Posts

Reverse Engineering Methodology Applied to Containers - Enhancing Intruder Dilemma Part II

Read Time: 5 Minutes

Continuing to share the research I started last year, I am releasing my slide deck for "REM(Containers) - The real Xanthe". I just presented on this and plan to continue to release content that addresses forensic analysis of containerization-related technology and eventually relating that back to full CI/CD analysis. The release list as of now looks like this:

Docker Forensics*
Malicious Container Analysis*
K8S Forensics
SAAS Containerization Forensics
CI/CD Forensics

Stay tuned for more content and leave your suggestions below!

Digital Forensics Applied to Containers - Enhancing Intruder Dilemma Part 1

Read Time: 5 Minutes

In 2020, I worked on several efforts that ranged from malware targeting Mac OS X to cloud forensics. For the remainder of 2021 I will be releasing the results of my research, and I am leading with the release of my efforts on containerization forensics, which is embodied in my talk "Digital Forensics Applied to Containers: Enhancing Intruder Dilemma". See a video of the original presentation at dc706, the most recent presentation at issacolga, the latest presentation slides, and a Docker forensic cheatsheet. Stay tuned for more content and leave your suggestions below!

REM(Mach-O) - From Bad Apples to Turning Jues to Wine

Read Time: 5 Minutes

During 2019, I worked on several presentations for my local community. After much work, one of the presentations, called "REM(Mach-O) Looking at Bad Apples", we felt might be ready for public consumption after sharing it in my local DEFCON community, DC706. You can see my community's pre-screening of the content here. I selected Atlanta B-SIDES 2020 and created a new cut of the content titled "REM(Mach-O) Turning Jues to Wine". I also updated a Mac OS X Reversing Quick Reference for attendees who were interested in building on the private learning that I was going to share. Since the content was never presented, I wanted to take the time to at least release the material via blog post so it was generally available. Looking forward to building some new content before 2020 ends and hopefully presenting something fun in 2021! Please leave comments if you have questions, of course.

Reliable Windows Kernel Debugging on a Mac

Read Time: 5 Minutes

During the process of conducting malware analysis or software vulnerability analysis, it is sometimes a necessity to perform Windows kernel debugging. What has not been working reliably on Mac OS X was VMware Fusion with a Windows guest set up with debugging enabled over serial. What did work reliably is enabling a Windows guest with VT-x and then, within that guest, hosting a secondary Windows guest configured for kernel debugging. An example of this includes configuring the processor correctly on the Fusion guest to enable support of virtualization, started by opening the hardware settings for the debugging client with ⌘E, bringing you to the screen in Figure 1.

Figure 1: Select Processors and Memory

Within your Processor and Memory settings you want to do the following:
1. Provision enough resources for the host to function and to be able to allocate a secondary Windows guest with an appropriate amount of resources for the task.
2. ...

Fun with Flags - Sans Holiday Hack 2017 Challenge 3

Read Time: 10 Minutes

Keeping to the "Fun with Flags", this post will demonstrate how I solved the third challenge for the SANS Holiday Hack 2017. Building on the content in my last couple of posts (see Challenge 1 and Challenge 2), I demonstrate how the Console Challenge was solved and any hacking required to capture the actual flag.

Figure 1: Fun with Flags Staarfaenger

For Challenge 3 the following question is posed: "The North Pole engineering team uses a Windows SMB server for sharing documentation and correspondence. Using your access to the Letters to Santa server, identify and enumerate the SMB file-sharing server. What is the file server share name?" The hint "...please see Holly Evergreen in the Cryokinetic Magic Level" is provided. So heading over to the challenge we try to locate our first terminal, which can be seen in Figure 2: Finding the Third Terminal.

Figure 2: Finding the Third Terminal

After a left click y...

Doppelgänging and Digital Forensic Analysis - Part Deux

Read Time: 15 Minutes

On the 17th of December 2017, I wrote a blog post reacting to a Blackhat 2017 EU presentation on a new process hollowing technique named Doppelgänging. The original presentation from Blackhat (BH) EU 2017 can now be found on YouTube to be seen in its full glory. At the time I did not have proof of concept (POC) code, and just a day later Hasherezade wrote some POC code / blogged about it.

Figure 1: Doppelgänging Conceptual Model

Leveraging his code I took a stab to see what I could find based on the observations I made in my blog post, and leveraging current memory analysis techniques to see what other indicators I could spot. In my blog post I cited references from the original presentation at BH EU 2017 that included looking at the Windows executive object "FILE_OBJECT" and the attribute "ImageFilePointer". Also, I remarked that the NTFS $LogFile would give some valuable clues. Looking at the "FILE_OBJ...

Knowledge Sharing and Research @ RE+DFIR101 Github

Read Time: 5 Minutes

In the spirit of this blog, this is a quick post pointing those interested in learning some basics around Reverse Engineering, Digital Forensics, and Incident Response (RE+DFIR) to check out my RE+DFIR101 Github. I will continue to update the content there to include research, or practical exercises, that would-be RE+DFIR practitioners can take advantage of. Please leave comments below, and I look forward to sharing more experiences that I have on the daily with my readership.

References
Peter Staarfaenger. RE+DFIR101 Github. "Fun with Flags". https://citizenstaar.github.io/scar/