Tuesday, January 29, 2013

Forensic Challenges & Future Plans

Some time ago (back in distant 2012) an open challenge was posted on Twitter:

My response to this was posted on Dropbox. In upcoming posts I will cover some of the techniques used, and finally address some of the unanswered questions I left dangling in my analysis:

* Use of the ChopShop gh0st_decode module to extract the commands used (Appendix A) as well as the files themselves.
* Use of the mftparser plugin for Volatility to extract the .bat files from resident $DATA attributes found in RAM.
* Reconstruction of command line activity over a PsExec session from memory.
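As an added example of the technique behind the second bullet (this is not the author's plugin and not Volatility's mftparser itself): a small Python carver that scans a memory buffer for MFT record signatures, undoes the NTFS update-sequence fix-ups, walks the attribute list and pulls out the $FILE_NAME and any resident $DATA, which is where the content of a small .bat file actually lives. The record builder and the two sample records are constructed here so the script runs offline; on a real image you would also see torn pages (the fix-up check rejects them) and non-resident data runs, which this only flags rather than follows.

```python
"""Carve MFT records out of a raw memory buffer and recover resident $DATA."""
import re
import struct

MFT_RECORD_SIZE = 1024
SECTOR_SIZE = 512
ATTR_FILE_NAME = 0x30
ATTR_DATA = 0x80
ATTR_END = 0xFFFFFFFF


def apply_fixups(record: bytes) -> bytes:
    """Undo the NTFS fix-up: the last 2 bytes of each sector hold the USN; the
    bytes they overwrote are saved in the update sequence array (USA)."""
    usa_off, usa_count = struct.unpack_from("<HH", record, 0x04)
    rec = bytearray(record)
    usn = rec[usa_off:usa_off + 2]
    for i in range(1, usa_count):
        end = i * SECTOR_SIZE - 2
        if rec[end:end + 2] != usn:
            raise ValueError("fix-up mismatch: torn page or not an MFT record")
        rec[end:end + 2] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(rec)


def parse_record(record: bytes) -> dict:
    """Walk one MFT record's attributes; return its name and resident $DATA."""
    if record[:4] != b"FILE":
        raise ValueError("bad signature")
    record = apply_fixups(record)
    first_attr, flags = struct.unpack_from("<HH", record, 0x14)
    info = {"in_use": bool(flags & 1), "name": None, "data": None, "resident": None}
    off = first_attr
    while off + 16 <= len(record):
        atype, alen, nonres = struct.unpack_from("<IIB", record, off)
        if atype == ATTR_END or alen == 0:
            break
        if nonres == 0:
            clen, coff = struct.unpack_from("<IH", record, off + 0x10)
            content = record[off + coff:off + coff + clen]
            if atype == ATTR_FILE_NAME:
                name_len, namespace = content[0x40], content[0x41]
                if info["name"] is None or namespace != 2:  # prefer Win32 name over 8.3 alias
                    info["name"] = content[0x42:0x42 + 2 * name_len].decode("utf-16-le")
            elif atype == ATTR_DATA:
                info["data"], info["resident"] = content, True
        elif atype == ATTR_DATA:
            info["resident"] = False  # content lives in clusters, not in the record
        off += alen
    return info


def carve_resident_files(memory: bytes, suffix: str = ".bat") -> list:
    """Scan for 'FILE0' signatures; return (offset, name, content) for every
    resident file whose name ends with `suffix`."""
    hits = []
    for m in re.finditer(rb"FILE0", memory):
        rec = memory[m.start():m.start() + MFT_RECORD_SIZE]
        if len(rec) < MFT_RECORD_SIZE:
            continue
        try:
            info = parse_record(rec)
        except ValueError:
            continue
        if info["resident"] and info["name"] and info["name"].lower().endswith(suffix):
            hits.append((m.start(), info["name"], info["data"]))
    return hits


# --- constructed sample data (not taken from any real image) -------------------
SAMPLE_BAT = b"@echo off\r\necho maintenance run >> C:\\log.txt\r\n"


def _attr(atype: int, content: bytes) -> bytes:
    """Resident attribute: 24-byte header + content, padded to 8 bytes."""
    total = (0x18 + len(content) + 7) & ~7
    hdr = struct.pack("<IIBBHHH", atype, total, 0, 0, 0x18, 0, 0)
    hdr += struct.pack("<IHBB", len(content), 0x18, 0, 0)
    return hdr + content + b"\x00" * (total - 0x18 - len(content))


def _file_name(name: str) -> bytes:
    """$FILE_NAME body: parent ref, 4 timestamps, sizes, flags, then the name."""
    body = struct.pack("<Q", 5) + b"\x00" * 32 + struct.pack("<QQII", 0, 0, 0x20, 0)
    return body + struct.pack("<BB", len(name), 1) + name.encode("utf-16-le")


def build_mft_record(name: str, data: bytes, number: int) -> bytes:
    """One in-use MFT record with fix-ups applied, as it sits on disk or in RAM."""
    attrs = _attr(ATTR_FILE_NAME, _file_name(name)) + _attr(ATTR_DATA, data)
    attrs += struct.pack("<I", ATTR_END) + b"\x00" * 4
    hdr = b"FILE" + struct.pack("<HHQHHHHIIQHHI", 0x30, 3, 0, 1, 1, 0x38, 1,
                                0x38 + len(attrs), MFT_RECORD_SIZE, 0, 3, 0, number)
    usa = b"\x01\x00" + b"\x00\x00" * 2  # USN=1, saved bytes of both sector ends
    rec = bytearray((hdr + usa).ljust(0x38, b"\x00") + attrs)
    rec += b"\x00" * (MFT_RECORD_SIZE - len(rec))
    rec[510:512] = rec[1022:1024] = usa[:2]  # stamp the USN into each sector end
    return bytes(rec)


def build_sample_memory() -> bytes:
    """Two records embedded in filler, as they might appear in a memory image."""
    return (b"\xaa" * 300 + build_mft_record("cleanup.bat", SAMPLE_BAT, 77)
            + b"\x55" * 1000 + build_mft_record("notes.txt", b"nothing here", 78)
            + b"\xaa" * 200)


if __name__ == "__main__":
    for offset, name, data in carve_resident_files(build_sample_memory()):
        print(f"0x{offset:x} {name}: {data!r}")
```

The fix-up step is the part most often skipped in quick carvers, and skipping it silently corrupts two bytes per sector of whatever attribute happens to straddle a sector boundary; checking the USN also gives a cheap way to discard torn or partially overwritten pages instead of trusting them.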

One other thing that proved useful in this exercise was accurately reconstructing the IP addresses in use on the device being examined. For this I wrote a Volatility plugin to do just that.

You can download the alpha release from Dropbox. In a future post I will deconstruct how it works and ways to extend it.

The report, plugin, and other bits and pieces are now on my GitHub repo.


Blog Reboot

Well, after putting it off for years I have finally decided to relaunch this blog, hopefully with more content than one now-deleted post and a "welcome" posting :)
