VolUtility Version 1.0 Release

      2 Comments on VolUtility Version 1.0 Release

It’s a week late but I finally have enough testing done that I’m happy to call this a 1.0 release. :) If you’re not sure what VolUtility is then read some of the earlier posts: VolUtility a web front end VolUtility release 0.2 Solving GrrCon 2015 Solving GrrCon 2016 tldr; It’s a web front end for the Volatility memory analysis… Read more »

Solving GrrCon 2016 DFIR Challenge

      4 Comments on Solving GrrCon 2016 DFIR Challenge

It’s that time of year again and Wyatt Roersma has released the 2016 GrrCon DFIR Challenge. At the time of writing it’s still available to register and download the images from https://ir.e-corp.biz. Once again as these are memory images I am going to try to solve the challenge solely using VolUtility. Word of warning I reveal all the answers :p For the… Read more »

Extracting LastPass Site Credentials from Memory

      12 Comments on Extracting LastPass Site Credentials from Memory

Let me start by stating this is not an exploit or a vulnerability in LastPass. This is just extracting any data that may remain in memory during a forensics acquisition. At some point the data must be in clear. I was reading the Art Of Memory Forensics, (if you don’t own this i highly recommend it. ) On one of the… Read more »

USB Rubber Ducky and a New ToolKit

      3 Comments on USB Rubber Ducky and a New ToolKit

USB Rubber Ducky The USB Rubber Ducky is a product designed and Sold by Hak5. Essentially its a USB keyboard without any keys that you can pre-program a set of keystrokes on to. When the device is plugged in, its installed as a generic keyboard and will then type whatever you have scripted it to use. Duck Code Duck code is how… Read more »

Solving GrrCon15 Memory Challenge with VolUtility

After seeing that Brian Baskin and Tony Cook had published a writeup solving the GrrCon 2015 Memory challenges I thought this would be an ideal way of testing VolUtility, A way to make sure that i have covered all the features, and if not then how to try and add them so it does. Plus it looked like fun :)… Read more »

VolUtility Release 0.2

      2 Comments on VolUtility Release 0.2

Just a quick update on the new VolUtility release. If you missed the first post telling you what VolUtility is you can read it here. VolUtility a web front end for the volatility framework. Along with several bug fixes and general code tidy the following features have been added or improved. Support Linux and Mac memory images. Adds a config file… Read more »

VolUtility a web front end for the volatility framework.

Several months ago i finally managed to attend the SANS memory forensics course (FOR526) . Taught by the very knowledgeable @sibertor. The course covers memory structures and focuses on the two key frameworks for memory analysis, Volatility and Rekall. Im not going to get in to which is best, each has their uses and most times I will flip between… Read more »

Security Onion – Command Injection Vulnerability

      No Comments on Security Onion – Command Injection Vulnerability
seconion_capme

I recently needed to deploy an IDS and full packet capture on a small network. Fortunately the open source community has had such a thing for a while. Security Onion. A Linux distro for intrusion detection, network security monitoring, and log management. It’s based on Ubuntu and contains Snort, Suricata, Bro, OSSEC, Sguil, Squert, ELSA, Xplico, NetworkMiner, and many other… Read more »

DarkComet – Hacking The Hacker

      2 Comments on DarkComet – Hacking The Hacker

Before I begin this post let me get the following statements out of the way. I Am NOT A Lawyer. The use of the Tools and Techniques discussed in this post may not be legal in your country. The original credit for the discovery belongs to Shawn Denbow and Jesse Hertz. All I did was expand on their POC. Back in… Read more »

Viper – Modules – Office

      No Comments on Viper – Modules – Office

This follows on from the post detailing the basic usage of viper. If you have not read that post I would start there. An index of all the modules can be found here. Office The office module is designed to extract meta data and stream information from a variety of office formats. As before this will showcase the analysis features of Viper… Read more »