Digital First Response

Read Time: 15 Minutes On 17th of December 2017, I wrote a blog post reacting to Blackhat 2017 EU presentation on a new Process Hollowing Technique named  Doppelgänging .   The original presentation from Blackhat (BH) EU 2017 can now be found on youtube to be seen it's full glory.  At the time I did not have proof of concept (POC) code and just a day later Hasherzade wrote some POC  code / blogged about it. Figure 1:  Doppelgänging  Conceptual Model Leveraging his code I took a stab to see what I could find based on the observations I made in my blog post and leveraging current memory analysis techniques to see what other indicators I could spot.  From my blog post I cited references from the original presentation, at BH EU 2017, that included looking at the windows executive object "FILE_OBJECT" and the attribute "ImageFilePointer".  Also, I remarked that the NTFS $LogFile would give some valuable clues. Looking at the "FILE_OBJ...

Read Time: 5 Minutes In the spirit of this blog, this a quick post pointing those interested in learning some basics around  Reverse Engineering,  Digital Forensics, and Incident Response(RE+DFIR) to check out my  RE+DFIR101 Github .  I will continue to update the content there to include research, or practical exercises, that would-be RE+DFIR Practitioners can take advantage of. Please leave comments below and I look forward to sharing more experiences that I have on the daily with my readership. References Peter Staarfaenger. RE+DFIR101 Github.  "Fun with Flags".   https://citizenstaar.github.io/scar/

Read Time: 15 Minutes Keeping to the " Fun with Flags " theme, this post will demonstrate how I solved the second challenge for the SANS Holiday Hack 2017 .  Building on my last post, that dealt specifically with Challenge 1 , I will follow the same roadmap by focusing on console challenges and any hacking required to answer/capture the relevant flags. Figure 1: Fun with Flags Staarfaenger For Challenge 2 the following question is posed:  "Investigate the Letters to Santa application at https://l2s.northpolechristmastown.com . What is the topic of The Great Book page available in the web root of the server? What is Alabaster Snowball's password?". The "...hints associated with this challenge, Sparkle Redberry in the Winconceivable: The Cliffs of Winsanity Level can provide some tips." is provided.  So heading over to the challenge we try to locate our first terminal as seen in  Figure 2: Finding the SecondTerminal. Figure 2: Finding t...