lense 0.1.25 → 0.1.26

  1. checksums.yaml +4 -4
  2. data/bin/lense +2 -0
  3. data/data/mfwvl1.yaml +55 -52
  4. data/lib/lense.rb +2 -2
  5. metadata +2 -2
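--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA1:
- metadata.gz: 087b3ef495a47f100cc11ad6e1fb20ba9450e153
- data.tar.gz: 9c627e0fc41207295c477421ec82032dfeba2589
+ metadata.gz: 93081a4dd98c443306c190459fcd3005e51e8c06
+ data.tar.gz: 9ecceca898731f2abcb7d97292dc3e24399fbc29
  SHA512:
- metadata.gz: 97fcdde37948525455d227da81278197e8f77279aed75a2427330c9a713098cc6568f2d0d5a62ce367b92fb54e54979442fc2c329acd279cf94e2734b66649e2
- data.tar.gz: c7ceb05d8540d6e345fa7238a10010bb8310e68b797fe7b94c4195f89d689b6a2ede40b6bb9d8584d601d7d54d5190e8c3863c2b6f33809d91ce78d9af781e0c
+ metadata.gz: 9e71efcc4ad9c150a6095eb554d1dd5a58aa0bcbcb26f4f76f1c2c07264599fcdcad5d3c783361ff0989e1a63f0a75f2cd9661abdc5fb7df0f9a988ae8c11148
+ data.tar.gz: 7eac7d1e887c6c1cbd310ac7a02c88bb1f09aece10096854c79f99ab2ccded0225264b0eb34478d7be433ea3fa7fa300a7377dcff0bcc8135d48d6e17dc6d5ce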
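--- a/data/bin/lense
+++ b/data/bin/lense
@@ -15,12 +15,14 @@ LENSE_APP = LENSE.new
 
  pre do |global_options,command,options,args|
  found_docker = system_check('which docker')
+ found_docker_compose = system_check('which docker-compose')
  docker_running = found_docker && system_check('docker version')
  found_vagrant = system_check('which vagrant')
  found_git = system_check('which git')
 
  be_quiet = global_options[:quiet] || LENSE_APP.config["quiet"]
  puts "WARNING: Docker not found. Unable to run courses that use Docker!" unless found_docker || be_quiet
+ puts "WARNING: Docker Compose not found. Unable to run courses that use Docker Compose!" unless found_docker || be_quiet
  puts "WARNING: Docker is not running. Unable to run courses that use Docker!" if (found_docker && !docker_running) && !be_quiet
  puts "WARNING: Vagrant not found. Unable to run courses that use Vagrant!" unless found_vagrant || be_quiet
 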
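Review bot: The added Docker Compose warning tests `found_docker` instead of the `found_docker_compose` value assigned a few lines earlier, so it stays silent when only docker-compose is missing and fires whenever plain Docker is missing, duplicating the warning directly above it. The condition should read `puts "WARNING: Docker Compose not found. Unable to run courses that use Docker Compose!" unless found_docker_compose || be_quiet`. As written, `found_docker_compose` is assigned but never read, which a linter would also flag. The `pre do` block containing these lines continues past the end of the hunk.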
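--- a/data/data/mfwvl1.yaml
+++ b/data/data/mfwvl1.yaml
@@ -1,54 +1,57 @@
  ---
  # Name of course. Should match website
- course_name: Memory Forensics With Volatility Lesson 1
-
- # Folder in ~/.lense directory
- folder_name: mfwvl1
-
- # Eh why not?
- course_difficulty: 1
-
- # Items to download. Should be placed in ~/.lense/<folder_name>
- downloads:
- - https://drive.google.com/file/d/0B50xr4dwmqonNmtpa3pycGM4WXM/view?usp=sharing
-
- # Any docker containers to pull.
- docker: llacoste/docker_volatility
-
- # The final command to open in a new terminal.
- entry_point: docker run -v ~/.lense/mfwvl1/my_memory_sample.vmem:/data -i -t
-
- # Begin the lesson.
- lesson_plan:
- - say: Load up volshell on the windows_xp.vmem image (volatility -f windows_xp.vmem volshell)
-
- - say: 'We are going to take a look at some TYPEs in volshell. Using the dt command inspect: _EPROCESS _ETHREAD _TOKEN'
- question:
- ask: What do you see?
- hint: 'Enter: dt("<TYPE>")'
- expect: '*'
-
- - say: Exit volshell and run pslist
- question:
- ask: What process has PID 296?
- expect: svchost.exe
-
- - say: Now run psscan
- question:
- ask: What is the offset of the explorer.exe process with PID 236
- expect: '0x0000000005201a08'
-
- - say: Now run pstree
- question:
- ask: What is the name of the first child process of explorer.exe with PID 236
- expect: vmtoolsd.ex
-
- - say: Now run psxview
- question:
- ask: What process has PID 296?
- expect: svchost.exe
-
- - say: You can look at the privileges of a process by using the privs plugin along with the -p flag. Use the -p flag on various plugins to focus on a particular process with the given PID i.e. -p 236 for explorer.exe. Run privs on explorer.exe
- question:
- ask: What are the privileges for SeImpersonatePrivilege
- expect: Present,Enabled,Default
+ course:
+ title: Memory Forensics With Volatility Lesson 1
+ difficulty: 1
+ authors:
+ - name: Lance Lacoste
+ email: lance.lacoste@gmail.com
+
+ # Items to download. Should be placed in ~/.lense/<folder_name>
+ data:
+ # ~/.lense/courses/llacoste/mfwvl1/data/foo
+ - rel: data
+ url: https://drive.google.com/file/d/0B50xr4dwmqonNmtpa3pycGM4WXM/view?usp=sharing
+ description: "why you need it?"
+ # ~/.lense/courses/llacoste/mfwvl1/data/memdumps/foo
+ - rel: data/memdumps
+ url: https://drive.google.com/file/d/0B50xr4dwmqonNmtpa3pycGM4WXM/view?usp=sharing
+ description: "why you need it?"
+
+ # The final command to open in a new terminal.
+ entry_point: docker run -v ~/.lense/mfwvl1/my_memory_sample.vmem:/data -i -t llacoste/docker_volatility
+
+ # Begin the lesson.
+ lesson_plan:
+ - say: Load up volshell on the windows_xp.vmem image (volatility -f windows_xp.vmem volshell)
+
+ - say: 'We are going to take a look at some TYPEs in volshell. Using the dt command inspect: _EPROCESS _ETHREAD _TOKEN'
+ question:
+ ask: What do you see?
+ hint: 'Enter: dt("<TYPE>")'
+ expect: '*'
+
+ - say: Exit volshell and run pslist
+ question:
+ ask: What process has PID 296?
+ expect: svchost.exe
+
+ - say: Now run psscan
+ question:
+ ask: What is the offset of the explorer.exe process with PID 236
+ expect: '0x0000000005201a08'
+
+ - say: Now run pstree
+ question:
+ ask: What is the name of the first child process of explorer.exe with PID 236
+ expect: vmtoolsd.exe
+
+ - say: Now run psxview
+ question:
+ ask: What process has PID 296?
+ expect: svchost.exe
+
+ - say: You can look at the privileges of a process by using the privs plugin along with the -p flag. Use the -p flag on various plugins to focus on a particular process with the given PID i.e. -p 236 for explorer.exe. Run privs on explorer.exe
+ question:
+ ask: What are the privileges for SeImpersonatePrivilege
+ expect: Present,Enabled,Default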
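Review bot: The rewritten `entry_point` still bind-mounts `~/.lense/mfwvl1/my_memory_sample.vmem`, while the new `data:` entries and their comments place downloads under `~/.lense/courses/llacoste/mfwvl1/data/...` and the old `folder_name: mfwvl1` key that defined the former location has been removed; unless the loader still maps this course to the old path (not visible here), the mount will point at a location nothing populates and the container will see an empty `/data`. The two `data:` entries also share one download URL and both carry the placeholder `description: "why you need it?"`, so the `data/memdumps` entry reads as an unfinished copy of the first. I'd point the mount at the path the `data/memdumps` comment describes and give each entry a real description, or drop the duplicate entry. The `docker:` key that previously named the image to pull is gone and the image name now only appears at the end of the run command; if anything consumed that key for a pre-pull, it needs updating as well.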
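--- a/data/lib/lense.rb
+++ b/data/lib/lense.rb
@@ -4,7 +4,7 @@ require 'highline/import'
  class LENSE
  attr_reader :config, :current_course
 
- VERSION = '0.1.25'
+ VERSION = '0.1.26'
  LENSE_DIR = File.join(ENV['HOME'],'.lense')
  COURSES_DIR = File.join(LENSE_DIR,'courses')
  CURRENT_COURSE_FILE = File.join(LENSE_DIR,'current_course')
@@ -71,7 +71,7 @@ class LENSE
  test_str = File.file?(test_file) ? File.read(test_file) : ''
  lense_file = Psych.load(test_str) || {}
 
- lense_file['lesson_plan'].each do |lesson|
+ lense_file['course']['lesson_plan'].each do |lesson|
  say question_separator
  say "#{say_prefix} #{lesson['say']}" if lesson['say']
 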
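Review bot: `lense_file['course']['lesson_plan']` on the new line raises `NoMethodError` on nil whenever the loaded course file has no top-level `course` key — an empty or missing file yields `{}` through the `|| {}` fallback two lines up, and any course file still in the pre-0.1.26 layout (where `lesson_plan` was top-level, as the removed line shows) fails the same way. A guard with a clear message keeps the failure understandable: `plan = (lense_file['course'] || {})['lesson_plan']`, then `raise "course file #{test_file} has no course/lesson_plan" unless plan`, and iterate with `plan.each do |lesson|`. Separately, the context line above loads the course file with `Psych.load`, which can instantiate arbitrary Ruby objects from the YAML; if course files can arrive from anywhere other than the gem's own data directory, `Psych.safe_load` would be the safer choice — I can't tell from this hunk where they come from. The enclosing method starts before and ends after this hunk.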
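--- a/metadata
+++ b/metadata
@@ -1,7 +1,7 @@
  --- !ruby/object:Gem::Specification
  name: lense
  version: !ruby/object:Gem::Version
- version: 0.1.25
+ version: 0.1.26
  platform: ruby
  authors:
  - Manuel Zubieta
@@ -9,7 +9,7 @@ authors:
  autorequire:
  bindir: bin
  cert_chain: []
- date: 2015-04-22 00:00:00.000000000 Z
+ date: 2015-04-23 00:00:00.000000000 Z
  dependencies:
  - !ruby/object:Gem::Dependency
  name: rake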