lense 0.1.25 → 0.1.26

Files changed (5)
  1. checksums.yaml +4 -4
  2. data/bin/lense +2 -0
  3. data/data/mfwvl1.yaml +55 -52
  4. data/lib/lense.rb +2 -2
  5. metadata +2 -2
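--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 087b3ef495a47f100cc11ad6e1fb20ba9450e153
-  data.tar.gz: 9c627e0fc41207295c477421ec82032dfeba2589
+  metadata.gz: 93081a4dd98c443306c190459fcd3005e51e8c06
+  data.tar.gz: 9ecceca898731f2abcb7d97292dc3e24399fbc29
 SHA512:
-  metadata.gz: 97fcdde37948525455d227da81278197e8f77279aed75a2427330c9a713098cc6568f2d0d5a62ce367b92fb54e54979442fc2c329acd279cf94e2734b66649e2
-  data.tar.gz: c7ceb05d8540d6e345fa7238a10010bb8310e68b797fe7b94c4195f89d689b6a2ede40b6bb9d8584d601d7d54d5190e8c3863c2b6f33809d91ce78d9af781e0c
+  metadata.gz: 9e71efcc4ad9c150a6095eb554d1dd5a58aa0bcbcb26f4f76f1c2c07264599fcdcad5d3c783361ff0989e1a63f0a75f2cd9661abdc5fb7df0f9a988ae8c11148
+  data.tar.gz: 7eac7d1e887c6c1cbd310ac7a02c88bb1f09aece10096854c79f99ab2ccded0225264b0eb34478d7be433ea3fa7fa300a7377dcff0bcc8135d48d6e17dc6d5ce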
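--- a/data/bin/lense
+++ b/data/bin/lense
@@ -15,12 +15,14 @@ LENSE_APP = LENSE.new
 
 pre do |global_options,command,options,args|
   found_docker = system_check('which docker')
+  found_docker_compose = system_check('which docker-compose')
   docker_running = found_docker && system_check('docker version')
   found_vagrant = system_check('which vagrant')
   found_git = system_check('which git')
 
   be_quiet = global_options[:quiet] || LENSE_APP.config["quiet"]
   puts "WARNING: Docker not found. Unable to run courses that use Docker!" unless found_docker || be_quiet
+  puts "WARNING: Docker Compose not found. Unable to run courses that use Docker Compose!" unless found_docker || be_quiet
   puts "WARNING: Docker is not running. Unable to run courses that use Docker!" if (found_docker && !docker_running) && !be_quiet
   puts "WARNING: Vagrant not found. Unable to run courses that use Vagrant!" unless found_vagrant || be_quiet
 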
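Review bot: The new Docker Compose warning (second added line) is guarded by `found_docker` instead of the `found_docker_compose` result computed just above it, so it is silent when Docker is installed but Compose is missing, and prints spuriously whenever Docker itself is absent. The guard should read `puts "WARNING: Docker Compose not found. Unable to run courses that use Docker Compose!" unless found_docker_compose || be_quiet`. As written, `found_docker_compose` is otherwise unused in the hunk. The `pre` block this sits in is closed outside the hunk, so I cannot see whether the value is consumed further down.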
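--- a/data/data/mfwvl1.yaml
+++ b/data/data/mfwvl1.yaml
@@ -1,54 +1,57 @@
 ---
 # Name of course. Should match website
-course_name: Memory Forensics With Volatility Lesson 1
-
-# Folder in ~/.lense directory
-folder_name: mfwvl1
-
-# Eh why not?
-course_difficulty: 1
-
-# Items to download. Should be placed in ~/.lense/<folder_name>
-downloads:
-  - https://drive.google.com/file/d/0B50xr4dwmqonNmtpa3pycGM4WXM/view?usp=sharing
-
-# Any docker containers to pull.
-docker: llacoste/docker_volatility
-
-# The final command to open in a new terminal.
-entry_point: docker run -v ~/.lense/mfwvl1/my_memory_sample.vmem:/data -i -t
-
-# Begin the lesson.
-lesson_plan:
-  - say: Load up volshell on the windows_xp.vmem image (volatility -f windows_xp.vmem volshell)
-
-  - say: 'We are going to take a look at some TYPEs in volshell. Using the dt command inspect: _EPROCESS _ETHREAD _TOKEN'
-    question:
-      ask: What do you see?
-      hint: 'Enter: dt("<TYPE>")'
-      expect: '*'
-
-  - say: Exit volshell and run pslist
-    question:
-      ask: What process has PID 296?
-      expect: svchost.exe
-
-  - say: Now run psscan
-    question:
-      ask: What is the offset of the explorer.exe process with PID 236
-      expect: '0x0000000005201a08'
-
-  - say: Now run pstree
-    question:
-      ask: What is the name of the first child process of explorer.exe with PID 236
-      expect: vmtoolsd.ex
-
-  - say: Now run psxview
-    question:
-      ask: What process has PID 296?
-      expect: svchost.exe
-
-  - say: You can look at the privileges of a process by using the privs plugin along with the -p flag. Use the -p flag on various plugins to focus on a particular process with the given PID i.e. -p 236 for explorer.exe. Run privs on explorer.exe
-    question:
-      ask: What are the privileges for SeImpersonatePrivilege
-      expect: Present,Enabled,Default
+course:
+  title: Memory Forensics With Volatility Lesson 1
+  difficulty: 1
+  authors:
+    - name: Lance Lacoste
+      email: lance.lacoste@gmail.com
+
+  # Items to download. Should be placed in ~/.lense/<folder_name>
+  data:
+    # ~/.lense/courses/llacoste/mfwvl1/data/foo
+    - rel: data
+      url: https://drive.google.com/file/d/0B50xr4dwmqonNmtpa3pycGM4WXM/view?usp=sharing
+      description: "why you need it?"
+    # ~/.lense/courses/llacoste/mfwvl1/data/memdumps/foo
+    - rel: data/memdumps
+      url: https://drive.google.com/file/d/0B50xr4dwmqonNmtpa3pycGM4WXM/view?usp=sharing
+      description: "why you need it?"
+
+  # The final command to open in a new terminal.
+  entry_point: docker run -v ~/.lense/mfwvl1/my_memory_sample.vmem:/data -i -t llacoste/docker_volatility
+
+  # Begin the lesson.
+  lesson_plan:
+    - say: Load up volshell on the windows_xp.vmem image (volatility -f windows_xp.vmem volshell)
+
+    - say: 'We are going to take a look at some TYPEs in volshell. Using the dt command inspect: _EPROCESS _ETHREAD _TOKEN'
+      question:
+        ask: What do you see?
+        hint: 'Enter: dt("<TYPE>")'
+        expect: '*'
+
+    - say: Exit volshell and run pslist
+      question:
+        ask: What process has PID 296?
+        expect: svchost.exe
+
+    - say: Now run psscan
+      question:
+        ask: What is the offset of the explorer.exe process with PID 236
+        expect: '0x0000000005201a08'
+
+    - say: Now run pstree
+      question:
+        ask: What is the name of the first child process of explorer.exe with PID 236
+        expect: vmtoolsd.exe
+
+    - say: Now run psxview
+      question:
+        ask: What process has PID 296?
+        expect: svchost.exe
+
+    - say: You can look at the privileges of a process by using the privs plugin along with the -p flag. Use the -p flag on various plugins to focus on a particular process with the given PID i.e. -p 236 for explorer.exe. Run privs on explorer.exe
+      question:
+        ask: What are the privileges for SeImpersonatePrivilege
+        expect: Present,Enabled,Default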
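Review bot: The new `entry_point` still bind-mounts `~/.lense/mfwvl1/my_memory_sample.vmem` (the pre-restructure layout) while the comments in the new `data` block place downloads under `~/.lense/courses/llacoste/mfwvl1/data/...`, and the first lesson step then asks for `windows_xp.vmem`, so the container is unlikely to find the image the lesson refers to; the mount path and the lesson text should name the same file under the new layout. Both `data` entries also point at the same Google Drive share link with the placeholder description `"why you need it?"`, and the comment `Should be placed in ~/.lense/<folder_name>` refers to a `folder_name` key the new schema no longer defines. Because these are memory images fetched from a third-party share link and then mounted into a container, each entry would benefit from an integrity field such as `sha256: <digest of the expected file>` so the client can verify the download before use — assuming the loader is extended to check it.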
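--- a/data/lib/lense.rb
+++ b/data/lib/lense.rb
@@ -4,7 +4,7 @@ require 'highline/import'
 class LENSE
   attr_reader :config, :current_course
 
-  VERSION = '0.1.25'
+  VERSION = '0.1.26'
   LENSE_DIR = File.join(ENV['HOME'],'.lense')
   COURSES_DIR = File.join(LENSE_DIR,'courses')
   CURRENT_COURSE_FILE = File.join(LENSE_DIR,'current_course')
@@ -71,7 +71,7 @@ class LENSE
     test_str = File.file?(test_file) ? File.read(test_file) : ''
     lense_file = Psych.load(test_str) || {}
 
-    lense_file['lesson_plan'].each do |lesson|
+    lense_file['course']['lesson_plan'].each do |lesson|
       say question_separator
       say "#{say_prefix} #{lesson['say']}" if lesson['say']
 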
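Review bot: `lense_file['course']['lesson_plan']` in the second hunk raises `NoMethodError` on `nil` for any course file that still uses the previous flat `lesson_plan:` layout, and equally for a missing or empty file, since `Psych.load(test_str) || {}` yields `{}` and `{}['course']` is `nil`; this release changes the course schema without a fallback or a readable error. A guarded lookup such as `lessons = (lense_file['course'] || {})['lesson_plan']` followed by `raise "#{test_file}: no course.lesson_plan section" unless lessons` would fail with a message naming the file instead of a stack trace. Separately, the context line `Psych.load(test_str)` deserializes the course YAML with full Ruby object instantiation; if course files can arrive from anywhere other than the user's own edits, `Psych.safe_load` is the appropriate call. The surrounding method starts and ends outside the hunk, so I cannot see where `test_file` originates.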
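--- a/metadata
+++ b/metadata
@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: lense
 version: !ruby/object:Gem::Version
-  version: 0.1.25
+  version: 0.1.26
 platform: ruby
 authors:
 - Manuel Zubieta
@@ -9,7 +9,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2015-04-22 00:00:00.000000000 Z
+date: 2015-04-23 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rake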