If you’ve got some VHDX disk image files you need to analyze, your analysis tools may not ‘just work’ with them. Often the easiest route is to convert them to VHD files. This blog post shows an easy way to convert them in a simple one-line PowerShell command:
Note, however, that the Convert-VHD command only works if you have Hyper-V installed. To remedy this, use Turn Windows features on or off in Windows 10.
That’s about all there is to it.
There are a few good ways to include pieces of code. The first is to press Alt + Ctrl + 6, which creates a small code block. This works best for small pieces of code or command-line usage examples. For larger code samples where indentation or syntax coloring is beneficial, use gist.github.com:
Adding a Gist URL in the body of your Medium post (“story”) will automatically show a nice pane with the code.
When analyzing email headers from an MBOX file, a Python script like the ones below is useful for pulling out the fields of interest. The first script exports the data as a pipe-delimited file; the second (similar) program exports the results to an Excel file (.xlsx).
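The following is an added example of the pipe-delimited variant, not one of the author's scripts. It uses only the Python standard library (mailbox, email.header, csv); the column list and the sample mailbox embedded in it are constructed for illustration. It also covers two cases a quick script tends to get wrong: RFC 2047 encoded header values, and a literal "|" inside a display name or subject that would otherwise shift every following column.

```python
"""Extract selected header fields from an MBOX file as pipe-delimited rows.

Added example, not one of the author's scripts: it uses only the standard
library (mailbox, email.header, csv). The field list and the sample mailbox
are constructed for illustration.
"""
import csv
import io
import mailbox
import os
import tempfile
from email.header import decode_header, make_header

# Output columns, in order (assumption: a typical triage set; adjust as needed).
FIELDS = ("Date", "From", "To", "Subject", "Message-ID", "Received")


def decode_value(raw):
    """Decode RFC 2047 encoded words and collapse folded whitespace."""
    if raw is None:
        return ""
    try:
        text = str(make_header(decode_header(str(raw))))
    except (UnicodeDecodeError, ValueError, LookupError):
        text = str(raw)  # keep the raw value rather than drop the message
    return " ".join(text.split())


def extract_headers(mbox_path, fields=FIELDS):
    """Return one dict per message holding the requested header fields.

    Repeated headers (several Received: hops, for instance) are joined with
    '; ' so the whole chain survives in one cell.
    """
    rows = []
    box = mailbox.mbox(mbox_path)
    try:
        for msg in box:
            rows.append({name: "; ".join(decode_value(v) for v in (msg.get_all(name) or []))
                         for name in fields})
    finally:
        box.close()
    return rows


def to_pipe_delimited(rows, fields=FIELDS):
    """Render rows as '|'-separated text with a header line.

    A literal '|' in a display name or subject would shift every following
    column, so the csv module quotes any value containing the delimiter.
    """
    buf = io.StringIO()
    writer = csv.writer(buf, delimiter="|", quoting=csv.QUOTE_MINIMAL, lineterminator="\n")
    writer.writerow(fields)
    for row in rows:
        writer.writerow([row.get(name, "") for name in fields])
    return buf.getvalue()


# Constructed sample mailbox: the second message has a '|' in the display name
# and an RFC 2047 encoded subject, the two cases a naive script gets wrong.
SAMPLE_MBOX = """From alice@example.test Mon Jan  1 10:00:00 2024
From: Alice <alice@example.test>
To: bob@example.test
Subject: Quarterly report
Date: Mon, 01 Jan 2024 10:00:00 +0000
Message-ID: <a1@example.test>
Received: from mail.example.test ([198.51.100.7]) by mx.example.test; Mon, 01 Jan 2024 10:00:01 +0000

body one

From mallory@example.test Mon Jan  1 11:00:00 2024
From: "Invoice | Dept" <mallory@example.test>
To: bob@example.test
Subject: =?utf-8?q?R=C3=A9sum=C3=A9_attached?=
Date: Mon, 01 Jan 2024 11:00:00 +0000
Message-ID: <m2@example.test>

body two
"""


def demo():
    """Write the sample mailbox to a temp file, parse it and return (rows, text)."""
    fd, path = tempfile.mkstemp(suffix=".mbox")
    try:
        with os.fdopen(fd, "w", encoding="utf-8", newline="\n") as fh:
            fh.write(SAMPLE_MBOX)
        rows = extract_headers(path)
    finally:
        os.remove(path)
    return rows, to_pipe_delimited(rows)


if __name__ == "__main__":
    print(demo()[1], end="")
```

To run it against a real mailbox, call extract_headers("evidence.mbox") and write to_pipe_delimited(rows) to a file. Because the delimiter is quoted rather than stripped, the output round-trips through any reader that understands CSV quoting (Excel's text import included).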
Let’s say you’ve got a collection of PCAP files for a Jabber (XMPP) server and you need to identify what you can about the users of that server. The conversations themselves are encrypted, so you can’t get those. The IP addresses, server names, usernames, Jabber IDs and status messages are about all you can get. Here’s how you do it:
First pull out the packets containing the Jabber server port number:
tshark.exe -r all.pcap -Y 'tcp.dstport == 5222 && ip.dst == 127.0.0.1' -w jabber_filtered.pcapng
Second, filter for packets containing the Jabber XML fields we care about, and save the timestamp, source IP address and data (payload) of each in a JSON file:
tshark.exe -r jabber_filtered.pcapng -Y "frame contains ""from=""" -T json -e frame.time -e ip.src -e data > from.json
Lastly, use some Python to grab fields of interest and generate output in pipe-separated format:
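Here is an added example of that last step; it is not the author's script. It assumes the shape tshark -T json gives the command above: a list of packet objects whose _source.layers maps each -e field name to a list of strings, with the data payload rendered as hex (with or without ":" separators, both are accepted). The regular expressions, the bare-JID column and the sample packets are mine, constructed for illustration.

```python
"""Pull Jabber (XMPP) identity fields out of tshark JSON output.

Added example, not the author's script. It assumes the shape tshark -T json
gives the command above: a list of packet objects whose _source.layers maps
each -e field name to a list of strings, with `data` rendered as hex (with
or without ':' separators). The sample packets are constructed.
"""
import json
import re
from xml.sax.saxutils import unescape

FROM_RE = re.compile(r'\bfrom="([^"]*)"')
TO_RE = re.compile(r'\bto="([^"]*)"')
STATUS_RE = re.compile(r"<status[^>]*>(.*?)</status>", re.S)


def decode_data(hex_field):
    """Turn tshark's hex rendering of the data field back into text."""
    raw = bytes.fromhex(hex_field.replace(":", ""))
    return raw.decode("utf-8", errors="replace")


def first(layers, key):
    """Every -e field arrives as a list; return its first value or ''."""
    values = layers.get(key) or []
    return values[0] if values else ""


def bare_jid(jid):
    """user@host/resource -> user@host (the resource only names the client)."""
    return jid.split("/", 1)[0]


def extract_records(packets):
    """Return (time, src_ip, from, bare_jid, to, status) per packet with a from= attribute."""
    records = []
    for pkt in packets:
        layers = pkt.get("_source", {}).get("layers", {})
        data = first(layers, "data")
        if not data:
            continue  # frame matched the filter but carries no data layer
        text = decode_data(data)
        m_from = FROM_RE.search(text)
        if not m_from:
            continue
        m_to = TO_RE.search(text)
        m_status = STATUS_RE.search(text)
        sender = unescape(m_from.group(1))
        records.append((
            first(layers, "frame.time"),
            first(layers, "ip.src"),
            sender,
            bare_jid(sender),
            unescape(m_to.group(1)) if m_to else "",
            " ".join(unescape(m_status.group(1)).split()) if m_status else "",
        ))
    return records


def parse_tshark_json(text):
    """Parse the from.json text produced by the tshark command above."""
    return extract_records(json.loads(text))


def to_pipe_delimited(records):
    """Pipe-separated output; a '|' inside a status would shift columns, so it is replaced."""
    header = "time|src_ip|from|bare_jid|to|status"
    lines = ["|".join(field.replace("|", "/") for field in rec) for rec in records]
    return "\n".join([header] + lines) + "\n"


def _as_tshark_hex(payload):
    """Render a payload the way the data field appears in tshark JSON (constructed)."""
    return ":".join(f"{b:02x}" for b in payload.encode("utf-8"))


def _packet(time, src, payload=None):
    """Build one constructed packet object in the tshark -T json layout."""
    layers = {"frame.time": [time], "ip.src": [src]}
    if payload is not None:
        layers["data"] = [_as_tshark_hex(payload)]
    return {"_index": "packets-2024-01-01", "_type": "doc", "_score": None,
            "_source": {"layers": layers}}


# Constructed sample: a presence stanza with a status, a chat stanza whose body
# is encrypted (only the addressing survives), and a frame with no data layer.
SAMPLE_JSON = json.dumps([
    _packet("Jan  1, 2024 10:00:00.000000000 UTC", "192.0.2.10",
            '<presence from="alice@jabber.example.test/laptop" to="bob@jabber.example.test">'
            '<status>In a meeting &amp; busy</status></presence>'),
    _packet("Jan  1, 2024 10:00:05.000000000 UTC", "192.0.2.11",
            '<message from="bob@jabber.example.test/phone" to="alice@jabber.example.test" '
            'type="chat"><body>(encrypted)</body></message>'),
    _packet("Jan  1, 2024 10:00:07.000000000 UTC", "192.0.2.10"),
])


if __name__ == "__main__":
    print(to_pipe_delimited(parse_tshark_json(SAMPLE_JSON)), end="")
```

Against a real capture, read from.json and pass its contents to parse_tshark_json. The bare_jid column is what you want to group or count on: the resource after the "/" changes per client session, while user@host identifies the account.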
Ploop is a disk storage container used by OpenVZ; see https://wiki.openvz.org/Ploop
The ploop command (from the Ubuntu ploop package) can be used to manage, mount or convert these containers, provided you have the accompanying DiskDescriptor.xml file:
sudo apt-get install ploop
sudo apt-get install disktype
sudo ploop convert -f raw DiskDescriptor.xml