REMnux is designed for running services that are useful to emulate within an isolated laboratory environment when performing behavioral malware analysis. As part of this process, the analyst typically infects another laboratory system with the malware sample and directs potentially-malicious connections to the REMnux system that’s listening on the appropriate ports.

REMnux is also useful for analyzing web-based malware, such as malicious JavaScript, Java programs, and Flash files. It also has tools for analyzing malicious documents, such as Microsoft Office and Adobe PDF files, and utilities for reversing malware through memory forensics. In these cases, malware may be loaded onto REMnux and analyzed directly on the REMnux system without requiring other systems to be present in the lab.

1. capture memory via moonsol’s win32dd
2. parse memory snapshot with mandiant’s memoryze
3. analyze results via audit viewer
4. or analyze using the volatility framework — neatly packaged in SAN’S Sift Workstation

Now, if the authors would add geolocation to the maps we could quickly see if a site is pulling from a server in Russia or China would could be an obvious sign of infection….

Part 1: A Cursory Look at Kindle Forensics

Part 2: Additional Thoughts on Kindle Forensics

Some interesting data Eric discovered:

• last book read w/ timestamp
• position in the book
• books loaded on device
• strings user has searched for
• *Remember with Kindle’s 3G ability you may want to use a Faraday bag

1. Grab Didier Stevens tools here: http://blog.didierstevens.com/programs/pdf-tools/
2. Grab malicious PDF samples here: http://www.malwaredomainlist.com/mdl.php?search=pdf+exploit&colsearch=All&quantity=50 *Be careful, these are live samples!
3. Video Tutorial: Didier on analyzing a PDF Document: http://www.youtube.com/v/tHVi2wKCkTc
4. You’re going to run into some heavily obfuscated JavaScript.  Read this article: http://isc.sans.org/diary.html?storyid=2358
5. Other deobfuscation tools: Malzilla, SpiderMonkey (need to handle document.write), debug via Rhino, Firefox add-on (haven’t tried this one)

Once I copied Current.gpx, I installed Google Earth.  Earth actually imports several different GPS data/location files. Earth parsed all the recent destinations entered into the GPS and loads them as waypoints.  It makes it very convenient to find out where someone has been, where they might live (home location), etc.  Think about all the applications i.e. rental car GPS units.

***If you don’t want to use Earth you can open the gpx file in a text editor (simple XML).  You’ll be looking at lat/longitude coordinates that you can plot yourself.

Automatically permanently delete (Nuke on Delete)- Normally Delete sends files to the Recycle Bin and a Shift+Delete will permanently delete them.  With the registry tweak below the normal Delete will also behave as a permanent delete. ***Note: Delete does not mean a file is deleted.  It only frees up the file record and clusters so they _could_ be overwritten.

1. Go to Start -> Run and type Regedit
2. On the left hand side select the “+” to navigate to the following.
3. HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ Explorer \ BitBucket
4. On the right look for NukeOnDelete
5. Right click it and set the key value for NukeOnDelete to 1

Scheduled Task to Zero out unused disk space – As I mentioned above a deleted file only insures that there is a _chance_ the file will be overwritten.  If you run the below command it will zero out all unused disk space which _should_ be good enough to prevent file content recovery. ***Note: The deleted file name will still be lying around until a new file happens to overwrite it.

>cipher /W:[directory_to_wipe]

Here’s my scheduled task: C:\WINDOWS\system32\cmd.exe /c cipher /W:C:\

Scheduled Task to Delete Recent Items – Even if you permanently delete a file and or use Eraser there’s a copy of the filename in your Recent directory.  I have the following scheduled task command which clears my Recent items once a day….

Task for Recent Items:

>C:\WINDOWS\system32\cmd.exe /c del “c:\documents and settings\[username]\recent\*.lnk”

Task for Recent Office Items:

>C:\WINDOWS\system32\cmd.exe /c del /Q “C:\Documents and Settings\[username]\Application Data\Microsoft\Office\Recent\*.*”

Eraser - I highly recommend using this great freeware utility.  One of many things it does is adds a new option in your content menu to permanently delete a file and zero out the contents all at the same time.

I’m going to examine my Garmin 200W this evening.  It looks like a simple text editor will reveal raw trip data including waypoints, date & time stamps, latitude & longitude coordinates and elevations.

If you navigate to the Global Storage Settings tab you can disable “Allow third-party Flash content…”

You can read the article here.

—

Update: There’s a forensic goldmine in C:\Documents and Settings\[username]\Application Data\Adobe\Flash Player\#SharedObjects\

Nowadays penetration testing is where it’s at.  Whether trying to learn security, becoming a white hat, or consulting it’s a must have skill.  However, it can be intimidating on where to start.  Besides picking up books the next best way to learn is through capture the flag events.

Important truths about pen testing

Capture the Flag

Computer/hacking capture the flag events are usually team based timed events where you’re pitted against several opponents and trying to earn the highest score.  Points are awarded for both offensive and defensive maneuvers.  Typically each team will have a virtual machine they need to defend while trying to exploit vulnerabilities in other team’s VM.

The best place to find one in your area (besides attending a con) is your local 2600 chapter.  If they don’t hold CTFs then try a local information security club.  If you live in the mountains and can’t find either you can use Hack This Site which runs virtual CTF events 24/7.

Remember, hacker (white hat) and cracker (black hat).