Welcome to Jan's blog on DF, IR, TI, REM...
In this blog post, you'll learn about a dockerized setup of snort3 and its usage for offline and online analyses. I'll demonstrate its usage and value by creating a Snort rule to detect the loader dubbed SVCready.
A hard drive is a relatively fragile data store. After the first indicators of a drive failure appear, the hard drive might suddenly die. The present blog post, therefore, discusses the gradual acquisition of evidence from a failing drive by combining the open source tools ddrescue and partclone. To spare the mechanics of the drive and acquire the most critical data first, partclone is used to create a so-called domain file, in which the used blocks of the file system are noted, so that ddrescue can copy those blocks before the rest of the disk.
This blog post focuses on the various string obfuscation methods employed by the still relatively new ransomware BlackMatter and presents ways to decode those strings by leveraging Ghidra's scripting capabilities and the Unicorn engine for CPU emulation. The corresponding Ghidra scripts published on Github aim to aid future analyses of BlackMatter samples, which employ the following string obfuscation techniques:
(...) The ransomware BlackMatter aims at stepping into the void left by REvil's and DarkSide's (temporary) retreat. At this point in time, this new ransomware seems to pose a serious threat. In this blog post, BlackMatter's API hashing mechanism is described in detail and a Ghidra script is supplied 1 to aid future analyses.
(...)
Using AFF4-L containers is an efficient and forensically sound way of storing selectively imaged evidence. There exist two open source implementations to perform this task: c-aff4 and pyaff4. To image a directory with aff4.py, run:
Virtualization is everywhere nowadays. So when you have to analyze an incident, you often come across virtual hard disks in the form of sparsely allocated VMDKs, VDIs, QCOW2s, and the like. You have several options to inspect the data in virtual machine images. guestmount is a helpful tool to perform a logical inspection of the file system, and qemu-nbd is a good choice to work on a raw block device without having to convert a sparsely allocated virtual disk into a raw image or rely on proprietary software.
If you need to acquire the process memory of a process running on a Linux system, you can use gcore 1 to create a core file or, alternatively, retrieve its memory areas from /proc/<PID>/maps and use GDB 2 itself to dump the content into a file. For a convenient way to do this, refer to a basic shell script hosted as a gist named dump_pmem.sh 3.
Last week, I decided to start with blogging. Besides creating Github gists to document code and more complex command line snippets, I plan to share some personal findings in the context of DFIR, security engineering, threat intelligence, and the like, which I find helpful.
(...)