Posts

Doppelgänging and Digital Forensic Analysis - Part Deux

Read Time: 15 Minutes

On the 17th of December 2017, I wrote a blog post reacting to a Black Hat EU 2017 presentation on a new process hollowing technique named Doppelgänging. The original presentation from Black Hat (BH) EU 2017 can now be found on YouTube, to be seen in its full glory. At the time I did not have proof of concept (POC) code, and just a day later Hasherzade wrote some POC code and blogged about it.

Figure 1: Doppelgänging Conceptual Model

Leveraging his code, I took a stab at seeing what I could find based on the observations I made in my blog post, and at using current memory analysis techniques to see what other indicators I could spot. In my blog post I cited references from the original presentation at BH EU 2017 that included looking at the Windows executive object "FILE_OBJECT" and the attribute "ImageFilePointer". I also remarked that the NTFS $LogFile would give some valuable clues. Looking at the "FILE_OBJ...

Knowledge Sharing and Research @ RE+DFIR101 Github

Read Time: 5 Minutes

In the spirit of this blog, this is a quick post pointing those interested in learning some basics around Reverse Engineering, Digital Forensics, and Incident Response (RE+DFIR) to check out my RE+DFIR101 Github. I will continue to update the content there to include research, or practical exercises, that would-be RE+DFIR practitioners can take advantage of. Please leave comments below; I look forward to sharing more of the experiences I have on the daily with my readership.

References

Peter Staarfaenger. RE+DFIR101 Github. "Fun with Flags". https://citizenstaar.github.io/scar/

Fun with Flags - SANS Holiday Hack 2017 Challenge 2

Read Time: 15 Minutes

Keeping to the "Fun with Flags" theme, this post will demonstrate how I solved the second challenge of the SANS Holiday Hack 2017. Building on my last post, which dealt specifically with Challenge 1, I will follow the same roadmap by focusing on the console challenges and any hacking required to answer/capture the relevant flags.

Figure 1: Fun with Flags Staarfaenger

For Challenge 2 the following question is posed: "Investigate the Letters to Santa application at https://l2s.northpolechristmastown.com. What is the topic of The Great Book page available in the web root of the server? What is Alabaster Snowball's password?". The hint provided reads: "...hints associated with this challenge, Sparkle Redberry in the Winconceivable: The Cliffs of Winsanity Level can provide some tips." So, heading over to the challenge, we try to locate our first terminal, as seen in Figure 2: Finding the Second Terminal. Figure 2: Finding t...

Fun with Flags - SANS Holiday Hack 2017 Challenge 1

Read Time: 10 Minutes

Through the course of a year I participate in a number of cyber security Capture the Flag (CTF) events. So in this post, and others titled "Fun with Flags", I plan to capture how I solved the different challenges that are presented. To keep the blog light I will narrate only one challenge at a time. It is important to blog about this topic since CTFs allow DFIR professionals to experience new challenges. These challenges require the skills they already have, but the content might not match their day-to-day challenges on the job.

Figure 1: Fun with Flags Staarfaenger

At the end of each year (since 2010?), SANS hosts its Holiday Hack Challenge. These challenges have so far had a Christmas theme wrapped around them. During the 2017 Holiday Hack Challenge, nine major questions were posed to participants. I will scope the content of this post to the console challenges and hacking. The c...