Hacker Profiling Guide
User Manual:
Open the PDF directly: View PDF 
.
Page Count: 21
The4960’s Hacker Profiling Guide
Authors:
Christian Aaron Murga
Editors/Contributors:
Albert Morales
Jaime Acosta
Tables of contents:
Type of Attacks 2
Types of Malware 4
Motivations 6
Cybercriminal Profiles 7
Motivational Typologies 8
Digital Forensics Workflow 9
Skills/Areas of Knowledge 9
File Extensions 10
Network Protocols 10
Partition Formats 11
Windows Programs 14
Windows 7 Programs (Default) 15
Windows Registry Hives 16
Linux Programs 17
Glossary 19
References 21
1
Type of Attacks
● Man in the Middle Attack -
gaining unauthorized access to
network traffic
such that the traffic
goes through the attacker before
reaching its end point. An attacker
can use this to simply listen in on
traffic, or can be used to modify
traffic with malicious intent.
● Spoofing - falsifying or presenting
data in such a way that the attacker
appears to have a different identify
.
● Phishing Attack - when an attacker,
masquerading as a trusted entity
,
dupes a victim into opening an
email, instant message, or text
message. The recipient is then
tricked into clicking a malicious link
,
which can lead to a variety of
attacks.
● Denial of Service - maliciously
consuming a system’s resources
such that it is unable to serve clients.
2
● XXS Cross-Site Scripting - injecting
a malicious script
to a vulnerable
website. When a normal client visits
the website, the client run the
malicious script
.
● SQL Injection - submitting malicious
input to a vulnerable server’s form
such that the server treats the input
as a command rather than data
.
● Brute Force/Dictionary Attack - a
form of password cracking
where an
attacker incrementally guess what
they password might be from a large
set of inputs.
3
Types of Malware
● Virus - Attached to a program.
Spreads when a user launches an
infected program – keeps a low
profile and usually infects new
programs or disks.
● Worm - Does not need to attach to
an existing program. Sends a copy
of itself to another computer and
then launches that copy.
● Ransomware - encrypts files and
demands payment to decrypt them.
This is a subset of scamware.
4
● Backdoor - allow the attacker to
execute commands usually with little
or no authentication
● Rootkit - designed to conceal
existence of other malware
● Adware - “Software typically installed
that displays advertisements
browser pop-ups).”
● Keylogger - collects keystroke
information and gives to attacker.
5
Motivations
6
Cybercriminal Profiles
From “Computer Incident Response and Forensics Team Management : Conducting a Successful Incident Response”
●Script kiddie
- not technologically sophisticated; uses existing scripts; ego driven; usually
have the intent to trespass or invade privacy.
●Cyberpunks
- technologically proficient; usually young; ego driven. Tend to engage in
trespassing, invasion, theft, sabotage. Often viruses and DOS against established
companies.
●Old timers
- most technologically proficient; motivation is ego driven and perfecting the
cyber-trespassing ‘art.’ Typically middle aged or older; have extensive technology
backgrounds. Sometimes deface websites; usually do not cause much harm due to skill.
●Unhappy insider
- very dangerous since they are inside an organization's defenses, any
and and employment level, motivation is revenge and/or monetary gain. Intend to steal
from or harm company. Engage in extortion or exposure of company secrets. Depend
on direct access - Internet is secondary (also to obtain tools, transfer, etc).
●Ex-insider
- separated from company unwillingly (e.g. layoff, bad performance/conduct);
motive is revenge and purpose to harm company; if termination is foreseen, they may
perform other destructive acts (e.g. logic bombs, delete data); benefit from private
company information
●Cyber-thieves
- any age, does not require vast technological experience. Motivation is
profit (e.g. stealing data, monetary theft). Adept at social engineering, but use network
tools as well. Often try to gain employment at targeted company; some work from the
outside.
●Cyberhucksters
- spammers and malware distributors. Focused on monetary gain.
Good at social engineering and spoofing. Use spyware. Sometimes infect systems so
they can sell the cure.
●Con man
- Motivated by monetary gain. “Theft is their trademark.” Often run scams and
perform phishing attacks to commit identity and credit card theft. Very good at social
engineering and spoofing. Harder to catch because they are usually antonymous.
Typically no specific victim; some will target high value targets by spear phishing.
●Cyberstalker
- driven by ego and deviance. Want to invade their victim’s privacy to
satisfy personal/psychological need (e.g. jealousy). Use keyloggers, Trojan horses,
sniffers; very resourceful and diverse.
●Code warriors
- skilled with long histories with technology (often times with degrees).
Initially focused on ego and revenge. Now more capitalistic, performing theft or
sabotage. Not an ‘art’, more of a profession. Code exploitation and trojan horse
creators. Any age, but typically 30-50. Usually socially inept and social deviants.
●Mafia soldier
- some characteristics from con-man and code warrior. Highly organized
with criminal purpose of making money. Typically engage in theft, extortion, and privacy
invasion with goal of blackmail.
●Warfighter
- Any age; very bright and skilled. Motivation is infowar (e.g. after strategic
advantages for their country and their allies). All types of cyber weapons (e.g. trojan
horses, DOS attacks, and use of disinformation.
7
Motivational Typologies
From “Profiling and Serial Crime : Theoretical and Practical Issues”
● Power Reassurance
○ “This offender is driven by a relational fantasy and feels that the victim is special
because of it.”
○ “There is no intent to punish or degrade, and they are the least likely to physically
harm their victim since this would shatter the illusion that the relationship was
somehow wanted”
○ “The attack is intended to restore diminishing feelings of masculinity, and power
is achieved by taking power away from the victim.”
● Power Assertive
○ Offender “feel inadequate and both seek affirmation about their masculinity and
worth.”
○ “offender tries to establish a relationship with the victim, and in this way hopes to
shore up their low self-worth.”
○ “offenders try to make themselves feel better by making others feel bad.”
○ “is not concerned about the victim’s welfare in any form. Moderate to excessive
force may be used in controlling the victim, and the attacks will occur at any time
and location that is convenient and safe.”
● Anger Retaliatory
○ “does not want to include the victim or want their input. They will use excessive
levels of force, even beyond that needed to gain control over a victim, or that
required to get compliance.”
○ “Offenders hate the target (individual or group) against whom the offense is
committed and will hold them accountable for real wrongs, or misplace their
aggression as would happen in the case of a perceived wrong.”
○ “focus is an individual or a group that has either done something wrong or that
the offender believes has done something wrong.”
● Pervasively Angry
○ “The offense is the manifestation of anger not directed at a specific target, group,
or institution, but results from cumulative life stresses in any or all aspects of
being.”
● Gang and Opportunistic
○ Reassurance Oriented - seeking emotional support due to low self-esteem
○ Pervasively Angry - group used as a platform to legitimize behavior
○ The gang espouses a philosophy that is concordant with their own
○ Joins gang for monetary gain
● Profit
○ Struggling to make ends meet
○ Does not have to be actual cash
8
Digital Forensics Workflow
From “Computer Incident Response and Forensics Team Management : Conducting a Successful Incident Response”
1. Prepare —Specific forensics training, overarching corporate policies and procedures, as
well as practice investigations and examinations will prepare you for an “event.”
Specialized forensics or incident handling certifications are considered of great value for
forensics investigators. Identify —When approaching an incident scene— review what is
occurring on the computer screen. If data is being deleted, pull the power plug from the
wall; otherwise perform real-time capture of system “volatile” data first.
2. Preserve —Once the system-specific “volatile” data is retrieved, then turn off machine,
remove it from scene, and power it up in an isolated environment. Perform a full system
bit-stream image capture of the data on the machine, remembering to “hash” the image
with the original data for verification purposes.
3. Select —Once you have a verified copy of the available data, start investigation of data
by selecting potential evidence files, datasets, and locations data could be stored.
Isolate event-specific data from normal system data for further examination.
4. Examine —Look for potential hidden storage locations of data such as slack space,
unallocated space, and in front of File Allocation Table (FAT) space on hard drives.
Remember to look in registry entries or root directories for additional potential indicators
of data storage activity. Classify —Evaluate data in potential locations for relevance to
current investigation. Is the data directly related to case, or does it support events of the
case, or is it unrelated to the case?
5. Analyze —Review data from relevant locations. Ensure data is readable, legible, and
relevant to investigation. Evaluate it for type of evidence: Is it direct evidence of alleged
issue or is it related to issue?
6. Present —Correlate all data reviewed to investigation papers (warrants, corporate
documents, etc.). Prepare data report for presentation— either in a court of law or to
corporate officers.
Skills/Areas of Knowledge
● Encryption
● Web development
● Malware writing
● Programming
● Computer vision
● Data mining
● Machine learning
● Reverse engineering
● Networking
● Penetration testing
● Social engineering
● Wireless communications
9
File Extensions
● elf - Linux executable
● exe - Windows executable
● lnk - Reference/link to another file
● txt - Text file
● php - Webpage
● html - Webpage
● bat - Windows shell script
● dll - Windows dynamically link library
● ps1 - Windows Powershell script
● dat - General information file
● py - Python script
● java - Java source code
● webm - Video file
Network Protocols
8 Layer model: Physical, Data, Network, Transport, Session, Presentation, Application
(Please Do Not Teach Stupid People Acronyms)
4 Layer model: Network access layer, Network layer, Transport layer, Application layer
Port
Name
Description
8
echo
Test connection between client and server
17
qotd
Quote of the day
18
msp
Message send protocol
21
ftp
File transfer
22
ssh
Remote shell
23
telnet
Old remote terminal connection
25
smtp
Mail transfer
53
domain/DNS
Domain name system - resolves domain names
66
sql-net
SQL database server
67
dhcps
Dynamic Host Configuration Protocol server - assigns
IP addresses
68
dhcpc
Dynamic Host Configuration Protocol client - assigned
IP addresses
69
tftp
Trivial File Transfer Protocol
79
finger
User information look up
10
80
http
Hypertext transfer protocol - websites
88
kerberos
Authentication protocol
110
pop3
Email service
111
rpcbind
Bind port to program
123
ntp
Network time protocol
137
netbios-ns
Network Basic Input/Output System
138
netbios-dgm
Network Basic Input/Output System
139
netbios-ssn
Network Basic Input/Output System
143
imap
Email service
162
snmp
Simple Network Management protocol
194
irc
Internet relay chat
443
https
Secure HTTP
445
microsoft-ds
SMB over IP
497
retrospect
Backup software
514
syslog
Logger for network devices
515
printer
...
520
rip
Controls routing tables
1434
ms-sql-m
Microsoft sql monitor
1723
pptp
Point-to-Point Tunneling Protocol
1900
upnp
Universal Plug and Play
8080
http-proxy
….
Partition Formats
● NTFS - robust and effective. Windows install format. Somewhat low compatibility with
other systems. (1993)
11
● FAT32 (File Allocation Table 32) - all operating systems (universal); Max volume:
depends, typically 2TB, but 32GB in Windows. Max file size 4GB. Not a journaling file
system (more prone to corruption). Does not support file permissions. (1977)
● EXFAT - flash drive optimized. More compatible than NTFS, but less than FAT32.
(2006)
● EXT4 - Max file size: 16TB. Max volume: 1EB (exabyte) = 1,024PB (petabyte) =
1,048,576 TB (terabyte). Linux install format. Optional journaling file system. (2008)
● EXT3 - Max file size: 2TB. Max volume: 32TB. Journaling file system. (2001)
● Linux-swap - used when RAM is full.
12
Windows Programs
● Programming/Development
○ XAMPP - used to develop
and host websites. Website
files stored in
C:\xampp\htdocs\
○ Python - scripting programing
language
○ PHP - web-focused
programing language
○ Java JDK/JRE - object
oriented programing
language
○ Eclipse - Integrated
development environment for
programming
○ GitHub Desktop - version
control software; usually
used when programming
○ Blender - 3D modeling
program
○ Unity Game Engine -
cross-platform game engine
for game development
○ Matlab - Programming
language with mathematical
focus
○ Visual Studio - Integrated
development environment for
programming
○ Sublime Text Editor -
typically for programming
○ Cygwin - GNU Linux tools for
Windows
● Pen-testing
○ Metasploit - penetration
testing software. Has a
folder at ~/.msf4
containing
logs, history, and other
settings.
○ Wireshark - network analysis
software
○ Nmap - network scanner
○ Tor Browser - proxy-based
browser built on Firefox
○ Burp Suite - web application
testing tool
○ Cain & Able - penetration
testing and password
recovery tool
○ Mimikatz - penetration testing
tool targeting Windows
○ IDA pro - reverse
engineering tool
● Defensive
○ Snort - intrusion
detection/prevention system
○ AVG AntiVirus
○ Malwarebytes - antivirus
○ TrueCrypt - used to encrypt
harddrives
○ Autopsy - forensics analysis
software
○ FKTImager - forensics
software for data previews
and imaging
○ RegRipper - forensics
software for extracting
registry data
● Utils
○ Putty - SSH and telnet client.
RegRipper has a plugin to
detect SSH keys
○ Icecream Screen Recorder -
used to record/takes pictures
of screen
○ Win32 Disk Imager - tool for
imaging USB flash drives
○ Rufus - tool for creating
bootable USB flash drives
○ CCleaner - a utility program
used to clean Windows
14
Registry entries from a
computer.
○ Filezilla - FTP client
○ 7zip - archive utility
○ BitTorrent - Torrenting
software
● Virtualization
○ Virtualbox
○ VMware
○ XenCenter - capable to
nested virtualization
○ Bluestacks - Android virtual
machines
● Communication
○ Pidgin - universal chat client
(cross-platform)
○ Thunderbird - email client
(cross-platform)
○ Microsoft Outlook - email
client
● Gaming
○ Minecraft - popular
cross-platform game
○ League of Legends - popular
competitive PC game
○ Steam - video game
distribution platform
○ DaedalusX64 R747 - game
emulation software
● General
○ Chrome - best web browser
○ Firefox - decent web browser
○ Teamviewer - remote
desktop software
○ Skype - text and video
communication software
○ VLC Media Player
○ GIMP - raster graphics editor
○ Inkscape - vector graphics
editor
○ Microsoft Office - document
editor
Windows 7 Programs (Default)
In “C:\Program Files”
● Common Files
● DVD Maker
● Internet Explorer
● Microsoft Games
● MSBuild
● Reference Assemblies
● Windows Defender
● Windows Journal
● Windows Mail
● Windows Media Player
● WIndows NT
● Windows Photo Viewer
● Windows Portable Devices
● Windows Sidebar
In “C:\Program Files (x86)”
● Common Files
● Internet Explorer
● MSBuild
● Reference Assemblies
● Windows Defender
● Windows Journal
● Windows Mail
● Windows Media Player
● WIndows NT
● Windows Photo Viewer
● Windows Portable Devices
● Windows Sidebar
In “C:\Windows\System32”
AdapterTroubleshooter.exe,aitagent.exe,alg.exe,appidcertstorecheck.exe,appidpolicyconverter.exe,ARP.EXE,at.exe,AtBroker.exe,attrib.ex
e,audiodg.exe,auditpol.exe,autochk.exe,autoconv.exe,autofmt.exe,AxInstUI.exe,baaupdate.exe,bcdboot.exe,bcdedit.exe,BdeHdCfg.exe,Bd
eUISrv.exe,BdeUnlockWizard.exe,BitLockerWizard.exe,BitLockerWizardElev.exe,bitsadmin.exe,bootcfg.exe,bridgeunattend.exe,bthudtask.
exe,cacls.exe,calc.exe,CertEnrollCtrl.exe,certreq.exe,certutil.exe,change.exe,charmap.exe,chglogon.exe,chgport.exe,chgusr.exe,chkdsk.ex
15
e,chkntfs.exe,choice.exe,cipher.exe,cleanmgr.exe,cliconfg.exe,clip.exe,cmd.exe,cmdkey.exe,cmdl32.exe,cmmon32.exe,cmstp.exe,cofire.e
xe,colorcpl.exe,comp.exe,compact.exe,CompMgmtLauncher.exe,ComputerDefaults.exe,conhost.exe,consent.exe,control.exe,convert.exe,c
redwiz.exe,cscript.exe,csrss.exe,ctfmon.exe,cttune.exe,cttunesvr.exe,dccw.exe,dcomcnfg.exe,ddodiag.exe,Defrag.exe,DeviceDisplayObjec
tProvider.exe,DeviceEject.exe,DevicePairingWizard.exe,DeviceProperties.exe,DFDWiz.exe,dfrgui.exe,dialer.exe,diantz.exe,dinotify.exe,dis
kpart.exe,diskperf.exe,diskraid.exe,Dism.exe,dispdiag.exe,DisplaySwitch.exe,djoin.exe,dllhost.exe,dllhst3g.exe,dnscacheugc.exe,doskey.e
xe,dpapimig.exe,DpiScaling.exe,dpnsvr.exe,driverquery.exe,drvinst.exe,dvdplay.exe,dvdupgrd.exe,dwm.exe,DWWIN.EXE,dxdiag.exe,Dxp
server.exe,Eap3Host.exe,efsui.exe,EhStorAuthn.exe,esentutl.exe,eudcedit.exe,eventcreate.exe,eventvwr.exe,expand.exe,extrac32.exe,fc.
exe,find.exe,findstr.exe,finger.exe,fixmapi.exe,fltMC.exe,fontview.exe,forfiles.exe,fsutil.exe,ftp.exe,fvenotify.exe,fveprompt.exe,FXSCOVER
.exe,FXSSVC.exe,FXSUNATD.exe,getmac.exe,GettingStarted.exe,gpresult.exe,gpscript.exe,gpupdate.exe,grpconv.exe,hdwwiz.exe,help.e
xe,HOSTNAME.EXE,hwrcomp.exe,hwrreg.exe,icacls.exe,icardagt.exe,icsunattend.exe,ie4uinit.exe,ieUnatt.exe,iexpress.exe,InfDefaultInsta
ll.exe,ipconfig.exe,irftp.exe,iscsicli.exe,iscsicpl.exe,isoburn.exe,klist.exe,ksetup.exe,ktmutil.exe,label.exe,LocationNotifications.exe,Locator.
exe,lodctr.exe,logagent.exe,logman.exe,logoff.exe,LogonUI.exe,lpksetup.exe,lpremove.exe,lsass.exe,lsm.exe,Magnify.exe,makecab.exe,m
anage-bde.exe,mblctr.exe,mcbuilder.exe,mctadmin.exe,MdRes.exe,MdSched.exe,mfpmp.exe,MigAutoPlay.exe,mmc.exe,mobsync.exe,mo
untvol.exe,mpnotify.exe,MpSigStub.exe,MRINFO.EXE,msconfig.exe,msdt.exe,msdtc.exe,msfeedssync.exe,msg.exe,mshta.exe,msiexec.ex
e,msinfo32.exe,mspaint.exe,msra.exe,mstsc.exe,mtstocom.exe,MuiUnattend.exe,MultiDigiMon.exe,NAPSTAT.EXE,Narrator.exe,nbtstat.ex
e,ndadmin.exe,net.exe,net1.exe,netbtugc.exe,netcfg.exe,netiougc.exe,Netplwiz.exe,NetProj.exe,netsh.exe,NETSTAT.EXE,newdev.exe,nlt
est.exe,notepad.exe,nslookup.exe,ntoskrnl.exe,ntprint.exe,ocsetup.exe,odbcad32.exe,odbcconf.exe,openfiles.exe,OptionalFeatures.exe,os
k.exe,p2phost.exe,PATHPING.EXE,pcalua.exe,pcaui.exe,pcawrk.exe,pcwrun.exe,perfmon.exe,PING.EXE,PkgMgr.exe,plasrv.exe,PnPUna
ttend.exe,PnPutil.exe,poqexec.exe,powercfg.exe,PresentationHost.exe,PresentationSettings.exe,prevhost.exe,print.exe,PrintBrmUi.exe,pri
ntfilterpipelinesvc.exe,PrintIsolationHost.exe,printui.exe,proquota.exe,psr.exe,PushPrinterConnections.exe,qappsrv.exe,qprocess.exe,quer
y.exe,quser.exe,qwinsta.exe,rasautou.exe,rasdial.exe,raserver.exe,rasphone.exe,rdpclip.exe,rdpinit.exe,rdpshell.exe,rdpsign.exe,rdrleakdi
ag.exe,RDVGHelper.exe,ReAgentc.exe,recdisc.exe,recover.exe,reg.exe,regedt32.exe,regini.exe,RegisterIEPKEYs.exe,regsvr32.exe,rekey
wiz.exe,relog.exe,RelPost.exe,repair-bde.exe,replace.exe,reset.exe,resmon.exe,RMActivate.exe,RMActivate_isv.exe,RMActivate_ssp.exe,
RMActivate_ssp_isv.exe,RmClient.exe,Robocopy.exe,ROUTE.EXE,RpcPing.exe,rrinstaller.exe,rstrui.exe,runas.exe,rundll32.exe,RunLega
cyCPLElevated.exe,runonce.exe,rwinsta.exe,sbunattend.exe,sc.exe,schtasks.exe,sdbinst.exe,sdchange.exe,sdclt.exe,sdiagnhost.exe,Sear
chFilterHost.exe,SearchIndexer.exe,SearchProtocolHost.exe,SecEdit.exe,secinit.exe,services.exe,sethc.exe,SetIEInstalledDate.exe,setspn
.exe,setupcl.exe,setupugc.exe,setx.exe,sfc.exe,shadow.exe,shrpubw.exe,shutdown.exe,sigverif.exe,slui.exe,smss.exe,SndVol.exe,Snippin
gTool.exe,snmptrap.exe,sort.exe,SoundRecorder.exe,spinstall.exe,spoolsv.exe,sppsvc.exe,spreview.exe,srdelayed.exe,StikyNot.exe,subst
.exe,svchost.exe,sxstrace.exe,SyncHost.exe,syskey.exe,systeminfo.exe,SystemPropertiesAdvanced.exe,SystemPropertiesComputerName
.exe,SystemPropertiesDataExecutionPrevention.exe,SystemPropertiesHardware.exe,SystemPropertiesPerformance.exe,SystemProperties
Protection.exe,SystemPropertiesRemote.exe,systray.exe,tabcal.exe,takeown.exe,TapiUnattend.exe,taskeng.exe,taskhost.exe,taskkill.exe,t
asklist.exe,taskmgr.exe,tcmsetup.exe,TCPSVCS.EXE,timeout.exe,TpmInit.exe,tracerpt.exe,TRACERT.EXE,tscon.exe,tsdiscon.exe,tskill.ex
e,TSTheme.exe,TsUsbRedirectionGroupPolicyControl.exe,TSWbPrxy.exe,TsWpfWrp.exe,typeperf.exe,tzutil.exe,ucsvc.exe,UI0Detect.exe,
unlodctr.exe,unregmp2.exe,upnpcont.exe,UserAccountControlSettings.exe,userinit.exe,Utilman.exe,VaultCmd.exe,VaultSysUi.exe,vds.exe,
vdsldr.exe,verclsid.exe,verifier.exe,vmicsvc.exe,vssadmin.exe,VSSVC.exe,w32tm.exe,waitfor.exe,wbadmin.exe,wbengine.exe,wecutil.exe,
WerFault.exe,WerFaultSecure.exe,wermgr.exe,wevtutil.exe,wextract.exe,WFS.exe,where.exe,whoami.exe,wiaacmgr.exe,wiawow64.exe,wi
mserv.exe,WindowsAnytimeUpgradeResults.exe,wininit.exe,winload.exe,winlogon.exe,winresume.exe,winrs.exe,winrshost.exe,WinSAT.ex
e,winver.exe,wisptis.exe,wksprt.exe,wlanext.exe,wlrmdr.exe,wowreg32.exe,WPDShextAutoplay.exe,wpnpinst.exe,write.exe,wscript.exe,W
SManHTTPConfig.exe,wsmprovhost.exe,wsqmcons.exe,wuapp.exe,wuauclt.exe,WUDFHost.exe,wusa.exe,xcopy.exe,xpsrchvw.exe,xwizar
d.exe
Windows Registry Hives
● C:\Windows\System32\config\
○ SAM - user account information
○ SYSTEM -
○ SOFTWARE -
○ SECURITY -
● C:\Users\<username>\
○ NTUSER.DAT
● C:\Users\<username>\AppData\Local\Microsoft\Windows\
○ USRCLASS.DAT
16
Linux Programs
Text Editors
● Gedit - GUI based
● Leafpad - GUI based
● Nano/Pico - Command line based;
uses hidden folder : ~/.nano
● Emacs - Command line based, but
has a GUI version; uses hidden folder:
~/.emacs.d
● vi/vim - Command line based
Web Browsing
● w3m - Interactive command line
based. uses hidden folder: ~/.w3s
● curl - command line based. Prints
webpage to stdout
● wget - command line based. Prints
webpage to file
● Firefox/Iceweasel - GUI based; Firefox
uses hidden folder: ~/.mozilla
● Chrome - GUI based
● Tor Browser - Firefox based. Used to
increase anonymity
Pen-testing
● Metasploit - used to create malware
and perform well know exploits; uses
hidden folder: ~/.ms4
● Nmap - used to perform network
reconnaissance
● Zenmap - GUI version of Nmap; uses
hidden folder: ~/.zenmap
● Crunch - used to generate words
lists/dictionaries.
● John - used to crack passwords,
usually given a wordlist. uses hidden
folder: ~/.john
● Tshark and tcpdump - captures
network traffic
● Wireshark - GUI version tshark
● Apktool and Dex2jar - used to reverse
engineer Android applications
● OllyDbg - used for reverse engineering
Windows 32-bit applications
● Angr - binary analysis framework
utilizing symbolic execution
● CORE - used to simulate computer
networks
Shells
● Bash - Bourne Again Shell - very
popular and usually the default shell;
uses hidden files: ~./bash_profile,
~/.bashrc, ~/.bash_history
● Sh - The original shell.
● Ssh - Secure shell - a
protocol/program used to run a remote
shell on an unsecure network.
Replaced rlogin, telnet, and rsh
protocols; uses hidden folder: ~/.ssh
● Fish - friendly interactive shell
● Zsh - has features from bash, tcsh,
and ksh
● Ksh - Korn shell
● Tcsh/Csh - Uses C-like syntax
Utility
○ Networking
■ Nc - arbitrary TCP and UDP
connections and listens
■ Scp - transfer file over the
network. Uses ssh
■ Ifconfig - view and configure
network interfaces
■ Route - view and configure IP
routing table
○ File related
■ Mkdir - make folder/directory
■ Cd - change working directory
of shell
■ Cp - copy file (e.g. cp
source.file new_dst.file)
■ Mv - move/rename file
17
■ Touch - update timestamp of
file. If the file does not exist, it
is create empty.
■ Ln - create a link to a file
■ Find - search for files
■ more/less - view scrollable file
■ zip/tar/bzip/gzip - used to
compress a file/files
■ Dd - read from hardware
devices and output to file
format
○ Text related
■ Yes - print text repeatedly
■ Grep/egrep/fgrep/rgrep - print
lines matching a pattern
■ Cat - print the content of a
file/files
■ Echo - print text
■ Wc - word count - prints the
lines, words, and character
count of the input
■ Diff - print the difference
between two inputs
○ Task management
■ cron - a utility to schedule
tasks
■ Watch - execute a command
repeatedly
■ Bg - run a task in the
background
■ Fg - run a task in the
foreground
■ Kill - stop running a task
■ Ps/jobs - print current
processes
■ Exec - Replace the current
process with a new process
■ Exit - quit shell
○ Misc.
■ Systemd, Init - control system’s
and programs’ state
■ Apt, dpkg - package manager
for Debian based Linux
distribution (install/uninstall
programs).
■ Yum - deprecated package
manager for Redhat based
Linux distributions
■ Pacman - package manager
for Arch based linux
distributions
■ Docker - use to manage
program sandbox
■ Man - used to view the manual
for programs
■ Passwd - change the password
of a user
■ Fdisk - used to manage disk
partitions
■ Mount - mount a drive (e.g. usb
or hard drive usually found in
the /dev folder) onto a folder.
■ md5sum - compute the md5
checksum of an input
■ shasum - compute the sha1
checksum of an input
18
Glossary
From “Computer Incident Response and Forensics Team Management : Conducting a Successful Incident Response”
● Attacker : “Person or entity performing any kind of malicious activity that attempts to
collect, disrupt, deny, degrade, or destroy information system resources or the
information itself.”
● Botnet : Shorted term for Robot Network, this is a network of compromised computers
and servers that are remotely controlled by unauthorized personnel where the
compromised devices are performing activities not under the
● Computer Forensics : “The practice of gathering, retaining, and analyzing
computer-related data for investigative purposes in a manner that maintains the integrity
of the data.”
● Digital Signature : “A digital signature is a mathematical encryption mechanism for
proving the authenticity of a digital message or document. A valid digital signature gives
a recipient reason to believe that the message was created by a known sender, such
that the sender cannot deny having sent the message (authentication and
nonrepudiation) and that the message was not altered in transit (integrity). Digital
signatures are commonly used for software distribution, financial transactions, and in
other cases where it is important to detect forgery or tampering.”
● Cybercrime profiling : “the investigation, analysis, assessment and reconstruction of data
from a behavioral/psychological perspective extracted from computer systems, networks
and the humans committing the crimes”
○ “The inductive approach assumes that individuals who committed the same
crimes in the past share characteristics with individuals who are committing the
same crime now. Examples of such profiles are those created for serial killers
and rapists. The deductive approach uses evidence collected at the crime scene
to develop a specific profile that can be used for offender identification.
Understanding inductive profiles helps as the deductive approach frequently
looks to them for clues in developing a more specific offender profile”
● Intent : The intent to commit a crime: malice, as evidenced by a criminal act; intent to
deprive or defraud the true owner of his property. A person intends a consequence they
foresee that it will happen if the given series of acts or omissions continue, and desires it
to happen.
● Intrusion : The unauthorized act of bypassing the security mechanisms of a system for
the purposes of causing an incident.
● Logic Bomb : A piece of code intentionally inserted into a software system that will set off
a malicious function when specified conditions are met.
● Malware : Malicious software which is designed to damage or disable computers with the
intent to steal information or gain control of the device. Software or firmware intended to
perform an unauthorized process that will have adverse impact on the confidentiality,
integrity, or availability of an information system. Examples include virus, worm, Trojan
19
horse, or other code-based entity that infects a host. Spyware and some forms of
adware are also examples of malicious code.
● Nonrepudiation : “Assurance that the sender of information is provided with proof of
delivery and the recipient is provided with proof of the sender’s identity, so neither can
later deny having processed the information. This protection against an individual falsely
denying having performed a particular action provides the capability to determine
whether a given individual took a particular action such as creating information, sending
a message, approving information, and receiving a message.”
● Penetration Test : A test methodology in which assessors, typically working under
specific constraints, attempt to circumvent or defeat the security features of an
information system.
● Piracy : Illegally reproducing copyrighted work. Music, photographs, movies, and
software are all potentially copyrighted and can be pirated.
● Privacy : The act of guaranteeing that the interests of persons and organizations are
protected and secluded from outside disclosure.
● Spam : Electronic junk mail or the abuse of electronic messaging systems to
indiscriminately send unsolicited bulk messages.
● Spear phishing : A targeted phishing attack on a select group of victims, usually
executives.
● Spoofing : There are two meanings to spoofing in our context:
○ Either faking the sending address of a transmission to gain illegal entry into a
secure system or
○ the deliberate inducement of a user or resource to take incorrect action.
○ Note: Impersonating, masquerading, piggybacking, and mimicking are forms of
spoofing.
● Spyware : Software that is secretly or surreptitiously installed into an information system
to gather information on individuals or organizations without their knowledge; a type of
malicious code.
● Zombie : An infected computer that floods another computer with packets in an attempt
to infect or crash it without the consent or knowledge of the infected computer’s owner.
20
References
●
●https://www.diffen.com/difference/FAT32_vs_NTFS
●https://www.howtogeek.com/235596/whats-the-difference-between-fat32-exfat-and-ntfs/
●http://www.pointsoftware.ch/en/4-ext4-vs-ext3-filesystem-and-why-delayed-allocation-is-
bad/
●http://www.ntfs.com/ntfs_vs_fat.htm
● Petherick, Wayne. Profiling and Serial Crime : Theoretical and Practical Issues, Elsevier
Science & Technology, 2012. ProQuest Ebook Central,
http://ebookcentral.proquest.com/lib/fbial-ebooks/detail.action?docID=1111846.
Created from fbial-ebooks on 2018-06-30 20:38:56.
● Johnson, Leighton. Computer Incident Response and Forensics Team Management :
Conducting a Successful Incident Response, William Andrew, 2013. ProQuest Ebook
Central, http://ebookcentral.proquest.com/lib/fbial-ebooks/detail.action?docID=1115165.
Created from fbial-ebooks on 2018-06-30 20:03:59.
● Shipley, Todd G., and Art Bowker. Investigating Internet Crimes : An Introduction to
Solving Crimes in Cyberspace, William Andrew, 2013. ProQuest Ebook Central,
http://ebookcentral.proquest.com/lib/fbial-ebooks/detail.action?docID=1115158.
Created from fbial-ebooks on 2018-06-30 16:11:30.
● Cyber Crime and Cyber Terrorism Investigator's Handbook, edited by Babak Akhgar, et
al., William Andrew, 2014. ProQuest Ebook Central,
http://ebookcentral.proquest.com/lib/fbial-ebooks/detail.action?docID=1744499.
Created from fbial-ebooks on 2018-06-30 15:40:55.
● Johnson, Leighton. Computer Incident Response and Forensics Team Management :
Conducting a Successful Incident Response, William Andrew, 2013. ProQuest Ebook
Central, http://ebookcentral.proquest.com/lib/fbial-ebooks/detail.action?docID=1115165.
Created from fbial-ebooks on 2018-06-30 14:41:06.
21
