Adric Net adricnet
Keybase proof

I hereby claim:

  • I am adricnet on github.
  • I am adricnet (https://keybase.io/adricnet) on keybase.
  • I have a public key whose fingerprint is 9A4E C324 6D9C 6C83 0C4F 4518 4BA8 924C 0A5A 2903

To claim this, I am signing this object:

@adricnet
adricnet / gist:d865082f4ef0407d8636
Created October 16, 2015 00:54
something harshing pmem static build
```
make all-am
make[1]: Entering directory `/home/wdcforensics/rekall/tools/pmem'
/bin/bash ./libtool --tag=CXX --mode=link g++ -std=c++11 -g -Wall -O0 -g -O2 -all-static -o linpmem linpmem-pmem_imager.o linpmem-linux_pmem.o -laff4 -lglog -lglog
libtool: link: g++ -std=c++11 -g -Wall -O0 -g -O2 -static -o linpmem linpmem-pmem_imager.o linpmem-linux_pmem.o -laff4 -lglog
//usr/local/lib/libaff4.a(data_store.o): In function `RaptorParser::NewRaptorParser(DataStore*)':
/home/wdcforensics/aff4/src/data_store.cc:263: undefined reference to `raptor_new_world_internal'
/home/wdcforensics/aff4/src/data_store.cc:265: undefined reference to `raptor_new_parser'
/home/wdcforensics/aff4/src/data_store.cc:268: undefined reference to `raptor_parser_set_statement_handler'
/home/wdcforensics/aff4/src/data_store.cc:271: undefined reference to `raptor_parser_set_option'
/home/wdcforensics/aff4/src/data_store.cc:274: undefined reference to `raptor_new_uri'
```
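The undefined `raptor_*` references mean the link line is missing a library that `libaff4.a` itself calls. With `-all-static` the linker consumes `.a` archives, and unlike shared libraries an archive records nothing about its own dependencies, so every transitive dependency has to be named explicitly after the archive that needs it. The following Python snippet is an added example, not code from the gist or from the rekall/aff4 projects: it parses the ld output above and, from an assumed symbol-prefix table, reports which archive needs which `-l` flag. The prefix table and the link name `raptor2` for the raptor RDF library are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: the tail of the ld output from the failed `make all-am`
# above, copied as-is. Not a new capture.
LINKER_LOG = """\
//usr/local/lib/libaff4.a(data_store.o): In function `RaptorParser::NewRaptorParser(DataStore*)':
/home/wdcforensics/aff4/src/data_store.cc:263: undefined reference to `raptor_new_world_internal'
/home/wdcforensics/aff4/src/data_store.cc:265: undefined reference to `raptor_new_parser'
/home/wdcforensics/aff4/src/data_store.cc:268: undefined reference to `raptor_parser_set_statement_handler'
/home/wdcforensics/aff4/src/data_store.cc:271: undefined reference to `raptor_parser_set_option'
/home/wdcforensics/aff4/src/data_store.cc:274: undefined reference to `raptor_new_uri'
"""

# ld prints "archive(member): In function `f':" once, then one
# "undefined reference" line per unresolved symbol inside that function.
IN_FUNCTION_RE = re.compile(
    r"^(?P<archive>\S+?)(?:\((?P<member>[^)]+)\))?: In function `(?P<func>.*)':$")
UNDEF_RE = re.compile(r"undefined reference to `(?P<sym>[^']+)'")

# Assumed symbol-prefix -> link-name table (an assumption; extend as needed).
PREFIX_TO_LIB = {"raptor_": "raptor2"}


def missing_by_archive(log):
    """Map each archive/object ld complained about to the sorted list of
    undefined symbols referenced from it."""
    current = None
    found = defaultdict(set)
    for line in log.splitlines():
        m = IN_FUNCTION_RE.match(line)
        if m:
            current = m.group("archive")
            continue
        m = UNDEF_RE.search(line)
        if m and current is not None:
            found[current].add(m.group("sym"))
    return {archive: sorted(syms) for archive, syms in found.items()}


def suggest_link_flags(missing, table=PREFIX_TO_LIB):
    """For each archive, guess the -l flags that must follow it on the link
    line; symbols with no known prefix are returned separately so they are
    not silently dropped."""
    flags, unknown = {}, {}
    for archive, syms in missing.items():
        libs = set()
        for sym in syms:
            lib = next((name for prefix, name in table.items()
                        if sym.startswith(prefix)), None)
            if lib is None:
                unknown.setdefault(archive, []).append(sym)
            else:
                libs.add(lib)
        flags[archive] = sorted("-l" + lib for lib in libs)
    return flags, unknown


if __name__ == "__main__":
    missing = missing_by_archive(LINKER_LOG)
    flags, unknown = suggest_link_flags(missing)
    for archive in missing:
        print(archive, "needs", " ".join(flags[archive]) or "(nothing known)")
    for archive, syms in unknown.items():
        print(archive, "unresolved, prefix not in table:", ", ".join(syms))
```

In this log every symbol comes from `libaff4.a`, so the fix is to append the raptor library after `-laff4`. If a `raptor2.pc` is installed (an assumption), `pkg-config --static --libs raptor2` prints the full static closure, including whatever raptor itself needs.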

This answered some questions:

```
# note: 'connscann' below is a typo for 'connscan', which is why that row prints no options
remnux@remnux:~/volatility-2.5$ for plugin in pslist psxview pstree connscann connections hivescan svcscan; do
>   echo -n $plugin"|"
>   output=`python vol.py $plugin -h 2>&1 | grep 'Module Output Options:' | sed -e 's,Vola,,' | tail -1`
>   echo $output
> done
pslist|Module Output Options: dot, greptext, html, json, sqlite, text, xlsx
psxview|Module Output Options: dot, greptext, html, json, sqlite, text, xlsx
pstree|Module Output Options: dot, greptext, html, json, sqlite, text, xlsx
connscann|
connections|Module Output Options: dot, greptext, html, json, sqlite, text, xlsx
hivescan|Module Output Options: dot, greptext, html, json, sqlite, text, xlsx
svcscan|Module Output Options: dot, greptext, html, json, sqlite, text, xlsx
```
adricnet / Encase output into something.md
Last active February 6, 2016 03:22
Encase output into something a bit more useful?

This week I had to deal with Encase tools output for some cases, and it's not likely to stop for a while. I did some of this manually today and need to script that part, and then there's the actually hard part I need to think through.

The output I'm getting is the result of selecting some kinds of data and then exporting the results from Encase 7, rather than taking a PDF or RTF, which are much worse if you actually need to use the data for anything. It's tab-separated columns of data, and it is not really an unfriendly format, but it does take some work to get it into a state useful for any analysis, due to two things, which align with the two problems here:

  1. The way the data is laid out in the output text file
  2. The way the data is split into multiple pieces for each data type

Problem #1 is just a text data munging problem of the sort any scripter, sysadmin, or data analyst has probably already wrestled with and won against to some degree or another. The different data types are in columns separated
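Problem #2, the same data type arriving in several pieces, is the part worth scripting first, because every later step wants one table per data type. The snippet below is an added example and not code from this gist: it assumes each exported piece starts with a header row of column names and that pieces of the same data type share the same header, so it groups pieces by header, concatenates their rows, and flattens everything into one table over the union of columns. The file names, column names and rows are constructed for illustration, not real Encase output.

```python
import csv
import io
from collections import OrderedDict

# Constructed sample: three tab-separated export pieces as Encase 7 might
# write them, with the "files" type split across two pieces. Column names
# and rows are invented for illustration.
SAMPLE_PIECES = {
    "files_1.txt": "Name\tFull Path\tLogical Size\tFile Created\n"
                   "a.exe\tC:\\Users\\x\\a.exe\t10240\t01/02/16 10:00:00AM\n",
    "files_2.txt": "Name\tFull Path\tLogical Size\tFile Created\n"
                   "b.dll\tC:\\Windows\\b.dll\t2048\t01/03/16 11:30:00AM\n",
    "registry_1.txt": "Name\tFull Path\tLast Written\n"
                      "Run\tHKLM\\...\\Run\t01/01/16 09:00:00AM\n",
}


def parse_piece(text):
    """Return (header tuple, list of row dicts) for one TSV export piece.
    The first non-empty row is taken as the header (an assumption)."""
    rows = [r for r in csv.reader(io.StringIO(text), delimiter="\t") if r]
    if not rows:
        raise ValueError("empty export piece")
    header = tuple(rows[0])
    return header, [dict(zip(header, r)) for r in rows[1:]]


def merge_pieces(pieces):
    """Group export pieces by header and concatenate rows of the same data
    type. Pieces are visited in file-name order so the result is stable."""
    merged = OrderedDict()
    for name in sorted(pieces):
        header, rows = parse_piece(pieces[name])
        merged.setdefault(header, []).extend(rows)
    return merged


def to_single_table(merged):
    """Flatten every data type into one row list over the union of columns;
    columns a type does not have are left empty."""
    all_cols = []
    for header in merged:
        for col in header:
            if col not in all_cols:
                all_cols.append(col)
    rows = [{c: row.get(c, "") for c in all_cols}
            for header_rows in merged.values() for row in header_rows]
    return all_cols, rows


def to_tsv(cols, rows):
    """Serialise the flattened table back to TSV for import elsewhere."""
    buf = io.StringIO()
    w = csv.writer(buf, delimiter="\t", lineterminator="\n")
    w.writerow(cols)
    for row in rows:
        w.writerow([row[c] for c in cols])
    return buf.getvalue()


if __name__ == "__main__":
    merged = merge_pieces(SAMPLE_PIECES)
    for header, rows in merged.items():
        print(len(rows), "rows for", header)
    print(to_tsv(*to_single_table(merged)))
```

Rows keep their original strings; converting sizes to integers and timestamps to a single format belongs with problem #1, once the layout of the real export is pinned down.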

adricnet / IocEditorFeatures.md
Last active June 9, 2016 21:37
Some things IOC editor can't do today

In which I detail some things that the pretty nifty free[1] IOC Editor (or potentially the OpenIOC format, or MIR ?) just won't do for me. Some of these are explained in the very nice User Guide (UG). Maybe some of the other openioc tools can do more, like ioc_writer[2] ...

  1. Compare numbers, like file.size >= or <=
  2. Process trees, in the manner of other products
  3. Combine types in a boolean expression (UG)
  4. Any fancy hashing, like ssdeep or imphash

This is cramping my style and preventing me from even trying to implement some simple (...) use cases from past and present casework, such as

  1. IExplore.exe launches thing ... which launch things ... which launch vssadmin.exe (early Cryptowall)
adricnet / dosbox_build.md
Created July 1, 2016 18:27
DOSBox build failure notes on OS X 10.11
```
$ brew reinstall dosbox --with-debugger
==> Reinstalling homebrew/games/dosbox with --with-debugger
==> Downloading https://downloads.sourceforge.net/project/dosbox/dosbox/0.74/dosbox-0.74.tar.gz
Already downloaded: /Users/bsk/Library/Caches/Homebrew/dosbox-0.74.tar.gz
==> ./configure --prefix=/usr/local/Cellar/dosbox/0.74 --disable-sdltest --enable-core-inline --enable-debug --disable-dynrec
==> make install
Last 15 lines from /Users/bsk/Library/Logs/Homebrew/dosbox/02.make:
^
/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX10.11.sdk/usr/include/curses.h:322:16: note: forward declaration of '_win_st'
typedef struct _win_st WINDOW;
```
adricnet / dosbox_build.md
Last active July 1, 2016 18:29
DOSBox build failure notes on OS X 10.11
No workee with debug on 10.11.4, will check 10.11.5

Brad says:

Review the traffic and consult the alerts if necessary. You should be able to get the following information from the pcap:

  • The user's first and last name
  • The host name of the user's Windows computer
  • The MAC address of the user's Windows computer
  • What type(s) or item(s) of malware the user's computer is infected with
  • How the user's computer got infected with the item(s) of malware
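Two of the answers Brad asks for, the Windows host name and its MAC address, normally sit in the client's own DHCP traffic: option 12 carries the host name, and the hardware address is in the fixed `chaddr` field and usually again in option 61. The following is an added example, not part of the gist or of Brad's exercise: a small DHCP message parser in Python run over a constructed DHCP Request. The packet bytes, host name and MAC are made up; nothing here comes from a real capture.

```python
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
MESSAGE_TYPES = {1: "Discover", 2: "Offer", 3: "Request", 4: "Decline",
                 5: "ACK", 6: "NAK", 7: "Release", 8: "Inform"}


def _mac(raw):
    return ":".join("%02x" % b for b in raw)


def build_sample_dhcp_request(mac, hostname, xid=0x3903F326):
    """Constructed DHCP Request (UDP payload only, no Ethernet/IP/UDP headers)
    in the shape a Windows client sends. Sample input, not a capture."""
    fixed = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        1, 1, 6, 0,                                   # op=BOOTREQUEST, htype=Ethernet, hlen=6, hops
        xid, 0, 0,                                    # xid, secs, flags
        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,   # ciaddr, yiaddr, siaddr, giaddr
        mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128,  # chaddr, sname, file
    )
    name = hostname.encode("ascii")
    options = (
        MAGIC_COOKIE
        + bytes([53, 1, 3])                      # option 53: message type = Request
        + bytes([61, 1 + len(mac), 1]) + mac     # option 61: client id = htype(1) + MAC
        + bytes([12, len(name)]) + name          # option 12: host name
        + bytes([255])                           # end
    )
    return fixed + options


def parse_dhcp(payload):
    """Extract the analyst-relevant fields from one DHCP message: chaddr,
    message type (53), host name (12) and client identifier (61).
    Non-DHCP or truncated input raises ValueError rather than guessing."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message: short payload or missing magic cookie")
    hlen = payload[2]
    if hlen > 16:
        raise ValueError("bad hlen %d" % hlen)
    info = {"op": payload[0], "chaddr": _mac(payload[28:28 + hlen])}
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == 255:            # end option
            break
        if code == 0:              # pad option carries no length byte
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option %d" % code)
        if code == 53 and length == 1:
            info["message_type"] = MESSAGE_TYPES.get(value[0], "type %d" % value[0])
        elif code == 12:
            info["hostname"] = value.decode("ascii", errors="replace")
        elif code == 61 and length >= 2 and value[0] == 1:   # type 1 = Ethernet
            info["client_id_mac"] = _mac(value[1:])
        i += 2 + length
    return info


if __name__ == "__main__":
    pkt = build_sample_dhcp_request(bytes.fromhex("001122334455"), "DESKTOP-TEST")
    print(parse_dhcp(pkt))
```

In a real pcap the same parser is applied to the UDP payload of packets to port 67; the user's first and last name are not in DHCP and have to come from other protocols in the capture (for example Kerberos or SMB logons, or web traffic).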

adricnet / bookmarks.md
Last active January 2, 2018 22:10
Study tracking

PMA:

  • Labs : next is 9-1 … trying 7-1 before 9-1 for IDA practice
  • Reading: 12: Hooking

MDA (OST):

  • Labs: PIvy
  • slides: skimmed all

LoB (OST):

adricnet / QD-DA-lab.md
Last active March 5, 2018 04:44
quick and dirty dynamic analysis environment from free (for personal education) stuff

for public benefit, and so I can do it more easily the next N times

Here's how I have built a quick and dirty dynamic analysis environment from free (for personal education) stuff. Other people do this better and have documented it extensively, e.g. in fine books like PMA, MAC and online classes like OST's MDA and of course FOR610 {FIXME add some links to prior work}.

I've done this on Windows, (Ubuntu) Linux and Mac hosts with VirtualBox with little trouble. You can use other host OSes if you know them well enough, and you can use another VM product if you have it, but the setup is a little different.

There are dozens of great tools and hundreds of useful ones. Once you know what you like and need, you can expand the build, but for now keep it simple (KISS) and get to work learning a thing.

Major components: