scudette.blogspot.com
Scudette in Wonderland: October 2008
http://scudette.blogspot.com/2008_10_01_archive.html
Thursday, October 2, 2008. Pstree - a volatility plugin. I have been lurking on the volatility irc channel (#volatility @ irc.freenode.net) and I overheard a challenge to make a pstree-like plugin. I thought this would be a great way to learn more of the code base. Ed: After posting the initial version I had lots of discussions from the IRC channel. The next challenge was to recover the path and name of the binary for each task. There are lots of ways to do this and I was offered 3: Push the Red Button.
scudette.blogspot.com
Scudette in Wonderland: The PMEM Memory acquisition suite
http://scudette.blogspot.com/2012/11/the-pmem-memory-acquisition-suite.html
Saturday, November 17, 2012. The PMEM Memory acquisition suite. Memory acquisition is the first step in memory analysis. Before any analysis can be done, we need to acquire the memory in the first place. There are a number of commercial solutions to acquire memory, but sadly open source solutions have been abandoned or not maintained (for example win32dd was a popular solution many years ago but has now been commercialized and is no longer open source). These are the features it supports: Optional ...
scudette.blogspot.com
Scudette in Wonderland: July 2008
http://scudette.blogspot.com/2008_07_01_archive.html
Wednesday, July 16, 2008. Digital Forensics Research Workshop Challenge. Every year the DFRWS guys put on a great forensic challenge and this year was no different. While last year's challenge was very hard and not that realistic, this year's challenge was designed to reflect what many people would experience in their work. The challenge was a simulated incident which involved network traffic, some file forensics and Linux memory forensics. This year I was lucky enough to be involved with the great team o...
scudette.blogspot.com
Scudette in Wonderland: Anti-forensics and memory analysis.
http://scudette.blogspot.com/2014/02/anti-forensics-and-memory-analysis.html
Friday, February 7, 2014. Anti-forensics and memory analysis. Recently there have been a number of talks around the place about anti-forensic techniques. The most recent example is the Shmoocon talk by Jake Williams and Alissa Torres, ADD — Complicating Memory Forensics Through Memory Disarray, with the tool published here, Attention Deficit Disorder (ADD), which is a proof-of-concept "evidence planting" tool. Before that there was a Blackhat talk, Anti-Forensic Resilient Memory Acquisition. In my opin...
scudette.blogspot.com
Scudette in Wonderland: Automatically detecting profiles.
http://scudette.blogspot.com/2012/12/automatically-detecting-profiles.html
Monday, December 10, 2012. Previous versions of Volatility required the profile to always be explicitly specified. This is fine if you know in advance what version of Windows you have, but sometimes you receive an image taken by a third party which has no context - you don't exactly know the version or patch level of the image. In previous versions of Volatility you would need to run the imageinfo. Finding the kernel DTB. One of the first things Volatility does when opening the image is to detect the ker...
scudette.blogspot.com
Scudette in Wonderland: December 2012
http://scudette.blogspot.com/2012_12_01_archive.html
Monday, December 10, 2012. Previous versions of Volatility required the profile to always be explicitly specified. This is fine if you know in advance what version of Windows you have, but sometimes you receive an image taken by a third party which has no context - you don't exactly know the version or patch level of the image. In previous versions of Volatility you would need to run the imageinfo. Finding the kernel DTB. One of the first things Volatility does when opening the image is to detect the ker...
scudette.blogspot.com
Scudette in Wonderland: Finding the Kernel Debugger Block
http://scudette.blogspot.com/2012/11/finding-kernel-debugger-block.html
Sunday, November 18, 2012. Finding the Kernel Debugger Block. The kernel debugger block (named KdDebuggerDataBlock of the type KDDEBUGGER_DATA64) is important for many things that Volatility and debuggers do. For example, it has a reference to the PsActiveProcessHead which is the list head of all processes required for process listing. The second method which is used by Volatility itself is to scan for KdDebuggerDataBlock using a specific signature for a valid KDDEBUGGER_DATA64. Unfortunately this method...
infosecmindstorm.blogspot.com
Jamal B's Blog - Infosec Mindstorm: Attacks on the stock market: some thoughts
http://infosecmindstorm.blogspot.com/2012/09/attacks-on-stock-market-some-thoughts.html
Jamal B's Blog - Infosec Mindstorm. Jamal Bandukwala's personal blog on information security related matters. The views expressed here are my own and are not of my employer or any organizations I might belong to or be affiliated with. Monday, September 3, 2012. Attacks on the stock market: some thoughts. Let's look at day-traders as an example: When launching trades, you need to use trade execution software. Since these pieces of software have a smaller market share, I began to think about how many peop...
packetdude2.blogspot.com
Journey into Malware Forensics: Excellent Series on Analyzing PDF Malware
http://packetdude2.blogspot.com/2012/08/excellent-series-on-analyzing-pdf.html
Journey into Malware Forensics. Friday, August 10, 2012. Excellent Series on Analyzing PDF Malware. This is a great multi-part series from Spider Labs covering lots of tools and techniques for examining suspicious (or just plain malicious) PDF files. Honestly, the flood of malicious PDF tools seems to have slowed down, but eventually everything old is new again, right? Analyzing PDF Malware - Part 1 - SpiderLabs Anterior. Posted by Matt H.
scudette.blogspot.com
Scudette in Wonderland: July 2009
http://scudette.blogspot.com/2009_07_01_archive.html
Tuesday, July 21, 2009. I have been using the awesome screen program for a long time. I recently remembered that someone once gave me the following ~/.screenrc file: hardstatus string "%{.bW}%-w%{.rW}%n %t%{-}% w %=%{.G} %H %{.Y} %d/%m %C%a". termcapinfo xterm xterms xs rxvt ti@:te@. I thought I would document this somewhere in case it's useful to anyone. I found some code on the net to do completion and I added a bit of history. To do this you need to add the following files: import os.path, os. return s...