Posts

Showing posts from January, 2018

Fun with Flags - Sans Holiday Hack 2017 Challenge 1

Read Time: 10 Minutes

Through the course of a year I participate in a number of Cyber Security Capture the Flag (CTF) events. So in this post, and others titled "Fun with Flags", I plan to document how I solved the different challenges that were presented. To keep the blog light I will narrate only one challenge at a time. It is important to blog about this topic since CTFs allow DFIR professionals to experience new challenges. These challenges require the skills they already have, but the content might not match their day-to-day challenges on the job.

Figure 1: Fun with Flags Staarfaenger

At the end of each year (since 2010?), SANS hosts their Holiday Hack Challenge. These challenges so far have had a Christmas theme wrapped around them. During the 2017 Holiday Hack Challenge nine major questions were posed to participants. I will scope the content of this post to the console challenges and hacking. The content will derive from the following question po

VBN File Analysis - Decrypting for the Masses

Read Time: 5 Minutes

In 2012, Hexacorn Ltd posted a couple of blog posts on their website about decrypting VBN files: the original post and a second post. In their original research, the team at Hexacorn Ltd identified that "...Symantec's VBN files can be encrypted not only with 0x5A, but also 0xA5...". In their later post they disclosed that the encrypted content is separated by a "...5 byte 'chunk divider' in a form of 0xF6 0x?? 0x?? 0xFF 0xFF. So, to reconstruct the encrypted Quarantine files, one needs to decrypt them with 0xA5 first and then remove the chunk dividers...". Both are valuable insights that I can confirm should be observed when decrypting VBN files.

For 2018, here are a few more insights into the data structures and analysis considerations for decrypting VBN files:

- The first 388 bytes are reserved for the original directory and filename of the quarantined file.
- The next 2052 bytes contain metadata regarding the detection, including: hostna