Volatile Memory Analysis With Volatility : Coreflood Trojan
Introduction This is the first post of multi part series in which we will walk through basics of volatile Memory analysis with Volatility. Though some knowledge of Windows Internal is desirable but I will try to cover things as we progress. In this post, we will start with analyzing Coreflood Trojan with basic command and […]
Root Me: Active Directory -GPO
Category: Forensic The challenge involves analyzing .pcap file having multiple protocols. In this particular challenge we need to analyze SMB protocol and find the missing flag. Prerequisites: Knowledge of a network capture analyzing tool. Knowledge of the group policy. Knowledge of Python You can find the challenge at below link : https://www.root-me.org/en/Challenges/Forensic/Active-Directory-GPO Statement During a security audit, […]
Root Me: SSL — HTTP exchange
Category: Network The challenge involves analyzing .pcap file having multiple protocols. In this particular challenge we need to analyze HTTPs protocol and find the missing flag. Prerequisites: Knowledge of a network capture analyzing tool. Knowledge of the HTTPS protocols. You can find the challenge at below link : https://www.root-me.org/en/Challenges/Network/SSL-HTTP-exchange Statement This challenge comes from the 19th DEFCON […]
ROOT-Me.org Network Challenges
ROOT-Me.org Network FTP-authentication Challenges In this challenge a pcap file is provided and we have to find the user password To start with download the pcap file and open it in Wireshark. In the first three lines we can see 2 way TCP Handshake (Syn, Ack, Syn-Ack) between source and destination server. Next we can […]
Volatility Forensic Analysis: R2D2 Malware
Hunting R2D2 Malware To start on this malware expedition, please download image from here . Once image file is downloaded, lets find out more about it by using volatility imageinfo plugin C:\volatility>volatility.exe -f 0zapftis.vmem imageinfoVolatility Foundation Volatility Framework 2.6INFO : volatility.debug : Determining profile based on KDBG search… Suggested Profile(s) : WinXPSP2x86, WinXPSP3x86 (Instantiated with WinXPSP2x86) AS […]
Root-me Command and Control Challenges
In this post we will go through command and control challenges on https://www.root-me.org/. Since , this challenge is still open we will not post the answers but will only document the steps and approach that was taken to solve the challenges. Command & Control — level 2 Find workstations hostname from memory dump The first approach that came into my […]
Forensic Analysis: jackcr difr challenge
After completing Cridex Malware analysis decided to take up jackcr difr challenge for further learning . I will continue to use Volatility Open Source Framework for this analysis .Also, you can read, Cridex Malware analysis here Challenge The challenge consist of 4 memory dumps and one packet capture. Two memory dumps from user machines , 1 memory dump […]
Forensic Memory Analysis with Volatility
After analyzing multiple dump files via Windbg, the next logical step was to start with Forensic Memory Analysis. After going through lots of youtube videos I decided to use Volatility — A memory forensics analysis platform to being my journey into Memory analysis. Why Volatility It is written in python and python is my go to scripting […]
Windows Process
In this post we will take a closer look at Windows Process. We will start with defining different parts of a process, look briefly into Virtual Address space and then will take a closer look into internal data structure and threads. A process is a container inside which a program executes. At a very high […]
Setting Up Windows 2019Virtualbox VM for Kernel Mode Debugging
I’ve been reading on Windows Memory Management and decided to take a deeper dive into Windows Memory Management. For this I decided to use Windbg in Kernel mode, attach it to 2019 VM . I am documenting the steps for future reference. For installing windbg preview please refer to my previous post Before we start we […]