I hereby claim:
- I am adricnet on github.
- I am adricnet (https://keybase.io/adricnet) on keybase.
- I have a public key whose fingerprint is 9A4E C324 6D9C 6C83 0C4F 4518 4BA8 924C 0A5A 2903
To claim this, I am signing this object:
```
make all-am
make[1]: Entering directory `/home/wdcforensics/rekall/tools/pmem'
/bin/bash ./libtool --tag=CXX --mode=link g++ -std=c++11 -g -Wall -O0 -g -O2 -all-static -o linpmem linpmem-pmem_imager.o linpmem-linux_pmem.o -laff4 -lglog -lglog
libtool: link: g++ -std=c++11 -g -Wall -O0 -g -O2 -static -o linpmem linpmem-pmem_imager.o linpmem-linux_pmem.o -laff4 -lglog
//usr/local/lib/libaff4.a(data_store.o): In function `RaptorParser::NewRaptorParser(DataStore*)':
/home/wdcforensics/aff4/src/data_store.cc:263: undefined reference to `raptor_new_world_internal'
/home/wdcforensics/aff4/src/data_store.cc:265: undefined reference to `raptor_new_parser'
/home/wdcforensics/aff4/src/data_store.cc:268: undefined reference to `raptor_parser_set_statement_handler'
/home/wdcforensics/aff4/src/data_store.cc:271: undefined reference to `raptor_parser_set_option'
/home/wdcforensics/aff4/src/data_store.cc:274: undefined reference to `raptor_new_uri'
```
This answered some questions:
```
remnux@remnux:~/volatility-2.5$ for plugin in pslist psxview pstree connscann connections hivescan svcscan; do echo -n $plugin"|"; output=`python vol.py $plugin -h 2>&1 | grep 'Module Output Options:' | sed -e 's,Vola,,'| tail -1 `; echo $output; done
pslist|Module Output Options: dot, greptext, html, json, sqlite, text, xlsx
psxview|Module Output Options: dot, greptext, html, json, sqlite, text, xlsx
pstree|Module Output Options: dot, greptext, html, json, sqlite, text, xlsx
connscann|
connections|Module Output Options: dot, greptext, html, json, sqlite, text, xlsx
hivescan|Module Output Options: dot, greptext, html, json, sqlite, text, xlsx
svcscan|Module Output Options: dot, greptext, html, json, sqlite, text, xlsx
```
This week I had to deal with EnCase tool output for some cases, and it's not likely to stop for a while. I did some of this manually today and need to script that part, and then there's the actually hard part I need to think through.
The output I'm getting is the result of selecting some kinds of data and then exporting the results from EnCase 7, rather than taking a PDF or RTF, which are much worse if you actually need to use the data for anything. It's tab-separated columns of data, and not really an unfriendly format, but it does take some work to get it into a state useful for any analysis, due to two things, which align with the two problems here:
Problem #1 is just a text data munging problem of the sort any scripter, sysadmin, or data analyst has probably already wrestled with and won against to some degree or another. The different data types are in columns separated
In which I detail some things that the pretty nifty free[1] IOC Editor (or potentially the OpenIOC format, or MIR?) just won't do for me. Some of these are explained in the very nice User Guide (UG). Maybe some of the other OpenIOC tools can do more, like ioc_writer[2] ...
This is cramping my style and preventing me from even trying to implement some simple (...) use cases from past and present casework, such as
```
$ brew reinstall dosbox --with-debugger
==> Reinstalling homebrew/games/dosbox with --with-debugger
==> Downloading https://downloads.sourceforge.net/project/dosbox/dosbox/0.74/dosbox-0.74.tar.gz
Already downloaded: /Users/bsk/Library/Caches/Homebrew/dosbox-0.74.tar.gz
==> ./configure --prefix=/usr/local/Cellar/dosbox/0.74 --disable-sdltest --enable-core-inline --enable-debug --disable-dynrec
==> make install
Last 15 lines from /Users/bsk/Library/Logs/Homebrew/dosbox/02.make:
^
/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX10.11.sdk/usr/include/curses.h:322:16: note: forward declaration of '_win_st'
typedef struct _win_st WINDOW;
```
No workee with debug on 10.11.4, will check 10.11.5 | |
Brad says:
Review the traffic and consult the alerts if necessary. You should be able to get the following information from the pcap:
- The user's first and last name
- The host name of the user's Windows computer
- The MAC address of the user's Windows computer
- What type(s) or item(s) of malware the user's computer is infected with.
- How the user's computer got infected with the item(s) of malware.
PMA:
MDA (OST):
LoB (OST):
for public benefit and so I can do it more easily the next N times
Here's how I have built a quick and dirty dynamic analysis environment from free (for personal education) stuff. Other people do this better and have documented it extensively, e.g. in fine books like PMA and MAC, and in online classes like OST's MDA and of course FOR610 {FIXME add some links to prior work}.
I've done this on Windows, (Ubuntu) Linux and Mac machines with VirtualBox with little trouble. You can use other host OSes if you know them well enough, and you can use another VM product if you have it, but the setup is a little different.
There are dozens of great tools and hundreds of useful ones. Once you know what you like and need, you can expand the build, but for now keep it simple (KISS) and get to work learning a thing.
Major components: