A Geek Raised by Wolves
jessekornblum

Last Call for Volatility Bugs Before Release [Jul. 30th, 2009|06:37 am]

The Volatility Framework developers are wrapping up our month-long call for bugs before the next official release. The framework is a great way to experiment with memory forensics on Windows XP systems and I recommend it to anybody interested in this new field. You can grab the last official release, Version 1.3 Beta 1, from the web site, or the latest code (patched yesterday!) directly from http://code.google.com/p/volatility/ before the final release next week.

If you find something that should be fixed, please either leave a comment here or write to the developers' mailing list. We appreciate the feedback and are looking forward to the big release Real Soon Now(TM).

Volatility Call for Bugs [Jul. 5th, 2009|12:38 pm]

We are aiming to release a new version of the Volatility Framework for memory analysis at the start of August 2009. Although no software is ever perfect, we'd like to publish the best possible code. As such, we're asking everybody to please test out the current version and tell us about any bugs they find.

The code is available on the Volatility homepage on Google Code. As noted on that site, you can download the latest version using Subversion as follows:

svn checkout http://volatility.googlecode.com/svn/trunk/ volatility-read-only

You can download some sample memory images from NIST or hogfly's memory exemplar project, but please feel free to test the framework with your own memory images. Lots of testing has been done with the above images, so the best way to find new bugs is with new memory images! Remember the framework only supports Windows XP Service Pack 2 and 3.

When you find a bug, you can post a comment here, visit the developers on IRC in #Volatility on freenode.net, or write to the developers' mailing list.

Even better than finding a bug is fixing one! By all means please take a stab at fixing whatever problems you find. The best way to submit patches is to make changes to the checked out code and generate a patch file. You can create a patch file like this:

svn diff > mypatches

Here's an example patch to let Volatility run on big-endian systems. Good hunting!

Fixing the 'suspicious.py' Volatility module [Feb. 14th, 2009|11:06 am]

Several people have asked about the following error when using the suspicious.py plugin for Volatility:
Traceback (most recent call last):
  File "volatility", line 219, in <module>
    main()
  File "volatility", line 201, in main
    MemoryRegistry.Init()
  File "/Users/jessek/Volatility-1.3_Beta/forensics/registry.py", line 269, in Init
    OBJECT_CLASSES = VolatilityObjectRegistry(object2.Object)
  File "/Users/jessek/Volatility-1.3_Beta/forensics/registry.py", line 244, in __init__
    raise Exception("Object %s has already been defined by %s" % (obj,self.objects[obj]))
Exception: Object _EPROCESS has already been defined by <class 'example3._EPROCESS'>


The error is caused by a collision of the _EPROCESS object in suspicious.py and example3.py. The easiest way to solve the problem is to remove example3.py from the memory_plugins directory.
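Removing example3.py works for this one collision, but the registry will refuse to start on any pair of plugins that define the same class name. The script below is an added example, not Volatility code: it walks a memory_plugins directory (path and sample plugin files are constructed here, in a temp directory) and reports every class name defined in more than one .py file, so you can see which file to drop or rename before the registry loads them.

```python
"""Find plugin modules that define the same class name.

Added example, not part of Volatility. The registry error above is raised
when two files in memory_plugins/ both define a class called _EPROCESS.
This uses the ast module to list top-level class definitions per file and
reports every name defined by more than one file.
"""
import ast
import os
import sys
import tempfile
from collections import defaultdict


def class_names(source):
    """Return the top-level class names defined in one module's source."""
    tree = ast.parse(source)
    return [node.name for node in tree.body if isinstance(node, ast.ClassDef)]


def find_class_collisions(plugin_dir):
    """Map each class name defined in more than one .py file in plugin_dir
    to the sorted list of files that define it."""
    defined_in = defaultdict(list)
    for fname in sorted(os.listdir(plugin_dir)):
        if not fname.endswith(".py"):
            continue
        with open(os.path.join(plugin_dir, fname)) as f:
            try:
                names = class_names(f.read())
            except SyntaxError:
                continue  # leave files that do not parse to the real loader
        for name in names:
            defined_in[name].append(fname)
    return {name: files for name, files in defined_in.items() if len(files) > 1}


def make_sample_plugin_dir():
    """Constructed sample (hypothetical file contents): two plugins that both
    define _EPROCESS, mirroring the collision in the traceback, plus one
    plugin that does not collide with anything."""
    d = tempfile.mkdtemp()
    files = {
        "example3.py": "class _EPROCESS(object):\n    pass\n",
        "suspicious.py": "class _EPROCESS(object):\n    pass\n\n"
                         "class suspicious(object):\n    pass\n",
        "harmless.py": "class pslist(object):\n    pass\n",
    }
    for name, src in files.items():
        with open(os.path.join(d, name), "w") as f:
            f.write(src)
    return d


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else make_sample_plugin_dir()
    for name, files in sorted(find_class_collisions(target).items()):
        print("%s is defined in: %s" % (name, ", ".join(files)))
```

Run it with the path to your memory_plugins directory; with no argument it checks the constructed sample and reports _EPROCESS as defined in both example3.py and suspicious.py.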

Using Fuzzy Hashing from C# [Jan. 15th, 2009|06:06 pm]

Recently ssdeep user Jose Cintron wanted to use fuzzy hashing in a C# program. After some significant head scratching he came up with the following code necessary to use at least part of the DLL from his program:

using System.Runtime.InteropServices;	// Needed for DllImport
using System.Text;                      // Needed for StringBuilder

public class ssdeepWrapper
{
     // fuzzy.dll should be somewhere in the path or specify exactly
     // where to find it. The library is plain C, so tell the marshaller
     // to use the cdecl calling convention and ANSI (char*) strings;
     // the default DllImport convention on Win32 is stdcall.
     //
     // result must be allocated by the caller with room for a full
     // signature: new StringBuilder(FUZZY_MAX_RESULT), using the value
     // of FUZZY_MAX_RESULT from fuzzy.h for the ssdeep version you built.
     [DllImport("fuzzy.dll", CallingConvention = CallingConvention.Cdecl, CharSet = CharSet.Ansi)]
     public static extern int fuzzy_hash_filename(string fname, StringBuilder result);

     // Returns a match score from 0 to 100.
     [DllImport("fuzzy.dll", CallingConvention = CallingConvention.Cdecl, CharSet = CharSet.Ansi)]
     public static extern int fuzzy_compare(string sig1, string sig2);
}
Any thoughts? Has anybody else tried using fuzzy hashing from a different language?

Python Bindings for Fuzzy Hashing [Jan. 6th, 2009|02:36 pm]

Thanks to the power of open source there are now python bindings for ssdeep. That's right, fuzzy hashing from Python. woohoo!

Foremost version 2.0 is coming [Jul. 16th, 2007|11:38 pm]

After a long break I have once again taken an interest in the active development of Foremost. One of the first major programs I ever wrote, it's a program for extracting files based on their headers and footers. Nick Mikus has been maintaining it for the past two years and has been doing an excellent job. But the time has come for me to step in again. Right now I'm updating the code for version 2.0 which should be ready by the end of the summer.

The biggest (visible) change will be support for the Advanced Forensic Format, or AFF. You can read all about it on the Forensics Wiki. AFF comes with a library that lets programs read compressed disk images directly, whether in native AFF or in EnCase's EWF format.

With the advent of CarvFS, this new version of Foremost may not be such an innovation for *nix users. But it should be a boon for Windows users. For the first time Foremost will be available, fully supported, for the Win32 platform. This means you'll be able to download and run a version of Foremost for your Windows box without all of that mucking about with Cygwin. (Don't get me wrong, Cygwin rocks, but it's not always available on an analysis machine.)

What else would you like to see in the new Foremost? I'll be working on the existing feature requests and bugs, but what else do you need?
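For readers who have not looked inside a carver, here is the header/footer technique Foremost is built on, as an added example that is not Foremost's code. It scans a raw image for a known header, then for the matching footer within a maximum size, over a constructed in-memory image; the magic bytes are the real JPEG and GIF ones, the maximum sizes and the sample image are my own.

```python
"""Minimal header/footer file carver, the technique Foremost implements.

Added example, not Foremost's code. It shows the rules a carver needs:
search for the footer only after the header, carve max_size bytes when
no footer is found (a truncated file), and resume scanning after the
carved file rather than at the next byte.
"""

# (name, header, footer, max_size). footer=None means always carve max_size.
# Magic bytes are the real ones; the 2 MiB limits are illustrative.
SIGNATURES = [
    ("jpg", b"\xff\xd8\xff", b"\xff\xd9", 2 * 1024 * 1024),
    ("gif", b"GIF8", b"\x00\x3b", 2 * 1024 * 1024),
]


def carve(image, signatures=SIGNATURES):
    """Return [(name, offset, data)] for every file found, sorted by offset."""
    found = []
    for name, header, footer, max_size in signatures:
        pos = 0
        while True:
            start = image.find(header, pos)
            if start == -1:
                break
            window = image[start:start + max_size]
            end = len(window)  # default: no footer in range, take max_size (or to EOF)
            if footer is not None:
                f = window.find(footer, len(header))
                if f != -1:
                    end = f + len(footer)
            found.append((name, start, window[:end]))
            pos = start + end  # resume after this file
    return sorted(found, key=lambda item: item[1])


def make_sample_image():
    """Constructed sample image: a JPEG, a GIF and a truncated JPEG (the
    image ends inside it, so no footer), separated by zero filler."""
    filler = b"\x00" * 16
    jpg1 = b"\xff\xd8\xff\xe0" + b"A" * 40 + b"\xff\xd9"
    gif = b"GIF89a" + b"B" * 30 + b"\x00\x3b"
    jpg2 = b"\xff\xd8\xff\xe1" + b"C" * 20
    return filler + jpg1 + filler + gif + filler + jpg2


if __name__ == "__main__":
    for name, offset, data in carve(make_sample_image()):
        print("%s at offset %d, %d bytes" % (name, offset, len(data)))
```

The obvious limitation is also instructive: a JPEG with an embedded EXIF thumbnail contains a second FFD8/FFD9 pair, so pure footer matching ends the outer file at the thumbnail's footer. That is why real carvers need format-aware parsing for such types rather than relying on the footer alone.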

Open Source Encase Tools [May. 13th, 2007|10:53 pm]

Although I had heard of the project before, this week I got a chance to play around with the tools from the libewf project. It's designed to parse the Expert Witness Compression Format (EWF), which is used by both EnCase and SMART images. Very cool!

Parsing web server logs for search queries [Feb. 24th, 2007|10:39 am]

I've been looking at my web server logs recently because, well, I'm a geek and my wife is out of town. Using some homebrew scripts I've been able to get a peek at what people have been searching for when they reach my web site.

Every time you view a web page your computer sends a bunch of information to the web server sending you the page. Not only does your computer ask for a particular page, but it also says which page you are coming from. For example, if you're viewing http://www.whitehouse.gov/ and click on the link for http://svr.gov.ru/ [1], the svr.gov.ru web server is told that you came from www.whitehouse.gov. The site that sent you to a new web site is called the referring site and the specific page you were on is called the referring URL [2].

The referring URL can be very informative when dealing with search engines. When you run a search on Google, for example, your search terms appear in the URL. Searching for "Happy Puppies" on Google sends me to the page http://www.google.com/search?hl=en&q=%22Happy+Puppies%22&btnG=Google+Search. See the words "Happy Puppies" in there? If the user then clicks on a link from that page, the Google URL, including the search term, is sent to the web site hosting the search result.

For example, let's say that somebody searches for the phrase "jesse kornblum" on Google and then follows a link to my site. My computer will record something like this in the log:

18.72.0.3 - - [01/Jan/1904:15:34:11 -0500] "GET /porn/goats/hotgoat07.html HTTP/1.0" 200 8417 "http://www.google.com/search?hl=en&q=jesse+kornblum" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)"

In this record, we see somebody from the IP address 18.72.0.3 used Google to search for "jesse kornblum" at 3:34pm on 1 Jan 1904. The logging format, although complete, can be a little tedious to read by hand. Thus I wrote a quick and dirty script to parse out the search terms.

Most of the searches involved my name, tools I had written, presentations I had given, or something else that made sense. But along with those have been some really interesting queries:

Zoey the dog
zoey naked
naked zoey
luke for zoey
WHY DOGS HIDE UNDER THE BED
caninity
a bigger dog
Zoey ER
tennis zoey
play bows
zoey 18
7508736 BIOS
3efea3144abee232fda1719d2c1a4066
under the clothes
18 inches
goat farm
cow and goat
your a goat
farm cow
koala gif
out of time the horse
horse run
goat milks
horse cow
in peril


[1] This is the web site for the Служба внешней разведки (Sluzhba Vneshney Razvedki), or the Russian Foreign Intelligence Service.

[2] My proxy server, Privoxy, helps me by always sending the referring URL as belonging to the new site I'm visiting. For example, if I'm visiting http://www.whitehouse.gov/pages/context04.html and click on the link for http://svr.gov.ru/, my computer sends the referring URL as http://www.svr.ru/.

dcfldd Clarification [Jan. 24th, 2007|03:59 pm]

There has been some confusion regarding my involvement in the dcfldd project. Although I submitted a patch and helped create the web site, the real author is Nicholas Harbour. He wrote the original program and has been maintaining it since. I'm flattered people would associate my name with such a great product, but the credit belongs to Nick!

Five Sample Windows Memory Images [Jan. 6th, 2007|12:22 pm]

Windows memory analysis hit the big time with the 2005 DFRWS Memory Analysis Challenge. A lot of great work has been done since then, but for the most part it has been limited to Windows 2000 systems. I believe part of that limitation stemmed from the lack of memory images from other operating systems. It's hard to make a point about Windows XP memory images when there's no image that everybody shares.

That's why Brian Carrier and I have published five new Windows memory images for academics, tool developers, and practitioners to work with. Three of them come from a standalone machine with 1GB of RAM running Windows 2000, Windows 2003, and Windows Vista Beta 2. The other two images both come from a laptop running Windows XP. To my knowledge, none of these machines had any kind of malicious software running on them. Enjoy!

Push data to the pagefile [Oct. 11th, 2006|11:15 am]

One of the next steps in Windows memory analysis will be to parse the paging file, the on-disk backing store for virtual memory. The operating system moves pages there when they don't fit into physical memory. A number of researchers have sought a way to reliably push data to the pagefile so that they can practice finding it.

I've written a simple program that attempts to allocate an infinite amount of memory and thus pushes other things out to the pagefile. The program's copyright notice is longer than the code and is available as a Windows executable or source code. Quitting the program by hitting Control-C will free up everything again. Have fun!
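The same trick in a portable form, as an added example rather than the author's program: allocate memory in chunks and, crucially, write into every page of each chunk. Memory that is only reserved and never touched is not resident, so it pushes nothing out. The page size and chunk size below are assumptions.

```python
"""Push other processes' pages out to the paging file by hogging RAM.

Added example, not the author's program. With no argument it keeps
allocating until the OS refuses, then holds the memory until Control-C;
a numeric argument caps the amount in MiB. Everything is released when
hog_memory returns.
"""
import sys
import time

PAGE = 4096  # assumed page size: 4 KiB on x86 Windows and Linux


def touch(buf, stride=PAGE):
    """Write one byte into every page of buf so the OS must back it with
    real memory. Returns the number of pages touched."""
    for i in range(0, len(buf), stride):
        buf[i] = 0x41
    return (len(buf) + stride - 1) // stride


def hog_memory(limit_bytes=None, chunk_bytes=64 * 1024 * 1024, hold=False):
    """Allocate and touch chunks until limit_bytes is reached (None means
    until the allocator raises MemoryError). With hold=True, keep the memory
    until Control-C. Returns the number of bytes committed."""
    chunks = []  # keeps every chunk alive until we return
    total = 0
    try:
        while limit_bytes is None or total < limit_bytes:
            size = chunk_bytes if limit_bytes is None else min(chunk_bytes, limit_bytes - total)
            buf = bytearray(size)
            touch(buf)
            chunks.append(buf)
            total += size
    except MemoryError:
        pass             # the OS refused more: hold what we have
    except KeyboardInterrupt:
        return total     # user quit early; chunks are freed on return
    if hold:
        try:
            while True:
                time.sleep(1)
        except KeyboardInterrupt:
            pass
    return total


if __name__ == "__main__":
    limit = int(sys.argv[1]) * 1024 * 1024 if len(sys.argv) > 1 else None
    committed = hog_memory(limit, hold=True)
    print("committed %d MiB" % (committed // (1024 * 1024)))
```

On Windows the commit charge is checked when the allocation is made, so MemoryError arrives once the page file is full. On Linux with overcommit enabled the allocation usually succeeds and the OOM killer terminates the process while pages are being touched, so pass an explicit limit there.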

The Washington Post Learns [Mar. 26th, 2006|09:46 am]

A few weeks ago The Washington Post made a serious error by publishing an image online whose metadata essentially outed a confidential source. It appears they have learned their lesson. Today's edition contains a similar style of picture (i.e. only the subject's left eye is visible) with the caption "Patricia, 56, of the District has been HIV positive for 20 years and has lost a sister and a young nephew to complications of AIDS. Still, only a handful of friends know her secret." Thankfully, the metadata for this image contains only:
PLEASE DO NOT LIGHTEN THIS IMAGE WHICH WAS DELIBERATELY SHOT TO MAKE THE SUBJECT UNRECOGNIZIBLE ** SLUG: ST-AIDS2 PHOTOGRAPHER: NIKKI KAHN/THE WASHINGTON POST DATE 03/22/2006 LOCATION: Women's Collective Washington DC. CAPTION: Patricia, 56, of Washington, D.C., is HIV positive. She is photographed at Women's Collective in Washington, D.C., on Wednesday, March 22, 2006. Staff photo imported to Merlin on Sat Mar 25 18:09:03.
The full article is "Once at Front Line of AIDS War, District Is Now Fighting Blind."

LJ Information Leak [Jan. 23rd, 2005|09:34 pm]

This issue may have been beaten to death before, but I've noticed an interesting information leak in LiveJournal. If you have a lot of friends, you can make groups of friends and filter your friends page accordingly. For example, if you have a group of friends called "people-from-work" you can view just these people's entries using the URL http://www.livejournal.com/~username/friends/people-from-work.

Although other users shouldn't be able to see the names you've given your friend groups, if you click on a link from your filtered friends page, the current URL will be passed to the new web server as the referring page. The referring page is recorded in the web server's log files. For example, here's what an entry from my log files would look like. Notice the filter they used for me:

63.161.169.137 - - [23/Jan/2005:10:31:50 -0500] "GET /page.html HTTP/1.1" 200 1089 "http://www.livejournal.com/~username/friends/unpatriotic-scum" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"

So if I want to see what filters you are using, all I have to do is make a link to something on my site that you are sure to click on and check my web server logs. Are you using filters? If so, are the names for those filters something you'd rather other people not see? Has this issue been reported to the LJ staff? Should it be included in the FAQ?
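Both this entry and "Parsing web server logs for search queries" above come down to reading the Referer field out of Apache combined-format log lines. The script below is an added example (not the author's "quick and dirty script"): it parses such lines and reports the two leaks described, the q= parameter of a Google results page and the filter name in a LiveJournal ~user/friends/filter URL. The log lines are constructed, modelled on the two shown in the entries; the search-engine parameter table and the LiveJournal path pattern are my assumptions, and only the ~user path form from this entry is handled.

```python
"""Pull search terms and LiveJournal friends-filter names out of Apache logs.

Added example, not the author's script. Parses Combined Log Format lines
and classifies what the Referer field leaks.
"""
import re
from urllib.parse import urlsplit, parse_qs, unquote

# host ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Assumed query-string parameter that carries the search terms per engine.
SEARCH_PARAM = {"www.google.com": "q", "search.yahoo.com": "p", "www.bing.com": "q"}

# Assumed LiveJournal filtered friends-page path, as in the entry above.
LJ_FILTER_RE = re.compile(r"^/~(?P<user>[^/]+)/friends/(?P<filter>[^/?#]+)/?$")


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def search_terms(referer):
    """Return the search query carried by a search-engine referer, or None."""
    u = urlsplit(referer)
    param = SEARCH_PARAM.get(u.netloc.lower())
    if not param:
        return None
    values = parse_qs(u.query).get(param)   # parse_qs decodes %xx and '+'
    return values[0] if values else None


def lj_filter(referer):
    """Return (username, filter name) from a LiveJournal filtered friends-page
    referer, or None."""
    u = urlsplit(referer)
    if not u.netloc.lower().endswith("livejournal.com"):
        return None
    m = LJ_FILTER_RE.match(u.path)
    return (m.group("user"), unquote(m.group("filter"))) if m else None


def referer_leaks(lines):
    """Classify every parsable line with a referer: [(host, kind, value)]."""
    out = []
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["referer"] in ("", "-"):
            continue
        q = search_terms(rec["referer"])
        if q is not None:
            out.append((rec["host"], "search", q))
            continue
        f = lj_filter(rec["referer"])
        if f is not None:
            out.append((rec["host"], "lj-filter", f[1]))
    return out


# Constructed sample log lines (paths and the last two hosts are made up).
SAMPLE_LOG = [
    '18.72.0.3 - - [01/Jan/1904:15:34:11 -0500] "GET /tools/index.html HTTP/1.0" 200 8417 '
    '"http://www.google.com/search?hl=en&q=jesse+kornblum" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
    '63.161.169.137 - - [23/Jan/2005:10:31:50 -0500] "GET /page.html HTTP/1.1" 200 1089 '
    '"http://www.livejournal.com/~username/friends/unpatriotic-scum" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
    '10.0.0.5 - - [24/Feb/2007:10:39:00 -0500] "GET /zoey.html HTTP/1.1" 200 512 '
    '"http://www.google.com/search?hl=en&q=%22Happy+Puppies%22&btnG=Google+Search" "Mozilla/5.0"',
    '10.0.0.6 - - [24/Feb/2007:10:40:00 -0500] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for host, kind, value in referer_leaks(SAMPLE_LOG):
        print("%-16s %-10s %s" % (host, kind, value))
```

Feed it `referer_leaks(open("access.log"))` to run over a real log; lines that do not match the combined format, and direct visits whose referer is "-", are skipped rather than guessed at.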

A research opportunity [Nov. 17th, 2004|01:15 pm]
[Current Mood | geeky]

Yesterday I was talking to [info]bkdelong about what percentage of Internet devices comply with RFC 1918 (Allocation for Private Internets). I had no idea, and Google wasn't much help. Here are the questions I'd like to see answered:
  1. If a packet with a forged header is injected into the network at end location $_ (for all $_ in the Internet), will it reach its destination?

  2. If a packet with a forged header is injected into the network on a backbone, will it reach its endpoint?

  3. Are there pathways on the Internet that allow packets with forged headers? (Would these be the "dark alleys" of the Internet?) <-- Don't you love research projects that come with their own press release titles?)
Has anybody done a study like this? Would anybody have the resources to help me do it? I would need the ability to inject custom crafted packets at certain points and measure whether they were received at other endpoints and at points along the way.

Damn bugs! [Mar. 25th, 2004|05:44 pm]
[Current Mood | angry]

Today I discovered a bug in the md5deep program I released last week. Although I've already fixed the problem and put out a new version, it always aggravates me when this happens. Grr! Would anybody be interested in doing full time software testing for my work?

Your tax dollars spent on hash [Mar. 2nd, 2004|02:27 pm]

Well, sort of.

The National Institute of Standards and Technology (NIST) has a project called the National Software Reference Library (NSRL). In their words, "The NSRL provides a repository of known software, file profiles, and file signatures for use by law enforcement and other organizations in computer forensics investigations." It's a collection of hashes, like those generated by my program md5deep, for major software packages, viruses, trojans, etc.: files that you would want to identify on your system. (md5deep can read NSRL files as input for matching!)
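What matching against the NSRL looks like in practice, as an added example that is neither md5deep nor NIST code: load the MD5 column of an NSRLFile.txt-style CSV into a set, hash every file under a directory, and split them into known and unknown. The column layout ("SHA-1","MD5","CRC32","FileName","FileSize","ProductCode","OpSystemCode","SpecialCode") is my assumption about the NSRL file format, and the files and hash set are constructed in a temp directory.

```python
"""Match files on disk against an NSRL-style MD5 hash set.

Added example, not md5deep or NIST code. Only the MD5 column is used.
"""
import csv
import hashlib
import os
import tempfile

# Assumed NSRLFile.txt column layout.
NSRL_COLUMNS = ("SHA-1", "MD5", "CRC32", "FileName", "FileSize",
                "ProductCode", "OpSystemCode", "SpecialCode")


def load_nsrl_md5s(fileobj):
    """Stream an NSRL-style CSV and return its MD5 column as a set of
    lowercase hex digests (the real file is huge; never read it whole)."""
    return {row["MD5"].strip().lower()
            for row in csv.DictReader(fileobj) if row.get("MD5")}


def md5_file(path, chunk=1 << 20):
    """Hash a file in chunks so large files need not fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def match_tree(root, known_md5s):
    """Walk root; return (known, unknown) lists of paths relative to root."""
    known, unknown = [], []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            (known if md5_file(path) in known_md5s else unknown).append(rel)
    return sorted(known), sorted(unknown)


def scan(files_root, nsrl_path):
    """Load the hash set from nsrl_path and match everything under files_root."""
    with open(nsrl_path, newline="") as f:
        return match_tree(files_root, load_nsrl_md5s(f))


def make_samples():
    """Constructed sample: three small files, two of which are listed in a
    tiny NSRL-style hash set. Returns (files_root, nsrl_path)."""
    base = tempfile.mkdtemp()
    files_root = os.path.join(base, "files")
    os.mkdir(files_root)
    contents = {
        "notepad.exe": b"not really notepad\n",
        "calc.exe": b"not really calc\n",
        "dropper.exe": b"unknown to the NSRL\n",
    }
    for name, data in contents.items():
        with open(os.path.join(files_root, name), "wb") as f:
            f.write(data)
    nsrl_path = os.path.join(base, "NSRLFile.txt")
    with open(nsrl_path, "w", newline="") as f:
        w = csv.writer(f, quoting=csv.QUOTE_ALL)
        w.writerow(NSRL_COLUMNS)
        for name in ("notepad.exe", "calc.exe"):
            data = contents[name]
            w.writerow((hashlib.sha1(data).hexdigest().upper(),
                        hashlib.md5(data).hexdigest().upper(),
                        "00000000", name, str(len(data)), "1", "WIN", ""))
    return files_root, nsrl_path


if __name__ == "__main__":
    files_root, nsrl_path = make_samples()
    known, unknown = scan(files_root, nsrl_path)
    print("known:  ", known)
    print("unknown:", unknown)
```

The unknown list is what an examiner actually reads: everything the NSRL vouches for drops out, and what is left is either user data or something that deserves a closer look.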

This summer, NSRL is sponsoring a conference to discuss hashing tools and techniques called Hash-a-pa-looza. I put in for a speaking slot this morning.

The zip file of life, the universe, and everything [Feb. 18th, 2004|06:31 am]
[Current Mood | geeky]
[Current Music |Chicane - Saltwater]

In a recent debate over zip files and e-mail virus scanners, I found quite possibly the world's coolest zip file. The file is only 42K, but when fully expanded, is over 4.5 petabytes. (For the uninitiated, a petabyte comes after terabyte, which comes after gigabyte.) No, it doesn't have much practical value, but it's a very cool proof of concept!
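The practical side of that debate is how a scanner should size up an archive before it extracts anything. Below is an added example, not from the original post: it reads only the zip central directory (declared sizes), descends into nested .zip members up to a depth limit while decompressing no more than a bounded amount, and flags archives whose declared-to-compressed ratio or nesting depth is implausible. The thresholds are my assumptions and the sample archives are constructed in memory; declared sizes come from the untrusted archive, so this is a screening heuristic, not proof.

```python
"""Size up a zip archive without extracting it, to catch zip bombs.

Added example, not from the original post. Uses only the standard library.
"""
import io
import zipfile


def inspect_zip(blob, max_ratio=200.0, max_depth=2,
                max_nested_bytes=16 * 1024 * 1024, _depth=0):
    """Report on the zip in blob (bytes). 'declared' counts what a full
    recursive extraction would write; 'reasons' says why it looks suspicious."""
    report = {"declared": 0, "compressed": 0, "max_depth": _depth, "reasons": []}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            report["declared"] += info.file_size
            report["compressed"] += info.compress_size
            if not info.filename.lower().endswith(".zip"):
                continue
            if _depth + 1 > max_depth:
                report["reasons"].append("nesting deeper than %d at %s" % (max_depth, info.filename))
                continue
            if info.file_size > max_nested_bytes:
                report["reasons"].append("nested archive too large to inspect: %s" % info.filename)
                continue
            # The only decompression we do, and it is bounded by max_nested_bytes.
            inner = inspect_zip(zf.read(info.filename), max_ratio, max_depth,
                                max_nested_bytes, _depth + 1)
            report["declared"] += inner["declared"]
            report["max_depth"] = max(report["max_depth"], inner["max_depth"])
            report["reasons"].extend(inner["reasons"])
    report["ratio"] = report["declared"] / float(report["compressed"] or 1)
    if report["ratio"] > max_ratio:
        report["reasons"].append("ratio %.0f:1 exceeds %.0f:1" % (report["ratio"], max_ratio))
    report["suspicious"] = bool(report["reasons"])
    return report


def _zip_bytes(members):
    """Build a deflate-compressed zip in memory from [(name, data)]."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members:
            zf.writestr(name, data)
    return buf.getvalue()


def make_samples():
    """Constructed samples: a benign text archive and a two-level bomb whose
    inner archive holds 8 MiB of zeros (deflate packs that about 1000:1)."""
    benign = _zip_bytes([("readme.txt", b"hello world\n" * 50)])
    inner = _zip_bytes([("zeros.bin", b"\x00" * (8 * 1024 * 1024))])
    bomb = _zip_bytes([("inner.zip", inner)])
    return benign, bomb


if __name__ == "__main__":
    for name, blob in zip(("benign", "bomb"), make_samples()):
        r = inspect_zip(blob)
        print("%s: %d bytes declared, ratio %.0f:1, depth %d, %s"
              % (name, r["declared"], r["ratio"], r["max_depth"], r["reasons"] or "ok"))
```

The depth limit matters as much as the ratio: a scanner that recurses into every nested archive it finds can be kept busy indefinitely, and a bomb's outer layer by itself often has an unremarkable ratio, so the nested sizes have to be added up.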
