Automating DFIR - How to series on programming libtsk with python Part 2

By Hacking Exposed Computer Forensics Blog
On [2015-02-20] at 06:52:29



Presentation: Hello Reader,

In our last post, part 1, we printed out a partition table from a forensic image. You might have noticed that the image we are using for these first posts is a VHD and not an E01. VHD and other raw image formats are supported directly by pytsk, so for our first couple of posts it will be easier to work with them. Once we get beyond the basics I'll bring pyewf and its corresponding libewf libraries into our code examples, and we will begin using all the different types of image formats in our DFIR Wizardry, even getting into shadow copy access and more. So stick with me if you want to go step by step.

If you don't want to go step by step and you have the programming experience to leap ahead, then I would suggest jumping straight to the sample code that comes with the following projects:

- pytsk sample code: https://github.com/py4n6/pytsk/tree/master/samples
- libewf sample code: https://github.com/libyal/libewf/wiki/Development
- dfvfs sample code: https://github.com/log2timeline/dfvfs/tree/master/examples

Now with that out of the way, let's move on to the next step of our DFIR Wizard program. In the first post (we can call that DFIRW v1) we accessed an image and printed out the partition table. Now let's extend our example and extract a file from the image. First let's remember where we left off; here is the code we last worked with:

```python
#!/usr/bin/python
# Sample program or step 1 in becoming a DFIR Wizard!
# No license as this code is simple and free!
import sys
import pytsk3

imagefile = "Stage2.vhd"
imagehandle = pytsk3.Img_Info(imagefile)
partitionTable = pytsk3.Volume_Info(imagehandle)
for partition in partitionTable:
    # address, description, start sector (byte offset) and length in sectors
    print(partition.addr, partition.desc, "%ss(%s)" % (partition.start, partition.start * 512), partition.len)
```

To access a file stored in a forensic image we already have the main thing we need: a Python libtsk object that provides functions to access the volume stored within the forensic image. Next we need an object that will give us access to the file system on a volume we choose. In the case of this example image there is only one valid file system, and that is the second partition on the disk, which is NTFS. If you remember from the previous post, our NTFS partition info looked like this:

```
2 NTFS (0x07) 128s(65536) 1042432
```

This becomes important in this next step because we need to tell libtsk where the file system we want to open is. To do that we call a new function, FS_Info, which takes two important pieces of information: the variable holding the image object we made already, and the offset to where our file system begins on the partition we want to examine. If you remember from the last post, we said that the value 65536 was the absolute byte offset to the beginning of the NTFS partition, so we already have the information we need. Let's add that on to our program:

```python
#!/usr/bin/python
# Sample program or step 2 in becoming a DFIR Wizard!
# No license as this code is simple and free!
import sys
import pytsk3

imagefile = "Stage2.vhd"
imagehandle = pytsk3.Img_Info(imagefile)
partitionTable = pytsk3.Volume_Info(imagehandle)
for partition in partitionTable:
    print(partition.addr, partition.desc, "%ss(%s)" % (partition.start, partition.start * 512), partition.len)
# open the NTFS file system that starts 65536 bytes into the image
filesystemObject = pytsk3.FS_Info(imagehandle, offset=65536)
```

You can see we've added one new line to the bottom of our program: a new variable called filesystemObject which, because we passed in the offset to our NTFS partition, now gives us access to the underlying file system contained within it.

That's great, you say, but how do we actually access a file? In later examples I'll show how to recurse through a file system to search, find, hash and do all sorts of other good things, but to begin with let's just grab something. One of the files you can always expect on an NTFS volume is the master file table, which goes by the name $MFT. So let's grab that:

```python
#!/usr/bin/python
# Sample program or step 2 in becoming a DFIR Wizard!
# No license as this code is simple and free!
import sys
import pytsk3

imagefile = "Stage2.vhd"
imagehandle = pytsk3.Img_Info(imagefile)
partitionTable = pytsk3.Volume_Info(imagehandle)
for partition in partitionTable:
    print(partition.addr, partition.desc, "%ss(%s)" % (partition.start, partition.start * 512), partition.len)
filesystemObject = pytsk3.FS_Info(imagehandle, offset=65536)
# open the master file table at the root of the file system
fileobject = filesystemObject.open("/$MFT")
```

Great, now we have a new variable called fileobject which gives us access to everything libtsk can tell us about the file $MFT located at the root of the file system. If you want to play with this program later you can change "/$MFT" to the full path of any other file you want. For now though let's focus on the $MFT, which is a useful file in its own right; many times we want to extract it and parse it with external parsers to get at some of the more obscure metadata.

Let's start by gathering some information about the $MFT file:

- What is its inode number? libtsk has a metadata structure we can use to provide this. It's stored in the info.meta.addr value, which in our code we fully reference as fileobject.info.meta.addr.
- What is the file name, in case in the future we are accessing files by inode? libtsk has a separate structure for file names than it does for metadata. While NTFS combines the storage of these two structures into one location (the MFT), many other file systems don't; instead they store the file name in the directory that links to the file. The file name is stored in info.name.name, and we fully reference it as fileobject.info.name.name.
- What is the creation time? Creation time and all the other timestamps of a file are always important to us. The value that libtsk returns to us is the time in epoch form (stored in UTC). The creation timestamp is stored in info.meta.crtime, and we fully reference it as fileobject.info.meta.crtime.

For a full list of the metadata properties you can access, go here: http://www.sleuthkit.org/sleuthkit/docs/api-docs/structTSK__FS__META.html

So let's add in some code to print out all this useful information about the $MFT in our image:

```python
#!/usr/bin/python
# Sample program or step 2 in becoming a DFIR Wizard!
# No license as this code is simple and free!
import sys
import pytsk3

imagefile = "Stage2.vhd"
imagehandle = pytsk3.Img_Info(imagefile)
partitionTable = pytsk3.Volume_Info(imagehandle)
for partition in partitionTable:
    print(partition.addr, partition.desc, "%ss(%s)" % (partition.start, partition.start * 512), partition.len)
filesystemObject = pytsk3.FS_Info(imagehandle, offset=65536)
fileobject = filesystemObject.open("/$MFT")
print("File Inode:", fileobject.info.meta.addr)
print("File Name:", fileobject.info.name.name)
print("File Creation Time:", fileobject.info.meta.crtime)
```

Awesome! Now we can access a file stored in an image and print out information about it. However, you'll notice if you run this example that the creation time printed isn't what you expect. The timestamp value being returned here is in epoch form, meaning the number of seconds that have passed since midnight 1/1/1970 UTC. So we need some help from the standard Python libraries in getting this epoch timestamp into a human readable timestamp. The Python standard library datetime will do just that for us. Inside the datetime library is a function called 'fromtimestamp' which, when combined with 'strftime', will allow us to convert our epoch value into a human readable timestamp of our liking. That's right, you can make the timestamp show up in any format you want to match American, European and other database specific timestamp formats.

To add in the datetime library we need to add a new import statement near the beginning of our program: import datetime. Then we need to use the two functions we talked about above, which we reference with the library name first (datetime), then the class in the library (datetime.datetime), followed by the function we want to call (fromtimestamp) and then how we want the timestamp printed (strftime). All combined you get the program as you see below:

```python
#!/usr/bin/python
# Sample program or step 2 in becoming a DFIR Wizard!
# No license as this code is simple and free!
import sys
import pytsk3
import datetime

imagefile = "Stage2.vhd"
imagehandle = pytsk3.Img_Info(imagefile)
partitionTable = pytsk3.Volume_Info(imagehandle)
for partition in partitionTable:
    print(partition.addr, partition.desc, "%ss(%s)" % (partition.start, partition.start * 512), partition.len)
filesystemObject = pytsk3.FS_Info(imagehandle, offset=65536)
fileobject = filesystemObject.open("/$MFT")
print("File Inode:", fileobject.info.meta.addr)
print("File Name:", fileobject.info.name.name)
# convert the epoch creation time into a human readable timestamp
print("File Creation Time:", datetime.datetime.fromtimestamp(fileobject.info.meta.crtime).strftime('%Y-%m-%d %H:%M:%S'))
```

So to break this down further: instead of just printing the epoch value we are now printing the human readable value of the creation timestamp. We do this conversion with the datetime library by calling datetime.datetime.fromtimestamp. We pass fromtimestamp the full reference to our selected file's creation timestamp, fileobject.info.meta.crtime, and then we append a string formatting call. strftime, or string format time, lets us control how the timestamp will be printed. Here we are passing %Y for the full four digit year, %m for the two digit month, %d for the two digit day, and then the 24 hour version of the time with %H for hour, %M for minute and %S for seconds. You can change the ordering any way you want to make the timestamp format fit your needs. For the full list of timestamp formatting codes go here: http://strftime.org

Ok, now for the next part which many of you have been waiting for: how do I get a file out of this image? Would you believe me if I said all we need is three more lines of code? Well you should:

```python
#!/usr/bin/python
# Sample program or step 2 in becoming a DFIR Wizard!
# No license as this code is simple and free!
import sys
import pytsk3
import datetime

imagefile = "Stage2.vhd"
imagehandle = pytsk3.Img_Info(imagefile)
partitionTable = pytsk3.Volume_Info(imagehandle)
for partition in partitionTable:
    print(partition.addr, partition.desc, "%ss(%s)" % (partition.start, partition.start * 512), partition.len)
filesystemObject = pytsk3.FS_Info(imagehandle, offset=65536)
fileobject = filesystemObject.open("/$MFT")
print("File Inode:", fileobject.info.meta.addr)
print("File Name:", fileobject.info.name.name)
print("File Creation Time:", datetime.datetime.fromtimestamp(fileobject.info.meta.crtime).strftime('%Y-%m-%d %H:%M:%S'))
# extract the whole $MFT into a local file; 'wb' because the data is binary
outfile = open('DFIRWizard-output', 'wb')
filedata = fileobject.read_random(0, fileobject.info.meta.size)
outfile.write(filedata)
```

We are opening a file for writing; I called the file we are writing to DFIRWizard-output. We use the open function and let Python know we want to write binary data to this file with the 'wb' flag (binary mode, so nothing in the extracted data is altered on the way out). We store the file handle for writing to this file in the variable outfile. The line looks like `outfile = open('DFIRWizard-output', 'wb')`.

To read the contents of the file we use the function read_random, which takes two parameters: the offset from the start of the file where we want to start reading, and how many bytes of data we want to read. We are reading the contents of the $MFT from the beginning (0) to the end (fileobject.info.meta.size is the size of the file in bytes) and storing the data read into a variable called filedata. When you are working with large files or lots of files this isn't the best way to read the data; you'll likely want to buffer it and do reads and writes in a loop, but to keep it simple we are making it one line. The line looks like `filedata = fileobject.read_random(0, fileobject.info.meta.size)`.

Last, we write the data we just read into filedata to our output file 'DFIRWizard-output' using the write method that is available to all file objects. We do this by calling the write method on the file object outfile and passing it the variable we want to write, filedata. When all is said and done it looks like `outfile.write(filedata)`.

That's it! Our second version of DFIR Wizard is done. You can try this yourself or download my version from the series GitHub at https://github.com/dlcowen/dfirwizard/blob/master/dfirwizard-v2.py

In the third part of this series we will show how to do the same thing against a live system.
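The post leaves two things for later: reading large files in a loop rather than in one read_random call, and the fact that datetime.fromtimestamp() without a time zone converts the UTC value TSK returns into the examiner's local zone. The following is an added example (not the post's or the dfirwizard repository's code) covering both; it assumes only the pytsk3 interface the post already uses (FS_Info(img, offset=...), open(path), read_random(offset, size), info.meta.size, info.meta.crtime) and ships a constructed in-memory stand-in so it runs without pytsk3 or a disk image.

```python
#!/usr/bin/env python3
# Added example, not the post's own code. Chunked extraction with hashing and
# UTC timestamp rendering for pytsk3 file objects; FakeTskFile is a constructed
# stand-in for the subset of pytsk3.File used here so the module runs offline.
import datetime
import hashlib
import io
from types import SimpleNamespace

SECTOR_SIZE = 512
CHUNK_SIZE = 1024 * 1024  # 1 MiB per read_random call instead of the whole file


def partition_offset_bytes(start_sector, sector_size=SECTOR_SIZE):
    """Byte offset for pytsk3.FS_Info(offset=...): the post's NTFS volume starts at sector 128 -> 65536."""
    return start_sector * sector_size


def epoch_to_utc(seconds):
    """Render a TSK epoch timestamp as UTC text; fromtimestamp() without tz
    would silently shift it to the examiner's local zone."""
    utc = datetime.datetime.fromtimestamp(seconds, tz=datetime.timezone.utc)
    return utc.strftime("%Y-%m-%d %H:%M:%S UTC")


def extract_file(fileobject, outfile, chunk_size=CHUNK_SIZE):
    """Copy a TSK file object to an open binary handle in fixed-size chunks,
    hashing as it goes. Stops on a short read (damaged or truncated file)
    instead of looping forever. Returns (bytes_written, sha256_hex)."""
    size = fileobject.info.meta.size
    digest = hashlib.sha256()
    offset = 0
    while offset < size:
        data = fileobject.read_random(offset, min(chunk_size, size - offset))
        if not data:
            break
        outfile.write(data)
        digest.update(data)
        offset += len(data)
    return offset, digest.hexdigest()


def extract_to_bytes(fileobject, chunk_size=CHUNK_SIZE):
    """Same as extract_file but into memory; returns (data, sha256_hex)."""
    buf = io.BytesIO()
    _, sha = extract_file(fileobject, buf, chunk_size)
    return buf.getvalue(), sha


class FakeTskFile:
    """Constructed stand-in for the parts of pytsk3.File the helpers touch."""

    def __init__(self, data, crtime=0):
        self._data = data
        self.reads = 0  # number of read_random calls, to observe chunking
        self.info = SimpleNamespace(
            meta=SimpleNamespace(size=len(data), crtime=crtime, addr=0))

    def read_random(self, offset, size):
        self.reads += 1
        return self._data[offset:offset + size]


if __name__ == "__main__":
    # With pytsk3 and the post's image you would instead write:
    #   img = pytsk3.Img_Info("Stage2.vhd")
    #   mft = pytsk3.FS_Info(img, offset=partition_offset_bytes(128)).open("/$MFT")
    #   with open("DFIRWizard-output", "wb") as out: print(extract_file(mft, out))
    sample = FakeTskFile(b"FILE0" * 1000, crtime=0)  # constructed sample data
    data, sha = extract_to_bytes(sample, chunk_size=1024)
    print(len(data), sample.reads, sha, epoch_to_utc(sample.info.meta.crtime))
```

The returned SHA-256 is computed from exactly the bytes written, so it can go straight into the extraction log beside the byte count.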
