In my last article, we discussed the most important ways in which a rootkit enters a system and subsequently masks its presence so it isn’t detected. We also looked at two popular rootkit detectors, Tuluka and Gmer, and discussed which rootkit masking techniques they are able to identify […]
I was showing off a trick to export Firefox SQLite tables to a spreadsheet, and while she is a forensics person, she had never ever heard of this trick. It is neat enough to know when working off an image to pull the entire history of a Firefox […]
A rootkit is a piece of software written by someone who, at the very least, wants to spy on specific system calls made by an application, for some purpose. It’ll usually hide itself from normal directory and process listings made either by native OS tools or third […]
There is this misconception that iPhones are protected by the iPhone passcode. This may be true for non-jailbroken iPhones, but not for jailbroken ones.
It is possible to have root access to the iPhone file system using tools from libimobiledevice.org, even when the locked jailbroken iPhone is protected by the […]
Let’s pick up where we left off with the rootkit and post-exploitation video (http://www.youtube.com/watch?v=izv1b-BTQFw). Except, we are now doing incident response.
First you’ll see some normal live forensics on the victim and come up with nothing. Then we show how using network forensics techniques (looking at the victim from the […]
SSL and network monitoring aren’t the most compatible of partners – even with the most sophisticated detection infrastructure in the world, you’ll not derive many useful indicators from the barren randomness of encrypted traffic. Consider the plight of the Sguil sensor shown below:
The webserver’s use of SSL means that […]
NEWSFLASH: AnyTown Local News reports this Monday morning that the recent spate of office break-ins has continued with a weekend raid on the downtown branch office of HugeMegaCorp. In a statement, HugeMegaCorp said that “when staff arrived at the office on Monday morning, two laptops and a router were […]
This analysis comes in handy in computer forensics cases such as porn or child pornography investigations. This video shows how to search through hundreds of thousands of images on a hard drive and find only those with human flesh tones in them. We also look at Slack/Free Space and […]
This makes sure that the drive is unmounted. It may generate an error if the drive is not mounted, but that is ok.

mount -o rw,umask=000 /dev/sda1 /media/sda1

This will mount the drive as read/write, while the umask=000 option allows all users to read, write, and execute files on the media.
This article was part of a talk presented at BSidesChicago.
What’s Up With These Pesky Shells?
Web servers have become one of the main targets of malicious activity and are often a weak point within an organization’s infrastructure. Web application code is often deployed and forgotten or unmaintained by an organization, […]
Alternate Data Streams are a way to store data on a machine so that it is not readily accessible to users. Using ADS, files are not easily accessible through the Windows operating system and they do not show up in any file directory. Windows generates its own ADS files and most P2P […]
Sometimes the best evidence of a network intrusion resides in network or traffic logs. Snort is a well known open-source traffic analysis and network intrusion detection tool. However, using the logs from Snort we can also see how the intrusion happened, rather than just that an intrusion happened.
We’ll use Snort […]
In this video, we will review the wealth of forensic data stored on an iPhone 3Gs using Paraben’s Device Seizure software.
The iPhone is one of the most popular mobile devices on the market and that makes it a popular target for malware developers and data thieves.
Some of the types […]