Year: 2014

The One Page Linux Manual

For those trying to learn Linux, it can be a daunting task. The are a number plethora of resources online and built into the OS. For those just looking for something “light” and tangible, I recommend the one page Linux manual. It fits the bill for the most part (although its actually two pages).

The One Page Linux Manual

Creating a share on Linux and accessing via Windows

There are many times when there is data on a Linux system that needs to be moved to another system like Windows. Well, the question is how do you do that? The method that I have found to be the easiest is to use Samba. Below are the steps to achieve the overall intent.

1) Install Samba. The below syntax is for Debian based systems. For RPM, do “yum install samba”

2) Configure a username and password that will be used to access the share. In this case, the user I will use is john as he is already a user on my system.


To broadcast a SSID or not to broadcast a SSID, that is the question

For some, wireless security and securing ones home network can mean a number of things. Some people feel that disabling the broadcast of their SSID gives them that extra layer of security. Depending on the context of the conversation at that time, I can somewhat see their perspective. From my standpoint, I will most of the time disagree with disabling SSID broadcasting. Mainly due to the commercial tools available that will decloak an SSID revealing it. My professional opinion is that everyone who does this is just trying to protect their network but it does intrigue me as to what is so important that they are trying to secure. With that said, the aforementioned could draw people to your network just to figure that out.

Everything we did in life has risks. So the risks here are 1) one can broadcast their SSID, blend in, and hope to not be attacked or 2) not broadcast and take the chance of someone not using any tools to identify cloaked networks.

Jump Bag Stuff

Wifi-Pineapple –

PWN Plug –

Read-Only Flash Drive –

SmartSniff –

Parse and Extract PST and OST Mailboxes

Libpff is a powerful mail examination tool. The tool will allow you to examine and extract data without having to attach the PST to Outlook and has the ability to view emails that are encrypted. In my example below, I will be using the tool via the SANS SIFT workstation as it is already installed. If you want to the program on a different distribution, the source code can be found at While I have an example below of parsing the information, I encourage you to check out the man pages as it is pretty short and straightforward.

Note: the PST I am using is called target_pst.pst

1) Export the PST.

2) Verify that a target.pst.export, target.pst.orphans, and target.pst.recovered directory are now present.

Parsing Metadata with ExifTool

Its one thing to have a piece of data but its another thing to be able to get the metadata about said data. ExifTool ( is a tool that will allow just that. Its command line based but there is a GUI version as well called pyExifTool ( The tool not only allows you to read the metadata but also change it, if necessary. A person could also add his or her own custom tags as well. Below is an example of using the program.

Note: My JPG file name is called pic11.jpg

1) Examine the file using ExifTool


Windows Memory Capture using DumpIt

One of the simplest tools for capturing memory from a Windows system is DumpIt. The program is very portable and saves the capture to wherever the program is ran from. Most people will run it from a flash drive but depending on your company’s security policy that may not be an option so one can run it from a network share as well. It is advised not to save the program to the system you want to capture from and run it from I was going to document the steps but there is no need, it is just that simple. Below is the link for the software and if need be, there is a video depicting the steps.

Memory Capture via Hibernation File

If you are having a hard time getting a memory capture using commercial tools, have no fear, Microsoft to the rescue! Starting with Win2K, each version of Windows has supported OS hibernation. When you put a system into hibernation, it creates a hiberfil.sys file on the root of the filesystem (in most cases, C:\). That in itself is a capture of memory. The only problem is that you can’t just right-click and copy the file as it is locked. You could possibly copy by booting into safe mode (I haven’t tried it), slave the hard drive to another system and copy that way, or use some third-party program. The one that I recommend is X-ways WinHex. There is a free version of the software but due to the size of the hibernation file, you will need the licensed version, which costs $222.

Assuming you have the licensed version, below are the steps to copy the hibernation file.

1) Verify there is a hiberfil.sys file on the root of your filesystem (most likely c:\). If the file is not there, ensure hibernation is enabled and then put your system into hibernation. Once powered off, turn it back on and check again.


Display Credentials For All Previous Wireless Networks Connected To

I was at a friend’s house and needed to connect my laptop to his network. My friend was reluctant to give me password to his network and decided to type it in himself. In his mind, he was just doing his part to provide some security to his home network, so I don’t blame him but it did spark my curiosity as to was there a way to pull the password. So I fired up PowerShell and began pegging away. The below code will return SSID and passwords for all systems the computer it is read from his connected to.

Determining what profile to use when analyzing Windows memory in Volatility

No need to guess or experiment with different profiles, let Volatility figure that out for you. In testing, this worked with all formats that Volatility supports. If you were the one to do the memory dump or if the file was labeled OS information, this wouldn’t be a concern or a needed step. To let the magic happen, follow the below.

This analyzes the memory capture metadata and displays which profile is suggested to be used.

The output will be something similiar to this:

Forensics Posters

Anybody getting into forensics knows its like putting on a pair of glasses and seeing things in a whole new light. Part of being able to identify bad or evil is being able to identify normal. In my opinion, SANS did a pretty good job depicting some common things to look for when beginning the forensics process. The posters can be found at the below link.

Building a profile for Volatility

After capturing Linux memory using LiME (or your program of choice), we can analyze it using Volatility. In order to do so, you will need to build a profile for Volatility to use. The profile is based on the kernel/version of the system in which the memory capture was done on. The maintainers of the Volatility Project have a repo of pre-built profiles on their page located at Carnegie Mellon University also has prebuilt profiles as well and they are located at
In order to build a profile, following the below instructions. For this demo, I am using a Kali 1.0.9 (Debian) system to build my profile on an Ubuntu system to do the analyzing on.

1) Install dwarfdump. On RedHat(Fedora)-based systems, this can be done by typing ‘yum install dwarfdump’

2) Download the necessary source code to compile the module.dwarf file

3) Change directory into the newly created vol-mem-profile directory


Linux Memory Capture with LiME

When doing forensics, grabbing a capture of the live memory is vital. There are a few different programs out there to accomplish the task but in my testing, I felt LiME was the best choice. It wasn’t intrusive at all on the system and was pretty straightforward. Once I compiled it, I loaded it up on my flash drive and on I went. Below are the steps I took to achieve it all.

Notes: I am using a Kali system and will be moving the compiled LiME program to the target using a flash drive.

1) Make a directory for LiME.

2) Change Directory into the newly created lime directory.