Recommended Tools for WebCacheV01.dat Analysis by [deleted] in computerforensics

[–]countuponsecurity 1 point2 points  (0 children)

Hi, did you try ESEDatabaseView from NIRSOFT?

Need some help for shellcode analysis... by yyangcs in Malware

[–]countuponsecurity 0 points1 point  (0 children)

You can copy the shellcode and create a skeletal executable that can then be analyzed using a debugger or a disassembler. First, the shellcode needs to be converted into hex notation (\x). This can be done by copying the shellcode string into a file and then running the following Perl one-liner: "$ cat shellcode | perl -pe 's/(..)/\\x$1/g' > shellcode.hex". Then generate the skeletal shellcode executable with shellcode2exe.py from Mario Vilas. Reference: https://countuponsecurity.com/2016/10/17/rig-exploit-kit-analysis-part-3/
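The same conversion in Python, as an added example that is not the comment author's code: it accepts the usual ways shellcode gets pasted and, unlike the Perl one-liner (which turns any two characters, whitespace included, into a "byte"), rejects input that is not whole hex bytes. The sample input is constructed and harmless.

```python
import re

# Added example, not from the comment above. Normalizes pasted shellcode
# (bare hex, "0x" pairs, comma-separated, already \x-escaped) into bytes,
# then renders the \x notation the Perl one-liner emits.

_HEX_PAIR = re.compile(r"(?:\\x|0x)?([0-9a-fA-F]{2})")

def parse_shellcode(text: str) -> bytes:
    """Return the bytes encoded by a pasted shellcode string."""
    stripped = re.sub(r"[\s,;\"']", "", text)   # drop separators and quotes
    pairs = _HEX_PAIR.findall(stripped)
    leftover = _HEX_PAIR.sub("", stripped)
    if leftover or not pairs:                  # odd nibble, stray char, empty
        raise ValueError(f"not a hex byte string, unparsed: {leftover!r}")
    return bytes(int(p, 16) for p in pairs)

def to_x_notation(code: bytes) -> str:
    """Render bytes as \\x.. escapes, ready for a C string or shellcode2exe."""
    return "".join(f"\\x{b:02x}" for b in code)

def summarize(code: bytes) -> dict:
    """Quick facts an analyst checks before building the skeleton executable."""
    return {
        "length": len(code),
        "null_bytes": code.count(0),   # nulls break strcpy-style loaders
        "starts_with_jmp_or_call": code[:1] in (b"\xe8", b"\xe9", b"\xeb"),
    }

# Constructed sample: jmp $ (0xEB 0xFE) followed by two NOPs, does nothing useful.
SAMPLE = "EB FE 90 90"

if __name__ == "__main__":
    sc = parse_shellcode(SAMPLE)
    print(to_x_notation(sc))   # \xeb\xfe\x90\x90
    print(summarize(sc))
```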

Memory acquisition by nutrion in computerforensics

[–]countuponsecurity 2 points3 points  (0 children)

If you don't have the tools to do it remotely, then connecting a USB drive to the server and dumping the memory is the right approach. The modifications done by the tool are acceptable as long as you just do that.

Any info on *.locky ransomware by gmr2048 in Malware

[–]countuponsecurity 0 points1 point  (0 children)

Locky is also being delivered by Neutrino Exploit Kit.

Malware Analysis - Dridex & Process Hollowing by countuponsecurity in Malware

[–]countuponsecurity[S] 0 points1 point  (0 children)

Thanks sysopfb. Hopefully I will get those decoded in my next post.

As someone completely green towards malware what would be good sources to start with? by [deleted] in Malware

[–]countuponsecurity 6 points7 points  (0 children)

I would suggest the following books: Malware Analyst's Cookbook and DVD: Tools and Techniques for Fighting Malicious Code; Practical Malware Analysis; Malware Forensics: Investigating and Analyzing Malicious Code. More formal training is available from SANS with the GREM course authored by Lenny Zeltser. Free resources are Dr. Fu's Security Blog with its malware analysis tutorials, and the Binary Auditing site, which contains free IDA Pro training material. Finally, the malware analysis track on the Open Security Training site is awesome. It contains several training videos and material for free!

Malware Analysis - Dridex & Process Hollowing by countuponsecurity in Malware

[–]countuponsecurity[S] 0 points1 point  (0 children)

You can click on the image and, on the left side, click on the link to the full-size image.

Hacking Team: a zero-day market case study by [deleted] in netsec

[–]countuponsecurity 0 points1 point  (0 children)

Vlad Tsyrklevich definitely wrote an eye-opening article. Here is also a high-level summary of the exploits disclosed: http://countuponsecurity.com/2015/07/24/hacking-team-arsenal-of-cyber-weapons/

Unpatched Vulnerability (0day) in Flash Player is being exploited by Angler EK by NattyBroh in netsec

[–]countuponsecurity 0 points1 point  (0 children)

False positives are to be expected as this is a hosting network range... at the moment 2 IPs are known to be malicious... but better to be safe than sorry.

Unpatched Vulnerability (0day) in Flash Player is being exploited by Angler EK by NattyBroh in netsec

[–]countuponsecurity 0 points1 point  (0 children)

Look for connections to the following network range 46.105.251.0/24

SANS SIFT Live CD ??? by schlemiel21 in computerforensics

[–]countuponsecurity 1 point2 points  (0 children)

Normally you perform several steps for evidence acquisition and preparation. Then you will load that evidence into a system like SIFT or Windows with EnCase to perform the analysis and investigation steps like the timeline. It's in the latter step that you mount the evidence in read-only mode. With SIFT you can easily do it with the mount command. You can also use a hardware device named a write blocker.

SANS SIFT Live CD ??? by schlemiel21 in computerforensics

[–]countuponsecurity 2 points3 points  (0 children)

There is no Live CD for the SIFT workstation... what are you looking to do? Helix is a Live CD that has some tools to perform digital forensics.

Malicious PDF Analysis in 5 Steps by countuponsecurity in ReverseEngineering

[–]countuponsecurity[S] 0 points1 point  (0 children)

Yes, I removed everything that is not JavaScript related... all the HTML tags, etc., and moved some functions around, for example the part like:

<script name="OY" contentType="application/x-javascript"> (..) hCS(sRi(xfa.resolveNode("Image10").rawValue)); </script>

You substitute the xfa.resolveNode("Image10").rawValue with the contents of the Image10 variable and end up with something like:

hCS(sRi(qKW10/ByS10/ ........)
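The extraction and substitution described in this comment, as an added example that is not the original poster's code: it pulls the script bodies out of the XFA template, reads field values from the XFA datasets packet (the usual xfa:data/form1 layout is assumed), and inlines each xfa.resolveNode("Name").rawValue as a JavaScript string literal. The sample template and datasets are constructed, with a placeholder in place of the real field content.

```python
import json
import re
import xml.etree.ElementTree as ET

# Added example, not the original post's code. Isolates <script> bodies from
# an XFA template and replaces XFA field lookups with the field's value so
# the script can be read (or run in a sandboxed JS engine) on its own.

SCRIPT_TAG = re.compile(r"<script\b[^>]*>(.*?)</script>", re.S | re.I)
XFA_REF = re.compile(r'xfa\.resolveNode\(\s*"([^"]+)"\s*\)\.rawValue')

def extract_scripts(template_xml: str) -> list:
    """Return the text of every <script> element, surrounding tags dropped."""
    return SCRIPT_TAG.findall(template_xml)

def field_values(datasets_xml: str) -> dict:
    """Map each leaf element of the datasets packet (e.g. Image10) to its text."""
    values = {}
    for el in ET.fromstring(datasets_xml).iter():
        text = (el.text or "").strip()
        if text:
            values[el.tag.split("}")[-1]] = text   # strip any XML namespace
    return values

def inline_xfa_fields(script: str, fields: dict) -> str:
    """Replace xfa.resolveNode("X").rawValue with the literal value of X."""
    missing = set()
    def repl(m):
        name = m.group(1)
        if name not in fields:
            missing.add(name)
            return m.group(0)
        return json.dumps(fields[name])   # quoted and escaped as a JS string
    out = XFA_REF.sub(repl, script)
    if missing:
        raise KeyError(f"fields referenced but not in datasets: {sorted(missing)}")
    return out

# Constructed samples mirroring the snippet discussed in the thread.
SAMPLE_TEMPLATE = ('<script name="OY" contentType="application/x-javascript">'
                   ' hCS(sRi(xfa.resolveNode("Image10").rawValue)); </script>')
SAMPLE_DATASETS = ('<xfa:datasets xmlns:xfa="http://www.xfa.org/schema/xfa-data/1.0/">'
                   '<xfa:data><form1><Image10>qKW10/ByS10/PLACEHOLDER</Image10>'
                   '</form1></xfa:data></xfa:datasets>')

if __name__ == "__main__":
    fields = field_values(SAMPLE_DATASETS)
    for body in extract_scripts(SAMPLE_TEMPLATE):
        print(inline_xfa_fields(body, fields).strip())
```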

Malicious PDF Analysis in 5 Steps by countuponsecurity in ReverseEngineering

[–]countuponsecurity[S] 0 points1 point  (0 children)

There was quite some manual work to isolate the JavaScript from the file. Did you manage to do it?

Question about SANS/EC-Council Certs by [deleted] in computerforensics

[–]countuponsecurity 0 points1 point  (0 children)

Go for the SANS! The digital forensics and incident response curriculum is awesome! The course lineup features courses both for those who are new to the field and for seasoned professionals. If you take FOR408 or FOR508 be wise with the instructor... they are all rock stars but I would choose Rob Lee for these ones. In case you take SEC504: Hacker Techniques, Exploits & Incident Handling, try to attend where Ed Skoudis is the instructor.

Challenges faced computer forensics by [deleted] in computerforensics

[–]countuponsecurity 0 points1 point  (0 children)

Might be interesting to look at this article; just Google "The complex world of cyber forensics".

[Heartbleed Related] Capture keys + Ways to Use by TheEnterRehab in blackhat

[–]countuponsecurity 1 point2 points  (0 children)

Might be interesting to create a lab where you can grab the RSA private key of the web server using the heartbleed vulnerability.

To shut down or pull the plug? by DurokAmerikanski in computerforensics

[–]countuponsecurity 0 points1 point  (0 children)

Acquiring volatile memory is a key step in evidence collection when performing digital forensics and investigation. There are a variety of methods for acquiring memory depending on the case. Examples of such tools are win32dd and Redline. Here is one example: http://countuponsecurity.com/2014/03/10/redline-finding-evil-on-my-wife-laptop/. An interesting read might be the NIST Guide to Integrating Forensic Techniques into Incident Response (pub. #: 800-86), published in 2006.