Learning iPython Notebook Volatility Memory Forensics

3/6/13 IPython Notebook

Next Steps - Where do you go from here?

I [] fo Iyhncr.ipa ipr Iae
n 2: rm Pto.oedsly mot mg
fo Iyhncr.ipa ipr HM
rm Pto.oedsly mot TL
fo Iyhnlbdslyipr Yuueie
rm Pto.i.ipa mot oTbVdo

.

.

.

Google Rapid Response - GRR

I [] !pnhts/cd.ogecmpgr
n 4: oe tp:/oegol.o//r/

.

.

.

Keep the conversation going on Twitter

I [] !pnhts/titrcmbgnrdd
n 5: oe tp:/wte.o/isafue

.

.

.

Find all the material on this talk on Github

I [] !pnhts/gtu.o/isafue
n 6: oe tp:/ihbcmbgnrdd

.

127.0.0.1:8888/6f10bc63-098a-499f-bd64-38e40467f465/print 1/11


.

.

I [] Iaeflnm=/sr/nie/eko/isafaoptc1pg)
n 6: mg(ieae"UesatgnDstpbgnrhdosak.n"

Ot6:
u[]

I [] Iaeflnm=/sr/nie/eko/isafore.n"
n 7: mg(ieae"UesatgnDstpbgnrjunypg)

Ot7:
u[]

127.0.0.1:8888/6f10bc63-098a-499f-bd64-38e40467f465/print 2/11


.

.

.

Hadoop meets Sleuthkit

I [] !pnht:/w.luhi.r/s_aop
n 2: oe tp/wwsetktogtkhdo/

.

.

.

Python meets log2timeline

I [] !pnht:/ls.idln.e/
n 1: oe tp/paokdaadnt

.

.

.

127.0.0.1:8888/6f10bc63-098a-499f-bd64-38e40467f465/print 3/11


DFIR and Machine Learning - Match made in heaven waiting to happen

I [] !pnht:/cktlanogsal/
n : oe tp/sii-er.r/tbe

I [] !pnht:/rp.asuld/psvltxe21/70pfdge_02i0_19s27.d
n : oe tp/dosdgth.eou/olet/0339/d/arpv0_09p0_131pf

.

.

.

.

Fuzzy Hashing with ssdeep

I [0: !pnht:/sepsucfrent
n 3] oe tp/sde.oreog.e/

I [] !pnht:/fw.r/06poedns1-onlmpf
n 1: oe tp/drsog20/rceig/2Krbu.d

.

.

.

Integration with Python Indicators of Compromise?

I [] !pnhts/gtu.o/efrnrpic
n 1: oe tp:/ihbcmjfbye/yo

.

.

.

Thanks to Hacker School NYC

127.0.0.1:8888/6f10bc63-098a-499f-bd64-38e40467f465/print 4/11


Hacker School is a three-month, full-time school in New York for becoming a better programmer. We're free as in beer, and provide space, a little structure, time to focus,
and a friendly community of smart builders dedicated to self-improvement.

I [] !pnhts/wwhcesho.o/
n 8: oe tp:/w.akrcolcm

.

.

.

Memory Forensics Cheat Sheet

I [] !pnhts/bossn.r/optrfrnisfls21/4Mmr-oesc-ha-he-1pf
n 1: oe tp:/lg.asogcmue-oesc/ie/020/eoyFrnisCetSetv.d

.

.

.

Create images and graphs from arrays

I [2: X=n.ra(01234)
n 3] pary[,,,,]
Y=n.ra(35467)
pary[,,,,]

I [3: po(,)
n 3] ltXY

Ot3] [mtlti.ie.ieDa 09d5c]
u[3: <apolblnsLn2 t x4b8>

.

.

127.0.0.1:8888/6f10bc63-098a-499f-bd64-38e40467f465/print 5/11


.

Here is the documentation I used in this presentation

I [] !pnhts/vltlt.ogeoecmsnbace/cdtedc/uoilhm
n 1: oe tp:/oaiiygolcd.o/v/rnhssuet/osttra.tl

.

.

.

Comparing MD5 APT1 Hashes agains files

I [7: at_ds=oe(/otDstpATm5)ralns)
n 2] p1m5 pn'ro/eko/P1d'.edie(
at_e_it=st[.ti(' frii at_ds0])
p1stls e(isrp'n) o n p1m5[:]
at_e_it
p1stls

Ot2] st[dfdb5d1629e03c8d'
u[7: e('394c1be00330f799,
'414ef6ff6f55d37e,
cf4fb1f83d13354c'
'838512df12695c14,
b8fea401516b231c'
'76facec58833028e,
6f25cfafe2cb954f'
'5a17b2bddef9aadd,
4a47b4e3e5d374ae'
'12fb54f4ee596acc,
f7f6610326e16e34'
'c581ab0950b83cd9,
5d764f5b2086bacb'
'5a1cbeae5a890608,
7ddcaa8dbbe9dc3f'
'eda7c98e9c657b11,
a1d8c59d7eb82bd9'
'432b3e0335ba37cc,
a41e6d028a75921d'
'7fa3dd9d74970bcf,
9342861bcb27b79e'
'9dfa2920f3048e1b,
3012601145c3caf4'
'b4d3ee18d446693c,
a45ae48a4647f6d5'
'e8b242e55ac18ffe,
566d802359961d81'
'20adc77b9b92ed90,
559b1cbf3119909c'
'919f42c6aa84ba3b,
dbc5b44f90ce03b9'
'00438ab6e7d1c17f,
28f638eedbef10ff'
'd51301fc4318f6de,
b1746c2facce6c90'
'032526b3eabb313d,
c148a7a932293b0c'
'80df3492df2c0341,
949b42104b08044c'

I [8: mmr_xctbe_D =oe(/otDstpad/iett)ralns)
n 2] eoyeeualsM5 pn'ro/eko/sffl.x'.edie(
mmr_xctbe_D_e_it=st[.pi([]frii mmr_xctbe_D[:]
eoyeeualsM5stls e(islt)0 o n eoyeeualsM50])
mmr_xctbe_D_e_it
eoyeeualsM5stls

Ot2] st[a5c0ed5e0b1bd7a4'
u[8: e('d2ede94466a18c2d,
'1670c62e0ff1289a,
17bd1eafce3467f7'
'7d2715886a6edcfa,
693f2b9f3d05e01a'
'10cd8542da536a05,
ee0251e198c0ffc9'
'd20b28911b256c20,
1b7bd0f6cee93481'
'695b79a55ddcfce9,
8caff207a8074ca7'
'32e792f69d9d5d6d,
38962a98d324979c'
'ee6d0d3570aef212,
1166eeb0a61965c3'
'a83026d74f1f3f8a,
5a631b929812b9a5'
'28d86314b7dea421,
83f77f3d79b09ee2'
'834ec4e08e0d2745,
6cce901bc8cd2d3d'
'113dbc77b05331b7,
2c8cacc65528182c'
'0af1d11a42ecc239,
170860cc009d39a2'
'ac46f47618d7b8b9,
b142c9ad3a5982f1'
'54e4de3260327e99,
8ae29850a2b9dc52'
'222a1ee61aeff79e,
b8310b54ab3cf42e'
'fcd7781259ea1153,
7fa85f5ffec6da46'
'906db338e7990b50,
86fc46a795f4f68e'

127.0.0.1:8888/6f10bc63-098a-499f-bd64-38e40467f465/print 6/11


'73fff2c11b867ae2,
ea516872cb4e97a7'
'3427ad09e97ca777,
e4366e506751f6a2'
'd38f211de1eb7f0c,
6c45c4af5937e71b'
'2a9a29ad949a055f,
b535b9bfc90c9592'
'b2aa5f3c5a7b7a12,
76d16fc15d7826de'
'd13d4d66cf6af6e3,
99bf9dfedfdee22b'
'1921459849e542a3,
062a43fb9a50135e'
'ac61035ed6df4090,
e196a16c098febae'
'b1e896bbabe8d98c,
8b3049b2f741bfa5'
'7b16686e4fecb66f,
7c981c49f488bd25'
'10019523f9fbd4f6,
4e0bbf65b8554615'
'1a6eeac51644ca10,
8e74724bc185a71c'
'9f26513f5265a4c2,
e677ec380cea92a9'
'2feba20383d3cc3d,
101adc252bd18407'
'ac7e47f885635821,
76c8edefdcb1f1c8'
'5c24ee9f5cba8feb,
d2b87c22199b6a45'
'8faf99f43aeabbbc,
6055bbd692445032'
'251ba023f30c56e5,
d9d20b84dcc9d457'
'9f7941475684fb46,
684ffe7d6f9f62ad'
'fd674b83cb66f66b,
c28f8bf0a9d7bfb8'
'75c5b29e048fb8de,
2586a1d78a521f11'
'b04cb2e6318b551a,
1c7e4219ddd5de76'
'079125c38314e378,
8220e1c96f3c4641'
'6352dc9dc5a8a467,
e005fff772e19b01'
'e39077471a72a21b,
0d124fc2ee0e6f16'
'd9a54146752de389,
56832d59e63f6e9a'
'35bf2fae634a2ebd,
36d5e2c0b7fd2dd3'
'bcebb1005c6a4585,
11dd6736ab8da036'
'4aa7f884aeafb3d5,
4f1780bac6fd7d8a'
'22aedd905c47a7da,
91e0fc252fac78d4'
'c3afb8c08e1516a0,
521660c13c3f98ac'
'22db9e1f7529484d,
0f2cdfc202378f3c'
'427455c976aed8c0,
5c3b24b6f82b1038'
'fc94536cb252debc,
6d47fb377c42e1bc'
'5e2fe09a893f4d2a,
f915a7b9693ce534'
'b7ae0fac6733a81d,
5659927ac4b2f932'
'8ef7c0a2e67c3a03,
7bb0b71835ed6962'
'95d049bed0eb97ae,
fed31308a5da40df'
'999b69fc12696d5a,
6a318faa76d21504'
'196bea5a7cb5c72b,
6222726dac4a6443'
'b5633b0ee80b001e,
e7802c64c45b6498'
'1dee4d43c5600840,
297ddfaca326f86c'
'7718639785de3f1e,
d78fbd5eb88fcce0'
'6fae60ac31c476f4,
7bfbb90686585bf7'
'f9feef0849f299bd,
edec9feaec45d803'
'4dc9f0249098c82e]
d18d80b0e809ef47')

These sets are compared and any executables that are in APT1 hashes are returned

I [9: at_e_ititreto(eoyeeualsM5stls)
n 2] p1stls.nescinmmr_xctbe_D_e_it

Ot2] st[)
u[9: e(]

.

.

.

Comparing MD5 APT1 Hashes against files

"To denote the identity of a malicious binary or executable, analysts often use cryptographic hashing, which computes a hash value on a block of data, such that an
accidental or intentional change to the data will change the hash value...Fuzzy hashes and other block/rolling hash methods provide a continuous stream of hash values
for a rolling window over the binary. These methods produce hash values that allow analysts to assign a percentage score that indicates the amount of content that the
two files have in common. A recent type of fuzzy hashing, known as context triggered piecewise hashing, has gained enormous popularity in malware detection and
analysis in the form of an open-source tool called ssdeep." http://blog.sei.cmu.edu/post.cfm/fuzzy-hashing-techniques-in-applied-malware-analysis

127.0.0.1:8888/6f10bc63-098a-499f-bd64-38e40467f465/print 7/11


Compare MD5 to Whitelisted MD5s

I [] !pnht:/w.slns.o/onod.t
n : oe tp/wwnr.itgvDwlashm

Compare MD5 to Blacklisted MD5s

I [] !pnht:/iusaecmhse/
n : oe tp/vrshr.o/ahs

.

.

.

Moar Reading on Fuzzy Hashing

I [5: !pnht:/hethuhscm21/12/oi-awr-rp-hoyadfzyhse/
n 3] oe tp/tratogt.o/030/8kngmlaegahter-n-uz-ahs

I [6: !pnht:/sepsucfrent
n 3] oe tp/sde.oreog.e/

I [7: !pnht:/eskrbu.o/rsnain/ds0.d
n 3] oe tp/jseonlmcmpeettoscfl7pf

.

.

.

Volatility Labs - Month of Volatility Plugins

I [] !pnht:/oaiiylb.lgptc/020/op1-oo-esospoessadhm
n 3: oe tp/vltlt-asboso.a21/9mv-1lgnssin-rcse-n.tl

.

.

.

127.0.0.1:8888/6f10bc63-098a-499f-bd64-38e40467f465/print 8/11


Paper of Android Memory Analysis with Volatility

I [] !pnht:/optrfrnissn.r/umtacie/02adodmn-edn-eoyaqiiinadaayi-ihlm-n-
n 5: oe tp/cmue-oesc.asogsmi-rhvs21/nri-idraigmmr-custo-n-nlsswt-iead

.

.

.

Tool for monitoring installation routines of programs

I [] !pnht:/w.atucmisalto-oio.h
n 9: oe tp/wwmra.o/ntlainmntrpp

.

.

.

.

I [4: HM(<faeschts/vltlt.ogeoecmsnbace/cdtedc/ne.tlwdh10 hih=0 /fae"
n 3] TL"irm r=tp:/oaiiygolcd.o/v/rnhssuet/osidxhm it=00 egt40 irm>)

Ot3]
u[4:

Volatility Technology Preview Documentation.
1. Tutorial
2. User Manual
a. The Pmem Memory acquisition suite
3. Developer Information
4. References and Further Information

Last updated 20121115 10:38:39 CET

.

127.0.0.1:8888/6f10bc63-098a-499f-bd64-38e40467f465/print 9/11


.

.

Cuckoobox, Volatility, Yara Video on YouTube

I [1: Yuueie(d"xnTuA" wdh60 hih=0)
n 1] oTbVdoi=mGjlfA, it=0, egt40

Ot1]
u[1:

.

.

.

Awesome Potential of Visualization for memory space and processes

I [0: !pnht:/itrs.o/i/53604203/
n 1] oe tp/pneetcmpn918188646

.

.

.

Books over blogs

127.0.0.1:8888/6f10bc63-098a-499f-bd64-38e40467f465/print 10/11


I [] !pnht:/itrs.o/agebt/
n 7: oe tp/pneetcmdnleis

.

.

.

Awesome Team Responsible for Volatility

I [] !pnhts/cd.ogecmpvltlt/iiVltltTa
n 4: oe tp:/oegol.o//oaiiywk/oaiiyem

127.0.0.1:8888/6f10bc63-098a-499f-bd64-38e40467f465/print 11/11

Learning iPython Notebook Volatility Memory Forensics

Recomendados

Recomendados

Mais conteúdo relacionado

Mais procurados

Mais procurados (7)

Semelhante a Learning iPython Notebook Volatility Memory Forensics

Semelhante a Learning iPython Notebook Volatility Memory Forensics (20)

Mais de Vincent Ohprecio

Mais de Vincent Ohprecio (7)

Último

Último (20)

Learning iPython Notebook Volatility Memory Forensics