Andrew Case · Jan 10, 2020 · 1:19 AM UTC

Andrew Case

Andrew Case @attrc

10 Jan 2020

#DFIR Tip! The -A, -B and -C flags to grep are *VERY* handy when searching strings files with -A <#> it will show you # number of lines after a hit on your search pattern -B <#> shows number of lines before -C <#> which stands for context, will show # lines before&after

Hal Pomeranz · Jan 10, 2020 · 1:22 AM UTC

Hal Pomeranz · Jan 10, 2020 · 1:22 AM UTC

Hal Pomeranz @hal_pomeranz

10 Jan 2020

Replying to @attrc

“vol.py ... malfind | grep -B4 MZ | grep Process” is one of my faves for quickly pulling out processes with injected PE sections

Jan 10, 2020 · 1:22 AM UTC

Andrew Case · Jan 10, 2020 · 1:24 AM UTC

Andrew Case @attrc

10 Jan 2020

Replying to @hal_pomeranz

Nice! You probably know, but you can also do “malfind -D <directory>” then run the file command on all the extracted regions. AV will freak out on known malware though since it’s being written to disk :)