ipython notebook poc memory forensics

  1. 3/6/13 IPython Notebook

     IPython Notebook demo: POC for scraping memory dumps for IP addresses. How to extract data out of a memory dump.

     In [7]: import time
             import struct
             import hashlib
             """
             Demo POC for scraping memory dumps of IP Addresses
             """
             filename = "/root/Desktop/mem/devmem"

     Open the file in a variable memory_dump:

     In [3]: memory_dump = open(filename, "rb")

     In [4]: memory_dump
     Out[4]: <open file '/root/Desktop/mem/devmem', mode 'rb' at 0xa346d8>

     127.0.0.1:8888/9eff193a-7992-4664-a42e-449b27966323/print 1/7
  2. Here I build a byte reader function to buffer reads of 18 bytes at a time:

     In [5]: def byte_reader(memory_dump, number_bytes):
                 # Read the bytes
                 bytes = memory_dump.read(number_bytes)
                 return bytes

     In [7]: byte_reader(memory_dump, 18)
     Out[7]: (the first 18 raw bytes of the dump, returned as a Python string)

     This function reads the bytes and creates an MD5 hash of them:

     In [8]: def hashing_byte_reader(memory_dump, number_bytes):
                 # Read the bytes and return the MD5
                 bytes = memory_dump.read(number_bytes)
                 m = hashlib.md5()
                 m.update(bytes)
                 hash_bytes = m.hexdigest()
                 return bytes, hash_bytes
  3. POC rolling 18-byte block fuzzy hashing tool implemented in Python:

     In [10]: fd = open(filename, "rb")
              i = 0
              for element in range(0, 56):
                  buffer = hashing_byte_reader(fd, 18)
                  print buffer

     (Output: 56 (bytes, md5) tuples, one per 18-byte block.)
  4. Demo to parse the mem file with 10 of the 56 records, each of length 18:

     In [6]: fd = open(filename, "rb")

     In [7]: i = 0
  5. In [8]: # Demo to parse the mem file with 10 of 56 records each of length 18
             for element in range(0, 10):
                 buffer = byte_reader(fd, 18)
                 print 100 * "*"
                 print i
                 # Bytes 0-3: source IPv4 address, one octet at a time
                 sourceAddress = struct.unpack_from("B", buffer, 0), struct.unpack_from("B", buffer, 1), struct.unpack_from("B", buffer, 2), struct.unpack_from("B", buffer, 3)
                 print "Reading Source IP Address"
                 time.sleep(0.5)
                 # Bytes 4-7: destination IPv4 address
                 destinationAddress = struct.unpack_from("B", buffer, 4), struct.unpack_from("B", buffer, 5), struct.unpack_from("B", buffer, 6), struct.unpack_from("B", buffer, 7)
                 print "Reading Destination IP Address"
                 time.sleep(0.5)
                 # Bytes 8-13: source port, destination port, protocol (16-bit each)
                 sourcePort = struct.unpack_from("H", buffer, 8)
                 destinationPort = struct.unpack_from("H", buffer, 10)
                 protocolUsed = struct.unpack_from("H", buffer, 12)
                 # Bytes 14-17: timestamp, one byte at a time
                 timeStamp = struct.unpack_from("B", buffer, 14), struct.unpack_from("B", buffer, 15), struct.unpack_from("B", buffer, 16), struct.unpack_from("B", buffer, 17)
                 a, b, c, d = sourceAddress
                 e, f, g, h = destinationAddress
                 j = sourcePort
                 k = destinationPort
                 print "sourceAddress =", ".".join([str(a[0]), str(b[0]), str(c[0]), str(d[0])])
                 print "destinationAddress =", ".".join([str(e[0]), str(f[0]), str(g[0]), str(h[0])])
                 print "sourcePort =", j[0]
                 print "destinationPort =", k[0]
                 print "protocolUsed =", protocolUsed
                 print "timeStamp =", timeStamp
                 time.sleep(2)
                 i += 1

     (Output: ten records, numbered 0 to 9, each printed as sourceAddress and destinationAddress in dotted form, sourcePort and destinationPort as integers, and protocolUsed and timeStamp as the raw tuples struct.unpack_from returns; the first records are 192.168.x.x addresses.)
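As an added example (not the notebook's own code), the same 18-byte record layout parsed in Python 3 with an explicit byte order, a per-block MD5 as on slide 3, and a guard for a truncated final block that the notebook's loop would feed into struct unchanged. The big-endian field order, the 32-bit timestamp reading and the sample records are assumptions, not values from the page.

```python
import hashlib
import struct
from collections import namedtuple

# Layout the notebook assumes: 4-byte source IP, 4-byte destination IP,
# 16-bit source port, destination port and protocol, 4-byte timestamp.
RECORD_LEN = 18
# Assumption (not stated on the page): multi-byte fields are big-endian ("!"),
# as in captured network headers. The notebook's bare "H" uses the host's
# native order, so on a little-endian x86 host the bytes 00 01 read as 256,
# not 1; an explicit byte order avoids that ambiguity.
RECORD_FMT = "!4s4sHHHI"

Record = namedtuple("Record", "src dst sport dport proto ts md5")


def parse_record(raw):
    """Decode one 18-byte record; raise ValueError on a short block."""
    if len(raw) != RECORD_LEN:
        raise ValueError("need %d bytes, got %d" % (RECORD_LEN, len(raw)))
    src, dst, sport, dport, proto, ts = struct.unpack(RECORD_FMT, raw)
    return Record(".".join(str(b) for b in src),
                  ".".join(str(b) for b in dst),
                  sport, dport, proto, ts,
                  hashlib.md5(raw).hexdigest())  # block hash, as on slide 3


def parse_dump(data):
    """Walk a dump 18 bytes at a time, as the notebook does, but stop
    cleanly at a trailing partial block instead of unpacking garbage."""
    records = []
    for off in range(0, len(data) - RECORD_LEN + 1, RECORD_LEN):
        records.append(parse_record(data[off:off + RECORD_LEN]))
    return records


# Constructed sample: two records followed by a 5-byte tail (truncated dump).
SAMPLE = (
    struct.pack(RECORD_FMT, bytes([192, 168, 10, 100]), bytes([192, 168, 10, 101]),
                1078, 443, 6, 1362528000)
    + struct.pack(RECORD_FMT, bytes([10, 2, 0, 8]), bytes([192, 168, 10, 1]),
                  53, 40230, 17, 1362528005)
    + b"\x00\x01\x02\x03\x04"
)

if __name__ == "__main__":
    for rec in parse_dump(SAMPLE):
        print(rec)
```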
