Thursday, December 15, 2011

Attack the Kill Chain MindMap

If we look at the past 12 months it hardly seems a day goes by, whereby a news article is posted of an attack or compromise.

These range from small family businesses trying to gain an online advantage (especially in todays climate) to large scale businesses which provide services which impact our everyday life.

In 2009 Mike Cloppert posted Security Intelligence: Attacking the Kill Chain the article was an excellent example of foresight (And from someone deep in the trenches).
The article was part of a series on Security Intelligence which I feel has even more importance as we come to an end of 2011.

I’m not really big on predictions, but i will make this one.

I guarantee that more articles will be written in 2012 which describe online attacks.(Fairly certain this will be a safe bet).

As an Industry we need to stop using the old Ostrich approach and “bury our heads in the sand”. The attacks are going to come, lets try and find a way to deal with them through being open and sharing the experience of how the compromise occurred.

“Defence in Depth” is not just about multiple layers of technology, its also about Knowledge Sharing, if i know what to look for its also my duty to pass that on so others can prevent the same mistake\compromise from happening.

I have produced a Mindmap of what I feel are the key points of the article. The Mindmap is based on my interpretation of the original article.

Please read the original article, if you work in the Information Security space try to incorporate  them in to your everyday life.

A higher resolution image can be found here

Tuesday, May 31, 2011

Volatility Script for Windows

Well I've decided to make more of an effort to use my blog.

First article will be a a new windows based volatility script I've developed based on the one from lg's blog (

There are few prerequisites, just follow the instructions on the Volatility Wiki site:

The report also makes use of the script from
just download the plugin and drop the file in the plugins directory.

Make sure all your environment variables have been set up for Python and Perl (Instructions can be found on numerous sites ).

Drop the batch file into the volatility directory and make sure you update the following:

Your Case Directory and dumps directory, this can be where ever you like on your machine.
  • mkdir C:\Forensics\Training\Images\mem\%yyyy%%mm%%dd%
  • mkdir C:\Forensics\Training\Images\mem\%yyyy%%mm%%dd%\dumps
You should also check and set-up the following:

set VOLDIR="C:\Forensics\vol\vol1.4\%VOLDIR%\"
set PYTHON="C:\Python27\python.exe"
set PERL="C:\Perl\bin\perl.exe"

Running the script
I generally run the script in the following way:
  1. Open a command prompt and change directory to the volatility directory.
Next to run the script type the following, remember if the path contains spaces use quotes around the parameter.

volscript.bat <path-to-memory-dump> <name-of-report>

The script can take a while to complete but once the script has finished you will have one report which you can analyse.

That was the easy part, the hard part comes with analysing the report and identifying if the machine is compromised in some way.

Over the coming weeks I will provide more posts on analysing the output from the images hosted at Michael Hale Ligh's site:

In my opinion the Malware Analyst Cookbook has to be considered the de-facto standard when it comes to analysing malware and memory analysis, simply put you have to buy this book.

I'll periodically post updates to the script.

The script can be found here just rename the file to .bat there is also a sample report taken from the zeus sample from the Malware Cookbook site.

---Update 13/03/2012---
Added naft by Didier Stevens to automate dumping network traffic as part of the automated script.

Just download all the files and put in the same directory as and volscript remember to add to naft_pfef and naft_uf to C:\Python27\Lib

Once the pcap file has been created you can use NetWitness, Netminer or Wireshark to analyse the file.