Archive for category forensics

REMnux: Distro for Reversers

Lenny Zeltser, SANS Instructor, has released a customized distribution targeted at malware reverse engineers.  From the REMnux page:

REMnux is designed for running services that are useful to emulate within an isolated laboratory environment when performing behavioral malware analysis. As part of this process, the analyst typically infects another laboratory system with the malware sample and directs potentially-malicious connections to the REMnux system that’s listening on the appropriate ports.

REMnux is also useful for analyzing web-based malware, such as malicious JavaScript, Java programs, and Flash files. It also has tools for analyzing malicious documents, such as Microsoft Office and Adobe PDF files, and utilities for reversing malware through memory forensics. In these cases, malware may be loaded onto REMnux and analyzed directly on the REMnux system without requiring other systems to be present in the lab.


win32 memory capture & analysis cheat sheet

A high level overview to perform live memory captures and analysis:

  1. capture memory via MoonSols' win32dd
  2. parse the memory snapshot with Mandiant's Memoryze
  3. analyze the results via Audit Viewer
  4. or analyze using the Volatility framework — neatly packaged in the SANS SIFT Workstation


(Tool) FireShark: Aid for web incident response

The tool of the day is FireShark, a free web analysis tool.  This is great to have in your toolbox for IR.  FireShark will generate a mind map of a given webpage — think of it as a graphical version of what NoScript shows you, e.g. the map for Amazon.com would show quantcast.com, google-analytics.com, facebook.com, and twitter.com connected to it because the page loads JavaScript and/or images from those domains.  The tool consists of a Firefox plugin with some additional Perl scripts.

Now, if the authors would add geolocation to the maps, we could quickly see if a site is pulling content from a server in Russia or China, which could be an obvious sign of infection...
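To show the kind of map FireShark builds, here is an added example (not FireShark's own code) that walks a page's script, image, iframe and stylesheet tags and records every host other than the page's own; the HTML is a constructed sample, and subdomains count as separate nodes just as they would in the map.

```python
from collections import defaultdict
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page (not real Amazon markup): first-party assets plus the kind of
# third-party script, pixel and widget loads that FireShark would draw as connected nodes.
SAMPLE_HTML = """<html><head>
<script src="https://www.google-analytics.com/ga.js"></script>
<script src="//connect.facebook.net/en_US/all.js"></script>
<script src="/static/site.js"></script>
<link rel="stylesheet" href="https://cdn.example-shop.com/style.css">
</head><body>
<img src="https://pixel.quantserve.com/pixel/p-abc.gif" width="1" height="1">
<img src="/images/logo.png">
<iframe src="https://platform.twitter.com/widgets/follow_button.html"></iframe>
</body></html>"""

class ThirdPartyMapper(HTMLParser):
    """Record every host, other than the page's own, that a tag pulls content from."""
    TAG_ATTRS = {"script": "src", "img": "src", "iframe": "src", "link": "href"}

    def __init__(self, page_url):
        super().__init__()
        self.page_host = urlparse(page_url).hostname
        self.hosts = defaultdict(set)          # host -> kinds of content loaded from it

    def handle_starttag(self, tag, attrs):
        attr = self.TAG_ATTRS.get(tag)
        value = dict(attrs).get(attr) if attr else None
        if not value:
            return
        if value.startswith("//"):             # protocol-relative: add a scheme so the host parses
            value = "https:" + value
        host = urlparse(value).hostname        # relative paths yield None and are first-party
        if host and host != self.page_host:
            self.hosts[host].add(tag)

def third_party_map(page_url, html):
    """Return {host: sorted tag kinds} for hosts other than the page's own."""
    mapper = ThirdPartyMapper(page_url)
    mapper.feed(html)
    return {h: sorted(kinds) for h, kinds in mapper.hosts.items()}

if __name__ == "__main__":
    for host, kinds in sorted(third_party_map("https://www.example-shop.com/", SAMPLE_HTML).items()):
        print(f"{host:32} {', '.join(kinds)}")
```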


Forensics on Amazon’s Kindle

I recently stumbled upon two great blog posts regarding Kindle forensics.  Eric Huber's 'A Fistful of Dongles' blog has some interesting initial analysis on imaging the Kindle and the key artifacts to zero in on.

Part 1: A Cursory Look at Kindle Forensics

Part 2: Additional Thoughts on Kindle Forensics

Some interesting data Eric discovered:

  • last book read w/ timestamp
  • position in the book
  • books loaded on device
  • strings user has searched for
  • *Remember: since the Kindle has 3G connectivity, you may want to use a Faraday bag


Analyzing Malicious PDF Documents

So you want to get your feet wet?

  1. Grab Didier Stevens' tools here: http://blog.didierstevens.com/programs/pdf-tools/
  2. Grab malicious PDF samples here: http://www.malwaredomainlist.com/mdl.php?search=pdf+exploit&colsearch=All&quantity=50 *Be careful, these are live samples!
  3. Video tutorial: Didier on analyzing a PDF document: http://www.youtube.com/v/tHVi2wKCkTc
  4. You're going to run into some heavily obfuscated JavaScript.  Read this article: http://isc.sans.org/diary.html?storyid=2358
  5. Other deobfuscation tools: Malzilla, SpiderMonkey (you need to handle document.write yourself), debugging via Rhino, a Firefox add-on (haven't tried this one)
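Before reaching for the tools above it helps to understand what a first-pass triage actually looks for. The following is an added example, not one of Didier Stevens' tools: it counts the PDF name objects that usually matter (/OpenAction, /AA, /JavaScript, /JS, /Launch and so on) after resolving the #xx hex escapes that obfuscated samples use to hide them, and tallies obj/stream tokens so mismatches stand out. The PDF bytes are a constructed sample, not a real malicious file.

```python
import re
from collections import Counter

# Constructed sample (not a real malicious file): a minimal PDF whose catalog and page
# both trigger an action object, with /JavaScript written as /#4AavaScript (#4A = 'J'),
# the kind of name escaping used to dodge naive keyword greps.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /AA << /O 4 0 R >> >> endobj\n"
    b"4 0 obj << /S /#4AavaScript /JS (app.alert('constructed sample')) >> endobj\n"
    b"5 0 obj << /Length 12 >> stream\nhello world\n\nendstream endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

# Names worth a closer look: automatic actions, scripting, launching programs, embedded payloads.
SUSPICIOUS = {b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch",
              b"/EmbeddedFile", b"/RichMedia", b"/ObjStm"}
NAME_RE = re.compile(rb"/[^\s/<>\[\]()]+")        # a name token runs to the next delimiter
HEX_ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")  # #xx inside a name encodes one byte
STRUCT_RE = {k: re.compile(rb"(?<![A-Za-z])" + k + rb"(?![A-Za-z])")
             for k in (b"obj", b"endobj", b"stream", b"endstream")}

def normalize_name(raw):
    """Resolve #xx escapes so /#4AavaScript and /JavaScript compare equal."""
    return HEX_ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw)

def scan_pdf(data):
    """Return (suspicious keyword counts, number of escaped names, structural token counts)."""
    keywords = Counter()
    escaped = 0
    for m in NAME_RE.finditer(data):
        name = normalize_name(m.group(0))
        if name != m.group(0):
            escaped += 1
        if name in SUSPICIOUS:
            keywords[name.decode()] += 1
    structure = {k.decode(): len(r.findall(data)) for k, r in STRUCT_RE.items()}
    return keywords, escaped, structure

if __name__ == "__main__":
    kw, esc, st = scan_pdf(SAMPLE_PDF)
    print("keywords:", dict(kw))
    print("escaped names:", esc)      # a non-zero count is itself a red flag
    print("structure:", st)           # obj/endobj or stream/endstream mismatches hint at damage
```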


GPS Forensics & Google Earth

I previously wrote about online GPS forensic references and wanted to put them to use.  I had a suspicion that my girlfriend had been seeing another man.  When she was at work I grabbed her GPS (Garmin Nuvi 205) and connected it via USB (don't forget a write blocker).  For Garmin models, the file you want to look for is "Current.gpx".

Once I copied Current.gpx, I installed Google Earth.  Earth actually imports several different GPS data/location file formats.  Earth parsed all the recent destinations entered into the GPS and loaded them as waypoints.  It makes it very convenient to find out where someone has been, where they might live (home location), etc.  Think about all the applications, e.g. rental car GPS units.

***If you don't want to use Earth you can open the .gpx file in a text editor (it's simple XML).  You'll be looking at latitude/longitude coordinates that you can plot yourself.

Windows Anti Forensics Tip of the Day…

I previously wrote about how to have your system automatically clear the pagefile before a reboot or shutdown.  There are a couple of other steps I recommend you take on your system...

Automatically permanently delete (NukeOnDelete) - Normally Delete sends files to the Recycle Bin and Shift+Delete permanently deletes them.  With the registry tweak below, a normal Delete will also behave as a permanent delete. ***Note: a "permanent" delete does not mean the file's data is gone.  It only frees up the file record and clusters so they _could_ be overwritten.

  1. Go to Start -> Run and type Regedit
  2. In the left pane, expand the "+" nodes to navigate to the following key:
  3. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket
  4. In the right pane look for NukeOnDelete
  5. Right-click it and set the value of NukeOnDelete to 1

Scheduled Task to Zero out unused disk space – As I mentioned above, deleting a file only ensures that there is a _chance_ the file will be overwritten.  If you run the command below it will zero out all unused disk space, which _should_ be good enough to prevent recovery of the file contents. ***Note: The deleted file's name will still be lying around until a new file happens to overwrite it.

>cipher /W:[directory_to_wipe]

Here’s my scheduled task: C:\WINDOWS\system32\cmd.exe /c cipher /W:C:\

Scheduled Task to Delete Recent Items – Even if you permanently delete a file and/or use Eraser, there's a copy of the filename in your Recent directory.  I have the following scheduled task commands which clear my Recent items once a day...

Task for Recent Items:

>C:\WINDOWS\system32\cmd.exe /c del "c:\documents and settings\[username]\recent\*.lnk"

Task for Recent Office Items:

>C:\WINDOWS\system32\cmd.exe /c del /Q "C:\Documents and Settings\[username]\Application Data\Microsoft\Office\Recent\*.*"

Eraser - I highly recommend this great freeware utility.  One of the many things it does is add a new option to your context menu to permanently delete a file and zero out its contents at the same time.

GPS Forensics

There’s a new GPS forensics community starting up here: http://www.gpsforensics.org/  Some additional information can be found here: http://www.forensicswiki.org/wiki/GPS

I'm going to examine my Garmin 200W this evening.  It looks like a simple text editor will reveal raw trip data including waypoints, date & time stamps, latitude & longitude coordinates and elevations.
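Since both this post and the Current.gpx post above come down to reading that XML by hand, here is an added example (not Garmin's or Google Earth's code) that pulls the saved waypoints and recorded track points, with timestamps and elevations, out of a GPX 1.1 file. It assumes the device writes standard GPX 1.1 (the default namespace shown below) and uses a constructed sample rather than a real Current.gpx.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed sample in GPX 1.1 layout (not a real Current.gpx from any device):
# one saved waypoint and one recorded track with two timestamped points.
SAMPLE_GPX = """<gpx version="1.1" creator="constructed-sample" xmlns="http://www.topografix.com/GPX/1/1">
  <wpt lat="40.689247" lon="-74.044502">
    <ele>10.0</ele><time>2010-05-01T08:15:00Z</time><name>Home</name>
  </wpt>
  <trk><name>Morning drive</name><trkseg>
    <trkpt lat="40.748817" lon="-73.985428"><ele>12.5</ele><time>2010-05-01T09:00:00Z</time></trkpt>
    <trkpt lat="40.758896" lon="-73.985130"><ele>14.0</ele><time>2010-05-01T09:12:30Z</time></trkpt>
  </trkseg></trk>
</gpx>"""

NS = {"gpx": "http://www.topografix.com/GPX/1/1"}   # GPX files use a default namespace

def _point(el, kind):
    """Turn a <wpt> or <trkpt> element into a dict; ele, time and name are optional in GPX."""
    def text(tag):
        child = el.find(f"gpx:{tag}", NS)
        return child.text.strip() if child is not None and child.text else None
    ele, ts = text("ele"), text("time")
    return {
        "kind": kind,
        "lat": float(el.get("lat")),
        "lon": float(el.get("lon")),
        "ele": float(ele) if ele else None,
        # GPX timestamps are UTC ('Z'); keep them tz-aware so they line up with other evidence
        "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc) if ts else None,
        "name": text("name"),
    }

def parse_gpx(xml_text):
    """Return saved waypoints followed by every track point, in document order."""
    root = ET.fromstring(xml_text)
    points = [_point(w, "waypoint") for w in root.findall("gpx:wpt", NS)]
    points += [_point(p, "trackpoint") for p in root.iterfind(".//gpx:trkpt", NS)]
    return points

if __name__ == "__main__":
    for p in parse_gpx(SAMPLE_GPX):
        when = p["time"].isoformat() if p["time"] else "no timestamp"
        print(f"{p['kind']:10} {p['lat']:.6f}, {p['lon']:.6f}  ele={p['ele']}  {when}  {p['name'] or ''}")
```

The same dicts can be fed straight into Google Earth's KML or any plotting library; the point is that every fix carries its own UTC timestamp.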

Adobe Flash control panel

I previously wrote about Flash cookies, which many folks are not aware of.  Well, I've just stumbled across a great article which describes how to manage your Flash cookies and other settings.  The "control panel" is located on Adobe's website: Flash control panel.

If you navigate to the Global Storage Settings tab you can disable “Allow third-party Flash content…”

You can read the article here.

Update: There’s a forensic goldmine in C:\Documents and Settings\[username]\Application Data\Adobe\Flash Player\#SharedObjects\

Penetration Testing & Capture the Flag

Penetration Testing

Nowadays penetration testing is where it's at.  Whether you're trying to learn security, become a white hat, or go into consulting, it's a must-have skill.  However, it can be intimidating to know where to start.  Besides picking up books, the next best way to learn is through capture the flag events.

Important truths about pen testing

Capture the Flag

Computer/hacking capture the flag events are usually team-based, timed events where you're pitted against several opponents and trying to earn the highest score.  Points are awarded for both offensive and defensive maneuvers.  Typically each team has a virtual machine they need to defend while trying to exploit vulnerabilities in the other teams' VMs.

The best place to find one in your area (besides attending a con) is your local 2600 chapter.  If they don’t hold CTFs then try a local information security club.  If you live in the mountains and can’t find either you can use Hack This Site which runs virtual CTF events 24/7.

Remember, hacker (white hat) and cracker (black hat).