Volatility Workbench – A GUI For Volatility Memory Forensics

Volatility Workbench is a graphical user interface (GUI) for the Volatility tool. Volatility is a command line memory analysis and forensics tool for extracting artifacts from memory dumps. Volatility Workbench is free, open source, and runs on Windows. It provides a number of advantages over the command line version, including: No need of remembering […]

Fine for Heathrow Airport for missing memory stick

Heathrow Airport has been fined £120k by the Information Commissioner's Office for serious deficiencies in data protection. The case arose after a member of the airport staff lost a memory stick last October; the device contained “confidential personal data”, which a user of the airport subsequently found, as reported by specialists in digital forensics from […]

XenoScan – Open source memory scanner written in C++

XenoScan is a memory scanner which can be used to scan the memory of processes to locate the specific locations of important values. These types of tools are typically used when hacking video games, as they allow one to locate the values representing the game’s state in memory. XenoScan is written in C++ with a […]

CoffeeShot: Avoid Detection with Memory Injection

CoffeeShot is an evasion framework that injects payloads from Java-based programs into designated processes on Microsoft Windows. It assists blue team members in assessing the effectiveness of their anti-malware measures against malicious software written in Java. Red team members and pen testers can also use CoffeeShot to bypass the target’s security controls. It utilizes JNA […]

Most Important USB Memory Sticks based Cyber Attack Mitigation Steps for Your Organization

Among the ten major cyber threats identified by BSI in 2016, the use of portable peripheral devices ranks second. While the same agency suggests engaging in countermeasures aimed at implementing targeted procedures based on your organization’s specific structure, there seems to be no reason why companies cannot securely store their data on USB memory sticks. By combining preventative […]

Unicorn – Downgrade Attack & Inject Shellcode Straight into Memory

Unicorn is a simple tool for using a PowerShell downgrade attack to inject shellcode straight into memory. It is based on Matthew Graeber’s PowerShell attacks and the PowerShell bypass technique presented by David Kennedy (TrustedSec) and Josh Kelly at Defcon 18. Usage is simple: just run Magic Unicorn (ensure Metasploit is installed if using Metasploit methods and […]

Live Forensics Analysis with Computer Volatile Memory

The field of computer forensics analysis involves identifying, extracting, documenting, and preserving information that is stored or transmitted in electronic or magnetic form (that is, digital evidence). Forensics Analysis – Volatile Data: the data that is held in temporary storage in the system’s memory (including random access memory, cache memory, and the onboard memory of […]

Big Memory Leak Bug Found In GNOME Shell; Might Remain Unpatched In Ubuntu 18.04

Gnome has been Ubuntu’s default desktop environment for a while. Recently, some Ubuntu 17.10 users have started to observe a memory leak issue when running the Linux distro with Gnome Shell 3.26.2. The bug, which was also present in Ubuntu 17.04 running Gnome Shell 3.23, doesn’t seem to be linked to a specific application. It […]

How Memory Leaks Happen in a Java Application

Introduction to Memory Leaks in Java Apps: One of the core benefits of Java is the JVM, which provides out-of-the-box memory management. Essentially, we can create objects and the Java Garbage Collector will take care of allocating and freeing up memory for us. Nevertheless, memory leaks can still occur in Java applications. In this article, we’re going to […]

DAMM – An Open Source Memory Analysis Tool

DAMM (Differential Analysis of Malware in Memory) is an open source memory analysis tool built on top of Volatility. It is meant as a proving ground for interesting new techniques to be made available to the community. These techniques are an attempt to speed up the investigation process through data reduction and codifying some expert knowledge. […]

CryKeX – Linux Memory Cryptographic Keys Extractor

Some work has already been published regarding the security of cryptographic keys within DRAM. Basically, we need to find something that looks like a key (entropic and of a specific length) and then confirm its nature by analyzing the memory structure around it (C data types). The idea is to dump the live memory of a process and use […]

Ursnif Malware Variant Performs Malicious Process Injection in Memory using TLS Anti-Analysis Evasion Trick

A sophisticated Ursnif malware variant uses a manipulated TLS callback as an anti-analysis technique while injecting into the child process to change its entry point. TLS (Thread Local Storage) callbacks are a mechanism provided by the Windows operating system for additional initialization and termination. A malicious TLS directory allows PE files to include malicious TLS callback functions that execute prior to […]

Attacking a co-hosted VM: A hacker, a hammer and two memory modules

Row-hammer is a hardware bug that can cause bit-flips in physical RAM. Mark Seaborn and Thomas Dullien were the first to exploit the DRAM row-hammer bug to gain kernel privileges. Kaveh Razavi et al. pushed the exploitation of row-hammer bugs to the next level. They abused an OS feature – memory de-duplication – to surgically flip bits in a controlled way. They succeeded in flipping […]

Using Binary Diffing to Discover Windows Kernel Memory Disclosure Bugs

Patch diffing is a common technique of comparing two binary builds of the same code – a known-vulnerable one and one containing a security fix. It is often used to determine the technical details behind ambiguously-worded bulletins, and to establish the root causes, attack vectors and potential variants of the vulnerabilities in question. The approach […]

Memoryze – Memory Forensics Tool

Memoryze is a free memory forensics tool that helps incident responders find evil in live memory. It can acquire and/or analyze memory images and, on live systems, can include the paging file in its analysis. Memoryze can: Image the full range of system memory (no reliance on API calls). Image a process’s entire address space to […]

mimikittenz – PowerShell Tool for Extracting Juicy Info from Memory (RAM)

A post-exploitation PowerShell tool for extracting juicy info from memory. mimikittenz is a post-exploitation PowerShell tool that utilizes the Windows function ReadProcessMemory() in order to extract plain-text passwords from various target processes. mimikittenz can also easily extract other kinds of juicy info from target processes using regex patterns, including but not limited to: TRACK2 […]

Google Project Zero team discovers the worst Windows RCE vulnerability in recent memory

Hackers at the Google Project Zero team have discovered another critical Windows RCE vulnerability, the worst Windows RCE in recent memory. Security experts at the Google Project Zero team have discovered another critical remote code execution (RCE) vulnerability in the Microsoft Windows OS, but this time the hackers described it as the worst Windows RCE in recent memory. […]