3/6/13 IPython Notebook
Next Steps - Where do you go from here?
In [2]: from IPython.core.display import Image
        from IPython.core.display import HTML
        from IPython.lib.display import YouTubeVideo
Google Rapid Response - GRR
In [4]: !open https://code.google.com/p/grr/
Keep the conversation going on Twitter
In [5]: !open https://twitter.com/bigsnarfdude
Find all the material on this talk on Github
In [6]: !open https://github.com/bigsnarfdude
127.0.0.1:8888/6f10bc63-098a-499f-bd64-38e40467f465/print 1/11
In [6]: Image(filename="/Users/antigen/Desktop/bigsnarfhadoopstack1.png")
Out[6]: (image: bigsnarfhadoopstack1.png)
In [7]: Image(filename="/Users/antigen/Desktop/bigsnarfjourney.png")
Out[7]: (image: bigsnarfjourney.png)
Hadoop meets Sleuthkit
In [2]: !open http://www.sleuthkit.org/tsk_hadoop/
Python meets log2timeline
In [1]: !open http://plaso.kiddaland.net/
DFIR and Machine Learning - Match made in heaven waiting to happen
In [ ]: !open http://scikit-learn.org/stable/
In [ ]: !open http://drops.dagstuhl.de/opus/volltexte/2013/3790/pdf/dagrep_v002_i009_p001_s12371.pdf
Fuzzy Hashing with ssdeep
In [30]: !open http://ssdeep.sourceforge.net/
In [31]: !open http://dfrws.org/2006/proceedings/12-Kornblum.pdf
Integration with Python Indicators of Compromise?
In [1]: !open https://github.com/jeffbryner/pyioc
Thanks to Hacker School NYC
Hacker School is a three-month, full-time school in New York for becoming a better programmer. We're free as in beer, and provide space, a little structure, time to focus,
and a friendly community of smart builders dedicated to self-improvement.
In [8]: !open https://www.hackerschool.com/
Memory Forensics Cheat Sheet
In [1]: !open https://blogs.sans.org/computer-forensics/files/2012/04/Memory-Forensics-Cheat-Sheet-v1.pdf
Create images and graphs from arrays
In [32]: X = np.array([0,1,2,3,4])
         Y = np.array([3,5,4,6,7])
In [33]: plot(X,Y)
Out[33]: [<matplotlib.lines.Line2D at 0x94db58c>]
Here is the documentation I used in this presentation
In [1]: !open https://volatility.googlecode.com/svn/branches/scudette/docs/tutorial.html
Comparing MD5 APT1 Hashes against files
In [27]: apt1_md5s = open('/root/Desktop/APT1md5').readlines()
         apt1_set_list = set([i.strip('\n') for i in apt1_md5s[0:]])
         apt1_set_list
Ot2] st[dfdb5d1629e03c8d'
u[7: e('394c1be00330f799,
'414ef6ff6f55d37e,
cf4fb1f83d13354c'
'838512df12695c14,
b8fea401516b231c'
'76facec58833028e,
6f25cfafe2cb954f'
'5a17b2bddef9aadd,
4a47b4e3e5d374ae'
'12fb54f4ee596acc,
f7f6610326e16e34'
'c581ab0950b83cd9,
5d764f5b2086bacb'
'5a1cbeae5a890608,
7ddcaa8dbbe9dc3f'
'eda7c98e9c657b11,
a1d8c59d7eb82bd9'
'432b3e0335ba37cc,
a41e6d028a75921d'
'7fa3dd9d74970bcf,
9342861bcb27b79e'
'9dfa2920f3048e1b,
3012601145c3caf4'
'b4d3ee18d446693c,
a45ae48a4647f6d5'
'e8b242e55ac18ffe,
566d802359961d81'
'20adc77b9b92ed90,
559b1cbf3119909c'
'919f42c6aa84ba3b,
dbc5b44f90ce03b9'
'00438ab6e7d1c17f,
28f638eedbef10ff'
'd51301fc4318f6de,
b1746c2facce6c90'
'032526b3eabb313d,
c148a7a932293b0c'
'80df3492df2c0341,
949b42104b08044c'
In [28]: memory_executables_MD5 = open('/root/Desktop/asdf/file.txt').readlines()
         memory_executables_MD5_set_list = set([i.split()[0] for i in memory_executables_MD5[0:]])
         memory_executables_MD5_set_list
Out[28]: set(['...', ...])   (the 64 MD5 hashes of executables dumped from the memory image; the hash values are garbled in this print and are not reproduced)
The two sets are intersected: any executable dumped from memory whose MD5 appears in the APT1 hash list is returned. Here the intersection is empty, so none of the dumped executables is an exact MD5 match for an APT1 sample.
In [29]: apt1_set_list.intersection(memory_executables_MD5_set_list)
Out[29]: set([])
Comparing MD5 APT1 Hashes against files
"To denote the identity of a malicious binary or executable, analysts often use cryptographic hashing, which computes a hash value on a block of data, such that an accidental or intentional change to the data will change the hash value...Fuzzy hashes and other block/rolling hash methods provide a continuous stream of hash values for a rolling window over the binary. These methods produce hash values that allow analysts to assign a percentage score that indicates the amount of content that the two files have in common. A recent type of fuzzy hashing, known as context triggered piecewise hashing, has gained enormous popularity in malware detection and analysis in the form of an open-source tool called ssdeep." http://blog.sei.cmu.edu/post.cfm/fuzzy-hashing-techniques-in-applied-malware-analysis
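The context-triggered piecewise hashing described in the quote above, as an added example that is neither code from this notebook nor ssdeep itself: a cut-down CTPH in Python. The three-part rolling hash and the FNV-1a piece hash follow the structure ssdeep uses, but the fixed block size of 8, the one-symbol-per-piece signature, the similarity score (a plain Levenshtein ratio rather than ssdeep's weighted score) and every input below are assumptions made for this example.

```python
"""Context-triggered piecewise hashing (CTPH), cut down to its essentials.

Added example, not code from the original notebook and not ssdeep itself:
ssdeep uses the same kind of rolling hash and an FNV piece hash, but adds a
block-size ladder, a base64 signature and a weighted edit distance. This
re-implementation keeps enough of the idea to show why a file with an
inserted block still scores high against the original while the MD5s differ.
All inputs below are constructed sample data.
"""
import hashlib

MASK = 0xFFFFFFFF
WINDOW = 7          # bytes of context the rolling hash depends on
BLOCK_SIZE = 8      # expect a trigger roughly every BLOCK_SIZE bytes (assumed)
FNV_OFFSET, FNV_PRIME = 0x811C9DC5, 0x01000193
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"


def rolling_hashes(data: bytes):
    """Yield a 32-bit hash of the last WINDOW bytes at every offset.

    h1 is the byte sum, h2 an age-weighted byte sum, h3 a shift/xor whose old
    bytes fall off the top of 32 bits. The value depends only on the last
    WINDOW bytes, so trigger points re-synchronise a few bytes after an edit.
    """
    window = [0] * WINDOW
    h1 = h2 = h3 = 0
    for n, c in enumerate(data):
        old = window[n % WINDOW]
        h2 = (h2 - h1 + WINDOW * c) & MASK
        h1 = (h1 + c - old) & MASK
        h3 = ((h3 << 5) ^ c) & MASK
        window[n % WINDOW] = c
        yield (h1 + h2 + h3) & MASK


def ctph(data: bytes, block_size: int = BLOCK_SIZE) -> str:
    """Return a signature 'block_size:chars' with one symbol per piece.

    A piece ends wherever the rolling hash hits the trigger value; each piece
    is hashed with FNV-1a and reduced to one symbol of ALPHABET.
    """
    piece, chars = FNV_OFFSET, []
    for c, r in zip(data, rolling_hashes(data)):
        piece = ((piece ^ c) * FNV_PRIME) & MASK
        if r % block_size == block_size - 1:
            chars.append(ALPHABET[piece & 63])
            piece = FNV_OFFSET
    chars.append(ALPHABET[piece & 63])   # trailing partial piece
    return f"{block_size}:{''.join(chars)}"


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance between two signature bodies."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def similarity(sig_a: str, sig_b: str) -> int:
    """0..100 score; signatures with different block sizes are not comparable."""
    bs_a, body_a = sig_a.split(":", 1)
    bs_b, body_b = sig_b.split(":", 1)
    if bs_a != bs_b or not (body_a and body_b):
        return 0
    longest = max(len(body_a), len(body_b))
    return 100 * (longest - edit_distance(body_a, body_b)) // longest


def md5_match(a: bytes, b: bytes) -> bool:
    return hashlib.md5(a).hexdigest() == hashlib.md5(b).hexdigest()


# Constructed sample input: a process listing, the same listing with one
# injected process added in the middle, and an unrelated syslog excerpt.
ORIGINAL = b"""\
pid=4    name=System        ppid=0    path=
pid=376  name=smss.exe      ppid=4    path=\\SystemRoot\\System32\\smss.exe
pid=520  name=csrss.exe     ppid=508  path=C:\\Windows\\system32\\csrss.exe
pid=600  name=winlogon.exe  ppid=508  path=C:\\Windows\\system32\\winlogon.exe
pid=648  name=services.exe  ppid=600  path=C:\\Windows\\system32\\services.exe
pid=656  name=lsass.exe     ppid=600  path=C:\\Windows\\system32\\lsass.exe
pid=1024 name=svchost.exe   ppid=648  path=C:\\Windows\\system32\\svchost.exe
pid=1516 name=spoolsv.exe   ppid=648  path=C:\\Windows\\system32\\spoolsv.exe
pid=2048 name=explorer.exe  ppid=1912 path=C:\\Windows\\explorer.exe
"""
MODIFIED = ORIGINAL.replace(
    b"pid=1516", b"pid=1400 name=rundll32.exe  ppid=1024 path=C:\\Users\\Public\\upd.dll\npid=1516"
)
UNRELATED = b"""\
Mar  6 10:38:39 host sshd[2211]: Accepted publickey for analyst from 10.0.0.7 port 51234 ssh2
Mar  6 10:38:41 host sudo: analyst : TTY=pts/0 ; PWD=/home/analyst ; COMMAND=/usr/bin/vol.py
Mar  6 10:39:02 host kernel: [ 1203.114] usb 1-1: new high-speed USB device number 4
Mar  6 10:41:17 host sshd[2211]: Received disconnect from 10.0.0.7 port 51234: disconnected
Mar  6 10:41:17 host systemd-logind[540]: Removed session 12.
"""

if __name__ == "__main__":
    sig = ctph(ORIGINAL)
    print("md5 match :", md5_match(ORIGINAL, MODIFIED))
    print("modified  :", similarity(sig, ctph(MODIFIED)))
    print("unrelated :", similarity(sig, ctph(UNRELATED)))
```

Run it and the MD5s of the two process listings differ while the fuzzy score stays high: trigger points are chosen by the rolling hash over the last seven bytes only, so piece boundaries re-align right after the inserted line and every piece past it hashes to the same symbol. The unrelated syslog excerpt scores low. ssdeep additionally derives the block size from the file length and stores two signatures per file so that files of different sizes remain comparable; with a single fixed block size, as here, files of very different lengths cannot be scored against each other meaningfully.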
Compare MD5 to Whitelisted MD5s
In [ ]: !open http://www.nsrl.nist.gov/Downloads.htm
Compare MD5 to Blacklisted MD5s
In [ ]: !open http://virusshare.com/hashes/
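The exact-match triage that cells 27 to 29 perform, together with the whitelist and blacklist comparisons named above, generalised as an added example that is not the notebook's own code: the MD5s of executables dumped from memory are checked against a blacklist in the APT1 / VirusShare style and a whitelist in the NSRL style, and each executable lands in one of three buckets. The file formats are assumptions (one hash per line for the two reference lists, md5sum-style "hash  path" lines for the memory dump; the real NSRL RDS ships as a CSV from which the MD5 column would first have to be extracted), and all three inputs are constructed sample data built with hashlib.

```python
"""Three-way hash triage of executables dumped from memory.

Added example, not code from the original notebook. It generalises the
notebook's set intersection (APT1 MD5s vs. MD5s of carved executables) to a
blacklist / whitelist / unknown split and normalises the inputs so that
case, trailing whitespace, comments and md5sum-style "hash  path" lines all
compare correctly. File formats and contents below are constructed.
"""
import hashlib
import re
from typing import Dict, List, Set

MD5_RE = re.compile(r"^[0-9a-f]{32}$")


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


# Stand-ins for /root/Desktop/APT1md5, an NSRL-style known-good list and
# /root/Desktop/asdf/file.txt; hash values come from hashlib so the sample
# is self-consistent.
APT1_MD5_TEXT = "\n".join([
    "# APT1 indicators (constructed)",
    md5_hex(b"apt1 dropper").upper(),    # upper-case, as some IOC feeds ship
    md5_hex(b"apt1 backdoor") + "   ",   # trailing whitespace
    "not-a-hash",                        # junk line that must be dropped
])
NSRL_MD5_TEXT = "\n".join([md5_hex(b"notepad.exe"), md5_hex(b"svchost.exe")])
MEMORY_MD5SUM_TEXT = "\n".join([
    md5_hex(b"svchost.exe") + "  /root/Desktop/asdf/pid.1024.exe",
    md5_hex(b"apt1 backdoor") + "  /root/Desktop/asdf/pid.2048.exe",
    md5_hex(b"unknown tool") + "  /root/Desktop/asdf/pid.3072.exe",
    "garbage line without a hash",
])


def parse_hash_list(text: str) -> Set[str]:
    """Valid, lower-cased MD5s from a one-hash-per-line list.

    Only the first whitespace-separated token counts, so md5sum output works
    too. Anything that is not 32 hex digits is dropped instead of silently
    becoming a set member that can never match, which is what a bare
    i.strip('\\n') over the file would have produced.
    """
    hashes: Set[str] = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        token = line.split()[0].lower()
        if MD5_RE.match(token):
            hashes.add(token)
    return hashes


def parse_md5sum(text: str) -> Dict[str, List[str]]:
    """Map MD5 -> paths from md5sum-style 'hash  path' lines.

    Several dumped processes can share one binary, hence a list of paths.
    """
    by_hash: Dict[str, List[str]] = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and MD5_RE.match(parts[0].lower()):
            by_hash.setdefault(parts[0].lower(), []).append(parts[1])
    return by_hash


def triage(memory: Dict[str, List[str]], blacklist: Set[str],
           whitelist: Set[str]) -> Dict[str, List[str]]:
    """Bucket every dumped executable as known_bad, known_good or unknown.

    The blacklist is checked first: a hash that somehow sits in both lists is
    still reported, because a whitelist hit must never hide an indicator.
    """
    result: Dict[str, List[str]] = {"known_bad": [], "known_good": [], "unknown": []}
    for digest, paths in memory.items():
        if digest in blacklist:
            result["known_bad"].extend(paths)
        elif digest in whitelist:
            result["known_good"].extend(paths)
        else:
            result["unknown"].extend(paths)
    return {bucket: sorted(paths) for bucket, paths in result.items()}


def run_sample() -> Dict[str, List[str]]:
    return triage(parse_md5sum(MEMORY_MD5SUM_TEXT),
                  parse_hash_list(APT1_MD5_TEXT),
                  parse_hash_list(NSRL_MD5_TEXT))


if __name__ == "__main__":
    for bucket, paths in run_sample().items():
        print(f"{bucket:10s} {paths}")
```

The normalisation is the point of the example: the notebook strips only the newline from each APT1 line and keeps whatever the dump file's first column contains, so an upper-case hash in the indicator list, a trailing space, or a comment line silently becomes a set member that never matches and the empty intersection in Out[29] cannot be distinguished from a parsing problem. An exact hash match, whitelisted or blacklisted, is also only as good as the list it came from; anything in the unknown bucket is what the fuzzy-hash comparison and the memory-analysis plugins on the following slides are for.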
Moar Reading on Fuzzy Hashing
In [35]: !open http://threatthoughts.com/2013/01/28/konig-malware-graph-theory-and-fuzzy-hashes/
In [36]: !open http://ssdeep.sourceforge.net/
In [37]: !open http://jessekornblum.com/presentations/cdfsl07.pdf
Volatility Labs - Month of Volatility Plugins
In [3]: !open http://volatility-labs.blogspot.ca/2012/09/movp-11-logon-sessions-processes-and.html
Paper on Android memory analysis with Volatility
In [5]: !open http://computer-forensics.sans.org/summit-archives/2012/android-mind-reading-memory-acquisition-and-analysis-with-lime-and-
Tool for monitoring installation routines of programs
In [9]: !open http://www.martau.com/installation-monitor.php
In [34]: HTML("<iframe src=https://volatility.googlecode.com/svn/branches/scudette/docs/index.html width=1000 height=400></iframe>")
Out[34]: (rendered iframe)
Volatility Technology Preview Documentation.
1. Tutorial
2. User Manual
a. The Pmem Memory acquisition suite
3. Developer Information
4. References and Further Information
Last updated 20121115 10:38:39 CET
Cuckoobox, Volatility, Yara Video on YouTube
In [11]: YouTubeVideo(id="mxGnjTlufAA", width=600, height=400)
Out[11]: (embedded YouTube video)
Awesome Potential of Visualization for memory space and processes
In [10]: !open http://pinterest.com/pin/95138610848260436/
Books over blogs
In [7]: !open http://pinterest.com/dangleebits/
Awesome Team Responsible for Volatility
In [4]: !open https://code.google.com/p/volatility/wiki/VolatilityTeam