I've been working hard on forensic and malware related courses lately and having a lot of fun with it. I had almost forgotten how cool it was working on and learning this material. I thought I'd give a little update on my activities, so here it is. Take your No-Doz, this may be the longest post I've ever done.
Forensic and Malware Courses
In my last post, I mentioned that I was working on the Practical Malware Analysis and Triage (PMAT) class over at the TCM Academy. I finished the course recently and found it was a very worthwhile course to take.
PMAT was a lot of fun for me. I've always enjoyed looking at malware, but I had never taken a course or really tried to get past the absolute basics. This course was a well designed and taught introduction to malware analysis. The course author/instructor is Matt Kiely The course covered the important topics of setting up your lab and covering how to use it safely. Multiple malware samples were made available for analysis including wannacry ransomware. The course started off with basic dynamic and static analysis and then moved into advanced versions. Also covered were binary patching, maldocs, shell code mobile device malware.
The course involved the use of both Windows and Linux investigation tools. The lab was setup so that you ran both the Windows FlareVM and the Remnux Linux VM for different tasks. Occasionally you needed to run both at the same time, such as using Inetsim on Remnux for the malware sample running on FlareVM to connect to, so you need a computer with high enough specs to run both at the same time.
If you're interested in learning more about malware analysis, I strongly encourage you to check out this course.
Now that I'm done with PMAT, I'm working on another course, also at TCM This class is called Practical Windows Forensics (PWF). The course author/instructor is Markus Schober. I'm over halfway through it and enjoying it very much. In my case, it's serving as both a refresher on things I "used to know" and teaching me things I never knew as well.
One of the things I've really enjoyed working with in the class is using the Eric Zimmerman tools. I had never used any of them before and I see now why everyone talks about them so much.
In PWF to this point, I've really liked learning again about NTFS artifacts. I had never really known much about the USN journal and it's forensic value, so finding out how to access this information has been great.
I'll follow up when I've completed the class. I intend to go back over some topics again before truly being done with it.
I bought another malware related course this morning on a LinkedIn contacts recommendation. I purchased Reverse Engineering and Malware Analysis Fundamentals on Udemy. The course author is Paul Chin. I'm not going to start it until I've finished the other courses I'm taking.
I'm kind of "on-hold" with the GRC class I mentioned last time. I've gotten so excited about forensic and malware training that I just put that one aside for the time being. It's a great class and I'll get back to it, but I've just got too many other things grabbing my attention right now.
Tools
Jobparer.py
Some years ago, Jamie Levy wrote jobparser.py for parsing Windows .job files. The script was written for Python 2.x. Recently I have been working on a short course on Cyber5W Academy called Investigating Windows Scheduled Tasks and it called for the use of Jamie's script in one part. I, like many only have Python 3 installed on my Linux laptop, so this morning I converted the script to work in Python 3. The conversion was partially done with a conversion tool and I manually fixed what it wasn't able to. I sent it to Jamie and she said she would add it to the Github page.
(edited to clarify that I used an online Python at https://python2to3.com/ conversion tool to help me convert the script. It missed quite a few things, so I manually fixed the rest. No, it wasn't chatgpt or anything like that 🤣)
Qu1ckSc0pe
I wanted to talk about a couple investigation tools I only recently learned about. The first one is called Qu1ckSc0pe and you can find it HERE. According to the Github page, Qu1ckSc0pe is and "All-in-One malware analysis tool for analyze Windows, Linux, OSX binaries, Document files, APK files and Archive files". To this point, I've only tried Qu1cksc0pe with Windows executables, but as you can see it's capable of far more.
Qu1ckSc0pe iterates through the file being examined and pulls out a great deal of information. It pulls strings and does Yara rule matching, highlights "interesting" imports and other patterns, pulls out the time/date stamp and file hashes and much more. If you provide your VirusTotal API key, it can also check for VirusTotal detections and report on those.
This is an excellent tool I can see myself using a lot. Go check it out!
Events-Ripper
Events-Ripper...sound at all familiar? It should. If you've ever used the great RegRipper, then you might guess Events-Ripper comes from the same place and you'd be right. Both are the creations of Harlan Carvey and Events-Ripper is operated in much the same way as RegRipper, except it's goal is to parse evtx files for you. Specifically (according to the Github page),
"the current plugins extract value from the following Windows Event Logs:Security.evtx System.evtx Application.evtx Microsoft-Windows-Windows Defender%4Operational.evtx Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx"
Using Events-Ripper for the first time on an investigation requires you to create an "events" text file by running a batch file. The batch file relies on logparser and evtxparse. This might be done like this:
wevtx.bat c:\case\*.evtx c:\case\events.txt
Once the events.txt file (or whatever you want to call it) is done, you run the main program along with the appropriate plugin to get the data you're looking for. The syntax is like this:
erip -f c:\cases\events.txt -p <plugin-name>
or
erip -f c:\cases\events.txt -a
to run all the plugins once
Also, using -r will allow you to run a profile instead of just a single plugin. The tool works quickly, printing the output to the terminal you're working in or you can redirect the output to a text file.
One thing that I love about this is how Harlan included investigative tips or hints in the output of many plugins. This helps you know how the data might be useful to you or indicative of certain things.
So, this post has gone on far longer than I expected, so I'll end it here. I'll be posting again soon.
"Using Events-Ripper for the first time on an investigation..."
ReplyDeleteThe idea behind Events Ripper isn't to just run Events Ripper; Events Ripper makes use of the "events file", an intermediate file format between raw data and timeline. I opted to use this method because I'm already creating a timeline, so why not use what's available? And because each event is listed on a single line, this provided for an efficient means for developing pivot points.
The point is not to run Events Ripper by itself; run Events Ripper to provide insight and pivot points into your timeline.
Yea, I was just trying to give an overview of the tool. Understood that it's not something you do just for the sake of doing it.
Delete