dfc
Digital Forensics
Curated by Ludaohong

Update: New 25 GPU Monster Devours Passwords In Seconds

Editor's note: I've updated the article with some new (and in some cases clarifying) detail from Jeremi. I've left changes in where they were made. The biggest changes: 1) an updated link to slides, 2) clarifying that VCL refers to Virtual OpenCL, and 3) that the quote regarding 14-char passwords falling in 6 minutes was for LM-encrypted, not NTLM-encrypted, passwords. Long (8-char) NTLM passwords would take much longer, around 5.5 hours. - Paul

Volatility Labs: Solving the GrrCon Network Forensics Challenge with Volatility

Although participants were provided a memory sample, packet capture, and file system timeline, as a personal challenge our goal was to use only the provided memory sample. This required some very detailed investigation with Volatility and also a bit of Windows malware analysis skills. We believe that walking through the approach we took to solving the challenge will both showcase the power of memory analysis and Volatility, including newly released plugins, and also serve as a learning example for other investigators.

MemGator

MemGator is a memory file interrogation tool that automates the extraction of data from a memory file and compiles a report for the investigator. It brings together a number of memory analysis tools, such as the Volatility Framework and PTFinder, in one program. Data can be extracted on memory details, processes, network connections, malware detection, passwords and encryption keys, and the registry.

Improving APKInspektor


Good things happen when Forensics and Malware Analysis work together. - SpiderLabs Anterior

First: if the service description is "Windows RPC Assistant" (which I've never heard of), why is the executable named "mssvc.exe" and why is the service named "rcpassist"?

Second: Is that a regex embedded in the executable? (\d{15,19}=\d{13,})

And third: What is t5701.dat?
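The regex in the second question has the shape of magnetic-stripe Track 2 data: a 15-19 digit PAN, the "=" field separator, then expiry date, service code and discretionary data. As an added example (my own code, not SpiderLabs'), the Python below scans a raw buffer for that pattern and runs a Luhn mod-10 check on each candidate PAN, which is the quickest way to separate real card data from digit runs that merely match the regex when you sweep a memory dump or disk image with it. The sample buffer is constructed; the PAN in it is the well-known test number 4111111111111111.

```python
import re

# The regex quoted from the executable: 15-19 digits, '=', then 13 or more digits.
# That is the layout of Track 2 data: PAN '=' YYMM service-code discretionary-data.
TRACK2_RE = re.compile(rb"(\d{15,19})=(\d{13,})")


def luhn_ok(pan: str) -> bool:
    """Luhn mod-10 check: genuine card numbers pass it, most random digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:           # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_track2(buf: bytes):
    """Scan a raw buffer (memory dump, file, pcap payload) for Track 2 candidates.

    Returns (pan, trailer, offset, luhn_valid) per regex hit. Hits that fail Luhn
    are still reported, flagged, so the analyst can decide what they are.
    """
    hits = []
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode("ascii")
        trailer = m.group(2).decode("ascii")
        hits.append((pan, trailer, m.start(), luhn_ok(pan)))
    return hits


# Constructed sample buffer (not from the malware): a Luhn-valid test PAN with a
# plausible Track 2 trailer, a 16-digit run with the right shape that fails Luhn,
# and a short digit pair the regex must not match.
SAMPLE = (
    b"\x00\x00GET /index.asp HTTP/1.1\r\n"
    b"4111111111111111=25121011234567890123?\x00"
    b"1234567890123456=1234567890123\x00"
    b"123=456"
)


def scan_sample():
    return find_track2(SAMPLE)


if __name__ == "__main__":
    for pan, trailer, off, ok in scan_sample():
        print(f"offset {off:#06x}  PAN {pan}  Luhn {'ok' if ok else 'FAIL'}  trailer {trailer}")
```

Running the same regex with a Luhn filter over a process memory dump of mssvc.exe would show whether the t5701.dat file it touches is a harvest of scraped track data rather than anything else; a regex hit alone is not evidence, a Luhn-valid hit in a file the binary writes is.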

Big Brother on a budget: How Internet surveillance got so cheap

Deep packet inspection, petabyte-scale analytics create a "CCTV for networks."...

jessekornblum: Practical "Looks Like" Similarity

We can make a "similarity score" for pictures by reducing the information contained in the picture and then comparing the reduced data. For example, Dr. Neal Krawetz described such a method on his blog [3]. The technique reduces any image to 8x8 pixels, converts it to grayscale, throws away some bits from each pixel, and computes the average pixel value of this small image. A signature is then constructed based on whether each pixel is above or below the average value. The result is a single 64-bit number which represents the image.
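The procedure above, as an added example rather than code from Kornblum's or Krawetz's posts, in plain Python with no imaging library: the image is a 2-D list of pixel values (grey or RGB), box-averaged down to 8x8, quantized to drop the low two bits, and turned into a 64-bit signature by comparing each cell with the mean; two signatures are compared by Hamming distance. The sample images are constructed gradients; the brightness offset and the inversion are there to show what the hash ignores and what flips every bit.

```python
def to_grayscale(pixels):
    """pixels: rows of either scalar grey values or (r, g, b) tuples -> rows of floats."""
    gray = []
    for row in pixels:
        line = []
        for p in row:
            if isinstance(p, (tuple, list)):
                r, g, b = p
                line.append(0.299 * r + 0.587 * g + 0.114 * b)   # Rec. 601 luma
            else:
                line.append(float(p))
        gray.append(line)
    return gray


def downscale(gray, size=8):
    """Box-average an h x w grid into a size x size grid (no PIL needed)."""
    h, w = len(gray), len(gray[0])
    small = []
    for by in range(size):
        y0 = by * h // size
        y1 = max((by + 1) * h // size, y0 + 1)
        row = []
        for bx in range(size):
            x0 = bx * w // size
            x1 = max((bx + 1) * w // size, x0 + 1)
            block = [gray[y][x] for y in range(y0, y1) for x in range(x0, x1)]
            row.append(sum(block) / len(block))
        small.append(row)
    return small


def average_hash(pixels, drop_bits=2):
    """Average hash as described in the post: 8x8 -> grey -> drop low bits -> compare to mean.

    Returns a 64-bit int; bit i is 1 when cell i is above the mean cell value.
    """
    cells = [int(v) >> drop_bits for row in downscale(to_grayscale(pixels)) for v in row]
    mean = sum(cells) / len(cells)
    sig = 0
    for v in cells:
        sig = (sig << 1) | (1 if v > mean else 0)
    return sig


def hamming(a, b):
    """Number of differing bits: 0 = same signature, 64 = every bit differs."""
    return bin(a ^ b).count("1")


def make_gradient(offset=0, invert=False, size=16):
    """Constructed 16x16 grey image: a left-to-right ramp, optionally brightened or inverted."""
    def px(x):
        v = x * 16
        return (255 - v) if invert else (v + offset)
    return [[px(x) for x in range(size)] for _ in range(size)]


if __name__ == "__main__":
    base = average_hash(make_gradient())
    brighter = average_hash(make_gradient(offset=12))
    inverted = average_hash(make_gradient(invert=True))
    print(f"base      {base:016x}")
    print(f"brighter  {brighter:016x}  distance {hamming(base, brighter)}")
    print(f"inverted  {inverted:016x}  distance {hamming(base, inverted)}")
```

Because every cell is compared with the image's own mean, a uniform brightness change leaves the signature untouched, while inverting the image flips all 64 bits; that is also why two unrelated flat images can collide, so in practice a small Hamming distance is a lead to verify, not a match.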

Forensic Log Parsing with Microsoft's LogParser | Symantec Connect Community

Trojan Files

Before we dig in to the actual log files, it may be useful to do a quick check of the newest files on the web site. If the intruder was able to create or modify files within the web content directories, he or she may have uploaded Trojan ASP scripts or executables. You might just get lucky and find these files. The following query lists the 20 newest files on the web site:
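The article's LogParser query itself is not reproduced in this excerpt. As an added example (my own code, not the article's), the same first check in Python: walk the web root, sort by modification time, and flag the newest files whose extension is one a dropped script or executable would typically carry. Both mtime and ctime are reported because an intruder can reset mtime after uploading; the demo tree is constructed in a temporary directory, and the extension list is an assumption to adapt to the site.

```python
import os
import tempfile
import time

# Extensions an uploaded web shell or dropped tool typically uses (assumption; adapt per site).
SUSPECT_EXTS = (".asp", ".aspx", ".php", ".jsp", ".exe", ".dll", ".bat", ".vbs")


def newest_files(root, n=20):
    """Return the n most recently modified files under root, newest first.

    Each entry is (path, mtime, ctime). ctime is the inode change time on POSIX
    and the creation time on Windows; either way a file whose mtime is far older
    than its ctime deserves a second look, since mtime is trivial to forge.
    """
    entries = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path)
            except OSError:
                continue              # vanished or unreadable: skip, don't abort the sweep
            entries.append((path, st.st_mtime, st.st_ctime))
    entries.sort(key=lambda e: e[1], reverse=True)
    return entries[:n]


def suspect(entries, exts=SUSPECT_EXTS):
    """Filter entries down to those with an extension from exts (case-insensitive)."""
    return [e for e in entries if os.path.splitext(e[0])[1].lower() in exts]


def build_demo_root():
    """Constructed sample web root in a temp dir: two month-old legitimate files
    plus two recent drops, with mtimes set explicitly."""
    root = tempfile.mkdtemp(prefix="wwwroot_")
    now = time.time()
    plan = [                       # (relative path, age in seconds)
        ("default.asp", 30 * 86400),
        ("img/logo.gif", 31 * 86400),
        ("upload/shell.asp", 600),
        ("bin/helper.exe", 60),
    ]
    for rel, age in plan:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"x")
        os.utime(path, (now - age, now - age))
    return root


def demo():
    """Run the sweep on the constructed root; returns basenames for easy checking."""
    root = build_demo_root()
    newest = newest_files(root, 20)
    return {
        "newest": [os.path.basename(p) for p, _m, _c in newest],
        "suspect": [os.path.basename(p) for p, _m, _c in suspect(newest)],
    }


if __name__ == "__main__":
    for path, mtime, ctime in newest_files(build_demo_root(), 20):
        flag = "  <-- check" if suspect([(path, mtime, ctime)]) else ""
        stamp = time.strftime("%Y-%m-%d %H:%M:%S", time.localtime(mtime))
        print(f"{stamp}  {path}{flag}")
```

The extension filter is a triage aid, not evidence: default.asp is flagged by extension too, and a shell renamed to .gif is not. Read the order of the list against the incident window, then hash anything new and compare it with the deployed release.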

CSI:Internet - A trip into RAM - The H Security: News and Features

It's Friday around lunch time, and I am looking forward to taking off early for the weekend when my cell phone rings. It's my friend Wolfgang, who nervously tells me that his bank just called to say his account has been temporarily blocked. Apparently, his bank data popped up on a Russian server, and 2,000 euros have already been withdrawn from his account...

Windows 8 Forensics: Reset and Refresh Artifacts

Everything about the machine pre-refresh can be recovered, and is placed into a folder named windows.old. Information in regards to the migration process, old vs.

Low-level iOS forensics - Sogeti ESEC Lab

iOS filesystem encryption and data protection mechanisms are now well documented and supported by many forensics tools. iOS devices use NAND flash memory as their main storage area, but physical imaging usually refers to a "dd image" of the logical partitions. The iOS Flash Translation Layer for current devices is software-based (implemented in iBoot and the kernel), which means that the CPU has direct access to raw NAND memory. In this post we will describe how to acquire a NAND image and use FTL metadata to recover deleted files on A4 devices. The information presented here is based on the great reverse engineering work done by the iDroid/openiBoot team.

libimobiledevice - Teaching Penguins to talk to fruits

libimobiledevice is a software library that talks the protocols to support iPhone, iPod Touch, iPad and Apple TV devices on Linux without the need for jailbreaking.

AccessData to Unveil Version 2 of Its CIRT Platform at Black Hat USA 2012 | ForensicFocus.com

AccessData Group, the largest digital forensics technology company in the U.S. by revenue, today announced that it will introduce Version 2 of its Cyber Intelligence & Response Technology (CIRT 2) security platform at Black Hat USA 2012, July 21-26 in Las Vegas. CIRT is expected to have a major impact on enterprise IT security by delivering network forensics, computer forensics, large-scale data auditing, malware analysis and remediation capabilities in a single product. CIRT 2 enables incident responders and information assurance teams to view all critical data through a single pane of glass. It introduces Cerberus, the first integrated malware analysis and triage technology of its kind; in addition, CIRT 2 introduces removable media monitoring and now integrates with third-party alerting and security management platforms to allow CIRT to respond automatically when ...

Index of /hitbsecconf2012kul/materials

D1T1 - Barisani and Bianco - Practical Exploitation of Embedded Systems.pdf 10-Oct-2012 04:37 1.8M
D1T1 - Chris Wysopal - Data Mining a Mountain of Vulnerabilities.pdf 10-Oct-2012 06:45 3.0M
D1T1 - Lucas Adamski - Firefox OS and You.pdf 10-Oct-2012 11:55 3.7M
D1T1 - Petko Petkov - History of the JavaScript Security Arsenal.pdf 10-Oct-2012 09:25 4.6M
......

Windows Slowdown, Investigated and Identified

I recently noticed that my Windows 7 home laptop was running slower than usual. It seemed to be spending a lot of time waiting on disk I/O. When I looked at Task Manager it showed that my laptop wa...

Russian FruitNinja Backdoor Analysis

The malware analysis was done on the Android application to see the sophistication of real-world malware writers and the application's internals. Though the legitimate application markets are trying to clean out all backdoored versions of the application, it was observed that some applications were still able to carry malicious code despite all the efforts to plug the loopholes. This may be attributed largely to Android's open and distributed development model. The following simple safeguards can help users avoid such serious infections.

Major Milestone - The Hacker Factor Blog

Since my research partners don't want me to analyze porn on my blog, I'm turning to my fallback option. I'm enabling another analysis method on the FotoForensics site. When you view any picture, you'll see an analysis option called "JPEG %". This estimates the JPEG quality used when the picture was last saved.

Jiangsu Police Crack 642 Cybercrime Cases, Arrest 1,723 People (凤凰网 / ifeng.com news)

Changzhou cracked the "7.17" illegal intrusion into computer information systems case. In July this year, the Network Security Detachment of the Changzhou Public Security Bureau received a report from a local internet user, Zhang, who said that his QQ account had been stolen, along with more than 1,000 yuan worth of Q coins and other virtual currency held in the account. After two months of online investigation, the Changzhou cyber-police largely established that a criminal gang was stealing users' QQ account numbers and passwords by spreading Trojans and other means, then selling them on the internet, forming a "one-stop" illegal industry chain of account theft, account laundering and account sale. According to statistics, the gang stole more than 100,000 QQ accounts per day on average. The Ministry of Public Security placed the case under its direct supervision. In early September, the Network Security Detachment, together with the Zhonglou District sub-bureau, dispatched more than 100 officers to 15 provinces and cities including Hubei, Henan, Heilongjiang and Sichuan to carry out arrests, capturing 26 suspects including Niu and Yu, and completely dismantling this large cross-provincial hacker gang that stole and sold QQ accounts.

Searching With VirusTotal

Did you know that you can search VirusTotal? You don't have to submit a file; you can search for the report of a file that has been submitted before. You use a cryptographic hash (MD5, SHA1, SHA256) to identify the file.

There are several tools to submit a batch of files to VirusTotal, but I didn’t find any that just searches VirusTotal for a list of search terms via VirusTotal’s API.

Thus I wrote my own Python program. It accepts a file with a list of hashes, and produces a CSV file with the result. Here is an example displayed with InteractiveSieve:
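An added example of that kind of lookup, written here and not the author's own program (whose code is not in this excerpt): it reads a hash list, keeps only well-formed MD5/SHA1/SHA256 hex digests, queries VirusTotal's public API v2 file/report endpoint for each, and writes CSV. The HTTP call is injectable so the demo runs offline against constructed responses. Assumed: the v2 URL and response fields (response_code, positives, total, scan_date, sha256, permalink), the placeholder API key, and the EICAR test file's MD5 as the "found" sample. v2 is a legacy API limited to 4 requests per minute on public keys; the current API is v3, so add a delay between calls or switch endpoints before running it for real.

```python
import csv
import io
import json
import re
from urllib.parse import urlencode
from urllib.request import urlopen

# VirusTotal public API v2 file report endpoint (legacy; v3 is current). Assumed here.
VT_REPORT_URL = "https://www.virustotal.com/vtapi/v2/file/report"
DIGEST_LEN = {32: "md5", 40: "sha1", 64: "sha256"}
FIELDS = ["query", "type", "found", "positives", "total", "scan_date", "sha256", "permalink"]


def classify(h):
    """'md5' / 'sha1' / 'sha256' for a hex digest of matching length, else None."""
    h = h.strip().lower()
    return DIGEST_LEN.get(len(h)) if re.fullmatch(r"[0-9a-f]+", h) else None


def read_hashes(text):
    """One hash per line; '#' comments, blank lines and malformed entries are dropped."""
    out = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip().lower()
        if line and classify(line):
            out.append(line)
    return out


def http_get_json(url, params):
    """Real transport: GET url?params and parse the JSON body."""
    with urlopen(url + "?" + urlencode(params), timeout=30) as resp:
        return json.load(resp)


def lookup(hashes, apikey, fetch=http_get_json):
    """Query the report endpoint per hash; one dict per hash, keyed by FIELDS.

    In v2, response_code 1 means a report exists, 0 means VT has never seen the
    resource, -2 means analysis is still queued.
    """
    rows = []
    for h in hashes:
        rep = fetch(VT_REPORT_URL, {"apikey": apikey, "resource": h})
        row = {"query": h, "type": classify(h), "found": "no"}
        if rep.get("response_code") == 1:
            row.update(found="yes", positives=rep.get("positives"), total=rep.get("total"),
                       scan_date=rep.get("scan_date"), sha256=rep.get("sha256"),
                       permalink=rep.get("permalink"))
        rows.append(row)
    return rows


def to_csv(rows):
    """Serialise the rows to CSV text with a header; missing fields become empty cells."""
    buf = io.StringIO()
    w = csv.DictWriter(buf, fieldnames=FIELDS, restval="")
    w.writeheader()
    w.writerows(rows)
    return buf.getvalue()


# Constructed offline stand-in for the network: the EICAR test file's MD5 gets a
# made-up report, anything else comes back as "never seen".
FAKE_REPORTS = {
    "44d88612fea8a8f36de82e1278abb02f": {
        "response_code": 1, "positives": 60, "total": 70,
        "scan_date": "2012-10-01 00:00:00", "sha256": "constructed", "permalink": "constructed",
    },
}


def fake_fetch(url, params):
    return FAKE_REPORTS.get(params["resource"], {"response_code": 0})


# Constructed hash list: EICAR's MD5, a SHA1 digest VT "has not seen", and a malformed line.
SAMPLE_LIST = """\
# hashes from the case
44d88612fea8a8f36de82e1278abb02f
da39a3ee5e6b4b0d3255bfef95601890afd80709   # sha1 of the empty string
not-a-hash
"""


def demo():
    return lookup(read_hashes(SAMPLE_LIST), apikey="<your-key>", fetch=fake_fetch)


if __name__ == "__main__":
    print(to_csv(demo()))
```

Searching by hash never uploads the sample, which matters when the file is sensitive or the case is confidential; a "no" row only says VT has not seen that exact hash, not that the file is clean.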

Reversing Google Play and Micro-Protobuf applications | Segmentation fault

This article first highlights the limitations of existing projects. Then it focuses on the official Android client for Google Play and its internals, based on a Protobuf variant. Thanks to Androguard and its awesome static analysis features, I show how to automatically recover the .proto file of Google Play, enabling us to generate stubs for querying Google's servers. Finally, I quickly introduce the unofficial API.

VOLIX

This project aims to develop software that extends the use and simplifies the handling of the Volatility Framework.

Curriculum | MS in Digital Forensic Science | Graduate Studies

These are the course requirements that lead to the master's degree in Digital Forensic Science. Courses are subject to change.

Course Name
DIM 500: The Practice of Digital Investigation
DIM 550: Computer Forensics Laboratory Operation and Accreditation
DIM 570: Research Methodology
MBA 505: The Strategic Language of Business
DFS 510: Scripting for Digital Forensics
DFS 520: Operating System Analysis
DFS 530: Incident Response and Network Forensics
DFS 540: Malware Analysis
DFS 550: Mobile Device Analysis
DIM 560: Digital Investigation for Civil Litigation
DFS 580 & DFS 581: Capstone Research Projects 1& 2

Breaking into the OS X keychain

Update: I want to clear up some misconceptions. This is not a security bug in OS X. Everything works as designed. The point of this post was to show a post-exploitation technique and to release a tool for the job. I found this particular technique interesting because it is instantaneous, reliable across OS X versions, and requires no persistent changes in the system.

iPhone Forensics - on iOS 5

The goal of iPhone forensics is to extract data and artifacts from an iPhone without altering the information on the device. It can be performed on the backups made by iTunes (escrow key attack) or directly on the live device.

Key Twitter and Facebook Metadata Fields Forensic Investigators Need to be Aware of

Authentication of social media evidence can present significant challenges when you collect by screen shots, printouts or raw html feeds from an archive tool. This is just one reason why social med...