Posts

Showing posts with the label GREM

Digital Forensics Applied to Kubernetes - Enhancing Intruder Dilemma Part III

Read Time: 5 Minutes
Continuing to share the research I started last year, I am releasing my slide deck for "Digital Forensics Applied to K8S", and the presentations of it can be found here. I plan to continue to release content that addresses forensic analysis of containerization-related technology and eventually relate that back to full CI/CD forensic analysis. The release list as of now looks like this: Docker Forensics*, Malicious Container Analysis*, K8S Forensics*, SAAS Containerization Forensics, CI/CD Forensics. Stay tuned for more content and leave your suggestions below!

Reverse Engineering Methodology Applied to Containers - Enhancing Intruder Dilemma Part II

Read Time: 5 Minutes
Continuing to share the research I started last year, I am releasing my slide deck for "REM(Containers) - The real Xanthe". I just presented on this and plan to continue to release content that addresses forensic analysis of containerization-related technology and eventually relate that back to full CI/CD analysis. The release list as of now looks like this: Docker Forensics*, Malicious Container Analysis*, K8S Forensics, SAAS Containerization Forensics, CI/CD Forensics. Stay tuned for more content and leave your suggestions below!

REM(Mach-O) - From Bad Apples to Turning Jues to Wine

Read Time: 5 Minutes
During 2019, I worked on several presentations for my local community. After much work, we felt one of the presentations, called "REM(Mach-O) Looking at Bad Apples", might be ready for public consumption after sharing it in my local DEFCON community, DC706. You can see my community's pre-screening of the content here. I selected Atlanta B-SIDES 2020 and created a new cut of the content titled "REM(Mach-O) Turning Jues to Wine". I also updated a Mac OS X Reversing Quick Reference for attendees who were interested in building on the private learning that I was going to share. Since the content was never presented, I wanted to take the time to at least release the material via blog post so it was generally available. I am looking forward to building some new content before 2020 ends and hopefully presenting something fun in 2021! Please leave comments if you have questions, of course.

Fun with Flags - Sans Holiday Hack 2017 Challenge 2

Read Time: 15 Minutes
Keeping to the "Fun with Flags" theme, this post will demonstrate how I solved the second challenge of the SANS Holiday Hack 2017. Building on my last post, which dealt specifically with Challenge 1, I will follow the same roadmap by focusing on console challenges and any hacking required to answer/capture the relevant flags.
Figure 1: Fun with Flags Staarfaenger
For Challenge 2 the following question is posed: "Investigate the Letters to Santa application at https://l2s.northpolechristmastown.com. What is the topic of The Great Book page available in the web root of the server? What is Alabaster Snowball's password?". The hint "...hints associated with this challenge, Sparkle Redberry in the Winconceivable: The Cliffs of Winsanity Level can provide some tips." is provided. So, heading over to the challenge, we try to locate our first terminal, as seen in Figure 2: Finding the Second Terminal.
Figure 2: Finding t...

VBN File Analysis - Decrypting for the Masses

Read Time: 5 Minutes
In 2012, Hexacorn Ltd posted a couple of blogs on their website about decrypting VBN files: the original post and a second post. The team at Hexacorn Ltd identified that "...Symantec’s VBN files can be encrypted not only with 0x5A, but also 0xA5..." in their original research. In their later posting they disclosed that the encrypted data is separated by a "...5 byte ‘chunk divider’ in a form of 0xF6 0x?? 0x?? 0xFF 0xFF. So, to reconstruct the encrypted Quarantine files, one needs to decrypt them with 0xA5 first and then remove the chunk dividers...". Both are valuable insights that I can confirm should be observed in the decryption of VBN files. For 2018, here are a few more insights into the data structures and analysis considerations for decrypting VBN files: The first 388 bytes are reserved for the original directory and filename of the quarantined file. The next 2052 bytes contain metadata regarding the detection...

Doppelgänging and Digital Forensic Analysis

Read Time: 10 Minutes
Recently, Catalin Cimpanu released an article about a new process hollowing technique named Doppelgänging. The highlights of the article include undocumented features of the Microsoft Windows operating system, the inability of antivirus to scan NTFS transactions, and that it "...cannot be patched since it exploits fundamental features and the core design of the process loading mechanism in Windows". The article further discloses that BlackHat EU would be releasing the presentation. So I found the PowerPoint of the presentation, titled Lost in Transaction: Process Doppelgänging, which reveals the API calls and some interesting assertions by the researchers. You can find additional information about NTFS Transactions on the Microsoft Developer Network (MSDN), which shows some basic information regarding the API calls referenced in the presentation. The sequence of API calls according to the presentation is as fo...

First Post and Review of The Need for Pro-active Defense and Threat Hunting Within Organizations

Read Time: 5 Minutes
Welcome to my first blog post! I thought I would start off the blog by sharing thoughts on publicly available content on security topics that are of interest. Recently I viewed Andrew Case's The Need for Pro-active Defense and Threat Hunting Within Organizations, posted by Adrian Crenshaw from the archive of recordings of presentations performed at BSides Tampa in 2015. This video highlights contemporary considerations with respect to hostile third parties, comprised of professionals that operate with a thought-out tradecraft, who are motivated to break into an organization via their IT infrastructure. Generally speaking, the modern enterprise is faced with the Defender's Dilemma, blogged about by Richard Bejtlich, in which alert-centric security analytics fails to address in a timely manner the risk posed by these hostile third parties. Andrew Case's presentation addresses this by delving into Thr...