Tuesday, January 29, 2013

Forensic Challenges & Future Plans

Some time ago (back in distant 2012) an open challenge was posted on twitter:


My response to this was posted on Dropbox. In upcoming posts I will cover some of the techniques used, as well as finally address some of the unanswered questions I left dangling in my analysis:

* Use of the ChopShop gh0st_decode module to extract the commands used (Appendix A) as well as the files themselves.
* Use of the mftparser command for Volatility to extract the .bat files from the $DATA segments in RAM.
* Reconstruction of command-line activity over a PsExec session from memory.

Another useful outcome of this exercise was accurately reconstructing the IP addresses in use on the device being examined. For this I wrote a Volatility plugin that does exactly that.

You can download the alpha release from Dropbox. In a future post I will deconstruct how it works and how it can be extended.

UPDATE:
The report, plugin, and other bits and pieces are now on my GitHub repo.

-B

Blog Reboot

Well, after putting it off for years I have finally decided to re-launch this blog. Hopefully with more content than one (now deleted) post and a "welcome" posting :)

-B