InfoSec Weekly Roundtable/Discussion

[0E 800]

I will download vm and convert to liveiso for people who would rather boot from USB or install to hdd.

Might even optimize it by removing unity and using lxde or xfce. Thanks blindfuzzy for your time and proactive approach to educate this community.

[blindfuzzy]

The front page will now include links to the recordings so you guys don't have to sift through a million posts to find them.

[blindfuzzy]

Today's Discussion:

<blindfuzzy> Lets get started with Rekall
<blindfuzzy> What is Rekall? It's an advanced memory analysis solution.Historically a fork of the Volatility memory analysis framework Most code re-written/updated.Fully open source and GPL - all commits are public.Focus on: code quality - public code reviews. performance. ease of use as a library - Integrated into other tools.
* Synfer googles around
<blindfuzzy> aka it's awesome...and more specifcally it's awesome for live memory analysis
<blindfuzzy> http://www.rekall-forensic.com/
<blindfuzzy> ^Synfer
<Synfer> Was on it yep
<blindfuzzy> If you weren't here last week we talked about a SANS VM SIFT Workstation
<blindfuzzy> Rekall is one of the many tools included in that VM
<Synfer> Hmhm
<blindfuzzy> Typically the proccess for acquiring a memory image goes like this winpmem on malicious computer > mount memory image from winpmem into SIFT > start up Rekall and analize
<blindfuzzy> Rekall is different from all the other memory analysis tools because it doesnt rely on guessing global values and instead focuses on exact symbol information on the analyized system.
<blindfuzzy> Rekall holds over 200 different kernel profiles
<Synfer> :O
<blindfuzzy> Which takes guessing global values out the equation
<blindfuzzy> In turn making Rekall faster, more reliable and more acurate
<blindfuzzy> It works similar to a kernal debugger just without debugger blocking which malware can easily overwrite
<blindfuzzy> It also supports tools like Winpmem, OSXpmem, Linux pmem + LAMP tool
<blindfuzzy> Rekall has 3 user interfaces: Command line (my fav), Interactive, and a Web GUI
<blindfuzzy> Using the command line interface allows us to interactively examine data and script complex analysis
<blindfuzzy> The Web GUI is awesome too! IT allows the user to annontate notes, create a "mini" report, and persistent file storage in the form of Zip files errr based on Zip files if I remember
<blindfuzzy> The output of Rekall plugins is in JSON format. Which we know is machine readable and can be exported
<blindfuzzy> I was actually albe to siphon the data to a Splunk instance and analyize data further
<Synfer> Looks great, although I didn't really get interested in forensics I might have a look at it
<blindfuzzy> Getting into image formats with Rekall
<blindfuzzy> Traditionally acquisition tools (like dd) simply wrote out a RAW format image. This is by far the simplest image file format. In this format, the physical address space is written byte for byte directly into the image file.
<blindfuzzy>  The nice thing about a raw image is that you don’t need any special tools to read it - every byte in the file corresponds to the same address in physical memory. Some of the earliest memory analysis tools therefore only worked on RAW images.
<blindfuzzy> There are some issues with raw images
<blindfuzzy> No ability to store sparse regions - all reserved regions must be padded in the image with zeros giving a larger image size. For example if you have 4GB of RAM, there will be about 1GB PCI hole reserved for DMA (e.g. video cards), so the RAW image is actually 5GB in size.
<blindfuzzy> No support for compression, encryption etc. This is a problem because sometimes using a fast compressor can actually produce higher throughput by minimizing IO.
<blindfuzzy> No support for additional metadata. This is required for the acquisition tool to tell us these critical constants we need for analysis...
<blindfuzzy>  No support for embedding additional files, such as the pagefile, kernel image etc.
<blindfuzzy> There are some others used but none of them have the feaures we need
<blindfuzzy> The Microsoft Crashdump file, for example, is commonly used with windows images - however this is a proprietary, undocumented file format with no support for compression or embedding (although it supports some windows specific metadata) it is also non-extensible. I do not recommend acquiring with this format directly - if you need to analyze the image with the windows debugger I recommend using the Rekall "raw2dmp" plugin to create a dump file later.
<blindfuzzy> AFF4 format is built on top of the standard ZIP format. Which means we can use a regular zip program to check out an AFF4 volume
<blindfuzzy> AFF4 is pretty standard although raw files come in all the time for analysis
<blindfuzzy> so the winpmem command would look like this: winpmem_2.0.1.exe -o test.aff4
<blindfuzzy> Loading it into Rekall looks like this: "c:\Program Files\Rekall\rekal.exe" -f test.aff4
<blindfuzzy> More info here: http://forensicswiki.org/wiki/Rekall
<blindfuzzy> http://www.rekall-forensic.com/docs/References/Presentations/AntiForensic.html <---great presentation
<blindfuzzy> Thie biggest difference between Rekall and Volatility is Rekall is more modular and supports a great deal more
<blindfuzzy> The guys I know that work on Volatility would kill me for saying that but it's true
<blindfuzzy> Rekall can be a pain though
<blindfuzzy> It's a 'newish" concept. So there are bumps and bruises it has.
<blindfuzzy> Like with anything
<blindfuzzy> So I don;t want to get into all of Rekalls plugins because I will be covering those "live" next week. Where I will walk through the proccess of memory acquistion and sending the image to rekall and conducting intial analysis on the image using Rekall's plugins
<blindfuzzy> We'll examine a keylogger I wrote for SANS in the live show next week and get into more about using Rekall. This talk was ment to be something that got everyones "feet wet" persay

[blindfuzzy]

I'm getting lazy but this weeks topic was on: Tools are tools...and I don't mean that in a good way.

I pretty much bitched about how new people are coming in to the industry and relying heavily on tools and scanners and not having much manual testing skills. A big epidemic in the industry these days in my opinion.

STAY TUNED FOR THE LINK TO THE DISCUSSION!

[0E 800]

Meeting #6 (maybe its 7?)
1.27.2016

Tools are for tools:

https://www.youtube.com/watch?v=kPFTv5NvZb0

[blindfuzzy]

Meeting #6 (maybe its 7?)
1.27.2016

Tools are for tools:

https://www.youtube.com/watch?v=kPFTv5NvZb0

Thank you sir! Front page has been updated with the link.

[blindfuzzy]

This weeks topic will be on Dridex the banking trojan.

Quick resource here to spin you up on what exactly Dridex is and does...etc: https://www.us-cert.gov/ncas/alerts/TA15-286A

[blindfuzzy]

Front page has been updated with Meeting #7 video.

[blindfuzzy]

Tomorrows meeting has been cancelled. Can pm me for further details.

[blindfuzzy]

This weeks topic is: You can no haz mai dataz FBI

[0E 800]

@Sec_Meet

Meeting #8   02.17.2016

Apple vs FBI

https://www.youtube.com/watch?v=u-36WSkzlp4