A Blog on digital investigations

Welcome to Jan's blog on DF, IR, TI, REM...

Dockerized Snort3 for Rule Crafting and Triage Forensics


In this blog post, you'll learn about a dockerized setup of Snort 3 and how to use it for offline (pcap) and online (live traffic) analyses. I'll demonstrate its value by crafting a Snort rule to detect the loader dubbed SVCready.


Gradual Evidence Acquisition From an Erroneous Drive


A hard drive is a relatively fragile data store: once the first indicators of a failure show up, the drive may die at any moment. This blog post therefore discusses the gradual acquisition of evidence from a failing drive by combining the open source tools ddrescue and partclone. To spare the mechanics of the drive and acquire the most critical data first, partclone is used to create a so-called domain file that records which blocks the file system actually uses; ddrescue then restricts its first passes to exactly those blocks instead of reading the whole device.
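As an added example (not code from the post), the following Python script parses ddrescue mapfiles, including a partclone-style domain file in which '+' marks the used blocks, and reports how much of the used blocks has been rescued so far and how much hit bad sectors. Both mapfiles embedded in the script are constructed sample data; the block status characters and the layout (one status line, then contiguous "pos size status" lines, '#' starting a comment) follow the ddrescue mapfile format.

```python
from typing import Dict, List, NamedTuple, Tuple

# Added example: parse ddrescue mapfiles and track progress within a domain.
# Block status characters as defined by the ddrescue mapfile format.
STATUS_NAMES = {"?": "non-tried", "*": "non-trimmed", "/": "non-scraped",
                "-": "bad-sector", "+": "finished"}

# Constructed domain file in the shape partclone writes: '+' marks blocks the
# file system uses, '?' marks free space that ddrescue will skip.
DOMAIN_MAPFILE = """\
0x00000000     +
0x00000000  0x00200000  +
0x00200000  0x00100000  ?
0x00300000  0x00100000  +
0x00400000  0x00C00000  ?
"""

# Constructed rescue mapfile of a 16 MiB device after an interrupted first pass.
RESCUE_MAPFILE = """\
# current_pos  current_status  current_pass
0x00110000     ?               1
0x00000000  0x00100000  +
0x00100000  0x00010000  +
0x00110000  0x00000200  -
0x00110200  0x0001FE00  *
0x00130000  0x000D0000  ?
0x00200000  0x00100000  ?
0x00300000  0x00080000  +
0x00380000  0x00C80000  ?
"""

class Block(NamedTuple):
    pos: int
    size: int
    status: str

class Mapfile(NamedTuple):
    current_pos: int
    current_status: str
    blocks: List[Block]

def parse_mapfile(text: str) -> Mapfile:
    """Parse a mapfile; reject malformed or non-contiguous blocks up front."""
    status = None
    blocks: List[Block] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment
        if not line:
            continue
        fields = line.split()
        if status is None:  # first data line: current_pos current_status [pass]
            if len(fields) not in (2, 3):
                raise ValueError(f"bad status line: {raw!r}")
            status = (int(fields[0], 16), fields[1])
            continue
        if len(fields) != 3 or fields[2] not in STATUS_NAMES:
            raise ValueError(f"bad block line: {raw!r}")
        pos, size = int(fields[0], 16), int(fields[1], 16)
        if blocks and pos != blocks[-1].pos + blocks[-1].size:
            raise ValueError(f"gap or overlap before block at {pos:#x}")
        blocks.append(Block(pos, size, fields[2]))
    if status is None:
        raise ValueError("mapfile has no status line")
    return Mapfile(status[0], status[1], blocks)

def summarize(m: Mapfile) -> Dict[str, int]:
    """Bytes per block status; summary['+'] is what has been rescued so far."""
    totals = {s: 0 for s in STATUS_NAMES}
    for b in m.blocks:
        totals[b.status] += b.size
    return totals

def overlap_bytes(m: Mapfile, intervals: List[Tuple[int, int]], status: str) -> int:
    """Bytes of the given status that fall inside the [start, end) intervals."""
    return sum(max(0, min(b.pos + b.size, end) - max(b.pos, start))
               for b in m.blocks if b.status == status
               for start, end in intervals)

def domain_progress(rescue: Mapfile, domain: Mapfile) -> Tuple[int, int, int]:
    """(rescued, bad, domain_size) in bytes, counted over the used blocks only."""
    intervals = [(b.pos, b.pos + b.size) for b in domain.blocks if b.status == "+"]
    total = sum(end - start for start, end in intervals)
    return (overlap_bytes(rescue, intervals, "+"),
            overlap_bytes(rescue, intervals, "-"), total)

def report(rescue_text: str, domain_text: str) -> str:
    rescue = parse_mapfile(rescue_text)
    rescued, bad, total = domain_progress(rescue, parse_mapfile(domain_text))
    lines = [f"{STATUS_NAMES[s]:>12}: {n:>10} bytes" for s, n in summarize(rescue).items()]
    lines.append(f"used blocks: {rescued}/{total} rescued ({100 * rescued / total:.1f}%), "
                 f"{bad} bytes unreadable")
    return "\n".join(lines)

if __name__ == "__main__":
    print(report(RESCUE_MAPFILE, DOMAIN_MAPFILE))
```

On a real case the domain file comes from partclone, and the rescue is started with ddrescue's -m/--domain-mapfile option (for example `ddrescue -d -m used.domain /dev/sdX image.raw image.map`), which restricts the rescue to the blocks marked '+' in the domain file. The offsets in the domain file must be relative to the same device you hand to ddrescue, so a domain generated from a partition only fits a rescue of that partition, not of the whole disk.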


Defeating BlackMatter's string obfuscation


This blog post focuses on the various string obfuscation methods employed by the still relatively new ransomware BlackMatter and presents ways to decode those strings by leveraging Ghidra's scripting capabilities and the Unicorn engine for CPU emulation. The corresponding Ghidra scripts, published on GitHub, aim to aid future analyses of BlackMatter samples, which employ the following string obfuscation techniques:


Understanding BlackMatter's API Hashing


The ransomware BlackMatter aims to step into the void left by REvil's and DarkSide's (temporary) retreat, and at this point in time it seems to pose a serious threat. In this blog post, BlackMatter's API hashing mechanism is described in detail and a Ghidra script is supplied to aid future analyses.


Logical imaging with AFF4-L


Using AFF4-L containers is an efficient and forensically sound way of storing selectively imaged evidence. There exist two open source implementations to perform this task: c-aff4 and pyaff4. To image a directory with aff4.py, run:


Analyzing VM images


Virtualization is everywhere nowadays, so when you have to analyze an incident you often come across virtual hard disks in the form of sparsely allocated VMDKs, VDIs, QCOW2s, and the like. There are several options for inspecting the data in such images: guestmount is a helpful tool for a logical inspection of the file system, and qemu-nbd is a good choice when you want to work on a raw block device without converting a sparsely allocated virtual disk into a raw image or relying on proprietary software. In both cases, attach the image read-only (guestmount --ro, qemu-nbd --read-only) so the evidence is not modified.
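Knowing the container format up front tells you which -f to pass to qemu-nbd (or whether the file is already raw) and, by comparing the virtual size with the file size, whether the image is sparsely allocated. The following Python snippet is an added example, not code from the post: it identifies QCOW2, VMDK, VDI, VHD and VHDX images from their header magic (the byte layouts follow the public format specifications), reports the virtual size where the header carries it, and composes a read-only qemu-nbd command line. The headers it tests against are constructed inside the script, not taken from real images, and the /dev/nbd0 device and loaded nbd module are assumptions.

```python
import os
import struct
from typing import Dict, Tuple

# Added example: detect a virtual disk container from header magic.
# qemu-nbd/qemu-img format names; "raw" means no known container header matched.
QEMU_FORMAT = {"qcow2": "qcow2", "vmdk": "vmdk", "vdi": "vdi",
               "vhd": "vpc", "vhdx": "vhdx", "raw": "raw"}
VDI_SIGNATURE = 0xBEDA107F  # little-endian uint32 at offset 0x40

def identify_image(head: bytes, tail: bytes = b"") -> Tuple[str, Dict[str, int]]:
    """Return (format, details) from the first bytes of a file and, for fixed-size
    VHDs that only carry a footer, its last 512 bytes."""
    if head[:4] == b"QFI\xfb":
        # QCOW2 header is big-endian: magic, version, backing file offset/size,
        # cluster_bits, then the virtual size at offset 24.
        version, = struct.unpack_from(">I", head, 4)
        size, = struct.unpack_from(">Q", head, 24)
        return "qcow2", {"version": version, "virtual_size": size}
    if head[:4] == b"KDMV":
        # VMDK sparse extent header is little-endian; capacity is in 512-byte sectors.
        version, _flags, capacity = struct.unpack_from("<IIQ", head, 4)
        return "vmdk", {"version": version, "virtual_size": capacity * 512}
    if head.startswith(b"# Disk DescriptorFile"):
        return "vmdk", {}  # text descriptor; the data lives in the extents it names
    if len(head) >= 0x44 and struct.unpack_from("<I", head, 0x40)[0] == VDI_SIGNATURE:
        return "vdi", {}
    if head[:8] == b"conectix" or tail[-512:][:8] == b"conectix":
        return "vhd", {}  # dynamic/differencing VHDs repeat the footer at offset 0
    if head[:8] == b"vhdxfile":
        return "vhdx", {}
    return "raw", {}

def identify_file(path: str) -> Tuple[str, Dict[str, int]]:
    """Identify an image on disk and record how much space it really occupies."""
    size = os.path.getsize(path)
    with open(path, "rb") as f:
        head = f.read(4096)
        f.seek(max(0, size - 512))
        tail = f.read(512)
    fmt, details = identify_image(head, tail)
    details["file_size"] = size  # far below virtual_size means a sparse image
    return fmt, details

def nbd_command(path: str, fmt: str, device: str = "/dev/nbd0") -> str:
    """Read-only attach; assumes the nbd module is loaded (modprobe nbd max_part=16)."""
    return f"qemu-nbd --read-only -f {QEMU_FORMAT[fmt]} --connect={device} {path}"

def sample_headers() -> Dict[str, bytes]:
    """Constructed minimal headers for the formats above (not real images)."""
    qcow2 = (b"QFI\xfb" + struct.pack(">I", 3) + bytes(12)
             + struct.pack(">I", 16) + struct.pack(">Q", 40 << 30))
    vmdk = b"KDMV" + struct.pack("<IIQ", 1, 3, (20 << 30) // 512)
    vdi = (b"<<< Oracle VM VirtualBox Disk Image >>>\n".ljust(0x40, b"\0")
           + struct.pack("<I", VDI_SIGNATURE))
    vhd = b"conectix" + bytes(504)
    return {"qcow2": qcow2, "vmdk": vmdk, "vdi": vdi, "vhd": vhd, "raw": bytes(512)}

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        fmt, details = identify_file(path)
        print(path, fmt, details)
        print("  ", nbd_command(path, fmt))
```

Run it as `python identify_image.py disk.qcow2 other.vmdk`; the printed qemu-nbd line is the read-only attach to use before running your usual block-device tooling against /dev/nbd0 and its partitions.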


Dump Linux process memory


If you need to acquire the memory of a process running on a Linux system, you can use gcore to create a core file or, alternatively, read its memory areas from /proc/<PID>/maps and use GDB's dump memory command to write each region into a file. Both approaches need ptrace access to the target process (root, or the same user when kernel.yama.ptrace_scope permits). For a convenient way to do this, refer to a basic shell script hosted as a gist named dump_pmem.sh.
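As an added example (not the dump_pmem.sh gist the post refers to), the following Python script implements the same idea without GDB: it parses /proc/<PID>/maps, skips non-readable regions and the [vvar]/[vsyscall] pseudo-mappings the kernel will not serve, and reads each remaining region through /proc/<PID>/mem into one file per region, named after the region's address range. It needs the same ptrace access as gcore or GDB. The maps excerpt embedded for the parser is constructed, and find_in_self() is a self-check that searches the running process's own memory for a marker string.

```python
import os
import re
import sys
from typing import List, NamedTuple, Optional

# Added example: dump readable regions through /proc/<PID>/mem instead of GDB.
# One /proc/<PID>/maps line: start-end perms offset dev inode [path]
MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxsp-]{4})\s+"
    r"(?P<offset>[0-9a-f]+)\s+(?P<dev>[0-9a-f]+:[0-9a-f]+)\s+(?P<inode>\d+)\s*(?P<path>.*)$")

# Pseudo-mappings the kernel does not serve through /proc/<PID>/mem.
SKIP_PATHS = {"[vvar]", "[vsyscall]"}

# Constructed /proc/<PID>/maps excerpt (not captured from a real system).
SAMPLE_MAPS = """\
55d7c3a00000-55d7c3a01000 r--p 00000000 fd:01 1311873                    /usr/bin/cat
55d7c3a01000-55d7c3a06000 r-xp 00001000 fd:01 1311873                    /usr/bin/cat
55d7c5f00000-55d7c5f21000 rw-p 00000000 00:00 0                          [heap]
7ffd1a2c0000-7ffd1a2e1000 rw-p 00000000 00:00 0                          [stack]
7ffd1a3f4000-7ffd1a3f6000 r--p 00000000 00:00 0                          [vvar]
ffffffffff600000-ffffffffff601000 --xp 00000000 00:00 0                  [vsyscall]
"""

class Region(NamedTuple):
    start: int
    end: int
    perms: str
    path: str

def parse_maps(text: str) -> List[Region]:
    """Parse /proc/<PID>/maps; fail loudly on a line the regex does not understand."""
    regions = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = MAPS_LINE.match(line)
        if not m:
            raise ValueError(f"unparseable maps line: {line!r}")
        regions.append(Region(int(m["start"], 16), int(m["end"], 16),
                              m["perms"], m["path"].strip()))
    return regions

def dumpable(r: Region) -> bool:
    """Readable and not a kernel pseudo-mapping."""
    return r.perms[0] == "r" and r.path not in SKIP_PATHS

def read_region(mem, r: Region, limit: int) -> Optional[bytes]:
    """Read one region (capped at limit bytes) from an open /proc/<PID>/mem; None if refused."""
    try:
        mem.seek(r.start)
        return mem.read(min(r.end - r.start, limit))
    except (OSError, OverflowError, ValueError):
        return None

def dump_process(pid: int, out_dir: str, limit: int = 256 << 20) -> List[str]:
    """Write every dumpable region to out_dir/<start>-<end>.bin and return the paths."""
    os.makedirs(out_dir, exist_ok=True)
    with open(f"/proc/{pid}/maps") as f:
        regions = [r for r in parse_maps(f.read()) if dumpable(r)]
    written = []
    with open(f"/proc/{pid}/mem", "rb", buffering=0) as mem:
        for r in regions:
            data = read_region(mem, r, limit)
            if data is None:
                continue
            path = os.path.join(out_dir, f"{r.start:016x}-{r.end:016x}.bin")
            with open(path, "wb") as out:
                out.write(data)
            written.append(path)
    return written

def find_in_self(marker: bytes, limit: int = 64 << 20) -> Optional[int]:
    """Self-check: count marker occurrences in this process's own readable memory.
    Returns None when /proc is unavailable or no region could be read."""
    try:
        with open("/proc/self/maps") as f:
            regions = [r for r in parse_maps(f.read()) if dumpable(r)]
        mem = open("/proc/self/mem", "rb", buffering=0)
    except OSError:
        return None
    hits = read_ok = 0
    with mem:
        for r in regions:
            data = read_region(mem, r, limit)
            if data is None:
                continue
            read_ok += 1
            hits += data.count(marker)
    return hits if read_ok else None

if __name__ == "__main__":
    pid = int(sys.argv[1])
    for p in dump_process(pid, f"pmem_{pid}"):
        print(p)
```

Per-region files keep the address ranges in their names, so strings or YARA hits can be mapped back to the owning module via the maps file; note that a region's contents can change between reading maps and reading mem, which is the usual caveat of dumping a live process rather than a snapshot.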


Hello World


Last week, I decided to start blogging. Besides creating GitHub gists to document code and more complex command line snippets, I plan to share some personal findings in the context of DFIR, security engineering, threat intelligence, and the like, which I find helpful.
