The registry of a system contains a lot of good data that can be used forensic analysis. Parsing that data from dead box forensics (bit image) using RegRipper (rip.pl) will provide you with a lot of useful information. RegRipper is an automated HIVE parser that can parse the forensic contents
Linux
No Need to Unzip, Just Use Zcat or Zgrep
There will be times when you may encountered a zipped file and want to quickly parse it without having to unzip it. When the time comes, zcat and zgrep will be your savior. The usages of both are very straightforward but there are man pages for both for further reading.
Analyzing Various Memory Capture Formats
In a world where there are so many choices for capturing memory and analyzing it, I felt there would be some benefit in compiling a list for quick reference. FTK Imager – Outputs to .mem – Can be analyzed in Volatility Vol.py –f –profile= VMWare (.vmem) – .vmem and .vmsm
Network Grep for the Folks Who Love to Grep!
Network grep (ngrep) is a great program that allows you to search and filter network packets rather quickly. There is some resemblance to the well-known Linux grep program. Ngrep can analyze live traffic or saved pcaps. The man pages for ngrep are rather straightforward. Ngrep currently recognizes IPv4/ 6, TCP,
Extracting Data with Bulk Extractor
When it comes to forensics, styles and methodologies may vary from person to person (or organization). Some methods take longer than others and results may vary. One tool/ technique that I lean to time and time again is using Bulk Extractor. Bulk Extractor is a program that enables you to
Installing/Managing Linux Packages in an Offline Environment
A few good cheat sheets for installing/managing packages in an offline environment.
Linux Secure Copy (SCP)
SCP is a must for quick transfer of files in native environments. In order to interact with a Windows machine, an SSH server is needed on the system but you may be able to get around that be specifying a different port. Below are a few examples of how it
Traffic Generators
These tools will generate traffic and transmit it, retransmit traffic from a capture file, perhaps with changes, or permit you to edit traffic in a capture file and retransmit it. • Bit-Twist includes bittwist, to retransmit traffic from a capture file, and bittwiste, to edit a capture file and write
Unzip a file that is zipped many times
This script is used for unzipping zipped files inside of a zipped file. The zipped files are password protected. I developed this because it seems like every capture the flag I do, there is a scenario where this could be used. This Bash script can be found in my script
WMI on Linux
WMI is a great way to query Windows systems without being so intrusive. As of late, I have been dealing with it more and more. Typically, I use a Windows system to query another Windows system but the lack of speed inherit to the Windows OS always has me searching
Pushpin… Taking Reconnaissance to Another Level
If you are on the offensive side, part of your strategy encompasses reconnaissance at some point. If you are on the defensive side, there is still reconnaissance to be done in order to see what is available about you. Well, a great tool to add to your tool bag is
Splunk vs. ELK Stack
When conversing about log collection and correlation on an Enterprise level, Splunk usually always comes up in the conversation. While I am an avid Splunk fan, outside of the free version, it can be a little expensive. ELK (Elasticsearch, Logstash, and Kibana) is very comparable to Splunk, in my opinion.
Converting a DD image into a VM – pt. 2
This is part 2 of the tutorial to convert a DD image into a VM. The below instruction picks up from the position that one already got a DD image and has it unzipped and uncompressed. To finish the task, please read on. 1. Copy the target_image from your linux
Converting a DD image into a VM – pt. 1
A good buddy of mine introduced me to LiveView, which creates virtual machines from DD images. There were a number of other programs out there that can do the same thing but didn’t seem as smooth as LiveView is. One may be wondering why what is the need for
Skittle Grinder (Linux Log Collection)
Skittle Grinder is the de facto way of getting “kitchen sink” from a Linux system. It development stemmed from a gap we faced in the forensics realm but could be used for a base lining, auditing, or whatever you see fit. Skittle Grinder checks for rootkits, creates a tarball of
Collaboration with Elog
Elog is a great program used for collaboration in a LAN or WAN environment. Its very simple to use and easily customizable. This program is ideal for sharing notes or analyzing data and ensuring everyone else knows what is going on. There is an email function as well and the
Splitting up a Large VM for Easier Transmission
Here is the scenario: you have a VM that you want to transfer to another system over the Internet. The VM, in its entirety, is too big to transfer as is. So what do we do? Well, we could convert the .vmx into an .ova and then split it into
Renaming a Linux NIC interface
You may be wondering why this is even a topic of discussion. Well, certain Linux distros such as CentOS come with the main interface as eth0. For me, it’s not as big of a deal. The concern comes in when I am developing baselines and distributing them back into the
The One Page Linux Manual
For those trying to learn Linux, it can be a daunting task. The are a number plethora of resources online and built into the OS. For those just looking for something “light” and tangible, I recommend the one page Linux manual. It fits the bill for the most part (although
Creating a share on Linux and accessing via Windows
There are many times when there is data on a Linux system that needs to be moved to another system like Windows. Well, the question is how do you do that? The method that I have found to be the easiest is to use Samba. Below are the steps to
Parse and Extract PST and OST Mailboxes
Libpff is a powerful mail examination tool. The tool will allow you to examine and extract data without having to attach the PST to Outlook and has the ability to view emails that are encrypted. In my example below, I will be using the tool via the SANS SIFT workstation
Parsing Metadata with ExifTool
Its one thing to have a piece of data but its another thing to be able to get the metadata about said data. ExifTool (http://www.sno.phy.queensu.ca/~phil/exiftool/) is a tool that will allow just that. Its command line based but there is a GUI version as well called pyExifTool (https://hvdwolf.github.io/pyExifToolGUI/). The tool
Building a profile for Volatility
After capturing Linux memory using LiME (or your program of choice), we can analyze it using Volatility. In order to do so, you will need to build a profile for Volatility to use. The profile is based on the kernel/version of the system in which the memory capture was done
Linux Memory Capture with LiME
When doing forensics, grabbing a capture of the live memory is vital. There are a few different programs out there to accomplish the task but in my testing, I felt LiME was the best choice. It wasn’t intrusive at all on the system and was pretty straightforward. Once I compiled