Where did we start? From time to time, I still reminisce about my first ransomware investigation. The attack affected a family business in Florida during the summer of 2015. Business was humming along until one fateful morning when an employee arrived for their day of work, only to find that files stored on their servers were encrypted. I will never forget how devastated the ... READ MORE
Forensics
Footprinting the Target with Recon-ng
Thank you for dropping in for part 2 of our tutorial series on LaNMaSteR53's Recon-ng information gathering framework. Last time, we focused on the fundamentals of navigation within the tool, selecting, configuring and executing modules, and understanding the output. If you came across this page first, please drop back to Part 1 of the series to get a solid background on the ... READ MORE
Reconnaissance with Recon-ng
Intro to Recon-ng Reconnaissance is the first and arguably the most critical phase of any penetration test. It is the first step of the Attacker’s Methodology, and depending on how it is done will define how the test proceeds. This information gathering phase can be done countless different ways, but if it is not done correctly, you end up with very limited information and ... READ MORE
Email Hunting – Recon with Hunter.io
The Problem with OSINT... Something we as pentesters have to contend with on each of our engagements is recon. It is the nature of the beast with pentesting. Unlike Hugh Jackman, we cannot simply pull Hollywood magic out of our hats and break into networks on demand. If you want to successfully pull off the heist and get away with the loot, you need to do your homework ... READ MORE
Ghosts in the Machines
Methods for the prevention, detection, and removal of ghosts in digital networks We often find that clients are so focused on preventing attacks from malicious living humans that they completely neglect the threat posed by ghosts. With that in mind, today’s post focuses on defensive measures that can be implemented to (1) prevent ghost infestations; (2) detect paranormal ... READ MORE
Decrypting SSL Traffic with Wireshark
I recently was involved in an responding to an incident and one thing that was key to our investigation was decrypting SSL traffic. The attacker got a web shell on one of the servers and was mucking around with that. All of the traffic was over HTTPS, but we fortunately had the key. This allowed us to decrypt the traffic and view all of the commands issued. It was quite ... READ MORE
CTF – Malware Analysis Walkthrough
RSM hosted a capture the flag tournament for high school students at Mount Union back in April. This is the walkthrough for the forensics 400 CTF challenge. ("It should have been posted earlier, but it fell through the cracks." -patchwork). In my first walk-through I spent a lot of time talking about how I meant for the problem to be able to be solved without much prior ... READ MORE
Find Sensitive Data with Bulk Extractor
Bulk Extractor is a great tool for searching a file system for sensitive data. Bulk extractor ignores the file system and scans it linearly. This, in combination with parallel processing, makes the tool very fast. It will have an issue with fragmented files, but typically, files aren't fragmented. Follow the directions here for installation. Using BEViewer, the ... READ MORE
Real World Malware Analysis Part 4: Dynamic Analysis
Last time we used Malwr.com to automate a lot of our analysis, but the process was not without a few sticking points. Malware analysis typically falls into two categories, static and dynamic. These two really go hand-in-hand, and while it is possible to alternate between them, today we will focus on dynamic analysis. Remember to properly set up your lab environment! We are ... READ MORE
Collecting Volatile Data with AWK
On a recent forensics case, a coworker and I noticed some interesting logs on a Linux web server. TCPDump showed some strange traffic from a handful of IPs, but the access logs were not showing any visits from the offending addresses. The traffic was encrypted so it wasn't possible to see what was being sent, so we needed to do some additional digging. A lot is required to take ... READ MORE