Building a Malware Analysis Environment Using Free Tools

5 Steps to Building a Malware Analysis Toolkit Using Free Tools

Examining the capabilities of malicious software allows your IT team to better assess the nature of a security incident, and may help prevent further infections. Here's how to set up a controlled malware analysis lab—for free.




A large number of computer intrusions involve some form of malicious software (malware), which finds its way to the victim's workstation or to a server. When investigating the incident, the IT responder typically seeks to answer questions such as: What actions can the malware specimen perform on the system? How does it spread? How, if at all, does it maintain contact with the attacker? These questions can all be answered by analyzing the offending malware in a controlled environment.
A simple analysis toolkit, built from free and readily available software, can help you and your IT team develop the skills critical to responding to today's security incidents. The steps below will help get you started. We'll focus on malware analysis in a Windows environment, since that platform is particularly popular among malware authors.

Step 1: Allocate physical or virtual systems for the analysis lab

A common approach to examining malicious software involves infecting a system with the malware specimen and then using the appropriate monitoring tools to observe how it behaves. This requires a laboratory system you can infect without affecting your production environment.
The most popular and flexible way to set up such a lab system involves virtualization software, which allows you to use a single physical computer for hosting multiple virtual systems, each running a potentially different operating system. Free virtualization software options include:
Running multiple virtual systems simultaneously on a single physical computer is useful for analyzing malware that seeks to interact with other systems, perhaps for leaking data, obtaining instructions from the attacker, or upgrading itself. Virtualization makes it easy to set up and use such systems without procuring numerous physical boxes.
Another useful feature of many virtualization tools is the ability to take instantaneous snapshots of the laboratory system. This way, you can record the state of the system before you infect it, and revert to the pristine environment with a click of a button at the end of your analysis.
If using virtualization software, install as much RAM into the physical system as you can, as the availability of memory is arguably the most important performance factor for virtualization tools. In addition, having a large hard drive will allow you to host many virtual machines, whose virtual file systems typically are stored as files on the physical system's hard drive.
Because malware may detect that it's running in a virtualized environment, some analysts prefer to rely on physical, rather than virtual, machines for implementing laboratory systems. Your old and unused PCs or servers can make excellent systems for your malware-analysis lab, which usually doesn't need high-performing CPUs or highly redundant hardware components.
To allow malware to reach its full potential in the lab, laboratory systems typically are networked with each other. This helps you observe the malicious program's network interactions. If using physical systems, you can connect them with each other using an inexpensive hub or a switch.

Step 2: Isolate laboratory systems from the production environment

You must take precautions to isolate the malware-analysis lab from the production network, to mitigate the risk that a malicious program will escape. You can separate the laboratory network from production using a firewall. Better yet, don't connect laboratory and production networks at all, to avoid firewall configuration issues that might allow malware to bypass filtering restrictions.
If your laboratory network is strongly isolated, you can use removable media to bring tools and malware into the lab. It's best to use write-once media, such as CDs, to prevent malicious software from escaping the lab's confines by writing itself to a USB key. If using a USB key, which is more convenient than a CD, get a model that includes a physical write-protect switch.
Some malware-analysis scenarios benefit from the lab being connected to the internet. Avoid using the production network for such connectivity. If possible, provision a separate, and usually inexpensive, internet connection, perhaps by dedicating a DSL line to this purpose. Avoid keeping the lab connected to the internet all the time to minimize the chance of malware in your lab attacking someone else's system on the internet.
If virtualizing your lab, be sure to keep up with security patches released by the virtualization-software vendor. Such software may have vulnerabilities that could allow malware to escape from the virtual system you infected and onto the physical host. Furthermore, don't use the physical machine that's hosting your virtualized lab for any other purpose.

Step 3: Install behavioral analysis tools

Before you're ready to infect your laboratory system with the malware specimen, you need to install and activate the appropriate monitoring tools. Free utilities that will let you observe how Windows malware interacts with its environment include:
  • File system and registry monitoring: Process Monitor and Capture BAT offer a powerful way to observe in real time how local processes read, write, or delete registry entries and files. These tools can help you understand how malware attempts to embed into the system upon infection.
  • Process monitoring: Process Explorer and Process Hacker replace the built-in Windows Task Manager, helping you observe malicious processes, including local network ports they may attempt to open.
  • Network monitoring: Wireshark and SmartSniff are network sniffers, which can observe laboratory network traffic for malicious communication attempts, such as DNS resolution requests, bot traffic, or downloads.
  • Change detection: Regshot is a lightweight tool for comparing the system's state before and after the infection, to highlight the key changes malware made to the file system and the registry.
Behavioral monitoring tools can give you a sense for the key capabilities of malicious software. For further details about its characteristics, you may need to roll up your sleeves and perform some code analysis.

Step 4: Install code-analysis tools

Examining the code that comprises the specimen helps uncover characteristics that may be difficult to obtain through behavioral analysis. In the case of a malicious executable, you rarely will have the luxury of access to the source code from which it was created. Fortunately, the following free tools can help you reverse compiled Windows executables:
  • Disassembler and debugger: OllyDbg and IDA Pro Freeware can parse compiled Windows executables and, acting as disassemblers, display their code as Intel x86 assembly instructions. These tools also have debugging capabilities, which allow you to execute the most interesting parts of the malicious program slowly and under highly controlled conditions, so you can better understand the purpose of the code.
  • Memory dumper: LordPE and OllyDump help obtain protected code located in the lab system's memory and dump it to a file. This technique is particularly useful when analyzing packed executables, which are difficult to disassemble because they encode or encrypt their instructions, extracting them into RAM only during run-time.

Step 5: Utilize online analysis tools

To round off your malware-analysis toolkit, add to it some freely available online tools that may assist with the reverse engineering process. One category of such tools performs automated behavioral analysis of the executables you supply. These applications look similar at first glance, but use different technologies on the back end. Consider submitting your malware specimen to several of these sites; depending on the specimen, some sites will be more effective than others. Such tools include:
(You can also see a longer list of free automated malware analysis services that can examine compiled Windows executables.)
Another set of potentially useful online tools provides details about websites that are suspected of hosting malicious code. Some of these tools examine the sites you specify in real time; others provide historical information. Consider submitting a suspicious URL to several of these sites, because each may offer a slightly different perspective on the website in question:
(You can also see a longer list of free on-line tools for looking up a potentially malicious website.)

Next Steps

With your initial toolkit assembled, start experimenting in the lab with malware you come across on the web, in your e-mail box, on your systems, and so on. There are several "cheat sheets" that can help you in this process, including:
Begin analysis with the tools and approaches most familiar to you. Then, as you become more familiar with the inner workings of the malware specimen, venture out of your comfort zone to try other tools and techniques. The tools I've listed within each step operate virtually identically. Since they're all free, you should feel free to try them all. You'll find that one tool will work better than another, depending on the situation. And with time, patience, and practice, you will learn to turn malware inside out.


Analyzing Malware Using VMware

Using VMware for Malware Analysis

Even if malware analysis is not your primary occupation, once in a while you may find yourself wondering about the nature of an unfamiliar malicious executable that crosses your desk. Starting your investigation with behavioral analysis—an observation of how the specimen interacts with the file system, the registry and the network—can rapidly produce useful results. Virtualization software such as VMware is incredibly helpful in this process.




Advantage of malware analysis with VMware

VMware allows for the simulation of multiple computers running simultaneously on a single physical system. There are several advantages to this approach for behavioral malware analysis, compared to a lab built using distinct physical infrastructure components:
  • It's often beneficial to have several systems in the analysis lab, so that the malware can interact with components of the simulated Internet. With VMware, it's possible to build a multi-component laboratory without the bulk of multiple physical boxes.
  • Being able to take a snapshot of the system's state before infecting it and taking periodic snapshots throughout the analysis saves time. This functionality provides an easy means of reverting to the desired system state almost instantaneously. VMware makes this simple with its integrated snapshot feature. VMware Workstation, a commercial product, allows multiple snapshots. VMware Server, which is a free product, supports only a single snapshot. VMware Player, also free, cannot take snapshots at all.
  • VMware's host-only networking option is convenient for interconnecting virtual systems using a simulated network without additional hardware. This setup also makes it less likely that an analyst would be tempted to connect the laboratory environment to the production network. The host-only network allows any virtual system to see all traffic on the simulated network when listening in promiscuous mode. This makes monitoring the specimen's network interactions easy.

Getting started with VMware malware analysis

Preparing a VMware-based analysis laboratory is simple. You need a system with plenty of RAM and disk space that will act as the physical host. You also need the necessary software: VMware Workstation or Server, and the installation media for the OS you'll deploy in the lab.
VMware emulates the computer's hardware, so you must install the OS into each virtual host created using VMware's new Virtual Machine Wizard. Once the OS is set up, install the VMware Tools package, which optimizes the system for operating within VMware. Then install the appropriate malware analysis software.
I recommend having virtual machines with different operating systems in the lab, each representing the OS that malware is likely to target. This enables observation of malicious programs in their native environments. If using VMware Workstation, take snapshots of the virtual system at different points during the security update installation process to analyze malware at the desired patch level.

Keeping production systems safe

When dealing with malware, take precautions not to infect production systems. Such breaches can happen when handling malware improperly or when a specimen exploits a weakness in the VMware setup and escapes its sandbox. There have been several publicly announced vulnerabilities in VMware that, in theory, could allow malicious code from the virtual system to find its way onto the physical host.
Here are some suggestions for mitigating these risks:
  • Keep up with security patches from VMware.
  • Dedicate the physical host to the VMware-based lab; don't use the system for other purposes.
  • Do not connect the physical laboratory system to your production network.
  • Monitor the physical host with host-based intrusion detection (IDS) software, such as a file-integrity checker.
  • Periodically re-image the physical host using cloning software, such as Norton Ghost. If this option is too slow, look to hardware modules, such as CoreRESTORE, for undoing changes to the system's state.
One of the challenges of using VMware for malware analysis is that malicious code can detect whether it is running within a virtual system, which indicates to the specimen that it is being analyzed. If you cannot modify the specimen's code to eliminate this functionality, you can reconfigure VMware to make it stealthier. Tom Liston and Ed Skoudis last year documented several VMware .vmx file settings you can insert to accomplish this. The biggest problem with these settings is that they may slow down the virtual system's performance. Also note that they're not supported by VMware.

Virtualization options and strategy

Of course, VMware is not the only option for virtualization software you can use for malware analysis. Common alternatives include Microsoft Virtual PC and Parallels Workstation.
Virtualization software provides a convenient and time-saving mechanism for building a malware analysis environment. Just be sure to establish the necessary controls to prevent malicious software from escaping your testing environment. With a fine-tuned lab, you will be well on your way toward making the most of your malware analysis skills.




Some Malware Analysis Reports

Analyzing malware helps you understand the overall threat landscape. The next best thing to reverse-engineering malicious programs yourself is learning from other analysts’ reports.
Here are several excellent write-ups, authored by different researchers, which describe several types of malicious software:



  • Murofet exhibits file infection and password stealing abilities. Marco Giuliani at Prevx provided insightful analysis of this specimen.
  • Avzhan is a growing family of DDoS bots. Jeff Edwards at Arbor Networks offered a comprehensive overview of this family of malware.
  • Visal is an email worm that spreads links to malicious Windows executable files. It was thoroughly examined by SecureWorks.
  • The “Hottest girls on Facebook” worm uses clickjacking and social engineering to propagate. It was researched by Krzysztof Kotowicz. George Deglin examined another example of a Facebook worm.
  • A malicious PDF file can split JavaScript across several objects. An example of this technique was documented by Tamas Rudnai at Websense.
  • Attacks often combine a malicious PDF file with a Windows executable. One such incident was analyzed by Curt Wilson.
I periodically post interesting malware analysis reports from across the web on the Reverse-Engineering Malware Course page on Facebook.
If you’d like to improve your own malware report-writing skills, take a look at my earlier note What to Include in a Malware Analysis Report, which includes a mind-map template.


Reposted from
http://blog.zeltser.com/post/1358737300/malware-analysis-reports

Unstoppable Copier, a free forced-copy tool

Official site: http://www.roadkil.net/program.php/P...pable%20Copier
Download: http://www.roadkil.net/download.php?...6&ProgramID=29


This kind of software is a forced-copy tool that ignores read errors.
Similar tools include:
the commercial Bad Copy
the open-source dd_rescue

Unlike the usual professional forced-copy/clone imaging tools, which copy sector by sector,
Unstoppable Copier works from the file structure; the advantage is that it is faster.

But without sector-level copying, it cannot handle a damaged MFT.

Notes

OSSLab tested it on a completed case (as shown in the photo); after waiting 10 hours, it did produce the data.

The same 1 GB directory was recovered with PC3000 Data Extractor in 50 minutes.
PC3000 Data Extractor is actually quite costly: one port is already about NT$100,000.

General users should take note of the following.

1. The drive must be recognized and the original directory structure intact before this can be used. This is the situation where a head other than the primary head is damaged, or part of the platter is damaged.

2. If the MFT structure is damaged, it will not work; do a sector-by-sector copy first, then scan with R-Studio.

3. Never use it when the drive makes abnormal noises. That basically means the heads or motor are already damaged, and it can easily scratch the platter further.

Usage
Select the source and destination, then click Copy.



Reposted from OSSLAB

iPhone Forensics White Paper

Authors: Andrew Hoog (GCFA, CCE) and Katie Strzempka
Released: November 2010


Independent Research and Reviews of iPhone Forensic Tools
This white paper is intended for forensic analysts, corporations and consumers who want to understand what personal information is stored on the iPhone and how to recover it. The research reveals the vast amount of personal information stored on Apple’s iPhone and reviews techniques and software for retrieving this information. For questions about our research or our services, please contact us.
Note: viaForensics is independent and is not compensated in any way by the makers of the software reviewed in this white paper.

  1. About this white paper
  2. iPhone Forensics Overview and Techniques
  3. Cellebrite UFED
  4. FTS iXAM
  5. Oxygen Forensic Suite 2010 PRO
  6. Micro Systemation XRY
  7. Lantern
  8. MacLock Pick
  9. Black Bag Technology Mobilyze
  10. Zdziarski Technique
  11. Paraben Device Seizure
  12. Mobile Sync Browser
  13. CellDEK
  14. EnCase Neutrino
  15. iPhone Analyzer
  16. Overall Rankings
  17. Report Conclusions

Approaches to Analyzing Malicious Documents

Analyzing Malicious Documents Cheat Sheet

This cheat sheet outlines tips and tools for reverse-engineering malicious documents, such as Microsoft Office (DOC, XLS, PPT) and Adobe Acrobat (PDF) files.


General Approach

  1. Locate potentially malicious embedded code, such as shellcode, VBA macros, or JavaScript.
  2. Extract suspicious code segments from the file.
  3. If relevant, disassemble and/or debug shellcode.
  4. If relevant, deobfuscate and examine JavaScript, ActionScript, or VB macro code.
  5. Understand next steps in the infection chain.

Microsoft Office Binary File Format Notes

Structured Storage (OLE SS) defines a file system inside the binary Microsoft Office file.
Data can be “storage” (folder) and “stream” (file).
Excel stores data inside the “workbook” stream.
PowerPoint stores data inside the “PowerPoint Document” stream.
Word stores data inside various streams.

Tools for Analyzing Microsoft Office Files

OfficeMalScanner locates shellcode and VBA macros from MS Office (DOC, XLS, and PPT) files.
DisView disassembles bytes at a given offset of an MS Office file. (Part of OfficeMalScanner)
MalHost-Setup extracts shellcode from a given offset in an MS Office file and embeds it in an EXE file for further analysis. (Part of OfficeMalScanner)
Offvis shows raw contents and structure of an MS Office file, and identifies some common exploits.
Office Binary Translator converts DOC, PPT, and XLS files into Open XML files (includes BiffView tool).
OfficeCat scans MS Office files for embedded exploits that target several known vulnerabilities.
FileHex (not free) and FileInsight hex editors can parse and edit OLE structures.

Useful MS Office Analysis Commands

  • OfficeMalScanner file.doc scan brute: locate shellcode, OLE data, and PE files in file.doc
  • OfficeMalScanner file.doc info: locate VB macro code in file.doc (no XML files)
  • OfficeMalScanner file.docx inflate: decompress file.docx to locate VB code (XML files)
  • DisView file.doc 0x4500: disassemble shellcode at offset 0x4500 in file.doc
  • MalHost-Setup file.doc out.exe 0x4500: extract shellcode from offset 0x4500 of file.doc and write it out as out.exe

Adobe PDF File Format Notes

A PDF file consists of a header, objects, a cross-reference table (used to locate objects), and a trailer.
“/OpenAction” and “/AA” (Additional Action) specify a script or action to run automatically.
“/Names”, “/AcroForm”, and “/Action” can also specify and launch scripts or actions.
“/JavaScript” specifies JavaScript to run.
“/GoTo*” changes the view to a specified destination within the PDF or in another PDF file.
“/Launch” launches a program or opens a document.
“/URI” accesses a resource by its URL.
“/SubmitForm” and “/GoToR” can send data to a URL.
“/RichMedia” can be used to embed Flash in a PDF.
“/ObjStm” can hide objects inside an object stream.
Be mindful of obfuscation with hex codes, such as “/JavaScript” vs. “/J#61vaScript”.
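As an added example (not part of the cheat sheet or of any tool it lists), the following Python script applies the notes above in the way PDFiD-style triage does: it tokenizes PDF name objects in the raw file, undoes the #xx hex-escape obfuscation so that /J#61vaScript is counted as /JavaScript, tallies the action and script names listed above over a constructed sample, and flags the /ObjStm caveat, since a raw-byte scan cannot see names inside a compressed object stream. The sample PDF and the helper names are constructed for this illustration.

```python
import re
from collections import Counter

# Name keys from the notes above. "/GoTo" stands for the "/GoTo*" family
# (/GoTo, /GoToE, ...), matched by prefix below; "/GoToR" is listed explicitly
# because it can send data to a URL.
WATCH_NAMES = ("/OpenAction", "/AA", "/Names", "/AcroForm", "/Action", "/JavaScript",
               "/GoToR", "/GoTo", "/Launch", "/URI", "/SubmitForm", "/RichMedia", "/ObjStm")

# A PDF name object: a solidus followed by regular characters; whitespace and the
# delimiters ( ) < > [ ] { } / % end the token.
NAME_TOKEN = re.compile(rb"/[^\s/\[\]<>(){}%]*")
# Inside a name, #xx is a hex escape for a single byte.
HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")


def normalize_name(token: bytes) -> str:
    """Decode #xx escapes so that /J#61vaScript compares equal to /JavaScript."""
    decoded = HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1).decode(), 16)]), token)
    return decoded.decode("latin-1")


def scan_pdf(data: bytes) -> Counter:
    """Count the watched names in the raw bytes of a PDF after undoing #xx obfuscation."""
    hits: Counter = Counter()
    for match in NAME_TOKEN.finditer(data):
        name = normalize_name(match.group(0))
        for watched in WATCH_NAMES:
            if name == watched or (watched == "/GoTo" and name.startswith("/GoTo")):
                hits[watched] += 1
                break  # a token matches at most one entry
    return hits


def review_notes(hits: Counter) -> list:
    """Turn the counts into the points an analyst would check next."""
    notes = []
    if hits["/OpenAction"] or hits["/AA"]:
        notes.append("automatic action on open: inspect the referenced action object")
    if hits["/JavaScript"]:
        notes.append("JavaScript present: extract it (extractjs.rb, pdf.py) and deobfuscate")
    if hits["/Launch"] or hits["/URI"] or hits["/SubmitForm"] or hits["/GoToR"]:
        notes.append("external launch or URL access: record the target before rendering")
    if hits["/ObjStm"]:
        # Names inside a compressed object stream are invisible to a raw-byte scan.
        notes.append("object streams present: decompress them (pdf-parser.py) and rescan")
    return notes


# Constructed sample, not a real malicious file: one obfuscated name plus an object stream.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"3 0 obj << /Type /Action /S /J#61vaScript /JS (app.alert(1)) >> endobj\n"
    b"4 0 obj << /Type /ObjStm /N 1 /First 10 /Length 0 >> stream\nendstream endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    counts = scan_pdf(SAMPLE_PDF)
    print(dict(counts))
    for note in review_notes(counts):
        print("-", note)
```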

Tools for Analyzing Adobe PDF Files

PDFiD identifies PDFs that contain strings associated with scripts and actions. (Part of PDF Tools)
PDF-parser identifies key elements of the PDF file without rendering it. (Part of PDF Tools)
Origami Walker examines the structure of PDF files.
Origami pdfscan identifies PDFs that contain strings associated with scripts and actions.
Origami extractjs and Jsunpack-n’s pdf.py extract JavaScript from PDF files.
Sumatra PDF and MuPDF are lightweight and free viewers that may be used in place of Adobe Acrobat.
Malzilla can extract and decompress zlib streams from PDFs, and can help deobfuscate JavaScript.
Jsunpack-n can extract and decode JavaScript from pcap network captures, and can decode PDF files.
CWSandbox, Wepawet, and Jsunpack can analyze some aspects of malicious PDF files.

Useful PDF Analysis Commands

  • pdfid.py file.pdf: locate script- and action-related strings in file.pdf
  • pdf-parser.py file.pdf: show file.pdf's structure to identify suspect elements
  • pdfscan.rb file.pdf: examine and display file.pdf's structure
  • extractjs.rb file.pdf: extract JavaScript embedded in file.pdf
  • pdf.py file.pdf: extract JavaScript embedded in file.pdf

Additional Malicious File Analysis Tools

ExeFilter can filter scripts from Office and PDF files.
ViCheck.ca automatically examines malicious Office and PDF files.
VirusTotal can scan files with multiple anti-virus tools to identify some malicious documents.

References

Post-Scriptum

Special thanks for contributions and feedback to Pedro Bueno, Frank Boldewin, and Didier Stevens. If you have suggestions for improving this cheat sheet, please let me know.
This cheat sheet is distributed according to the Creative Commons v3 "Attribution" License. File version 1.9.
Take a look at my other security cheat sheets.



iOS Forensics & iBackupBot





iBackupBot

An iTunes Backup Manager Software for iPad, iPhone & iPod Touch



iBackupBot is an easy-to-use shareware/nagware tool that allows an investigator to view and analyze the iOS backup files that reside on the computers end users use to manage their iOS devices. With iBackupBot, the investigator can view and analyze the iTunes backup files and quickly identify the relevant files of interest. iBackupBot allows the investigator to view the device’s databases, images, SMS messages, notes, address book, call history, calendar, and more. The application also allows the export of the data to CSV files for easier creation of charts for use in reports. Finally, most iOS tools are Mac-only tools (developed by Mac developers for Mac users). iBackupBot is a Microsoft Windows application, and is therefore more useful for forensic labs, where Windows is still the predominant operating system.


iBackupBot will also allow the viewing of all “captured text.” The iPhone has a spell checker to improve the accuracy of the on-screen keyboard. That feature saves a running log of recent keystrokes. Those keystrokes can be very revealing. For example, did the user enter a search-engine string that is relevant to the investigation? Or did the user start to enter a note with relevant information, and then delete the note? This keylogging feature can contain a treasure trove of valuable information.

Mandiant Memoryze: A Guide to Using the Memory Analysis Tool

Mandiant’s Memoryze tool is without question one of the best forensic tools available.  It is an incredibly powerful memory analysis suite that should be part of every incident responder’s toolkit.  It’s free, but requires some patience to traverse the learning curve.  Memoryze was built by Jamie Butler and Peter Silberman, a couple of hardcore memory / malware analysts that operate on a completely different level than most of us mere mortals.  In this post I’ll cover how to get started with Memoryze, because if you haven’t added memory analysis to your intrusion investigations, there is a whole lot of evil out there that you are missing.



Getting Started
The first step is to go out and download the tool.  An important thing to keep in mind is that Memoryze actually consists of two components: Memoryze and Audit Viewer.  Each must be downloaded individually from the free tools section of the Mandiant site.  The two tools are divided logically by function: Memoryze for data collection and analysis, and Audit Viewer for presenting and interacting with the collected information.  The split is also for practical purposes – the code behind Memoryze is taken from Mandiant’s MIR commercial incident response product, which should ensure continued support and development in the future.

Installing Memoryze on Removable media
Before adding Memoryze to our incident response kit, we first need to get it installed.  I typically keep a copy on a large USB thumbdrive, but you can put it virtually anywhere, including on a CD/DVD.  The process is simple:
msiexec /a MemoryzeSetup.msi /qb TARGETDIR=portable_drive_and_folder
This copies the necessary files to the portable drive, but there is one more step.   Several configuration and settings files are created the first time you run Memoryze.  So if you plan on putting it on read-only media, make sure you run it at least once from a writeable location.
While you are at it, go ahead and extract Audit Viewer to a folder on your removable device (no installation necessary).  It can be handy to have this tool with you when you are away from your forensic workstation and need to quickly look at a memory image.

Acquiring a Memory Image
The easiest way to acquire an image is using Memoryze via the command-line.  Audit Viewer has a mechanism to capture an image as well, but we’ll cover that in a later section.  A batch script is included called MemoryDD.bat.  MemoryDD generates a settings script and calls memoryze.exe with the proper parameters.
G:\memoryze\MemoryDD.bat -output G:\images
Your results will be placed in a nice folder structure allowing multiple memory images to be stored in the same output folder without confusion.  Output folders are formatted in the following manner:
.\Audits\<Machine Name>\<Date/Time of Acquisition>
While the acquisition process is easy, that doesn’t mean it is always foolproof. Memoryze requires loading a kernel-level driver, giving access to raw memory.  No driver, no memory image.  Several things can prevent the driver from being loaded, with the most common being not running the tool from an Administrator account (or an Administrator-level command prompt).  Another common hindrance is anti-virus software.  Malware also tries to access memory and as such any anti-malware solutions present may need to be disabled so they don’t block driver installation (see Figure 1).  If you are still failing to get an image after checking these things, I recommend trying a different acquisition tool.   I always keep backup tools like win32/64dd.exe and FTK Imager handy because even slight differences in a tool’s implementation can sometimes make a difference on a peculiar system.

Figure 1: Driver Installation Failure

Opening the Memory Image for Review
A key point to keep in mind is that Audit Viewer can be used to analyze and view any raw memory image – not just those captured by Memoryze.  That being said, we first need to take a step back and determine what operating system (OS) the memory image came from.  Memory structures can vary significantly by operating system, and even by patch level.  Thus every memory analysis tool must be specifically written to parse structures from a given OS.  I can’t tell you how many times I have had someone tell me that Memoryze is broken, just to find they are trying to analyze an unsupported platform like Windows XP SP 1.   Lucky for us, Memoryze supports a wide range of the most common Windows platforms:
Windows 2000 Service Pack 4 (32-bit)
Windows XP Service Pack 2 and Service Pack 3 (32-bit)
Windows Vista Service Pack 1 and Service Pack 2 (32-bit)
Windows 2003 Service Pack 2 (32-bit)
Windows 2003 Service Pack 2 (64-bit)
Windows 7 Service Pack 0 (32-bit) – beta
Windows 7 Service Pack 0 (64-bit)
Windows 2008 Service Pack 0 (64-bit) – beta
A memory image from a non-supported system is still valuable; it just can’t be analyzed using this tool. Regardless of the current support available, you should still acquire a memory image, though you may have to perform manual analysis or wait until a tool arrives that supports that platform.
Assuming our image is from a supported OS, we will use Audit Viewer to open it for analysis.  Run auditviewer.exe and select “Configure Memoryze” (Figure 2).  While tempting, ignore the option “Open Existing Results” — it refers to re-opening an existing analysis file.

Figure 2: Configure Memoryze

Click next and tell AuditViewer where your copy of memoryze.exe is located and where you would like to save the analysis results (Figure 3).
Figure 3: Specify Paths

Next tell AuditViewer to analyze “dead” memory and browse to the location of the memory image just acquired.  (Figure 4)
Figure 4: Analyze Dead Memory

Finally, the AuditViewer wizard will step you through a series of analysis and acquisition options.  Instead of covering these ad nauseam, I’ll use this opportunity to point you towards the excellent user guide (Userguide.pdf) that is included within the AuditViewer archive.  Mandiant does a great job of documenting their tools, and this is no exception.   At the conclusion of the wizard, a progress meter is displayed, culminating in an interactive view of all of the identified processes and their corresponding dlls, handles, memory sections, etc.  Expect processing to take some time, particularly if some of the more computationally intensive options were chosen.
Figure 5: Successful Loading of Dead Memory

A full primer on conducting memory analysis is out of scope for this How-To, but as a starting point I did want to mention a couple of tips.  First, you need to double-click the process you are interested in to populate the tabs on the right-hand side of Audit Viewer.  Second, look for the “Occurrences” column available in some of the tabs.  This feature is based on the Least Frequency of Occurrence (LFO) work that Peter Silberman has been touting.  The idea is simple, but very powerful: malware artifacts tend to be relatively unique across a filesystem or an enterprise.  By focusing on those outliers, you can often quickly identify a malicious dll or registry key.

Performing Live Memory Analysis
If memory analysis is finally coming into its own, then live memory analysis is the new cutting edge.  I credit Memoryze with bringing this technique into the mainstream.  It turns out that performing live memory analysis has some valuable benefits beyond just triage.   When Memoryze is utilized in live mode, it can include the system page file in its analysis as well as perform digital signature checks on all loaded executables.  This information is fed back into Memoryze’s Malware Rating Index (MRI), providing an amazingly fast way to identify a wide range of malware.  For more information on MRI, check out Silberman describing it on Mandiant’s blog (http://blog.mandiant.com/archives/741).

Performing a live analysis is relatively simple.  Plug your removable device into the system you wish to analyze and execute AuditViewer.  Similar to opening a dead memory image, point AuditViewer to the Memoryze and output paths.  Then select “Acquire (and/or) Analyze Live Memory” (Figure 6).    The rest of the wizard options will mirror those covered previously with the exception of additional features being available (like digital signature checks).   At the completion of the wizard, Memoryze will begin to analyze the host system’s memory, showing the AuditViewer GUI when complete.
Figure 6: Analyze Live Memory

Keep in mind that just because you are doing a live analysis doesn’t mean that you can’t also take a memory image first.  In most instances I recommend doing both.  You never know when you may want to go back and look for something in that original memory image.  To acquire a memory image using AuditViewer, make sure to select “Memory Acquisition” when prompted for which acquisition methods you would like to use (Figure 7).  This is easy to miss, so read carefully!
Figure 7: Acquire Memory during Live Analysis

Reposted from SANS

CHFI reference material

CHFI introduction

CHFI key-point summary

CHFI question types

CHFI slides

Reference source: http://chfi.dyndns.org/

Timestamp decoding tool - DCode

This release now supports the following date/time formats (Table 1) and will allow you to add a time zone bias.

Table 1: Date/time formats supported by DCode

Date / Time Format               Example                           Date/Time Value
Windows 64 bit (little endian)   FF03D2315FE1C701                  Sat, 18 August 2007 06:15:37 UTC
Windows 64 bit (big endian)      01C7E15F31D202FF                  Sat, 18 August 2007 06:15:37 UTC
Windows Cookie                   1713586176, 30212469              Wed, 14 March 2012 00:00:00 UTC
Windows 64 bit OLE               FBE8DF975D3FE340                  Sun, 02 December 2007 22:11:42 UTC
Windows SYSTEM Structure         D9070B00010002000600090013000000  Mon, 02 November 2009 06:09:19
Hotmail / Email Filetime         CD4E55C3:01C7DD3E                 Mon, 13 August 2007 00:13:40 UTC
Unix 32 bit (little endian)      A2C3B446                          Sat, 04 August 2007 18:21:22 UTC
Unix 32 bit (big endian)         46C3B400                          Thu, 16 August 2007 02:18:40 UTC
Unix numeric                     1170245478                        Wed, 31 January 2007 12:11:18 UTC
Google Chrome                    12883423549317375                 Sun, 05 April 2009 16:45:49 UTC
Apple Mac Absolute               219216022                         Thu, 13 December 2007 05:20:22 UTC
MS-DOS wFatTime, wFatDate        3561A436                          Fri, 04 May 2007 12:09:42 Local
MS-DOS wFatDate, wFatTime        A4363561                          Fri, 04 May 2007 12:09:42 Local
HFS 32 bit (little endian)       CD4E55C3                          Mon, 05 November 2007 22:50:53 Local
HFS 32 bit (big endian)          C3554ECD                          Sat, 23 February 2013 11:17:23 Local
HFS+ (big endian)                CD4E55C3                          Mon, 05 November 2007 22:50:53 UTC
HFS+ (little endian)             C3554ECD                          Mon, 05 November 2007 22:50:53 UTC

During a forensic examination, you may need to decode a date or verify the date provided to you by forensic software.  This is where DCode comes in.  DCode can take a decimal value or a hex value and convert it into a date and time in a variety of formats.

DCode is a great tool for date/time validation and dual tool verification.
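The "dual tool verification" the paragraph recommends is easiest when you can reproduce the decoding independently. The following is an added example written for this page, not DCode's own code: it decodes the Windows FILETIME family (raw little/big endian, the cookie "low, high" pair, the Hotmail "low:high" pair), Unix 32-bit in both byte orders, Unix numeric, Chrome/WebKit microseconds, Apple absolute time, SYSTEMTIME and the two MS-DOS FAT orderings, using the example values from Table 1. The OLE double and HFS rows are deliberately left out: they need rounding and local-zone assumptions that Table 1 does not state. `candidates()` is an added helper that tries both byte orders of a blob and keeps only results in a plausible year range, which is the quickest sanity check when the encoding of a field is uncertain.

```python
"""Decoders for the raw timestamp encodings in Table 1 (added example, not DCode's own code)."""
import struct
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=UTC)      # Windows FILETIME and Chrome/WebKit
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=UTC)
MAC_ABSOLUTE_EPOCH = datetime(2001, 1, 1, tzinfo=UTC)  # Apple CFAbsoluteTime


def _from_filetime(ticks):
    """100-nanosecond ticks since 1601-01-01, truncated to whole seconds (integer maths only)."""
    return FILETIME_EPOCH + timedelta(seconds=ticks // 10_000_000)


def filetime_le(hexstr):
    """8 bytes as stored on disk (little endian), e.g. FF03D2315FE1C701."""
    return _from_filetime(int.from_bytes(bytes.fromhex(hexstr), "little"))


def filetime_be(hexstr):
    """The same 64-bit value written most significant byte first, e.g. 01C7E15F31D202FF."""
    return _from_filetime(int.from_bytes(bytes.fromhex(hexstr), "big"))


def windows_cookie(text):
    """Cookie form 'low, high': two decimal DWORDs of a FILETIME, e.g. '1713586176, 30212469'."""
    low, high = (int(p) for p in text.split(","))
    return _from_filetime((high << 32) | low)


def hotmail_filetime(text):
    """'LOWHEX:HIGHHEX' as seen in Hotmail/e-mail data, e.g. CD4E55C3:01C7DD3E."""
    low, high = (int(p, 16) for p in text.split(":"))
    return _from_filetime((high << 32) | low)


def unix32_le(hexstr):
    return UNIX_EPOCH + timedelta(seconds=int.from_bytes(bytes.fromhex(hexstr), "little"))


def unix32_be(hexstr):
    return UNIX_EPOCH + timedelta(seconds=int.from_bytes(bytes.fromhex(hexstr), "big"))


def unix_numeric(text):
    return UNIX_EPOCH + timedelta(seconds=int(text))


def chrome(text):
    """Chrome/WebKit: microseconds since 1601-01-01, truncated to seconds."""
    return FILETIME_EPOCH + timedelta(seconds=int(text) // 1_000_000)


def mac_absolute(text):
    """Seconds since 2001-01-01 (CFAbsoluteTime / Cocoa)."""
    return MAC_ABSOLUTE_EPOCH + timedelta(seconds=int(text))


def systemtime(hexstr):
    """Windows SYSTEMTIME: eight little-endian WORDs; no zone is encoded, so a naive value is returned."""
    year, month, _dow, day, hour, minute, second, _ms = struct.unpack("<8H", bytes.fromhex(hexstr))
    return datetime(year, month, day, hour, minute, second)


def fat(hexstr, time_first=True):
    """MS-DOS packed date/time (local, naive). time_first=True means wFatTime then wFatDate."""
    a, b = struct.unpack("<HH", bytes.fromhex(hexstr))
    t, d = (a, b) if time_first else (b, a)
    return datetime(1980 + (d >> 9), (d >> 5) & 0x0F, d & 0x1F,
                    t >> 11, (t >> 5) & 0x3F, (t & 0x1F) * 2)  # seconds stored in 2 s units


def show(dt):
    """Render in the 'Sat, 18 August 2007 06:15:37 UTC' style used by Table 1."""
    return dt.strftime("%a, %d %B %Y %H:%M:%S") + (" UTC" if dt.tzinfo else " Local")


def candidates(hexstr, lo_year=1990, hi_year=2040):
    """Try both byte orders for a 4- or 8-byte blob and keep only decodings with plausible years."""
    raw = bytes.fromhex(hexstr)
    tries = {4: [("Unix 32 LE", unix32_le), ("Unix 32 BE", unix32_be)],
             8: [("FILETIME LE", filetime_le), ("FILETIME BE", filetime_be)]}.get(len(raw))
    if tries is None:
        raise ValueError("expected 4 or 8 bytes")
    out = []
    for label, fn in tries:
        try:
            dt = fn(hexstr)
        except OverflowError:   # wrong byte order usually lands thousands of years out
            continue
        if lo_year <= dt.year <= hi_year:
            out.append((label, show(dt)))
    return out


if __name__ == "__main__":
    for label, value in [("FILETIME LE", show(filetime_le("FF03D2315FE1C701"))),
                         ("Chrome", show(chrome("12883423549317375"))),
                         ("FAT", show(fat("3561A436")))]:
        print(f"{label:12} {value}")
    print(candidates("46C3B400"))
```

The truncation to whole seconds matches the resolution Table 1 prints; keep the raw tick count alongside the decoded value in your notes when sub-second ordering matters (two FILETIME examples in the table differ only in their last byte).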


How to Write a Malware Analysis Report

What to Include in a Malware Analysis Report

In my SANS Institute course, I teach security and systems professionals how to reverse-engineer malicious software. The following note summarizes my recommendations for what to include in the report that describes the results of the malware analysis process.




A typical malware analysis report covers the following areas:
  • Summary of the analysis: Key takeaways the reader should get from the report regarding the specimen's nature, origin, capabilities, and other relevant characteristics
  • Identification: The type of the file, its name, size, hashes (such as MD5, SHA1, and ssdeep), malware names (if known), current anti-virus detection capabilities
  • Characteristics: The specimen's capabilities for infecting files, self-preservation, spreading, leaking data, interacting with the attacker, and so on
  • Dependencies: Files and network resources related to the specimen’s functionality, such as supported OS versions and required initialization files, custom DLLs, executables, URLs, and scripts
  • Behavioral and code analysis findings: Overview of the analyst's behavioral, as well as static and dynamic code analysis observations
  • Supporting figures: Logs, screenshots, string excerpts, function listings, and other exhibits that support the investigator's analysis
  • Incident recommendations: Indicators for detecting the specimen on other systems and networks (a.k.a. "indicators of compromise"), and possible eradication steps
Malware analysis should be performed according to a repeatable process. To accomplish this, the analyst should save logs, take screenshots, and maintain notes during the examination. This data will allow the analyst to create a report with sufficient detail that a similarly skilled analyst could arrive at equivalent results.
A convenient way of keeping track of your observations during the reverse-engineering process is to use a mind map, which organizes your notes, links, and screenshots on a single easy-to-see canvas. You can download my mind map template for such a report; you need to use the free mind-mapping tool called FreeMind to load and edit the template.
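The Identification section is the one part of the outline that can be generated mechanically and reproducibly, which also makes it the easiest place for two analysts to cross-check each other. The following is an added example, not part of the original note or of any SANS material: it computes the identification fields from a sample's bytes (file type from a few magic prefixes, size, MD5/SHA1/SHA256) and renders a skeleton with every section of the outline present so nothing is silently omitted. ssdeep is left out because it needs a third-party library; the `av_detection` and `known_names` arguments are placeholders the analyst fills in from their own checks.

```python
"""Generates the Identification section and a report skeleton from a sample (added example)."""
import hashlib

# The seven areas of the outline, in order.
REPORT_SECTIONS = [
    "Summary of the analysis",
    "Identification",
    "Characteristics",
    "Dependencies",
    "Behavioral and code analysis findings",
    "Supporting figures",
    "Incident recommendations",
]

# A few well-known magic prefixes; extend as needed.
MAGIC = {
    b"MZ": "MS-DOS/PE executable (MZ header)",
    b"\x7fELF": "ELF executable",
    b"%PDF": "PDF document",
    b"PK\x03\x04": "ZIP container (also Office/JAR)",
}


def file_type(data):
    """Crude type guess from the leading bytes; 'unknown' when no prefix matches."""
    for sig, label in MAGIC.items():
        if data.startswith(sig):
            return label
    return "unknown (no recognised magic)"


def identify(data, name, av_detection=None, known_names=None):
    """Identification fields named in the outline. ssdeep omitted (needs python-ssdeep)."""
    return {
        "name": name,
        "type": file_type(data),
        "size": len(data),
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "malware_names": ", ".join(known_names) if known_names else "none known",
        "av_detection": av_detection or "not checked",
    }


def render_report(identification, sections=None):
    """Plain-text skeleton: every outline section appears, unfilled ones are marked TODO."""
    sections = dict(sections or {})
    sections["Identification"] = "\n".join(f"  {k}: {v}" for k, v in identification.items())
    lines = []
    for title in REPORT_SECTIONS:
        lines.append(title)
        lines.append("=" * len(title))
        lines.append(sections.get(title, "  TODO"))
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    sample = b"MZ" + b"\x90" * 62   # constructed bytes, not a real specimen
    ident = identify(sample, "sample.bin", av_detection="0/1 (constructed placeholder)")
    print(render_report(ident, {"Summary of the analysis": "  constructed placeholder"}))
```

Hashing the bytes rather than a path keeps the function usable on a sample extracted from a memory image or a packet capture, and the unfilled TODO markers double as a checklist against the outline above.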



Reposted from http://zeltser.com/reverse-malware/malware-analysis-report.html

FileSeek: free, fast file-content search software

FileSeek is a small, free search tool. Its file-content search is reasonably fast, and it also supports searching Chinese-language content. FileSeek has two further characteristics: it does not need to build an index file beforehand, you simply search directly; and it supports searching some special file types.


Searching file contents: DocFetcher or FileSeek?
For example, I wanted to find the content of a few specific blog posts among a large number of Windows Live Writer files, but DocFetcher cannot handle the special "wpost" extension, whereas FileSeek can search the text inside wpost files.

FileSeek's lack of a pre-built index database also makes it well suited to "ad hoc" content searches. Although tools like DocFetcher make searching faster once the index is built, building and updating the index database itself also takes time.
So for document folders you search often, I recommend building an index with DocFetcher and searching with that. But for a folder you only need to query occasionally, especially one containing special document types that need to be searched, I recommend FileSeek, which needs no index and supports special extensions.
If readers know of other good free file-content search software, you are welcome to recommend it in the comments on this post.

  • FileSeek walkthrough
01.
After downloading and installing, launch FileSeek; in the upper left of the main window you can enter the search conditions.
  • "Path": choose the folder to search.
  • "Include Files": set the file-name and extension patterns to search. For example, "*.*" searches all files, while "*.wpost" searches only files with the wpost extension.
  • "Exclude Files": set file-name and extension patterns to skip.
  • "Query": enter the search keyword. For example, entering "異塵行者" finds files whose content contains that keyword.
Pressing [Search] starts the search, but let's wait a moment and look at the other condition settings first.

02.
First, in the "Path" field, choosing [Browse & Append] lets you add several different folders so that FileSeek searches all of them at once.

03.
In "Query" you can separate multiple keywords with spaces, then under "Search Mod" below choose:
  • "Match All Words": every keyword must match.
  • "Match Any Words": any one keyword is enough.
to run searches with different conditions.

04.
The settings in the upper right of FileSeek's main window are also important. By default FileSeek searches file names; to do the content search described at the start of this post, you must tick a specific item here:
Process file contents using File Handlers
Only with this option ticked can FileSeek search file contents.
Other important options in this area:
  • "Search sub-folders": include subfolders in the search.
  • "Filter by Date Modified": only search files within a specific date range.
This last date-range condition is also very helpful when looking through large numbers of work-in-progress documents.

05.
With the conditions set, you can start the search. FileSeek's content search is fairly fast: in the screenshot below it searched 4351 files and found 3016 of them containing the keyword, taking only about one minute.
In the main window you can see the list of matching files and directly preview the passage containing the keyword, which is highlighted in yellow.

06.
For ordinary users there should be no need to change the back-end settings while using FileSeek; the defaults plus the condition adjustments in the main window described above are enough for content searching.
The one place I think is worth adjusting is the "Search" page under "Settings", where you can untick the first two items so that "lookup errors" are hidden from the result list and the results are not cluttered.

  • Summary:
Finally, considering my own needs, I keep all three file search tools, Everything, DocFetcher and FileSeek, each with its own strengths, and use them as follows:
  • Everything: when I know part of a file name and want to open a specific file, to find it quickly (because it really is extremely fast).
  • DocFetcher: when I don't know the file name but know the content keyword, for the few document folders I search regularly (because the pre-built index speeds up searching).
  • FileSeek: when I don't know the file name but know the content keyword, and need an ad hoc search in a rarely used folder, or the file type is not supported by DocFetcher.
FileSeek does have some drawbacks; for example, it cannot search the content of txt files. But since all of these are free, using them together appropriately can still improve work efficiency.

Reposted from 電腦玩物

iPhone - Data Recovery

iPhone Data Recovery: Recovers your Data quickly!

For all those who have lost their photos, SMS, contacts and other files that are very important to them, this software for iPhone backup is very effective and efficient. You can easily download the trial version and then buy the software to recover all your lost files from your iPhone. This software helps you back up your iPhone and transfer your files directly from iPhone/iPod/iTouch to your computer. Try the software to see the results. With various success stories, the software is highly popular in the market as backup software for iPhone.


The iPhone is a multimedia smartphone designed and sold by the world-famous Apple Inc. It was one of the most eagerly awaited mobile phones in the world. Its features are amazing, and when you see it for the first time you will certainly be struck by the beauty, intelligence and performance of this multi-touch-screen mobile phone. It has a very long list of amazing features that are rare in other companies' handsets.


It has a virtual keyboard, iPod, text messaging, e-mail, web browsing, Wi-Fi, Bluetooth, HSDPA, UMTS, quad-band GSM, EDGE, voicemail, a 2 megapixel camera and many more things. With the latest iPhone model, the "iPhone 3G", internet access reaches new heights: 3G data speeds are much faster (nearly 2.4 times) than on previous iPhone versions. You could say it is the ultimate multimedia device, perfect for people who need a business phone and an entertainment device in a single package.


The iPhone has 8 GB or 16 GB of storage, where you can store thousands of songs and personal documents such as photos, videos, e-mails with attachments, text files, ringtones and other downloaded items. If a problem occurs and the data on your iPhone becomes corrupted, then unless you do something you will surely lose some or all of your data. You need to carry out an iPhone recovery process. iPhone data recovery is the necessary step to save your data, and an important one for all those people who consider the data on their iPhone precious and need to recover it at any cost.
You will need iPhone data recovery software to recover all the data on your iPhone if the data files are too large.

The iPhone data recovery software does the following things:
  • It can recover all your data if the "your drive is not formatted" message appears on your computer screen.
  • It can recover from both formatting and deletion, whether under Apple Mac OS or Windows.
  • It enables data access even when the disk partition volume is not recognised by your computer.
  • It recovers data lost because of a damaged file system or an improper restoration.
  • It is a read-only, non-destructive program.
  • It optimises your iPhone environment and the layout of music files.
After using the iPhone data recovery software, you will be sure that your money is not being wasted and you are assured of your iPhone's performance. These are available online on various websites that sell this kind of software. Download the trial version and, if you are satisfied with its performance, switch to the standard paid full version of the iPhone data recovery software.

iPhone Backup

Are you unable to back up iPhone data using iTunes?

Are you looking for an easy and efficient backup solution?

Want to know the features of iPhone backup software?

The iPhone is a multi-purpose device serving as a mobile phone, multimedia player, camera and more, including internet access, e-mail, SMS, contacts and other important data files. Such critical and intensive day-to-day use makes the iPhone a storehouse of personalised data and records that can be accessed as required. This truly makes life easier, but even a small fault can render all of its data useless, because, like any other storage medium or system, an iPhone may also suffer an unforeseen situation that leads to data loss. iPhone backup software exists to cope with these unwanted, uncertain situations. For more information on the details of iPhone backup, the process involved, etc., see:    iPhone Backup

USER GUIDE

Step 1

Connect the iPhone to the system after installing the iPhone backup software. The software will automatically detect it and show the list of files from the iPhone.

Step 2

Choose the files you want to back up and click the Export button.

Step 3

After you click the Export button, the window shown below will pop up; you can choose either backup to computer or to iTunes directly. You can set the output folder under Advanced->Options before you transfer.

Step 4

When the backup is finished, a window will pop up displaying the message 'export finished', after which you can see the files in the location they were stored in.

Reposted from http://www.iphonedatarecovery.org/