Commands tagged forensics (2)

  • The above command assumes the lost data is on /dev/sda and that you previously issued the following command to mount _another_ disk or partition (/dev/sdb1) on /recovery: `sudo mount /dev/sdb1 /recovery`. If you don't do this, the data could be overwritten! foremost is a very powerful carving tool. By default foremost recovers all known file types. If you want to reduce the amount of files that are recovered you can specify the file type you are looking for. Read the man page to know the available file types, e.g. to recover JPEG pictures, append the switch -tjpg to foremost.


    2
    sudo foremost -i /dev/sda -o /recovery
    vlan7 · 2010-08-19 22:27:41 0
  • 1. First we get the `item_id` for that `comment`. Adapt the -C[N] parameter for your use.
    2. Then we show the bookmark's `title` (or `url`). With that in hand it's a matter of seconds to open Firefox's library and find the bookmark.
    Handy e.g. for forensics, or to better sanitize a places.sqlite before sharing it (on the cloud). It sure has room for improvement.


    0
    sqlite3 -list places.sqlite 'SELECT item_id, content FROM moz_items_annos ;' | grep -A9 "string" ; sqlite3 places.sqlite 'SELECT title FROM moz_bookmarks WHERE id = <item_id number> ;'
    datruche · 2015-10-31 19:32:52 0
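The two-step lookup in the post above (find the annotation, then resolve its `item_id` to a bookmark) can be done in one query by joining `moz_items_annos.item_id` to `moz_bookmarks.id` and, for bookmarks that point at a URL, `moz_bookmarks.fk` to `moz_places.id`. The following is an added example, not code from the original post: it builds a constructed, cut-down copy of the places.sqlite schema in memory (only the columns the lookup needs; a real profile database has many more), and opens a real file read-only so the evidence copy is never modified. The table and column names are the real Firefox ones; the sample rows and the helper names are assumptions made for the example.

```python
import sqlite3
from typing import Optional

# Constructed subset of the Firefox places.sqlite schema: only the columns
# the lookup needs. Real profile databases carry many more columns/tables.
SCHEMA = """
CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT);
CREATE TABLE moz_bookmarks (id INTEGER PRIMARY KEY, type INTEGER,
                            fk INTEGER, parent INTEGER, title TEXT);
CREATE TABLE moz_anno_attributes (id INTEGER PRIMARY KEY, name TEXT);
CREATE TABLE moz_items_annos (id INTEGER PRIMARY KEY, item_id INTEGER,
                              anno_attribute_id INTEGER, content TEXT);
"""


def build_sample_db() -> sqlite3.Connection:
    """Constructed sample data standing in for a profile's places.sqlite."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO moz_places VALUES (?, ?)", [
        (1, "https://example.com/"),
        (2, "https://example.org/notes"),
    ])
    # type 2 = folder (no fk), type 1 = bookmark referencing a moz_places row
    conn.executemany("INSERT INTO moz_bookmarks VALUES (?, ?, ?, ?, ?)", [
        (1, 2, None, 0, "Toolbar"),
        (2, 1, 1, 1, "Example home"),
        (3, 1, 2, 1, "Notes"),
    ])
    conn.executemany("INSERT INTO moz_anno_attributes VALUES (?, ?)", [
        (1, "bookmarkProperties/description"),
        (2, "Places/SmartBookmark"),
    ])
    conn.executemany("INSERT INTO moz_items_annos VALUES (?, ?, ?, ?)", [
        (1, 2, 1, "personal string: account notes"),
        (2, 3, 2, "MostVisited"),
        (3, 1, 1, "string folder comment"),
    ])
    conn.commit()
    return conn


def open_places_readonly(path: str) -> sqlite3.Connection:
    """Open a *copy* of places.sqlite read-only so the evidence is untouched.

    Firefox holds a lock on the live file while running, so work on a copy.
    """
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def find_annotated_bookmarks(conn: sqlite3.Connection, needle: str):
    """Return (item_id, annotation name, content, title, url) for every
    annotation whose content contains `needle`, resolved to its bookmark.

    Folders have no fk, hence the LEFT JOIN: their url comes back as None.
    """
    rows = conn.execute(
        """
        SELECT a.item_id, attr.name, a.content, b.title, p.url
        FROM moz_items_annos AS a
        JOIN moz_anno_attributes AS attr ON attr.id = a.anno_attribute_id
        JOIN moz_bookmarks AS b ON b.id = a.item_id
        LEFT JOIN moz_places AS p ON p.id = b.fk
        WHERE a.content LIKE '%' || ? || '%'
        ORDER BY a.item_id
        """,
        (needle,),
    ).fetchall()
    return [tuple(r) for r in rows]


def bookmark_title(conn: sqlite3.Connection, item_id: int) -> Optional[str]:
    """The second step of the post: item_id -> moz_bookmarks.title."""
    row = conn.execute(
        "SELECT title FROM moz_bookmarks WHERE id = ?", (item_id,)
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = build_sample_db()  # swap for open_places_readonly("copy-of-places.sqlite")
    for item_id, name, content, title, url in find_annotated_bookmarks(db, "string"):
        print(f"{item_id}\t{name}\t{content!r}\t{title}\t{url}")
```

Note that `LIKE` treats `%` and `_` in the search term as wildcards; if the annotation text you are hunting for contains them, use `instr(a.content, ?) > 0` instead.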
