Learning iPython Notebook Volatility Memory Forensics
Published in: Technology
  1. 3/6/13 IPython Notebook
     Next Steps - Where do you go from here?
     In [2]: from IPython.core.display import Image
             from IPython.core.display import HTML
             from IPython.lib.display import YouTubeVideo
     Google Rapid Response - GRR
     In [4]: !open https://code.google.com/p/grr/
     Keep the conversation going on Twitter
     In [5]: !open https://twitter.com/bigsnarfdude
     Find all the material on this talk on Github
     In [6]: !open https://github.com/bigsnarfdude
  2. In [6]: Image(filename="/Users/antigen/Desktop/bigsnarfhadoopstack1.png")
     Out[6]: (embedded image)
     In [7]: Image(filename="/Users/antigen/Desktop/bigsnarfjourney.png")
     Out[7]: (embedded image)
  3. Hadoop meets Sleuthkit
     In [2]: !open http://www.sleuthkit.org/tsk_hadoop/
     Python meets log2timeline
     In [1]: !open http://plaso.kiddaland.net/
  4. DFIR and Machine Learning - Match made in heaven waiting to happen
     In [ ]: !open http://scikit-learn.org/stable/
     In [ ]: !open http://drops.dagstuhl.de/opus/volltexte/2013/3790/pdf/dagrep_v002_i009_p109_s12371.pdf
     Fuzzy Hashing with ssdeep
     In [30]: !open http://ssdeep.sourceforge.net/
     In [1]: !open http://dfrws.org/2006/proceedings/12-Kornblum.pdf
     Integration with Python Indicators of Compromise?
     In [1]: !open https://github.com/jeffbryner/pyioc
     Thanks to Hacker School NYC
  5. Hacker School is a three-month, full-time school in New York for becoming a better programmer. We're free as in beer, and provide space, a little structure, time to focus, and a friendly community of smart builders dedicated to self-improvement.
     In [8]: !open https://www.hackerschool.com/
     Memory Forensics Cheat Sheet
     In [1]: !open https://blogs.sans.org/computer-forensics/files/2012/04/Memory-Forensics-Cheat-Sheet-v1.pdf
     Create images and graphs from arrays
     In [32]: X = np.array([0, 1, 2, 3, 4])
              Y = np.array([3, 5, 4, 6, 7])
     In [33]: plot(X, Y)
     Out[33]: [<matplotlib.lines.Line2D at 0x49db85c>]
  6. Here is the documentation I used in this presentation
     In [1]: !open https://volatility.googlecode.com/svn/branches/scudette/docs/tutorial.html
     Comparing MD5 APT1 Hashes against files
     In [27]: apt1_md5s = open('/root/Desktop/APT1md5').readlines()
              apt1_set_list = set([i.strip() for i in apt1_md5s[:]])
              apt1_set_list
     Out[27]: set([ ... the APT1 MD5 list, omitted here ... ])
     In [28]: memory_executables_MD5 = open('/root/Desktop/asdf/file.txt').readlines()
              memory_executables_MD5_set_list = set([i.split()[0] for i in memory_executables_MD5[:]])
              memory_executables_MD5_set_list
     Out[28]: set([ ... the MD5s of the executables dumped from memory, omitted here ... ])
  7. These sets are compared and any executables that are in APT1 hashes are returned
     In [29]: apt1_set_list.intersection(memory_executables_MD5_set_list)
     Out[29]: set([])
     Comparing MD5 APT1 Hashes against files
     "To denote the identity of a malicious binary or executable, analysts often use cryptographic hashing, which computes a hash value on a block of data, such that an accidental or intentional change to the data will change the hash value... Fuzzy hashes and other block/rolling hash methods provide a continuous stream of hash values for a rolling window over the binary. These methods produce hash values that allow analysts to assign a percentage score that indicates the amount of content that the two files have in common. A recent type of fuzzy hashing, known as context triggered piecewise hashing, has gained enormous popularity in malware detection and analysis in the form of an open-source tool called ssdeep." http://blog.sei.cmu.edu/post.cfm/fuzzy-hashing-techniques-in-applied-malware-analysis
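A fuller version of the MD5 set comparison in the In [27] to In [29] cells above, added here as an example and not code from the original notebook: it lower-cases digests, skips comment lines and malformed tokens, and keeps the path of each dumped executable that hits, so a match points at a file rather than only at a hash. The hash lists and paths are constructed placeholders, not real APT1 indicators.

```python
import re

# Constructed sample input (placeholders, not real APT1 indicators). The
# notebook read one MD5 per line from /root/Desktop/APT1md5 ...
APT1_MD5_LINES = """\
# APT1 indicator list (constructed placeholders)
0123456789abcdef0123456789abcdef
FEDCBA9876543210FEDCBA9876543210
deadbeefdeadbeefdeadbeefdeadbeef
"""

# ... and "md5 path" lines for executables dumped from memory (i.split()[0]).
MEMORY_MD5_LINES = """\
0123456789abcdef0123456789abcdef  dumped/pid_1234_svchost.exe
fedcba9876543210fedcba9876543210  dumped/pid_2048_update.exe
00000000000000000000000000000000  dumped/pid_4_system.exe
not-a-hash                        dumped/pid_9_garbage.bin
"""

MD5_RE = re.compile(r"^[0-9a-f]{32}$")


def parse_hash_lines(text):
    """Yield (md5, rest_of_line) for each usable line: lower-cases the digest,
    skips blank and '#' lines, drops tokens that are not 32 hex digits."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        md5 = parts[0].lower()
        if MD5_RE.match(md5):
            yield md5, (parts[1] if len(parts) > 1 else "")


def apt1_matches(apt1_text, memory_text):
    """Return {md5: [paths]} for dumped executables whose MD5 is on the APT1
    list; like the notebook's set().intersection() but keeps the file path."""
    apt1_set = {md5 for md5, _ in parse_hash_lines(apt1_text)}
    hits = {}
    for md5, path in parse_hash_lines(memory_text):
        if md5 in apt1_set:
            hits.setdefault(md5, []).append(path)
    return hits


if __name__ == "__main__":
    for md5, paths in sorted(apt1_matches(APT1_MD5_LINES, MEMORY_MD5_LINES).items()):
        print(md5, paths)
```

The upper-case entry in the constructed APT1 list still matches because both sides are normalised; the notebook's plain set intersection would have missed it.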
  8. Compare MD5 to Whitelisted MD5s
     In [ ]: !open http://www.nsrl.nist.gov/Downloads.htm
     Compare MD5 to Blacklisted MD5s
     In [ ]: !open http://virusshare.com/hashes/
     Moar Reading on Fuzzy Hashing
     In [35]: !open http://threatthoughts.com/2013/01/28/koing-malware-graph-theory-and-fuzzy-hashes/
     In [36]: !open http://ssdeep.sourceforge.net/
     In [37]: !open http://jessekornblum.com/presentations/cdfsl07.pdf
     Volatility Labs - Month of Volatility Plugins
     In [3]: !open http://volatility-labs.blogspot.ca/2012/09/movp-11-logon-sessions-processes-and.html
  9. Paper of Android Memory Analysis with Volatility
     In [5]: !open http://computer-forensics.sans.org/summit-archives/2012/android-mind-reading-memory-acquisition-and-analysis-with-lime-and-
     Tool for monitoring installation routines of programs
     In [9]: !open http://www.martau.com/installation-monitor.php
     In [34]: HTML("<iframe src=https://volatility.googlecode.com/svn/branches/scudette/docs/index.html width=1000 height=400></iframe>")
     Out[34]: Volatility Technology Preview Documentation. 1. Tutorial 2. User Manual a. The Pmem Memory acquisition suite 3. Developer Information 4. References and Further Information. Last updated 2012-11-15 10:38:39 CET
  10. Cuckoobox, Volatility, Yara Video on YouTube
      In [11]: YouTubeVideo(id="mxGnjTlufAA", width=600, height=400)
      Out[11]: (embedded video)
      Awesome Potential of Visualization for memory space and processes
      In [10]: !open http://pinterest.com/pin/95138610848206436/
      Books over blogs
  11. In [7]: !open http://pinterest.com/dangleebits/
      Awesome Team Responsible for Volatility
      In [4]: !open https://code.google.com/p/volatility/wiki/VolatilityTeam