Most of us have a cheat sheet [CS] here and there. In my jump bag there is a 3 ring binder with cheat sheets in plastic sheet protectors. In this, it got me thinking about cheat sheets again and there are a few things to share. First, we have wrote about them many times over the years (located with site:isc.sans.edu Cheat Sheets) [1] [2] [3] [4] [5]. There are also a series of cheat sheets all over the ‘intertubes’ [6] [7] [8] and lets not forget the great list of CS at Packet Life [9]. There are even GIT repositories of CS [10].

Note: From here On, I am talking about an Apple OS X only App. If someone wants to contribute something similar for Linux and Windows email me ( rporter at isc dot sans dot edu ) or twitter @packetalien and I will post an update.

One common thing that has been bothering me as of late is ‘search-ability’ and ease of getting to quick answers in a cheat sheet. Then I thought about possible solutions and wanted to share.

For other coding references there is Dash [11] which I use heavily and they have tons of cheat sheets [12]. While sitting in a SANS 572 Advanced Network Forensics, it hit me, write a Packet Forensics CS, to the Dash Docs Batman.

As it turns out, the format is easy to understand and based in Ruby [12] and there is a Ruby gem called Cheatset [13] that has great samples.

Here is a screenshot of what I’ve got so far, and this cheat sheet will be for packet "forensicators":

There will be more to come as time permits and if anyone is interested in the source or docset for this and or would like to contribute email me ( rporter at isc dot sans dot edu ) or twitter @packetalien.

A final note, when doing forensics on a case, it is always good to have references handy!

[1] https://isc.sans.edu/diary/2+Cheat+Sheets+for+Incident+Handling/5354

[2] https://isc.sans.edu/diary/Cheat+Sheet%3A+Analyzing+Malicious+Documents/7705

[3] https://isc.sans.edu/diary/New+and+updated+cheat+sheets/6958

[4] https://isc.sans.edu/diary/New+Incident+Response+Methodology+Cheat+Sheet/10828

[5] https://isc.sans.edu/diary/OWASP+Session+Management+%22Cheat+Sheet%22/11263

[6] https://isc.sans.edu/presentations/

[7] https://www.owasp.org/index.php/Session_Management_Cheat_Sheet

[8] https://cert.societegenerale.com/en/publications.html

[9] http://packetlife.net/library/cheat-sheets/

[10] https://github.com/detailyang/cheat-sheets

[11] https://kapeli.com/dash

[12] https://github.com/Kapeli/cheatsheets

[13] https://github.com/Kapeli/cheatset

Richard Porter

@packetalien, packetalien.com, rporter at isc dot sans dot edu

--- ISC Handler on Duty