
Forensics


Introduction to Penetration Testing – Part 2 – The Discovery Phase – Passive Reconnaissance « Forensic Focus – Articles

An Introduction to Penetration Testing – Part 1 « Forensic Focus – Articles

In an earlier article, many moons ago (Sorry Jamie!), An Introduction to Penetration Testing – Part 1, I stated my opinion that Forensics and Security were opposite sides of the same coin. I’ve felt very strongly that my skills as a Security Consultant have only been strengthened and expanded by the experiences I’ve gained with Forensics, both as part of the Forensic Focus community (again, apologies for my absence) and as part of my MSc (an ongoing epic spanning two Universities and many years).

There is a particular area of Security work that I think mirrors the skill set of Forensics more closely than others – and that is Penetration Testing. PenTest is probably the most bleeding-edge, exciting and intellectually challenging thing in the InfoSec field – no matter how much I try, I struggle to get as excited about writing an “Acceptable Use Policy” as I do when given free rein to attempt a “capture the flag” task on a corporate network.

Meet The Hackers Who Sell Spies The Tools To Crack Your PC (And Get Paid Six-Figure Fees)

Using Image Offsets

Hal Pomeranz, Deer Run Associates. One of the basic techniques we teach in SANS Forensic classes is "carving" out partition images from complete raw disk images. All it takes is a little facility with mmls and dd. Here's a quick example of carving an NTFS partition out of a disk image to show you what I mean:

$ mmls -t dos drive-image.dd
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

The bs=, skip=, and count= values are taken directly from the mmls output. Mostly we teach partition carving to get students up to speed with reading partition tables and manipulating various options of the dd command.

Herding Cats: Windows Object Access Analysis on a Budget

I recently had to deal with a lot of archived Windows Security Logs (evtx files) spanning a fairly lengthy period of time.
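Returning to the Using Image Offsets entry above: the following is an added example, not Hal Pomeranz's code or his mmls output. It reads the DOS (MBR) partition table that mmls -t dos reports, derives the bs=/skip=/count= values for dd the way the article describes, and then carves the partition in memory to confirm an NTFS boot sector sits at the partition start. The disk image is constructed (one type 0x07 partition at LBA 2048, 2000 sectors long), and the file names drive-image.dd and partition.dd are placeholders.

```python
"""Added example, not Hal Pomeranz's code: read the DOS (MBR) partition table
that mmls -t dos reports, derive the dd bs=/skip=/count= line, and carve the
partition in memory to check for an NTFS boot sector.  The disk image below is
CONSTRUCTED (one NTFS-type partition at LBA 2048, 2000 sectors); the file names
drive-image.dd and partition.dd are placeholders."""
import struct

SECTOR = 512                 # mmls: "Units are in 512-byte sectors"
MBR_ENTRY = "<B3sB3sII"      # status, CHS start, type, CHS end, LBA start, LBA count
NTFS_OEM_ID = b"NTFS    "    # bytes 3..10 of an NTFS boot sector


def build_test_image(start_lba=2048, count=2000, total_sectors=4096):
    """CONSTRUCTED 2 MiB raw image: MBR with one partition entry of type 0x07 (NTFS)."""
    img = bytearray(total_sectors * SECTOR)
    img[446:462] = struct.pack(MBR_ENTRY, 0x00, b"\0\0\0", 0x07, b"\0\0\0", start_lba, count)
    img[510:512] = b"\x55\xAA"                     # MBR signature
    boot = bytearray(SECTOR)                       # minimal NTFS-looking boot sector
    boot[0:3] = b"\xEB\x52\x90"                    # jump instruction
    boot[3:11] = NTFS_OEM_ID
    boot[510:512] = b"\x55\xAA"
    off = start_lba * SECTOR
    img[off:off + SECTOR] = boot
    return bytes(img)


def parse_mbr(img):
    """Primary partition entries as mmls -t dos lists them (Start/End/Length in sectors).
    Extended partitions are not followed here; mmls does that for you."""
    if img[510:512] != b"\x55\xAA":
        raise ValueError("no 0x55AA MBR signature")
    parts = []
    for slot in range(4):
        raw = img[446 + 16 * slot: 462 + 16 * slot]
        _status, _chs0, ptype, _chs1, start, count = struct.unpack(MBR_ENTRY, raw)
        if ptype == 0 or count == 0:               # empty slot
            continue
        parts.append({"slot": slot, "type": ptype, "start": start,
                      "length": count, "end": start + count - 1})
    return parts


def dd_command(part, image="drive-image.dd", out="partition.dd"):
    """The dd line the article builds from mmls output: bs=512, skip=Start, count=Length."""
    return f"dd if={image} of={out} bs={SECTOR} skip={part['start']} count={part['length']}"


def carve(img, part):
    """In-memory equivalent of that dd command."""
    begin = part["start"] * SECTOR
    return img[begin: begin + part["length"] * SECTOR]


def looks_like_ntfs(data):
    """Check the carve landed on an NTFS boot sector: OEM ID at offset 3, 0x55AA at 510."""
    return data[3:11] == NTFS_OEM_ID and data[510:512] == b"\x55\xAA"


if __name__ == "__main__":
    image = build_test_image()
    for p in parse_mbr(image):
        print(f"slot {p['slot']:03d}: type 0x{p['type']:02x} start {p['start']} "
              f"end {p['end']} length {p['length']}")
        print("  ", dd_command(p))
        print("   NTFS boot sector at partition start:", looks_like_ntfs(carve(image, p)))
```

The OEM ID check is the kind of sanity test worth running after any carve: if skip= was read from the wrong column (End instead of Start, or an entry in a different unit) the carved data will not begin with a boot sector, and the mistake shows up before any filesystem tool is pointed at the output.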

The evtx binary format was introduced with Windows Vista and can be found on all modern versions of Windows. The author of EVTX Parser has posted his work on documenting the evtx file structure here and has created a utility called EVTX Parser that will parse evtx binaries and store them as XML. A good overview of his research and tool is posted in a slide deck from the SANS Forensic Summit in 2010. There are a few additional free tools available to search and filter Windows event logs if you don't have a log management product. While the Windows event log supports the import of multiple evtx files, I can tell you through experience that the MMC will puke if you feed it a large number of files. Microsoft provides a decent spreadsheet on Windows Security Event IDs and some documentation on the schema of events.

Another alternative is Windows PowerShell.

Associative Word List Generator

WhatWorks Summit Series Webcast: Digital Forensic Challenges: A Law Enforcement Perspective

Project_Overview

The CFReDS Project

Deeptoad - DeepToad is a library and a tool to clusterize similar files using fuzzy hashing.

Elie / OWADE

Welcome to the OWADE (Offline Windows Analyzer and Data Extractor) project. Introduction: OWADE was presented at Black Hat USA 2011. You can download the slides and the white paper from here. Team: The OWADE team is composed of Status Warning: While the OWADE DPAPI engine is stable, OWADE is in alpha and is only available by checking out the code directly, as we update it very frequently.

Intelligent Information Security

Redline, Mandiant’s premier free tool, provides host investigative capabilities to users to find signs of malicious activity through memory and file analysis, and the development of a threat assessment profile.

With Redline, users can:

Thoroughly audit and collect all running processes and drivers from memory, file system metadata, registry data, event logs, network information, services, tasks, and web history.

Analyze and view imported audit data, including narrowing and filtering results around a given timeframe using Redline’s Timeline functionality with the TimeWrinkle™ and TimeCrunch™ features.

Streamline memory analysis with a proven workflow for analyzing malware based on relative priority.

Identify processes more likely worth investigating based on the Redline Malware Risk Index (MRI) score.

Perform Indicator of Compromise (IOC) analysis.

Artifact Timeline Creation and Analysis - Tool Release: log2timeline

Using timeline analysis during investigations can be extremely useful, yet it sometimes misses important events that are stored inside files on the suspect system (log files, OS artifacts).

By solely depending on the traditional filesystem timeline you may miss some context that is necessary to get a complete picture of what really happened. So to get "the big picture", or a complete and accurate description, we need to dig deeper and incorporate information found inside artifacts or log files into our timeline analysis. These artifacts or log files could reside on the suspect system itself or on another device, such as a firewall or a proxy (or any other device that logs information that might be relevant to the investigation). Unfortunately there are few tools out there that can parse and produce body files from the various artifacts found on different operating systems to include with the traditional filesystem analysis.

VISTA and Windows 7 Shadow Volume Forensics

Shadow Copy Volume forensics will enable an investigator to examine data at many different time snapshots during a forensic examination.

While XP Restore Point snapshots only gather key files including the registry, the shadow copy volume will allow access to them all. Investigating shadow copy volumes in organizations might become a key investigative tool for both e-Discovery and traditional forensics. First off, hats off to Troy Larson, Senior Forensic Investigator from Microsoft, who just put this information out into the forensic community. In addition to his own research, Troy was able to query the Microsoft development team of the Volume Shadow Copy for additional capabilities. As a result, I have been a happy forensic investigator all day long playing with the capability.

Shadow Copy Volume Background

Windows

2011 Forensics Challenge

DFRWS 2011 Forensics Challenge: Given the variety and impending ubiquity of Android devices, along with the wide range of crimes that can involve these systems as a source of evidence, the DFRWS has created two scenarios for the forensics challenge in 2011.

Scenario 1: Suspicious Death. Donald Norby was found dead in his home with a single bullet to the head. It is unclear whether this is a suicide or homicide. The largest question revolves around the victim's potential connections to an organized criminal group called KRYPTIX. The device was acquired using what the agent considered to be industry best practices.

Mounting Images Using Alternate Superblocks (Follow-Up)

Note that the information in this article has been superseded by a new technique that leverages the EXT4 file system drivers.

If your analysis system supports EXT4 (and most Linux distros do at this point), then I recommend looking at this article for more details. Several months ago, I blogged about using alternate superblocks to fake out the ext3 drivers so you could mount file system images read-only, even if they needed journal recovery. However, due to recent changes in the ext file system driver, the method I describe in my posting is no longer sufficient.

IAEM

Data Recovery and Training

Credit Reporting Speech Material: SkyDogCon Credit Reporting Speech Files (Download Here). My Hard Drive Died's Newest Video Podcast #14 - Shmoocon 2011 - Spindle Replacement. The Shmoocon 2011 Slides and Animations: after you download the 65 MB file, unzip and open the .HTM and it will run the presentation.

Shmoocon 2011 slides: Download Slides. Shmoocon 2011 video: Click Here.

RegExtract v1.1.5

Downloads - Registry Browser

Freeware, Online tools, PHP scripts, Articles

Prototypes

Common Pitfalls of Forensic Processing of Blackberry Mobile Devices

By Eoghan Casey. Digital forensic investigators who are not properly trained will alter evidentiary media or will misinterpret important information, potentially damaging a case. Pitfalls that less experienced practitioners encounter when processing Blackberry devices are discussed below, with guidance on how to obtain the most useful information from these devices. We frequently encounter Blackberry devices in digital investigations that are not fully supported by commonly available forensic tools.

Live Marshal™ Digital Forensic Software

Facebook Chat Forensics

Background: Facebook has a built-in instant messaging facility which has grown in popularity along with the Facebook social networking site itself.

Many cases involve potential grooming offences in which the use of instant messaging needs to be investigated. The instant messaging facility creates a number of artefacts which are easily found and which I know have been commented on elsewhere. The purpose of this blog post is to suggest a methodology to automate the discovery and reporting of Facebook messages. For those who have not looked at this area in detail yet, messages are cached in small HTML files with a file name of the form P_xxxxxxxx.htm (or .txt). These messages can be found in browser cache, unallocated clusters, pagefiles, system restore points, the MFT as resident data and possibly other places.

Debii.curtin.edu.au/~pedram/images/docs/survey_of_steganography_and_steganalytic_tools.pdf

Audio steg: methods

In echo hiding, information is embedded in a sound file by introducing an echo into the discrete signal. Like the spread spectrum method, it provides advantages in that it allows for a high data transmission rate and provides superior robustness when compared to the noise-inducing methods. To hide the data successfully, three parameters of the echo are varied: amplitude, decay rate, and offset (delay time) from the original signal.
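An added illustration of those three parameters, not code from the surveyed tools or the article: each fixed-length segment of a constructed noise cover gets a two-tap echo, where the delay chosen (DELAY0 or DELAY1) encodes one bit, AMPLITUDE sets the first tap and DECAY the second, weaker tap at twice the delay. The detector compares the segment's autocorrelation at the two candidate delays; the echo raises it at its own delay and nowhere else. Real implementations decode via the cepstrum on PCM audio, so the autocorrelation detector, the constants and the uniform-noise cover are simplifications assumed here.

```python
"""Added example (not from the surveyed steganography tools): minimal echo hiding in
pure Python.  Each SEGMENT of cover samples carries one bit; the bit picks the echo
delay, AMPLITUDE and DECAY set the two echo taps.  Cover is CONSTRUCTED noise, and
the autocorrelation detector stands in for the cepstrum a real tool would use."""
import random

SEGMENT = 1024            # cover samples used per hidden bit
DELAY0, DELAY1 = 40, 70   # echo offsets (samples) that encode a 0 and a 1 bit
AMPLITUDE = 0.5           # amplitude of the first echo tap
DECAY = 0.3               # second tap at twice the delay, AMPLITUDE * DECAY strong


def make_cover(n_samples, seed=1):
    """CONSTRUCTED cover signal: uniform noise in [-1, 1] standing in for PCM audio."""
    rng = random.Random(seed)
    return [rng.uniform(-1.0, 1.0) for _ in range(n_samples)]


def to_bits(data):
    """bytes -> list of bits, MSB first."""
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]


def from_bits(bits):
    """list of bits (MSB first, multiple of 8) -> bytes."""
    return bytes(sum(b << (7 - i) for i, b in enumerate(bits[k:k + 8]))
                 for k in range(0, len(bits), 8))


def embed(cover, bits):
    """Add a decaying echo to each segment; the delay used carries the bit."""
    if len(bits) * SEGMENT > len(cover):
        raise ValueError("cover too short for payload")
    stego = list(cover)
    for i, bit in enumerate(bits):
        d = DELAY1 if bit else DELAY0
        start = i * SEGMENT
        for n in range(start + d, start + SEGMENT):
            stego[n] += AMPLITUDE * cover[n - d]            # first tap at offset d
            if n - 2 * d >= start:
                stego[n] += AMPLITUDE * DECAY * cover[n - 2 * d]   # decayed second tap
    return stego


def autocorr(seg, lag):
    """Unnormalised autocorrelation of one segment at a given lag."""
    return sum(seg[n] * seg[n - lag] for n in range(lag, len(seg)))


def extract(stego, n_bits):
    """Detector: the echo raises the segment's autocorrelation at its own delay,
    so whichever candidate delay scores higher is the embedded bit."""
    bits = []
    for i in range(n_bits):
        seg = stego[i * SEGMENT:(i + 1) * SEGMENT]
        bits.append(1 if autocorr(seg, DELAY1) > autocorr(seg, DELAY0) else 0)
    return bits


def roundtrip(message, seed=1):
    """Hide a message in a fresh constructed cover and recover it."""
    bits = to_bits(message)
    cover = make_cover(len(bits) * SEGMENT, seed)
    stego = embed(cover, bits)
    return from_bits(extract(stego, len(bits)))


if __name__ == "__main__":
    print(roundtrip(b"echo"))
```

The detector works here because the cover is white noise, whose autocorrelation is near zero at every non-zero lag; real audio is strongly self-correlated, which is why practical echo-hiding decoders look for the echo as a peak in the cepstrum rather than in the raw autocorrelation. Lowering AMPLITUDE or raising DECAY trades detectability of the echo by a listener against the decoder's margin, which is the tuning the text refers to.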

Spyhunter - Database Pen Testing

Hack in the box Magazine

Registry Virtualization

Registry virtualization is an application compatibility technology that enables registry write operations that have global impact to be redirected to per-user locations. This redirection is transparent to applications reading from or writing to the registry. It is supported starting with Windows Vista. This form of virtualization is an interim application compatibility technology; Microsoft intends to remove it from future versions of the Windows operating system as more applications are made compatible with Windows Vista and later versions of Windows. Therefore, it is important that your application does not become dependent on the behavior of registry virtualization in the system. Virtualization is intended only to provide compatibility for existing applications. For more information about building UAC-compliant applications, see the UAC Developer Guide.

Virtualization Overview: Prior to Windows Vista, applications were typically run by administrators.

Access Control: Understanding Windows File And Registry Permissions

Information Center - What's New - December 2010

Windows Forensic Environment: You can now download the WinFE WinBuilder.

[it]deft_manuale_full

Live View

E-Evidence Information Center - Home

Category:VM Detection Test Tools

Breaking Forensic Images Booted as a Virtual Machine

Requirements

BHUSA09-Silberman-MetasploitAutopsy-PAPER.pdf (application/pdf object)

DC-2010-Blunden-Uninvited-Guest-slides.pdf (application/pdf object)

Homepage

TrueCrypt Self-Bruteforce

Downloads - rapier - Project Hosting on Google Code

Network

Category "Vista event log" - Computer Forensic Blog

Quick Forensic Challenge