archive
Tag: Analysis

2016/10/25

The Importance of Dual Tool Verification

Those of us working in the Digital Forensics and Incident Response realm rely on tools to harvest data for analysis, not to mention to perform the actual analysis. Let’s be honest: without tools, we would have a dickens of a time doing our jobs. Unfortunately, this has led to examiners having an inherent high level[…]

2014/10/13

Deobfuscating JavaScript and Shellcode: Debugging + Dedicated Tools – Part 2/2

Welcome to Part II of a two-part series on JavaScript and shellcode deobfuscation! In our first video, we explored a few different methods to deobfuscate JavaScript. The first session resulted in a deobfuscated HTML page complete with malicious JavaScript. In this session, I cover how the malicious JavaScript works. Additionally, I debug the shellcode that[…]

2014/08/05

Deobfuscating JavaScript and Shellcode: Debugging + Dedicated Tools – Part 1/2

Welcome to Part I of a two-part series on JavaScript and shellcode deobfuscation! In this first video, I explore a few different methods one can use to deobfuscate JavaScript. I cover using a browser-based debugger along with various Windows and Linux tools to decode scripts. We explore deobfuscating JavaScript in a real-world environment using readily-available[…]

2014/05/24

NTUSER, SOFTWARE or SYSTEM Hive Registry Parser

Registry Parser: There have been times when I would like to parse through an NTUSER, SYSTEM, or SOFTWARE hive and pull back just the keys and subkeys that have been modified between certain dates (which is one of the arguments for the below Python script). Thanks to William Ballenthin for showing how this is[…]

2014/04/23

Tracer Fire 5 Series: Part 2.0 (Indy Category)

by InterDimensional_Shambler
Categories: Analysis

Background: This is a continuation of the Tracer Fire 5 Series posts: http://malwerewolf.com/2014/03/tracer-fire-5-series-part-1-0-intro/

Tools Used: Kahu Security’s “converter” (http://www.kahusecurity.com/tag/converter/); your favorite hex editor (I use 010 Editor, McAfee’s File Insight, etc.); GIF Exploder (http://gif-explode.com/); 7-zip (http://www.7-zip.org/download.html); GIMP (http://www.gimp.org/); Winamp/VLC/audio player; ZIP Recovery (http://www.softpedia.com/get/Compression-tools/Zip-Recovery.shtml)

Indy Category: This category had a little bit of everything: ciphertext, images,[…]

2014/04/09

Wireshark Primer: Manual Carve HTTP Objects

by InterDimensional_Shambler
Categories: Analysis, Network Forensics

Wireshark Primer: Manual Carve HTTP Objects. Description: This is the first Wireshark primer article (there will be more) on how to manually carve HTTP objects from network dumps (PCAPs) using Wireshark. A lot of this can be done automatically with tools like NetworkMiner, PhotoRec, bulk_extractor, and Foremost, but this article is meant to[…]

2014/03/17

Tracer Fire 5 Series: Part 1.1 (Code Category)

by InterDimensional_Shambler
Categories: Analysis

Background: This is a continuation of the Tracer Fire 5 Series posts: http://malwerewolf.com/2014/03/tracer-fire-5-series-part-1-0-intro/

Tools Used: Kahu Security’s “converter” (http://www.kahusecurity.com/tag/converter/); your favorite hex editor (I use 010 Editor, McAfee’s File Insight, etc.)

Code Category: This might be a bit large for one post, but let’s get started! Code1: Original Puzzle: The answer for this page is[…]

2014/03/07

Tracer Fire 5 Series: Part 1.0 (Intro)

by InterDimensional_Shambler
Categories: Analysis

Background: If you are not familiar with Los Alamos National Laboratory’s “Tracer FIRE” events, there is an ample description here: http://csr.lanl.gov/tf/. Basically it’s a week-long event with various infosec/IT puzzles (primarily focused on forensics) and brain-busters that cover (but are not limited to): Encryption / Encoding; Malware Analysis / Reverse Engineering / Deobfuscation; Host[…]
