ForensicZone
A site for "Computer Crime" Investigators, where we can share our tips, tricks and mistakes...
Author: ForensicZone (http://www.blogger.com/profile/07501220425644973307)
Feed last updated: 2024-03-05

KAI OS Forensics for Money and Profit (2019-01-01)
For the last month I have been forensically analyzing KAI OS 2.5, formerly Firefox OS. We are seeing a bunch of these feature phones in our lab.
Download KAI OS Forensics for Money and Profit
Download KAI OS Cheat Sheet
#kaios #firefoxos #forensics #reversing

Wisconsin Association of Computer Crime Investigators 2013 Conference (2013-10-16, updated 2013-10-22)
"Sup" (...been a long while)
PTFinderFE is obsolete due to the new innovations in Volatility.
(Updated 10/20/13) My new Volatility Batch File Maker does all that PTFinderFE did and MORE!!!
***** Known issue with processing x64 memory and creating the Memdump.bat, Procmemdump and Vaddump.bat files. Fix by 10-21-2013.
The new Volatility Batch File Maker is a little kludgy but usable.
The Win8 (very beta

WACCI Conference 2012 - Tip and Tricks Notes (2012-10-12)
Wisconsin Association of Computer Crime Investigators Conference 2012
Tips and Tricks Notes:
"Thank you" for all the great input.
Digital Intelligence
Forensic Scanner
RegRipper
CERT Tools (registration required)
DumpIt
Volatility
Shadowkit
OS Triage (registration required)
WiebeTech HotPlug
iSightPartners (registration required)
UPX EnCase GREP expression: \xE0UPX\x00\x00

EnScripts (EnPacks) to Carve iPhone SMS Messages (2011-01-25)
These are tools to find SMS messages in physical (carved) or logical files recovered from an iPhone (DOWNLOAD). The tool is really meant to find unallocated SMS messages in a raw disk recovery of the user disk partition, as extracted by tools like the one created by Jonathan Zdziarski (http://oreilly.com/catalog/9780596153595, http://www.zdziarski.com/blog/?page_id=503). If you obtain a

New Win7 Process Enscript (Beta) (2010-10-17)
I updated my Basic Memory Analysis EnScripts (Version 6) and rolled them out at the 2010 WACCI Conference. The newest addition is an EnScript to carve for Windows 7 processes (exited and running). Important: if you downloaded the new EnScripts prior to 10/17/2010, please update your download to Version 2.1; I made some changes to the Win7 (Beta) EnScript. The magic number I am using is part of

The Mystery of ROT (-29) (2010-09-01)
If you're reading my blog you've seen ROT13 and know it is used by Microsoft in the UserAssist registry key. But now I've found Microsoft using ROT(-29), or rotate minus 29, which is considerably more devious than ROT13 for the forensic investigator. Do the following steps to uncover ROT(-29):
1. First find a computer running Windows 7 or Vista.
2. Open Notepad and type: "

Walk-Through: Volatility Batch File Maker and Volatility's VadDump (2009-10-16)
*********** The first 5 steps are exactly the same as in my last post, Walk-Through: Volatility Batch File Maker and Volatility's ProcDump. The walk-through portion is repeated here for future discussions. Skip if applicable. ******************
1. Download the following files from Hogfly (Website):
exemplar6.tar.gz.001
exemplar6.tar.gz.002
exemplar6.tar.gz.003
In my example I placed the

Walk-Through: Volatility Batch File Maker and Volatility's ProcDump (2009-10-16)
1. Download the following files from Hogfly (Website):
exemplar6.tar.gz.001
exemplar6.tar.gz.002
exemplar6.tar.gz.003
In my example I placed the files in the e:\exemplar6\ directory.
2. Join the downloaded files with the following command prompt code (note: no space inside the quotes, or the third file name will not be found):
copy /b "exemplar6.tar.gz.001"+"exemplar6.tar.gz.002"+"exemplar6.tar.gz.003" exemplar6.tar.gz
3. Extract using WinRAR (exemplar6.tar.gz

Volatility Batch File Maker (2009-10-16)
The Tool: Volatility Batch File Maker (Download)
I wanted to take the text output of the various tools (PTFinder, PTFinderFE and Volatility's psscan2), which identifies the offsets of all (running) processes, and feed that offset data into several Volatility tools (procdump, memdmp and vaddump). This program creates three batch files.
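As an added illustration of what a batch file maker of this kind does (example code written for this page, not the blog's tool), the script below parses a psscan-style process listing and emits the three batch files that the two walk-throughs above run. It assumes the Volatility 1.3-era command line (python volatility procdump/memdmp/vaddump -f image -o physical_offset, with -d for the vaddump output directory), the image path is hypothetical, and the psscan listing is constructed. Exited processes are written as REM lines rather than dump commands, because their address space is no longer there to dump.

```python
"""Volatility batch file maker: psscan-style process listing -> three .bat files.

Example code for this page, not the blog author's tool. Assumes the Volatility
1.3-era command line ("python volatility <plugin> -f <image> -o <offset>") and a
hypothetical image path; the psscan listing below is constructed.
"""
import re
from dataclasses import dataclass
from pathlib import Path

# Constructed sample of psscan-style output. Column widths vary between
# versions, so the parser keys on the two hex fields rather than on positions.
SAMPLE_PSSCAN = """\
No.  PID    PPID   Time created             Time exited              Offset     PDB        Remarks
---- ------ ------ ------------------------ ------------------------ ---------- ---------- --------
   1      4      0 Sat Jun 25 16:47:27 2005                          0x01bcc830 0x00039000 System
   2    684      4 Sat Jun 25 16:47:30 2005                          0x0201f020 0x06d4d000 smss.exe
   3    796    684 Sat Jun 25 16:47:39 2005 Sat Jun 25 16:50:01 2005 0x01e0e3a8 0x07c1f000 notepad.exe
   4   1216    796 Sat Jun 25 16:47:47 2005                          0x02244da0 0x0826d000 svchost.exe
"""

ROW = re.compile(
    r"^\s*\d+\s+(?P<pid>\d+)\s+(?P<ppid>\d+)\s+(?P<times>.*?)\s+"
    r"(?P<offset>0x[0-9a-f]+)\s+(?P<pdb>0x[0-9a-f]+)\s+(?P<name>\S.*?)\s*$",
    re.IGNORECASE,
)


@dataclass
class Proc:
    pid: int
    ppid: int
    offset: int   # physical offset of the EPROCESS block in the image
    pdb: int      # page directory base (DirectoryTableBase)
    name: str
    exited: bool  # psscan printed an exit time as well as a create time


def parse_psscan(text: str) -> list:
    """Pull (pid, ppid, offset, pdb, name, exited) out of each process row."""
    procs = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:          # header, separator or blank line
            continue
        procs.append(Proc(
            pid=int(m["pid"]), ppid=int(m["ppid"]),
            offset=int(m["offset"], 16), pdb=int(m["pdb"], 16),
            name=m["name"],
            exited=len(re.findall(r"\d\d:\d\d:\d\d", m["times"])) >= 2,
        ))
    return procs


def _safe(name: str) -> str:
    """Make a process name usable inside a cmd.exe path."""
    return re.sub(r"[^A-Za-z0-9._-]", "_", name)


def make_batch_files(procs, image, vol="python volatility", skip_exited=True):
    """Return {filename: contents} for procdump.bat, memdump.bat and vaddump.bat."""
    head = ["@echo off", f"REM generated from psscan output for {image}"]
    out = {name: list(head) for name in ("procdump.bat", "memdump.bat", "vaddump.bat")}
    for p in procs:
        tag = f"{p.pid:04d}_{_safe(p.name)}"
        if p.exited and skip_exited:
            # An exited process has no live address space left to dump.
            for lines in out.values():
                lines.append(f"REM skipped {tag} at {p.offset:#010x}: exited")
            continue
        for fname, plugin in (("procdump.bat", "procdump"), ("memdump.bat", "memdmp")):
            out[fname] += [f"REM {tag}", f'{vol} {plugin} -f "{image}" -o {p.offset:#010x}']
        vdir = f"vaddump\\{tag}"
        out["vaddump.bat"] += [
            f"REM {tag}",
            f'if not exist "{vdir}" mkdir "{vdir}"',
            f'{vol} vaddump -f "{image}" -o {p.offset:#010x} -d "{vdir}"',
        ]
    return {fname: "\r\n".join(lines) + "\r\n" for fname, lines in out.items()}


def write_batch_files(batches, outdir="."):
    """Write the generated batch files and return their paths (CRLF kept for cmd.exe)."""
    paths = []
    for fname, body in batches.items():
        path = Path(outdir) / fname
        with open(path, "w", newline="") as fh:
            fh.write(body)
        paths.append(path)
    return paths


if __name__ == "__main__":
    batches = make_batch_files(parse_psscan(SAMPLE_PSSCAN), r"E:\exemplar6\exemplar6.img")
    for fname, body in batches.items():
        print(f"=== {fname} ===\n{body}")
```

Run it against a real psscan dump by replacing SAMPLE_PSSCAN with the captured text; if a later Volatility version prints different columns, only the ROW regular expression needs adjusting, since everything downstream works from the parsed Proc records.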
After running the batch files I can quickly leverage

Sandman Shell: Batch files to Define environment variable _NT_SYMBOL_PATH (2009-04-16)
I had the following question from Mr Anonymous about Matthieu Suiche's Sandman Shell project:
"...the same happens with hibrshell. When I execute the command it crashes while "Retrieving Kernel Image base". I tried with 3 different hiberfil.sys files so I guess it's not the file. The bad thing is that I also tried with different PCs and it crashed too, this means that I have no idea of what it

VMWare Running? Better Check for Different Windows Operating System's EPROCESS Blocks (2009-02-21)
Identify multiple Windows OS versions in a single RAM capture if the host machine is running VMware machines.
I often run VMware machines on my host machine so I can easily grab a machine's RAM contents by suspending it and analyzing the VMEM file. Nothing new there. But what is cool is when you run several VMware machines (or just one) and grab the RAM of the host machine. If you

Untitled post (2009-01-28)
Using Volatility (1.3_Beta), the Volatility plugin from Moyix, a test RAM image (xp-laptop-2005-06-25.img) and a Windows hash/password finder (SAMInside or Cain & Abel), identify the passwords for the following users: Sarah, phoenix and the Administrator.
1. Run hivescan to get the hive offsets.
command: python volatility hivescan -f "C:\Dump\xp-laptop-2005-06-25.img"
Offset (hex)

Winen.exe - RAM Imaging Tool Included in New Version of Encase (2008-06-05)
Today when I downloaded the latest version of EnCase (6.11.0.43) I discovered winen.exe in the EnCase program folder. Apparently winen.exe is the new RAM acquisition tool provided by Guidance. Winen.exe is supposed to work on all versions of Windows newer than 2000. A search of the Guidance Support Portal turned up Winen.pdf (Guidance forum access required, 3 pages). The Winen

Untitled post (2008-05-19)
I am presenting a two-day course on RAM Acquisition and RAM Analysis at Digital Intelligence. The course is June 10-12, 2008 and is FREE. The following is a quick synopsis of the training:
RAM Analysis - Vista and Beyond
Everything run on a computer passes through RAM at one time or another. The trick is being able to identify data found in a RAM capture and relate it back to the item that

BIOS Magic Numbers in RAM (Beta) (2008-05-03)
A colleague of mine approached me after I taught a class on finding information in RAM. He asked me to prove that a particular RAM acquisition came from a particular machine. My first thought was to run to the remnants of the registry. But due to paging of the registry and many false positives this proved a little more difficult than I originally thought...
But as you guessed by the title I then

RAM Enscript Version 1.0 (2008-05-02)
RAM ENSCRIPT UPDATED!!! Download
The new RAM EnScript contains:
OS Identification
Processes (Exited / Running)
Registry Remnants (UserAssist)
MSHTML Remnants
MFT Parser
Runs against RAM dumps from Windows 2000 to Vista.
Many thanks to the first RAM Analysis Advanced Class at IACIS. Thanks for the hard work.

Practical of "15 Minute Virus Analysis" (2008-03-15)
I want to show a practical of my "15 Minute Virus Analysis".
You must download the RADA virus if you want to "play" along. The RADA virus is a REAL VIRUS, SO BE CAREFUL...
The RADA virus was created several years ago to test other geeks participating in the Honeynet Project. Also download one of the best solutions to the RADA challenge (but don't read the solution yet...).
Make three folders in

Fifteen Minute Malware Analysis (2008-02-29)
Tools:
1. VMware Workstation or VMware Server (Server = free)
2. Windows 2000 (small $)
3. TextScan - free (by AnalogX) http://www.analogx.com/contents/download/program/textscan.htm
4. PTFinderFE - free (PTFinder by Andreas Schuster and front-end by Richard McQuown)
5. LSPM (SourceForge) - free (by Harlan Carvey)
Steps:
1. Create a VMware Windows 2000 machine. Keep the RAM at 256 MB or less (saves

"Lest We Remember: Cold Boot Attacks on Encryption Keys" (2008-02-22)
It seems a team of Princeton students has put together a very well done website, research paper (PDF) and video regarding acquiring RAM. The gist: information stays in RAM after power loss and then degrades, cooling the DRAM chips slows the decay of volatile memory, and keys to full disk encryption can be obtained by capturing RAM. The online community has

XPSP3 - How this is going to affect RAM Analysis? (2008-01-27)
Well, to sum up XP SP3 (for RAM analysis) I'd say the prognosis is great. The key offsets that I look for in the EPROCESS (Page Directory Base, Create Time Low, Create Time High, Exit Time Low, Exit Time High, PID, Image File Name) appear to be the same as in XP SP2. The kernel program (NTOSKRNL.exe) I use to gauge the OS version of the RAM is also similar to previous versions.
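The VMware post and the XP SP3 post above come down to one routine: scan the dump for the dispatcher-header bytes that open every EPROCESS, then read PID, DirectoryTableBase, the create/exit FILETIMEs and ImageFileName at version-specific offsets, so that blocks belonging to different Windows versions in one host capture can be told apart. The example below is added here and is not the author's EnScript or PTFinder. The offset tables for 32-bit XP SP2/SP3 and Windows 7 are values I supply from memory and should be confirmed with dt nt!_EPROCESS in WinDbg against the matching kernel; the memory buffer is constructed to contain two XP-shaped blocks (one exited), one Win7-shaped block and a decoy header.

```python
"""Carve _EPROCESS blocks of more than one Windows version out of one RAM image.

Example code for this page, not the author's EnScript or PTFinder. The field
offsets are what I recall for 32-bit XP SP2/SP3 and Windows 7; verify them with
'dt nt!_EPROCESS' in WinDbg against the matching kernel before relying on them.
"""
import struct
from datetime import datetime, timedelta, timezone

# magic = the KPROCESS dispatcher header (Type=3, Size=sizeof(KPROCESS)/4) that
# starts every EPROCESS; the other keys are byte offsets within the block.
PROFILES = {
    "WinXP SP2/SP3 x86": dict(magic=b"\x03\x00\x1b\x00", size=0x260, dtb=0x18,
                              create=0x70, exit=0x78, pid=0x84, name=0x174),
    "Win7 x86":          dict(magic=b"\x03\x00\x26\x00", size=0x2c0, dtb=0x18,
                              create=0xa0, exit=0xa8, pid=0xb4, name=0x16c),
}
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_dt(ft: int):
    """Windows FILETIME (100 ns ticks since 1601) -> aware datetime, None if zero."""
    return None if ft == 0 else EPOCH_1601 + timedelta(microseconds=ft // 10)


def dt_to_filetime(dt: datetime) -> int:
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10


def _read_block(mem, pos, osname, p):
    """Validate one candidate at pos; return a record or None if it is noise."""
    pid, = struct.unpack_from("<I", mem, pos + p["pid"])
    dtb, = struct.unpack_from("<I", mem, pos + p["dtb"])
    created, = struct.unpack_from("<Q", mem, pos + p["create"])
    exited, = struct.unpack_from("<Q", mem, pos + p["exit"])
    raw_name = mem[pos + p["name"]: pos + p["name"] + 16].split(b"\x00", 1)[0]
    # Plausibility checks that weed out coincidental header bytes: PIDs are
    # non-zero multiples of 4 (the idle process, PID 0, is deliberately dropped),
    # the DTB is non-zero and at least 32-byte aligned (PAE), the name is
    # printable ASCII and the block carries a create time.
    if pid == 0 or pid % 4 or dtb == 0 or dtb & 0x1F or created == 0:
        return None
    if not raw_name or any(b < 0x20 or b > 0x7E for b in raw_name):
        return None
    return dict(profile=osname, offset=pos, pid=pid, dtb=dtb,
                name=raw_name.decode("ascii"),
                created=filetime_to_dt(created), exited=filetime_to_dt(exited))


def carve_eprocess(mem: bytes, profiles=PROFILES):
    """Scan mem for every profile's header magic and keep the blocks that validate."""
    hits = []
    for osname, p in profiles.items():
        pos = mem.find(p["magic"])
        while pos != -1:
            if pos + p["size"] <= len(mem):
                rec = _read_block(mem, pos, osname, p)
                if rec:
                    hits.append(rec)
            pos = mem.find(p["magic"], pos + 1)
    return sorted(hits, key=lambda r: r["offset"])


def fake_eprocess(p, pid, name, dtb, created, exited=None) -> bytes:
    """Constructed block: zero-filled except for the fields the carver reads."""
    blob = bytearray(p["size"])
    blob[0:4] = p["magic"]
    struct.pack_into("<I", blob, p["dtb"], dtb)
    struct.pack_into("<Q", blob, p["create"], dt_to_filetime(created))
    struct.pack_into("<Q", blob, p["exit"], dt_to_filetime(exited) if exited else 0)
    struct.pack_into("<I", blob, p["pid"], pid)
    blob[p["name"]: p["name"] + len(name)] = name.encode("ascii")
    return bytes(blob)


def sample_host_dump() -> bytes:
    """Constructed host capture: XP host processes plus a Win7 guest's page in host RAM."""
    xp, w7 = PROFILES["WinXP SP2/SP3 x86"], PROFILES["Win7 x86"]
    t0 = datetime(2009, 2, 21, 14, 0, tzinfo=timezone.utc)
    mem = bytearray(0x4000)
    mem[0x0830:0x0830 + xp["size"]] = fake_eprocess(xp, 4, "System", 0x00039000, t0)
    mem[0x1200:0x1200 + xp["size"]] = fake_eprocess(
        xp, 1588, "notepad.exe", 0x07C1F000,
        t0 + timedelta(minutes=5), t0 + timedelta(minutes=9))
    mem[0x2020:0x2020 + w7["size"]] = fake_eprocess(
        w7, 348, "csrss.exe", 0x00185000, t0 + timedelta(hours=1))
    mem[0x3000:0x3004] = xp["magic"]  # decoy header with nothing valid behind it
    return bytes(mem)


if __name__ == "__main__":
    for r in carve_eprocess(sample_host_dump()):
        print(f'{r["offset"]:#010x} {r["profile"]:<18} pid={r["pid"]:<5} '
              f'dtb={r["dtb"]:#010x} {r["name"]:<16} '
              f'created={r["created"]} exited={r["exited"]}')
```

To use it on a real capture, read the image into mem (or scan it in overlapping chunks) and add a profile entry for each kernel build you expect; the checks in _read_block are what keep a four-byte header match from turning into a false process.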
I tried to use Windbg

Speaking Engagement (2008-01-23)
I am presenting a two-day course on RAM Acquisition and RAM Analysis at the International Association of Computer Investigative Specialists (IACIS) 2008 CFCE course, between April 28, 2008 and May 9, 2008 in Orlando, Florida. My sponsor is Digital Intelligence. The following is a quick synopsis of the training:
RAM Analysis - Vista and Beyond
Everything run on a computer passes through RAM at

RAM Capture Methodology (2008-01-22)

Guillotine Steps and Conditions (2008-01-22)
Conditions:
• Machine is on but not logged in.
• Machine is on / logged on / not running encryption (BitLocker, BestCrypt...). (If running encryption, make a logical image immediately.)
• You have physical access to the machine.
• You know what a hard drive Molex cable looks like... (Easiest

"Guillotine Method" for RAM Acquisition (2008-01-22)
Scenario #1: You come up to a desktop computer that you have legal authority to forensically analyze. The computer is powered up but sitting at the Windows login screen. No chance to get an image of the RAM, so you pull the plug from the back of the machine and retreat to the lab.
At the lab you discover that the hard drive has been encrypted with BitLocker. What could

User Assist Data in the RAM Dump (2007-12-01)
Lately some good information has been posted on the web regarding the importance of UserAssist, especially by Didier Stevens (http://blog.didierstevens.com/programs/userassist/) and Harlan Carvey (http://windowsir.blogspot.com/). Recently, and completely by coincidence, I found some UserAssist remnants in the RAM