Forensics

Git Folder

The .git folder contains the entire history of the repository: every committed version of every file, plus the commit metadata. When a web server exposes it, deleted files can be recovered from the object store, and so can the complete original source code.

From a website, the code can be downloaded with wget --mirror -I .git TARGET.COM/.git/. This fetches the .git folder but not the working tree, so git status reports every tracked file as deleted. Running git checkout -- . restores them from the index. wget --mirror only works when directory listing is enabled on /.git/; the tool GitTools covers the other case: its Finder script checks a list of domains for exposed .git folders, Dumper downloads the repository without relying on directory listing, and Extractor writes out the files from each commit it finds.

Running git log in the folder lists the commits along with each author's name and email address. git log --diff-filter=D --name-only additionally shows which commits deleted files, and which files, so the interesting ones can be checked out from the parent commit.
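When git itself refuses to work on a partially downloaded repository (missing refs, truncated objects), the loose objects under .git/objects can still be read directly. The following is an added example, not part of the original page or of GitTools: it parses a loose object (zlib-compressed "type size\0content"), verifies that the content hashes to the path it was stored under, and walks an objects directory collecting every blob. The sample repository it builds in a temporary directory, the blob contents and the function names are assumptions made for the example.

```python
import hashlib
import os
import zlib


def build_loose_object(kind: str, content: bytes) -> tuple:
    """Encode content the way git stores a loose object: zlib("<type> <size>\\0" + content).
    Returns (object id, compressed bytes). Used below only to construct sample objects."""
    raw = f"{kind} {len(content)}".encode() + b"\x00" + content
    return hashlib.sha1(raw).hexdigest(), zlib.compress(raw)


def parse_loose_object(compressed: bytes) -> tuple:
    """Inflate one file from .git/objects/xx/yyyy... and split off its header.
    Returns (type, content, object id). Raises ValueError when the header is
    malformed or the declared size does not match the payload."""
    raw = zlib.decompress(compressed)
    header, sep, body = raw.partition(b"\x00")
    if not sep:
        raise ValueError("no NUL terminator after object header")
    kind, _, size = header.decode("ascii").partition(" ")
    if kind not in ("blob", "tree", "commit", "tag") or int(size) != len(body):
        raise ValueError(f"bad object header {header!r}")
    return kind, body, hashlib.sha1(raw).hexdigest()


def recover_blobs(git_dir: str) -> dict:
    """Walk .git/objects and return {object id: content} for every intact loose blob.
    Deleted files stay here until 'git gc' prunes them, even with no ref pointing at them.
    Objects inside .git/objects/pack/*.pack are not loose and are skipped here; run
    'git unpack-objects < file.pack' first to turn them into loose objects."""
    blobs = {}
    objects = os.path.join(git_dir, "objects")
    for prefix in sorted(os.listdir(objects)):
        if len(prefix) != 2:
            continue  # info/ and pack/ are not object fan-out directories
        for name in os.listdir(os.path.join(objects, prefix)):
            with open(os.path.join(objects, prefix, name), "rb") as f:
                data = f.read()
            try:
                kind, body, oid = parse_loose_object(data)
            except (zlib.error, ValueError):
                continue  # truncated or partial download: skip, keep going
            if oid != prefix + name:
                continue  # content does not hash to its path: corrupted or planted
            if kind == "blob":
                blobs[oid] = body
    return blobs


def demo() -> dict:
    """Write two constructed blobs into a temporary fake .git and recover them."""
    import tempfile
    git_dir = tempfile.mkdtemp(suffix=".git")
    for content in (b"FLAG{deleted_but_still_in_objects}\n", b"print('hello')\n"):
        oid, packed = build_loose_object("blob", content)
        subdir = os.path.join(git_dir, "objects", oid[:2])
        os.makedirs(subdir, exist_ok=True)
        with open(os.path.join(subdir, oid[2:]), "wb") as f:
            f.write(packed)
    return recover_blobs(git_dir)


if __name__ == "__main__":
    for oid, content in demo().items():
        print(oid, content)
```

The hash check matters on a dumped repository: a file that does not hash to its own path is either a truncated download or something that was never written by git, and git fsck would reject it anyway. Blobs carry no filename; the mapping from name to blob lives in tree objects, so on a damaged repository the quickest route to a deleted file is often to grep the recovered blob contents directly.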

File Carving

When you want to know what type a file is, use the file command; it identifies the type from the magic bytes at the start of the file rather than trusting the extension. Example:

$ file green_file
green_file: PNG image data, 63 x 36, 8-bit/color RGBA, non-interlaced

If we suspect that there is hidden data appended to or embedded inside a file, binwalk -e FILE scans it for known file signatures and extracts everything it finds. If asked how many files can be extracted, the answer is the whole count of what binwalk extracts, not just the ones that look real and interesting.
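What binwalk does at its core is a signature scan: look for the start marker of each known format, then for its end marker, and cut out the bytes in between. The following is an added example of that technique, not code from the page or from binwalk, covering just two signatures (PNG, ended by the fixed IEND chunk, and ZIP, ended by the end-of-central-directory record). The input it scans is constructed in the block: a 1x1 PNG and a one-entry ZIP buried in filler bytes. The assumed ZIP trailer length (22 bytes) holds only for archives with no comment.

```python
import io
import struct
import zipfile
import zlib

# (name, start magic, trailer magic, bytes that follow the trailer magic).
# A constructed subset of the signature table binwalk ships with.
SIGNATURES = [
    ("png", b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82", 0),  # IEND chunk plus its fixed CRC
    ("zip", b"PK\x03\x04", b"PK\x05\x06", 18),            # EOCD record, assumes no archive comment
]


def carve(data: bytes) -> list:
    """Return (type, bytes) for every signature match, ordered by offset.
    Every match counts, not only the ones that look interesting."""
    hits = []
    for name, magic, trailer, tail in SIGNATURES:
        pos = 0
        while (start := data.find(magic, pos)) != -1:
            pos = start + len(magic)
            end = data.find(trailer, pos)
            if end == -1:
                continue  # header with no trailer: truncated, nothing to carve
            end += len(trailer) + tail
            hits.append((start, name, data[start:end]))
    return [(name, blob) for _, name, blob in sorted(hits, key=lambda h: h[0])]


def png_chunk(kind: bytes, body: bytes) -> bytes:
    """Length, type, data, CRC over type+data, as the PNG spec lays a chunk out."""
    return struct.pack(">I", len(body)) + kind + body + struct.pack(">I", zlib.crc32(kind + body))


def build_sample() -> bytes:
    """Constructed input: a 1x1 greyscale PNG and a one-entry ZIP inside filler bytes."""
    png = (b"\x89PNG\r\n\x1a\n"
           + png_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
           + png_chunk(b"IDAT", zlib.compress(b"\x00\x00"))  # filter byte + one pixel
           + png_chunk(b"IEND", b""))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("flag.txt", "FLAG{carved}")
    filler = bytes(range(256))  # contains neither magic
    return filler + png + filler + buf.getvalue() + filler


def read_zip_entry(blob: bytes, name: str) -> bytes:
    """Open a carved ZIP from memory and return one member, proving the cut was clean."""
    return zipfile.ZipFile(io.BytesIO(blob)).read(name)


if __name__ == "__main__":
    for kind, blob in carve(build_sample()):
        print(kind, len(blob), "bytes")
```

Two caveats carry over to real binwalk runs. A trailer search like this stops at the first end marker, so a format whose payload can legitimately contain the marker (a ZIP nested inside a ZIP, for instance) gets cut short, which is why binwalk reports nested and partial matches separately and the file count is what it is. And a start magic is only 4 to 8 bytes, so large random-looking inputs produce false positives that still count as "extracted".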

Email Headers

WhatMail is a command-line tool that analyzes the header of an email and provides detailed information about its fields. It extracts the commonly recognized header fields (To, From, Subject, Date, Delivered-To) as well as the fields that matter when tracing a message: Message-ID, Return-Path, Reply-To, X-Headers, MIME-Version, Content-Type, Received-SPF, DKIM-Signature, Authentication-Results, X-Mailer and DMARC results.

Installation

git clone https://github.com/z0m31en7/WhatMail.git
cd WhatMail
python WhatMail.py -hf {Path_to_header_file}
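The checks WhatMail reports can be reproduced with the standard library, which is useful when the header has to be processed in bulk or offline. The following is an added example, not WhatMail's own code: it walks the Received chain from the bottom (the first hop, nearest the sender) to the top, pulls the spf/dkim/dmarc verdicts out of Authentication-Results, and flags Reply-To and Return-Path domains that differ from the From domain. The header it analyzes is constructed for the example, with documentation IP ranges and example.* domains; nothing in it is a real message.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (not a real message): From is spoofed, Reply-To and Return-Path
# point elsewhere, and the receiving MX recorded an SPF/DMARC failure.
SAMPLE_HEADER = """\
Delivered-To: victim@example.com
Received: from mx.example.com (mx.example.com [203.0.113.5])
\tby inbox.example.com with ESMTPS id abc123
\tfor <victim@example.com>; Mon, 01 Jan 2024 10:00:03 +0000
Received: from relay.example.net (relay.example.net [198.51.100.7])
\tby mx.example.com with ESMTP id def456; Mon, 01 Jan 2024 10:00:02 +0000
Received: from [192.0.2.44] (unknown [192.0.2.44])
\tby relay.example.net with SMTP id ghi789; Mon, 01 Jan 2024 10:00:01 +0000
Authentication-Results: mx.example.com;
\tspf=fail smtp.mailfrom=payments.example.org;
\tdkim=none;
\tdmarc=fail header.from=payments.example.org
Return-Path: <bounce@attacker.example.net>
From: "Payments Team" <billing@payments.example.org>
Reply-To: billing-desk@attacker.example.net
To: victim@example.com
Subject: Invoice overdue
Message-ID: <20240101100000.1@attacker.example.net>
Date: Mon, 01 Jan 2024 09:59:59 +0000
X-Mailer: PHPMailer 6.8.0
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8

"""

IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
AUTH = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")


def domain_of(header_value: str) -> str:
    """Domain part of the address in a From/Reply-To/Return-Path header, lower-cased."""
    return parseaddr(header_value)[1].rpartition("@")[2].lower()


def analyze(raw_header: str) -> dict:
    msg = message_from_string(raw_header)
    # Each MTA prepends its own Received line, so top to bottom walks from the final
    # mailbox back towards the sender; the bottom line is the first hop.
    hops = [re.sub(r"\s+", " ", h) for h in msg.get_all("Received", [])]
    origin = IPV4.search(hops[-1]) if hops else None
    auth = dict(AUTH.findall(re.sub(r"\s+", " ", msg.get("Authentication-Results", ""))))
    from_domain = domain_of(msg.get("From", ""))
    findings = []
    for field in ("Reply-To", "Return-Path"):
        d = domain_of(msg.get(field, ""))
        if d and d != from_domain:
            findings.append(f"{field} domain {d} differs from From domain {from_domain}")
    for mech, result in auth.items():
        if result != "pass":  # fail, softfail, none, temperror, ... all deserve a look
            findings.append(f"{mech}={result}")
    return {
        "origin_ip": origin.group(1) if origin else None,
        "hop_count": len(hops),
        "auth": auth,
        "from_domain": from_domain,
        "x_mailer": msg.get("X-Mailer"),
        "findings": findings,
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_HEADER).items():
        print(f"{key}: {value}")
```

One caveat applies to any header analyzer, WhatMail included: only the Received lines added by servers you trust are evidence. The sender controls everything below the first trusted hop and can insert fake Received lines, so the "origin IP" read from the bottom of the chain is a lead, not proof. Authentication-Results is likewise only meaningful when it was written by your own receiving MX (the hostname before the first semicolon) rather than carried in from outside.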

IP Geolocation

IPGeo is a Python tool that extracts the IP addresses from a captured network traffic file (a pcap) and generates a CSV file containing each IP address and its corresponding geographic location. Only public addresses have a location; RFC 1918 and other reserved ranges in the capture cannot be geolocated and should be separated out first.
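The extraction step is a small binary parse, and doing it by hand shows where the addresses actually come from in a capture. The following is an added example, not IPGeo's code: it reads the classic pcap format (magic, 24-byte global header, then a 16-byte record header per packet), assumes Ethernet link type, reads the IPv4 source and destination out of each frame, and then sorts the unique addresses into those a geolocation database can answer for and those it cannot. The capture it parses is constructed inside the block (four UDP-sized IPv4 frames and one ARP frame); the addresses in it are well-known public resolvers and private ranges chosen for the example. pcapng captures are deliberately rejected rather than mis-parsed.

```python
import ipaddress
import struct

PCAP_MAGIC_LE, PCAP_MAGIC_BE = 0xA1B2C3D4, 0xD4C3B2A1
LINKTYPE_ETHERNET = 1


def parse_pcap(data: bytes) -> list:
    """Return (src, dst) IPv4 pairs from a classic pcap with Ethernet link type."""
    magic, = struct.unpack("<I", data[:4])
    if magic == PCAP_MAGIC_LE:
        end = "<"
    elif magic == PCAP_MAGIC_BE:
        end = ">"
    else:
        raise ValueError("not a classic pcap (pcapng and other formats are not handled here)")
    # magic, major, minor, thiszone, sigfigs, snaplen, network
    linktype = struct.unpack(end + "IHHiIII", data[:24])[6]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported link type {linktype}, expected Ethernet (1)")
    pairs = []
    off = 24
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack(end + "IIII", data[off:off + 16])  # ts_sec, ts_usec, incl, orig
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # not IPv4 (ARP, IPv6, VLAN-tagged) or truncated below an IP header
        pairs.append((str(ipaddress.IPv4Address(frame[26:30])),
                      str(ipaddress.IPv4Address(frame[30:34]))))
    return pairs


def geolocatable_ips(pairs: list) -> dict:
    """Split the unique addresses into public ones a geolocation DB can place and
    private/reserved ones (RFC 1918, loopback, link-local, documentation) it cannot."""
    public, private = set(), set()
    for pair in pairs:
        for ip in pair:
            (public if ipaddress.ip_address(ip).is_global else private).add(ip)
    return {"public": sorted(public), "private": sorted(private)}


def ipv4_frame(src: str, dst: str) -> bytes:
    """Ethernet + minimal IPv4 header + 8 zero bytes standing in for a UDP header. Constructed."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 17, 0,
                         ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return eth + ip_hdr + b"\x00" * 8


def build_sample_pcap() -> bytes:
    """Constructed little-endian pcap: four IPv4 frames and one ARP frame that must be skipped."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    flows = [("192.168.1.10", "8.8.8.8"), ("8.8.8.8", "192.168.1.10"),
             ("192.168.1.10", "1.1.1.1"), ("10.0.0.5", "192.168.1.10")]
    for i, (src, dst) in enumerate(flows):
        frame = ipv4_frame(src, dst)
        out += struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)) + frame
    arp = b"\xff" * 6 + b"\x00" * 6 + b"\x08\x06" + b"\x00" * 28
    out += struct.pack("<IIII", 1700000010, 0, len(arp), len(arp)) + arp
    return out


if __name__ == "__main__":
    print(geolocatable_ips(parse_pcap(build_sample_pcap())))
```

The public list is what would be fed to a geolocation database to produce the CSV; the private list is the part of the capture that tells you about the local network layout instead. Addresses that sit behind a NAT all appear as the one public address of the gateway, so a location lookup places the gateway, not the host.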