Analysis Notes

A place to jot down notes on malware I have analyzed and on things that seemed useful for analysis.

4n6 Week 52 – 2022 - FORENSIC ANALYSIS

This entry was auto-generated and posted to display the opening lines of each article featured in This Week in 4n6 (FourAndSix = Forensics), so that articles worth checking can be skimmed quickly. Week 52 – 2022 can be viewed here. Donations via "Buy me a coffee" are appreciated.

FORENSIC ANALYSIS

CTF导航

  • Cyberdefenders Blue Team - Malware Traffic Analysis 3

Cyberdefenders Blue Team - Malware Traffic Analysis 3. 1. Challenge overview. 1.1 Background: The attached PCAP belongs to an Exploitation Kit infection. Analyze it with your favorite tools and answer the challenge questions. 1.2 Challenge link: //cyberdefenders.org/blueteam-ctf-challenges/21. 2. Challenge walkthrough. 2.1 What is the IP address of the infected Windows virtual machine? 1. Check the conversation state in Wireshark. A good place to start a network analysis is to find out which hosts are communicating in the packet capture: open Wireshark, select Statistics -> Conversations, and view the TCP conversations. The conversations show that 192.168.137.1 and 192.168.137.1 are internal IP addresses; the protocol used between the two internal addresses is DNS, so the compromised host is determined to be 192.168.137.62. ip.addr == 192.168.137.1 and ip.addr == 192.168.137.62 2.2 What is the name of the exploit kit (EK)? (two words) Uploading the capture to a malicious packet analysis platform shows that the exploit kit name is Angler...

Dr. Neal Krawetz at ‘The Hacker Factor Blog’

  • Weird Science

Forensafe

Investigating Windows Kaspersky Antivirus 23/12/2022 Friday Kaspersky Antivirus is a Russian-based anti-virus protection software that uses a combination of signature-based malware detection, advanced machine learning, and a cloud-based security database. It offers its users maximum protection from various types of threats, including viruses, worms, ransomware, and many others. Digital Forensics Value of Kaspersky Antivirus Kaspersky Antivirus is one of the most popular antivirus software aro...

Howard Oakley at ‘The Eclectic Light Company’

  • Rolling logs and anti-malware scans


Jason Wilkins at ‘Noob to Pro Forensics’

  • Drive Geometry, File Systems, and How Criminals Hide Data

Drive Geometry, File Systems, and How Criminals Hide Data. Drive geometry and file systems are important concepts in computing, as they determine how data is stored and accessed on a storage device, such as a hard drive or flash drive. Understanding these concepts can be useful not only for managing data effectively, but also for detecting and preventing criminal activity. Drive geometry refers to the physical layout of a storage device, including the number of platters, the number of heads, and th...

Joe T. Sylve, Ph.D.

  • 2022 APFS Advent Challenge Day 13 – Data Streams

2022 APFS Advent Challenge Day 13 - Data Streams Monday, December 19, 2022 Data in APFS that is too large to store within records is stored elsewhere on disk and referenced by data streams (dstreams). Similar to non-resident attributes in NTFS, APFS data streams manage a set of extents that reference the number and order of blocks on the disk which contain external data. In this post, we will discuss how data streams are used in APFS to manage one or more forks of data in inodes as well as thei...

  • 2022 APFS Advent Challenge Day 14 – Sealed Volumes

2022 APFS Advent Challenge Day 14 - Sealed Volumes Tuesday, December 20, 2022 With the release of macOS 11, Apple added a security feature to APFS called sealed volumes. Sealed volumes can be used to cryptographically verify the contents of the read-only system volume as an additional layer of protection against rootkits and other malware that may attempt to replace critical components of the operating system. Sealed volumes have subtle differences from some of the properties of file systems tha...

  • 2022 APFS Advent Challenge Day 15 – Keybags

2022 APFS Advent Challenge Day 15 - Keybags Wednesday, December 21, 2022 APFS is designed with encryption in mind and removes the need for the Core Storage layer used to provide encryption in HFS+. When you enable encryption on a volume, the entire File System Tree and the contents of files within that volume are encrypted. The type of encryption depends on the capabilities of the hardware that it is running on. For example, hardware encryption is used for internal storage on devices that suppor...

  • 2022 APFS Advent Challenge Day 16 – Wrapped Keys

2022 APFS Advent Challenge Day 16 - Wrapped Keys Thursday, December 22, 2022 In our last post, we discussed both [Volume and Container Keybags](/post/2022/12/21/APFS-Keybags) and how they protect wrapped Volume Encryption and Key Encryption Keys. Depending on whether the encrypted volume was migrated from an HFS+ encrypted Core Storage volume, there are subtle differences in how these keys are used. In this post, we will discuss the structure of these wrapped keys and how they can be used to acce...

  • 2022 APFS Advent Challenge Day 17 – Blazingly Fast Checksums with SIMD

2022 APFS Advent Challenge Day 17 - Blazingly Fast Checksums with SIMD Friday, December 23, 2022 Today’s post will take on a bit of a different style than the previous posts in this series. Among other things, I spent my day putting off writing the final APFS encryption blog post by pursuing another one of my New Year goals. Along the way, I wrote a Fletcher64 hashing function that can validate APFS objects at over 31 GiB/s on my 2017 iMac Pro. Rather than fighting my procrastination, I decided ...

  • Update: Blazingly Fast-er SIMD Checksums

Saturday, December 24, 2022 This is a quick update to yesterday’s post on using std::experimental::simd to speed up APFS Fletcher-64 calculations. It turns out that there were still some low-hanging optimizations that could be used to improve my code. I got better performance from my code by using a simple loop unrolling technique. Here’s the new version of the function. Notice that the only difference is that I’m now calculating more data per iteration of the loop. I’m using a lambda here to av...

Kyle Song

  • Phone Scam Series: USB Modem with Asterisk Analysis and Visualize artifacts

Voice Phishing Series: Asterisk Artifact Analysis and Visualization. Table of Contents: Case Study: USB Modem with Asterisk; What is Asterisk?; Key Artifacts; Visualize Artifacts; Dashboard; RAW Data; Wrap-up; Reference. Previously we’ve covered the artifacts left when using the USB Modem through the program named Huawei Mobile Partner. The program only takes one modem at a time so you call, text one-o...

Magnet Forensics

  • Free Digital Forensics Tools Every Investigator Needs

Magnet Forensics offers a variety of free digital forensics tools designed to assist in many aspects of digital forensics and incident response (DFIR). Some of these have been helping examiners out for years and you may be familiar with them, others you may not even know about, so we’re collecting them here to give you an overview of what’s available. I spent a few years on the Training Team here at Magnet Forensics and the topic of free tools would come up regularly during classes. I was always...

Matt Muir at Cado Security

  • Kiss-a-Dog Discovered Utilizing a 20-Year-Old Process Hider

Maxim Suhanov

  • Do researchers handle exFAT volumes correctly?

Do researchers handle exFAT volumes correctly? December 18, 2022 (updated December 19, 2022) ~ msuhanov Let’s conduct a simple experiment. In the Ext4 file system, I create two files (“1.txt” and “2.txt”): touch 1.txt 2.txt Then, I gather file system metadata (including timestamps) for these files: sudo debugfs -R 'stat /path_to/the_file/1.txt' /dev/block_device sudo debugfs -R 'stat /path_to/the_file/2.txt' /dev/block_device In my case, the output is: For “1.txt”: Inode: 23918802 Type: regular Mode: 0644 ...

MuSecTech

  • Copying Files For Forensic Collection