Automating DFIR - How to series on programming libtsk with python Part 1

By Hacking Exposed Computer Forensics Blog
On [2015-02-19] at 23:06:14



Hello Reader,

As you can see from the title of this post, I'm starting on a series all about automating your workflow when doing DFIR work. It is my belief that our industry as we know it is poised for change due to the work of a few, but mostly, in my opinion, Joachim Metz. For all the time that I've done DFIR work, the biggest lock-in that commercial software had that everyone else did not was the ability to work directly against a forensic image. We would always have to resort to using some commercial tool, whether free, semi-free or paid for, to get access to the underlying data within a forensic image or a live running system. With the large set of free and open source libraries now available, you can write simple code to automate most of the work you were doing within these forensic tools and customize it to your actual need. This, in my opinion, is a huge shift in how we can do our work: we can build tools that do not require us to load up our dongles, put up with how someone else imagines our workflow, or export data just so we can get our favorite one-off tool to work with a specific artifact. This is becoming more of an issue as the community itself is finding new artifacts faster than the commercial entities can keep up with them, so even if you wanted to stay in the commercial suite you purchased, you are still forced to get out of their box to get a new artifact that could make your case. In this series of posts I want to show how we can build up from a small Python program that accesses an image to a full-blown forensic utility that pulls all the data from an image and creates its output, all in a way that we can change and customize to our liking.

Now you may be saying, hey, there are already examples of how to do this in the projects that made these libraries. You are right, there are, but I am hoping to simplify this for those of you new to programming so we can expand the number of people out there that can use these libraries and push our industry forward. For those of you who are serious programmers, be warned: I am not going to follow good coding practices in this post, as I am trying to get people motivated to try programming.

What you will need to follow along
-----------------------------------

Python 2.7
  Windows: I like ActiveState, so I would use ActivePython on Windows, but you can use any Python interpreter you want; note that all the code and libraries I'm working with are written for Python 2. http://www.activestate.com/activepython/downloads
  Linux/OSX: Python should already be installed; if not, install it with your operating system's package manager.

Pytsk
  Windows: After installing Python you can grab a Windows installer for this library here: https://e366e647f8637dd31e0a13f75e5469341a9ab0ee.googledrive.com/host/0B30H7z4S52FleW5vUHBnblJfcjg/3rd%20party/win32-vs2008/pytsk3-4.1.3-20140506.win32-py2.7.msi
  Linux/OSX: After installing Python you can probably get it installed with the Python package manager, but otherwise grab a package here: https://e366e647f8637dd31e0a13f75e5469341a9ab0ee.googledrive.com/host/0B30H7z4S52FleW5vUHBnblJfcjg/3rd%20party/

Pyewf
  Windows: After installing Python you can grab a Windows installer for this library here: https://e366e647f8637dd31e0a13f75e5469341a9ab0ee.googledrive.com/host/0B30H7z4S52FleW5vUHBnblJfcjg/3rd%20party/win32-vs2008/pyewf-20140608.1.win32-py2.7.msi
  Linux/OSX: After installing Python you can probably get it installed with the Python package manager, but otherwise grab a package here: https://e366e647f8637dd31e0a13f75e5469341a9ab0ee.googledrive.com/host/0B30H7z4S52FleW5vUHBnblJfcjg/3rd%20party/

An image. I am going to work on this one from a prior challenge to start with: https://mega.co.nz/#!ywxEgQZZ!RawTMjJoR6mJgn4P0sQAdzU5XOedR6ianFRcY_xxvwY (it's a small VHD that we can start with). In later posts I will be using and providing additional images. You will need to unzip the image and then place it in the same directory where you are going to create your code examples, for ease of use.

A text editor. I am using ActiveState Komodo as my development environment, just because I am familiar with it. You can just use vi or notepad.

Getting started, access an image
--------------------------------

Ok, you have all the items listed above, so you are ready. We are going to make a new file called dfirwizard.py. The first thing we have to do is give the file the normal header and then import the libraries we want to work with.

    #!/usr/bin/python
    # Sample program or step 1 in becoming a DFIR Wizard
    # No license as this code is simple and free
    import sys
    import pytsk3

So here we are importing the standard Python system library and pytsk3, which will give us all the forensic image access goodness we want. Next we need to tell it where the image is located and then have pytsk open it up for us. I am going to keep this very simple to prevent confusing errors and hard-code the path; as we build up this program we will switch that out so you can pass the name of the image in each time you run your super DFIR wizard programs. Add the following two lines below the imports:

    imagefile = "Stage2.vhd"                    # the image, in the same directory as the script
    imagehandle = pytsk3.Img_Info(imagefile)    # open it with libtsk

So we have hardcoded the name of the image in a variable named 'imagefile'. Next we created a pytsk object using the class Img_Info that is built into pytsk, which will allow us to work with this forensic image. The resulting object is now stored in the variable 'imagehandle', which will then be used to access the underlying image.

Now this prints nothing even though it worked, so let's add one more simple line that shows us that we do in fact have access to the underlying image. Let's tell pytsk to give us the partition table for this image; to do this we will need another built-in pytsk class named Volume_Info. We give Volume_Info the image object we made in the previous example and it returns to us the partition information contained within it, assuming there is a partition table available (if the image has no recognizable volume system, pytsk3 raises an exception here instead).

    partitionTable = pytsk3.Volume_Info(imagehandle)   # parse the volume system (e.g. the DOS/MBR table)

Great, now we just need to do something with this result set that has been provided to us, which is currently stored in the variable 'partitionTable'. The most obvious thing to do is print it out one partition at a time. I'm using the for loop contained in the pytsk example mmls.py to show this; the complete file now looks like this:

    #!/usr/bin/python
    # Sample program or step 1 in becoming a DFIR Wizard
    # No license as this code is simple and free
    import sys
    import pytsk3

    imagefile = "Stage2.vhd"
    imagehandle = pytsk3.Img_Info(imagefile)
    partitionTable = pytsk3.Volume_Info(imagehandle)

    # one line per entry: number, description, start sector (byte offset), length in sectors
    for partition in partitionTable:
        print partition.addr, partition.desc, "%ss(%s)" % (partition.start, partition.start * 512), partition.len

So now we are printing the partition table back to the command prompt window where you are running this Python script. The variable partitionTable contains a linked list of partition entries (pytsk3 lets us iterate over it) that we are walking with a for loop in the example above. So for every partition in the list we are printing out specific attributes of the partition. For a full list of all attributes available on each entry, go to the following API reference page from libtsk: http://www.sleuthkit.org/sleuthkit/docs/api-docs/structTSK__VS__PART__INFO.html

When you run our Python script, and become a DFIR Wizard, you will see the following output:

    F:\downloads\SSFFC-Level2>python dfirwizard.py
    0 Primary Table (#0) 0s(0) 1
    1 Unallocated 0s(0) 128
    2 NTFS (0x07) 128s(65536) 1042432
    3 Unallocated 1042560s(533790720) 6017

So what do we see here? Let's break down the NTFS line:

    2 NTFS (0x07) 128s(65536) 1042432

2 - the partition number (the addr attribute)
NTFS (0x07) - the partition description, including the type flag for NTFS
128s - the starting sector of the partition
65536 - the byte offset of the partition, obtained by multiplying the starting sector by 512 bytes; this is the absolute position within the image where the partition begins
1042432 - the length in sectors of this partition. If you multiply this number by 512 you get 533,725,184 bytes, which is 509 megabytes (divide 533,725,184 by 1024 once to get kilobytes, twice to get megabytes), and that is the size of the partition found within the image.

One caveat on the multiplication: 512 is the sector size of this image and of most images you will meet, but it is not universal (4096-byte-sector disks exist). libtsk records the volume system's sector size in the TSK_VS_INFO block_size field, so a script that has to handle arbitrary images should read that value rather than hard-code 512.

So there you have it. You have just accessed a forensic image and printed out the partition table from it with 10 lines of code. This wasn't possible to do so easily prior to pytsk, which provides a simplified interface to libtsk. If you want to download the code rather than risk Python indentation errors from copying and pasting, you can download this sample file here: https://mega.co.nz/#!j9BUnaZA!uA9WaR6hB3cLcQE7xgGjGnKcCODAHpRPim8O40AWDMw Familiar with git? I made a GitHub repository for this series, which you can access here: https://github.com/dlcowen/dfirwizard/tree/master

In the next post let's actually grab a file out of an image and show it to you, and then just keep building on from there. Do you have a specific thing you want to see built or shown in these posts? Leave a comment below and I'll make sure to include it.
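To show where the four lines of output above actually come from, here is an added example (mine, not code from the post or from the pytsk project) that parses a DOS/MBR partition table with nothing but the standard library and produces the same mmls-style rows that pytsk3.Volume_Info hands you, including the "Unallocated" gap rows and the sector-to-byte-offset arithmetic. It assumes 512-byte sectors, primary partitions only (no extended partitions, no GPT), and a small subset of libtsk's type-name table; the function names (build_mbr, parse_mbr, format_rows, check_rows, partition_size_mib) and the constructed test image are my own. It also adds the two sanity checks a practitioner wants before trusting a table: overlapping entries and entries that run past the end of the acquired image.

```python
import struct

SECTOR_SIZE = 512  # assumption: 512-byte sectors, the same multiplier the post uses

# Small subset of the type names libtsk prints; anything else becomes "Unknown Type".
MBR_TYPE_NAMES = {
    0x05: "DOS Extended", 0x06: "DOS FAT16", 0x07: "NTFS",
    0x0b: "Win95 FAT32", 0x0c: "Win95 FAT32", 0x0f: "DOS Extended",
    0x82: "Linux Swap / Solaris x86", 0x83: "Linux", 0xee: "GPT Safety Partition",
}


def build_mbr(entries):
    """Construct a 512-byte MBR sector (constructed test data, not a real image).
    `entries` holds up to four (type_byte, start_lba, length_sectors) tuples.
    CHS fields are filled with 0xFF as modern tools do; only the LBA fields are parsed."""
    sector = bytearray(SECTOR_SIZE)
    for i, (ptype, start, length) in enumerate(entries[:4]):
        entry = struct.pack("<B3sB3sII", 0x00, b"\xff\xff\xff", ptype,
                            b"\xff\xff\xff", start, length)
        sector[446 + 16 * i:446 + 16 * (i + 1)] = entry
    sector[510:512] = b"\x55\xaa"  # boot signature
    return bytes(sector)


def parse_mbr(mbr_sector, image_sectors):
    """Turn a primary-only MBR into mmls-style rows: dicts with addr, desc, start
    and len (sectors) plus a `meta` flag for the table entry itself.  Space before,
    between and after partitions becomes "Unallocated" rows, as mmls reports it.
    Raises ValueError when the boot signature is missing (pytsk3 raises IOError)."""
    if len(mbr_sector) < SECTOR_SIZE or bytes(mbr_sector[510:512]) != b"\x55\xaa":
        raise ValueError("no MBR boot signature: not a DOS partition table")

    parts = []
    for i in range(4):
        raw = mbr_sector[446 + 16 * i:446 + 16 * (i + 1)]
        _flag, _chs1, ptype, _chs2, start, length = struct.unpack("<B3sB3sII", raw)
        if ptype == 0x00 or length == 0:
            continue  # empty slot
        parts.append({"desc": "%s (0x%02x)" % (MBR_TYPE_NAMES.get(ptype, "Unknown Type"), ptype),
                      "start": start, "len": length, "meta": False})
    parts.sort(key=lambda p: p["start"])

    # Row 0 describes the table itself.  It lives in sector 0 but is not treated as
    # consuming it, which is why mmls shows "Unallocated" starting at sector 0 too.
    rows = [{"desc": "Primary Table (#0)", "start": 0, "len": 1, "meta": True}]
    cursor = 0
    for p in parts:
        if p["start"] > cursor:
            rows.append({"desc": "Unallocated", "start": cursor,
                         "len": p["start"] - cursor, "meta": False})
        rows.append(p)
        cursor = p["start"] + p["len"]
    if cursor < image_sectors:
        rows.append({"desc": "Unallocated", "start": cursor,
                     "len": image_sectors - cursor, "meta": False})
    for addr, row in enumerate(rows):
        row["addr"] = addr
    return rows


def format_rows(rows):
    """Render rows the way the post's for loop does: '<addr> <desc> <start>s(<byte offset>) <len>'."""
    return ["%d %s %ds(%d) %d" % (r["addr"], r["desc"], r["start"],
                                  r["start"] * SECTOR_SIZE, r["len"]) for r in rows]


def check_rows(rows, image_sectors):
    """Sanity checks before trusting a table: entries must not overlap and must not
    extend past the acquired image (a truncated acquisition or an MBR cloned from a
    larger disk).  Returns a list of human-readable problems, empty when clean."""
    problems = []
    prev_end = 0
    for r in rows:
        if r["meta"]:
            continue
        end = r["start"] + r["len"]
        if r["start"] < prev_end:
            problems.append("entry %d overlaps the previous entry" % r["addr"])
        if end > image_sectors:
            problems.append("entry %d runs %d sectors past the image end" % (r["addr"], end - image_sectors))
        prev_end = max(prev_end, end)
    return problems


def partition_size_mib(length_sectors):
    """The arithmetic the post walks through for the NTFS line (sectors -> MiB)."""
    return length_sectors * SECTOR_SIZE / 1024.0 / 1024.0


if __name__ == "__main__":
    # Constructed layout reproducing the table the post gets from Stage2.vhd:
    # 128 sectors before the partition, a 1042432-sector NTFS partition, 6017 trailing sectors.
    total_sectors = 128 + 1042432 + 6017
    table = parse_mbr(build_mbr([(0x07, 128, 1042432)]), total_sectors)
    for line in format_rows(table):
        print(line)
    for problem in check_rows(table, total_sectors):
        print("WARNING: " + problem)
    print("NTFS partition is %.0f MiB" % partition_size_mib(table[2]["len"]))
```

Run as-is it prints the same four rows as the post's script and "NTFS partition is 509 MiB". Against a real image you would let pytsk3.Volume_Info do the parsing, but feed its rows through check_rows: a partition that ends beyond the image, or two entries that overlap, is something to notice before you start carving a file system out of it.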