Posts

Showing posts with the label FIRSTRESPONSE

Knowledge Sharing and Research @ RE+DFIR101 Github

Read Time: 5 Minutes

In the spirit of this blog, this is a quick post pointing those interested in learning some basics around Reverse Engineering, Digital Forensics, and Incident Response (RE+DFIR) to my RE+DFIR101 Github. I will continue to update the content there with research and practical exercises that would-be RE+DFIR practitioners can take advantage of. Please leave comments below; I look forward to sharing more of the experiences I have on the daily with my readership.

References: Peter Staarfaenger. RE+DFIR101 Github. "Fun with Flags". https://citizenstaar.github.io/scar/

Fun with Flags - Sans Holiday Hack 2017 Challenge 2

Read Time: 15 Minutes

Keeping to the "Fun with Flags" theme, this post will demonstrate how I solved the second challenge of the SANS Holiday Hack 2017. Building on my last post, which dealt specifically with Challenge 1, I will follow the same roadmap by focusing on the console challenges and any hacking required to answer/capture the relevant flags.

Figure 1: Fun with Flags Staarfaenger

For Challenge 2 the following question is posed: "Investigate the Letters to Santa application at https://l2s.northpolechristmastown.com. What is the topic of The Great Book page available in the web root of the server? What is Alabaster Snowball's password?" The hint provided is: "...hints associated with this challenge, Sparkle Redberry in the Winconceivable: The Cliffs of Winsanity Level can provide some tips." So, heading over to the challenge, we try to locate our first terminal, as seen in Figure 2: Finding the Second Terminal.

Figure 2: Finding t...

VBN File Analysis - Decrypting for the Masses

Read Time: 5 Minutes

In 2012, Hexacorn Ltd posted a couple of blogs on their website about decrypting VBN files: the original post and a second post. In the original research the team at Hexacorn Ltd identified that "...Symantec’s VBN files can be encrypted not only with 0x5A, but also 0xA5...". Their later posting disclosed that the encrypted content is separated by a "...5 byte ‘chunk divider’ in a form of 0xF6 0x?? 0x?? 0xFF 0xFF. So, to reconstruct the encrypted Quarantine files, one needs to decrypt them with 0xA5 first and then remove the chunk dividers...". Both are valuable insights that I can confirm should be observed when decrypting VBN files. For 2018, here are a few more insights into the data structures and analysis considerations for decrypting VBN files:

- The first 388 bytes are reserved for the original directory and filename of the quarantined file
- The next 2052 bytes contain metadata regarding the detection...
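The recovery steps quoted above (XOR the quarantined content with 0xA5, then strip the 0xF6 0x?? 0x?? 0xFF 0xFF chunk dividers) together with the 388-byte path field and 2052-byte metadata field, as an added Python example that is neither the author's tool nor Hexacorn's code. It assumes the path and metadata fields sit in plaintext ahead of the XOR-encrypted body, that the dividers are visible in the decrypted stream as the quote states, and it uses a few common file magics only as a heuristic to pick between the 0x5A and 0xA5 keys. The VBN-like blob it parses is constructed inline by `build_sample_vbn` and is not a real Symantec artifact.

```python
"""Decrypt a Symantec VBN-style quarantine body: XOR with a one-byte key, then
strip the 5-byte chunk dividers described by Hexacorn. Illustrative code, not
the blog author's or Hexacorn's tool; layout assumptions are noted inline."""

import re
from dataclasses import dataclass
from typing import Optional, Sequence

# Field sizes stated in the post. That these two fields are stored in
# plaintext ahead of the encrypted body is an assumption of this example.
PATH_FIELD_LEN = 388
META_FIELD_LEN = 2052
BODY_OFFSET = PATH_FIELD_LEN + META_FIELD_LEN  # 2440

# Hexacorn's divider: 0xF6 ?? ?? 0xFF 0xFF, matched in the decrypted stream.
DIVIDER_RE = re.compile(rb"\xF6..\xFF\xFF", re.DOTALL)

# Keys reported by Hexacorn: 0x5A on older samples, 0xA5 on newer ones.
KNOWN_KEYS = (0xA5, 0x5A)

# File magics used purely as a heuristic to choose the key (assumption:
# the quarantined content starts with one of these).
MAGICS = (b"MZ", b"PK\x03\x04", b"%PDF", b"\x7fELF")


@dataclass
class VbnRecord:
    original_path: str
    metadata: bytes
    key: int
    content: bytes


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR; the operation is its own inverse."""
    return bytes(b ^ key for b in data)


def strip_dividers(data: bytes) -> bytes:
    """Remove every 5-byte 0xF6 ?? ?? 0xFF 0xFF sequence from the decrypted body."""
    return DIVIDER_RE.sub(b"", data)


def decrypt_body(body: bytes, key: int) -> bytes:
    """Decrypt first, then remove dividers, in the order Hexacorn describes."""
    return strip_dividers(xor_bytes(body, key))


def guess_key(body: bytes, keys: Sequence[int] = KNOWN_KEYS) -> Optional[int]:
    """Try each candidate key on the first bytes and keep the one yielding a known magic."""
    for key in keys:
        if xor_bytes(body[:8], key).startswith(MAGICS):
            return key
    return None


def parse_vbn(blob: bytes, key: Optional[int] = None) -> VbnRecord:
    """Split a VBN-like blob into path, metadata and decrypted content."""
    if len(blob) < BODY_OFFSET:
        raise ValueError(f"blob too short: {len(blob)} bytes, need at least {BODY_OFFSET}")
    path_field = blob[:PATH_FIELD_LEN]
    original_path = path_field.split(b"\x00", 1)[0].decode("latin-1")
    metadata = blob[PATH_FIELD_LEN:BODY_OFFSET]
    body = blob[BODY_OFFSET:]
    if key is None:
        key = guess_key(body)
        if key is None:
            raise ValueError("could not determine XOR key from known magics")
    return VbnRecord(original_path, metadata, key, decrypt_body(body, key))


def build_sample_vbn(path: str, content: bytes, key: int = 0xA5) -> bytes:
    """Construct a synthetic VBN-like blob for testing; not a real Symantec file.
    One divider is planted in the plaintext before the body is XOR-encrypted."""
    path_field = path.encode("latin-1").ljust(PATH_FIELD_LEN, b"\x00")
    meta_field = b"\x00" * META_FIELD_LEN  # constructed placeholder metadata
    half = len(content) // 2
    plain = content[:half] + b"\xF6\x12\x34\xFF\xFF" + content[half:]
    return path_field + meta_field + xor_bytes(plain, key)


if __name__ == "__main__":
    sample = b"MZ" + b"\x90" * 20 + b"This program cannot be run"  # constructed
    blob = build_sample_vbn(r"C:\Users\alice\Downloads\evil.exe", sample)
    rec = parse_vbn(blob)
    print(f"path={rec.original_path!r} key=0x{rec.key:02X} content={rec.content!r}")
```

Matching the divider purely by pattern can also delete a legitimate 5-byte run inside the payload; once the meaning of the two unknown bytes is confirmed against real samples, use them to step to each divider instead of regex-scanning the whole stream, and verify the recovered file by its hash rather than by eye.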

First Post and Review of The Need for Pro-active Defense and Threat Hunting Within Organizations

Read Time: 5 Minutes

Welcome to my first blog post! I thought I would start off the blog by sharing thoughts on publicly available content on security topics that are of interest. Recently I viewed Andrew Case's The Need for Pro-active Defense and Threat Hunting Within Organizations, posted by Adrian Crenshaw from the archive of recordings of presentations given at BSides Tampa in 2015. This video highlights contemporary considerations with respect to hostile third parties, comprised of professionals who operate with a thought-out tradecraft and who are motivated to break into an organization via its IT infrastructure. Generally speaking, the modern enterprise is faced with the Defender's Dilemma, blogged about by Richard Bejtlich, in which alert-centric security analytics fails to address in a timely manner the risk posed by these hostile third parties. Andrew Case's presentation addresses this by delving into Thr...