Merge branch 'main' of https://github.com/AndrewRathbun/DFIRMindMaps …

…into main

OSArtifacts/Windows/SRUM/README.md

@@ -0,0 +1,13 @@
+# SRUM Mind Map
+
+![SRUMMindMap](https://raw.githubusercontent.com/AndrewRathbun/DFIRMindMaps/main/OSArtifacts/Windows/SRUM/SRUM%20(System%20Resource%20Usage%20Monitor).png)
+
+This Mindmap represents different artifacts related to the SRUM Database.
+
+## Editing/Improving this Mind Map
+
+Import the `.xmind` file into your favorite Mind Map-making software! Improve upon it and do a Pull Request to update the file here!
+
+# TODO
+
+XMind wasn't allowing me to do `SRUM` for the central topic. Will need to revisit another time to see if it'll work next time.

OSArtifacts/Windows/SRUM/SRUM (System Resource Usage Monitor).md

@@ -0,0 +1,147 @@
+# SRUM (System Resource Usage Monitor)
+
+## Repairing and parsing the SRUM DB (SRUDB.dat) 
+
+### Repair
+
+- 1. Make a copy of the C:\Windows\System32\SRU directory
+
+	- You will be modifying the SRUDB.dat during this repair process!
+
+- 2. Ensure the SRU directory isn't Read Only
+
+	- Right click on SRU directory and remove Read Only and apply to all subfolders and files
+
+- 3. Open PowerShell as Admin and run the following commands to repair the SRUDB.dat
+
+	- esentutl.exe /r sru /i
+	- esentutl.exe /p SRUDB.dat
+
+### Parse
+
+- [SrumECmd by Eric Zimmerman](https://github.com/EricZimmerman/Srum)
+
+	- srumecmd.exe -d "path\to\repaired\DB" --csv "path\to\output" --debug
+
+		- --debug is optional, but more verbose logging is helpful for troubleshooting and general awareness of what the tool is doing
+		- Provide the SOFTWARE hive in your "path\to\repaired\DB" to obtain additional output related to Performance Data
+
+- [ESEDatabaseView by NirSoft](https://www.nirsoft.net/utils/ese_database_view.html)
+
+	- .\ESEDatabaseView.exe /table "path\to\repaired\DB" * /scomma "path\to\output\SRUM_*.csv"
+
+		- * serves as a wildcard so the CSV filenames will be SRUM_TableName.csv
+
+- [SRUM-Dump by Mark Baggett](https://github.com/MarkBaggett/srum-dump)
+
+	- Provides GUI to parse SRUDB.dat
+
+## Use Cases
+
+### Incident Response
+
+- Identifying data exfil using Bytes Sent/Bytes Received
+- Tracking anomalous I/O activity by a specific binary
+
+### Law Enforcement
+
+- Track I/O activity by suspects using applications to commit crimes (IP Theft, CSAM cases, etc)
+- Track network activity by suspects using applications to commit crimes (IP Theft, CSAM cases, etc)
+
+### Corporate
+
+- Insider Threat
+
+	- Employee stealing secrets and sharing them with a competitor
+
+## Artifacts of Interest
+
+### Processes Run
+
+- AppID
+- User executing app
+- App energy usage
+- Bytes sent
+- Bytes received
+
+### App Push Notifications
+
+- AppID
+- User
+- Payload size
+
+### Networking Activity
+
+- Network interface
+- Network name
+- Bytes sent
+- Bytes received
+- Connection time
+- Connection duration
+
+### Energy Usage
+
+- Charge capacity
+- Charge level
+- Time
+
+## Registry
+
+### Location
+
+- SOFTWARE\Microsoft\WindowsNT\CurrentVersion\SRUM\Extensions
+
+## SRUDB.dat
+
+### Historical Data
+
+- Stores 30 days of application data
+
+### Location
+
+- C:\Windows\System32\SRU\SRUDB.dat
+
+## Important Considerations
+
+### Records to SRUDB.dat approximately every 60 minutes or upon clean system shutdown
+
+## Tables
+
+### {DA73FB89-2BEA-4DDC-86B8-6E048C6DA477}
+
+### {FEE4E14F-02A9-4550-B5CE-5FA2DA202E37}LT
+
+### {FEE4E14F-02A9-4550-B5CE-5FA2DA202E37}
+
+### {D10CA2FE-6FCF-4F6D-848E-B2E99266FA89}
+
+- AppResourceUseInfo
+
+### {5C8CF1C7-7257-4F13-B223-970EF5939312}
+
+### {7ACBBAA3-D029-4BE4-9A7A-0885927F1D8F}
+
+### {DD6636C4-8929-4683-974E-22C046A43763}
+
+- NetworkConnection
+
+### {D10CA2FE-6FCF-4F6D-848E-B2E99266FA86}
+
+- PushNotification
+
+### {973F5D5C-1D90-4944-BE8E-24B94231A174}
+
+- NetworkUsage
+
+### SruDbCheckpointTable
+
+### SruDbIdMapTable
+
+### MSysLocales
+
+### MSysObjids
+
+### MSysObjectsShadow
+
+### MSysObjects
+

README.md

@@ -21,6 +21,10 @@ I personally use [XMind](https://www.xmind.net/) as I like how it has a Desktop
 
 I'm studying for the GCIH right now, so I need motivation to create visual learning aids for myself. If I create them, they will end up here in PDF, PNG, and `.xmind` format. 
 
+## Other DFIR Mind Map GitHub Repositories
+
+ * [nasbench's Mind Maps](https://github.com/nasbench/MindMaps)
+
 ## TODO
 
 1. Create Mind Map for top level README

Tools/WinDbg/README.md

@@ -0,0 +1,11 @@
+# WinDbg Mind Map
+
+Author: Abdallah Elshinbary - [@_n1ghtw0lf](https://twitter.com/_n1ghtw0lf)
+
+![WinDbgMindMap](./WinDbg_CheatSheet.png)
+
+Common WinDbg commands.
+
+## Editing/Improving this Mind Map
+
+Import the `.xmind` file into your favorite Mind Map-making software! Improve upon it and do a Pull Request to update the file here!

Tools/WinDbg/WinDbg_CheatSheet.md

@@ -0,0 +1,124 @@
+# WinDbg
+
+### Breakpoints
+
+- ​	bp <Addr>: regular breakpoint
+- ​	bp <Addr> <Num>: break at the Nth hit
+- ​	bu <Addr>: unresolved breakpoint
+- ​	bm module!<Regex>: symbols breakpoint
+- ​	ba <Access> <Size> <Addr>: memory access breakpoint
+- ​	bl: list breakpoints
+- ​	bd <Breakpoints>: disable breakpoint
+- ​	be  <Breakpoints>: enable breakpoint
+- ​	bc  <Breakpoints>: clear breakpoint
+
+### Memory
+
+- Display
+
+  - da: ascii
+    du: unicode
+    dw: word
+    dd: dword
+    dq: qword
+    db: byte + ascii hexdump
+    dc: dword + ascii hexdump
+    dW: word + ascii hexdump
+    dp: pointer size
+    dD: double
+    df: float
+    dv: local variables
+    dt <Type> <Addr>: map struct type to addr
+
+- Edit
+
+  - ea: ascii
+    eu: unicode
+    ew: word
+    ed: dword
+    eq: qword
+    eb: byte
+    ep: pointer size
+    eD: double
+    ef: float
+    eza: null-terminated ascii
+    ezu: null-terminated unicode
+- Search
+    - s -Flags <Range> <Pattern>
+        -b: byte
+        -w: word
+        -d: dword
+        -q: qword
+        -a: ascii
+        -u: unicode
+- Fill
+      	- f <Range> <Pattern>
+- Compare
+      	- c <Range> <Addr>
+- Move
+      	- m <Range> <Addr>
+
+### General
+
+- controls
+  - g: go (continue)
+  - p: step over
+  - t: step into
+  - gu: step out
+
+- ?: evaluate expression
+  - ? <Num>: hex to decimal
+  - ? 0n<Num>: decimal to hex
+
+- lm: list modules
+
+- k: show stack backtrace
+
+- ~: list threads
+  - ~<Num>s: switch to thread
+  - ~<Num>k: thread backtrace
+
+- |: list processes
+  - |<Num>s: switch to process
+  - |<Num>k: process backtrace
+
+- r: registers
+  - r <Reg>: read register
+  - r <Reg>=<Val>: set register
+
+- u: disassemble
+  - u <Addr>: disassemble from this address
+  - u <Range>: disassemble memory range
+  - uf <Addr>: disassemble function
+
+- x: examine symbols
+  - x /f module!<Regex>: examine module functions matching this regex
+
+### Bang Commands
+
+- !teb | !teb <Addr>:
+  display thread environment block
+
+- !peb | !peb <Addr>: 
+  display process environment block
+
+- !handle: list all handles
+  - !handle <Val>: get handle type
+  - !handle <Val> f: get handle detailed info
+
+- !address: view complete address space
+
+- !address <Addr>: 
+  display status of a memory block 
+  (region size, protection, ...)
+
+### Meta Commands
+
+- .symfix: set the symbol path to point to the Microsoft symbol store.
+- .reload /f module.dll: reload module symbols
+- .detach: detach from a process
+- .cls: clear commands window
+- .childdbg <0|1>: attach to child process
+
+- .writemem <FileName> <Range>: 
+  write contents of a memory range to a file