Update to Image Mount Script

Several Months ago I wrote a python script that helped me mount Disk and partition images. You can read the original post here.
It worked but was lacking in some areas. Mostly in that it didn’t support GPT partition tables.

Thanks to  for poking me and  for the support I have rewritten the script and added a couple more features. It now uses MMLS for GPT support and  makes use of bdemount to work with bitlocker partitions.

Features:

  • MMLS support for GPT.
  • Mount Single Partition files.
  • Mount Multiple partitions from a disk image.
  • Supports E01 Files.
  • Supports Bitlocker with recovery key.

FS Types:

  • ntfs
  • fat16
  • fat32

The next revision will add support for Linux partitions.

This is a quick example mounting a Full Disk Bitlocked USB drive with the recovery key

root@siftw...
Read More

EnCase And AnalyzeMFT

I have some familiarity with Windows Forensics having passed my SANS 508 exam, However Chip is my resident Forensics expert so when he pointed me in the direction of  a blog post about running python scripts in EnCase I was immediately interested. I haven’t really played with EnCase and have been looking for a reason, this seems like a good one.

In this post @JamesHabben has introduced pdf-parser to EnCase. He also suggests a couple of other python scripts that could be of use which is where this post comes in. I have never tried writing an EnScript before so thankfully James has a detailed write-up.

AnalyzeMFT

Chip has a great write-up on how to use analyzemft here.

tldr; It parses a $MFT file in to an easy to read csv file.

The first thing we need to do is get analyzemft installe...

Read More

How Safe is Public Wifi

Imagine this scenario. . .

You’re sat at your favourite Coffee Shop and you connect to the local Wi-Fi. You login to Facebook and see what your friends are doing, jump on amazon to buy a gift you pay with PayPal and finally open your Gmail account to see all the confirmation emails.

What would you say if i told you there is a chance that someone else just intercepted all the usernames, passwords, emails and data you were sending and receiving?

What would you say if i told you it was worse than that and now you SmartPhone or laptop are infected and belong to an attacker who starts to send Premium rate texts and sells access to your laptop so it can be used as part of a bot net that steals banking and financial information.

Both of these scenarios are real and simple for an attacker to do...

Read More

Decoding NanoCore Rat

NanoCore is one of many Remote Access Trojans that are available. This particular rat is a so called premium rat which means it comes with a price tag. The current price to buy the latest version is $20. In the Authors own Words

nano_desc

However as this is a premium rat it is also one of the types that many coders try to crack and release, which is exactly what happened with an early release of this rat. Making it available to a much wider audience.

I have talked about some of my methods for walking through Java Rats i figured now would be a good time to walk you through my process for RATS written in .NET

Generating Samples

The first thing we need are samples that we can work with...

Read More

Viper – Binary Management and analysis Framework

Viper

When it comes to analyzing malware it can be a fairly complex affair. Depending on the complexity of the malware your analysing there are many approaches you can take and each of these will typically require the use of several tools or scripts. This is where http://viper.li comes in to play.

Created by Claudio ‘nex’ Guarnieri, viper is “A binary management and analysis framework dedicated to malware and exploit researchers.” It comes with some basic features that allow you to add search and work with samples. Where it comes into strength is through the community contributed modules. These modules greatly extend vipers functionality.

At the time of writing the current list of modules are as follows.

Commands

  • clear – Clear the console
  • close – Close the current session
  • delete – Delet...
Read More

Look inside a Dark Comet Campaign

As many of you who read this blog will know i have a fondness for researching RATS. In this post im going to stay on the same topic but im going to change the perspective. To date i have concentrated on understanding how the ‘Server’ was holding the configs and how to extract them.

Now im going to look at the data that is extracted by theses tools.

The Tool

DarkComet, a free ‘semi publicly’ available RAT. The client and the server for Dark Comet are well understood at this point and there are hundreds of blog posts by researchers far better then myself so im not going to dwell too much on these points except to say its easy to get hold of, its easy to use and its fairly powerful if it gets installed on your system.

If your unfortunate enough to become infected and even worse your infected ...

Read More

BSides London

This is a little late to post, but here it is anyway.

BSides is a framework for a security conference by the community for the community. it’s designed that anyone who can get a space and some sponsorship can organise a conference with a lot of the hard work already covered by the framework. T hats not to say that the organisers, volunteers and sponsors don’t put a lot of work in behind the scenes.

BSides London has been around for a couple of years and grows every year. This year I decided, with a little prompting, to submit a Talk and a Workshop. The talk didn’t make it on to the main agenda but my workshop did, A practical session showing how I reverse a RAT and extract the config. Small session with no more than 8 in attendance but feedback was positive.

One of the things that bsides L...

Read More

RAT Decoders

I have talked about decoding RATS several times now in previous posts and if you have read them you will know that im creating Static decoders for the most common Remote Access Trojans.

In this post ill be releasing a handful of the static decoders i have written so far.

I have set up a Repo on GitHub that will hold a collection of Python Scripts that will extract and decode the configuration settings from common rats.

Each of these decoders is already running on http://malwareconfig.com and has additional features that are not included in the scripts. like Snort rules IOC Files and VirusTotal Linking.

You can read more about MalwareConfig.com in upcoming posts or read more here http://malwareconfig.com/about

Current Rats

Here is a list of the currently supported RATS:

  • Adwind
  • Arcom
  • BlackN...
Read More

I Hear you like Mount Points

tl;dr

Having just finished my SANS 508 Course i want to share a quick script to help mount partitions and disk images acquired as part of a forensic analysis.

I Hear You Like Mount Points

The SANS 508 is an Advanced Computer Forensics course and the majority of the course is examining Disk Images. The course uses E01 Images of a single partition, this is done to simplify the classroom activities, copying full disk images is time consuming and detrimental to a learning experience.

How does this scale to real life? In the real world you will have mixes of Full disk images with multiple partitions and in some cases different formats for each partition, think dual Boot Linux and windows with recovery partitions. Needless to say real world examples can get complex quickly.

When it comes to the ...

Read More

MalwareConfig

For those of you who read this blog on a more regular basis you will know what i talking about, for those of you who just landed here let me explain.

My project over the last several months has been looking at Remote Access Trojans / Tools. My aim was not to discover how they operate, RATS for the most part operate in the same way.

What i was interested in was how to detect these RATS and more importantly how could i share the information I was gathering with anyone else who could make use of it. The data set will largely contain Samples from ‘Script Kiddies’ who mass target individuals just to get Slaves, but it will also capture samples that have been used by Crime Packs and potentially even APT Actors.

Most methods of capturing this data use sandboxes to run the sample and observe its b...

Read More