" "C:\INPUT_PATH\OUTPUT_1.plaso"

ref:
https://digital-forensics.sans.org/media/Plaso-Cheat-Sheet.pdf

28 April 2020

Extract MFT file

1) get the offset:
mmls ../image/image.raw
Output:
      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Safety Table
001:  -------   0000000000   0000002047   0000002048   Unallocated
002:  Meta      0000000001   0000000001   0000000001   GPT Header
003:  Meta      0000000002   0000000033   0000000032   Partition Table
004:  000       0000002048   0001023999   0001021952   Basic data partition
005:  001       0001024000   0001226751   0000202752   EFI system partition
006:  004       0001226752   0001227263   0000000512   Microsoft shadow copy partition
007:  002       0001227264   0001259519   0000032256   Microsoft reserved partition
008:  003       0001259520   0209713151   0208453632   Basic data partition
009:  -------   0209713152   0209715199   0000002048   Unallocated

2) extract the MFT to the file mft.raw:

icat -o 0001259520 image.raw 0 > mft.raw
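Added example (not part of these notes): a small sh/awk script that parses the mmls table above to pick the partition start sector and then builds the icat command; icat's -o takes the partition's Start value in sectors, and NTFS metadata address 0 is $MFT, which is why the command ends in "0". The mmls table is embedded as constructed sample input (copied from the output above) so it runs without an image; "image.raw" and entry 008 are assumptions, and the command is printed rather than executed.

```shell
#!/bin/sh
# Added example: locate the partition start sector in mmls output and build
# the icat command that dumps $MFT (NTFS metadata address 0).
# Sample input constructed from the notes; image name "image.raw" is assumed.

SAMPLE_MMLS='      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Safety Table
001:  -------   0000000000   0000002047   0000002048   Unallocated
002:  Meta      0000000001   0000000001   0000000001   GPT Header
003:  Meta      0000000002   0000000033   0000000032   Partition Table
004:  000       0000002048   0001023999   0001021952   Basic data partition
005:  001       0001024000   0001226751   0000202752   EFI system partition
006:  004       0001226752   0001227263   0000000512   Microsoft shadow copy partition
007:  002       0001227264   0001259519   0000032256   Microsoft reserved partition
008:  003       0001259520   0209713151   0208453632   Basic data partition
009:  -------   0209713152   0209715199   0000002048   Unallocated'

# Start sector of the mmls entry with the given index (e.g. 008); table on stdin.
mmls_start() {
    awk -v idx="$1:" '$1 == idx { print $3; exit }'
}

# Start sector of the largest "Basic data partition" entry, which on a Windows
# disk is normally the NTFS volume whose $MFT you want. Length is compared
# numerically, so the leading zeros do not matter.
largest_basic_data() {
    awk '$6 == "Basic" && $7 == "data" && $8 == "partition" && $5 + 0 > best {
             best = $5 + 0; start = $3
         }
         END { if (start != "") print start }'
}

# The icat command for $MFT (metadata address 0) at sector $2 of image $1.
# Printed, not executed, so this is safe to run where no image is present.
mft_icat_cmd() {
    printf 'icat -o %s %s 0 > mft.raw\n' "$2" "$1"
}

# Usage: entry 008 chosen by hand, then the same entry found automatically.
start=$(printf '%s\n' "$SAMPLE_MMLS" | mmls_start 008)
mft_icat_cmd image.raw "$start"
mft_icat_cmd image.raw "$(printf '%s\n' "$SAMPLE_MMLS" | largest_basic_data)"
```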

Restart WSL (Linux on Windows 10)


List wsl:
wsl.exe --list --running
wsl.exe --list --all



Kill wsl (use the distribution name shown by --list):
wsl --terminate <DistributionName>



Start wsl:

02 April 2020

Elasticsearch basic license, enabling security

When your license is Basic and you set xpack.security.enabled to true, Elasticsearch also requires transport SSL to be enabled (xpack.security.transport.ssl.enabled=true).


This page (ref. 1) explains how to create the certificates needed to enable transport.ssl.

0) download the elasticsearch tar.gz file and extract it somewhere

1) Create the CA
        $ bin/elasticsearch-certutil ca
# by default this creates the file elastic-stack-ca.p12 in the config/ dir


2) create the cert
        $ bin/elasticsearch-certutil cert --ca config/elastic-stack-ca.p12


3) copy the cert to the other nodes
4) Tell the node to use this cert. In elasticsearch.yml:
      xpack.security.transport.ssl.enabled: true
      xpack.security.transport.ssl.verification_mode: certificate
      xpack.security.transport.ssl.keystore.path: elastic-certificates.p12


5) Tell the node to trust any certificate signed by the CA. In elasticsearch.yml:
      xpack.security.transport.ssl.truststore.path: elastic-certificates.p12

   # the file elastic-certificates.p12 contains both the cert and the CA



ref:
1) https://www.elastic.co/guide/en/elasticsearch/reference/7.6/configuring-tls.html
2) https://www.elastic.co/fr/blog/getting-started-with-elasticsearch-security