From 3debea2ff4a9d22fb0612794f79aa9f16d6dc41a Mon Sep 17 00:00:00 2001
From: Jan Vales
Date: Thu, 5 Jun 2014 20:37:56 +0200
Subject: [PATCH] started writing report3
---
report3/.gitignore | 11 ++
report3/build.sh | 4 +
report3/content.tex | 285 +++++++++++++++++++++++++++++++++++++++++
report3/gitinfohook.sh | 28 ++++
report3/main.tex | 136 ++++++++++++++++++++
5 files changed, 464 insertions(+)
create mode 100644 report3/.gitignore
create mode 100755 report3/build.sh
create mode 100644 report3/content.tex
create mode 100755 report3/gitinfohook.sh
create mode 100644 report3/main.tex
diff --git a/report3/.gitignore b/report3/.gitignore
new file mode 100644
index 0000000..ebb76a1
--- /dev/null
+++ b/report3/.gitignore
@@ -0,0 +1,11 @@
+##### .gitignore default file. #####
+*.dep
+*.swp
+*.pdf
+*.aux
+*.log
+*.toc
+*.out
+*.dvi
+*.gz
+gitHeadInfo.gin
diff --git a/report3/build.sh b/report3/build.sh
new file mode 100755
index 0000000..28cf32f
--- /dev/null
+++ b/report3/build.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+./gitinfohook.sh
+pdflatex main.tex
+
diff --git a/report3/content.tex b/report3/content.tex
new file mode 100644
index 0000000..72d5697
--- /dev/null
+++ b/report3/content.tex
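Review bot: build.sh runs `./gitinfohook.sh` and `pdflatex main.tex` relative to the caller's working directory and checks neither exit status, so a run from outside report3/ fails on the first command and still goes on to pdflatex. Adding `set -e` and `cd "$(dirname "$0")"` directly after the shebang would make the script independent of where it is called from and stop it on the first error. main.tex in this commit builds a table of contents, which normally needs a second `pdflatex main.tex` pass to be current.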
@@ -0,0 +1,285 @@
+
+\newpage\section{Questions image1.vmem (5 points)}
+\subsection{What information can you extract about the operating system?}
+\ttfamily{volatility -f image1.vmem imageinfo}
+\begin{lstlisting}
+ Suggested Profile(s) : WinXPSP2x86, WinXPSP3x86 (Instantiated with WinXPSP2x86)
+ AS Layer1 : IA32PagedMemoryPae (Kernel AS)
+ AS Layer2 : FileAddressSpace (/home/jan/vmshare/digforRAM/image1.vmem)
+ PAE type : PAE
+ DTB : 0x319000L
+ KDBG : 0x80545b60
+ Number of Processors : 1
+ Image Type (Service Pack) : 3
+ KPCR for CPU 0 : 0xffdff000
+ KUSER_SHARED_DATA : 0xffdf0000
+ Image date and time : 2011-11-30 11:14:10
+ Image local date and time : 2011-11-30 12:14:10 +0100
+\end{lstlisting}
+
+\subsection{What happened at the time of the RAM dump}
+
+\ttfamily{volatility -f image1.vmem -{}-profile=WinXPSP2x86 pstree}
+\begin{lstlisting}
+Name Pid PPid Thds Hnds Time
+--------------------------------- ------ ------ ------ ------ ----
+ 0x823c8830:System 4 0 56 252 1970-01-01 00:00:00
+. 0x822224c8:smss.exe 552 4 3 19 2011-11-30 11:10:38
+.. 0x822aaae0:csrss.exe 600 552 10 431 2011-11-30 11:10:39
+.. 0x822479c0:winlogon.exe 624 552 24 522 2011-11-30 11:10:40
+... 0x8229db68:services.exe 676 624 15 259 2011-11-30 11:10:40
+.... 0x821a23c0:VMUpgradeHelper 512 676 6 97 2011-11-30 11:10:54
+.... 0x821e3260:alg.exe 1368 676 7 104 2011-11-30 11:10:56
+.... 0x82293728:svchost.exe 1032 676 84 1552 2011-11-30 11:10:40
+..... 0x821a1650:wuauclt.exe 1132 1032 8 177 2011-11-30 11:10:54
+..... 0x821ea4c0:wscntfy.exe 1988 1032 1 39 2011-11-30 11:10:56
+..... 0x81e1cb08:wuauclt.exe 3560 1032 6 118 2011-11-30 11:11:55
+.... 0x82100b28:svchost.exe 940 676 9 261 2011-11-30 11:10:40
+.... 0x82096748:svchost.exe 1080 676 5 ------ 2011-11-30 11:10:40
+.... 0x82225020:vmacthlp.exe 844 676 1 25 2011-11-30 11:10:40
+.... 0x81ea1558:spoolsv.exe 1620 676 14 123 2011-11-30 11:10:42
+.... 0x82228020:svchost.exe 860 676 19 204 2011-11-30 11:10:40
+..... 0x81dfa918:AcroRd32Info.ex 3728 860 7 149 2011-11-30 11:12:28
+..... 0x81e23878:wmiprvse.exe 992 860 5 189 2011-11-30 11:10:54
+.... 0x8219d578:svchost.exe 1124 676 15 210 2011-11-30 11:10:41
+.... 0x81e27da0:vmtoolsd.exe 252 676 6 222 2011-11-30 11:10:51
+... 0x820a3aa8:lsass.exe 688 624 24 362 2011-11-30 11:10:40
+ 0x8220ac08:explorer.exe 1512 1460 16 424 2011-11-30 11:10:42
+. 0x81e7d020:AdobeARM.exe 1796 1512 8 143 2011-11-30 11:10:43
+. 0x81e7a2a0:ctfmon.exe 1804 1512 1 99 2011-11-30 11:10:43
+. 0x822149f8:VMwareTray.exe 1752 1512 1 58 2011-11-30 11:10:43
+. 0x81dc5958:AcroRd32.exe 3692 1512 4 161 2011-11-30 11:12:27
+.. 0x8228c400:rundll32.exe 3968 3692 1 59 2011-11-30 11:14:06
+. 0x81e67308:Netlogon.exe 3976 1512 1 14 2011-11-30 11:14:06
+. 0x82203da0:VMwareUser.exe 1772 1512 6 211 2011-11-30 11:10:43
+ 0x821fb3d8:svchost.exe 416 1828 4 138 2011-11-30 11:10:53
+ 0x821d7da0:svchost.exe 3708 3632 5 144 2011-11-30 11:12:28
+\end{lstlisting}
+
+\ttfamily{volatility -f image1.vmem --profile=WinXPSP2x86 sockscan}
+\begin{lstlisting}
+Offset(P) PID Port Proto Protocol Address Create Time
+---------- -------- ------ ------ --------------- --------------- -----------
+0x02008008 1080 1033 17 UDP 0.0.0.0 2011-11-30 11:11:07
+0x02009250 1368 1027 6 TCP 127.0.0.1 2011-11-30 11:10:56
+0x02060460 4 137 17 UDP 192.168.187.130 2011-11-30 11:10:44
+0x02062140 4 138 17 UDP 192.168.187.130 2011-11-30 11:10:44
+0x0206c258 4 139 6 TCP 192.168.187.130 2011-11-30 11:10:44
+0x02105e98 932 135 6 TCP 0.0.0.0 2011-11-30 11:05:07
+0x02118c08 1092 1025 17 UDP 0.0.0.0 2011-11-29 13:44:23
+0x0235b008 1032 123 17 UDP 192.168.187.130 2011-11-30 11:10:54
+0x0235e570 4 1031 6 TCP 0.0.0.0 2011-11-30 11:10:57
+0x0236e220 4 445 17 UDP 0.0.0.0 2011-11-30 11:10:37
+0x02373338 4 0 47 GRE 0.0.0.0 2011-11-30 11:10:57
+0x02385e98 688 4500 17 UDP 0.0.0.0 2011-11-30 11:10:52
+0x0238a8e0 688 0 255 Reserved 0.0.0.0 2011-11-30 11:10:52
+0x02396548 1032 123 17 UDP 127.0.0.1 2011-11-30 11:10:55
+0x023e6e98 1124 1900 17 UDP 127.0.0.1 2011-11-30 11:10:56
+0x023f2e98 688 500 17 UDP 0.0.0.0 2011-11-30 11:10:52
+0x02408e98 1124 1900 17 UDP 192.168.187.130 2011-11-30 11:10:56
+0x024650b0 940 135 6 TCP 0.0.0.0 2011-11-30 11:10:40
+0x024a5970 4 445 6 TCP 0.0.0.0 2011-11-30 11:10:37
+\end{lstlisting}
+
+
+
+\subsection{Can you find traces of Malware?}
+\begin{itemize}
+\item\emph{\textbf{rundll32.exe}} could hint that the system has been compromised, but no definite proof could be found.
+\item\emph{\textbf{AcroRd32Info.ex(e)}} is also known to cause problems sometimes.
+\end{itemize}
+
+
+
+\newpage\section{Questions image2.vmem (5 points)}
+\subsection{What information can you extract about the operating system?}
+\ttfamily{volatility -f image2.vmem imageinfo}\
+\begin{lstlisting}
+ Suggested Profile(s) : VistaSP1x86, Win2008SP1x86, Win2008SP2x86, VistaSP2x86
+ AS Layer1 : IA32PagedMemoryPae (Kernel AS)
+ AS Layer2 : FileAddressSpace (/home/jan/vmshare/digforRAM/image2.vmem)
+ PAE type : PAE
+ DTB : 0x122000L
+ KDBG : 0x81afcc90
+ Number of Processors : 1
+ Image Type (Service Pack) : 1
+ KPCR for CPU 0 : 0x81afd800
+ KUSER_SHARED_DATA : 0xffdf0000
+ Image date and time : 2011-11-30 14:23:46
+ Image local date and time : 2011-11-30 15:23:46 +0100
+\end{lstlisting}
+
+\ttfamily{volatility -f image2.vmem -{}-profile=Win2008SP1x86 pstree}
+\begin{lstlisting}
+Name Pid PPid Thds Hnds Time
+--------------------------------- ------ ------ ------ ------ ----
+ 0x84a802d0:csrss.exe 460 448 10 518 2011-11-30 14:03:24
+ 0x84b7b020:wininit.exe 500 448 3 99 2011-11-30 14:03:25
+. 0x844ba020:lsass.exe 600 500 16 562 2011-11-30 14:03:25
+. 0x84bab020:services.exe 584 500 7 233 2011-11-30 14:03:25
+.. 0x84ddba50:msdtc.exe 2176 584 14 174 2011-11-30 14:03:49
+.. 0x84d851c8:svchost.exe 1032 584 42 786 2011-11-30 14:03:30
+... 0x84e252c8:taskeng.exe 1920 1032 7 137 2011-11-30 14:03:41
+... 0x84511248:taskeng.exe 2504 1032 15 318 2011-11-30 14:03:59
+.. 0x84506188:SearchIndexer.e 2028 584 18 756 2011-11-30 14:03:46
+... 0x84291150:SearchProtocolH 3804 2028 6 318 2011-11-30 14:05:05
+... 0x842b0758:SearchFilterHos 3828 2028 3 90 2011-11-30 14:05:05
+... 0x842b2070:SearchProtocolH 3868 2028 5 283 2011-11-30 14:05:06
+.. 0x84e4c688:svchost.exe 1296 584 19 378 2011-11-30 14:03:31
+.. 0x84e27ce8:dllhost.exe 1796 584 18 256 2011-11-30 14:03:47
+.. 0x84dc0b68:VSSVC.exe 2392 584 5 127 2011-11-30 14:03:55
+.. 0x843ead90:VMwareService.e 1316 584 7 226 2011-11-30 14:03:45
+.. 0x84cc2158:svchost.exe 1224 584 20 583 2011-11-30 14:03:31
+.. 0x84c7bd90:svchost.exe 824 584 7 285 2011-11-30 14:03:30
+.. 0x84d1d4a8:dllhost.exe 1356 584 20 195 2011-11-30 14:03:46
+.. 0x84d85d90:spoolsv.exe 1488 584 18 311 2011-11-30 14:03:31
+.. 0x844a6020:svchost.exe 1016 584 33 455 2011-11-30 14:03:30
+... 0x84e92020:dwm.exe 2864 1016 3 63 2011-11-30 14:04:16
+.. 0x84d99540:svchost.exe 1108 584 5 122 2011-11-30 14:03:30
+.. 0x84488020:svchost.exe 856 584 15 377 2011-11-30 14:03:30
+.. 0x84e753f0:svchost.exe 1444 584 4 43 2011-11-30 14:03:46
+.. 0x84da2440:svchost.exe 988 584 24 362 2011-11-30 14:03:30
+... 0x84d70440:audiodg.exe 1084 988 6 110 2011-11-30 14:03:30
+.. 0x84d8da20:svchost.exe 1512 584 31 302 2011-11-30 14:03:31
+.. 0x84d94c40:SLsvc.exe 1132 584 5 86 2011-11-30 14:03:30
+.. 0x84e41020:svchost.exe 496 584 6 123 2011-11-30 14:03:45
+.. 0x84c8f278:svchost.exe 760 584 6 294 2011-11-30 14:03:30
+... 0x842c37d0:WmiPrvSE.exe 536 760 7 139 2011-11-30 14:23:39
+. 0x84b84020:lsm.exe 608 500 10 162 2011-11-30 14:03:25
+ 0x84d83a58:explorer.exe 2884 2856 31 633 2011-11-30 14:04:16
+. 0x845108f8:cmd.exe 3576 2884 1 18 2011-11-30 14:04:46
+.. 0x84287d90:telnet.exe 3968 3576 3 92 2011-11-30 14:05:14
+. 0x844d4858:MSASCui.exe 2992 2884 11 314 2011-11-30 14:04:18
+. 0x84e0e528:VMwareUser.exe 3008 2884 6 192 2011-11-30 14:04:18
+. 0x84d4cd90:sidebar.exe 3076 2884 9 267 2011-11-30 14:04:18
+. 0x844c4d90:VMwareTray.exe 3000 2884 1 56 2011-11-30 14:04:18
+ 0x82db0790:System 4 0 100 501 2011-11-30 14:02:51
+. 0x844913f8:smss.exe 396 4 4 28 2011-11-30 14:03:23
+ 0x84e3fb80:csrss.exe 2076 2068 9 237 2011-11-30 14:03:48
+ 0x843765a8:winlogon.exe 2100 2068 4 123 2011-11-30 14:03:48
+\end{lstlisting}
+
+\begin{lstlisting}
+Offset(P) Proto Local Address Foreign Address State Pid Owner Created
+0x1dcd41d8 TCPv4 0.0.0.0:49153 0.0.0.0:0 LISTENING 988 svchost.exe
+0x1dd0b100 TCPv4 0.0.0.0:49153 0.0.0.0:0 LISTENING 988 svchost.exe
+0x1dd0b100 TCPv6 :::49153 :::0 LISTENING 988 svchost.exe
+0x1de7de10 TCPv4 0.0.0.0:49154 0.0.0.0:0 LISTENING 1032 svchost.exe
+0x1ded9488 TCPv4 0.0.0.0:135 0.0.0.0:0 LISTENING 824 svchost.exe
+0x1def6a60 TCPv4 0.0.0.0:445 0.0.0.0:0 LISTENING 4 System
+0x1def6a60 TCPv6 :::445 :::0 LISTENING 4 System
+0x1df3c250 TCPv4 0.0.0.0:49152 0.0.0.0:0 LISTENING 500 wininit.exe
+0x1df3c250 TCPv6 :::49152 :::0 LISTENING 500 wininit.exe
+0x1df46008 TCPv4 0.0.0.0:135 0.0.0.0:0 LISTENING 824 svchost.exe
+0x1df46008 TCPv6 :::135 :::0 LISTENING 824 svchost.exe
+0x1df4d920 TCPv4 0.0.0.0:49154 0.0.0.0:0 LISTENING 1032 svchost.exe
+0x1df4d920 TCPv6 :::49154 :::0 LISTENING 1032 svchost.exe
+0x1df86858 TCPv4 0.0.0.0:49152 0.0.0.0:0 LISTENING 500 wininit.exe
+0x1e69b678 TCPv4 0.0.0.0:49155 0.0.0.0:0 LISTENING 600 lsass.exe
+0x1e69b678 TCPv6 :::49155 :::0 LISTENING 600 lsass.exe
+0x1e69bf60 TCPv4 0.0.0.0:49155 0.0.0.0:0 LISTENING 600 lsass.exe
+0x1e6bf288 TCPv4 192.168.187.132:139 0.0.0.0:0 LISTENING 4 System
+0x1e6fd008 TCPv4 0.0.0.0:49156 0.0.0.0:0 LISTENING 584 services.exe
+0x1e6fd008 TCPv6 :::49156 :::0 LISTENING 584 services.exe
+0x1e98b358 TCPv4 0.0.0.0:49156 0.0.0.0:0 LISTENING 584 services.exe
+0x1e711a68 TCPv4 192.168.187.132:49158 94.142.241.111:23 ESTABLISHED 3968 telnet.exe
+0x1dc22c08 UDPv4 0.0.0.0:0 *:* 1032 svchost.exe 2011-11-30 14:03:45
+0x1dc22c08 UDPv6 :::0 *:* 1032 svchost.exe 2011-11-30 14:03:45
+0x1dc463f8 UDPv4 0.0.0.0:500 *:* 1032 svchost.exe 2011-11-30 14:03:45
+0x1dc463f8 UDPv6 :::500 *:* 1032 svchost.exe 2011-11-30 14:03:45
+0x1dc80008 UDPv4 0.0.0.0:5355 *:* 1296 svchost.exe 2011-11-30 14:04:10
+0x1dc80008 UDPv6 :::5355 *:* 1296 svchost.exe 2011-11-30 14:04:10
+0x1dd0c4e8 UDPv4 0.0.0.0:500 *:* 1032 svchost.exe 2011-11-30 14:03:45
+0x1dd0c800 UDPv4 0.0.0.0:4500 *:* 1032 svchost.exe 2011-11-30 14:03:45
+0x1de98d60 UDPv4 0.0.0.0:0 *:* 496 svchost.exe 2011-11-30 14:03:45
+0x1df237b0 UDPv4 0.0.0.0:123 *:* 1224 svchost.exe 2011-11-30 14:04:07
+0x1df237b0 UDPv6 :::123 *:* 1224 svchost.exe 2011-11-30 14:04:07
+0x1df89910 UDPv4 192.168.187.132:137 *:* 4 System 2011-11-30 14:03:44
+0x1dfb03f0 UDPv4 0.0.0.0:0 *:* 1032 svchost.exe 2011-11-30 14:03:45
+0x1e151008 UDPv4 0.0.0.0:5355 *:* 1296 svchost.exe 2011-11-30 14:04:10
+0x1e607380 UDPv4 0.0.0.0:0 *:* 496 svchost.exe 2011-11-30 14:03:45
+0x1e607380 UDPv6 :::0 *:* 496 svchost.exe 2011-11-30 14:03:45
+0x1e60f390 UDPv4 192.168.187.132:138 *:* 4 System 2011-11-30 14:03:44
+0x1e62a008 UDPv4 0.0.0.0:0 *:* 1224 svchost.exe 2011-11-30 14:03:46
+0x1e6c9008 UDPv4 0.0.0.0:123 *:* 1224 svchost.exe 2011-11-30 14:04:07
+0x1e6f2368 UDPv4 0.0.0.0:0 *:* 1296 svchost.exe 2011-11-30 14:04:10
+0x1e6f2368 UDPv6 :::0 *:* 1296 svchost.exe 2011-11-30 14:04:10
+0x1e96d4b8 UDPv4 0.0.0.0:0 *:* 1224 svchost.exe 2011-11-30 14:03:46
+0x1e96d4b8 UDPv6 :::0 *:* 1224 svchost.exe 2011-11-30 14:03:46
+\end{lstlisting}
+
+\subsection{What users are there on the system? Extract the password
+hashes and passwords.}
+volatility -f image2.vmem --profile=Win2008SP1x86 hashdump -s 0x94cdb6a8 -y 0x86224008
+\begin{lstlisting}Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
+Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
+Vista:1000:aad3b435b51404eeaad3b435b51404ee:209c6174da490caeb422f3fa5a7ae634:::
+Bob:1001:aad3b435b51404eeaad3b435b51404ee:878d8014606cda29677a44efa1353fc7:::
+Alice:1002:aad3b435b51404eeaad3b435b51404ee:5835048ce94ad0564e29a924a03510ef:::
+Eve:1003:aad3b435b51404eeaad3b435b51404ee:4d55663e41abd66cf17584c9c9f7c86c:::
+\end{lstlisting}
+
+\subsection{What "movie" was watched by the logged in user (beware, not a real movie!)?}
+volatility -f image2.vmem --profile=Win2008SP1x86 cmdscan
+\begin{lstlisting}
+Volatility Foundation Volatility Framework 2.3.1
+**************************************************
+CommandProcess: csrss.exe Pid: 2076
+CommandHistory: 0xe31160 Application: telnet.exe Flags: Allocated
+CommandCount: 0 LastAdded: -1 LastDisplayed: -1
+FirstCommand: 0 CommandCountMax: 50
+ProcessHandle: 0x374
+Cmd #31 @ 0xe2fa54: ?
+Cmd #34 @ 0x76bca0a0: ????????????j???????
+Cmd #35 @ 0x755c522e: ??????
+Cmd #47 @ 0xe30001: ????
+**************************************************
+CommandProcess: csrss.exe Pid: 2076
+CommandHistory: 0x83c32d8 Application: cmd.exe Flags: Allocated, Reset
+CommandCount: 1 LastAdded: 0 LastDisplayed: 0
+FirstCommand: 0 CommandCountMax: 50
+ProcessHandle: 0xf8
+Cmd #0 @ 0xe31050: telnet towel.blinkenlights.nl
+\end{lstlisting}
+
+
+
+\newpage\section{Details}
+\subsection{Sources}
+\subsubsection{image1.vmem}
+Image 1
+\begin{quote}
+\textbf{size}: 536870912 byte\\
+\textbf{''file''-output}: data\\
+\textbf{sha512}\\\ttfamily{
+04f0be53b4c7bc0e316759ce69f9f21b6e06911a1b436b13d7764bbad6413a8e\\
+aed62520286858fcee4c1af8e92c3791762b45d34ee215cca7da01b20b33d644}
+\end{quote}
+
+\subsubsection{image2.vmem}
+Image2
+\begin{quote}
+\textbf{size}: 536870912 byte\\
+\textbf{''file''-output}: data\\
+\textbf{sha512}\\\ttfamily{
+68998034f90148e220d8b676826ca1b96777d48a3c6214cf0782f10b1cd3a437\\
+71bd0e862c7cc2f13c491189b8c401c017baef32836a8e96f575c3c9b2d6755b}
+\end{quote}
+
+
+\subsection{Used tools on Host}
+Tools that were used for analysis (-{}-version):
+\begin{itemize}
+\item Volatility Foundation Volatility Framework 2.3.1
+\item sha512sum (GNU coreutils) 8.22
+\item ls (GNU coreutils) 8.22
+\item file 5.18
+\end{itemize}
+
+
+\subsection{Machines}
+\begin{itemize}
+\item \textbf{Host machine}\\
+ Linux rebx 3.14.0-gentoo-somenet.org \#1 SMP Sun Apr 6 01:00:17 CEST 2014 x86\_64 Intel(R) Core(TM)2 Duo CPU T9300 \@ 2.50GHz GenuineIntel GNU/Linux
+\end{itemize}
+
diff --git a/report3/gitinfohook.sh b/report3/gitinfohook.sh
new file mode 100755
index 0000000..e085f4e
--- /dev/null
+++ b/report3/gitinfohook.sh
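Review bot: The malware subsection for image1 names `rundll32.exe` and `AcroRd32Info.ex(e)` without citing the evidence that the `pstree` listing above it already contains, so a reader cannot check the finding. The items should state the parent/child relations and creation times from that listing and name the follow-up checks, as sketched below. Separately, `imageinfo` reports Service Pack 3 for image1 but the later commands pass `--profile=WinXPSP2x86`; `WinXPSP3x86` is the suggested profile that matches. `\ttfamily{...}` is a font switch rather than a command taking an argument, so `\texttt{...}` is presumably what is meant, and the text that follows `\begin{lstlisting}` on the same line in the hashdump block is likely to be dropped by listings, which would lose the Administrator row.

```latex
\subsection{Can you find traces of Malware?}
\begin{itemize}
\item \texttt{rundll32.exe} (PID 3968) is a child of \texttt{AcroRd32.exe} (PID 3692) and was created at 11:14:06, four seconds before the image time 11:14:10. A PDF reader starting \texttt{rundll32.exe} is unusual; the loaded modules and memory regions of both PIDs should be checked with \texttt{dlllist} and \texttt{malfind}.
\item \texttt{Netlogon.exe} (PID 3976) was created in the same second, 11:14:06, as a child of \texttt{explorer.exe} (PID 1512).
\item \texttt{svchost.exe} PIDs 416 and 3708 have parents 1828 and 3632 instead of \texttt{services.exe} (PID 676); neither parent PID appears in the \texttt{pstree} output.
\item \texttt{AcroRd32Info.ex(e)} (PID 3728) and \texttt{svchost.exe} (PID 3708) were both created at 11:12:28, one second after \texttt{AcroRd32.exe}.
\item No definite proof of compromise was found; the items above are leads, not conclusions.
\end{itemize}
```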
@@ -0,0 +1,28 @@
+#!/bin/sh
+# Copyright 2011 Brent Longborough
+# Please read gitinfo.pdf for licencing and other details
+# -----------------------------------------------------
+# cp gitinfohook.sh .git/hooks/post-update
+# chmod +x .git/hooks/post-update
+#
+#prefixes=". test docs" # Example for multiple gitHeadInfo.tex files
+prefixes="." # Default --- in the working copy root
+for pref in $prefixes
+ do
+ git log -1 --date=short \
+ --pretty=format:"\usepackage[%
+ shash={%h},
+ lhash={%H},
+ authname={%an},
+ authemail={%ae},
+ authsdate={%ad},
+ authidate={%ai},
+ authudate={%at},
+ commname={%an},
+ commemail={%ae},
+ commsdate={%ad},
+ commidate={%ai},
+ commudate={%at},
+ refnames={%d}
+ ]{gitsetinfo}" HEAD > $pref/gitHeadInfo.gin
+ done
diff --git a/report3/main.tex b/report3/main.tex
new file mode 100644
index 0000000..cc6f99e
--- /dev/null
+++ b/report3/main.tex
@@ -0,0 +1,136 @@
+\RequirePackage{snapshot} % stats of included files: $filename.dep
+
+\documentclass[10pt,a4paper,ngerman]{article}
+\usepackage[ngerman]{babel}
+
+%%%%% Formatting and encoding %%%%%
+% encoding
+\usepackage[T1]{fontenc}
+\usepackage[utf8]{inputenc}
+
+% page
+\usepackage[columnsep=1.75cm,lmargin=1.75cm,rmargin=1.75cm,tmargin=2.5cm,bmargin=2.5cm]{geometry}
+\setlength{\parindent}{0pt}
+
+\usepackage{fancyhdr}
+\pagestyle{fancy}
+\lhead{}
+\chead{}
+\rhead{}
+\cfoot{}
+\fancyhead[LE,RO]{\leftmark}
+\fancyfoot[LE,RO]{\thepage}
+
+% Use sans serif font.
+\renewcommand*{\familydefault}{\sfdefault}
+
+% change heading fontsizes.
+\usepackage{sectsty}
+\subsectionfont{\normalsize}
+\subsubsectionfont{\small}
+
+% \chapter hacks
+% Create \Hide command (used for chapters)
+\usepackage[explicit]{titlesec}
+\newcommand*\Hide{\titleformat{\chapter}[display]{}{}{0pt}{\Huge}\titleformat{\part}{}{}{0pt}{}}
+
+% inhibit creation of new double page on new chapter.
+\usepackage{etoolbox}
+\makeatletter
+\patchcmd{\chapter}{\if@openright\cleardoublepage\else\clearpage\fi}{}{}{}
+\makeatother
+
+% change heading margins.
+\titlespacing*{\chapter}{0pt}{0pt}{-40pt}
+\titlespacing*{\section}{0pt}{9pt}{3pt}
+\titlespacing*{\subsection}{0pt}{6pt}{0pt}
+\titlespacing*{\subsubsection}{0pt}{0pt}{0pt}
+
+% make \paragraph do newlines
+\makeatletter
+\renewcommand\paragraph{\@startsection{paragraph}{4}{\z@}
+ {-.75ex \@plus -1ex \@minus -0.2ex}
+ {0.01pt}
+ {\normalfont\normalsize\bfseries}
+}
+\makeatother
+
+%%% TOC changes %%%
+% inhibit "Contents" Head in TOC
+\makeatletter
+\renewcommand\tableofcontents{\@starttoc{toc}}
+\makeatother
+
+%make toc consider Chapter and section only.
+\setcounter{tocdepth}{3}
+
+% disable chapter, section, ... numbering
+\setcounter{secnumdepth}{-1}
+
+%%% /TOC changes %%%
+
+% make footnote numbering reset on every page.
+\usepackage[hang,flushmargin,perpage]{footmisc}
+%%%%% / Formatting %%%%%
+
+% includable git commit info
+\usepackage[missing=run\ build.sh\ or\ gitinfohook.sh]{gitinfo}
+
+% Fürs "last generated" Datum
+\usepackage[iso]{isodate}
+
+% Image import stuff
+\usepackage[absolute]{textpos}
+\usepackage{graphicx}
+\DeclareGraphicsExtensions{.pdf,.png,.jpg}
+
+% clickable references/links/...
+\usepackage{hyperref}
+
+% euro-sign
+\usepackage{eurosym}
+\DeclareUnicodeCharacter{20AC}{\euro}
+
+% frames
+\usepackage[framemethod=default]{mdframed}
+\newmdenv[linecolor=red,backgroundcolor=yellow]{yellowframe}
+
+% quotes
+\usepackage[babel,german=quotes]{csquotes}
+
+\usepackage{listings}
+\lstset{literate=%
+{Ö}{{\"O}}1
+{Ä}{{\"A}}1
+{Ü}{{\"U}}1
+{ß}{{\ss}}2
+{ü}{{\"u}}1
+{ä}{{\"a}}1
+{ö}{{\"o}}1
+}
+
+
+% START DOCUMENT
+\begin{document}\thispagestyle{empty}
+\hspace{50pt}
+\section*{Digital Forensics 188.922}
+\textbf{2014S}
+
+\section*{Assignment 2}
+\textbf{NTFS}
+
+\section*{Jan Vales}
+\textbf{0726236\\\url{mailto:jan@jvales.net}}\\\\
+\textbf{Still want an official \LaTeX{} template!}\\
+
+\vspace{50pt}
+
+\section*{Table of Contents}\begin{footnotesize}\tableofcontents\end{footnotesize}
+\subsection*{Version}\begin{footnotesize}\url{http://git.somenet.org/?p=priv/jan/digfor.git}\\
+git clone \url{ssh://git@git.somenet.org:666/priv/jan/digfor}\\
+This is revision: \textbf{\gitAbbrevHash}. Document (.tex) compiled on: \textbf{\today}
+\end{footnotesize}\vspace{\fill}\newpage
+
+\input{content.tex}
+
+\end{document}
-- 2.43.0
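Review bot: The title page still reads `\section*{Assignment 2}` with the subtitle `\textbf{NTFS}`, while this commit adds report3 and its content.tex analyses two memory images, so the cover appears to be carried over from the previous report. Presumably it should read `\section*{Assignment 3}` with a subtitle that names the memory-image analysis; the exact wording is the author's to confirm. The comment `%make toc consider Chapter and section only.` also disagrees with `\setcounter{tocdepth}{3}` on the next line, and the preamble patches and spaces `\chapter` although the class is `article`, which does not define it.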