Please RT. Got #DFIR SKILLZ? Want #DFIR SKILLZ? Check out my latest challenge. docs.google.com/file/d/0B_xsNY…
— Jack Crook (@jackcr) November 28, 2012
My response to this was posted on Dropbox. In upcoming posts I will be covering some of the techniques used, as well as finally addressing some of the unanswered questions I left dangling in my analysis:
* Use of the ChopShop gh0st_decode module to extract the commands used (Appendix A) as well as the files themselves.
* Use of the mftparser command for Volatility to extract the bat files from the $DATA segments in RAM.
* Reconstruction of command line activity over a PSEXEC session from memory.
One other thing that proved useful in this exercise was accurately reconstructing the IP addresses in use on the device being examined; I wrote a Volatility plugin to do just that.
You can download the alpha release from Dropbox. In a future post I will deconstruct how it works and ways to extend it.
UPDATE:
The report, plugin, and other bits and pieces are now on my GitHub repo.
-B