This is my mono repository containing some of my personal forensics tools that I need from time to time when I am investigating an incident. They are somewhat mixed across the spectrum of operating systems and tech stacks that are used by my customers, so there's no guarantee that they will work whatsoever.
The Git Tools are useful for OSINT gathering on public repositories, such as on BitBucket, GitHub or GitLab.
The SQL Tools are useful for working with extremely large SQL file dumps that are too huge to be opened at once.
sql-tables large-dump.sql; # list of table names
sql-extract large-dump.sql table-name; # extracts a specific table and its dataThe Torrent Tools allow to inspect and modify magnet: URLs.
The TOTP Tools allow to export encoded otp-migration:// 2FA seeds
from screenshots or camera photos into a json file and a QRCode png that can
be used to import them within other password managers.
totp-extract ./path/to/camera-photo-of-qrcode.jpg;The uncrx tool is useful for extracting a .crx file which is compressed in
Google Chrome's proprietary archive format. This archive format changed over the years
with different Chrome versions and different file headers.
export EXTENSION_ID="cjpalhdlnbpafiamejdnhcphjbkeiagm";
export EXTENSION_NAME="ublock-origin";
wget -O "$EXTENSION_NAME.crx" "https://clients2.google.com/service/update2/crx?response=redirect&acceptformat=crx2,crx3&prodversion=100&x=id%3D$EXTENSION_ID%26uc";
uncrx "$EXTENSION_NAME.crx": # creates the $EXTENSION_NAME.zip file in the same folder
unzip "$EXTENSION_NAME.zip" -d "./$EXTENSION_NAME"; # unpack the extension, so that it can be loaded in Developer ModeGPL3