
📘 📕 Field Manuals

📕 Windows RTFM

This is about … .

📘 Linux BTFM

Variables

# no spaces when assigning
$0 # the script name; $1 is the first arg, $# the number of args

# array
array=(1 2 4 5)
${array[0]}
${array[*]} # all items delimited by IFS
${array[@]} # all items 
${!array[@]} # all indexes
${#array[@]} # number of items
${#array[0]} # length of item 0

ARRAY=(*.txt) # glob directly; $(ls *.txt) breaks on names with spaces
COUNT=1
for FILE in "${ARRAY[@]}"
do
	echo -n "$FILE"
	echo -n "[${ARRAY[$COUNT]}]" # the next item (empty past the end)
	if [ -w "$FILE" ]; then # the space before ] is required
		echo -e "\t YES"
	else
		echo -e "\t NO"
	fi
	COUNT=$((COUNT + 1))
done

Functions

function hello () {
	local name=$1 # local keeps the variable out of the global scope
	echo "hello, $name"
}
hello world

function hello2 { # keyword form; the () is optional
	commands
}

Conditions

# if/elif
if [ $# -ne 1 ]; then # note the space before ]
  echo "Exactly 1 arg needed"
  exit 1
fi

# case
case $var in
  "$cond1")
    commands
    ;;
  "$cond2")
    commands
    ;;
  "$cond3")
    commands
    ;;
  *) # default branch, only one
    commands
    ;;
esac

Loops

# reading a file line by line

while read -r line
do
  commands
done < "$Filename"
# or (the loop runs in a subshell, so variables set inside it are lost)
cat "$Filename" |
while read -r line
do
  commands
done

# C-style loop: arithmetic context, so use < rather than -lt
for ((i=0; i<10; i++)); do
  commands
done

Examples

#!/bin/bash

while [ $# -gt 0 ]
do
  case $1 in
    -f|--file)
      FILE=$2
      if ! [ -f "$FILE" ]; then
        echo "This is not a valid file"
        exit 1
      fi
      echo "Words in the file $(wc -w < "$FILE")"
      shift # consume the option's value
      ;;
    -h|--help)
      echo "specify a file"
      ;;
  esac
  shift # consume the option itself; without this the loop never ends
done


# getopts (bash builtin): a and b take a value, c and d are flags
while getopts a:b:cd param; do
  case $param in
    a)
      echo "$OPTARG 1"
      ;;
    b)
      echo "$OPTARG 2"
      ;;
    c|d)
      echo "flag -$param set"
      ;;
  esac
done

# getopt (util-linux) also handles long options; the -o spec has no leading dash
opts=$(getopt -o a::b:cd --long file::,name:,help -- "$@")
eval set -- "$opts"

FUC

(Frequently Used Commands)

📘 macOS BTFM

python FSEParser_V3.3.py -s /.fseventsd -t folder -o /Users/sentinel/Desktop/FSEvents_Out # -s source dir, -t source type, -o output dir

References

📘 Powershell BTFM

Settings

Association

It’s better to associate PowerShell scripts with notepad.exe than with PowerShell for security reasons.

Execution Policy

Get the execution policy. The PowerShell execution policy applies to scripts only, not to commands typed interactively. Here are the main policies used:

Get-ExecutionPolicy
> Restricted # no scripts are allowed (default for desktop)
> RemoteSigned # downloaded scripts must be signed (preferred, default for WinServer). For local scripts no signature is required.
> Unrestricted # everything is allowed (dangerous)
> Undefined # no policy set in this scope; falls back to Restricted for Win and RemoteSigned for WinServer
> AllSigned # signatures are required for local scripts too
> Bypass # nothing is blocked, no warnings or prompts

Other policies are described in the official doc [2].
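As an added example (not from this page or the official doc), the script below lists the policy set in each scope, in precedence order, and flags the two settings above that run scripts without any signature check:

```powershell
# Added example: audit the execution policy per scope and flag the weak ones.
# The first scope that is not Undefined decides the effective policy.
$weak = @('Unrestricted', 'Bypass')

# Order returned: MachinePolicy, UserPolicy, Process, CurrentUser, LocalMachine
$scopes = Get-ExecutionPolicy -List

foreach ($s in $scopes) {
    $mark = if ($weak -contains "$($s.ExecutionPolicy)") { '  <-- weak' } else { '' }
    '{0,-14} {1}{2}' -f $s.Scope, $s.ExecutionPolicy, $mark
}

# What Get-ExecutionPolicy returns with no arguments: the effective policy for this session
$effective = Get-ExecutionPolicy
"Effective: $effective"

if ($weak -contains "$effective") {
    Write-Warning "Effective policy '$effective' runs any script without a signature check."
    # Tighten for the current user only (no admin rights needed):
    # Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy RemoteSigned
}
```

A Bypass set in the Process scope only lasts for that session, so rerun the audit in a fresh shell to see the persistent settings.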

📘 SIFT BTFM

Here is the official cheatsheet from SANS. I’ve copied it here for convenience. I will comment on some of them after I try each command in the list.

Shadow Timeline Creation

Step 1 – Attach Local or Remote System Drive

ewfmount system-name.E01 /mnt/ewf

Step 2 – Mount VSS Volume

VSS - Windows NT Volume Shadow Snapshot.

cd /mnt/ewf
vshadowmount ewf1 /mnt/vss

Step 3 – Run fls across ewf1 mounted image

cd /mnt/ewf
fls -r -m C: ewf1 >> /cases/vss-bodyfile

Step 4 – Run fls Across All Snapshot Images

📘 Windows BTFM

FUC

(Frequently Used Commands)

User

Get user’s SID:

wmic useraccount where name='veronicazvereva' get sid
# or
whoami /user # for current user

System

USB

Mounting

USB devices are mounted automatically, but VHD drives might need to be mounted manually. To do so, go to the Disk Management utility, choose Attach VHD from the top menu, select the file, open it and click OK.

DISKPART

diskpart
DISKPART> list volume
DISKPART> select disk 0
DISKPART> clean # wipe the selected disk
DISKPART> list partition
DISKPART> select partition 1
DISKPART> active 
DISKPART> format fs=ntfs label=test quick
DISKPART> delete partition

Remote

FTP