Learning iPython Notebook Volatility Memory Forensics
3/6/13                                                      IPython Notebook



   Next Steps - Where do you go from here?

In [2]: from IPython.core.display import Image
        from IPython.core.display import HTML
        from IPython.lib.display import YouTubeVideo






   Google Rapid Response - GRR

In [4]: !open https://code.google.com/p/grr/






   Keep the conversation going on Twitter

In [5]: !open https://twitter.com/bigsnarfdude






   Find all the material on this talk on Github

In [6]: !open https://github.com/bigsnarfdude




127.0.0.1:8888/6f10bc63-098a-499f-bd64-38e40467f465/print                      1/11

In [6]: Image(filename="/Users/antigen/Desktop/bigsnarfhadoopstack1.png")

Out[6]: (image: bigsnarfhadoopstack1.png)




In [7]: Image(filename="/Users/antigen/Desktop/bigsnarfjourney.png")

Out[7]: (image: bigsnarfjourney.png)






   Hadoop meets Sleuthkit

In [2]: !open http://www.sleuthkit.org/tsk_hadoop/




   .


   .


   .


   Python meets log2timeline

In [1]: !open http://plaso.kiddaland.net/







   DFIR and Machine Learning - Match made in heaven waiting to happen

In [ ]: !open http://scikit-learn.org/stable/


In [ ]: !open http://drops.dagstuhl.de/opus/volltexte/2013/3907/pdf/dagrep_v002_i009_p109_s12371.pdf






   Fuzzy Hashing with ssdeep

In [30]: !open http://ssdeep.sourceforge.net/


In [1]: !open http://dfrws.org/2006/proceedings/12-Kornblum.pdf






   Integration with Python Indicators of Compromise?

In [1]: !open https://github.com/jeffbryner/pyioc






   Thanks to Hacker School NYC






   Hacker School is a three-month, full-time school in New York for becoming a better programmer. We're free as in beer, and provide space, a little structure, time to focus,
   and a friendly community of smart builders dedicated to self-improvement.


In [8]: !open https://www.hackerschool.com/






   Memory Forensics Cheat Sheet

In [1]: !open https://blogs.sans.org/computer-forensics/files/2012/04/Memory-Forensics-Cheat-Sheet-v1.pdf






   Create images and graphs from arrays

In [32]: X = np.array([0, 1, 2, 3, 4])
         Y = np.array([3, 5, 4, 6, 7])


In [33]: plot(X, Y)

Out[33]: [<matplotlib.lines.Line2D at 0x4b98d5c>]






   Here is the documentation I used in this presentation

In [1]: !open https://volatility.googlecode.com/svn/branches/scudette/docs/tutorial.html






Comparing MD5 APT1 Hashes against files

In [27]: apt1_md5s = open('/root/Desktop/APT1md5').readlines()
         apt1_set_list = set([i.strip('\n') for i in apt1_md5s[0:]])
         apt1_set_list

Out[27]: set(['d3f9d4bc51db1e602093e3003fc789d9',
              ... 19 more MD5 digests from the APT1 list ...])

In [28]: memory_executables_MD5 = open('/root/Desktop/asdf/file.txt').readlines()
         memory_executables_MD5_set_list = set([i.split()[0] for i in memory_executables_MD5[0:]])
         memory_executables_MD5_set_list

Out[28]: set(['ad52ce0deed954e406b61ab1d87ca24d',
              ... 63 more MD5 digests of the dumped executables ...])



The two sets are intersected: any dumped executable whose MD5 appears in the APT1 list is returned.

In [29]: apt1_set_list.intersection(memory_executables_MD5_set_list)

Out[29]: set([])





   Comparing MD5 APT1 Hashes against files

   "To denote the identity of a malicious binary or executable, analysts often use cryptographic hashing, which computes a hash value on a block of data, such that an
   accidental or intentional change to the data will change the hash value...Fuzzy hashes and other block/rolling hash methods provide a continuous stream of hash values
   for a rolling window over the binary. These methods produce hash values that allow analysts to assign a percentage score that indicates the amount of content that the
   two files have in common. A recent type of fuzzy hashing, known as context triggered piecewise hashing, has gained enormous popularity in malware detection and
   analysis in the form of an open-source tool called ssdeep." http://blog.sei.cmu.edu/post.cfm/fuzzy-hashing-techniques-in-applied-malware-analysis






   Compare MD5 to Whitelisted MD5s

In [ ]: !open http://www.nsrl.nist.gov/Downloads.htm




   Compare MD5 to Blacklisted MD5s

In [ ]: !open http://virusshare.com/hashes/
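The notebook cells above do the APT1 comparison with a plain set intersection, and the whitelist (NSRL) and blacklist (VirusShare) links extend the same idea in both directions. What follows is an added example, not code from the notebook or its author: it reads an indicator list in the one-MD5-per-line style of the APT1 appendix, parses md5deep-style output ("<md5>  <path>", keeping the path so the analyst knows which dumped file matched, where the notebook's split()[0] discards it), and partitions the dumped executables into known-bad, known-good and unknown. Every input line, path and digest below is constructed for the example; the whitelist and blacklist contents are placeholders, not NSRL or VirusShare data.

```python
import hashlib
from typing import Dict, Iterable, List, Set

HEX = set("0123456789abcdef")


def load_md5_list(lines: Iterable[str]) -> Set[str]:
    """Indicator or whitelist file: one MD5 per line. Blank lines and '#'
    comments are skipped; digests are lower-cased so that a report written in
    upper case still matches md5deep's lower-case output."""
    digests = set()
    for line in lines:
        token = line.strip().lower()
        if not token or token.startswith("#"):
            continue
        if len(token) == 32 and set(token) <= HEX:
            digests.add(token)
    return digests


def load_md5deep_output(lines: Iterable[str]) -> Dict[str, List[str]]:
    """md5deep prints '<md5>  <path>'. Paths may contain spaces, so split only
    on the first whitespace run. Returns digest -> paths carrying that digest."""
    by_digest: Dict[str, List[str]] = {}
    for line in lines:
        parts = line.strip().split(None, 1)
        if len(parts) != 2:
            continue  # blank line or a line without a path
        digest, path = parts[0].lower(), parts[1]
        by_digest.setdefault(digest, []).append(path)
    return by_digest


def triage(dumped: Dict[str, List[str]], blacklist: Set[str],
           whitelist: Set[str]) -> Dict[str, Dict[str, List[str]]]:
    """Partition dumped executables: on the blacklist (APT1, VirusShare ...),
    on the whitelist (NSRL), or unknown and therefore worth a closer look.
    A digest on both lists is reported as bad: an indicator hit outranks a
    'known file' entry on a whitelist."""
    digests = set(dumped)
    bad = digests & blacklist
    good = (digests & whitelist) - bad
    unknown = digests - bad - good
    return {
        "bad": {d: dumped[d] for d in sorted(bad)},
        "good": {d: dumped[d] for d in sorted(good)},
        "unknown": {d: dumped[d] for d in sorted(unknown)},
    }


# --- constructed sample data (placeholders, not real indicators) -------------
# A fake 'dumped executable'; its real MD5 is computed here so the match is genuine.
DUMPED_BYTES = b"MZ\x90\x00constructed stand-in for a process dump, not a real binary"
DUMPED_MD5 = hashlib.md5(DUMPED_BYTES).hexdigest()

# Indicator list in the style of the APT1 appendix: upper case, a comment, a blank line.
APT1_LINES = [
    "# constructed indicator list for the example",
    "",
    DUMPED_MD5.upper(),
    "00000000000000000000000000000001",  # placeholder digest, not an IoC
    "not-a-hash",
]

# Placeholder whitelist standing in for an NSRL export.
NSRL_LINES = ["00000000000000000000000000000002"]

# Constructed md5deep-style output for three dumped files, one with a space in its path.
MD5DEEP_LINES = [
    f"{DUMPED_MD5}  /root/Desktop/asdf/executable.1234.exe",
    "00000000000000000000000000000002  /root/Desktop/asdf/Program Files/clean.exe",
    "00000000000000000000000000000003  /root/Desktop/asdf/unknown.dll",
    "",
]


def demo() -> Dict[str, Dict[str, List[str]]]:
    return triage(load_md5deep_output(MD5DEEP_LINES),
                  load_md5_list(APT1_LINES),
                  load_md5_list(NSRL_LINES))


if __name__ == "__main__":
    for verdict, hits in demo().items():
        for digest, paths in hits.items():
            print(f"{verdict:8} {digest}  {', '.join(paths)}")
```

The "unknown" bucket is the one that matters in practice: a dump with no blacklist hit is not clean, it is merely unmatched, and those files are what the fuzzy-hashing and Volatility plugins further down are for.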






   Moar Reading on Fuzzy Hashing

In [35]: !open http://threatthoughts.com/2013/01/28/koing-malware-graph-theory-and-fuzzy-hashes/


In [36]: !open http://ssdeep.sourceforge.net/


In [37]: !open http://jessekornblum.com/presentations/cdfsl07.pdf
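The SEI quotation above and the reading list here describe how context triggered piecewise hashing differs from a cryptographic hash: a one-byte change gives an unrelated MD5 but only disturbs the pieces around the edit. The block below is an added illustration, not the notebook's code and not ssdeep itself: it implements a deliberately small CTPH in pure Python (a 7-byte window hashed with FNV-1a as the trigger, one base64 character per piece, and difflib's ratio standing in for ssdeep's edit-distance score) so the behaviour can be seen offline. The input bytes are constructed stand-ins; use ssdeep or its Python binding for real work.

```python
import hashlib
from difflib import SequenceMatcher

WINDOW = 7       # bytes of context that decide where a piece ends
BLOCK_SIZE = 16  # a trigger fires on roughly 1/BLOCK_SIZE positions, so pieces average ~16 bytes
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"


def fnv1a(data: bytes) -> int:
    """32-bit FNV-1a, used both for the rolling window and for each piece."""
    h = 0x811C9DC5
    for b in data:
        h = ((h ^ b) * 0x01000193) & 0xFFFFFFFF
    return h


def ctph(data: bytes, block_size: int = BLOCK_SIZE) -> str:
    """Context triggered piecewise hash. A piece ends wherever the hash of the
    last WINDOW bytes hits the trigger value, so boundaries depend only on local
    content: an edit disturbs the pieces around it and leaves every other piece,
    and therefore its signature character, unchanged."""
    chars = []
    piece_start = 0
    for i in range(len(data)):
        window = data[max(0, i - WINDOW + 1): i + 1]
        if fnv1a(window) % block_size == block_size - 1:
            chars.append(ALPHABET[fnv1a(data[piece_start:i + 1]) & 0x3F])
            piece_start = i + 1
    if piece_start < len(data):  # trailing piece with no trigger after it
        chars.append(ALPHABET[fnv1a(data[piece_start:]) & 0x3F])
    return f"{block_size}:{''.join(chars)}"


def compare(sig_a: str, sig_b: str) -> int:
    """0..100 similarity score. ssdeep scores by weighted edit distance over
    signatures built with the same block size; difflib's ratio is the stand-in."""
    bs_a, body_a = sig_a.split(":", 1)
    bs_b, body_b = sig_b.split(":", 1)
    if bs_a != bs_b:
        return 0
    return round(100 * SequenceMatcher(None, body_a, body_b).ratio())


# --- constructed inputs ---------------------------------------------------------
ORIGINAL = (
    b"MZ\x90\x00 constructed stand-in for an executable: a configuration block, "
    b"a list of hostnames an analyst would pivot on, and enough varied padding "
    b"for the piecewise hash to produce a useful number of pieces. "
    b"host=update.example.test port=443 key=0123456789abcdef "
    b"The quick brown fox jumps over the lazy dog; 0123456789 "
) * 2
# One byte flipped in the first copy: the 'repacked or patched sample' case.
MODIFIED = ORIGINAL[:100] + bytes([ORIGINAL[100] ^ 0x01]) + ORIGINAL[101:]
# A different file of similar size.
UNRELATED = (
    b"PK\x03\x04 constructed archive header followed by unrelated text about "
    b"quarterly figures, meeting notes and a shopping list: milk, eggs, bread, "
    b"coffee, apples, rice, beans, onions, flour, sugar, salt, pepper. "
) * 3


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def similarity(a: bytes, b: bytes) -> int:
    return compare(ctph(a), ctph(b))


if __name__ == "__main__":
    print("md5 original :", md5_hex(ORIGINAL))
    print("md5 modified :", md5_hex(MODIFIED))
    print("ctph original:", ctph(ORIGINAL))
    print("ctph modified:", ctph(MODIFIED))
    print("score original/modified :", similarity(ORIGINAL, MODIFIED))
    print("score original/unrelated:", similarity(ORIGINAL, UNRELATED))
```

The two MD5s share nothing, while the two CTPH signatures differ in only the characters covering the edited region, which is why a fuzzy-hash score survives the trivial rebuilds that defeat exact-match lists such as the APT1 comparison earlier in the notebook.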






   Volatility Labs - Month of Volatility Plugins

In [3]: !open http://volatility-labs.blogspot.ca/2012/09/movp-11-logon-sessions-processes-and.html





   Paper of Android Memory Analysis with Volatility

In [5]: !open http://computer-forensics.sans.org/summit-archives/2012/android-mind-reading-memory-acquisition-and-analysis-with-lime-and-






   Tool for monitoring installation routines of programs

In [9]: !open http://www.martau.com/installation-monitor.php





In [34]: HTML("<iframe src=https://volatility.googlecode.com/svn/branches/scudette/docs/index.html width=1000 height=400></iframe>")

Out[34]:

         Volatility Technology Preview Documentation.
            1. Tutorial
            2. User Manual
                  a. The Pmem Memory acquisition suite
            3. Developer Information
            4. References and Further Information

         Last updated 2012-11-15 10:38:39 CET






   Cuckoobox, Volatility, Yara Video on YouTube

In [11]: YouTubeVideo(id="mxGnjTlufAA", width=600, height=400)

Out[11]: (embedded video)






   Awesome Potential of Visualization for memory space and processes

In [10]: !open http://pinterest.com/pin/95138610848260436/






   Books over blogs





In [7]: !open http://pinterest.com/danglebits/






   Awesome Team Responsible for Volatility

In [4]: !open https://code.google.com/p/volatility/wiki/VolatilityTeam




127.0.0.1:8888/6f10bc63-098a-499f-bd64-38e40467f465/print                      11/11

Weitere ähnliche Inhalte

Was ist angesagt?

Biotechnology2
Biotechnology2Biotechnology2
Biotechnology2sharkyea
 
Leroy Wainwright Professional Persona Project
Leroy Wainwright Professional Persona ProjectLeroy Wainwright Professional Persona Project
Leroy Wainwright Professional Persona ProjectLeroy S. Wainwright II
 
LT SAP HANAネットワークプロトコル初段
LT SAP HANAネットワークプロトコル初段LT SAP HANAネットワークプロトコル初段
LT SAP HANAネットワークプロトコル初段Koji Shinkubo
 
Microsoft SharePoint를 활용한 개발환경 구축
Microsoft SharePoint를 활용한 개발환경 구축Microsoft SharePoint를 활용한 개발환경 구축
Microsoft SharePoint를 활용한 개발환경 구축OnGameServer
 

Was ist angesagt? (7)

Biotechnology2
Biotechnology2Biotechnology2
Biotechnology2
 
Leroy Wainwright Professional Persona Project
Leroy Wainwright Professional Persona ProjectLeroy Wainwright Professional Persona Project
Leroy Wainwright Professional Persona Project
 
LT SAP HANAネットワークプロトコル初段
LT SAP HANAネットワークプロトコル初段LT SAP HANAネットワークプロトコル初段
LT SAP HANAネットワークプロトコル初段
 
Microsoft SharePoint를 활용한 개발환경 구축
Microsoft SharePoint를 활용한 개발환경 구축Microsoft SharePoint를 활용한 개발환경 구축
Microsoft SharePoint를 활용한 개발환경 구축
 
Ga log
Ga logGa log
Ga log
 
Cells
CellsCells
Cells
 
Pruebas de hipotesis
Pruebas de hipotesisPruebas de hipotesis
Pruebas de hipotesis
 

Ähnlich wie Learning iPython Notebook Volatility Memory Forensics

ipython notebook poc memory forensics
ipython notebook poc memory forensicsipython notebook poc memory forensics
ipython notebook poc memory forensicsVincent Ohprecio
 
Demonstration using Jupyter R
Demonstration using Jupyter RDemonstration using Jupyter R
Demonstration using Jupyter R宁 梅
 
Table financiere
Table financiereTable financiere
Table financierestoune123
 
PE보다 스크립트 - 핵인싸 악성코드의 진단 우회방식
PE보다 스크립트 - 핵인싸 악성코드의 진단 우회방식PE보다 스크립트 - 핵인싸 악성코드의 진단 우회방식
PE보다 스크립트 - 핵인싸 악성코드의 진단 우회방식HeungSoo Kang
 
Ateliers péda (ACM)
Ateliers péda (ACM)Ateliers péda (ACM)
Ateliers péda (ACM)NicoBarto
 
SonShine Magazine Teaser - Christian Comic / Book / Magazine
SonShine Magazine Teaser - Christian Comic / Book / MagazineSonShine Magazine Teaser - Christian Comic / Book / Magazine
SonShine Magazine Teaser - Christian Comic / Book / MagazineJoel S Godi
 
Technical challenges with file formats
Technical challenges with file formatsTechnical challenges with file formats
Technical challenges with file formatsAnge Albertini
 
ปัจจัยที่ทำให้ระบบโรงเรียนประสบความสำเร็จ
ปัจจัยที่ทำให้ระบบโรงเรียนประสบความสำเร็จปัจจัยที่ทำให้ระบบโรงเรียนประสบความสำเร็จ
ปัจจัยที่ทำให้ระบบโรงเรียนประสบความสำเร็จkunkrooyim
 
February 2020 Calendar of Events
February 2020 Calendar of EventsFebruary 2020 Calendar of Events
February 2020 Calendar of EventsFloodwoodvern
 
Itsecteam shell
Itsecteam shellItsecteam shell
Itsecteam shellady36
 
How to I/O?
How to I/O?How to I/O?
How to I/O?C4Media
 

Ähnlich wie Learning iPython Notebook Volatility Memory Forensics (20)

ipython notebook poc memory forensics
ipython notebook poc memory forensicsipython notebook poc memory forensics
ipython notebook poc memory forensics
 
Demonstration using Jupyter R
Demonstration using Jupyter RDemonstration using Jupyter R
Demonstration using Jupyter R
 
Sp 2010 eng2
Sp 2010 eng2Sp 2010 eng2
Sp 2010 eng2
 
Table financiere
Table financiereTable financiere
Table financiere
 
PE보다 스크립트 - 핵인싸 악성코드의 진단 우회방식
PE보다 스크립트 - 핵인싸 악성코드의 진단 우회방식PE보다 스크립트 - 핵인싸 악성코드의 진단 우회방식
PE보다 스크립트 - 핵인싸 악성코드의 진단 우회방식
 
CAR Emails 6.12.02 (b)
CAR Emails 6.12.02 (b)CAR Emails 6.12.02 (b)
CAR Emails 6.12.02 (b)
 
Ateliers péda (ACM)
Ateliers péda (ACM)Ateliers péda (ACM)
Ateliers péda (ACM)
 
SonShine Magazine Teaser - Christian Comic / Book / Magazine
SonShine Magazine Teaser - Christian Comic / Book / MagazineSonShine Magazine Teaser - Christian Comic / Book / Magazine
SonShine Magazine Teaser - Christian Comic / Book / Magazine
 
Cpu utilization
Cpu utilizationCpu utilization
Cpu utilization
 
Technical challenges with file formats
Technical challenges with file formatsTechnical challenges with file formats
Technical challenges with file formats
 
CEI Email 6.3.03 (a)
CEI Email 6.3.03 (a)CEI Email 6.3.03 (a)
CEI Email 6.3.03 (a)
 
Singleton coty ppp
Singleton coty pppSingleton coty ppp
Singleton coty ppp
 
ปัจจัยที่ทำให้ระบบโรงเรียนประสบความสำเร็จ
ปัจจัยที่ทำให้ระบบโรงเรียนประสบความสำเร็จปัจจัยที่ทำให้ระบบโรงเรียนประสบความสำเร็จ
ปัจจัยที่ทำให้ระบบโรงเรียนประสบความสำเร็จ
 
Corso di linguaggio C
Corso di linguaggio CCorso di linguaggio C
Corso di linguaggio C
 
CAR Email 5.16.03
CAR Email 5.16.03CAR Email 5.16.03
CAR Email 5.16.03
 
CAR Email 5.16.03 (a)
CAR Email 5.16.03 (a)CAR Email 5.16.03 (a)
CAR Email 5.16.03 (a)
 
February 2020 Calendar of Events
February 2020 Calendar of EventsFebruary 2020 Calendar of Events
February 2020 Calendar of Events
 
Itsecteam shell
Itsecteam shellItsecteam shell
Itsecteam shell
 
Keyserv
KeyservKeyserv
Keyserv
 
How to I/O?
How to I/O?How to I/O?
How to I/O?
 

Mehr von Vincent Ohprecio

iPython Notebook Volatility Memory Forensics SilentBanker
iPython Notebook Volatility Memory Forensics SilentBankeriPython Notebook Volatility Memory Forensics SilentBanker
iPython Notebook Volatility Memory Forensics SilentBankerVincent Ohprecio
 
iPython Notebook Volatility For Memory Forensics
iPython Notebook Volatility For Memory ForensicsiPython Notebook Volatility For Memory Forensics
iPython Notebook Volatility For Memory ForensicsVincent Ohprecio
 
iPhone Forensics Without iPhone using iTunes Backup
iPhone Forensics Without iPhone using iTunes BackupiPhone Forensics Without iPhone using iTunes Backup
iPhone Forensics Without iPhone using iTunes BackupVincent Ohprecio
 
Forensic Challenge 10 - FC5 Attack Dataset Visualization
Forensic Challenge 10 - FC5 Attack Dataset VisualizationForensic Challenge 10 - FC5 Attack Dataset Visualization
Forensic Challenge 10 - FC5 Attack Dataset VisualizationVincent Ohprecio
 
Intro2 malwareanalysisshort
Intro2 malwareanalysisshortIntro2 malwareanalysisshort
Intro2 malwareanalysisshortVincent Ohprecio
 
Hacking school computers for fun profit and better grades short
Hacking school computers for fun profit and better grades shortHacking school computers for fun profit and better grades short
Hacking school computers for fun profit and better grades shortVincent Ohprecio
 

Mehr von Vincent Ohprecio (7)

iPython Notebook Volatility Memory Forensics SilentBanker
iPython Notebook Volatility Memory Forensics SilentBankeriPython Notebook Volatility Memory Forensics SilentBanker
iPython Notebook Volatility Memory Forensics SilentBanker
 
iPython Notebook Volatility For Memory Forensics
iPython Notebook Volatility For Memory ForensicsiPython Notebook Volatility For Memory Forensics
iPython Notebook Volatility For Memory Forensics
 
iPhone Forensics Without iPhone using iTunes Backup
iPhone Forensics Without iPhone using iTunes BackupiPhone Forensics Without iPhone using iTunes Backup
iPhone Forensics Without iPhone using iTunes Backup
 
Forensic Challenge 10 - FC5 Attack Dataset Visualization
Forensic Challenge 10 - FC5 Attack Dataset VisualizationForensic Challenge 10 - FC5 Attack Dataset Visualization
Forensic Challenge 10 - FC5 Attack Dataset Visualization
 
Big databigideasit4bc
Big databigideasit4bcBig databigideasit4bc
Big databigideasit4bc
 
Intro2 malwareanalysisshort
Intro2 malwareanalysisshortIntro2 malwareanalysisshort
Intro2 malwareanalysisshort
 
Hacking school computers for fun profit and better grades short
Hacking school computers for fun profit and better grades shortHacking school computers for fun profit and better grades short
Hacking school computers for fun profit and better grades short
 

Kürzlich hochgeladen

08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessPixlogix Infotech
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?Antenna Manufacturer Coco
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 

Kürzlich hochgeladen (20)

08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx

Learning iPython Notebook Volatility Memory Forensics

  • 1. 3/6/13 IPython Notebook
    Next Steps - Where do you go from here?
    In [2]: from IPython.core.display import Image
            from IPython.core.display import HTML
            from IPython.lib.display import YouTubeVideo
    Google Rapid Response - GRR
    In [4]: !open https://code.google.com/p/grr/
    Keep the conversation going on Twitter
    In [5]: !open https://twitter.com/bigsnarfdude
    Find all the material on this talk on Github
    In [6]: !open https://github.com/bigsnarfdude
  • 2. In [6]: Image(filename="/Users/antigen/Desktop/bigsnarfhadoopstack1.png")
    Out[6]: (image)
    In [7]: Image(filename="/Users/antigen/Desktop/bigsnarfjourney.png")
    Out[7]: (image)
  • 3. Hadoop meets Sleuthkit
    In [2]: !open http://www.sleuthkit.org/tsk_hadoop/
    Python meets log2timeline
    In [1]: !open http://plaso.kiddaland.net/
  • 4. DFIR and Machine Learning - Match made in heaven waiting to happen
    In [ ]: !open http://scikit-learn.org/stable/
    In [ ]: !open http://drops.dagstuhl.de/opus/volltexte/2013/3970/pdf/dagrep_v002_i009_p001_s12371.pdf
    Fuzzy Hashing with ssdeep
    In [30]: !open http://ssdeep.sourceforge.net/
    In [1]: !open http://dfrws.org/2006/proceedings/12-Kornblum.pdf
    Integration with Python Indicators of Compromise?
    In [1]: !open https://github.com/jeffbryner/pyioc
    Thanks to Hacker School NYC
  • 5. Hacker School is a three-month, full-time school in New York for becoming a better programmer. We're free as in beer, and provide space, a little structure, time to focus, and a friendly community of smart builders dedicated to self-improvement.
    In [8]: !open https://www.hackerschool.com/
    Memory Forensics Cheat Sheet
    In [1]: !open https://blogs.sans.org/computer-forensics/files/2012/04/Memory-Forensics-Cheat-Sheet-v1.pdf
    Create images and graphs from arrays
    In [32]: X = np.array([0,1,2,3,4])
             Y = np.array([3,5,4,6,7])
    In [33]: plot(X,Y)
    Out[33]: [<matplotlib.lines.Line2D at 0x49db85c>]
             (plot image)
  • 6. Here is the documentation I used in this presentation
    In [1]: !open https://volatility.googlecode.com/svn/branches/scudette/docs/tutorial.html
    Comparing MD5 APT1 Hashes against files
    In [27]: apt1_md5s = open('/root/Desktop/APT1md5').readlines()
             apt1_set_list = set([i.strip('\n') for i in apt1_md5s[0:]])
             apt1_set_list
    Out[27]: set([...])   (listing of 32-character MD5 strings omitted)
    In [28]: memory_executables_MD5 = open('/root/Desktop/asdf/filelist.txt').readlines()
             memory_executables_MD5_set_list = set([i.split()[0] for i in memory_executables_MD5[0:]])
             memory_executables_MD5_set_list
    Out[28]: set([...])   (listing of 32-character MD5 strings omitted; continues on the next slide)
  • 7. (Out[28] continued)
    These sets are compared and any executables that are in APT1 hashes are returned
    In [29]: apt1_set_list.intersection(memory_executables_MD5_set_list)
    Out[29]: set([])
    Comparing MD5 APT1 Hashes against files
    "To denote the identity of a malicious binary or executable, analysts often use cryptographic hashing, which computes a hash value on a block of data, such that an accidental or intentional change to the data will change the hash value...Fuzzy hashes and other block/rolling hash methods provide a continuous stream of hash values for a rolling window over the binary. These methods produce hash values that allow analysts to assign a percentage score that indicates the amount of content that the two files have in common. A recent type of fuzzy hashing, known as context triggered piecewise hashing, has gained enormous popularity in malware detection and analysis in the form of an open-source tool called ssdeep."
    http://blog.sei.cmu.edu/post.cfm/fuzzy-hashing-techniques-in-applied-malware-analysis
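The quoted passage describes context triggered piecewise hashing without showing how it works. The following is an added example, not code from the notebook or from the ssdeep project: a compact re-implementation of the CTPH idea (ssdeep's rolling hash over a 7-byte window triggers piece boundaries, an FNV-1 hash of each piece becomes one base64 character). It is simplified relative to real ssdeep: a single fixed block size instead of the adaptive 3*2^n scheme, one signature instead of two, and difflib's ratio instead of ssdeep's edit-distance score. The sample "binaries" are constructed pseudo-random byte strings, one of them patched in the middle, so the contrast with MD5 can be seen offline.

```python
import hashlib
from difflib import SequenceMatcher

WINDOW = 7                # ssdeep's rolling window length
FNV_PRIME = 0x01000193    # ssdeep's HASH_PRIME (32-bit FNV-1)
FNV_INIT = 0x28021967     # ssdeep's HASH_INIT for the per-piece hash
B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"


class Roll(object):
    """Rolling hash over the last WINDOW bytes, same recurrence as ssdeep's roll_hash."""

    def __init__(self):
        self.window = [0] * WINDOW
        self.h1 = self.h2 = self.h3 = 0
        self.n = 0

    def update(self, c):
        self.h2 -= self.h1
        self.h2 += WINDOW * c
        self.h1 += c
        self.h1 -= self.window[self.n % WINDOW]   # drop the byte leaving the window
        self.window[self.n % WINDOW] = c
        self.n += 1
        self.h3 = ((self.h3 << 5) & 0xFFFFFFFF) ^ c
        return (self.h1 + self.h2 + self.h3) & 0xFFFFFFFF


def ctph(data, block_size=32):
    """Fuzzy signature '<block_size>:<one base64 char per context-delimited piece>'.

    A piece ends wherever the rolling hash of the last 7 bytes hits the trigger
    value, so boundaries depend on local content, not on absolute offsets; an
    edit therefore only disturbs the pieces that overlap it."""
    roll = Roll()
    piece = FNV_INIT
    sig = []
    for c in data:                                      # bytes iterate as ints
        piece = ((piece * FNV_PRIME) & 0xFFFFFFFF) ^ c  # FNV-1 over the current piece
        if roll.update(c) % block_size == block_size - 1:  # context trigger
            sig.append(B64[piece & 63])
            piece = FNV_INIT
    if piece != FNV_INIT:                               # flush the unfinished tail piece
        sig.append(B64[piece & 63])
    return "%d:%s" % (block_size, "".join(sig))


def similarity(sig_a, sig_b):
    """0-100 score; signatures with different block sizes are not comparable."""
    bs_a, body_a = sig_a.split(":", 1)
    bs_b, body_b = sig_b.split(":", 1)
    if bs_a != bs_b:
        return 0
    ratio = SequenceMatcher(None, body_a, body_b, autojunk=False).ratio()
    return int(round(100 * ratio))


def md5_differs(a, b):
    """True when the cryptographic hashes differ (any changed byte flips the MD5)."""
    return hashlib.md5(a).hexdigest() != hashlib.md5(b).hexdigest()


def lcg_bytes(n, seed=1):
    """Deterministic pseudo-random bytes standing in for a binary (constructed input)."""
    out = bytearray()
    x = seed
    for _ in range(n):
        x = (1103515245 * x + 12345) & 0x7FFFFFFF
        out.append((x >> 16) & 0xFF)
    return bytes(out)


ORIGINAL = lcg_bytes(4000)
PATCHED = ORIGINAL[:2000] + b"\x90" * 16 + ORIGINAL[2016:]   # 16 bytes patched mid-file
UNRELATED = lcg_bytes(4000, seed=99)


def demo():
    """Scores for identical, lightly patched and unrelated inputs."""
    base = ctph(ORIGINAL)
    return {
        "same": similarity(base, ctph(ORIGINAL)),
        "patched": similarity(base, ctph(PATCHED)),
        "unrelated": similarity(base, ctph(UNRELATED)),
    }


if __name__ == "__main__":
    print("MD5 differs after patch:", md5_differs(ORIGINAL, PATCHED))
    print(demo())
```

The patched variant has a completely different MD5 but keeps almost all of its pieces, because only the pieces overlapping the edited 16 bytes (plus the 7-byte window around them) change; everything before and after realigns on the same context-triggered boundaries. Real ssdeep additionally requires a common 7-character run before it will score two signatures at all, which is why short or highly repetitive files match poorly.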
  • 8. Compare MD5 to Whitelisted MD5s
    In [ ]: !open http://www.nsrl.nist.gov/Downloads.htm
    Compare MD5 to Blacklisted MD5s
    In [ ]: !open http://virusshare.com/hashes/
    Moar Reading on Fuzzy Hashing
    In [35]: !open http://threatthoughts.com/2013/01/28/konig-malware-graph-theory-and-fuzzy-hashes/
    In [36]: !open http://ssdeep.sourceforge.net/
    In [37]: !open http://jessekornblum.com/presentations/cdfsl07.pdf
    Volatility Labs - Month of Volatility Plugins
    In [3]: !open http://volatility-labs.blogspot.ca/2012/09/movp-11-logon-sessions-processes-and.html
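Slides 6 and 7 intersect the APT1 hash set with the MD5s of executables dumped from memory, and slide 8 points at NSRL whitelists and VirusShare blacklists for the same comparison. The notebook's cells do that with raw `set()` operations on the file lines, which silently fails when one feed is upper-case or contains comments, blank lines or malformed entries. The following is an added example, not the notebook's code: the same triage with normalised, validated hashes, keeping the path of every dumped executable so a hit can be traced back to a process. The listing, blacklist and whitelist are constructed inline (the MD5 values are the well-known digests of "", "a", "abc" and "hello"; the `executable.<pid>.exe` names follow the style of Volatility's procexedump output, an assumption rather than real output).

```python
import re

MD5_RE = re.compile(r"^[0-9a-f]{32}$")

# Constructed md5sum-style listing of executables carved from a memory image.
# Note the upper-case hash, two dumps sharing one hash, and a malformed line.
MEMORY_LISTING = """\
d41d8cd98f00b204e9800998ecf8427e  /root/Desktop/asdf/executable.1234.exe
0CC175B9C0F1B6A831C399E269772661  /root/Desktop/asdf/executable.2048.exe
900150983cd24fb0d6963f7d28e17f72  /root/Desktop/asdf/executable.4096.exe
900150983cd24fb0d6963f7d28e17f72  /root/Desktop/asdf/executable.4097.exe
corrupted-line-without-a-hash
"""

# Constructed blacklist, one MD5 per line as in the APT1 appendix or a
# VirusShare export; comments and blank lines are common in such feeds.
BLACKLIST = """\
# constructed blacklist
0cc175b9c0f1b6a831c399e269772661
5d41402abc4b2a76b9719d911017c592

"""

# Constructed NSRL-style whitelist of known-good software (upper-case feed).
WHITELIST = """\
D41D8CD98F00B204E9800998ECF8427E
"""


def parse_hash_list(text):
    """Set of valid, lower-cased MD5s from a one-hash-per-line feed.

    Skips blank lines, '#' comments and anything that is not 32 hex
    characters, and normalises case so an upper-case feed still matches."""
    hashes = set()
    for line in text.splitlines():
        fields = line.strip().split()
        if not fields or fields[0].startswith("#"):
            continue
        candidate = fields[0].lower()
        if MD5_RE.match(candidate):
            hashes.add(candidate)
    return hashes


def parse_md5sum_listing(text):
    """Map md5 -> list of paths from md5sum-style '<hash>  <path>' lines.

    Several dumped executables may share one hash (same binary in several
    processes), so every path is kept; malformed lines are dropped."""
    by_hash = {}
    for line in text.splitlines():
        fields = line.strip().split(None, 1)
        if len(fields) != 2:
            continue                      # no path, or no hash at all
        digest = fields[0].lower()
        if MD5_RE.match(digest):
            by_hash.setdefault(digest, []).append(fields[1])
    return by_hash


def triage(listing_text, blacklist_text, whitelist_text):
    """Split dumped executables into known-bad, known-good and unknown.

    Returns three dicts {md5: [paths]}. A hash on both lists is treated as
    bad; 'unknown' is what still needs manual or fuzzy-hash analysis."""
    dumped = parse_md5sum_listing(listing_text)
    bad = parse_hash_list(blacklist_text)
    good = parse_hash_list(whitelist_text)
    known_bad = {h: p for h, p in dumped.items() if h in bad}
    known_good = {h: p for h, p in dumped.items() if h in good and h not in bad}
    unknown = {h: p for h, p in dumped.items() if h not in bad and h not in good}
    return known_bad, known_good, unknown


if __name__ == "__main__":
    bad, good, rest = triage(MEMORY_LISTING, BLACKLIST, WHITELIST)
    for label, group in (("known bad", bad), ("known good", good), ("unknown", rest)):
        for digest, paths in sorted(group.items()):
            print(label, digest, ", ".join(paths))
```

Run against the constructed data, the upper-case `executable.2048.exe` hash is flagged as known bad, which the notebook's `set([i.strip('\n') ...])` comparison would have missed because `'0CC1...'` and `'0cc1...'` are different strings; the whitelisted dump drops out, and the two `abc` dumps remain as the unknowns worth a closer look.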
  • 9. Paper of Android Memory Analysis with Volatility
    In [5]: !open http://computer-forensics.sans.org/summit-archives/2012/android-mind-reading-memory-acquisition-and-analysis-with-lime-and- (URL cut off in the slide)
    Tool for monitoring installation routines of programs
    In [9]: !open http://www.martau.com/installation-monitor.php
    In [34]: HTML("<iframe src=https://volatility.googlecode.com/svn/branches/scudette/docs/index.html width=1000 height=400></iframe>")
    Out[34]: Volatility Technology Preview Documentation.
             1. Tutorial
             2. User Manual
                a. The Pmem Memory acquisition suite
             3. Developer Information
             4. References and Further Information
             Last updated 2012-11-15 10:38:39 CET
  • 10. Cuckoobox, Volatility, Yara Video on YouTube
    In [11]: YouTubeVideo(id="mxGnjTlufAA", width=600, height=400)
    Out[11]: (embedded video)
    Awesome Potential of Visualization for memory space and processes
    In [10]: !open http://pinterest.com/pin/95138610848260436/
    Books over blogs
  • 11. In [7]: !open http://pinterest.com/dangleebits/
    Awesome Team Responsible for Volatility
    In [4]: !open https://code.google.com/p/volatility/wiki/VolatilityTeam