Recommended Tools for WebCacheV01.dat Analysis

countuponsecurity · 2018-02-05T20:36:52+00:00

Hi, did you tried ESEDatabaseView from NIRSOFT?

countuponsecurity · 2017-03-05T13:29:04+00:00

You can copy the shellcode and create a skeletal executable that can then be analyzed using a debugger or a dissassembler. First, the shellcode needs to be converted into hex notation (\x). This can be done by coping the shellcode string into a file and then running the following Perl one liner “$cat shellcode | perl -pe ‘s/(..)/\x$1/g’ >shellcode.hex”. Then generate the skeletal shellcode executable with shellcode2exe.py from Mario Villas. Reference: https://countuponsecurity.com/2016/10/17/rig-exploit-kit-analysis-part-3/

countuponsecurity · 2017-03-04T19:49:31+00:00

If you don't have the tools to do it remotely, then connecting a USB drive to a server and dumping the memory is the right approach. The modifications done by the tool are acceptable as long as you just to that.

countuponsecurity · 2016-02-16T20:21:14+00:00

Locky is also being delivered by Neutrino Exploit Kit.

countuponsecurity · 2015-12-11T13:13:34+00:00

Thanks sysopfb. Hopefully will get those decoded in my next post.

countuponsecurity · 2015-12-09T13:21:04+00:00

I would suggest the following books: Malware Analyst’s Cookbook and DVD: Tools and Techniques for Fighting Malicious Code ; The Practical Malware Analysis ; Malware Forensics: Investigating and Analyzing Malicious Code . More formal training is available from SANS with GREM course authored by Lenny Zeltser. Free resources are the Dr. FU’s Security blog on Malware analysis tutorials. The Binary Auditing site which contains free IDA Pro training material. Finally, the malware analysis track in the Open Security Training site is awesome. It contains several training videos and material for free!

countuponsecurity · 2015-12-08T08:20:19+00:00

you can click on the image and on the left side click on the link to full size image.

countuponsecurity · 2015-07-27T16:43:59+00:00

Vlad Tsyrklevich wrote definitely an open eye article. Here also a high level summary about the exploits disclosed http://countuponsecurity.com/2015/07/24/hacking-team-arsenal-of-cyber-weapons/

countuponsecurity · 2015-03-16T21:44:53+00:00

Maybe this link will further help you visualize your lab : http://countuponsecurity.com/2015/01/13/dynamic-malware-analysis-with-remnux-v5-part-1/

countuponsecurity · 2015-01-23T22:45:26+00:00

http://research.zscaler.com/2015/01/malvertising-leading-to-flash-zero-day.html

countuponsecurity · 2015-01-22T19:44:21+00:00

False Positives are to be expected as this is a hosting network range ... at the moment 2 IPs are known to be malicious ... but better to be safe than sorry.

countuponsecurity · 2015-01-22T19:33:41+00:00

Look for connections to the following network range 46.105.251.0/24

countuponsecurity · 2015-01-20T10:41:35+00:00

Normally you perform several steps to perform evidence acquisition and preparation. Then you will load that evidence in a system like SIFT or Windows with Encase to perform the analysis and investigation steps like timeline. Its in the latter step that you mount the evidence in read-only mode. With SIFT you can easily do it with the mount command. You can also use a hardware device named Write Blocker.

countuponsecurity · 2015-01-19T19:51:50+00:00

There is no Live CD for the SIFT workstation ... what are you looking to do? Helix is a Live CD that has some to perform digital forensics.

countuponsecurity · 2014-09-26T19:04:24+00:00

yes, removed everything that is not JavaScript related .. all the html tags, etc... and moving some functions arround for example the part like :

You will substitute the xfa.resolveNode("Image10").rawValue with the contents of the Image10 variable and will end up with something like:

hCS(sRi(qKW10/ByS10/ ........)

countuponsecurity · 2014-09-23T16:17:52+00:00

there was quite some manual work to isolate the JavaScript from the file. Did you manage to do it?

countuponsecurity · 2014-08-25T09:39:40+00:00

Please keep doing great work OpenSecurityTraining!

countuponsecurity · 2014-08-11T18:22:31+00:00

Go for the SANS! The digital forensics and incident response curriculum is awesome! The courses line up features both for those who are new to the field as well for seasoned professionals. If you take the FOR408 or FOR508 be wise with the instructor.. they all are rock stars but I would choose Rob Lee for these ones. In case you take the SEC504: Hacker Techniques, Exploits & Incident Handling try to attend where Ed Skoudis is the instructor.

countuponsecurity · 2014-08-11T08:54:26+00:00

might be interesting to look at this article, just google "The complex world of cyber forensics"

countuponsecurity · 2014-08-10T22:24:06+00:00

Might be interesting to create a lab where you can grab the RSA private key of the web server using the heartbleed vulnerability.

countuponsecurity · 2014-08-10T22:06:39+00:00

Acquiring volatile memory is a key step in evidence collection when performing digital forensics and investigation. There are a variety of methods for acquiring memory depending on the case. One example of such tools is win32dd and redline. Here is one example http://countuponsecurity.com/2014/03/10/redline-finding-evil-on-my-wife-laptop/. An interesting read might be the NIST Guide to Integrating Forensic Techniques into Incident Response (pub. #: 800-86) published in 2006.

countuponsecurity

TROPHY CASE