From b908ce934f0b31ace35dea952ee67057af07d082 Mon Sep 17 00:00:00 2001 From: Ana Maria Martinez Gomez Date: Mon, 20 Nov 2023 15:38:03 +0100 Subject: [PATCH 1/3] flarevm.installer.vm: Delete `flarevm.installer.vm` is not used anymore as FLARE-VM now uses `installer.vm` which is shared with Commando VM. --- .../flarevm.installer.vm.nuspec | 14 -- .../tools/chocolateyinstall.ps1 | 129 ------------------ 2 files changed, 143 deletions(-) delete mode 100644 packages/flarevm.installer.vm/flarevm.installer.vm.nuspec delete mode 100644 packages/flarevm.installer.vm/tools/chocolateyinstall.ps1 diff --git a/packages/flarevm.installer.vm/flarevm.installer.vm.nuspec b/packages/flarevm.installer.vm/flarevm.installer.vm.nuspec deleted file mode 100644 index 9aee17118..000000000 --- a/packages/flarevm.installer.vm/flarevm.installer.vm.nuspec +++ /dev/null @@ -1,14 +0,0 @@ - - - - flarevm.installer.vm - 0.0.0.20230626 - FLARE VM Installer - FLARE - Generic installer for Mandiant's custom virtual machines. Originally created by FLARE for FLARE VM, a malware analysis environment. - - - - - - diff --git a/packages/flarevm.installer.vm/tools/chocolateyinstall.ps1 b/packages/flarevm.installer.vm/tools/chocolateyinstall.ps1 deleted file mode 100644 index 0257bdbbb..000000000 --- a/packages/flarevm.installer.vm/tools/chocolateyinstall.ps1 +++ /dev/null 
@@ -1,129 +0,0 @@ -$ErrorActionPreference = 'Continue' -$global:VerbosePreference = "SilentlyContinue" -Import-Module vm.common -Force -DisableNameChecking - -function Get-InstalledPackages { - if (Get-Command choco -ErrorAction:SilentlyContinue) { - powershell.exe "choco list -r" | ForEach-Object { - $Name, $Version = $_ -split '\|' - New-Object -TypeName psobject -Property @{ - 'Name' = $Name - 'Version' = $Version - } - } - } -} - -try { - # Gather packages to install - $installedPackages = (Get-InstalledPackages).Name - $configPath = Join-Path ${Env:VM_COMMON_DIR} "config.xml" -Resolve - $configXml = [xml](Get-Content $configPath) - $packagesToInstall = $configXml.config.packages.package.name | Where-Object { $installedPackages -notcontains $_ } - - # List packages to install - Write-Host "[+] Packages to install:" - foreach ($package in $packagesToInstall) { - Write-Host "`t[+] $package" - } - Start-Sleep 1 - - # Install the packages - foreach ($package in $packagesToInstall) { - Write-Host "[+] Installing: $package" -ForegroundColor Cyan - choco install "$package" -y - } - Write-Host "[+] Installation complete" -ForegroundColor Green - - # Remove Chocolatey cache - $cache = "${Env:LocalAppData}\ChocoCache" - Remove-Item $cache -Recurse -Force - - # Construct failed packages file path - $desktopPath = [Environment]::GetFolderPath("Desktop") - $failedPackages = Join-Path $desktopPath "failed_packages.txt" - $failures = @{} - - # Check and list failed packages from "lib-bad" - $chocoLibBad = Join-Path ${Env:ProgramData} "chocolatey\lib-bad" - if ((Test-Path $chocoLibBad) -and (Get-ChildItem -Path $chocoLibBad | Measure-Object).Count -gt 0) { - Get-ChildItem -Path $chocoLibBad | Foreach-Object { - $failures[$_.Name] = $true - } - } - - # Cross-compare packages to install versus installed packages to find failed packages - $installedPackages = (Get-InstalledPackages).Name - foreach ($package in $packagesToInstall) { - if ($installedPackages -notcontains $package) 
{ - $failures[$package] = $true - } - } - - $installedPackages = choco list -r | Out-String - VM-Write-Log "INFO" "Packages installed:`n$installedPackages" - - # Write each failed package to failure file - foreach ($package in $failures.Keys) { - VM-Write-Log "ERROR" "Failed to install: $package" - Add-Content $failedPackages $package - } - - # Log additional info if we found failed packages - $logPath = Join-Path ${Env:VM_COMMON_DIR} "log.txt" - if ((Test-Path $failedPackages)) { - VM-Write-Log "ERROR" "For each failed package, you may attempt a manual install via: choco install -y " - VM-Write-Log "ERROR" "Failed package list saved to: $failedPackages" - VM-Write-Log "ERROR" "Please check the following logs for additional errors:" - VM-Write-Log "ERROR" "`t$logPath (this file)" - VM-Write-Log "ERROR" "`t%PROGRAMDATA%\chocolatey\logs\chocolatey.log" - VM-Write-Log "ERROR" "`t%LOCALAPPDATA%\Boxstarter\boxstarter.log" - } - - # Display installer log if available - if ((Test-Path $logPath)) { - Write-Host "[-] Please check the following logs for any errors:" -ForegroundColor Yellow - Write-Host "`t[-] $logPath" -ForegroundColor Yellow - Write-Host "`t[-] %PROGRAMDATA%\chocolatey\logs\chocolatey.log" -ForegroundColor Yellow - Write-Host "`t[-] %LOCALAPPDATA%\Boxstarter\boxstarter.log" -ForegroundColor Yellow - Start-Sleep 5 - & notepad.exe $logPath - } - - # Let users know installation is complete by setting background, playing win sound, and display message box - Set-ItemProperty 'HKCU:\Control Panel\Colors' -Name Background -Value "0 0 0" -Force | Out-Null - $backgroundImage = "${Env:VM_COMMON_DIR}\background.png" - if ((Test-Path $backgroundImage)) { - # Center: 0, Stretch: 2, Fit:6, Fill: 10, Span: 22 - New-ItemProperty -Path "HKCU:\Control Panel\Desktop" -Name WallpaperStyle -PropertyType String -Value 6 -Force | Out-Null - New-ItemProperty -Path "HKCU:\Control Panel\Desktop" -Name TileWallpaper -PropertyType String -Value 0 -Force | Out-Null - Add-Type 
-TypeDefinition @" -using System; -using System.Runtime.InteropServices; - -public class VMBackground -{ - [DllImport("User32.dll",CharSet=CharSet.Unicode)] - public static extern int SystemParametersInfo (Int32 uAction, Int32 uParam, String lpvParam, Int32 fuWinIni); - [DllImport("User32.dll",CharSet=CharSet.Unicode)] - public static extern bool SetSysColors(int cElements, int[] lpaElements, int[] lpaRgbValues); -} -"@ - [VMBackground]::SystemParametersInfo(20, 0, $backgroundImage, 3) - [VMBackground]::SetSysColors(1, @(1), @(0x000000)) - } - - $playWav = New-Object System.Media.SoundPlayer - $playWav.SoundLocation = 'https://www.winhistory.de/more/winstart/down/owin31.wav' - $playWav.PlaySync() - - Add-Type -AssemblyName PresentationCore,PresentationFramework - $msgBody = "Install complete!`nPlease review %VM_COMMON_DIR%\log.txt for any errors.`nThank you" - $msgTitle = "VM Installation Complete" - $msgButton = 'OK' - $msgImage = 'Asterisk' - [System.Windows.MessageBox]::Show($msgBody,$msgTitle,$msgButton,$msgImage) -} catch { - VM-Write-Log-Exception $_ -} - From d55c67a716ca09e24a5786f4785c25e2173f952c Mon Sep 17 00:00:00 2001 
From: Naacbin Date: Fri, 8 Dec 2023 14:51:39 +0100 Subject: [PATCH 2/3] Add .NET6 ZimmermanTools --- packages/amcacheparser.vm/amcacheparser.vm.nuspec | 13 +++++++++++++ .../amcacheparser.vm/tools/chocolateyinstall.ps1 | 10 ++++++++++ .../amcacheparser.vm/tools/chocolateyuninstall.ps1 | 7 +++++++ .../appcompatcacheparser.vm.nuspec | 13 +++++++++++++ .../tools/chocolateyinstall.ps1 | 10 ++++++++++ .../tools/chocolateyuninstall.ps1 | 7 +++++++ packages/bstrings.vm/bstrings.vm.nuspec | 13 +++++++++++++ packages/bstrings.vm/tools/chocolateyinstall.ps1 | 10 ++++++++++ packages/bstrings.vm/tools/chocolateyuninstall.ps1 | 7 +++++++ packages/evtxecmd.vm/evtxecmd.vm.nuspec | 13 +++++++++++++ packages/evtxecmd.vm/tools/chocolateyinstall.ps1 | 10 ++++++++++ packages/evtxecmd.vm/tools/chocolateyuninstall.ps1 | 7 +++++++ packages/ezviewer.vm/ezviewer.vm.nuspec | 13 +++++++++++++ packages/ezviewer.vm/tools/chocolateyinstall.ps1 | 10 ++++++++++ packages/ezviewer.vm/tools/chocolateyuninstall.ps1 | 7 +++++++ packages/jlecmd.vm/jlecmd.vm.nuspec | 13 +++++++++++++ packages/jlecmd.vm/tools/chocolateyinstall.ps1 | 10 ++++++++++ packages/jlecmd.vm/tools/chocolateyuninstall.ps1 | 7 +++++++ .../jumplist_explorer.vm.nuspec | 13 +++++++++++++ .../tools/chocolateyinstall.ps1 | 10 ++++++++++ .../tools/chocolateyuninstall.ps1 | 7 +++++++ packages/lecmd.vm/lecmd.vm.nuspec | 13 +++++++++++++ packages/lecmd.vm/tools/chocolateyinstall.ps1 | 10 ++++++++++ packages/lecmd.vm/tools/chocolateyuninstall.ps1 | 7 +++++++ packages/mft_explorer.vm/mft_explorer.vm.nuspec | 13 +++++++++++++ .../mft_explorer.vm/tools/chocolateyinstall.ps1 | 10 ++++++++++ .../mft_explorer.vm/tools/chocolateyuninstall.ps1 | 7 +++++++ packages/mftecmd.vm/mftecmd.vm.nuspec | 13 +++++++++++++ packages/mftecmd.vm/tools/chocolateyinstall.ps1 | 10 ++++++++++ packages/mftecmd.vm/tools/chocolateyuninstall.ps1 | 7 +++++++ packages/pecmd.vm/pecmd.vm.nuspec | 13 +++++++++++++ packages/pecmd.vm/tools/chocolateyinstall.ps1 | 10 ++++++++++ 
packages/pecmd.vm/tools/chocolateyuninstall.ps1 | 7 +++++++ packages/rbcmd.vm/rbcmd.vm.nuspec | 13 +++++++++++++ packages/rbcmd.vm/tools/chocolateyinstall.ps1 | 10 ++++++++++ packages/rbcmd.vm/tools/chocolateyuninstall.ps1 | 7 +++++++ .../recentfilecacheparser.vm.nuspec | 13 +++++++++++++ .../tools/chocolateyinstall.ps1 | 10 ++++++++++ .../tools/chocolateyuninstall.ps1 | 7 +++++++ packages/recmd.vm/recmd.vm.nuspec | 13 +++++++++++++ packages/recmd.vm/tools/chocolateyinstall.ps1 | 10 ++++++++++ packages/recmd.vm/tools/chocolateyuninstall.ps1 | 7 +++++++ .../registry_explorer.vm.nuspec | 13 +++++++++++++ .../tools/chocolateyinstall.ps1 | 10 ++++++++++ .../tools/chocolateyuninstall.ps1 | 7 +++++++ packages/rla.vm/rla.vm.nuspec | 13 +++++++++++++ packages/rla.vm/tools/chocolateyinstall.ps1 | 10 ++++++++++ packages/rla.vm/tools/chocolateyuninstall.ps1 | 7 +++++++ packages/sbecmd.vm/sbecmd.vm.nuspec | 13 +++++++++++++ packages/sbecmd.vm/tools/chocolateyinstall.ps1 | 10 ++++++++++ packages/sbecmd.vm/tools/chocolateyuninstall.ps1 | 7 +++++++ packages/sdb_explorer.vm/sdb_explorer.vm.nuspec | 13 +++++++++++++ .../sdb_explorer.vm/tools/chocolateyinstall.ps1 | 10 ++++++++++ .../sdb_explorer.vm/tools/chocolateyuninstall.ps1 | 7 +++++++ .../shellbags_explorer.vm.nuspec | 13 +++++++++++++ .../tools/chocolateyinstall.ps1 | 10 ++++++++++ .../tools/chocolateyuninstall.ps1 | 7 +++++++ packages/sqlecmd.vm/sqlecmd.vm.nuspec | 13 +++++++++++++ packages/sqlecmd.vm/tools/chocolateyinstall.ps1 | 10 ++++++++++ packages/sqlecmd.vm/tools/chocolateyuninstall.ps1 | 7 +++++++ packages/srumecmd.vm/srumecmd.vm.nuspec | 13 +++++++++++++ packages/srumecmd.vm/tools/chocolateyinstall.ps1 | 10 ++++++++++ packages/srumecmd.vm/tools/chocolateyuninstall.ps1 | 7 +++++++ packages/sumecmd.vm/sumecmd.vm.nuspec | 13 +++++++++++++ packages/sumecmd.vm/tools/chocolateyinstall.ps1 | 10 ++++++++++ packages/sumecmd.vm/tools/chocolateyuninstall.ps1 | 7 +++++++ .../timeline_explorer.vm.nuspec | 13 +++++++++++++ 
.../tools/chocolateyinstall.ps1 | 10 ++++++++++ .../tools/chocolateyuninstall.ps1 | 7 +++++++ packages/vscmount.vm/tools/chocolateyinstall.ps1 | 10 ++++++++++ packages/vscmount.vm/tools/chocolateyuninstall.ps1 | 7 +++++++ packages/vscmount.vm/vscmount.vm.nuspec | 13 +++++++++++++ packages/wxtcmd.vm/tools/chocolateyinstall.ps1 | 10 ++++++++++ packages/wxtcmd.vm/tools/chocolateyuninstall.ps1 | 7 +++++++ packages/wxtcmd.vm/wxtcmd.vm.nuspec | 13 +++++++++++++ 75 files changed, 750 insertions(+) create mode 100644 packages/amcacheparser.vm/amcacheparser.vm.nuspec create mode 100644 packages/amcacheparser.vm/tools/chocolateyinstall.ps1 create mode 100644 packages/amcacheparser.vm/tools/chocolateyuninstall.ps1 create mode 100644 packages/appcompatcacheparser.vm/appcompatcacheparser.vm.nuspec create mode 100644 packages/appcompatcacheparser.vm/tools/chocolateyinstall.ps1 create mode 100644 packages/appcompatcacheparser.vm/tools/chocolateyuninstall.ps1 create mode 100644 packages/bstrings.vm/bstrings.vm.nuspec create mode 100644 packages/bstrings.vm/tools/chocolateyinstall.ps1 create mode 100644 packages/bstrings.vm/tools/chocolateyuninstall.ps1 create mode 100644 packages/evtxecmd.vm/evtxecmd.vm.nuspec create mode 100644 packages/evtxecmd.vm/tools/chocolateyinstall.ps1 create mode 100644 packages/evtxecmd.vm/tools/chocolateyuninstall.ps1 create mode 100644 packages/ezviewer.vm/ezviewer.vm.nuspec create mode 100644 packages/ezviewer.vm/tools/chocolateyinstall.ps1 create mode 100644 packages/ezviewer.vm/tools/chocolateyuninstall.ps1 create mode 100644 packages/jlecmd.vm/jlecmd.vm.nuspec create mode 100644 packages/jlecmd.vm/tools/chocolateyinstall.ps1 create mode 100644 packages/jlecmd.vm/tools/chocolateyuninstall.ps1 create mode 100644 packages/jumplist_explorer.vm/jumplist_explorer.vm.nuspec create mode 100644 packages/jumplist_explorer.vm/tools/chocolateyinstall.ps1 create mode 100644 packages/jumplist_explorer.vm/tools/chocolateyuninstall.ps1 create mode 100644 
packages/lecmd.vm/lecmd.vm.nuspec create mode 100644 packages/lecmd.vm/tools/chocolateyinstall.ps1 create mode 100644 packages/lecmd.vm/tools/chocolateyuninstall.ps1 create mode 100644 packages/mft_explorer.vm/mft_explorer.vm.nuspec create mode 100644 packages/mft_explorer.vm/tools/chocolateyinstall.ps1 create mode 100644 packages/mft_explorer.vm/tools/chocolateyuninstall.ps1 create mode 100644 packages/mftecmd.vm/mftecmd.vm.nuspec create mode 100644 packages/mftecmd.vm/tools/chocolateyinstall.ps1 create mode 100644 packages/mftecmd.vm/tools/chocolateyuninstall.ps1 create mode 100644 packages/pecmd.vm/pecmd.vm.nuspec create mode 100644 packages/pecmd.vm/tools/chocolateyinstall.ps1 create mode 100644 packages/pecmd.vm/tools/chocolateyuninstall.ps1 create mode 100644 packages/rbcmd.vm/rbcmd.vm.nuspec create mode 100644 packages/rbcmd.vm/tools/chocolateyinstall.ps1 create mode 100644 packages/rbcmd.vm/tools/chocolateyuninstall.ps1 create mode 100644 packages/recentfilecacheparser.vm/recentfilecacheparser.vm.nuspec create mode 100644 packages/recentfilecacheparser.vm/tools/chocolateyinstall.ps1 create mode 100644 packages/recentfilecacheparser.vm/tools/chocolateyuninstall.ps1 create mode 100644 packages/recmd.vm/recmd.vm.nuspec create mode 100644 packages/recmd.vm/tools/chocolateyinstall.ps1 create mode 100644 packages/recmd.vm/tools/chocolateyuninstall.ps1 create mode 100644 packages/registry_explorer.vm/registry_explorer.vm.nuspec create mode 100644 packages/registry_explorer.vm/tools/chocolateyinstall.ps1 create mode 100644 packages/registry_explorer.vm/tools/chocolateyuninstall.ps1 create mode 100644 packages/rla.vm/rla.vm.nuspec create mode 100644 packages/rla.vm/tools/chocolateyinstall.ps1 create mode 100644 packages/rla.vm/tools/chocolateyuninstall.ps1 create mode 100644 packages/sbecmd.vm/sbecmd.vm.nuspec create mode 100644 packages/sbecmd.vm/tools/chocolateyinstall.ps1 create mode 100644 packages/sbecmd.vm/tools/chocolateyuninstall.ps1 create mode 100644 
packages/sdb_explorer.vm/sdb_explorer.vm.nuspec create mode 100644 packages/sdb_explorer.vm/tools/chocolateyinstall.ps1 create mode 100644 packages/sdb_explorer.vm/tools/chocolateyuninstall.ps1 create mode 100644 packages/shellbags_explorer.vm/shellbags_explorer.vm.nuspec create mode 100644 packages/shellbags_explorer.vm/tools/chocolateyinstall.ps1 create mode 100644 packages/shellbags_explorer.vm/tools/chocolateyuninstall.ps1 create mode 100644 packages/sqlecmd.vm/sqlecmd.vm.nuspec create mode 100644 packages/sqlecmd.vm/tools/chocolateyinstall.ps1 create mode 100644 packages/sqlecmd.vm/tools/chocolateyuninstall.ps1 create mode 100644 packages/srumecmd.vm/srumecmd.vm.nuspec create mode 100644 packages/srumecmd.vm/tools/chocolateyinstall.ps1 create mode 100644 packages/srumecmd.vm/tools/chocolateyuninstall.ps1 create mode 100644 packages/sumecmd.vm/sumecmd.vm.nuspec create mode 100644 packages/sumecmd.vm/tools/chocolateyinstall.ps1 create mode 100644 packages/sumecmd.vm/tools/chocolateyuninstall.ps1 create mode 100644 packages/timeline_explorer.vm/timeline_explorer.vm.nuspec create mode 100644 packages/timeline_explorer.vm/tools/chocolateyinstall.ps1 create mode 100644 packages/timeline_explorer.vm/tools/chocolateyuninstall.ps1 create mode 100644 packages/vscmount.vm/tools/chocolateyinstall.ps1 create mode 100644 packages/vscmount.vm/tools/chocolateyuninstall.ps1 create mode 100644 packages/vscmount.vm/vscmount.vm.nuspec create mode 100644 packages/wxtcmd.vm/tools/chocolateyinstall.ps1 create mode 100644 packages/wxtcmd.vm/tools/chocolateyuninstall.ps1 create mode 100644 packages/wxtcmd.vm/wxtcmd.vm.nuspec diff --git a/packages/amcacheparser.vm/amcacheparser.vm.nuspec b/packages/amcacheparser.vm/amcacheparser.vm.nuspec new file mode 100644 index 000000000..5a31c9534 --- /dev/null +++ b/packages/amcacheparser.vm/amcacheparser.vm.nuspec 
@@ -0,0 +1,13 @@
+
+
+
+ amcacheparser.vm
+ 1.5.1.20231208
+ Eric Zimmerman
+ Amcache.hve parser with lots of extra features. Handles locked files
+
+
+
+
+
+
diff --git a/packages/amcacheparser.vm/tools/chocolateyinstall.ps1 b/packages/amcacheparser.vm/tools/chocolateyinstall.ps1
new file mode 100644
index 000000000..c57e60f4e
--- /dev/null
+++ b/packages/amcacheparser.vm/tools/chocolateyinstall.ps1
@@ -0,0 +1,10 @@
+$ErrorActionPreference = 'Stop'
+Import-Module vm.common -Force -DisableNameChecking
+
+$toolName = 'AmcacheParser'
+$category = 'Forensic'
+
+$zipUrl = 'https://f001.backblazeb2.com/file/EricZimmermanTools/net6/AmcacheParser.zip'
+$zipSha256 = '7b78aa7f26287c6b9b3bf68d3bbccc372687760edf9ae84fafceaed3de535566'
+
+VM-Install-From-Zip $toolName $category $zipUrl -zipSha256 $zipSha256 -consoleApp $true -innerFolder $false
diff --git a/packages/amcacheparser.vm/tools/chocolateyuninstall.ps1 b/packages/amcacheparser.vm/tools/chocolateyuninstall.ps1
new file mode 100644
index 000000000..5dfcb6142
--- /dev/null
+++ b/packages/amcacheparser.vm/tools/chocolateyuninstall.ps1
@@ -0,0 +1,7 @@
+$ErrorActionPreference = 'Continue'
+Import-Module vm.common -Force -DisableNameChecking
+
+$toolName = 'AmcacheParser'
+$category = 'Forensic'
+
+VM-Uninstall $toolName $category
diff --git a/packages/appcompatcacheparser.vm/appcompatcacheparser.vm.nuspec b/packages/appcompatcacheparser.vm/appcompatcacheparser.vm.nuspec
new file mode 100644
index 000000000..7e75f011c
--- /dev/null
+++ b/packages/appcompatcacheparser.vm/appcompatcacheparser.vm.nuspec
@@ -0,0 +1,13 @@
+
+
+
+ appcompatcacheparser.vm
+ 1.5.0.20231208
+ Eric Zimmerman
+ AppCompatCache aka ShimCache parser. Handles locked files
+
+
+
+
+
+
diff --git a/packages/appcompatcacheparser.vm/tools/chocolateyinstall.ps1 b/packages/appcompatcacheparser.vm/tools/chocolateyinstall.ps1
new file mode 100644
index 000000000..70d77a642
--- /dev/null
+++ b/packages/appcompatcacheparser.vm/tools/chocolateyinstall.ps1
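Review bot: `$zipSha256` pins a download whose URL (`.../net6/AmcacheParser.zip`) carries no version, while the nuspec in the same patch records 1.5.1.20231208, so the integrity check will fail closed the moment upstream republishes the zip under the same name. Failing closed is the right outcome for an artifact fetched over the network, but it means every `tools/chocolateyinstall.ps1` in this patch (appcompatcacheparser through wxtcmd, same layout) goes stale at once and nothing in the file records where the hash came from. Consider a comment above the pin, e.g. `# SHA256 of the unversioned net6 zip as fetched on 2023-12-08; refresh together with the nuspec version whenever upstream republishes`, so the next maintainer knows to re-verify the download rather than only paste a new hash.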
@@ -0,0 +1,10 @@
+$ErrorActionPreference = 'Stop'
+Import-Module vm.common -Force -DisableNameChecking
+
+$toolName = 'AppCompatCacheParser'
+$category = 'Forensic'
+
+$zipUrl = 'https://f001.backblazeb2.com/file/EricZimmermanTools/net6/AppCompatCacheParser.zip'
+$zipSha256 = '0ef9cc96a0784bc54f79e584f5845f7e3ada703cbfb6e209e9612bf1f7aad6c9'
+
+VM-Install-From-Zip $toolName $category $zipUrl -zipSha256 $zipSha256 -consoleApp $true -innerFolder $false
diff --git a/packages/appcompatcacheparser.vm/tools/chocolateyuninstall.ps1 b/packages/appcompatcacheparser.vm/tools/chocolateyuninstall.ps1
new file mode 100644
index 000000000..657816078
--- /dev/null
+++ b/packages/appcompatcacheparser.vm/tools/chocolateyuninstall.ps1
@@ -0,0 +1,7 @@
+$ErrorActionPreference = 'Continue'
+Import-Module vm.common -Force -DisableNameChecking
+
+$toolName = 'AppCompatCacheParser'
+$category = 'Forensic'
+
+VM-Uninstall $toolName $category
diff --git a/packages/bstrings.vm/bstrings.vm.nuspec b/packages/bstrings.vm/bstrings.vm.nuspec
new file mode 100644
index 000000000..6fb959cbb
--- /dev/null
+++ b/packages/bstrings.vm/bstrings.vm.nuspec
@@ -0,0 +1,13 @@
+
+
+
+ bstrings.vm
+ 1.5.2.20231208
+ Eric Zimmerman
+ Find them strings yo. Built in regex patterns. Handles locked files
+
+
+
+
+
+
diff --git a/packages/bstrings.vm/tools/chocolateyinstall.ps1 b/packages/bstrings.vm/tools/chocolateyinstall.ps1
new file mode 100644
index 000000000..505134f4d
--- /dev/null
+++ b/packages/bstrings.vm/tools/chocolateyinstall.ps1
@@ -0,0 +1,10 @@
+$ErrorActionPreference = 'Stop'
+Import-Module vm.common -Force -DisableNameChecking
+
+$toolName = 'bstrings'
+$category = 'Utilities'
+
+$zipUrl = 'https://f001.backblazeb2.com/file/EricZimmermanTools/net6/bstrings.zip'
+$zipSha256 = '1521031bab2843757bb701b75741a24154965ba219a57cbfefddb792c6d5b301'
+
+VM-Install-From-Zip $toolName $category $zipUrl -zipSha256 $zipSha256 -consoleApp $true -innerFolder $false
diff --git a/packages/bstrings.vm/tools/chocolateyuninstall.ps1 b/packages/bstrings.vm/tools/chocolateyuninstall.ps1
new file mode 100644
index 000000000..9000f95b9
--- /dev/null
+++ b/packages/bstrings.vm/tools/chocolateyuninstall.ps1
@@ -0,0 +1,7 @@
+$ErrorActionPreference = 'Continue'
+Import-Module vm.common -Force -DisableNameChecking
+
+$toolName = 'bstrings'
+$category = 'Utilities'
+
+VM-Uninstall $toolName $category
diff --git a/packages/evtxecmd.vm/evtxecmd.vm.nuspec b/packages/evtxecmd.vm/evtxecmd.vm.nuspec
new file mode 100644
index 000000000..bf542c964
--- /dev/null
+++ b/packages/evtxecmd.vm/evtxecmd.vm.nuspec
@@ -0,0 +1,13 @@
+
+
+
+ evtxecmd.vm
+ 1.5.0.20231208
+ Eric Zimmerman
+ Event log (evtx) parser with standardized CSV, XML, and json output! Custom maps, locked file support, and more!
+
+
+
+
+
+
diff --git a/packages/evtxecmd.vm/tools/chocolateyinstall.ps1 b/packages/evtxecmd.vm/tools/chocolateyinstall.ps1
new file mode 100644
index 000000000..41dee8445
--- /dev/null
+++ b/packages/evtxecmd.vm/tools/chocolateyinstall.ps1
@@ -0,0 +1,10 @@
+$ErrorActionPreference = 'Stop'
+Import-Module vm.common -Force -DisableNameChecking
+
+$toolName = 'EvtxECmd'
+$category = 'Forensic'
+
+$zipUrl = 'https://f001.backblazeb2.com/file/EricZimmermanTools/net6/EvtxECmd.zip'
+$zipSha256 = 'e1b4a5f9b09eca3c057cdc2d0ed1a28fe0c24dc90f9f68b7e0572e373dce86a6'
+
+VM-Install-From-Zip $toolName $category $zipUrl -zipSha256 $zipSha256 -consoleApp $true -innerFolder $true
diff --git a/packages/evtxecmd.vm/tools/chocolateyuninstall.ps1 b/packages/evtxecmd.vm/tools/chocolateyuninstall.ps1
new file mode 100644
index 000000000..7662f8508
--- /dev/null
+++ b/packages/evtxecmd.vm/tools/chocolateyuninstall.ps1
@@ -0,0 +1,7 @@
+$ErrorActionPreference = 'Continue'
+Import-Module vm.common -Force -DisableNameChecking
+
+$toolName = 'EvtxECmd'
+$category = 'Forensic'
+
+VM-Uninstall $toolName $category
diff --git a/packages/ezviewer.vm/ezviewer.vm.nuspec b/packages/ezviewer.vm/ezviewer.vm.nuspec
new file mode 100644
index 000000000..40c7ba792
--- /dev/null
+++ b/packages/ezviewer.vm/ezviewer.vm.nuspec
@@ -0,0 +1,13 @@
+
+
+
+ ezviewer.vm
+ 2.0.0.20231208
+ Eric Zimmerman
+ Standalone, zero dependency viewer for .doc, .docx, .xls, .xlsx, .txt, .log, .rtf, .otd, .htm, .html, .mht, .csv, and .pdf. Any non-supported files are shown in a hex editor (with data interpreter!)
+
+
+
+
+
+
diff --git a/packages/ezviewer.vm/tools/chocolateyinstall.ps1 b/packages/ezviewer.vm/tools/chocolateyinstall.ps1
new file mode 100644
index 000000000..38b8b6790
--- /dev/null
+++ b/packages/ezviewer.vm/tools/chocolateyinstall.ps1
@@ -0,0 +1,10 @@
+$ErrorActionPreference = 'Stop'
+Import-Module vm.common -Force -DisableNameChecking
+
+$toolName = 'EZViewer'
+$category = 'Office'
+
+$zipUrl = 'https://f001.backblazeb2.com/file/EricZimmermanTools/net6/EZViewer.zip'
+$zipSha256 = '86a27bf8f4744d283c33d7321ad8a510e6f4067ec776cfdf1cc4748a0684072d'
+
+VM-Install-From-Zip $toolName $category $zipUrl -zipSha256 $zipSha256 -consoleApp $false -innerFolder $true
diff --git a/packages/ezviewer.vm/tools/chocolateyuninstall.ps1 b/packages/ezviewer.vm/tools/chocolateyuninstall.ps1
new file mode 100644
index 000000000..02536ff44
--- /dev/null
+++ b/packages/ezviewer.vm/tools/chocolateyuninstall.ps1
@@ -0,0 +1,7 @@
+$ErrorActionPreference = 'Continue'
+Import-Module vm.common -Force -DisableNameChecking
+
+$toolName = 'EZViewer'
+$category = 'Office'
+
+VM-Uninstall $toolName $category
diff --git a/packages/jlecmd.vm/jlecmd.vm.nuspec b/packages/jlecmd.vm/jlecmd.vm.nuspec
new file mode 100644
index 000000000..08a9776ff
--- /dev/null
+++ b/packages/jlecmd.vm/jlecmd.vm.nuspec
@@ -0,0 +1,13 @@
+
+
+
+ jlecmd.vm
+ 1.5.0.20231208
+ Eric Zimmerman
+ Jump List parser
+
+
+
+
+
+
diff --git a/packages/jlecmd.vm/tools/chocolateyinstall.ps1 b/packages/jlecmd.vm/tools/chocolateyinstall.ps1
new file mode 100644
index 000000000..f1654be56
--- /dev/null
+++ b/packages/jlecmd.vm/tools/chocolateyinstall.ps1
@@ -0,0 +1,10 @@
+$ErrorActionPreference = 'Stop'
+Import-Module vm.common -Force -DisableNameChecking
+
+$toolName = 'JLECmd'
+$category = 'Forensic'
+
+$zipUrl = 'https://f001.backblazeb2.com/file/EricZimmermanTools/net6/JLECmd.zip'
+$zipSha256 = 'b0635517a72d2a7cdfdc92d5161f38e968380ae2ec33673571108bacf31b4480'
+
+VM-Install-From-Zip $toolName $category $zipUrl -zipSha256 $zipSha256 -consoleApp $true -innerFolder $false
diff --git a/packages/jlecmd.vm/tools/chocolateyuninstall.ps1 b/packages/jlecmd.vm/tools/chocolateyuninstall.ps1
new file mode 100644
index 000000000..811ce0c31
--- /dev/null
+++ b/packages/jlecmd.vm/tools/chocolateyuninstall.ps1
@@ -0,0 +1,7 @@
+$ErrorActionPreference = 'Continue'
+Import-Module vm.common -Force -DisableNameChecking
+
+$toolName = 'JLECmd'
+$category = 'Forensic'
+
+VM-Uninstall $toolName $category
diff --git a/packages/jumplist_explorer.vm/jumplist_explorer.vm.nuspec b/packages/jumplist_explorer.vm/jumplist_explorer.vm.nuspec
new file mode 100644
index 000000000..73acbe743
--- /dev/null
+++ b/packages/jumplist_explorer.vm/jumplist_explorer.vm.nuspec
@@ -0,0 +1,13 @@
+
+
+
+ jumplist_explorer.vm
+ 2.0.0.20231208
+ Eric Zimmerman
+ GUI based Jump List viewer
+
+
+
+
+
+
diff --git a/packages/jumplist_explorer.vm/tools/chocolateyinstall.ps1 b/packages/jumplist_explorer.vm/tools/chocolateyinstall.ps1
new file mode 100644
index 000000000..6f07a9a16
--- /dev/null
+++ b/packages/jumplist_explorer.vm/tools/chocolateyinstall.ps1
@@ -0,0 +1,10 @@
+$ErrorActionPreference = 'Stop'
+Import-Module vm.common -Force -DisableNameChecking
+
+$toolName = 'JumpListExplorer'
+$category = 'Forensic'
+
+$zipUrl = 'https://f001.backblazeb2.com/file/EricZimmermanTools/net6/JumpListExplorer.zip'
+$zipSha256 = '5543774e73f6c42ece035b95f2e3689a1a52ef89cb04b15512da264c8bc799f9'
+
+VM-Install-From-Zip $toolName $category $zipUrl -zipSha256 $zipSha256 -consoleApp $false -innerFolder $true
diff --git a/packages/jumplist_explorer.vm/tools/chocolateyuninstall.ps1 b/packages/jumplist_explorer.vm/tools/chocolateyuninstall.ps1
new file mode 100644
index 000000000..2bcfaed47
--- /dev/null
+++ b/packages/jumplist_explorer.vm/tools/chocolateyuninstall.ps1
@@ -0,0 +1,7 @@
+$ErrorActionPreference = 'Continue'
+Import-Module vm.common -Force -DisableNameChecking
+
+$toolName = 'JumpListExplorer'
+$category = 'Forensic'
+
+VM-Uninstall $toolName $category
diff --git a/packages/lecmd.vm/lecmd.vm.nuspec b/packages/lecmd.vm/lecmd.vm.nuspec
new file mode 100644
index 000000000..2a1e48dc2
--- /dev/null
+++ b/packages/lecmd.vm/lecmd.vm.nuspec
@@ -0,0 +1,13 @@
+
+
+
+ lecmd.vm
+ 1.5.0.20231208
+ Eric Zimmerman
+ Parse lnk files
+
+
+
+
+
+
diff --git a/packages/lecmd.vm/tools/chocolateyinstall.ps1 b/packages/lecmd.vm/tools/chocolateyinstall.ps1
new file mode 100644
index 000000000..92be4e0b5
--- /dev/null
+++ b/packages/lecmd.vm/tools/chocolateyinstall.ps1
@@ -0,0 +1,10 @@
+$ErrorActionPreference = 'Stop'
+Import-Module vm.common -Force -DisableNameChecking
+
+$toolName = 'LECmd'
+$category = 'Forensic'
+
+$zipUrl = 'https://f001.backblazeb2.com/file/EricZimmermanTools/net6/LECmd.zip'
+$zipSha256 = '103bd3f0209c26598718c81585edbd624c4679a3e58ed369ade325e33fb7022a'
+
+VM-Install-From-Zip $toolName $category $zipUrl -zipSha256 $zipSha256 -consoleApp $true -innerFolder $false
diff --git a/packages/lecmd.vm/tools/chocolateyuninstall.ps1 b/packages/lecmd.vm/tools/chocolateyuninstall.ps1
new file mode 100644
index 000000000..506b22d3f
--- /dev/null
+++ b/packages/lecmd.vm/tools/chocolateyuninstall.ps1
@@ -0,0 +1,7 @@
+$ErrorActionPreference = 'Continue'
+Import-Module vm.common -Force -DisableNameChecking
+
+$toolName = 'LECmd'
+$category = 'Forensic'
+
+VM-Uninstall $toolName $category
diff --git a/packages/mft_explorer.vm/mft_explorer.vm.nuspec b/packages/mft_explorer.vm/mft_explorer.vm.nuspec
new file mode 100644
index 000000000..8c2b550d3
--- /dev/null
+++ b/packages/mft_explorer.vm/mft_explorer.vm.nuspec
@@ -0,0 +1,13 @@
+
+
+
+ mft_explorer.vm
+ 2.0.0.20231208
+ Eric Zimmerman
+ Graphical $MFT viewer
+
+
+
+
+
+
diff --git a/packages/mft_explorer.vm/tools/chocolateyinstall.ps1 b/packages/mft_explorer.vm/tools/chocolateyinstall.ps1
new file mode 100644
index 000000000..e67725ac1
--- /dev/null
+++ b/packages/mft_explorer.vm/tools/chocolateyinstall.ps1
@@ -0,0 +1,10 @@
+$ErrorActionPreference = 'Stop'
+Import-Module vm.common -Force -DisableNameChecking
+
+$toolName = 'MFTExplorer'
+$category = 'Forensic'
+
+$zipUrl = 'https://f001.backblazeb2.com/file/EricZimmermanTools/net6/MFTExplorer.zip'
+$zipSha256 = '99947e91bbc19e440de7b1ff7a3557beed6ee79a3765eb67d58e4369ac711f1f'
+
+VM-Install-From-Zip $toolName $category $zipUrl -zipSha256 $zipSha256 -consoleApp $false -innerFolder $true
diff --git a/packages/mft_explorer.vm/tools/chocolateyuninstall.ps1 b/packages/mft_explorer.vm/tools/chocolateyuninstall.ps1
new file mode 100644
index 000000000..206202ea0
--- /dev/null
+++ b/packages/mft_explorer.vm/tools/chocolateyuninstall.ps1
@@ -0,0 +1,7 @@
+$ErrorActionPreference = 'Continue'
+Import-Module vm.common -Force -DisableNameChecking
+
+$toolName = 'MFTExplorer'
+$category = 'Forensic'
+
+VM-Uninstall $toolName $category
diff --git a/packages/mftecmd.vm/mftecmd.vm.nuspec b/packages/mftecmd.vm/mftecmd.vm.nuspec
new file mode 100644
index 000000000..a974cfaac
--- /dev/null
+++ b/packages/mftecmd.vm/mftecmd.vm.nuspec
@@ -0,0 +1,13 @@
+
+
+
+ mftecmd.vm
+ 1.2.2.20231208
+ Eric Zimmerman
+ $MFT, $Boot, $J, $SDS, $I30, and $LogFile (coming soon) parser. Handles locked files
+
+
+
+
+
+
diff --git a/packages/mftecmd.vm/tools/chocolateyinstall.ps1 b/packages/mftecmd.vm/tools/chocolateyinstall.ps1
new file mode 100644
index 000000000..90b233aff
--- /dev/null
+++ b/packages/mftecmd.vm/tools/chocolateyinstall.ps1
@@ -0,0 +1,10 @@
+$ErrorActionPreference = 'Stop'
+Import-Module vm.common -Force -DisableNameChecking
+
+$toolName = 'MFTECmd'
+$category = 'Forensic'
+
+$zipUrl = 'https://f001.backblazeb2.com/file/EricZimmermanTools/net6/MFTECmd.zip'
+$zipSha256 = 'ce4313e33cf424fd102959d7c687c768c5075bffc4a6536765d017e7d30d443b'
+
+VM-Install-From-Zip $toolName $category $zipUrl -zipSha256 $zipSha256 -consoleApp $true -innerFolder $false
diff --git a/packages/mftecmd.vm/tools/chocolateyuninstall.ps1 b/packages/mftecmd.vm/tools/chocolateyuninstall.ps1
new file mode 100644
index 000000000..33686c4d9
--- /dev/null
+++ b/packages/mftecmd.vm/tools/chocolateyuninstall.ps1
@@ -0,0 +1,7 @@
+$ErrorActionPreference = 'Continue'
+Import-Module vm.common -Force -DisableNameChecking
+
+$toolName = 'MFTECmd'
+$category = 'Forensic'
+
+VM-Uninstall $toolName $category
diff --git a/packages/pecmd.vm/pecmd.vm.nuspec b/packages/pecmd.vm/pecmd.vm.nuspec
new file mode 100644
index 000000000..1e6e32db8
--- /dev/null
+++ b/packages/pecmd.vm/pecmd.vm.nuspec
@@ -0,0 +1,13 @@
+
+
+
+ pecmd.vm
+ 1.5.0.20231208
+ Eric Zimmerman
+ Prefetch parser
+
+
+
+
+
+
diff --git a/packages/pecmd.vm/tools/chocolateyinstall.ps1 b/packages/pecmd.vm/tools/chocolateyinstall.ps1
new file mode 100644
index 000000000..7a2b73990
--- /dev/null
+++ b/packages/pecmd.vm/tools/chocolateyinstall.ps1
@@ -0,0 +1,10 @@
+$ErrorActionPreference = 'Stop'
+Import-Module vm.common -Force -DisableNameChecking
+
+$toolName = 'PECmd'
+$category = 'Forensic'
+
+$zipUrl = 'https://f001.backblazeb2.com/file/EricZimmermanTools/net6/PECmd.zip'
+$zipSha256 = 'e20254b2f813e66fe5295488e5a00e9675679c91841f99ddcc8d083299bb55d6'
+
+VM-Install-From-Zip $toolName $category $zipUrl -zipSha256 $zipSha256 -consoleApp $true -innerFolder $false
diff --git a/packages/pecmd.vm/tools/chocolateyuninstall.ps1 b/packages/pecmd.vm/tools/chocolateyuninstall.ps1
new file mode 100644
index 000000000..f6214148b
--- /dev/null
+++ b/packages/pecmd.vm/tools/chocolateyuninstall.ps1
@@ -0,0 +1,7 @@
+$ErrorActionPreference = 'Continue'
+Import-Module vm.common -Force -DisableNameChecking
+
+$toolName = 'PECmd'
+$category = 'Forensic'
+
+VM-Uninstall $toolName $category
diff --git a/packages/rbcmd.vm/rbcmd.vm.nuspec b/packages/rbcmd.vm/rbcmd.vm.nuspec
new file mode 100644
index 000000000..cf9788f90
--- /dev/null
+++ b/packages/rbcmd.vm/rbcmd.vm.nuspec
@@ -0,0 +1,13 @@
+
+
+
+ rbcmd.vm
+ 1.5.0.20231208
+ Eric Zimmerman
+ Recycle Bin artifact (INFO2/$I) parser
+
+
+
+
+
+
diff --git a/packages/rbcmd.vm/tools/chocolateyinstall.ps1 b/packages/rbcmd.vm/tools/chocolateyinstall.ps1
new file mode 100644
index 000000000..ffdcf07b2
--- /dev/null
+++ b/packages/rbcmd.vm/tools/chocolateyinstall.ps1
@@ -0,0 +1,10 @@
+$ErrorActionPreference = 'Stop'
+Import-Module vm.common -Force -DisableNameChecking
+
+$toolName = 'RBCmd'
+$category = 'Forensic'
+
+$zipUrl = 'https://f001.backblazeb2.com/file/EricZimmermanTools/net6/RBCmd.zip'
+$zipSha256 = '326b4d77bd2915551b85391bdebf1dc4a32bc5a872a4da0d55af8df657086135'
+
+VM-Install-From-Zip $toolName $category $zipUrl -zipSha256 $zipSha256 -consoleApp $true -innerFolder $false
diff --git a/packages/rbcmd.vm/tools/chocolateyuninstall.ps1 b/packages/rbcmd.vm/tools/chocolateyuninstall.ps1
new file mode 100644
index 000000000..33d8dc6ec
--- /dev/null
+++ b/packages/rbcmd.vm/tools/chocolateyuninstall.ps1
@@ -0,0 +1,7 @@
+$ErrorActionPreference = 'Continue'
+Import-Module vm.common -Force -DisableNameChecking
+
+$toolName = 'RBCmd'
+$category = 'Forensic'
+
+VM-Uninstall $toolName $category
diff --git a/packages/recentfilecacheparser.vm/recentfilecacheparser.vm.nuspec b/packages/recentfilecacheparser.vm/recentfilecacheparser.vm.nuspec
new file mode 100644
index 000000000..0ae8fb885
--- /dev/null
+++ b/packages/recentfilecacheparser.vm/recentfilecacheparser.vm.nuspec
@@ -0,0 +1,13 @@
+
+
+
+ recentfilecacheparser.vm
+ 1.5.0.20231208
+ Eric Zimmerman
+ RecentFileCache parser
+
+
+
+
+
+
diff --git a/packages/recentfilecacheparser.vm/tools/chocolateyinstall.ps1 b/packages/recentfilecacheparser.vm/tools/chocolateyinstall.ps1
new file mode 100644
index 000000000..25ab718ae
--- /dev/null
+++ b/packages/recentfilecacheparser.vm/tools/chocolateyinstall.ps1
@@ -0,0 +1,10 @@
+$ErrorActionPreference = 'Stop'
+Import-Module vm.common -Force -DisableNameChecking
+
+$toolName = 'RecentFileCacheParser'
+$category = 'Forensic'
+
+$zipUrl = 'https://f001.backblazeb2.com/file/EricZimmermanTools/net6/RecentFileCacheParser.zip'
+$zipSha256 = '4b9760b75f4e91269e55d9a03b0b0572b3ed90948f2a08cc6c1215e2e00e3353'
+
+VM-Install-From-Zip $toolName $category $zipUrl -zipSha256 $zipSha256 -consoleApp $true -innerFolder $false
diff --git a/packages/recentfilecacheparser.vm/tools/chocolateyuninstall.ps1 b/packages/recentfilecacheparser.vm/tools/chocolateyuninstall.ps1
new file mode 100644
index 000000000..56aa1f412
--- /dev/null
+++ b/packages/recentfilecacheparser.vm/tools/chocolateyuninstall.ps1
@@ -0,0 +1,7 @@
+$ErrorActionPreference = 'Continue'
+Import-Module vm.common -Force -DisableNameChecking
+
+$toolName = 'RecentFileCacheParser'
+$category = 'Forensic'
+
+VM-Uninstall $toolName $category
diff --git a/packages/recmd.vm/recmd.vm.nuspec b/packages/recmd.vm/recmd.vm.nuspec
new file mode 100644
index 000000000..7a33ce200
--- /dev/null
+++ b/packages/recmd.vm/recmd.vm.nuspec
@@ -0,0 +1,13 @@
+
+
+
+ recmd.vm
+ 2.0.0.20231208
+ Eric Zimmerman
+ Powerful command line Registry tool searching, multi-hive support, plugins, and more
+
+
+
+
+
+
diff --git a/packages/recmd.vm/tools/chocolateyinstall.ps1 b/packages/recmd.vm/tools/chocolateyinstall.ps1
new file mode 100644
index 000000000..acb928db3
--- /dev/null
+++ b/packages/recmd.vm/tools/chocolateyinstall.ps1
@@ -0,0 +1,10 @@
+$ErrorActionPreference = 'Stop'
+Import-Module vm.common -Force -DisableNameChecking
+
+$toolName = 'RECmd'
+$category = 'Forensic'
+
+$zipUrl = 'https://f001.backblazeb2.com/file/EricZimmermanTools/net6/RECmd.zip'
+$zipSha256 = '53ca90113116ebbf3d14264991318cb4b3c8667a996bba8ba49adcc41032665e'
+
+VM-Install-From-Zip $toolName $category $zipUrl -zipSha256 $zipSha256 -consoleApp $true -innerFolder $true
diff --git a/packages/recmd.vm/tools/chocolateyuninstall.ps1 b/packages/recmd.vm/tools/chocolateyuninstall.ps1
new file mode 100644
index 000000000..4e1c894be
--- /dev/null
+++ b/packages/recmd.vm/tools/chocolateyuninstall.ps1
@@ -0,0 +1,7 @@
+$ErrorActionPreference = 'Continue'
+Import-Module vm.common -Force -DisableNameChecking
+
+$toolName = 'RECmd'
+$category = 'Forensic'
+
+VM-Uninstall $toolName $category
diff --git a/packages/registry_explorer.vm/registry_explorer.vm.nuspec b/packages/registry_explorer.vm/registry_explorer.vm.nuspec
new file mode 100644
index 000000000..c81d0e283
--- /dev/null
+++ b/packages/registry_explorer.vm/registry_explorer.vm.nuspec
@@ -0,0 +1,13 @@
+
+
+
+ registry_explorer.vm
+ 2.0.0.20231208
+ Eric Zimmerman
+ Registry viewer with searching, multi-hive support, plugins, and more. Handles locked files
+
+
+
+
+
+
diff --git a/packages/registry_explorer.vm/tools/chocolateyinstall.ps1 b/packages/registry_explorer.vm/tools/chocolateyinstall.ps1
new file mode 100644
index 000000000..d5d2a825f
--- /dev/null
+++ b/packages/registry_explorer.vm/tools/chocolateyinstall.ps1
@@ -0,0 +1,10 @@
+$ErrorActionPreference = 'Stop'
+Import-Module vm.common -Force -DisableNameChecking
+
+$toolName = 'RegistryExplorer'
+$category = 'Forensic'
+
+$zipUrl = 'https://f001.backblazeb2.com/file/EricZimmermanTools/net6/RegistryExplorer.zip'
+$zipSha256 = '50a11bd0a5e44dcea6469b8564eb3f010b9a8faf323ff6481222d391da26887e'
+
+VM-Install-From-Zip $toolName $category $zipUrl -zipSha256 $zipSha256 -consoleApp $false -innerFolder $true
diff --git a/packages/registry_explorer.vm/tools/chocolateyuninstall.ps1 b/packages/registry_explorer.vm/tools/chocolateyuninstall.ps1
new file mode 100644
index 000000000..c08fb669c
--- /dev/null
+++ b/packages/registry_explorer.vm/tools/chocolateyuninstall.ps1
@@ -0,0 +1,7 @@
+$ErrorActionPreference = 'Continue'
+Import-Module vm.common -Force -DisableNameChecking
+
+$toolName = 'RegistryExplorer'
+$category = 'Forensic'
+
+VM-Uninstall $toolName $category
diff --git a/packages/rla.vm/rla.vm.nuspec b/packages/rla.vm/rla.vm.nuspec
new file mode 100644
index 000000000..0458b9366
--- /dev/null
+++ b/packages/rla.vm/rla.vm.nuspec
@@ -0,0 +1,13 @@
+
+
+
+ rla.vm
+ 2.0.0.20231208
+ Eric Zimmerman
+ Replay transaction logs and update Registry hives so they are no longer dirty. Useful when tools do not know how to handle transaction logs
+
+
+
+
+
+
diff --git a/packages/rla.vm/tools/chocolateyinstall.ps1 b/packages/rla.vm/tools/chocolateyinstall.ps1
new file mode 100644
index 000000000..7e41b90bc
--- /dev/null
+++ b/packages/rla.vm/tools/chocolateyinstall.ps1
@@ -0,0 +1,10 @@
+$ErrorActionPreference = 'Stop'
+Import-Module vm.common -Force -DisableNameChecking
+
+$toolName = 'RLA'
+$category = 'Forensic'
+
+$zipUrl = 'https://f001.backblazeb2.com/file/EricZimmermanTools/net6/rla.zip'
+$zipSha256 = '3a67f6aa06f8eef9b60417199dd06b3909ad8c94985180c687ef32468f7710c5'
+
+VM-Install-From-Zip $toolName $category $zipUrl -zipSha256 $zipSha256 -consoleApp $true -innerFolder $false
diff --git a/packages/rla.vm/tools/chocolateyuninstall.ps1 b/packages/rla.vm/tools/chocolateyuninstall.ps1
new file mode 100644
index 000000000..76eb4032b
--- /dev/null
+++ b/packages/rla.vm/tools/chocolateyuninstall.ps1
@@ -0,0 +1,7 @@
+$ErrorActionPreference = 'Continue'
+Import-Module vm.common -Force -DisableNameChecking
+
+$toolName = 'RLA'
+$category = 'Forensic'
+
+VM-Uninstall $toolName $category
diff --git a/packages/sbecmd.vm/sbecmd.vm.nuspec b/packages/sbecmd.vm/sbecmd.vm.nuspec
new file mode 100644
index 000000000..1023e06b2
--- /dev/null
+++ b/packages/sbecmd.vm/sbecmd.vm.nuspec
@@ -0,0 +1,13 @@
+
+
+
+ sbecmd.vm
+ 2.0.0.20231208
+ Eric Zimmerman
+ ShellBags Explorer, command line edition, for exporting shellbag data
+
+
+
+
+
+
diff --git a/packages/sbecmd.vm/tools/chocolateyinstall.ps1 b/packages/sbecmd.vm/tools/chocolateyinstall.ps1
new file mode 100644
index 000000000..8314ad2c2
--- /dev/null
+++ b/packages/sbecmd.vm/tools/chocolateyinstall.ps1
@@ -0,0 +1,10 @@
+$ErrorActionPreference = 'Stop'
+Import-Module vm.common -Force -DisableNameChecking
+
+$toolName = 'SBECmd'
+$category = 'Forensic'
+
+$zipUrl = 'https://f001.backblazeb2.com/file/EricZimmermanTools/net6/SBECmd.zip'
+$zipSha256 = '640caf1592daf5a62c4984f50d684f96e69c98c67611742a172f5fd35572ced0'
+
+VM-Install-From-Zip $toolName $category $zipUrl -zipSha256 $zipSha256 -consoleApp $true -innerFolder $false
diff --git a/packages/sbecmd.vm/tools/chocolateyuninstall.ps1 b/packages/sbecmd.vm/tools/chocolateyuninstall.ps1
new file mode 100644
index 000000000..51896988c
--- /dev/null
+++ b/packages/sbecmd.vm/tools/chocolateyuninstall.ps1
@@ -0,0 +1,7 @@
+$ErrorActionPreference = 'Continue'
+Import-Module vm.common -Force -DisableNameChecking
+
+$toolName = 'SBECmd'
+$category = 'Forensic'
+
+VM-Uninstall $toolName $category
diff --git a/packages/sdb_explorer.vm/sdb_explorer.vm.nuspec b/packages/sdb_explorer.vm/sdb_explorer.vm.nuspec
new file mode 100644
index 000000000..9ee292f5a
--- /dev/null
+++ b/packages/sdb_explorer.vm/sdb_explorer.vm.nuspec
@@ -0,0 +1,13 @@
+
+
+
+ sdb_explorer.vm
+ 2.0.0.20231208
+ Eric Zimmerman
+ Shim database GUI
+
+
+
+
+
+
diff --git a/packages/sdb_explorer.vm/tools/chocolateyinstall.ps1 b/packages/sdb_explorer.vm/tools/chocolateyinstall.ps1
new file mode 100644
index 000000000..d1154b29c
--- /dev/null
+++ b/packages/sdb_explorer.vm/tools/chocolateyinstall.ps1
@@ -0,0 +1,10 @@
+$ErrorActionPreference = 'Stop'
+Import-Module vm.common -Force -DisableNameChecking
+
+$toolName = 'SDBExplorer'
+$category = 'Forensic'
+
+$zipUrl = 'https://f001.backblazeb2.com/file/EricZimmermanTools/net6/SDBExplorer.zip'
+$zipSha256 = 'c88085e74405801f9d4f2557ce35eaa6316e6fe812e5efd66a6a1d87f1b1cbd6'
+
+VM-Install-From-Zip $toolName $category $zipUrl -zipSha256 $zipSha256 -consoleApp $false -innerFolder $true
diff --git a/packages/sdb_explorer.vm/tools/chocolateyuninstall.ps1 b/packages/sdb_explorer.vm/tools/chocolateyuninstall.ps1
new file mode 100644
index 000000000..89bf2652c
--- /dev/null
+++ b/packages/sdb_explorer.vm/tools/chocolateyuninstall.ps1
@@ -0,0 +1,7 @@
+$ErrorActionPreference = 'Continue'
+Import-Module vm.common -Force -DisableNameChecking
+
+$toolName = 'SDBExplorer'
+$category = 'Forensic'
+
+VM-Uninstall $toolName $category
diff --git a/packages/shellbags_explorer.vm/shellbags_explorer.vm.nuspec b/packages/shellbags_explorer.vm/shellbags_explorer.vm.nuspec
new file mode 100644
index 000000000..13fe2f843
--- /dev/null
+++ b/packages/shellbags_explorer.vm/shellbags_explorer.vm.nuspec
@@ -0,0 +1,13 @@
+
+
+
+ shellbags_explorer.vm
+ 2.0.0.20231208
+ Eric Zimmerman
+ GUI for browsing shellbags data. Handles locked files
+
+
+
+
+
+
diff --git a/packages/shellbags_explorer.vm/tools/chocolateyinstall.ps1 b/packages/shellbags_explorer.vm/tools/chocolateyinstall.ps1
new file mode 100644
index 000000000..a6a3ae533
--- /dev/null
+++ b/packages/shellbags_explorer.vm/tools/chocolateyinstall.ps1
@@ -0,0 +1,10 @@
+$ErrorActionPreference = 'Stop'
+Import-Module vm.common -Force -DisableNameChecking
+
+$toolName = 'ShellBagsExplorer'
+$category = 'Forensic'
+
+$zipUrl = 'https://f001.backblazeb2.com/file/EricZimmermanTools/net6/ShellBagsExplorer.zip'
+$zipSha256 = '8f81e32b723115462d6245357d1c3d8a41fff2926c263c857a086765ce3f7ad2'
+
+VM-Install-From-Zip $toolName $category $zipUrl -zipSha256 $zipSha256 -consoleApp $false -innerFolder $true
diff --git a/packages/shellbags_explorer.vm/tools/chocolateyuninstall.ps1 b/packages/shellbags_explorer.vm/tools/chocolateyuninstall.ps1
new file mode 100644
index 000000000..36c4f394d
--- /dev/null
+++ b/packages/shellbags_explorer.vm/tools/chocolateyuninstall.ps1
@@ -0,0 +1,7 @@
+$ErrorActionPreference = 'Continue'
+Import-Module vm.common -Force -DisableNameChecking
+
+$toolName = 'ShellBagsExplorer'
+$category = 'Forensic'
+
+VM-Uninstall $toolName $category
diff --git a/packages/sqlecmd.vm/sqlecmd.vm.nuspec b/packages/sqlecmd.vm/sqlecmd.vm.nuspec
new file mode 100644
index 000000000..2f8f3e1e0
--- /dev/null
+++ b/packages/sqlecmd.vm/sqlecmd.vm.nuspec
@@ -0,0 +1,13 @@
+
+
+
+ sqlecmd.vm
+ 1.0.0.20231208
+ Eric Zimmerman
+ Find and process SQLite files according to your needs with maps!
+
+
+
+
+
+
diff --git a/packages/sqlecmd.vm/tools/chocolateyinstall.ps1 b/packages/sqlecmd.vm/tools/chocolateyinstall.ps1
new file mode 100644
index 000000000..a29c800d2
--- /dev/null
+++ b/packages/sqlecmd.vm/tools/chocolateyinstall.ps1
@@ -0,0 +1,10 @@
+$ErrorActionPreference = 'Stop'
+Import-Module vm.common -Force -DisableNameChecking
+
+$toolName = 'SQLECmd'
+$category = 'Forensic'
+
+$zipUrl = 'https://f001.backblazeb2.com/file/EricZimmermanTools/net6/SQLECmd.zip'
+$zipSha256 = '40a23c2bd6855753e5f39a7cb944cd2e13aecb70ae2c5b3db840c959225454be'
+
+VM-Install-From-Zip $toolName $category $zipUrl -zipSha256 $zipSha256 -consoleApp $true -innerFolder $true
diff --git a/packages/sqlecmd.vm/tools/chocolateyuninstall.ps1 b/packages/sqlecmd.vm/tools/chocolateyuninstall.ps1
new file mode 100644
index 000000000..94c5dd723
--- /dev/null
+++ b/packages/sqlecmd.vm/tools/chocolateyuninstall.ps1
@@ -0,0 +1,7 @@
+$ErrorActionPreference = 'Continue'
+Import-Module vm.common -Force -DisableNameChecking
+
+$toolName = 'SQLECmd'
+$category = 'Forensic'
+
+VM-Uninstall $toolName $category
diff --git a/packages/srumecmd.vm/srumecmd.vm.nuspec b/packages/srumecmd.vm/srumecmd.vm.nuspec
new file mode 100644
index 000000000..23c350ef7
--- /dev/null
+++ b/packages/srumecmd.vm/srumecmd.vm.nuspec
@@ -0,0 +1,13 @@
+
+
+
+ srumecmd.vm
+ 0.5.1.20231208
+ Eric Zimmerman
+ Process SRUDB.dat and (optionally) SOFTWARE hive for network, process, and energy info!
+
+
+
+
+
+
diff --git a/packages/srumecmd.vm/tools/chocolateyinstall.ps1 b/packages/srumecmd.vm/tools/chocolateyinstall.ps1
new file mode 100644
index 000000000..9b8634b4c
--- /dev/null
+++ b/packages/srumecmd.vm/tools/chocolateyinstall.ps1
@@ -0,0 +1,10 @@
+$ErrorActionPreference = 'Stop'
+Import-Module vm.common -Force -DisableNameChecking
+
+$toolName = 'SrumECmd'
+$category = 'Forensic'
+
+$zipUrl = 'https://f001.backblazeb2.com/file/EricZimmermanTools/net6/SrumECmd.zip'
+$zipSha256 = 'acfff757f1da4e7cc5c7c521c8fd7eeda938ac9402ae4874f2c8f49239d52dc1'
+
+VM-Install-From-Zip $toolName $category $zipUrl -zipSha256 $zipSha256 -consoleApp $true -innerFolder $false
diff --git a/packages/srumecmd.vm/tools/chocolateyuninstall.ps1 b/packages/srumecmd.vm/tools/chocolateyuninstall.ps1
new file mode 100644
index 000000000..4904a4d8f
--- /dev/null
+++ b/packages/srumecmd.vm/tools/chocolateyuninstall.ps1
@@ -0,0 +1,7 @@
+$ErrorActionPreference = 'Continue'
+Import-Module vm.common -Force -DisableNameChecking
+
+$toolName = 'SrumECmd'
+$category = 'Forensic'
+
+VM-Uninstall $toolName $category
diff --git a/packages/sumecmd.vm/sumecmd.vm.nuspec b/packages/sumecmd.vm/sumecmd.vm.nuspec
new file mode 100644
index 000000000..8a0f14abd
--- /dev/null
+++ b/packages/sumecmd.vm/sumecmd.vm.nuspec
@@ -0,0 +1,13 @@
+
+
+
+ sumecmd.vm
+ 0.5.2.20231208
+ Eric Zimmerman
+ Process Microsoft User Access Logs found under "C:\Windows\System32\LogFiles\SUM"
+
+
+
+
+
+
diff --git a/packages/sumecmd.vm/tools/chocolateyinstall.ps1 b/packages/sumecmd.vm/tools/chocolateyinstall.ps1
new file mode 100644
index 000000000..870f52a15
--- /dev/null
+++ b/packages/sumecmd.vm/tools/chocolateyinstall.ps1
@@ -0,0 +1,10 @@
+$ErrorActionPreference = 'Stop'
+Import-Module vm.common -Force -DisableNameChecking
+
+$toolName = 'SumECmd'
+$category = 'Forensic'
+
+$zipUrl = 'https://f001.backblazeb2.com/file/EricZimmermanTools/net6/SumECmd.zip'
+$zipSha256 = '74ed2f833056c2c88ee906fd1cbd8938a1d8f0c2df7e7ce031614858c8d16cb7'
+
+VM-Install-From-Zip $toolName $category $zipUrl -zipSha256 $zipSha256 -consoleApp $true -innerFolder $false
diff --git a/packages/sumecmd.vm/tools/chocolateyuninstall.ps1 b/packages/sumecmd.vm/tools/chocolateyuninstall.ps1
new file mode 100644
index 000000000..1f865b953
--- /dev/null
+++ b/packages/sumecmd.vm/tools/chocolateyuninstall.ps1
@@ -0,0 +1,7 @@
+$ErrorActionPreference = 'Continue'
+Import-Module vm.common -Force -DisableNameChecking
+
+$toolName = 'SumECmd'
+$category = 'Forensic'
+
+VM-Uninstall $toolName $category
diff --git a/packages/timeline_explorer.vm/timeline_explorer.vm.nuspec b/packages/timeline_explorer.vm/timeline_explorer.vm.nuspec
new file mode 100644
index 000000000..5db807e93
--- /dev/null
+++ b/packages/timeline_explorer.vm/timeline_explorer.vm.nuspec
@@ -0,0 +1,13 @@
+
+
+
+ timeline_explorer.vm
+ 2.0.0.20231208
+ Eric Zimmerman
+ View CSV and Excel files, filter, group, sort, etc. with ease
+
+
+
+
+
+
diff --git a/packages/timeline_explorer.vm/tools/chocolateyinstall.ps1 b/packages/timeline_explorer.vm/tools/chocolateyinstall.ps1
new file mode 100644
index 000000000..eb45f2781
--- /dev/null
+++ b/packages/timeline_explorer.vm/tools/chocolateyinstall.ps1
@@ -0,0 +1,10 @@
+$ErrorActionPreference = 'Stop'
+Import-Module vm.common -Force -DisableNameChecking
+
+$toolName = 'TimelineExplorer'
+$category = 'Forensic'
+
+$zipUrl = 'https://f001.backblazeb2.com/file/EricZimmermanTools/net6/TimelineExplorer.zip'
+$zipSha256 = '0542e719418d91ee7fa0d62a4b7af6003c72e8bd0ecc572ecd6fc0ab4c3a83e0'
+
+VM-Install-From-Zip $toolName $category $zipUrl -zipSha256 $zipSha256 -consoleApp $false -innerFolder $true
diff --git a/packages/timeline_explorer.vm/tools/chocolateyuninstall.ps1 b/packages/timeline_explorer.vm/tools/chocolateyuninstall.ps1
new file mode 100644
index 000000000..a41397764
--- /dev/null
+++ b/packages/timeline_explorer.vm/tools/chocolateyuninstall.ps1
@@ -0,0 +1,7 @@
+$ErrorActionPreference = 'Continue'
+Import-Module vm.common -Force -DisableNameChecking
+
+$toolName = 'TimelineExplorer'
+$category = 'Forensic'
+
+VM-Uninstall $toolName $category
diff --git a/packages/vscmount.vm/tools/chocolateyinstall.ps1 b/packages/vscmount.vm/tools/chocolateyinstall.ps1
new file mode 100644
index 000000000..01de42c4b
--- /dev/null
+++ b/packages/vscmount.vm/tools/chocolateyinstall.ps1
@@ -0,0 +1,10 @@
+$ErrorActionPreference = 'Stop'
+Import-Module vm.common -Force -DisableNameChecking
+
+$toolName = 'VSCMount'
+$category = 'Forensic'
+
+$zipUrl = 'https://f001.backblazeb2.com/file/EricZimmermanTools/net6/VSCMount.zip'
+$zipSha256 = '28927b892af255673432a962ac41f58f9be5cb3c7c0a2444556a01b033f066a7'
+
+VM-Install-From-Zip $toolName $category $zipUrl -zipSha256 $zipSha256 -consoleApp $true -innerFolder $false
diff --git a/packages/vscmount.vm/tools/chocolateyuninstall.ps1 b/packages/vscmount.vm/tools/chocolateyuninstall.ps1
new file mode 100644
index 000000000..3c8a9b377
--- /dev/null
+++ b/packages/vscmount.vm/tools/chocolateyuninstall.ps1
@@ -0,0 +1,7 @@
+$ErrorActionPreference = 'Continue'
+Import-Module vm.common -Force -DisableNameChecking
+
+$toolName = 'VSCMount'
+$category = 'Forensic'
+
+VM-Uninstall $toolName $category
diff --git a/packages/vscmount.vm/vscmount.vm.nuspec b/packages/vscmount.vm/vscmount.vm.nuspec
new file mode 100644
index 000000000..10e0f2a6d
--- /dev/null
+++ b/packages/vscmount.vm/vscmount.vm.nuspec
@@ -0,0 +1,13 @@
+
+
+
+ vscmount.vm
+ 1.5.0.20231208
+ Eric Zimmerman
+ Mount all VSCs on a drive letter to a given mount point
+
+
+
+
+
+
diff --git a/packages/wxtcmd.vm/tools/chocolateyinstall.ps1 b/packages/wxtcmd.vm/tools/chocolateyinstall.ps1
new file mode 100644
index 000000000..59f7a2d6c
--- /dev/null
+++ b/packages/wxtcmd.vm/tools/chocolateyinstall.ps1
@@ -0,0 +1,10 @@
+$ErrorActionPreference = 'Stop'
+Import-Module vm.common -Force -DisableNameChecking
+
+$toolName = 'WxTCmd'
+$category = 'Forensic'
+
+$zipUrl = 'https://f001.backblazeb2.com/file/EricZimmermanTools/net6/WxTCmd.zip'
+$zipSha256 = '87d97c832a6c7d82ca57e2213c6e3416a3b4ea5ff5b54db4cc84e48b1cfc424a'
+
+VM-Install-From-Zip $toolName $category $zipUrl -zipSha256 $zipSha256 -consoleApp $true -innerFolder $false
diff --git a/packages/wxtcmd.vm/tools/chocolateyuninstall.ps1 b/packages/wxtcmd.vm/tools/chocolateyuninstall.ps1
new file mode 100644
index 000000000..9a899f4df
--- /dev/null
+++ b/packages/wxtcmd.vm/tools/chocolateyuninstall.ps1
@@ -0,0 +1,7 @@
+$ErrorActionPreference = 'Continue'
+Import-Module vm.common -Force -DisableNameChecking
+
+$toolName = 'WxTCmd'
+$category = 'Forensic'
+
+VM-Uninstall $toolName $category
diff --git a/packages/wxtcmd.vm/wxtcmd.vm.nuspec b/packages/wxtcmd.vm/wxtcmd.vm.nuspec
new file mode 100644
index 000000000..155f38a0e
--- /dev/null
+++ b/packages/wxtcmd.vm/wxtcmd.vm.nuspec
@@ -0,0 +1,13 @@
+
+
+
+ wxtcmd.vm
+ 1.0.0.20231208
+ Eric Zimmerman
+ Windows 10 Timeline database parser
+
+
+
+
+
+
From 496763522338a0cef6c12fa35279c6069b013ce2 Mon Sep 17 00:00:00 2001
From: Naacbin
Date: Tue, 20 Feb 2024 16:15:07 +0100
Subject: [PATCH 3/3] Add .NET4 hasher
---
 packages/hasher.vm/hasher.vm.nuspec | 13 +++++++++++++
 packages/hasher.vm/tools/chocolateyinstall.ps1 | 10 ++++++++++
 packages/hasher.vm/tools/chocolateyuninstall.ps1 | 7 +++++++
 3 files changed, 30 insertions(+)
 create mode 100644 packages/hasher.vm/hasher.vm.nuspec
 create mode 100644 packages/hasher.vm/tools/chocolateyinstall.ps1
 create mode 100644 packages/hasher.vm/tools/chocolateyuninstall.ps1
diff --git a/packages/hasher.vm/hasher.vm.nuspec b/packages/hasher.vm/hasher.vm.nuspec
new file mode 100644
index 000000000..90932ee4d
--- /dev/null
+++ b/packages/hasher.vm/hasher.vm.nuspec
@@ -0,0 +1,13 @@
+
+
+
+ hasher.vm
+ 2.0.0.20231207
+ Eric Zimmerman
+ Hash all the things
+
+
+
+
+
+
diff --git a/packages/hasher.vm/tools/chocolateyinstall.ps1 b/packages/hasher.vm/tools/chocolateyinstall.ps1
new file mode 100644
index 000000000..c62192c7b
--- /dev/null
+++ b/packages/hasher.vm/tools/chocolateyinstall.ps1
@@ -0,0 +1,10 @@
+$ErrorActionPreference = 'Stop'
+Import-Module vm.common -Force -DisableNameChecking
+
+$toolName = 'Hasher'
+$category = 'Utilities'
+
+$zipUrl = 'https://f001.backblazeb2.com/file/EricZimmermanTools/hasher.zip'
+$zipSha256 = '1693875e5f830e582dc01778cae34e50c1e28d472ced9fe1caeac89843b58cfa'
+
+VM-Install-From-Zip $toolName $category $zipUrl -zipSha256 $zipSha256 -consoleApp $false -innerFolder $true
diff --git a/packages/hasher.vm/tools/chocolateyuninstall.ps1 b/packages/hasher.vm/tools/chocolateyuninstall.ps1
new file mode 100644
index 000000000..da4e01457
--- /dev/null
+++ b/packages/hasher.vm/tools/chocolateyuninstall.ps1
@@ -0,0 +1,7 @@
+$ErrorActionPreference = 'Continue'
+Import-Module vm.common -Force -DisableNameChecking
+
+$toolName = 'Hasher'
+$category = 'Utilities'
+
+VM-Uninstall $toolName $category
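Review bot: The `hasher.vm` install script fetches `EricZimmermanTools/hasher.zip` from the top-level folder rather than the `net6/` folder every sibling Zimmerman package in this series uses, and nothing in the file records why; the only explanation is the commit subject ("Add .NET4 hasher"), which is lost once the script is read on its own. A comment above `$zipUrl` would keep the rationale with the code, e.g. `# .NET 4 build: Hasher is published at the top level, not under net6/ (see commit "Add .NET4 hasher")` — reword if the actual reason is something else, such as no net6 build being available. The `$zipSha256` pin likewise has no note of when it was computed; the nuspec version suffix `20231207` suggests the date, but that is an inference and should be confirmed before being written down. `$category = 'Utilities'` also differs from the `'Forensic'` category used by the rest of the series, which looks deliberate for a general-purpose hashing tool but is worth a word in the nuspec description so the split is not mistaken for an oversight.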