tag:blogger.com,1999:blog-24875151280067619052024-03-05T01:31:32.676-08:00TheHexNinjaSlicing, Dicing and Splicing Hex in the interests of forensics and data recovery.Unknownnoreply@blogger.comBlogger8125tag:blogger.com,1999:blog-2487515128006761905.post-29266127361928405882021-10-23T17:36:00.006-07:002021-10-23T18:33:36.764-07:00Shhh we're still hunting Phishers Part 2<p>Welcome back, Phish hunters.</p><p>In the first part of this blog series (is two a series?) we looked at the different encoding schemes Phishers use when crafting their phishing emails to avoid detection. </p><p>We looked at the two 'easy' ones, URL encoding and Base64. After a while you can spot these by sight in pages of logs or code pretty easily.</p><p>This next one is a little more complicated. </p><p>But let's start by remembering that the HTML and JavaScript in an attachment still have to be something the browser can interpret. However many layers of encoding the Phisher stacks up, the routine that undoes each layer has to be in the file too, and spotting that routine tells us which decoder to reach for.</p><p>In our first example, URL encoding, we see the JavaScript function <b>unescape</b>:</p><div class="separator" style="clear: both; text-align: center;"><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEguAgptkUTdq8rxaycquhqY-76c3cztUMeNQwWew5oTFEMppFA9G8VjMLq3rZXJHPsJkYZTZYm-QkpNZvAvj6vBHyL71Tc_0ZuOS2iN5AcUxfCRMnAb8wHQy2N2MxEozsOJNWUXq_URztrI/s2420/2021-10-23_08h33_09.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="143" data-original-width="2420" height="38" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEguAgptkUTdq8rxaycquhqY-76c3cztUMeNQwWew5oTFEMppFA9G8VjMLq3rZXJHPsJkYZTZYm-QkpNZvAvj6vBHyL71Tc_0ZuOS2iN5AcUxfCRMnAb8wHQy2N2MxEozsOJNWUXq_URztrI/w640-h38/2021-10-23_08h33_09.png" width="640" /></a></div><br /><br /></div><br /> In the Base64 example we see clear references to the base64 keyword:<div class="separator" style="clear: both; text-align: center;"><a 
href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj48sfWMbDuleGqXOFWfiFIUGoeaDltYOKeho3qzMwQI1HCUAOtwWkUDdSFBCCs3I7LJhYrYM-qIIYrw1qKsiykkGJdpW0XJpaT38mwFlWm8Pj9Lk2iH2lt0-PXNuGWxaSY5v4bgOdtbTgf/s1128/2021-10-23_08h36_20.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="374" data-original-width="1128" height="212" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj48sfWMbDuleGqXOFWfiFIUGoeaDltYOKeho3qzMwQI1HCUAOtwWkUDdSFBCCs3I7LJhYrYM-qIIYrw1qKsiykkGJdpW0XJpaT38mwFlWm8Pj9Lk2iH2lt0-PXNuGWxaSY5v4bgOdtbTgf/w640-h212/2021-10-23_08h36_20.png" width="640" /></a></div><br /><div class="separator" style="clear: both; text-align: center;"><br /></div><br />Now what can we determine if the HTML code looks like this?<div class="separator" style="clear: both; text-align: center;"><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEihUADcYo3gVMAZ3_kuaK8w80N5Ztr1mULNFMkx-tf4irBBqsDB38ECplCjJWQ9vfl9vmef0ZKD_gDf92MueeZSJlRGouc1K0lG_0oDKuZ5emwmH6McW2RSsxm0YaTGcP7Joon3Yy9u-mJ7/s1522/2021-10-24_08h59_23.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="752" data-original-width="1522" height="316" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEihUADcYo3gVMAZ3_kuaK8w80N5Ztr1mULNFMkx-tf4irBBqsDB38ECplCjJWQ9vfl9vmef0ZKD_gDf92MueeZSJlRGouc1K0lG_0oDKuZ5emwmH6McW2RSsxm0YaTGcP7Joon3Yy9u-mJ7/w640-h316/2021-10-24_08h59_23.png" width="640" /></a></div><div class="separator" style="clear: both; text-align: center;"><br /></div><div class="separator" style="clear: both; text-align: center;"><br /></div><div style="text-align: left;">We can see that the JavaScript has clearly been obfuscated, both to defeat human readability and to get past mail scanners.</div><div style="text-align: left;"><br /></div><div style="text-align: left;">In the first few lines we see a function of the form <b>function(p,a,c,k,e,r)</b>. This is the signature of Dean Edwards' JavaScript packer: the real code is passed in as a string in which every identifier has been replaced by a short token, together with a keyword list, and the wrapper rebuilds the original source at runtime and hands it to <b>eval</b>. Around it we see other character replacement/substitution tricks, anything to make the code hard to read.</div><div style="text-align: left;"><br /></div><div style="text-align: left;">This (p,a,c,k,e,r) routine is common enough that it can be unpacked with the JavaScript unpacker website kindly provided at https://matthewfl.com/unPacker.html . Unpacking is a pure string substitution, so it can be done without ever running the payload; don't be tempted to paste it into a browser console to see what it does.</div><div style="text-align: left;"><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhF6q95XnmL_2iHeFvH7dz-OmQmz7yhM4OU5xkxB-DBa0K9VU1dQjzGkiQtqCBUM0t9JAS_D-_ESgY2oOnCGNoKg7dObb2pmpEsOmYcG5AfqxyIRkF2-qhtwn2wwN7Jfz0JAXMT9CSQfOv1/s1513/2021-10-24_09h22_20.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1324" data-original-width="1513" height="560" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhF6q95XnmL_2iHeFvH7dz-OmQmz7yhM4OU5xkxB-DBa0K9VU1dQjzGkiQtqCBUM0t9JAS_D-_ESgY2oOnCGNoKg7dObb2pmpEsOmYcG5AfqxyIRkF2-qhtwn2wwN7Jfz0JAXMT9CSQfOv1/w640-h560/2021-10-24_09h22_20.png" width="640" /></a></div><br /><div class="separator" style="clear: both; text-align: center;"><br /></div>This unpacks to a <b>document.write(atob(...))</b> call and we are back to Base64 encoding again: encoding1(encoding2(data)).</div><div style="text-align: left;"><br /></div><div style="text-align: left;">Check out the atob function here: https://html.spec.whatwg.org/multipage/webappapis.html#atob</div><div style="text-align: left;"><br /></div><div style="text-align: left;">The unpacked JavaScript contains three of these atob calls. So we can take the string inside each atob call back to CyberChef (From Base64) to see what it contains... exciting. 
</div><div style="text-align: left;"><div class="separator" style="clear: both; text-align: center;"><br /></div><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhDNMc2kRNeoc-prCQiFiYJNfW5pfD0HO2DCOa1Q9EQtLP3yqJJcyYrPFN76sCwHUUR5JTk9CWnSG0E-WFK2vLnASTAvQnPLnm4YXXOfHi0JDlgGZg6hyphenhyphen5scJjXOKJIUYsx03Bt17BOnzag/s2048/2021-10-24_09h41_39.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1352" data-original-width="2048" height="422" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhDNMc2kRNeoc-prCQiFiYJNfW5pfD0HO2DCOa1Q9EQtLP3yqJJcyYrPFN76sCwHUUR5JTk9CWnSG0E-WFK2vLnASTAvQnPLnm4YXXOfHi0JDlgGZg6hyphenhyphen5scJjXOKJIUYsx03Bt17BOnzag/w640-h422/2021-10-24_09h41_39.png" width="640" /></a></div><br /><div style="text-align: left;">OK, so this one appears to be adding event listeners to disable certain keys, including:</div></div><div> <i><span style="font-size: x-small;">// disable F12 key</span></i></div><div class="separator" style="clear: both; text-align: center;"><div style="text-align: left;"><div><i><span style="font-size: x-small;"> if(e.keyCode == 123) {</span></i></div><div><i><span style="font-size: x-small;"><br /></span></i></div><div><i><span style="font-size: x-small;"> // disable I key</span></i></div><div><i><span style="font-size: x-small;"> if(e.ctrlKey && e.shiftKey && e.keyCode == 73){</span></i></div><div><i><span style="font-size: x-small;"><br /></span></i></div><div><i><span style="font-size: x-small;">// disable J key</span></i></div><div><i><span style="font-size: x-small;"> if(e.ctrlKey && e.shiftKey && e.keyCode == 74) {</span></i></div><div><i><span style="font-size: x-small;"><br /></span></i></div><div><i><span style="font-size: x-small;"> // Prevent Ctrl+s = disable save</span></i></div><div><i><span style="font-size: x-small;"> if (event.ctrlKey && (event.keyCode === 85 || event.keyCode === 83 || event.keyCode ===65 )) {</span></i></div><div><i><span style="font-size: x-small;"><br />// disable U key</span></i></div><div><i><span style="font-size: x-small;">(e.ctrlKey && e.keyCode == 85) {</span></i></div></div><div style="text-align: left;"><br /></div><div style="text-align: left;">F12 (keyCode 123): disables the browser developer tools, used to inspect, debug and view the page's source and behaviour</div><div style="text-align: left;">Ctrl+Shift+I (73): disables opening the Developer Tools panel</div><div style="text-align: left;">Ctrl+Shift+J (74): disables opening the Console tab of the Developer Tools panel (note the code checks for Shift as well as Ctrl)</div><div style="text-align: left;">Ctrl+S (83): disables saving the page; the same check also swallows Ctrl+U (85) and Ctrl+A (65), select all</div><div style="text-align: left;">Ctrl+U (85): disables opening the page source view</div><div style="text-align: left;">None of this stops analysis: the key handlers only exist inside the rendered page, and the source we are reading here never went near a browser.</div></div><div class="separator" style="clear: both; text-align: center;"><div style="text-align: left;"><div><br /></div><div><br /></div><div>So basically the Phisher doesn't want us to look behind the curtain, Dorothy!!</div><div><br /></div><div>If we paste the third atob Base64 string into CyberChef it decodes nicely to readable HTML.</div><div><br /></div><div>Interestingly, in this case the Phisher had compromised a legitimate WordPress site and was using it to host the icons, images and CSS style sheets the page references. </div><div><br /></div><div>I find 9/10 of the hacked sites used in Phishing campaigns are running WordPress. So please ensure your WordPress sites are up to date with their plugins and patching. </div><div><br /></div><div>It is also good practice to send the website owner/host an email to let them know their website is compromised.</div><div><br /></div><div>One hacked WP site we found was being used to store a PHP script and a nice text file of hundreds of usernames and passwords that had been captured. We called the business, sent emails and still, months later, the page was up! 
</div><div><br /></div><div>I may have flooded it with hundreds of illegitimate username/password credentials to attempt to frustrate the Phishers and slow them down.</div><div><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjWu0OXnlqRzIE5HpPmwcAdCcnwtD5AFUpS9rKsxunzAybose6aakMDjDJxt8cKMPnVexY1wwStO0K_YqXOCahTSq6nlkOthXsfLu9LnAtlVPAVi_bpxKzWz4PwB-GGHBaLLG_ST246f2iN/s1810/2021-10-24_10h26_52.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1006" data-original-width="1810" height="356" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjWu0OXnlqRzIE5HpPmwcAdCcnwtD5AFUpS9rKsxunzAybose6aakMDjDJxt8cKMPnVexY1wwStO0K_YqXOCahTSq6nlkOthXsfLu9LnAtlVPAVi_bpxKzWz4PwB-GGHBaLLG_ST246f2iN/w640-h356/2021-10-24_10h26_52.png" width="640" /></a></div><br /><div><br /></div><div>The stolen images make the rendered page look familiar. Also, the victim's email address was already prefilled, a cheap way to make a generic kit look personal. 
</div><div><br /></div><div>So it seems legit!</div><div><br /></div><div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhN7S7t6H9u2fbzYRFxf2KRZcrs_EiGm8vy8xjbXahyf_PGXdlYwXp5Ys2UTg9hU8ekgxO6dDjQGSLf6qXXWBHeX3l8b1AhEGxSYV8sFOd912H0ffhUgH7w2eavX6UKny_LNZ0a3qHEgC3J/s1241/2021-10-24_11h10_00.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="915" data-original-width="1241" height="472" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhN7S7t6H9u2fbzYRFxf2KRZcrs_EiGm8vy8xjbXahyf_PGXdlYwXp5Ys2UTg9hU8ekgxO6dDjQGSLf6qXXWBHeX3l8b1AhEGxSYV8sFOd912H0ffhUgH7w2eavX6UKny_LNZ0a3qHEgC3J/w640-h472/2021-10-24_11h10_00.png" width="640" /></a></div><br /><div class="separator" style="clear: both; text-align: center;"><br /></div><br /></div><div><br /></div><div>Later in the page we find some more Base64, so now we are at the third level of encoding inception: encoding1(encoding2(encoding3(data))).</div><div><br /></div><div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjBQQuBGjE4cDPn-ERdkgthjWin_mY5E6MS9v_g8KXbuCyIUbDCULRG81YVBnYYxJznemmE1-l2fOJQvjCY0UPIn8mIuPqu9rXqC3o8gmnV_NxhY4ZSAcY5ItBgnyiUDfxAS5y8UFlzZgr6/s1867/2021-10-24_10h38_31.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1081" data-original-width="1867" height="370" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjBQQuBGjE4cDPn-ERdkgthjWin_mY5E6MS9v_g8KXbuCyIUbDCULRG81YVBnYYxJznemmE1-l2fOJQvjCY0UPIn8mIuPqu9rXqC3o8gmnV_NxhY4ZSAcY5ItBgnyiUDfxAS5y8UFlzZgr6/w640-h370/2021-10-24_10h38_31.png" width="640" /></a></div><br /><div class="separator" style="clear: both; text-align: center;"><br /></div><br /><div class="separator" style="clear: both; text-align: center;"><br /></div>Decoding that block, we find it is a GIF (don't ask me to pronounce it, it will certainly divide my six viewers). The decoded bytes start with the text GIF89a (or GIF87a), which identifies the format before you bother rendering it. GIFs are usually not that interesting: animated arrows, progress bars and the like, to make the victim think something is happening. </div><div><div class="separator" style="clear: both; text-align: center;"><br /></div><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjuwymW246ewynwCEPJVQl8Wzf7C1QVEOa7GrHyuHOTCCAIB6GZUVxvruGMgVmZhCGPJTamGZw2rMTpWpB3RYrWB4U6BRMZRJUrBRJQOzVk9pu8kQxtTmCGzlh_2HjVKRahUD7wAbvEu6iP/s1900/2021-10-24_10h40_26.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="866" data-original-width="1900" height="292" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjuwymW246ewynwCEPJVQl8Wzf7C1QVEOa7GrHyuHOTCCAIB6GZUVxvruGMgVmZhCGPJTamGZw2rMTpWpB3RYrWB4U6BRMZRJUrBRJQOzVk9pu8kQxtTmCGzlh_2HjVKRahUD7wAbvEu6iP/w640-h292/2021-10-24_10h40_26.png" width="640" /></a></div><br /></div><div style="text-align: left;"><br /></div><div style="text-align: left;">The next section of the HTML contains a function to capture your credentials and POST them to the Phisher.</div><div style="text-align: left;"><br /></div><div style="text-align: left;">The code typically contains an email address validity check via regex.</div><div style="text-align: left;">The code also typically contains a hard-coded 'wrong password' error the first time you enter your password. </div><div style="text-align: left;"><br /></div><div style="text-align: left;">Both are there to weed out people who type rubbish-looking credentials to test whether the website is legitimate, and the forced retry has the side effect of collecting the password twice, which protects the Phisher against a typo.</div><div style="text-align: left;"><br /></div><div style="text-align: left;">Once you enter your password the second time, they usually take you to:</div><div style="text-align: left;">1. The Microsoft login page www.office.com, or</div><div style="text-align: left;">2. An error page, or</div><div style="text-align: left;">3. Something specific to the original email but not valid. </div><div style="text-align: left;"><br /></div><div style="text-align: left;">In this case the original phishing email claimed the victim had an important voicemail waiting for them. Once they had gone down the rabbit hole it took them to a website containing an MP3 of a voicemail!! The victim was left confused by a voicemail that had nothing to do with them, and assumed it must have been a wrong number.</div><div style="text-align: left;"><br /></div><div style="text-align: left;">But within minutes the account had been logged into using the stolen credentials, the phishing email had been hard-deleted by the Phisher to cover their tracks, and then came the account mayhem!</div><div style="text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiHrkPxmvkRRzaNMNWPulZm26HtrLBJKCOD5P26-bN-I3TrlVo9kTGuf1W7k07urvrjbp5rDrCbaHKKf2_Otf6tZlymf2UUVlAXW-dkbSeEohcbwx6lNeCvPOj85EaBmaU13yakcCf3UL7h/s2048/2021-10-24_10h49_06.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1148" data-original-width="2048" height="359" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiHrkPxmvkRRzaNMNWPulZm26HtrLBJKCOD5P26-bN-I3TrlVo9kTGuf1W7k07urvrjbp5rDrCbaHKKf2_Otf6tZlymf2UUVlAXW-dkbSeEohcbwx6lNeCvPOj85EaBmaU13yakcCf3UL7h/w640-h359/2021-10-24_10h49_06.png" width="640" /></a></div><br /><div style="text-align: left;"><br /></div><div style="text-align: left;"><br /></div><div style="text-align: left;">Now we need to get back to reality from these layers of encoding. 
</div><div style="text-align: left;"><br /></div><div style="text-align: left;">Hopefully this has given you an idea of the lengths Phishers will go to in obfuscating their intentions so they can slip into your mail without detection.</div><div style="text-align: left;"><br /></div><div style="text-align: left;"><p style="background-color: white; font-family: 'Trebuchet MS', Trebuchet, Verdana, sans-serif; font-size: 13.2px;">Until next time, the hexninja says:</p><p style="background-color: white; font-family: 'Trebuchet MS', Trebuchet, Verdana, sans-serif; font-size: 13.2px;"><i>Down the rabbit hole</i></p><p style="background-color: white; font-family: 'Trebuchet MS', Trebuchet, Verdana, sans-serif; font-size: 13.2px;"><i>Phishers encoding data</i></p><p style="background-color: white; font-family: 'Trebuchet MS', Trebuchet, Verdana, sans-serif; font-size: 13.2px;"><i>How low can you go</i></p></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgp8IBoomtBlo6bBrFHp1hi_qYcmVkz7yUtqPGS3dI4APvhPX7WVNe_BTThXJTrlEkktl9SC-Ymr9Dne_3vZ9tS9hOeU1NAlWcil2jLvsCCCNEjiD37wBuSP_dTDX72U5RyKBuYxX7-P8MJ/s1252/1122563.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="700" data-original-width="1252" height="358" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgp8IBoomtBlo6bBrFHp1hi_qYcmVkz7yUtqPGS3dI4APvhPX7WVNe_BTThXJTrlEkktl9SC-Ymr9Dne_3vZ9tS9hOeU1NAlWcil2jLvsCCCNEjiD37wBuSP_dTDX72U5RyKBuYxX7-P8MJ/w640-h358/1122563.jpg" width="640" /></a></div><br /><div style="text-align: left;"><br /></div></div>Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-2487515128006761905.post-34195426942326497252021-10-22T04:54:00.000-07:002021-10-22T04:54:11.878-07:00Shhh we're hunting Phishers... %50%68%69%73%68%69%6E%67 or UGhpc2hpbmc= <p>So the HexNinja has been spending a lot of time going Phishing. Well, more correctly, examining phishing emails and watching them evolve, doing their best to avoid spam detection while also gaining your confidence.</p><p>One of the questions I get asked is how the Phishing email got into our mail system without being flagged as malicious.</p><div class="separator" style="clear: both; text-align: center;"> <br /><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh41-UKrjrSHzyHoBh3YjtfAb1cHUsWmdgSKAGVpRSWDgNeCPzXSEWhktsFswTOdpZDucrmSo67iq2ta1Ek0L50JDJu3hmlhUXBMChGP2tR3NiJqI-iZpFFmVX8AmcaHsElKHXJlJzmrsjV/" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="411" data-original-width="249" height="356" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh41-UKrjrSHzyHoBh3YjtfAb1cHUsWmdgSKAGVpRSWDgNeCPzXSEWhktsFswTOdpZDucrmSo67iq2ta1Ek0L50JDJu3hmlhUXBMChGP2tR3NiJqI-iZpFFmVX8AmcaHsElKHXJlJzmrsjV/w215-h356/image.png" width="215" /></a><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiGDvODEWFyRuh6Ivs163H5UN_MVrDOh-z7ChEOansna3De8ifKgaa4epHrCM5YbhRlU5rmTMyAkn-tXaEOW9qkjABVKGfxckFGjgj1ieZb2nTVr7Z8k0g0s7PnZW886zDPO3QfVNaHws5H/" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="378" data-original-width="340" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiGDvODEWFyRuh6Ivs163H5UN_MVrDOh-z7ChEOansna3De8ifKgaa4epHrCM5YbhRlU5rmTMyAkn-tXaEOW9qkjABVKGfxckFGjgj1ieZb2nTVr7Z8k0g0s7PnZW886zDPO3QfVNaHws5H/" width="216" /></a></div></div><br /><br /><p>Besides the obvious issues of SPF, DKIM and DMARC (or the lack thereof), I am finding many phishing emails carrying htm attachments. 
</p><p>They always have a great title like <b style="font-style: italic;">Remittance #763.htm</b> or <i><b>Invoice #692.htm</b></i>, and if your job is to process payments and balance the books, and the email has come from a known contact that is a customer or supplier, then the motivation to open a htm attachment is high.</p><p>Examining the contents of these htm files, they don't look like human-readable HTML. To obfuscate their contents they rely on one, or a combination, of several encodings to hide their true intentions and to fool your email protection systems.</p><p>So armed with CyberChef <a href="https://gchq.github.io/CyberChef/" target="_blank">https://gchq.github.io/CyberChef/</a> we can begin experimenting with how the files are encoded.</p><p>The four main techniques I am seeing are:</p><ul style="text-align: left;"><li>URL encoding</li><li>Base64</li><li>Hexadecimal encoding</li><li>JavaScript packing</li></ul><div>In this first post I will look at URL and Base64 encoding.</div><div><div>In the second post I will look at hexadecimal encoding and JavaScript packing.</div><div><br /></div></div><div>The more difficult decodes involve a combination of these, but let's walk before we run.</div><div><br /></div><h2 style="text-align: left;">URL ENCODING</h2><div><br /></div><div>So we open the htm file in a text editor and see something like this:</div><div><div class="separator" style="clear: both; text-align: center;"><br /></div><div class="separator" style="clear: both; text-align: center;"><div class="separator" style="clear: both; text-align: center;"><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgxWumCFGcrBD7DXdD-Aev6p-ef9UGLAUHp-2nCwCZkswbs6cSBDWV5ECuHlaj4XUNBvuzF8oRK3lfVzFLYNPQshC64e5-j4sQ9P-XqyVfc3m5HlrbhZ-vil3qLrtV4J-UDd_XMbasOF_q7/" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="293" data-original-width="1706" height="110" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgxWumCFGcrBD7DXdD-Aev6p-ef9UGLAUHp-2nCwCZkswbs6cSBDWV5ECuHlaj4XUNBvuzF8oRK3lfVzFLYNPQshC64e5-j4sQ9P-XqyVfc3m5HlrbhZ-vil3qLrtV4J-UDd_XMbasOF_q7/w640-h110/image.png" width="640" /></a></div><br /><br /></div></div>We can see that the quoted block has been URL encoded and wrapped in the JavaScript decode function 'unescape'. </div><div><br /></div><div>URL (percent) encoding is the way URLs and web pages represent special characters, such as a space as %20. Normally only the special characters in a URL are encoded, but the same scheme can be applied to a whole string. Basically it converts the string to bytes, writes each byte as two hex digits and prefixes each byte with a %.</div><div><br /></div><div>Eg www.thehexninja.com would be </div><div><br /></div><div> %77%77%77%2e%74%68%65%68%65%78%6e%69%6e%6a%61%2e%63%6f%6d</div><p>Try pasting that string into your browser and it automatically resolves to www.thehexninja.com. (Only do that with a string you have already decoded and trust; for anything lifted from a phish, decode it in CyberChef or a script, because the browser will happily fetch whatever the string resolves to.)</p><p>We can get CyberChef to do the heavy lifting of URL decoding. 
We can copy the whole encoded block within the quotes and paste it into CyberChef using the URL Decode operation, as shown below.</p><div class="separator" style="clear: both; text-align: center;"><div class="separator" style="clear: both; text-align: center;"><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgQ3Mt8xFjwdy7ldbeKhGs1yHSID9PQC2ONycYYtUQaDnUOMkF3R4xjRNF7Wyu8FQb3SF4YAOBnzQNfpUXnZCKSD9ehq9pjZDUfPBdsj2USh0lSYwRe3svlIoqXeYpk78nM82x_7X-RDgoq/" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="1353" data-original-width="2048" height="422" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgQ3Mt8xFjwdy7ldbeKhGs1yHSID9PQC2ONycYYtUQaDnUOMkF3R4xjRNF7Wyu8FQb3SF4YAOBnzQNfpUXnZCKSD9ehq9pjZDUfPBdsj2USh0lSYwRe3svlIoqXeYpk78nM82x_7X-RDgoq/w640-h422/image.png" width="640" /></a></div><br /><br /></div></div><br />This renders to a simple embedded link, as shown below:<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEht1_SMv42DLw5UfWI9-Ey3cJRnEn_2N__Tp-1Lml5rHHEpjMQyvNL4xg4kx97Q35xOOwtiZ5uI5CFU_JbUE3UP_KVOGVkIfPG3UTJPcRBwuQoKkDgFZO4WSvp_i-7CJ2u9WOSGvbIr4trA/" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="417" data-original-width="1138" height="235" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEht1_SMv42DLw5UfWI9-Ey3cJRnEn_2N__Tp-1Lml5rHHEpjMQyvNL4xg4kx97Q35xOOwtiZ5uI5CFU_JbUE3UP_KVOGVkIfPG3UTJPcRBwuQoKkDgFZO4WSvp_i-7CJ2u9WOSGvbIr4trA/w640-h235/image.png" width="640" /></a></div><br /><p>So we can see how this simple technique can be used to evade basic mail scanners, especially if the embedded link itself is not obviously malicious, such as a OneDrive, Dropbox or SharePoint link, or a page on another website.<br /><br /></p><h2 style="text-align: left;">Base64 Encoding</h2><p>Sometimes the htm attachment contains Base64 encoded sections, typically images embedded as data URIs and prefixed with the image type, image/png or image/jpeg:</p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhYCba6xOTbbtnzXHmSFcCmTWtp7oawk9exu64j5K7bha4h9fRUG97RJgK6IVYMVoRuN7mwws00H8PMYUZl9q6OAEqViKWyuznVMnWwzXIjZbVO4PFUgn6Rt8WXscQKR_aqJCdlcPOhHhvd/" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="862" data-original-width="2428" height="229" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhYCba6xOTbbtnzXHmSFcCmTWtp7oawk9exu64j5K7bha4h9fRUG97RJgK6IVYMVoRuN7mwws00H8PMYUZl9q6OAEqViKWyuznVMnWwzXIjZbVO4PFUgn6Rt8WXscQKR_aqJCdlcPOhHhvd/w640-h229/image.png" width="640" /></a></div><br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi8rW9yqK5wxwMH-OE_sQ5mwqsaT5MsfxPHvjjcagb2i3lNv4ZpkF7P8deoUKS8ZmOk4kLtmoNlpsZAUxMV1qDz55PaUpzPyXDdGVkAWU-rrhG45ZukrJWisjs-TaF0492ewZnJqqWMeKzc/" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="731" data-original-width="2417" height="194" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi8rW9yqK5wxwMH-OE_sQ5mwqsaT5MsfxPHvjjcagb2i3lNv4ZpkF7P8deoUKS8ZmOk4kLtmoNlpsZAUxMV1qDz55PaUpzPyXDdGVkAWU-rrhG45ZukrJWisjs-TaF0492ewZnJqqWMeKzc/w640-h194/image.png" width="640" /></a></div><br />We can copy these encoded sections and paste them into CyberChef (From Base64):<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjUT3Cl_m0K9cgyiBwDC7yKNU7m3zjbQIcGAk-19k5vrQOTcH7G7W-OpvgvWTKwhQc08aecR1h-y44d6RbWXHKvkMFymWzImJ2K6MQYbbWf2HeSWyb7BKkbbrLXiPWmZso2Dgmu285PU_A9/" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="1323" data-original-width="2048" height="414" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjUT3Cl_m0K9cgyiBwDC7yKNU7m3zjbQIcGAk-19k5vrQOTcH7G7W-OpvgvWTKwhQc08aecR1h-y44d6RbWXHKvkMFymWzImJ2K6MQYbbWf2HeSWyb7BKkbbrLXiPWmZso2Dgmu285PU_A9/w640-h414/image.png" width="640" /></a></div><br />We can now paste the hex output into a hex editor and save it as a JPG <b>(image/jpeg)</b> or PNG <b>(image/png)</b>. The first bytes of the decoded data confirm the type regardless of what the data URI claims: a PNG starts with 89 50 4E 47 0D 0A 1A 0A and a JPEG with FF D8 FF. CyberChef's Render Image operation will also display the decoded bytes directly.<p>The first PNG image decodes to</p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjOWMa_4vZDavUEH04S0PMYlAYPa3vYMwNE0SH843ZXInDBvANbl8sPlPWYUVXdXycLDNCA_bPhjy7xsxHAf1SJLYuxiR1OPh2RQ9mCo5E55KhrV6Jk4M4FmcB0Ju8dKDep5tOcBKAZuGba/" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="132" data-original-width="125" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjOWMa_4vZDavUEH04S0PMYlAYPa3vYMwNE0SH843ZXInDBvANbl8sPlPWYUVXdXycLDNCA_bPhjy7xsxHAf1SJLYuxiR1OPh2RQ9mCo5E55KhrV6Jk4M4FmcB0Ju8dKDep5tOcBKAZuGba/" width="227" /></a></div><br /><br /><p>The second image is a JPG and renders as:</p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg3NwP5PrvOWg-XXHwK09oIKD6VFM8xXuH72j42d3yAOufjpuKEJqa7plCrqE1QLMB2UtmGOjZfvKRlzBo_iOKGzE2lGAyMNWzEw3QeevWFjzIHyZCA9HMdBdXgz4QqcCGqVRxcGZX7skTN/" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="1151" data-original-width="2048" height="360" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg3NwP5PrvOWg-XXHwK09oIKD6VFM8xXuH72j42d3yAOufjpuKEJqa7plCrqE1QLMB2UtmGOjZfvKRlzBo_iOKGzE2lGAyMNWzEw3QeevWFjzIHyZCA9HMdBdXgz4QqcCGqVRxcGZX7skTN/w640-h360/image.png" width="640" /></a></div><p><br /></p>The third image decodes to:<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhGwmFZyA0dTwm4xR-BykptFAftbdhe6g2hoyFt0hfhYVizbczI9V153epoRbch6yAX4Mhg9gCAKRrhnAH13smxMX2NhyphenhyphenrvOk47VtugCaGzFX4GM9sW4r9Yq2S1vv_fEIrIb8NRdLs14KpW/" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="1039" data-original-width="1107" height="375" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhGwmFZyA0dTwm4xR-BykptFAftbdhe6g2hoyFt0hfhYVizbczI9V153epoRbch6yAX4Mhg9gCAKRrhnAH13smxMX2NhyphenhyphenrvOk47VtugCaGzFX4GM9sW4r9Yq2S1vv_fEIrIb8NRdLs14KpW/w400-h375/image.png" width="400" /></a></div><br />The fourth image decodes to <div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiEIojYr32zp5C6nIkfZq3d9PF-ecm_6YtKP0hrEXkIntKslXa36tXCH9mJoI3v7eYxvWBMNT3bKOKTXaJeO2eRiJEeADRVKhk0zcXiDrOoedPWBhxbgXDDfOi6E8nbbj-wG-wrHO2yXAPI/" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="84" data-original-width="362" height="74" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiEIojYr32zp5C6nIkfZq3d9PF-ecm_6YtKP0hrEXkIntKslXa36tXCH9mJoI3v7eYxvWBMNT3bKOKTXaJeO2eRiJEeADRVKhk0zcXiDrOoedPWBhxbgXDDfOi6E8nbbj-wG-wrHO2yXAPI/" width="320" /></a></div><br /><br /><p>When these images are overlaid they appear as</p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjuaYvDABUCFLxcrQa9AVq0NWbckq8L7LtnKkqgC_CZ5mq_HMlhqVsJrtYwkGCczmcEo5SfB9vhQw9QAGn9Lxb0iOu2MMZcGwHmcRAogKAWgJT7YxebMtEiAeUfM8crZILApJbLibDXUazy/" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="1059" data-original-width="2048" height="331" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjuaYvDABUCFLxcrQa9AVq0NWbckq8L7LtnKkqgC_CZ5mq_HMlhqVsJrtYwkGCczmcEo5SfB9vhQw9QAGn9Lxb0iOu2MMZcGwHmcRAogKAWgJT7YxebMtEiAeUfM8crZILApJbLibDXUazy/" width="640" /></a></div><br /><br /><p>This is the classic spoofed Microsoft Office 365 login page. </p><p>Hiding beneath the enticing image is the code that takes the username and password from the form and submits them in a POST to a Google Form, capturing the victim's credentials. </p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhZoUf3U3ORN3WjHUwX-hmgSt-dCX6N1damBEX8QJ2ipE5SOQtW3TCJ3SytQapNcdQKUayt6sy7durzOK5jxKRtq4nOghKkPACNq1-BI9piNqkUSYm-BuSmaLrhxueSPuIlap92VcKp5ybu/" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="609" data-original-width="1538" height="254" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhZoUf3U3ORN3WjHUwX-hmgSt-dCX6N1damBEX8QJ2ipE5SOQtW3TCJ3SytQapNcdQKUayt6sy7durzOK5jxKRtq4nOghKkPACNq1-BI9piNqkUSYm-BuSmaLrhxueSPuIlap92VcKp5ybu/w640-h254/image.png" width="640" /></a></div><br /> <p>Until next time, the hexninja says:</p><p><i>Stop Sneaky Phishers!</i></p><p><i>Encoding to Hide Data</i></p><p><i>Never Trust The Phish</i></p><p><br /></p><p><br /></p>Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-2487515128006761905.post-40780187943231505022021-04-18T23:03:00.001-07:002021-04-18T23:03:44.602-07:00Getting hashes to Virus Total from an Isolated Virtual Machine
<div><br /></div>Sometimes when I am testing in a Virtual Machine (VM) I really lock down the isolation. <div><br /></div><div>No shared folders. </div><div><br /></div><div>No bidirectional clipboards. </div><div><br /></div><div>No network. </div><div><br /></div><div>I may be paranoid, but it is 'mildly discomforting' to watch malware (ransomware) under test encrypt your shared folder and then see your host AV or Bitdefender start to lose it with virus detections. </div><div><br /></div><div>This usually doesn't happen, but when it does you can have a cold-sweat moment wondering whether the malware has somehow jumped to a shared folder and is doing what it does best. It is normally just a detection of the encrypted file or ransom note, but once I have transferred the files for testing it is a good idea to check and double-check your isolation. </div><div><br /></div><div>At a first pass, when looking at suspected malware DLL or EXE files, I like to upload the hash or the suspicious files to Virus Total or Hybrid Analysis:</div><div><br /></div><div>https://www.virustotal.com/gui/home/search</div><div><br /></div><div>OR</div><div><br /></div><div>https://www.hybrid-analysis.com/</div><div><br /></div><div><br /></div><div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgfIFOY2RjXJKCRxDbhBDVzVt-eEaxz7OAxwUswPetPwkQRTWceDl2EoBOzjlCDU41KRpDb1dQ7XmT0VtPA99yOcaIbzqoqEHLmzrF1JjNwkE-w9P6NgkcYGhFtVmwgu2vo3POouOWZ4V4-/" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="1059" data-original-width="1347" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgfIFOY2RjXJKCRxDbhBDVzVt-eEaxz7OAxwUswPetPwkQRTWceDl2EoBOzjlCDU41KRpDb1dQ7XmT0VtPA99yOcaIbzqoqEHLmzrF1JjNwkE-w9P6NgkcYGhFtVmwgu2vo3POouOWZ4V4-/" width="305" /></a></div><div class="separator" style="clear: both; text-align: center;"><br /></div><div 
class="separator" style="clear: both; text-align: center;"><br /></div><div class="separator" style="clear: both; text-align: center;"><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj3y0YlHTId5Ooe83hU779DkOIyrfdmpUQRkvcDrGVRjipWZYCjIZFYhNtby22zSxTEoN8zaMOUauTtg6HOypZFcubIeVZaJQQQJyVrrCPMTBodu9NfHjULl47Su3nV590HK1c1hlzGYmcb/" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="1032" data-original-width="1533" height="215" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj3y0YlHTId5Ooe83hU779DkOIyrfdmpUQRkvcDrGVRjipWZYCjIZFYhNtby22zSxTEoN8zaMOUauTtg6HOypZFcubIeVZaJQQQJyVrrCPMTBodu9NfHjULl47Su3nV590HK1c1hlzGYmcb/" width="320" /></a></div></div><br />However, with an isolated system I am also limited in how I can check the hash: I can't copy it across from the VM guest to the host or check it directly in a browser, because I have isolated my VM. </div><div><br /></div><div>During this last year of Covid-19 I have used more QR codes than I ever have, so I had the thought to create a script that calculates the hash and generates a QR code embedding the hash in the URL, so that it redirects to a prefilled Virus Total or Hybrid Analysis lookup. 
</div><div><br /></div><div>The script can then show the QR code on the screen, and I can capture it from the host or even use a mobile phone to scan the QR code straight into a browser.</div><div><br /></div><div>Normally I code in Python, but I thought I would punish myself and see if I could do it in both Python 3 and C#.</div><div><br /></div><h2 style="text-align: left;">Python 3 </h2><div>The Python code uses a QR code generating library, <b>pyqrcode</b>, and the <b>hashlib</b> library.</div><div><br /></div><div>These can be installed using pip: </div><div><br /></div><div>https://pypi.org/project/PyQRCode/</div><div>https://pypi.org/project/hashlib/</div><div><br /></div><div><b>>pip install PyQRCode</b></div><div><b>>pip install hashlib</b></div><div><b><br /></b></div><div>The general functional flow is: </div><div>1. Get the filename from the argument</div><div>2. Calculate the SHA256 hash</div><div>3. Append the SHA256 hash to the URL string, i.e. 'https://www.virustotal.com/gui/file/' + sha256_hash</div><div>4. Generate and display the QR code of this URL</div><div><br /></div><div>The Python script is called from the command line with the suspect file as its argument:</div><div><b>> python3 qrcode_gen.py c:\abc.exe</b></div><div><b><br /></b></div><div style="text-align: left;"><br /></div><!--HTML generated using hilite.me--><div style="background: rgb(39, 40, 34); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;">import pyqrcode
import argparse
import hashlib
import os

BUF_SIZE = 1048576  # read the file in 1 MiB chunks so large samples do not fill memory


def calc_hashes(filename):
    """Return the upper-case MD5 and SHA-256 hex digests of a file."""
    md5 = hashlib.md5()
    sha256 = hashlib.sha256()
    with open(filename, 'rb') as fp:
        while True:
            data = fp.read(BUF_SIZE)
            if not data:
                break
            # feed each chunk to both hashers
            md5.update(data)
            sha256.update(data)
    return md5.hexdigest().upper(), sha256.hexdigest().upper()


# input file to create sha256 hash
parser = argparse.ArgumentParser()
parser.add_argument('filename')
args = parser.parse_args()
md5_hash, sha256_hash = calc_hashes(args.filename)
vt_url = 'https://www.virustotal.com/gui/file/' + sha256_hash
print(vt_url)
qr = pyqrcode.create(vt_url)
qr.show()  # opens the QR image in the default image viewer
</pre></div>
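<div>As an added example (not the blog's own script, and not the C# program either), here is the same hash-then-lookup workflow written with only the Python standard library (hashlib ships with Python 3, so nothing needs installing), which suits an isolated VM. It streams the file through MD5, SHA-1 and SHA-256 in a single pass (the update call inside the read loop is the step that must not be skipped), refuses to build a URL from anything that is not a 64-character hex digest, and adds the receiving-side check: before the host machine opens a URL scanned from a QR code, it confirms the scheme and host are the expected lookup service and pulls the digest back out. The Hybrid Analysis search URL layout and the allowed-host list are assumptions made for this example; rendering the QR image is left to pyqrcode or ZXing as in the post.</div>

```python
"""
Added example (not the blog's script): stream-hash a suspect file, build the
lookup URLs a QR code would carry, and check a scanned URL on the receiving
side. Standard library only, so it runs inside an isolated VM.
"""
import hashlib
import os
import re
import sys
import tempfile
from urllib.parse import urlsplit

CHUNK_SIZE = 1024 * 1024  # 1 MiB per read keeps memory flat on large samples
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")

# URL layouts the QR code will carry. The VirusTotal one is what the post
# uses; the Hybrid Analysis search path is an assumption for this example.
LOOKUP_TEMPLATES = {
    "virustotal": "https://www.virustotal.com/gui/file/{sha256}",
    "hybrid-analysis": "https://www.hybrid-analysis.com/search?query={sha256}",
}
# Hosts a scanned URL may point at before the host machine opens it
# (assumed allow-list for this example).
ALLOWED_HOSTS = {"www.virustotal.com", "www.hybrid-analysis.com"}


def hash_file(path, chunk_size=CHUNK_SIZE):
    """Return {'md5', 'sha1', 'sha256'} lower-case hex digests, reading in chunks."""
    hashers = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    with open(path, "rb") as fp:
        while True:
            data = fp.read(chunk_size)
            if not data:
                break
            for h in hashers.values():
                h.update(data)  # every chunk must be fed in, or the digest is of nothing
    return {name: h.hexdigest() for name, h in hashers.items()}


def lookup_urls(sha256):
    """Build the lookup URLs for a SHA-256, refusing anything but 64 hex characters."""
    sha256 = sha256.lower()
    if not SHA256_RE.match(sha256):
        raise ValueError("not a SHA-256 hex digest: %r" % sha256)
    return {name: tmpl.format(sha256=sha256) for name, tmpl in LOOKUP_TEMPLATES.items()}


def sha256_from_scanned_url(url):
    """Receiving side: return the SHA-256 carried by a scanned URL, or None when
    the URL is not https, not one of the expected services, or has no digest."""
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.hostname not in ALLOWED_HOSTS:
        return None
    found = re.findall(r"[0-9a-fA-F]{64}", parts.path + "?" + parts.query)
    return found[0].lower() if found else None


def make_sample_file(content):
    """Write constructed bytes to a temp file and return its path (sample input)."""
    fd, path = tempfile.mkstemp(prefix="qr_hash_sample_")
    with os.fdopen(fd, "wb") as fp:
        fp.write(content)
    return path


if __name__ == "__main__":
    # Hash the file given on the command line, or a constructed 3-byte sample.
    target = sys.argv[1] if len(sys.argv) > 1 else make_sample_file(b"abc")
    digests = hash_file(target)
    for name, value in digests.items():
        print("%-7s %s" % (name, value))
    for service, url in lookup_urls(digests["sha256"]).items():
        print("%-16s %s" % (service, url))  # this string is what the QR encoder gets
```

<div>Run it with a file path as the only argument, or with no argument to hash a constructed three-byte sample. The printed lookup URL is exactly the string that would be handed to the QR encoder, and sha256_from_scanned_url is what the host-side script (or whatever reads the phone's scan) should apply before the URL is opened.</div>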
<div style="text-align: left;">This QR code image will pop up in the image viewer and we can capture it with a phone camera app or QR code scanner.</div><div><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjcX0xcAV6EFqb5cgDBEXXOKwpDEgaw_esY5HrZ48yCjtcf1KCLmLEZzfFowvOfvJIhBjOli9gVVYs_rNXDDTTwLBsW14X2ll9aLOcAoQaXZ9E8Pc2YI3YP3_g_PL2dng7T3paCBQ94YQE_/s1756/2021-04-19_15h37_59.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1756" data-original-width="1388" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjcX0xcAV6EFqb5cgDBEXXOKwpDEgaw_esY5HrZ48yCjtcf1KCLmLEZzfFowvOfvJIhBjOli9gVVYs_rNXDDTTwLBsW14X2ll9aLOcAoQaXZ9E8Pc2YI3YP3_g_PL2dng7T3paCBQ94YQE_/s320/2021-04-19_15h37_59.png" /></a></div><div><br /></div><div style="text-align: left;">The linked URL then opens, and we can see that this sample was WannaCry malware.</div><div><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhclqbCZ1Ey7aQUC4twp22Y3Qq9_pGxyH9rTEzLX-efZMsDrOZKv989kcJqBylGbAyjPwBcUT_n_7MedXMijHE0WL33e06qB6TFgYpPNJQCoAOe6a-SfLd1SOTFVNXIPzli1Tu6vALKGOk-/s1498/2021-04-19_15h40_46.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1498" data-original-width="1022" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhclqbCZ1Ey7aQUC4twp22Y3Qq9_pGxyH9rTEzLX-efZMsDrOZKv989kcJqBylGbAyjPwBcUT_n_7MedXMijHE0WL33e06qB6TFgYpPNJQCoAOe6a-SfLd1SOTFVNXIPzli1Tu6vALKGOk-/s320/2021-04-19_15h40_46.png" /></a></div><div><br /></div><h2 style="text-align: left;">C#</h2><div>The C# program uses two libraries: System.Security.Cryptography to calculate the hashes and ZXing to create the QR code.</div><div><br /></div><div>Unlike the Python version, this C# program requires a location to store the image, which we pass to it on the command line. A memory-only version is underway but it is a little more complicated.</div><div><br /></div><div><b>>qr_hash.exe C:\tmp\123.txt C:\tmp\123.jpg</b></div><div><br /></div><div>The workflow is much the same as the Python version, except that it saves the QR image as a JPG and then uses a shell process to open the image in the default image viewer.</div><div><br /></div><div><br /><!--HTML generated using hilite.me--><div style="background: rgb(39, 40, 34); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;">using System;
using System.Security.Cryptography;
using System.IO;
using ZXing;
using System.Drawing;
using System.Diagnostics;

namespace QR_Hash
{
    class Program
    {
        static void Main(string[] args)
        {
            if (args.Length == 2)
            {
                string filenpath = args[0];
                string imagepath = args[1];
                string hash_string;
                if (File.Exists(filenpath) == true)
                {
                    // SHA-256 of the suspect file as lower-case hex
                    using (var sha256 = SHA256.Create())
                    {
                        using (var stream = File.OpenRead(filenpath))
                        {
                            var hash = sha256.ComputeHash(stream);
                            hash_string = BitConverter.ToString(hash).Replace("-", "").ToLowerInvariant();
                        }
                    }
                    // Render the VirusTotal lookup URL as a 400x400 QR code
                    var QCwriter = new BarcodeWriter();
                    QCwriter.Format = BarcodeFormat.QR_CODE;
                    QCwriter.Options = new ZXing.Common.EncodingOptions
                    {
                        Width = 400,
                        Height = 400
                    };
                    string vt_url = "https://www.virustotal.com/gui/file/" + hash_string;
                    var result = QCwriter.Write(vt_url);
                    // Print the URL beneath the code so it can also be typed by hand
                    using (var g = Graphics.FromImage(result))
                    using (var font = new Font(FontFamily.GenericMonospace, 8))
                    using (var brush = new SolidBrush(Color.Black))
                    using (var format = new StringFormat() { Alignment = StringAlignment.Center })
                    {
                        int margin = 5, textHeight = 30;
                        var rect = new RectangleF(margin, result.Height - textHeight,
                                                  result.Width - 2 * margin, textHeight);
                        g.DrawString(vt_url, font, brush, rect, format);
                    }
                    result.Save(imagepath);
                    // Open the saved image in the default image viewer
                    var p = new Process();
                    p.StartInfo = new ProcessStartInfo(imagepath)
                    {
                        UseShellExecute = true
                    };
                    p.Start();
                }
            }
        }
    }
}
</pre></div><br /></div><div>This C# version also adds a URL link at the bottom of the image. </div><div><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhWGQbIaxB75MWQtwLh9kypAphktCn_nAXzDPeZGn5bTIXwAyGarRu350fiT8VB8GvsKsxeUE9jPkuxyKvxgDTGYp-DsLuqsi91V9PAoNOmG-YYgX2X8AIp_OF4HHL3DwPZb5ExmIH6HV6N/s701/2021-04-19_15h32_44.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="672" data-original-width="701" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhWGQbIaxB75MWQtwLh9kypAphktCn_nAXzDPeZGn5bTIXwAyGarRu350fiT8VB8GvsKsxeUE9jPkuxyKvxgDTGYp-DsLuqsi91V9PAoNOmG-YYgX2X8AIp_OF4HHL3DwPZb5ExmIH6HV6N/s320/2021-04-19_15h32_44.png" width="320" /></a></div><br /><div>So there you have it, 2 basic programs to help you get the hash out of a VM via the screen. Noice!</div><div><br /></div><div>As the hex ninja says:</div><div><br /></div><div><i>Finding malware now,</i></div><div><i>Is easy with QR codes,</i></div><div><i>Keep safe from malware </i></div><div><br /></div><div><br /></div>Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-2487515128006761905.post-44064943098335942952020-10-10T20:30:00.003-07:002020-10-10T20:30:40.380-07:00<h1 style="text-align: center;">Capturing Windows Memory</h1><p>It has been a while since my last post. Changing jobs pointed me in a different direction for a while, but as George and Frank Costanza would say, 
"I'm back baby!"</p><div class="separator" style="clear: both; text-align: center;"><img border="0" data-original-height="1066" data-original-width="1086" height="257" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEirnip_ZW-XsyP3eZXH8nZO1oVJwsnII9CkKTb_wOD3VsukKIMcHu8meAfUd1Z0hBrg9g09tqwcATNP1qUbKtoBJnQZNrQnbervAGbnU1XnysBMoUh2ynaHBXJKDqY3snVPf_ZhE0-7yagU/w262-h257/Screen+Shot+2020-10-11+at+10.10.03+am.png" width="262" /></div><p><br /></p><p>I recently had to look into Windows memory capture to do some offline analysis of running processes.</p><p>My normal 'go-to' tool for taking a forensic image and memory capture is FTK Imager. It is pretty robust and ninja proof. </p><p>You can copy the install directory to an external USB and it will run nicely as a portable version. When we run it, it obviously loads into memory, and so it will be present when we capture the system memory.</p><p>I started to wonder whether there were any other tools that could do memory analysis, and to compare some of their features, such as: </p><ol style="text-align: left;"><li>Memory footprint - smaller and fewer processes is better</li><li>Portable - I don't really want to install it on the system in question</li><li>Fast - memory capture is often the first stage of an incident response, so I want it to be fast</li><li>Access privilege required - do I need to be admin, or can I run it as a least-privilege user?</li><li>Stand alone - do I need to buy the whole forensic suite, or can I just get the memory capture tool?</li><li>Price - gratis is good, but a low-cost good tool is OK too.</li><li>Ease of use - I don't want to fumble in the field with pesky undocumented command line switches.</li></ol><p>While there have been numerous blogs on some of the available tools, I was mainly interested in the footprint and speed. 
Since the tool itself has to be loaded into memory, the risk is that some of the data of interest gets pushed out before it is captured.</p><p>After some quick browsing it seems the current options are (in no order of preference):</p><ol style="text-align: left;"><li>FTK Imager</li><li>Belkasoft</li><li>Magnet RAM</li><li>Process Hacker</li><li>Winen</li><li>MDD</li><li>Mandiant Memoryze</li><li>WindowsSCOPE</li><li>WinPmem</li><li>Dumpit</li></ol><div>The next step was to see if my google fu was able to find the memory capture applications, as some of these have dropped on and off hosting sites. </div><div><br /></div><h3 style="text-align: left;">FTK Imager</h3><div>Used for forensic imaging and live viewing of disks, but can also do memory capture.</div><div>Has the option to capture pagefile.sys at the same time, which is nice.</div><div>It does require you to install it first (not on your target machine) and then copy the install directory to a USB for portable use. </div><div><br /></div><div>Time: 2m:37s</div><div>Memory: 11.6MB</div><div><div class="separator" style="clear: both; text-align: center;"><div class="separator" style="clear: both; text-align: center;"><img alt="" data-original-height="883" data-original-width="774" height="360" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg9chc2YRolwYwiIB2qIwy7VLXZrZtEQlJkauW-LDRGUjnrg9G5B5jcctfv93-GpoMs0svdDLcahTAZoTyoPOD4oQogKRumI-EBGeBtHhVASR7XVYoCRWKxk194J-CQcmXSEGikO8MeZsk_/w315-h360/image.png" width="315" /></div><div class="separator" style="clear: both; text-align: center;">Install Directory of FTK Imager</div><div class="separator" style="clear: both; text-align: center;"><br /></div><div class="separator" style="clear: both; text-align: center;"><div class="separator" style="clear: both; text-align: center;"><img alt="" data-original-height="558" data-original-width="975" height="282" 
src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjhcYWsjFbwBWjWCtrNmASfAr2Otzi_qj05YFXh20XuueygwkbLazHua9qP9AsRsH-uqEr1EnU-sGRib1U5JZ9ZVSLCgUFlL32mx84bgfmEprnxZyMPbU5MSDOzdKPrsWgx9eIIFX8qUc4v/w493-h282/image.png" width="493" /></div><div class="separator" style="clear: both; text-align: center;">FTK Imager GUI</div><div class="separator" style="clear: both; text-align: center;"><br /></div><div class="separator" style="clear: both; text-align: center;"><div class="separator" style="clear: both; text-align: center;"><img alt="" data-original-height="355" data-original-width="398" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEheTcjpLevw-3zWIt0756R_UULLaOLtXlFZHyvijyk3KlqUMHiVMskktStIUazZkViK2R-7Uqm__TmR2f6fZDvC4PWLukuhJ7CV9SETMdN0A-5iLRIMgvbKFwEVaxJ2kgdZcUeIT3U-4hb2/" width="269" /></div><div class="separator" style="clear: both; text-align: center;">FTK Imager GUI options</div><div class="separator" style="clear: both; text-align: center;"><br /></div><div class="separator" style="clear: both; text-align: center;"><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgTWvH0-P2EwRzPOwD9Bjlp7UES3Nl-WvMzJ8Tl6oCci1zcM6_WWGWHSKav-0eAfFlkmNirOfMYTd9gv2Lz4MkCIid1bNRUrM40NQ8dqNuoA84rKrjGeEa1J-VVtCqfoZ8ot0QxinrvF2Ew/" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="90" data-original-width="948" height="53" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgTWvH0-P2EwRzPOwD9Bjlp7UES3Nl-WvMzJ8Tl6oCci1zcM6_WWGWHSKav-0eAfFlkmNirOfMYTd9gv2Lz4MkCIid1bNRUrM40NQ8dqNuoA84rKrjGeEa1J-VVtCqfoZ8ot0QxinrvF2Ew/w565-h53/image.png" width="565" /></a></div><div class="separator" style="clear: both; text-align: center;">FTK Imager Memory Footprint</div><br /><br /></div></div></div></div></div><h3 style="text-align: left;">Belkasoft - RAM-CAPTURER</h3><div>Simple to use from a USB.</div><div>Time: 2m:22s</div><div><div>Memory: 
7.7MB.</div></div><div><br /></div><div><div class="separator" style="clear: both; text-align: center;"><img alt="" data-original-height="169" data-original-width="806" height="67" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi8adxUMmD9zqFqRgb6DOM6ma4PaA2SkqwlksfPkgM99SJCoWHaJz6-1gy4WRypmE4p-jKqyADZAde-DDmdx_iwdZBmSwMXEl4kk2Wfla6RwUhoEW6kEN94h2SyY7ex-UrVw2Xvm0KDTZ7E/" width="320" /></div><div class="separator" style="clear: both; text-align: center;">Belkasoft RAM Capturer Install directory</div><br /><br /></div><div><br /></div><div><div class="separator" style="clear: both; text-align: center;"><img alt="" data-original-height="346" data-original-width="668" height="166" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhZ6DyXmg9dVxQfafKiccbffz_HxgtHjIAbPcqulF_RhiVnTiopdUfT1MdoW_rsRGx8qUpoiKGZ9ZcNE6BG4bQ8aueX4iO-Qy8wgUlO-ZL4n9-Ivh6j172Em5wY3642hddVF_m08p4TZ-QU/" width="320" /></div><div class="separator" style="clear: both; text-align: center;">Belkasoft RAM Capturer GUI</div><div class="separator" style="clear: both; text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: left;"><div class="separator" style="clear: both; text-align: center;"><img alt="" data-original-height="91" data-original-width="1012" height="55" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgOZlnE8G-de0ppDzSL3zq6o2P1AB4WlhFyvgYOJDVYQbC1lpHQjQps3OQ_pnhMis-YcTvkxvc5u-kdNS3mI8l4ghAv-a9jBDR3VnQo5eUsyzAVfu6r2buimPDRYIjd0n3fNc8JqwC66Hve/w609-h55/image.png" width="609" /></div><div class="separator" style="clear: both; text-align: center;">Belkasoft RAM Capturer Memory Footprint</div><div class="separator" style="clear: both; text-align: center;"><br /></div><h3 style="clear: both; text-align: left;">Magnet - RAM</h3><div class="separator" style="clear: both; text-align: left;">Has the option to segment but otherwise pretty straightforward.</div><div class="separator" style="clear: both; text-align: left;">Time: 
4m:01s</div><div class="separator" style="clear: both; text-align: left;">Memory: 6.8MB</div><div class="separator" style="clear: both; text-align: left;"><br /><br /><div class="separator" style="clear: both; text-align: center;"><img alt="" data-original-height="114" data-original-width="632" height="84" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgdQ9-_dxE7Bu9sqh_nO0d616SYAdF_Vr1PF_1CEDASBLbn7Kr9vMG9EQX89-Ul-iFgRRIyolRnRyl9L_7IT4YB2QkEJ8SHUe1o7r6ZLuFPAGf_tvuwMcaMgTfsUVLocmPgGxw-NUf_KkMO/w464-h84/image.png" width="464" /></div><div class="separator" style="clear: both; text-align: center;">Magnet RAM Install Directory</div></div><div class="separator" style="clear: both; text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: left;"><div class="separator" style="clear: both; text-align: center;"><div class="separator" style="clear: both; text-align: center;"><img alt="" data-original-height="336" data-original-width="727" height="148" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgXsmoL3LBKK6KtnrE3Fsih6lC8ptS3judoBD920LGgaS01LG21zzCKUqtqHm0UnDevb3AMx3A8mCw-oCZRKlmyTUdTpa6yQlO86elheRlEGpujawwTeQyhKWVn59hhymwBq0fIjV84CffH/" width="320" /></div><div class="separator" style="clear: both; text-align: center;">Magnet RAM GUI</div><div class="separator" style="clear: both; text-align: center;"><br /></div><div class="separator" style="clear: both; text-align: center;"><div class="separator" style="clear: both; text-align: center;"><img alt="" data-original-height="78" data-original-width="1000" height="49" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh9mxEpL5kR36jHvj9EI1rMQs1hyqVxMwuxZfdRF465ZG9m7WthCZSd5g9Y4GY969C9hdhosTM7CZ172kfbcMDBJEP9kNXuV1VGguXCVE5vJgUpkuXP6Rp1XRpsuiLXyp51cc0uosovInJN/w628-h49/image.png" width="628" /></div><div class="separator" style="clear: both; text-align: center;">Magnet RAM Memory Footprint</div><div class="separator" style="clear: both; text-align: 
center;"><br /></div></div><h3 style="text-align: left;">Process Hacker</h3><div style="text-align: left;">While this is a powerful tool it is more granular than required and probably better for live analysis as it allows you to inspect individual processes and dump the memory used by them but not a total memory dump.</div><div style="text-align: left;"><br /></div><div style="text-align: left;"><div class="separator" style="clear: both; text-align: center;"><img alt="" data-original-height="206" data-original-width="771" height="121" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh7K7k8_ct5cjkUK9OJchYMAaDzLqAU-e0wqlFJnrDVUMG9Ub6Tt4godaXbgTq4R0rkwvw_FDQG_k_Qui53cuyre0GXiAluHzSrf1hkHvZ2XEQJWoUYeZIvYMbjHYWmLag1eodbBoq4TJtg/w455-h121/image.png" width="455" /></div><div class="separator" style="clear: both; text-align: center;">Process Hacker Install directory</div><div class="separator" style="clear: both; text-align: center;"><div class="separator" style="clear: both; text-align: center;"><br /></div><div class="separator" style="clear: both; text-align: center;"><div class="separator" style="clear: both; text-align: center;"><img alt="" data-original-height="463" data-original-width="975" height="152" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhX5i-j02P0k36JDzoS37GK5L4pKp_uE-UYnmPHl0LSLH7KH7KmtacGXs184xjVw9ZNS22nHmgBj4-RC-V_1mfyuewVRmNYa-CwoGdjUEhwueSu_Rlk90_61QyHBtA7zxm47k6opweL0O89/" width="320" /></div><div class="separator" style="clear: both; text-align: center;">Process Hacker GUI</div><div class="separator" style="clear: both; text-align: center;"><br /></div><div class="separator" style="clear: both; text-align: center;"><img alt="" data-original-height="64" data-original-width="988" height="41" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiPi1EcFXNLYlgdmtJWPpqmLB56aNx-z7s2KJI8zgE4LOQ_azCToefpVcfIywdsiuVgQAK4Jd6ONw9i2oTE1LkL2BAbBNs0ud8OAS-Te88V2DWaoCd1Mff0ZznAeSe3eOWYLvasA08oYy9f/w626-h41/image.png" 
width="626" /></div><div class="separator" style="clear: both; text-align: center;">Process Hacker Memory Footprint</div><div class="separator" style="clear: both; text-align: center;"><br /></div><br /><h3 style="clear: both; text-align: left;">MDD</h3><div style="text-align: left;">I couldn't get this to work successfully. 😢</div><div style="text-align: left;"><br /></div><div style="text-align: left;"><div class="separator" style="clear: both; text-align: center;"><img alt="" data-original-height="251" data-original-width="772" height="104" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiFDdApXtH6yBvFfHG8lQDyQTGZ_-2Y_igHn7CiScvDst6B8TBqQtRiIRHTQfDNbC19IliXgfv6PLKfThjh0VmLbnADr3kcEAXczik-kEM3WUWLsdmphFIXMTIOOakPUMgXGLy9SqPMqLT3/" width="320" /></div><br /> </div><h3 style="text-align: left;">Mandiant Memoryze</h3><div style="text-align: left;">This downloads as an MSI installer, but it can be run from a USB drive without installing it on the host by using msiexec's administrative install option to extract it onto the USB drive.</div><div style="text-align: left;"><br /></div><div style="text-align: left;">msiexec /a E:\Download\\MemoryzeSetup3.0.msi /qb TARGETDIR=E:\Memory_Acquisition\Mandiant_memoryze</div><div style="text-align: left;"><br /></div><div style="text-align: left;">It doesn't appear to be supported after Windows 7, so testing of this one is on hold.</div><div style="text-align: left;"><br /></div><h3 style="text-align: left;">WindowsSCOPE</h3><div style="text-align: left;">This requires a $1 registration to try it, but looking at the cost of $7,699 for a single year, I decided not to pursue this. </div><h3 style="text-align: left;">DumpIt</h3><div style="text-align: left;">This app disappeared for a while and I was very keen to test it. A new version came back via the author Matt Suiche at <a href="https://my.comae.com">https://my.comae.com</a>, but even though I created an account I could never log in and got a "Failed to Fetch" error when trying.
If anyone has tested a newer version let me know.</div><div style="text-align: left;"><br /></div><div style="text-align: left;">I did find an older version that ran fine. <a href="https://github.com/thimbleweed/All-In-USB/blob/master/utilities/DumpIt/DumpIt.exe" target="_blank">https://github.com/thimbleweed/All-In-USB/blob/master/utilities/DumpIt/DumpIt.exe</a></div><div style="text-align: left;"><br /></div><div style="text-align: left;">It does a capture in place, so if you run it from an external USB drive make sure it is big enough for the capture, as it doesn't allow you to select a destination location. </div><div style="text-align: left;"><br /></div><div style="text-align: left;">Time: 2m:34s</div><div style="text-align: left;">Memory: 7.1MB</div><div style="text-align: left;"><div class="separator" style="clear: both; text-align: center;"><img alt="" data-original-height="128" data-original-width="793" height="83" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhE6puedtykxcJBqenocZp5ichO49PX_H4M1G4Sgypcuk2lc5RDUCIf7ioHiIZESEIYHJwWVca_y3lA_W2LDT50_i-BFuxOG2P9cFMzueZzIY56yVy45oiIsGBAPGJiEFfDpN-MgtLxLHJf/w512-h83/image.png" width="512" /></div><div class="separator" style="clear: both; text-align: center;">DumpIt Install Directory</div><br /><br /></div><div style="text-align: left;"><div class="separator" style="clear: both; text-align: center;"><img alt="" data-original-height="246" data-original-width="636" height="124" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEheQivxCPysmad7BceEsgcO_Ur1acVR0J_VZOAHua4ebvDJMcbAI7jq6wrqsD4Ie3z60JwIGPBtPd0W1P7MabHGQ7lc2wrQw8KYUObR-O6ov31bdcFGY79dYAOTmFju-N1t5L_TzRC1i1Sn/" width="320" /></div><div class="separator" style="clear: both; text-align: center;">DumpIt command line</div><div class="separator" style="clear: both; text-align: center;"><br /></div><div class="separator" style="clear: both; text-align: center;"><div class="separator" style="clear: both; text-align: center;"><img alt=""
data-original-height="97" data-original-width="950" height="73" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgwJKYbj98Iv9kKgsId98RlcfdPOSVucQk288P8T65icZZpKhk5CUf9OudLzgLn1tqJgGICsxt5pUIJ4DUbTuhfyI8FjZHXPcZ7l3YWFp71PbuLBqPyf2LsGY1Lniz3RcG3RsAi2itQrTqo/w710-h73/image.png" width="710" /></div>DumpIt Memory Footprint<br /><br /></div></div></div><br /><h3 style="text-align: left;">Testing Summary</h3><div style="text-align: left;">So the major features I was looking for were a small footprint, ease of use and speed. The table below shows a summary of the four tools that met our needs.</div><div style="text-align: left;"><br /></div><div style="text-align: left;"><div class="separator" style="clear: both; text-align: center;"><div class="separator" style="clear: both; text-align: center;"><img alt="" data-original-height="150" data-original-width="508" height="140" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgEaXneZxoYfwEpWiksKn8h_EPaF2ZsTvGUAqVOrUl6EpgU56GS8Unvgpkb1fMKwEP5eKrwFwwgRfNXBCkR9WHG0O9P9aSmXRoTxzBISaDY0PDPvbsge855yrJBwivsT1vZuCSQMnQUSR3h/w478-h140/image.png" width="478" /></div><br /><br /></div><div class="separator" style="clear: both; text-align: center;"><br /></div><div class="separator" style="clear: both; text-align: left;">For speed, Belkasoft is slightly faster on my DELL laptop, but it will depend on the system you are running it on. </div><div class="separator" style="clear: both; text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: left;">Magnet RAM has the smallest footprint at 6.8MB.</div><div class="separator" style="clear: both; text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: left;">FTK Imager is also fast, with a slightly larger footprint, but it has more than just RAM capture functionality.
It can also forensically acquire hard drives, so if I also wanted to take a forensic disk image or forensically copy files it may be easier to use this than to change programs. </div><div class="separator" style="clear: both; text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: left;">But if I just had to do a memory capture, Belkasoft or Magnet RAM might be a good choice. </div><div class="separator" style="clear: both; text-align: left;"> </div><div class="separator" style="clear: both; text-align: left;">DumpIt may be a nice choice if I just wanted a simple double click, as it stores the capture in the same directory. </div><div class="separator" style="clear: both; text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: left;">Now to analyse the memory captures... that may be for another post.</div><div class="separator" style="clear: both; text-align: left;"><br /></div><div>Until the next post TheHexNinja says:</div><div><br /></div><div><i>Memory Capture </i></div><div><i>Easy When You Know Your Tools </i></div><div><i>Now To Analyse </i></div></div></div><div style="text-align: left;"><br /></div><br /><h3 style="text-align: left;">References</h3><div>1.
Tool URLs</div><div><google-sheets-html-origin><table border="1" cellpadding="0" cellspacing="0" dir="ltr" style="border-collapse: collapse; border: none; font-family: Arial; font-size: 10pt; table-layout: fixed; width: 0px;" xmlns="http://www.w3.org/1999/xhtml"><colgroup><col width="197"></col><col width="408"></col></colgroup><tbody><tr style="height: 21px;"><td data-sheets-value="{"1":2,"2":"Tool"}" style="border: 1px solid rgb(204, 204, 204); font-weight: bold; overflow: hidden; padding: 2px 3px; vertical-align: bottom;">Tool</td><td data-sheets-value="{"1":2,"2":"URL"}" style="border: 1px solid rgb(204, 204, 204); font-weight: bold; overflow: hidden; padding: 2px 3px; vertical-align: bottom;">URL</td></tr><tr style="height: 21px;"><td data-sheets-value="{"1":2,"2":"FTK Imager"}" style="border: 1px solid rgb(204, 204, 204); overflow: hidden; padding: 2px 3px; vertical-align: bottom;">FTK Imager</td><td data-sheets-hyperlink="https://accessdata.com/product-download" data-sheets-value="{"1":2,"2":"https://accessdata.com/product-download"}" style="border: 1px solid rgb(204, 204, 204); color: #1155cc; overflow: hidden; padding: 2px 3px; text-decoration-line: underline; vertical-align: bottom;"><a class="in-cell-link" href="https://accessdata.com/product-download" target="_blank">https://accessdata.com/product-download</a></td></tr><tr style="height: 21px;"><td data-sheets-value="{"1":2,"2":"Belkasoft RAM-CAPTURER"}" style="border: 1px solid rgb(204, 204, 204); overflow: hidden; padding: 2px 3px; vertical-align: bottom;">Belkasoft RAM-CAPTURER</td><td data-sheets-hyperlink="https://belkasoft.com/ram-capturer" data-sheets-value="{"1":2,"2":"https://belkasoft.com/ram-capturer"}" style="border: 1px solid rgb(204, 204, 204); color: #1155cc; overflow: hidden; padding: 2px 3px; text-decoration-line: underline; vertical-align: bottom;"><a class="in-cell-link" href="https://belkasoft.com/ram-capturer" target="_blank">https://belkasoft.com/ram-capturer</a></td></tr><tr 
style="height: 21px;"><td data-sheets-value="{"1":2,"2":"Magnet RAM"}" style="border: 1px solid rgb(204, 204, 204); font-family: "Times New Roman"; font-size: 12pt; overflow: hidden; padding: 2px 3px; vertical-align: bottom;">Magnet RAM</td><td data-sheets-hyperlink="https://www.magnetforensics.com/resources/magnet-ram-capture/" data-sheets-value="{"1":2,"2":"https://www.magnetforensics.com/resources/magnet-ram-capture/"}" style="border: 1px solid rgb(204, 204, 204); color: #1155cc; overflow: hidden; padding: 2px 3px; text-decoration-line: underline; vertical-align: bottom;"><a class="in-cell-link" href="https://www.magnetforensics.com/resources/magnet-ram-capture/" target="_blank">https://www.magnetforensics.com/resources/magnet-ram-capture/</a></td></tr><tr style="height: 21px;"><td data-sheets-value="{"1":2,"2":"Process Hacker"}" style="border: 1px solid rgb(204, 204, 204); font-family: "Times New Roman"; font-size: 12pt; overflow: hidden; padding: 2px 3px; vertical-align: bottom;">Process Hacker</td><td data-sheets-hyperlink="https://processhacker.sourceforge.io/" data-sheets-value="{"1":2,"2":"https://processhacker.sourceforge.io/"}" style="border: 1px solid rgb(204, 204, 204); color: #1155cc; overflow: hidden; padding: 2px 3px; text-decoration-line: underline; vertical-align: bottom;"><a class="in-cell-link" href="https://processhacker.sourceforge.io/" target="_blank">https://processhacker.sourceforge.io/</a></td></tr><tr style="height: 21px;"><td data-sheets-value="{"1":2,"2":"Winen"}" style="border: 1px solid rgb(204, 204, 204); font-family: "Times New Roman"; font-size: 12pt; overflow: hidden; padding: 2px 3px; vertical-align: bottom;">Winen</td><td data-sheets-hyperlink="https://github.com/Velocidex/WinPmem" data-sheets-value="{"1":2,"2":"https://github.com/Velocidex/WinPmem"}" style="border: 1px solid rgb(204, 204, 204); color: #1155cc; overflow: hidden; padding: 2px 3px; text-decoration-line: underline; vertical-align: bottom;"><a class="in-cell-link" 
href="https://github.com/Velocidex/WinPmem" target="_blank">https://github.com/Velocidex/WinPmem</a></td></tr><tr style="height: 21px;"><td data-sheets-value="{"1":2,"2":"MDD"}" style="border: 1px solid rgb(204, 204, 204); font-family: "Times New Roman"; font-size: 12pt; overflow: hidden; padding: 2px 3px; vertical-align: bottom;">MDD</td><td data-sheets-hyperlink="https://sourceforge.net/projects/mdd/" data-sheets-value="{"1":2,"2":"https://sourceforge.net/projects/mdd/"}" style="border: 1px solid rgb(204, 204, 204); color: #1155cc; overflow: hidden; padding: 2px 3px; text-decoration-line: underline; vertical-align: bottom;"><a class="in-cell-link" href="https://sourceforge.net/projects/mdd/" target="_blank">https://sourceforge.net/projects/mdd/</a></td></tr><tr style="height: 21px;"><td data-sheets-value="{"1":2,"2":"Mandiant Memoryze"}" style="border: 1px solid rgb(204, 204, 204); font-family: "Times New Roman"; font-size: 12pt; overflow: hidden; padding: 2px 3px; vertical-align: bottom;">Mandiant Memoryze</td><td data-sheets-hyperlink="https://www.fireeye.com/services/freeware/memoryze.html" data-sheets-value="{"1":2,"2":"https://www.fireeye.com/services/freeware/memoryze.html"}" style="border: 1px solid rgb(204, 204, 204); color: #1155cc; overflow: hidden; padding: 2px 3px; text-decoration-line: underline; vertical-align: bottom;"><a class="in-cell-link" href="https://www.fireeye.com/services/freeware/memoryze.html" target="_blank">https://www.fireeye.com/services/freeware/memoryze.html</a></td></tr><tr style="height: 21px;"><td data-sheets-value="{"1":2,"2":"WindowsSCOPE"}" style="border: 1px solid rgb(204, 204, 204); font-family: "Times New Roman"; font-size: 12pt; overflow: hidden; padding: 2px 3px; vertical-align: bottom;">WindowsSCOPE</td><td data-sheets-hyperlink="http://www.windowsscope.com/try-it/" data-sheets-value="{"1":2,"2":"http://www.windowsscope.com/try-it/"}" style="border: 1px solid rgb(204, 204, 204); color: #1155cc; overflow: hidden; 
padding: 2px 3px; text-decoration-line: underline; vertical-align: bottom;"><a class="in-cell-link" href="http://www.windowsscope.com/try-it/" target="_blank">http://www.windowsscope.com/try-it/</a></td></tr><tr style="height: 21px;"><td data-sheets-value="{"1":2,"2":"WinPmem"}" style="border: 1px solid rgb(204, 204, 204); font-family: "Times New Roman"; font-size: 12pt; overflow: hidden; padding: 2px 3px; vertical-align: bottom;">WinPmem</td><td data-sheets-hyperlink="https://github.com/Velocidex/WinPmem" data-sheets-value="{"1":2,"2":"https://github.com/Velocidex/WinPmem"}" style="border: 1px solid rgb(204, 204, 204); color: #1155cc; overflow: hidden; padding: 2px 3px; text-decoration-line: underline; vertical-align: bottom;"><a class="in-cell-link" href="https://github.com/Velocidex/WinPmem" target="_blank">https://github.com/Velocidex/WinPmem</a></td></tr><tr style="height: 21px;"><td data-sheets-value="{"1":2,"2":"Dumpit"}" style="border: 1px solid rgb(204, 204, 204); font-family: "Times New Roman"; font-size: 12pt; overflow: hidden; padding: 2px 3px; vertical-align: bottom;">Dumpit</td><td data-sheets-hyperlink="https://my.comae.com/login" data-sheets-value="{"1":2,"2":"https://my.comae.com/"}" style="border: 1px solid rgb(204, 204, 204); color: #1155cc; overflow: hidden; padding: 2px 3px; text-decoration-line: underline; vertical-align: bottom;"><a class="in-cell-link" href="https://my.comae.com/login" target="_blank">https://my.comae.com/</a></td></tr></tbody></table><br /></google-sheets-html-origin></div><div><google-sheets-html-origin>2. 
</google-sheets-html-origin>The following article describes some of the methods the memory capture applications use to obtain the dump in kernel mode: ZwOpenSection with ZwMapViewOfSection, MmMapIoSpace</div></div><div style="text-align: left;">and MmMapMemoryDumpMdl</div><div style="text-align: left;"><br /></div><div style="text-align: left;"><a href="https://commons.erau.edu/cgi/viewcontent.cgi?referer=&httpsredir=1&article=1291&context=adfsl" target="_blank">https://commons.erau.edu/cgi/viewcontent.cgi?referer=&httpsredir=1&article=1291&context=adfsl</a><br /></div></div><div class="separator" style="clear: both; text-align: center;"><br /></div><br /><br /></div><br /><br /></div><br /><br /></div>Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-2487515128006761905.post-67676885008028296702018-01-31T03:12:00.001-08:002018-01-31T11:10:26.874-08:00 Practical Exercise - Image Carving II - Python<div dir="ltr" style="text-align: left;" trbidi="on">
<script src="https://google-code-prettify.googlecode.com/svn/loader/run_prettify.js"></script>
<br />
<div dir="ltr" style="text-align: left;" trbidi="on">
<br />
In the last post we looked at how we can <i><u>manually</u></i> carve out a JPEG image from free 'space'. Good to know, and OK to do if we have one or two, but if we had thousands to carve... it could take some time. We would then use some sort of Image Recovery Software, but could we write our own?<br />
<br />
Part of the reason for this blog was to demonstrate some Hex Ninja skills both manually and how we can write some simple scripts to automate some of these tasks.<br />
<br />
The general process goes something like this: <br />
1. First we find the artifact we are looking for.<br />
2. Understand the layout of the artifact.<br />
3. Manually try and carve out the artifact and make sure it works for all cases.<br />
4. Write a script to automate the process.<br />
5. Test the script and make sure it works.<br />
<br />
The last blog post covered steps 1-3, this post will cover steps 4-5.<br />
<br />
So the language we will be using is Python. It is very easy to program in and is my go-to language at the moment for getting something up and running fast.<br />
<br />
Available from <a href="https://www.python.org/downloads/" rel="nofollow" target="_blank">https://www.python.org/downloads/ </a><br />
<br />
There are two versions available 2.7 and 3.6. See <a href="https://wiki.python.org/moin/Python2orPython3" rel="nofollow" target="_blank">https://wiki.python.org/moin/Python2orPython3</a> to check out the differences between them.<br />
<br />
I mainly use 2.7 because there are more code libraries and more support for debugging on sites like <a href="https://stackoverflow.com/questions/tagged/python-2.7" rel="nofollow" target="_blank">StackOverflow</a>, but we can test it on both and see if it works. Eventually I will move to Python 3.<br />
<br />
So download Python 2.7 for your OS (Mac/Windows/Linux) and follow the install instructions.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjmEmSeAvvIvv7ci72cWe_oJUx8YQstN9XpjQhkdywSgBcSbW6FzAjZx0eH0WomH3_5_AUfIOgfEmeFLJ1b_ChyArVVy-15fJOdA-FH6wA2C87Y0yZcKmhGKT53042o9oitSPJddmYyOP3g/s1600/Python+download+page.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="539" data-original-width="1028" height="334" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjmEmSeAvvIvv7ci72cWe_oJUx8YQstN9XpjQhkdywSgBcSbW6FzAjZx0eH0WomH3_5_AUfIOgfEmeFLJ1b_ChyArVVy-15fJOdA-FH6wA2C87Y0yZcKmhGKT53042o9oitSPJddmYyOP3g/s640/Python+download+page.PNG" width="640" /></a></div>
<br />
To make sure everything has installed OK, go to a command prompt and type <i><b>python</b></i>.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhxzv9eN4wxdfXPoG9dMPuJ6GK_iq3IZ0n1ki7OEu2QvZxM3a_T93PWuh4alMsGGpILhCpqUyH_lsOk6HMMlZnUcPSPzdqLkmS57R8-6KU91CAE9hcjLetJRYYI_Qq4JoLoQq6lmU6SsJEE/s1600/command+prompt.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="62" data-original-width="639" height="62" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhxzv9eN4wxdfXPoG9dMPuJ6GK_iq3IZ0n1ki7OEu2QvZxM3a_T93PWuh4alMsGGpILhCpqUyH_lsOk6HMMlZnUcPSPzdqLkmS57R8-6KU91CAE9hcjLetJRYYI_Qq4JoLoQq6lmU6SsJEE/s640/command+prompt.PNG" width="640" /></a></div>
<br />
Hopefully you see something similar to the above screenshot. The output should tell you what version you are using (2.7.12), whether it is 32 or 64 bit, and then show the Python command prompt <b>&gt;&gt;&gt;</b><br />
<br />
In the tradition of all programming languages, your first exercise is to print <b>Hello World</b> to the screen.<br />
Python makes this very simple: type <b>print ("Hello World")</b> and you should see output like below.<br />
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi2WDr5hdTgpqeBk-2-HyxGUc8oEIN67zsI37Ap7cynWrzTOTeYOXWeJCXduturpTaRdAFnl_KajkHPbIIJg7izcBUK8Z3SXld7bt12Lgo-0cYlrFyuSVHGkzVnC_n1Kd-jvdhG-ZO81y1l/s1600/command+prompt.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="88" data-original-width="638" height="88" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi2WDr5hdTgpqeBk-2-HyxGUc8oEIN67zsI37Ap7cynWrzTOTeYOXWeJCXduturpTaRdAFnl_KajkHPbIIJg7izcBUK8Z3SXld7bt12Lgo-0cYlrFyuSVHGkzVnC_n1Kd-jvdhG-ZO81y1l/s640/command+prompt.PNG" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
To get back to the normal command prompt hit Ctrl-Z and Enter. <br />
<br />
There are two main ways of using python.<br />
1. From the Python command prompt where we can type python commands direct. This is good for doing simple testing of instructions.<br />
2. Running a python script, where we write the python commands in an editor, save it with the extension <i><b>.py</b></i> and then execute it by typing <b>python yourscript.py</b> at the command prompt.<br />
<br />
We will mainly use the second technique. We can use a basic text editor such as Notepad. My favourite editor is PyCharm from JetBrains <a href="https://www.jetbrains.com/pycharm/" rel="nofollow" target="_blank">https://www.jetbrains.com/pycharm/</a><br />
It has code highlighting and code completion, finds errors, and lets you run your code from within the editor, but there are a plethora of editors. They can be a bit daunting to use initially but are well worth it if you intend to code a lot. For simplicity we will just use a text editor.<br />
<br />
So now we are ready to start coding.<br />
But before we start coding let's think about what we want to achieve.<br />
1. We want to load a file.<br />
2. We want to search the file for the JPEG start of frame header "FFD8FFE0" and the end of frame "FFD9".<br />
3. We then want to save the data between these markers to a file. Simples!<br />
<br />
As we want to keep the code simple, we won't be doing any error checking. In a real production program there is a lot of error checking (making sure the file exists, the data is in the correct format, etc.), and it can make the code confusing to look at, so we will just do the bare basics.<br />
<br />
The first thing we add to our script is to tell Python what modules we will be using. We will be using the module <i><b>re</b></i> (Regular Expressions) to do fast searches, so we need to tell Python to load that module using the import instruction.<br />
<br />
We then hardcode the Start/End of Frame tags we will be searching for: FFD8FFE0 and FFD9. The format may look a little strange, but it is a hex byte string, i.e. each hex byte is preceded by \x. The reason we do this is that the file we read in will be in that format, so it is easier to search for the tags in the same format.<br />
<br />
<pre style="background-color: #2b2b2b; color: #a9b7c6; font-family: 'Courier New'; font-size: 9.0pt;"><span style="color: #cc7832; font-weight: bold;">import </span>re
JPEG_SOF = <span style="color: #a5c261;">b'</span><span style="color: #cc7832;">\xFF\xD8\xFF\xE0</span><span style="color: #a5c261;">'</span>
JPEG_EOF = <span style="color: #a5c261;">b'</span><span style="color: #cc7832;">\xFF\xD9</span><span style="color: #a5c261;">'</span></pre>
</div>
<br />
Next we want to read in the file we will search through. We could pass in the filename as an argument, but as we are trying to be simple we will hardcode the filename into our code. We use the <b>open</b> command with the name of the file we are carving from. We will use the data file <b>Carve1.bin</b> from the previous blog post. <a href="https://github.com/thehexninja/BlogDownloads/blob/master/Carve1.bin" rel="nofollow" target="_blank"> https://github.com/thehexninja/BlogDownloads/blob/master/Carve1.bin</a><br />
<br />
We use the <b>'rb'</b> mode, indicating we want to read ('r') a binary ('b') file. The open command returns a reference to our file, called a file object, which we call file_obj. Next we read the whole file into a variable called <b>data</b>. Don't try this with a massive file; in later posts we will show how to read in big files. We then close the file, which releases the reference to it so other programs can access it. Also make sure the file Carve1.bin is in the same directory as the Python script, otherwise we have to add path information to the filename.
<br />
<div dir="ltr" style="text-align: left;" trbidi="on">
<br />
<pre style="background-color: #2b2b2b; color: #a9b7c6; font-family: 'Courier New'; font-size: 9.0pt;"><span style="background-color: #40332b;">file_obj</span>=<span style="color: #8888c6;">open</span>(<span style="color: #a5c261;">'Carve1.bin'</span><span style="color: #cc7832;">,</span><span style="color: #a5c261;">'rb'</span>)
data=<span style="background-color: #344134;">file_obj</span>.read()
<span style="background-color: #344134;">file_obj</span>.close()</pre>
<br />
This seems all pretty straightforward.<br />
<br />
Now we have our data loaded in memory we can perform our search. This is where we use the <b>re</b> module. Basically we want a list of all the offsets in the data where we find our tags. The following commands return a list of these offsets.<br />
<br />
<pre style="background-color: #2b2b2b; color: #a9b7c6; font-family: 'Courier New'; font-size: 9.0pt;">SOF_list=[match.start() <span style="color: #cc7832; font-weight: bold;">for </span>match <span style="color: #cc7832; font-weight: bold;">in </span>re.finditer(re.escape(JPEG_SOF)<span style="color: #cc7832;">,</span>data)]
EOF_list=[match.start() <span style="color: #cc7832; font-weight: bold;">for </span>match <span style="color: #cc7832; font-weight: bold;">in </span>re.finditer(re.escape(JPEG_EOF)<span style="color: #cc7832;">,</span>data)]
</pre>
<br />
If we run the script so far we can check what we have found.<br />
<br />
<br />
<pre style="background-color: #2b2b2b; color: #a9b7c6; font-family: 'Courier New'; font-size: 9.0pt;">>>> SOF_list
[<span style="color: #6897bb;">4696</span>]
>>> EOF_list
[<span style="color: #6897bb;">11747</span>]</pre>
<br />
So we have found the SOF tag at byte offset 4696 and the EOF tag at 11747.<br />
<br />
Now all that is left for us to do is to get the data between these offsets and save it to a file. We will write the code assuming there could be more hits, so we can loop through them all and carve all the images in one go.<br />
<br />
So we need a counter variable, which we will call <b>i</b>, to step through the lists. We then use a for loop to go through the SOF_list. We then want to get the JPEG image data from the hex byte string we read in from the file. We can do it simply with subdata=data[start:end]. So now we have the data we just need to save it to a file. As before I like to name the file and include the start offset and end offset in the name of the file. We do this with <br />
<pre style="background-color: #2b2b2b; color: #a9b7c6; font-family: 'Courier New'; font-size: 9.0pt;">carve_filename=<span style="color: #a5c261;">"Carve1_"</span>+<span style="color: #8888c6;">str</span>(SOF)+<span style="color: #a5c261;">"_"</span>+<span style="color: #8888c6;">str</span>(EOF_list[i]<span style="color: #6897bb;"></span>)+<span style="color: #a5c261;">".jpg"</span></pre>
<br />
Now we just open that file with the 'wb' mode: write <b>b</b>inary. We update i with i=i+1 to reference the next EOF_list offset, and we do a print statement to give some feedback to the user.<br />
<br />
<pre style="background-color: #2b2b2b; color: #a9b7c6; font-family: 'Courier New'; font-size: 9.0pt;">i=<span style="color: #6897bb;">0</span>
<span style="color: #cc7832; font-weight: bold;">for </span>SOF <span style="color: #cc7832; font-weight: bold;">in </span>SOF_list:
    subdata=data[SOF:EOF_list[i]+<span style="color: #6897bb;">2</span>]
    carve_filename=<span style="color: #a5c261;">"Carve1_"</span>+<span style="color: #8888c6;">str</span>(SOF)+<span style="color: #a5c261;">"_"</span>+<span style="color: #8888c6;">str</span>(EOF_list[i])+<span style="color: #a5c261;">".jpg"</span>
    carve_obj=<span style="color: #8888c6;">open</span>(carve_filename<span style="color: #cc7832;">,</span><span style="color: #a5c261;">'wb'</span>)
    carve_obj.write(subdata)
    carve_obj.close()
    i=i+<span style="color: #6897bb;">1</span>
    <span style="color: #cc7832; font-weight: bold;">print </span>(<span style="color: #a5c261;">"Found an image and carving it to "</span>+carve_filename)</pre>
<br />
So that should do it. We can now save this file, call it jpeg_carve.py, and run it.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEizl-fxRynfoBi_3vmPmFY6peFcmOlbXuy-kIloPaco_9hXAPH5XslrZFl7S-9iHFrC7P7YKrxe-39fsTCZWqs7BvZUdZqGcZH6j4LDvMLIi6vvEFxQKDiHDYqE1e0SlDlz_YyiLlehidWh/s1600/command_out.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="61" data-original-width="522" height="74" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEizl-fxRynfoBi_3vmPmFY6peFcmOlbXuy-kIloPaco_9hXAPH5XslrZFl7S-9iHFrC7P7YKrxe-39fsTCZWqs7BvZUdZqGcZH6j4LDvMLIi6vvEFxQKDiHDYqE1e0SlDlz_YyiLlehidWh/s640/command_out.PNG" width="640" /></a></div>
<br />
Great, it works, so let's check the carved file.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhpAOHTzmMj_5-9_WhaJG9BhVtC7IoHow7BqBTYHOSzof8ZE6USWY012H6gQ77uwQCPg2InHMjxzJxq6nTtmt1ac-VeEaciwtYfwtS79mkC0s_QXTYxhssKJ3V1v7yGb0q2FC7h8jvRyomL/s1600/carved.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="365" data-original-width="422" height="345" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhpAOHTzmMj_5-9_WhaJG9BhVtC7IoHow7BqBTYHOSzof8ZE6USWY012H6gQ77uwQCPg2InHMjxzJxq6nTtmt1ac-VeEaciwtYfwtS79mkC0s_QXTYxhssKJ3V1v7yGb0q2FC7h8jvRyomL/s400/carved.PNG" width="400" /></a></div>
<br />
And we are done. A 17 line image carver!</div>
</div>
Practical Exercise - Image Carving (2017-12-31)<div dir="ltr" style="text-align: left;" trbidi="on">
<h2 style="text-align: center;">
<span style="font-size: x-large;">So who's ready to carve?</span></h2>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjsknqhinnsHk-XBUb49x4z_awjModreR8GAr3AcArAzeQZo37A1NKSAH67QmeMGnoW24ZZ8iWTsRAxAJFr_AJL5LawtDsi0vycv6_gTVgUo-1EiSTBGuE7ARQCjo03Op9tPHgtLErGZOm3/s1600/Gordon_carving.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="864" data-original-width="713" height="200" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjsknqhinnsHk-XBUb49x4z_awjModreR8GAr3AcArAzeQZo37A1NKSAH67QmeMGnoW24ZZ8iWTsRAxAJFr_AJL5LawtDsi0vycv6_gTVgUo-1EiSTBGuE7ARQCjo03Op9tPHgtLErGZOm3/s200/Gordon_carving.jpg" width="165" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
Or as Gordon would say " Let's Carve or F#!K OFF "</div>
<br />
In the last post we talked about some simple carving of a JPEG image file using a hex editor.<br />
<br />
Before we get too carried away we should practise a couple of simple carves of images from 'unallocated'. What do I mean by 'unallocated', I hear you ask? Well...<br />
<br />
There are a couple of approaches to carving and recovering files from file systems.<br />
<br />
Firstly there is the "File System" approach. That is, we use the filesystem's knowledge of where the deleted file was to begin our journey of recovery.<br />
<br />
For example, when a file is deleted in a FAT32 filesystem, the first byte of the directory entry is overwritten with 'E5'. The directory entry still contains the filename (minus the first character), the file size and the first cluster number. These can be vital to assist in the recovery process.<br />
<br />
For a valid file we could look up the cluster number in the FAT table and find all the fragments as each FAT entry points to the next cluster number.<br />
<br />
However, when a file is deleted the FAT table entries are zeroed, so we cannot trace the file fragments. We will go through a worked example of this later.<br />
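To make the FAT side of this concrete, here is an added Python example (my own, not code from this blog or its Carve*.bin files). It parses a constructed 32-byte FAT32 directory entry whose first byte has been set to E5, pulls out the surviving name, first cluster and size, and walks a constructed FAT for the 202,203,207,412,902 style chain before and after the entries are zeroed. The entry bytes, the FAT contents, the 4096-byte cluster size and the 0x4000 data-area offset are all assumptions made up for the demo.

```python
import struct

# Constructed 32-byte FAT32 short-name directory entry for a deleted file
# (sample data, not taken from the blog's Carve*.bin files). Layout used:
#   0-10 8.3 name, 11 attributes, 20-21 first cluster high word,
#   26-27 first cluster low word, 28-31 file size (all little-endian).
# The first name byte has already been overwritten with 0xE5 by the delete.
SAMPLE_ENTRY = (
    b"\xE5HOTO   JPG"             # "?HOTO.JPG": first character is gone
    + b"\x20"                     # attributes: archive
    + b"\x00" * 8                 # NT reserved, create time/date, access date
    + struct.pack("<H", 0x0000)   # first cluster, high 16 bits
    + b"\x00" * 4                 # modify time/date
    + struct.pack("<H", 202)      # first cluster, low 16 bits
    + struct.pack("<I", 7053)     # file size in bytes
)


def parse_dir_entry(raw):
    """Decode the fields a carver still cares about after deletion."""
    if len(raw) != 32:
        raise ValueError("a FAT directory entry is exactly 32 bytes")
    deleted = raw[0] == 0xE5
    name = raw[0:8].decode("latin-1").rstrip(" ")
    if deleted:
        name = "?" + name[1:]      # the E5 byte replaced the first character
    ext = raw[8:11].decode("latin-1").rstrip(" ")
    hi = struct.unpack_from("<H", raw, 20)[0]
    lo = struct.unpack_from("<H", raw, 26)[0]
    size = struct.unpack_from("<I", raw, 28)[0]
    return {
        "name": name, "ext": ext, "deleted": deleted,
        "first_cluster": (hi << 16) | lo, "size": size,
    }


def follow_chain(fat, first_cluster, limit=1 << 20):
    """Walk a FAT32 chain (28-bit entries). A zeroed entry ends the walk, so a
    deleted file yields only its first cluster: everything after it is lost
    from the filesystem's point of view and must be carved."""
    chain = []
    cluster = first_cluster
    while 2 <= cluster < 0x0FFFFFF8 and len(chain) < limit:
        chain.append(cluster)
        cluster = fat[cluster] & 0x0FFFFFFF
    return chain


def clusters_needed(size, cluster_bytes):
    return (size + cluster_bytes - 1) // cluster_bytes


def contiguous_extent(entry, cluster_bytes, data_area_offset):
    """Byte range the file would occupy if it were unfragmented: start at its
    first cluster (the data area begins at cluster 2) and run for `size`
    bytes. This is the best guess the directory entry alone can give."""
    start = data_area_offset + (entry["first_cluster"] - 2) * cluster_bytes
    return start, start + entry["size"]


def demo():
    # Constructed FAT (assumed layout): a 5-cluster file at 202,203,207,412,902.
    fat = [0] * 1024
    for this, nxt in zip([202, 203, 207, 412, 902], [203, 207, 412, 902, 0x0FFFFFFF]):
        fat[this] = nxt
    live = follow_chain(fat, 202)
    for c in live:                 # deletion zeroes every FAT entry of the file
        fat[c] = 0
    after_delete = follow_chain(fat, 202)
    entry = parse_dir_entry(SAMPLE_ENTRY)
    return live, after_delete, entry


if __name__ == "__main__":
    live, gone, entry = demo()
    print("allocated chain :", live)
    print("after deletion  :", gone)
    print("directory entry :", entry)
    print("clusters needed :", clusters_needed(entry["size"], 4096))
```

Once the chain collapses to a single cluster, the entry still tells you where the file started and how long it was, which is exactly what the carving approach below needs as its starting point.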
<br />
The second technique for file recovery is to ignore the filesystem and treat the disk as one big block of data. We can either do this on the whole disk image or we can just export the unallocated portion of the disk. We can then use our knowledge of what type of file we are trying to recover to attempt to find the file/s in question.<br />
<br />
So let's start with three simple image carves.<br />
<br />
1. JPEG: Deleted, no thumbnails, not overwritten, unfragmented in free unallocated space.<br />
<br />
2. JPEG: Deleted, no thumbnails, not overwritten, unfragmented in full unallocated space.<br />
<div>
<br /></div>
3. JPEG: Deleted, no thumbnails, not overwritten, fragmented in unallocated space.<br />
<br />
<div>
<br /></div>
<div>
</div>
<div>
<h3 style="text-align: left;">
Carve 1</h3>
</div>
<div>
Download the bin file from the GitHub</div>
<div>
<a href="https://github.com/thehexninja/BlogDownloads/blob/master/Carve1.bin" target="_blank">https://github.com/thehexninja/BlogDownloads/blob/master/Carve1.bin</a></div>
<div>
<br /></div>
<div>
In a hex editor search for FFD8FFE0.</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjSmDngKtKoDtLsFAXV_eBpx71-R0YqW58S4cRlJ4uY7Bm9aOw48UroEXAaMljW_hWibtlxdcA3NIbcy5STZvFCS06SiLXwcP-9o9uJKJRgnb-Xrps4dtxn0Udwnt4FYS0BU_Cp-Kh2UK4v/s1600/Hex1.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="468" data-original-width="662" height="226" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjSmDngKtKoDtLsFAXV_eBpx71-R0YqW58S4cRlJ4uY7Bm9aOw48UroEXAaMljW_hWibtlxdcA3NIbcy5STZvFCS06SiLXwcP-9o9uJKJRgnb-Xrps4dtxn0Udwnt4FYS0BU_Cp-Kh2UK4v/s320/Hex1.PNG" width="320" /></a></div>
<div>
<br /></div>
<div>
We find a search hit at 0x1258</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjyElaN8FAxizpS0VmUc2VrlzC8U-wwatTNkESXefZrXgk5Ud50oXS2wBx_alSG9n6m1nXJONHJaUunmqttNRF7mUj-zWcCc653AccMD089Zmi6DsymMy-dQnKWKatvtifyMJ2EzQnnY0Ic/s1600/Hex2.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="333" data-original-width="660" height="161" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjyElaN8FAxizpS0VmUc2VrlzC8U-wwatTNkESXefZrXgk5Ud50oXS2wBx_alSG9n6m1nXJONHJaUunmqttNRF7mUj-zWcCc653AccMD089Zmi6DsymMy-dQnKWKatvtifyMJ2EzQnnY0Ic/s320/Hex2.PNG" width="320" /></a></div>
<div>
<br /></div>
<div>
Select the beginning of the block at the start of the JPEG at 0x1258. Now we search for the end of the file with the hex FFD9.</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEijMnwihiUoVmyQHCkdc4Qa-C2AxCsXVunGTGqMzTckgwZR2gM99jVCQHI_eHK7x0ku8qJolEl8YeJdhQ2tGhLGmHWxtZdqMAMSFnBWgZU3gg_ZR7JGlfn56B751THlL85mOfqzc4S4QbOk/s1600/Hex3.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="523" data-original-width="657" height="254" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEijMnwihiUoVmyQHCkdc4Qa-C2AxCsXVunGTGqMzTckgwZR2gM99jVCQHI_eHK7x0ku8qJolEl8YeJdhQ2tGhLGmHWxtZdqMAMSFnBWgZU3gg_ZR7JGlfn56B751THlL85mOfqzc4S4QbOk/s320/Hex3.PNG" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div>
The D9 of the FFD9 end-of-file marker is at offset 0x2DE4. We select this as the end of the block. Copy the block out to a new file. In the filename I like to include three things: the file I am carving from, the start offset and the end offset. So let's call it Carve1_1258_2DE4.jpg and voilà... </div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi-63PjISKlL31Lb_ctf8BkRnXgID5IRW6FOC72oc394DE5QDsz8SuFOB0HC3EPz9bN1gDQd7ItFJ8QWYermpH4klm2AFKYuSuPjxyDjP4T3xB8JnJArssq0EwSenk8JhN-4BBMOzgRwe0L/s1600/Carve1_1258_2DE4.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="287" data-original-width="333" height="171" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi-63PjISKlL31Lb_ctf8BkRnXgID5IRW6FOC72oc394DE5QDsz8SuFOB0HC3EPz9bN1gDQd7ItFJ8QWYermpH4klm2AFKYuSuPjxyDjP4T3xB8JnJArssq0EwSenk8JhN-4BBMOzgRwe0L/s200/Carve1_1258_2DE4.jpg" width="200" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Carve1_1258_2DE4.jpg</td></tr>
</tbody></table>
<div>
<br /></div>
<div>
<div>
<h3>
Carve 2</h3>
</div>
<div>
Download the bin file from the GitHub</div>
<div>
<a href="https://github.com/thehexninja/BlogDownloads/blob/master/Carve2.bin" target="_blank">https://github.com/thehexninja/BlogDownloads/blob/master/Carve2.bin</a></div>
</div>
<div>
<br /></div>
<div>
Again we search for FFD8FFE0.</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhUSVTEbQVuU8itXkguW1Unq6y05cF2417pSAr0iAE2hyYHUKJGtPPvvbWyMJhRiTCfCkhU4r_qjdxAFpV1ZA7W6lLH_rESaCAGlPWN7Wgr-FD-whfzYBLdcAp4FPo_cZRX-6XPRxoqy6Fj/s1600/hex4.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="517" data-original-width="660" height="250" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhUSVTEbQVuU8itXkguW1Unq6y05cF2417pSAr0iAE2hyYHUKJGtPPvvbWyMJhRiTCfCkhU4r_qjdxAFpV1ZA7W6lLH_rESaCAGlPWN7Wgr-FD-whfzYBLdcAp4FPo_cZRX-6XPRxoqy6Fj/s320/hex4.PNG" width="320" /></a></div>
<div>
<br /></div>
<div>
We find it at offset 0x13B6. In this second example we see that it is embedded in other data (other deleted or allocated files); this is more typical of what we might see.</div>
<div>
Again we search for FFD9 for the end-of-file marker. It is at 0x2360. We select the block and copy it out into a new file, Carve2_13B6_2360.jpg.</div>
<div>
<br /></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiAFEGCMCeih_gBN7yR8H1tfk17j5XdQewyxj_1NWWbhSEG5cWSZ2s1J602AepXoRl2Tosrx5UcSBuh6DJ0_tS-jXBaZqg-lAtp568pmX0E2kIgY8WPNmfP09Cu0eRYbd_FQY5zVIcD_Dwf/s1600/Carve2_13B6_2360.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="175" data-original-width="175" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiAFEGCMCeih_gBN7yR8H1tfk17j5XdQewyxj_1NWWbhSEG5cWSZ2s1J602AepXoRl2Tosrx5UcSBuh6DJ0_tS-jXBaZqg-lAtp568pmX0E2kIgY8WPNmfP09Cu0eRYbd_FQY5zVIcD_Dwf/s1600/Carve2_13B6_2360.jpg" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Carve2_13B6_2360.jpg</td></tr>
</tbody></table>
<div>
<br /></div>
<div>
This seems simple enough: just a search for the start and end and we have carved two deleted files of the Hex Ninja.</div>
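Carve 1 and Carve 2 are the same operation: find FFD8FFE0, find the next FFD9, copy the block out. Here is that operation scripted in Python as an added example (mine, not the blog's jpeg_carve.py). It keys on the same two patterns, names the output the way the post does (source_start_end.jpg with the inclusive offset of the D9 byte), and runs against a constructed blob that mimics Carve2.bin: a JPEG-shaped object at 0x13B6 with a pseudo-random body, which will not decode as a picture but carves the same way. The sample blob, its seed and the output directory are assumptions.

```python
import random
from pathlib import Path

JPEG_SOI = b"\xFF\xD8\xFF\xE0"   # SOI + APP0, the pattern searched for on the page
JPEG_EOI = b"\xFF\xD9"           # end-of-image marker


def carve_jpegs(blob):
    """Scan a blob as one big block of data, filesystem ignored, and return
    (start, end) pairs for every FFD8FFE0 ... FFD9 run. `end` is the offset of
    the D9 byte itself, the inclusive end offset the blog puts in file names."""
    found = []
    pos = 0
    while True:
        start = blob.find(JPEG_SOI, pos)
        if start < 0:
            break
        eoi = blob.find(JPEG_EOI, start + len(JPEG_SOI))
        if eoi < 0:
            break                  # header with no footer: truncated, nothing to carve
        end = eoi + 1
        found.append((start, end))
        pos = end + 1
    return found


def carve_name(source, start, end):
    """Source_StartOffset_EndOffset.jpg, as used for Carve1_1258_2DE4.jpg."""
    return f"{source}_{start:X}_{end:X}.jpg"


def write_carves(blob, source, outdir):
    """Write every hit to disk and return the file names written."""
    outdir = Path(outdir)
    outdir.mkdir(parents=True, exist_ok=True)
    names = []
    for start, end in carve_jpegs(blob):
        name = carve_name(source, start, end)
        (outdir / name).write_bytes(blob[start:end + 1])
        names.append(name)
    return names


def build_sample_blob(seed=1):
    """Constructed stand-in for Carve2.bin (not the real file): a JPEG-shaped
    object with a 16-byte JFIF APP0 segment and a pseudo-random body, sitting
    between other data. Returns (blob, start, inclusive_end)."""
    rng = random.Random(seed)
    body = bytes(rng.randrange(256) for _ in range(0x800))
    # keep the body free of marker look-alikes so the footer search is exact
    body = body.replace(JPEG_EOI, b"\xFF\x00").replace(b"\xFF\xD8", b"\xFF\x01")
    app0 = b"\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    jpeg = JPEG_SOI + app0 + body + JPEG_EOI
    before = b"\x00" * 0x13B6                  # same start offset as the post's Carve2
    after = b"theme/theme/themeManager.xml\n" * 40
    return before + jpeg + after, len(before), len(before) + len(jpeg) - 1


if __name__ == "__main__":
    blob, start, end = build_sample_blob()
    for s, e in carve_jpegs(blob):
        print(carve_name("Sample", s, e), "->", e - s + 1, "bytes")
```

The truncation branch matters in practice: a header with no footer after it is exactly what Carve 3 turns out to be, and a carver that blindly copies to end-of-blob would hand you a file full of somebody else's data.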
<div>
<br /></div>
<div>
<div>
<h3>
Carve 3</h3>
</div>
<div>
Download the bin file from the GitHub</div>
<div>
<a href="https://github.com/thehexninja/BlogDownloads/blob/master/Carve3.bin" target="_blank">https://github.com/thehexninja/BlogDownloads/blob/master/Carve3.bin</a></div>
</div>
<div>
<br /></div>
<div>
Opening this unallocated blob we see something interesting...</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhuThho5V-btykTRE-6awBPnS4GYt4QEGqoblnOyctwxYflyAHh8ZeCHOCZTOwPRXiHcQ3jwWSRp-SAW2YrtZTT1daELLGqOpVHPa4eNAoPmSCPqVsfgZgUw2EpDpqnWlt4Ap-LFQvduvBq/s1600/hex5.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="307" data-original-width="660" height="148" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhuThho5V-btykTRE-6awBPnS4GYt4QEGqoblnOyctwxYflyAHh8ZeCHOCZTOwPRXiHcQ3jwWSRp-SAW2YrtZTT1daELLGqOpVHPa4eNAoPmSCPqVsfgZgUw2EpDpqnWlt4Ap-LFQvduvBq/s320/hex5.PNG" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div>
For those who commonly hexinate files, it looks like an OLE Compound File (OLECF), the container used by Word, PowerPoint and Excel from 1997-2003. They have a distinct 8 byte header D0CF11E0A1B11AE1. For more info have a look at <a href="http://www.forensicswiki.org/wiki/OLE_Compound_File" target="_blank">http://www.forensicswiki.org/wiki/OLE_Compound_File</a></div>
<div>
<br /></div>
<div>
So in this example it looks like there is another file in the unallocated space. But we will concentrate on the JPEG we are searching for, so we search for FFD8FFE0 as before.</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgf2vlEdF4_P9fLWfWvjB9y3VPc3yivz3ksshrIyAP1guPlHMYmja7bniaji8tgopKapMG8GCZqXgxC1YO6_2-mojoIRbaO85bGAA32Rtofev1ZlnIHyY85tCMJ8xQBqfE-5EeQZididvtP/s1600/hex6.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="258" data-original-width="661" height="155" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgf2vlEdF4_P9fLWfWvjB9y3VPc3yivz3ksshrIyAP1guPlHMYmja7bniaji8tgopKapMG8GCZqXgxC1YO6_2-mojoIRbaO85bGAA32Rtofev1ZlnIHyY85tCMJ8xQBqfE-5EeQZididvtP/s400/hex6.PNG" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div>
Interesting to note that it is on a nice byte boundary of 0x2000, i.e. 8192 bytes or 16 sectors of 512 bytes. This will be important later, but let's move on to carving the JPEG. Search for FFD9. We find it at 0x4424. We save it as Carve3_2000_4424.jpg.</div>
<div>
<br /></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgaLl2tYr1wvhwQWXnlx2zhtX7_TepVUUD8_zDPvL8QS7Ej3GuTrfMEWrJXgGaxiNIIdYiImo7Af2fWG65O5wFzZXJFh3SVoypsC0-7_48m0IZd3tb_KZACI5JnvPrycPVrEysETaUU12ZU/s1600/Carve3_2000_4424.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="240" data-original-width="293" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgaLl2tYr1wvhwQWXnlx2zhtX7_TepVUUD8_zDPvL8QS7Ej3GuTrfMEWrJXgGaxiNIIdYiImo7Af2fWG65O5wFzZXJFh3SVoypsC0-7_48m0IZd3tb_KZACI5JnvPrycPVrEysETaUU12ZU/s1600/Carve3_2000_4424.jpg" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Carve3_2000_4424.jpg</td></tr>
</tbody></table>
<div>
Huh, this doesn't seem right. The first part looks like the devilishly handsome you-know-who!! But what happened to the rest? So let's look back at the file we carved out. If we scroll up from the bottom we see some weird stuff: references to a directory structure "theme/theme/themeManager.xml" ...</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhk8Qjw9xXGJd4VUnXaBX5uqps43Z-x4V8OJJc5vmz77IPILpJ07k2gme783P80-vvNOoD1zsSXysawinKwvmXkPaUTwuMgkC1w4oYrTlyif1M_QtpaCJEf1z225RIW9OXz4LtL9IQzNt1U/s1600/hex8.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="514" data-original-width="656" height="250" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhk8Qjw9xXGJd4VUnXaBX5uqps43Z-x4V8OJJc5vmz77IPILpJ07k2gme783P80-vvNOoD1zsSXysawinKwvmXkPaUTwuMgkC1w4oYrTlyif1M_QtpaCJEf1z225RIW9OXz4LtL9IQzNt1U/s320/hex8.PNG" width="320" /></a></div>
<div>
<br /></div>
<div>
<br /></div>
<div>
That stuff should not be in our JPEG. So here is our Aha moment... no not 'Take on me' Aha more like a 'that's interesting' Aha.</div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhsMLHU8k7MHuEGiEUNg_rveFYI1PXzcRkz7PjmDCH8zBImHNaECO6KTUhvtduoM_bqAmrRg2EBUKdXWzWU8lZp-SM-3KmpVYHYqSZc_nHGBx8fEkfbnynNmVdB4bIwZVr7J92j0t2-IK57/s1600/Aha.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="177" data-original-width="285" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhsMLHU8k7MHuEGiEUNg_rveFYI1PXzcRkz7PjmDCH8zBImHNaECO6KTUhvtduoM_bqAmrRg2EBUKdXWzWU8lZp-SM-3KmpVYHYqSZc_nHGBx8fEkfbnynNmVdB4bIwZVr7J92j0t2-IK57/s1600/Aha.jpg" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Aha - Take On Me (1985)<br />https://www.youtube.com/watch?v=djV11Xbc914</td></tr>
</tbody></table>
<div>
</div>
<div>
We saw the first part of unallocated was an OLE file, then we found our JPEG, but it looks like we have some of the OLE file mixed into our JPEG, causing it not to decode properly. </div>
<div>
<br /></div>
<div>
So now what could be happening? Perhaps FRAGMENTATION!!! </div>
<div>
<br /></div>
<div>
What is this fragmentation sorcery you speak of?</div>
<div>
<br /></div>
<div>
Well let's back up a bit first.</div>
<div>
<br /></div>
<div>
So for a new filesystem out of the box, we have a nice clean storage device. A new file would be stored in sequential blocks on the disk. We store a file in logical blocks called clusters. Each cluster is made up of a number of the smallest traditional hard disk units, called sectors (512 bytes). The cluster is an arbitrary unit and is the smallest unit the operating system can address. For example, in a FAT32 filesystem a cluster may be 4 sectors (2048 bytes) or 8 sectors (8192 bytes), etc. </div>
<div>
<br /></div>
<div>
So why isn't this fixed? </div>
<div>
<br /></div>
<div>
Well, mainly for reasons of a trade-off. If the cluster size is too big we can waste a lot of space, e.g. if our cluster is 32kBytes and our file is 100 bytes we are wasting nearly 32kBytes (slack space). But if we make each cluster really small, say 1 sector, we run out of maximum storage space pretty quickly, as the table to address all these sectors (the FAT) becomes almost as big a percentage of our storage, e.g. a 2TB disk using 1 sector per cluster would need 16GB of FAT to store all the sector addresses, and there are 2 FATs on the disk for redundancy.</div>
<div>
<br /></div>
<div>
So when we have many files and we delete some, create some new files and delete some more files, our disk becomes fragmented. When we go to save a file we have lots of gaps in our disk from the files that have been deleted, and the operating system would like to reuse them. The FAT file system stores the next cluster number for each cluster of a file, e.g. 202,203,207,412,902 could be the non-sequential cluster numbers for a 5 cluster file. This is fine for an allocated file, but what happens when the file is deleted? The directory entry has its first byte overwritten with E5; it still stores the first cluster number, but the FAT entries are overwritten with zeros. </div>
<div>
<br /></div>
<div>
This is OK for a deleted file that has sequential cluster numbers, but for a typical file with non-sequential cluster numbers we are.... well... stuffed! </div>
<div>
The things we use to our advantage are knowing the cluster size and the type of file we are searching for. The cluster size is good as we only need to look at cluster boundaries for the file we are searching for. The file type is useful as we know what we are looking at: a text file and a ZIP file look very different in hex. </div>
<div>
<br /></div>
<div>
Now back to our file. If we have a look at the highlighted section in our carved file, we remember that our OLE file was 0x2000 bytes long. That could be a clue to our cluster size: 0x2000 is 8192 bytes or 16 sectors. This is a good clue that our cluster size is 16 sectors, or a fraction of this, maybe 8 or 4.</div>
<div>
<br /></div>
<div>
So looking back through our data Carve3.bin, if we step forward in multiples of 0x2000 bytes we see that, if our assumption of a cluster size of 0x2000 were true, the second cluster looks strange. Prior to 0x8000 is a run of all zeros, which is not normal for a sequential run of a JPEG, which usually has high entropy data.</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiG8fD0Ce3HgSrpd0b16KvwCiiYAxUvKopuJ5kXWB7ZBLkqFK7wbXYp9ZwwykUOjqwITPbFK-_e1PVGmli16zrzQXjH0L9w7glpYjpkjncsuir97DEFeHR_GjroUaGxv3Jg27yHK1YgwfZw/s1600/hex9.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="268" data-original-width="662" height="161" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiG8fD0Ce3HgSrpd0b16KvwCiiYAxUvKopuJ5kXWB7ZBLkqFK7wbXYp9ZwwykUOjqwITPbFK-_e1PVGmli16zrzQXjH0L9w7glpYjpkjncsuir97DEFeHR_GjroUaGxv3Jg27yHK1YgwfZw/s400/hex9.PNG" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div>
So let's try maybe half the cluster size: 0x1000 or 4092 bytes (8 sectors). If we find the start of the JPEG by searching for FFD8FFE0 we find it at 0x2000. We then search forward one 'trial cluster' of 0x1000 and find that there is no continuity of the high entropy data we would normally see in the data part of a JPEG. So our initial assumption of a cluster size of 0x2000 was wrong. So let's move forward with a cluster size of 0x1000.</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgjOyKiexEXQcBwvZO8ZZHif4Tcu8C4RFWDUTQbRhOBtcQu9aZ7X7EvwIvpbfdDVoZ9VhOUgxsYnbFz4_qX7KF_MtgQkjPMb5iNozuqYiIWPDLa_nH3NABp9Ajk8fz9vvvShD39rJI_IbFy/s1600/hex11.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="327" data-original-width="662" height="158" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgjOyKiexEXQcBwvZO8ZZHif4Tcu8C4RFWDUTQbRhOBtcQu9aZ7X7EvwIvpbfdDVoZ9VhOUgxsYnbFz4_qX7KF_MtgQkjPMb5iNozuqYiIWPDLa_nH3NABp9Ajk8fz9vvvShD39rJI_IbFy/s320/hex11.PNG" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div>
If we move forward from 0x3000 to 0x4000 we see some nice data that has high entropy again.</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi4fwtJcNGwbjaECRxXnwkbb-YT-ScwIaVsCSpMhbaRA-vPIwJ-tYYw_kPyX-UKuYhXRT0yJbi7hSo1Hfw3WbeHlMo2L-PT2FB1-oKQ7L0V4qSMhrsupzhPsKslIUvqVJ2bXpTWqQzQzQvK/s1600/hex12.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="461" data-original-width="660" height="223" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi4fwtJcNGwbjaECRxXnwkbb-YT-ScwIaVsCSpMhbaRA-vPIwJ-tYYw_kPyX-UKuYhXRT0yJbi7hSo1Hfw3WbeHlMo2L-PT2FB1-oKQ7L0V4qSMhrsupzhPsKslIUvqVJ2bXpTWqQzQzQvK/s320/hex12.PNG" width="320" /></a></div>
<div>
So it looks like our assumption of a cluster size of 0x1000 might be correct, so if we move forward another cluster of 0x1000 we see we are not in JPEG-type high entropy data anymore.</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgtMF3pJAAeMDjhPyafMeTTL8oAaqFLEL_bAjJwdVV6H4lGqVsRG1jqz1C8n-k8pbq5zFYNYggzZsro0DnPgoMp6Q2G1yS_sNALINKL7MmgyDBgza9rTSotKKXjsqUJ3ODoZBnXTTdwZkSB/s1600/hex13.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="567" data-original-width="664" height="273" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgtMF3pJAAeMDjhPyafMeTTL8oAaqFLEL_bAjJwdVV6H4lGqVsRG1jqz1C8n-k8pbq5zFYNYggzZsro0DnPgoMp6Q2G1yS_sNALINKL7MmgyDBgza9rTSotKKXjsqUJ3ODoZBnXTTdwZkSB/s320/hex13.PNG" width="320" /></a></div>
<div>
So maybe the JPEG finishes in this last cluster, i.e. from 0x3000 to 0x4000. So let's search forward from 0x4000 looking for FFD9 and we find a hit at 0x4424. </div>
<div>
So if we try making up the file of:</div>
<div>
0x2000 to 0x3000 and </div>
<div>
0x4000 to 0x4424</div>
<div>
If we combine those parts we have a file Carve3_2000_3000_4000_4224.jpg. In a hex editor we simply copy the first part, 0x2000 to 0x3000, to a file, then we copy 0x4000 to 0x4224 and append that to our file. Now let's check the results.</div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEisjaryzsh8vShdQ4y9TpCrQIM_05P1ZbQO36lkvM5SN1ErxkSbb-B7p_qWxuJ4ZbKHDcpz3B90Xp24BQ7SJxD2OByp8qOfwUfe1GdL1L_XOM0XI-SzXHxXETsH-zUOePRo00LFw5bTNoJ5/s1600/Carve3_2000_3000_4000_4224.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="240" data-original-width="293" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEisjaryzsh8vShdQ4y9TpCrQIM_05P1ZbQO36lkvM5SN1ErxkSbb-B7p_qWxuJ4ZbKHDcpz3B90Xp24BQ7SJxD2OByp8qOfwUfe1GdL1L_XOM0XI-SzXHxXETsH-zUOePRo00LFw5bTNoJ5/s1600/Carve3_2000_3000_4000_4224.jpg" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Carve3_2000_3000_4000_4224.jpg<br /></td></tr>
</tbody></table>
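The fragmented carve above is a manual entropy judgement: step one trial cluster at a time, keep what looks like JPEG data, skip what does not, stop at FFD9. Here is the same procedure as an added Python example (mine, not the blog's). It guesses the cluster size the way the post does, by checking for each candidate from 0x2000 down whether the bytes just before start+size still look like JPEG data, then walks clusters with a Shannon entropy threshold of 7 bits per byte. The blob is constructed to mirror Carve3.bin rather than being the real file: JPEG-shaped data at 0x2000, a foreign 0x1000-byte cluster of themeManager.xml-style text at 0x3000 and the tail at 0x4000, so its D9 lands at 0x4421 rather than the post's 0x4424. The entropy threshold, the window size and the candidate cluster sizes are assumptions.

```python
import math
import random
from collections import Counter

SOI = b"\xFF\xD8\xFF\xE0"
EOI = b"\xFF\xD9"


def shannon_entropy(chunk):
    """Bits per byte: 0.0 for empty or constant data, close to 8.0 for
    entropy-coded JPEG data or random bytes."""
    if not chunk:
        return 0.0
    n = len(chunk)
    return -sum((c / n) * math.log2(c / n) for c in Counter(chunk).values())


def guess_cluster_size(blob, start, candidates=(0x2000, 0x1000, 0x800),
                       threshold=7.0, window=0x400):
    """The post's test: with the right cluster size the whole first cluster
    of the JPEG is still JPEG data, so the bytes just before start+size must
    look like entropy-coded data. Return the largest candidate that passes."""
    for size in sorted(candidates, reverse=True):
        tail = blob[start + size - window:start + size]
        if len(tail) == window and shannon_entropy(tail) >= threshold:
            return size
    return None


def carve_fragmented(blob, start, cluster, threshold=7.0, max_clusters=64):
    """Walk forward from the header one cluster at a time. Keep a cluster when
    it looks like JPEG data, skip it when it does not, and stop at the first
    kept cluster that carries FFD9. Returns ([(start, end), ...], bytes|None)."""
    parts = []
    offset = start
    for _ in range(max_clusters):
        chunk = blob[offset:offset + cluster]
        if not chunk:
            break
        eoi = chunk.find(EOI)
        # judge only the bytes up to a footer, so slack after FFD9 does not
        # drag the entropy of a genuine final cluster down
        candidate = chunk if eoi < 0 else chunk[:eoi + 2]
        if offset == start or shannon_entropy(candidate) >= threshold:
            if eoi >= 0:
                parts.append((offset, offset + eoi + 2))
                return parts, b"".join(blob[a:b] for a, b in parts)
            parts.append((offset, offset + cluster))
        offset += cluster
    return parts, None


def build_fragmented_sample(cluster=0x1000, seed=7):
    """Constructed stand-in for Carve3.bin (not the real file): JPEG-shaped
    data from 0x2000 to 0x3000, a foreign cluster of OOXML-looking text at
    0x3000, and the JPEG's tail at 0x4000 ending in FFD9.
    Returns (blob, expected_reassembled_bytes)."""
    rng = random.Random(seed)

    def noise(n):
        b = bytes(rng.randrange(256) for _ in range(n))
        return b.replace(EOI, b"\xFF\x00").replace(b"\xFF\xD8", b"\xFF\x01")

    head = SOI + b"\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    part1 = head + noise(cluster - len(head))
    foreign = (b"theme/theme/themeManager.xml\n" * 200)[:cluster]
    tail = noise(0x420) + EOI
    blob = b"\x00" * 0x2000 + part1 + foreign + tail + b"\x00" * 0x200
    return blob, part1 + tail


if __name__ == "__main__":
    blob, expected = build_fragmented_sample()
    start = blob.find(SOI)
    size = guess_cluster_size(blob, start)
    parts, data = carve_fragmented(blob, start, size)
    print(f"cluster guess 0x{size:X}; fragments:",
          [f"0x{a:X}-0x{b:X}" for a, b in parts],
          "ok" if data == expected else "mismatch")
```

Running the walk with the wrong cluster size (0x2000) glues the foreign cluster into the output, which is the broken Carve3_2000_4424.jpg result reproduced in code; the entropy check is only a heuristic, so on real data you still eyeball the boundaries as the post does.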
<div>
Wow that looks good if I don't say so myself.... and my best profile too!</div>
<div>
<br /></div>
<div>
So that was quite a hexinating journey. So what did we cover? Carving a sequential JPEG from unallocated space right up to a fragmented carve. Good work. What you have learnt is the basis of every file recovery.</div>
<div>
<br /></div>
<div>
Until the next post TheHexNinja says:</div>
<div>
<br /></div>
<div>
<i>Seasons Greetings All</i></div>
<div>
<i>Prosperous New Year Awaits </i></div>
<div>
<i>Drink and Be Merry</i></div>
<div>
<br /></div>
<div>
<br /></div>
</div>
Hex Editors Phoaar (2016-07-26)<div dir="ltr" style="text-align: left;" trbidi="on">
<span style="font-size: x-large;">The Hex Editor</span><br />
<br />
OK, so our basic tool on this journey is the humble hex editor. But all is not so simple. There are a plethora of hex editors available. Basically we want to be able to highlight an area of interest, save.... view...save.. copy...paste.. cut..repeat....<br />
<br />
The basic features you will be using a lot of are<br />
<ul style="text-align: left;">
<li><b>Search</b>: bytes in hex, locate, count, index, export address</li>
<li><b>Goto</b>: both absolute and relative address.</li>
<li><b>Select</b>: nice if they are right click 'start', right click 'end'</li>
<li><b>Cut</b>, <b>Copy</b>, Insert Paste, Overwrite Paste</li>
<li><b>Hex/Decimal</b>: be able to switch between these easily</li>
</ul>
You will be doing these functions a lot! So choose a hex editor that can do those functions easily or with shortcuts. <br />
<br />
My favourite hex editors are (no affiliations or endorsements):<br />
<br />
<span style="font-size: large;">Paid</span>:<br />
<br />
<span style="font-size: large;">WinHex - Xways</span><br />
<a href="http://www.winhex.com/winhex/">http://www.winhex.com/winhex/</a><br />
<br />
Super fast, simple to use. All you really need for basic hex carving.<br />
The basic personal license is ~$60 and well worth it.<br />
For basic carving I really like the 'right click - beginning of block', 'right click - end of block', Edit - Copy Block into new file - voilà. <br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiyxWPVXxnySrENDU3DzwoDSVdHWhdjaSSEtAPNhIczuRpEADW63t_OsjsJO-BzTls3EA3HMVqDhf22NSx2zYBYdmfjSecljRad7_D7gLnNvF5GmJbOYMYOn3j0-lhTfnKLHfzhyphenhyphen5b2uzFF/s1600/WInHex.JPG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="342" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiyxWPVXxnySrENDU3DzwoDSVdHWhdjaSSEtAPNhIczuRpEADW63t_OsjsJO-BzTls3EA3HMVqDhf22NSx2zYBYdmfjSecljRad7_D7gLnNvF5GmJbOYMYOn3j0-lhTfnKLHfzhyphenhyphen5b2uzFF/s640/WInHex.JPG" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">WinHex Screenshot</td></tr>
</tbody></table>
<br />
<br />
<span style="font-size: large;">HexWorkshop</span><br />
<a href="http://www.hexworkshop.com/">http://www.hexworkshop.com/</a><br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj4iWG6nOOtNNhjEaaB39CQ_dH7xyKSa9VHK-3VE6PjhhwkGkUQkFrultFyzVQztAa6g3pk1jCwezsaLqINVbGqLpYKqekT-JnyZ2zaYn72s0159zPJG3Ley9wlwgt-IQ98U0XZCUUtCFPW/s1600/HexWorksop.JPG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="241" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj4iWG6nOOtNNhjEaaB39CQ_dH7xyKSa9VHK-3VE6PjhhwkGkUQkFrultFyzVQztAa6g3pk1jCwezsaLqINVbGqLpYKqekT-JnyZ2zaYn72s0159zPJG3Ley9wlwgt-IQ98U0XZCUUtCFPW/s640/HexWorksop.JPG" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Hex Workshop Screenshot</td></tr>
</tbody></table>
I like the coloured byte window....purrdy... It is nice to help identify periodic patterns, and you can pick up small changes in the data as you scroll through a file etc.<br />
License is $89.95<br />
Copying and cutting blocks of data is a little cumbersome as you need to specify start address and either size or end address. Not a show stopper, but it does slow the Hex Ninja down when he has his flow on. <br />
<br />
<br />
<span style="font-size: large;">010 Editor</span><br />
<a href="http://www.sweetscape.com/010editor/">http://www.sweetscape.com/010editor/</a><br />
A bit more expensive, but I like this one a lot for more complex operations and analysis.<br />
$129.95 or $49.95 for personal use.<br />
Has scripting capabilities and some nice file templates for parsing file structures.<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhnE2xF7SCASbDT7BrwY3j3P819g7l0sv2xHw6sc2dZ5vlyEDr9hzJ4_8LQIz7l6IrIYhmLNpL48ZuA9ufuTGb5oWTIzRLApvs2rIjJUnj6h54pxfVjPDjMTp2t9QJHzYhXU_CtJjtBlFzX/s1600/010.JPG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="402" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhnE2xF7SCASbDT7BrwY3j3P819g7l0sv2xHw6sc2dZ5vlyEDr9hzJ4_8LQIz7l6IrIYhmLNpL48ZuA9ufuTGb5oWTIzRLApvs2rIjJUnj6h54pxfVjPDjMTp2t9QJHzYhXU_CtJjtBlFzX/s640/010.JPG" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">010 Editor Screenshot</td></tr>
</tbody></table>
<br />
<br />
<br />
<span style="font-size: large;">Free Editors</span>:<br />
<br />
<span style="font-size: large;">Notepad++ with the Hex Editor Plugin</span><br />
<a href="https://notepad-plus-plus.org/">https://notepad-plus-plus.org/</a><br />
Good if you like to keep the programming, hex editing all in one place.<br />
<br />
<span style="font-size: large;">Hxd</span><br />
<a href="http://mh-nexus.de/en/hxd/">http://mh-nexus.de/en/hxd/</a><br />
<div>
Nice interface and has Mac version as well.</div>
<br />
Although forensic tools have the ability to show the hex, the features are pretty limited (except for XWAYS -WinHex)<br />
<br />
<br />
<span style="font-size: large;">Example</span><br />
So.... What daily functions does Hex Ninja like to do in a hex editor?<br />
<br />
The number one thing I do is see if a given file is intact, corrupted etc., so by simply opening a file in a hex editor we get to see what it really looks like and not what the file extension is labelling it as.<br />
<br />
So open as many files as you can so you get to see the basic structure they have. If you first focus on JPG, PNG, MP4/MOV, AVI, DOC and PDF, you will be across most filetypes you want to recover, rebuild etc.<br />
You will get so used to their structure and tags that you can recognise them in a stream of hex. <br />
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj4JPFVjd9oEHISAb4MiRljsIOYqzGDFLvLqmjlSwjnjF-6wD9OHRymDGQEyAas3Wl7t2p6EMPuLuqAJkdmmyu3mT8EVL4d1SHBNRrvt34cZnaE4wyRzM5ap2w9jM333x3qybjIN-hEG1nd/s1600/matrix1.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj4JPFVjd9oEHISAb4MiRljsIOYqzGDFLvLqmjlSwjnjF-6wD9OHRymDGQEyAas3Wl7t2p6EMPuLuqAJkdmmyu3mT8EVL4d1SHBNRrvt34cZnaE4wyRzM5ap2w9jM333x3qybjIN-hEG1nd/s1600/matrix1.jpg" /></a></div>
<br />
<br />
<span style="background-color: white; font-family: "helvetica" , "arial" , sans-serif; font-size: 13px; line-height: 16.25px;"><i>...there's way too much information to decode the Matrix. You get used to it, though. Your brain does the translating. I don't even see the code. All I see is blonde, brunette, redhead. Hey uh, you want a drink? -Cypher</i></span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<br />
<div style="-webkit-text-stroke-width: 0px; color: black; font-family: "Times New Roman"; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; margin: 0px; orphans: auto; text-align: left; text-indent: 0px; text-transform: none; white-space: normal; widows: 1; word-spacing: 0px;">
<br /></div>
<div style="-webkit-text-stroke-width: 0px; color: black; font-family: "Times New Roman"; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; margin: 0px; orphans: auto; text-align: left; text-indent: 0px; text-transform: none; white-space: normal; widows: 1; word-spacing: 0px;">
For example, the most common file the Hex Ninja sees is the JPG, or more correctly the JPEG File Interchange Format (JFIF). JPG is the file extension; JFIF is the container format it is stored in. Let's hexinate a typical JPEG.</div>
<div style="-webkit-text-stroke-width: 0px; color: black; font-family: "Times New Roman"; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; margin: 0px; orphans: auto; text-align: left; text-indent: 0px; text-transform: none; white-space: normal; widows: 1; word-spacing: 0px;">
<br /></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEivVnOqA_tHqZnWDqiaq45GC76R1VhCmBqFx-_j0szSiBnBypWvn91mkHDc_vuYB6CA044tcSe6fGggTXbEiymVG_4zR02UkXWJj_AN1T1Fm4K4U3ts4AF5zFgtzGOYryFpOJXwoYCKG7Uj/s1600/hex_ninjastar.JPG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="134" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEivVnOqA_tHqZnWDqiaq45GC76R1VhCmBqFx-_j0szSiBnBypWvn91mkHDc_vuYB6CA044tcSe6fGggTXbEiymVG_4zR02UkXWJj_AN1T1Fm4K4U3ts4AF5zFgtzGOYryFpOJXwoYCKG7Uj/s640/hex_ninjastar.JPG" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Hex View of JPEG</td></tr>
</tbody></table>
<div style="-webkit-text-stroke-width: 0px; color: black; font-family: "Times New Roman"; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; margin: 0px; orphans: auto; text-align: left; text-indent: 0px; text-transform: none; white-space: normal; widows: 1; word-spacing: 0px;">
<br /></div>
<div style="-webkit-text-stroke-width: 0px; color: black; font-family: "Times New Roman"; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; margin: 0px; orphans: auto; text-align: left; text-indent: 0px; text-transform: none; white-space: normal; widows: 1; word-spacing: 0px;">
To do any basic carving we need to find the start of a file and the end of the file OR an embedded size so we can find the end. Let's take a quick look under the hood.</div>
<div style="-webkit-text-stroke-width: 0px; color: black; font-family: "Times New Roman"; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; margin: 0px; orphans: auto; text-align: left; text-indent: 0px; text-transform: none; white-space: normal; widows: 1; word-spacing: 0px;">
<br /></div>
<div style="-webkit-text-stroke-width: 0px; color: black; font-family: "Times New Roman"; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; margin: 0px; orphans: auto; text-align: left; text-indent: 0px; text-transform: none; white-space: normal; widows: 1; word-spacing: 0px;">
The basic structure of a JFIF is a sequence of marker segments, each starting with 0xFF followed by a byte defining the marker type. Depending on the marker there can be embedded data and nested marker segments. </div>
<div style="-webkit-text-stroke-width: 0px; color: black; font-family: "Times New Roman"; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; margin: 0px; orphans: auto; text-align: left; text-indent: 0px; text-transform: none; white-space: normal; widows: 1; word-spacing: 0px;">
<br /></div>
<div style="-webkit-text-stroke-width: 0px; color: black; font-family: "Times New Roman"; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; margin: 0px; orphans: auto; text-align: left; text-indent: 0px; text-transform: none; white-space: normal; widows: 1; word-spacing: 0px;">
See <a href="https://en.wikipedia.org/wiki/JPEG">https://en.wikipedia.org/wiki/JPEG</a> for a basic overview or <a href="https://www.w3.org/Graphics/JPEG/itu-t81.pdf">https://www.w3.org/Graphics/JPEG/itu-t81.pdf</a> if you want to dig deeper.</div>
<div style="-webkit-text-stroke-width: 0px; color: black; font-family: "Times New Roman"; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; margin: 0px; orphans: auto; text-align: left; text-indent: 0px; text-transform: none; white-space: normal; widows: 1; word-spacing: 0px;">
<br /></div>
<div style="-webkit-text-stroke-width: 0px; color: black; font-family: "Times New Roman"; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; margin: 0px; orphans: auto; text-align: left; text-indent: 0px; text-transform: none; white-space: normal; widows: 1; word-spacing: 0px;">
The first 2 bytes 0xFFD8 indicate a 'Start Of Image' (SOI). </div>
<div style="-webkit-text-stroke-width: 0px; color: black; font-family: "Times New Roman"; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; margin: 0px; orphans: auto; text-align: left; text-indent: 0px; text-transform: none; white-space: normal; widows: 1; word-spacing: 0px;">
If we just searched for the two bytes 0xFFD8 on a disk or in 'unallocated space' we would get far too many false hits. Generally the longer and more specific the search term, the fewer false hits we get, so two bytes is a little short; let's see what follows that we could add to the search term. </div>
<div style="-webkit-text-stroke-width: 0px; color: black; font-family: "Times New Roman"; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; margin: 0px; orphans: auto; text-align: left; text-indent: 0px; text-transform: none; white-space: normal; widows: 1; word-spacing: 0px;">
<br /></div>
<div style="-webkit-text-stroke-width: 0px; color: black; font-family: "Times New Roman"; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; margin: 0px; orphans: auto; text-align: left; text-indent: 0px; text-transform: none; white-space: normal; widows: 1; word-spacing: 0px;">
The next two bytes 0xFFE0 indicate a 'JFIF APP0 marker segment', which has embedded data such as the text 'JFIF'. While 0xFFD8FFE0 is generally common across all cameras/phones, I have seen a couple of cameras that didn't put APP0 first but APP1 instead, i.e. 0xFFD8FFE1, but that is rare so let's keep it simple.</div>
<div style="-webkit-text-stroke-width: 0px; color: black; font-family: "Times New Roman"; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; margin: 0px; orphans: auto; text-align: left; text-indent: 0px; text-transform: none; white-space: normal; widows: 1; word-spacing: 0px;">
<br /></div>
<div style="-webkit-text-stroke-width: 0px; color: black; font-family: "Times New Roman"; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; margin: 0px; orphans: auto; text-align: left; text-indent: 0px; text-transform: none; white-space: normal; widows: 1; word-spacing: 0px;">
Next we need to look for an embedded size or embedded file marker. </div>
<div style="-webkit-text-stroke-width: 0px; color: black; font-family: "Times New Roman"; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; margin: 0px; orphans: auto; text-align: left; text-indent: 0px; text-transform: none; white-space: normal; widows: 1; word-spacing: 0px;">
<br /></div>
<div style="-webkit-text-stroke-width: 0px; color: black; font-family: "Times New Roman"; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; margin: 0px; orphans: auto; text-align: left; text-indent: 0px; text-transform: none; white-space: normal; widows: 1; word-spacing: 0px;">
Unfortunately there is no embedded size in the JFIF. We could technically decode the image as we carve to find the end, but that is a bit more intense, so let's start with simply finding the end. So we need to be looking for an end of file marker. In the JFIF specification it is End Of Image (EOI), 0xFFD9.... Really... a two byte marker! That can lead to a lot of false positives. Why didn't they make it an 8 byte marker? Even 4 or 6 bytes would be better! </div>
<div style="-webkit-text-stroke-width: 0px; color: black; font-family: "Times New Roman"; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; margin: 0px; orphans: auto; text-align: left; text-indent: 0px; text-transform: none; white-space: normal; widows: 1; word-spacing: 0px;">
<br /></div>
<div style="-webkit-text-stroke-width: 0px; color: black; font-family: "Times New Roman"; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; margin: 0px; orphans: auto; text-align: left; text-indent: 0px; text-transform: none; white-space: normal; widows: 1; word-spacing: 0px;">
There are a couple of issues we should be aware of so we can try and avoid false positives in a search and carve: </div>
<div style="-webkit-text-stroke-width: 0px; color: black; font-family: "Times New Roman"; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; margin: 0px; orphans: auto; text-align: left; text-indent: 0px; text-transform: none; white-space: normal; widows: 1; word-spacing: 0px;">
<br /></div>
<div style="-webkit-text-stroke-width: 0px; color: black; font-family: "Times New Roman"; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; margin: 0px; orphans: auto; text-align: left; text-indent: 0px; text-transform: none; white-space: normal; widows: 1; word-spacing: 0px;">
1. There can be embedded thumbnails inside the JFIF file that have the same SOI and EOI markers. Yep, good thinking JPEG working group! We can generally avoid this by ignoring an EOI that occurs too soon after the SOI. We can also carve out the thumbnails in a more thorough carve, to be done in later blogs. </div>
<div style="-webkit-text-stroke-width: 0px; color: black; font-family: "Times New Roman"; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; margin: 0px; orphans: auto; text-align: left; text-indent: 0px; text-transform: none; white-space: normal; widows: 1; word-spacing: 0px;">
2. If the end of the file has been overwritten we may not find the EOI marker until the end of another image. We can avoid this by limiting how far we search for the EOI after the SOI. </div>
<div style="-webkit-text-stroke-width: 0px; color: black; font-family: "Times New Roman"; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; margin: 0px; orphans: auto; text-align: left; text-indent: 0px; text-transform: none; white-space: normal; widows: 1; word-spacing: 0px;">
3. The image data may be fragmented. That is, cluster size blocks of the data can be intermingled with other files. Generally we do not know the location or sequence of the clusters. We will practise these in a later blog post. </div>
<div style="-webkit-text-stroke-width: 0px; color: black; font-family: "Times New Roman"; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; margin: 0px; orphans: auto; text-align: left; text-indent: 0px; text-transform: none; white-space: normal; widows: 1; word-spacing: 0px;">
<br /></div>
<div style="-webkit-text-stroke-width: 0px; color: black; font-family: "Times New Roman"; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; margin: 0px; orphans: auto; text-align: left; text-indent: 0px; text-transform: none; white-space: normal; widows: 1; word-spacing: 0px;">
The marker 0xFFD9 should not occur in the file unless it is the EOI (of the main image or thumbnails), ie we should not find it in the compressed image data (OK JPEG working group, at least you thought of that). </div>
<div style="-webkit-text-stroke-width: 0px; color: black; font-family: "Times New Roman"; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; margin: 0px; orphans: auto; text-align: left; text-indent: 0px; text-transform: none; white-space: normal; widows: 1; word-spacing: 0px;">
<br /></div>
<div style="-webkit-text-stroke-width: 0px; color: black; font-family: "Times New Roman"; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; margin: 0px; orphans: auto; text-align: left; text-indent: 0px; text-transform: none; white-space: normal; widows: 1; word-spacing: 0px;">
Now back to our simple carve. We locate the 0xFFD9 indicating the end of the file.</div>
<div style="-webkit-text-stroke-width: 0px; color: black; font-family: "Times New Roman"; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; margin: 0px; orphans: auto; text-align: left; text-indent: 0px; text-transform: none; white-space: normal; widows: 1; word-spacing: 0px;">
<br /></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhbnzTiY2a5hLQxPt-mSegYUxupUBTiz74z_wbzyhsCgaVUR9DF2c5plKlLYdgza3UkBfpx84wDIu-b-ifBbjZ8QAZW0UGW8vfpANLHdNE4qmpxH37l4LJEVuKZKs8BVSMo1JL-4f_Agil0/s1600/hex_ninjastar_end.JPG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="202" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhbnzTiY2a5hLQxPt-mSegYUxupUBTiz74z_wbzyhsCgaVUR9DF2c5plKlLYdgza3UkBfpx84wDIu-b-ifBbjZ8QAZW0UGW8vfpANLHdNE4qmpxH37l4LJEVuKZKs8BVSMo1JL-4f_Agil0/s640/hex_ninjastar_end.JPG" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">JFIF EOI Marker 0xFFD9</td></tr>
</tbody></table>
<div style="-webkit-text-stroke-width: 0px; color: black; font-family: "Times New Roman"; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; margin: 0px; orphans: auto; text-align: left; text-indent: 0px; text-transform: none; white-space: normal; widows: 1; word-spacing: 0px;">
<span style="font-size: large;">Summary:</span></div>
<div style="-webkit-text-stroke-width: 0px; color: black; font-family: "Times New Roman"; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; margin: 0px; orphans: auto; text-align: left; text-indent: 0px; text-transform: none; white-space: normal; widows: 1; word-spacing: 0px;">
<br /></div>
<div style="-webkit-text-stroke-width: 0px; color: black; font-family: "Times New Roman"; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; margin: 0px; orphans: auto; text-align: left; text-indent: 0px; text-transform: none; white-space: normal; widows: 1; word-spacing: 0px;">
So if we found what looked to be a JPEG in unallocated space or embedded in another file we can carve it out using the simple technique:</div>
<div style="-webkit-text-stroke-width: 0px; color: black; font-family: "Times New Roman"; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; margin: 0px; orphans: auto; text-align: left; text-indent: 0px; text-transform: none; white-space: normal; widows: 1; word-spacing: 0px;">
1. Search for 0xFFD8FFE0 and mark its first byte as the start of the block.</div>
<div style="-webkit-text-stroke-width: 0px; color: black; font-family: "Times New Roman"; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; margin: 0px; orphans: auto; text-align: left; text-indent: 0px; text-transform: none; white-space: normal; widows: 1; word-spacing: 0px;">
2. Search for 0xFFD9 and mark its last byte as the end of the block.</div>
<div style="-webkit-text-stroke-width: 0px; color: black; font-family: "Times New Roman"; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; margin: 0px; orphans: auto; text-align: left; text-indent: 0px; text-transform: none; white-space: normal; widows: 1; word-spacing: 0px;">
3. Copy the block into a new file, save it with a .jpg extension and you will have a carved JPEG.</div>
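The three-step carve above, together with the thumbnail and overwritten-tail guards from the issues list, as an added Python example (my code, not the blog's). It goes one step further than the recipe: carve_by_segments walks the JFIF marker segments by their embedded 2-byte lengths, so an EXIF thumbnail is skipped rather than mistaken for the end of the image. The sample bytes are constructed to have the marker layout only; they are not a real picture.

```python
"""JPEG/JFIF carving demo: added example, not the blog's own code.

carve_naive follows the blog's recipe (SOI+APP0/APP1 up to the next 0xFFD9), with
a minimum distance to skip a thumbnail's EOI and a maximum distance for a lost
tail. carve_by_segments instead walks the marker segments by their 2-byte
lengths, so a thumbnail inside APP1 (EXIF) is stepped over, not mistaken for EOI.
"""
import re

SOI = b"\xff\xd8"
EOI = b"\xff\xd9"
SOS_MARKER, EOI_MARKER = 0xDA, 0xD9
STANDALONE = {0xD8, 0xD9, 0x01} | set(range(0xD0, 0xD8))  # markers with no length
SIGNATURE = re.compile(rb"\xff\xd8\xff[\xe0\xe1]")        # step 1 search term


def carve_naive(buf, start, min_len=1024, max_len=20 * 1024 * 1024):
    """Steps 2-3: first EOI after start, ignoring any closer than min_len."""
    end = buf.find(EOI, start + min_len, start + max_len)
    return None if end == -1 else buf[start:end + 2]


def carve_by_segments(buf, start, max_len=20 * 1024 * 1024):
    """Every non-standalone marker is followed by a big-endian length that
    counts itself, so whole segments (thumbnail included) can be skipped.
    After SOS the entropy-coded data is scanned for the next real marker.
    Returns None if the structure is broken or truncated before EOI."""
    limit = min(len(buf), start + max_len)
    pos = start + 2                              # past SOI
    while pos + 2 <= limit:
        if buf[pos] != 0xFF:
            return None                          # expected a marker here
        marker = buf[pos + 1]
        if marker == 0xFF:                       # fill byte before a marker
            pos += 1
            continue
        if marker == EOI_MARKER:
            return buf[start:pos + 2]
        if marker in STANDALONE:
            pos += 2
            continue
        seg_len = int.from_bytes(buf[pos + 2:pos + 4], "big")
        if seg_len < 2:
            return None
        pos += 2 + seg_len                       # jump over the whole segment
        if marker == SOS_MARKER:
            # In scan data 0xFF is followed by 0x00 (byte stuffing) or an
            # RSTn marker; anything else is the next real marker.
            while True:
                ff = buf.find(b"\xff", pos, limit)
                if ff == -1 or ff + 1 >= limit:
                    return None                  # ran off the end: tail lost
                nxt = buf[ff + 1]
                if nxt == 0x00 or 0xD0 <= nxt <= 0xD7:
                    pos = ff + 2
                    continue
                pos = ff
                break
    return None


def carve_all(buf, carver=carve_by_segments):
    """[(offset, bytes)] for every signature hit the carver can close."""
    hits = []
    for m in SIGNATURE.finditer(buf):
        data = carver(buf, m.start())
        if data is not None:
            hits.append((m.start(), data))
    return hits


def _segment(marker, payload):
    """Test-data helper: FF <marker> <2-byte length incl. itself> <payload>."""
    return b"\xff" + bytes([marker]) + (len(payload) + 2).to_bytes(2, "big") + payload


def build_sample_jpeg(thumb=b"", scan_blocks=40):
    """Constructed marker layout (not a decodable picture): SOI, APP0 'JFIF',
    optional APP1 'Exif' carrying a thumbnail, SOS, scan data with byte
    stuffing and an RST0 marker, EOI."""
    app0 = _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    app1 = _segment(0xE1, b"Exif\x00\x00" + thumb) if thumb else b""
    sos = _segment(SOS_MARKER, b"\x01\x01\x00\x00\x3f\x00")
    scan = b"\x12\x34\xff\x00\x56\xff\xd0\x78" * scan_blocks
    return SOI + app0 + app1 + sos + scan + EOI


# Constructed "disk": junk, full image, junk, a copy whose tail was overwritten.
THUMB = build_sample_jpeg(scan_blocks=5)     # 72 bytes, has its own SOI/EOI
MAIN_JPEG = build_sample_jpeg(THUMB)         # 434 bytes, THUMB inside APP1
DISK = b"\x00" * 100 + MAIN_JPEG + b"\x00" * 50 + MAIN_JPEG[:200] + b"\x00" * 300

if __name__ == "__main__":
    naive0 = lambda b, s: carve_naive(b, s, min_len=0)   # no thumbnail guard
    for name, carver in (("naive", naive0), ("segments", carve_by_segments)):
        for off, data in carve_all(DISK, carver):
            print(f"{name:8s} @ {off:4d}: {len(data)} bytes")
```

Run as a script, the naive pass reports every hit as about 100 bytes (it stops at the thumbnail's EOI), while the segment walker returns the full 434-byte image, the 72-byte thumbnail, and nothing for the copy whose tail was overwritten.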
<div style="-webkit-text-stroke-width: 0px; color: black; font-family: "Times New Roman"; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; margin: 0px; orphans: auto; text-align: left; text-indent: 0px; text-transform: none; white-space: normal; widows: 1; word-spacing: 0px;">
<br /></div>
<div style="-webkit-text-stroke-width: 0px; color: black; font-family: "Times New Roman"; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; margin: 0px; orphans: auto; text-align: left; text-indent: 0px; text-transform: none; white-space: normal; widows: 1; word-spacing: 0px;">
<br /></div>
<div style="-webkit-text-stroke-width: 0px; color: black; font-family: "Times New Roman"; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; margin: 0px; orphans: auto; text-align: left; text-indent: 0px; text-transform: none; white-space: normal; widows: 1; word-spacing: 0px;">
<span style="background-color: white; font-family: "verdana" , sans-serif; font-size: 13.2px; line-height: 18.48px;">Until the next post TheHexNinja says:</span><br />
<span style="background-color: white; font-family: "verdana" , sans-serif; font-size: 13.2px; line-height: 18.48px;"><br /></span><i style="background-color: white; font-family: "Trebuchet MS", Trebuchet, Verdana, sans-serif; font-size: 13.2px; line-height: 18.48px;"><span style="color: #073763; font-family: "verdana" , sans-serif;">Bamboo bends in wind</span></i><br />
<i style="background-color: white; font-family: "Trebuchet MS", Trebuchet, Verdana, sans-serif; font-size: 13.2px; line-height: 18.48px;"><span style="color: #073763; font-family: "verdana" , sans-serif;">Ninja watches you alone</span></i><br />
<i style="background-color: white; font-family: "Trebuchet MS", Trebuchet, Verdana, sans-serif; font-size: 13.2px; line-height: 18.48px;"><span style="font-family: "verdana" , sans-serif;"><span style="color: #073763;">POISON DART IN BACK </span></span></i></div>
<div style="-webkit-text-stroke-width: 0px; color: black; font-family: "Times New Roman"; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; margin: 0px; orphans: auto; text-align: left; text-indent: 0px; text-transform: none; white-space: normal; widows: 1; word-spacing: 0px;">
<br /></div>
</div>
Workflow (posted 2016-01-13)<div dir="ltr" style="text-align: left;" trbidi="on">
<span style="font-family: Verdana, sans-serif;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjZrcnYIkT5FS8hhUIrhDvIe45HKaWrqA5ZsJRwweC6K3-9Dnd2p-psN3b-try423h-ge7rAcfcwxrJK0-dbQBFFrVwCVVLq-7_wchL2RE1uNJ66wwqhop4Ga9Eon1BXeyyL0mcgTvav0Mc/s1600/Workflow_B1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: Verdana, sans-serif;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjZrcnYIkT5FS8hhUIrhDvIe45HKaWrqA5ZsJRwweC6K3-9Dnd2p-psN3b-try423h-ge7rAcfcwxrJK0-dbQBFFrVwCVVLq-7_wchL2RE1uNJ66wwqhop4Ga9Eon1BXeyyL0mcgTvav0Mc/s1600/Workflow_B1.png" /></span></a></div>
<span style="font-size: large;"><span style="font-family: Verdana, sans-serif;"><br /></span></span>
<span style="font-size: large;"><span style="font-family: Verdana, sans-serif;">The first post is going to be a quick overview of my normal workflow and what tools I use. </span></span><br />
<span style="font-family: Verdana, sans-serif;"><span style="font-size: large;"><br /></span>
Firstly, welcome! Thanks for dropping by. Hopefully you will find something useful. If you want something explained in more detail, add a comment or send me an email. Happy to help. </span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">Now... when I say tools, I don't mean 'point and click'. I am not against them, but usually if I am looking at something in hex it is because the automated tools did not extract the data I need. It is also harder to explain how they work. </span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">You can choose what tools you like, but the main thing is that you are comfortable with them and can use them quickly.
</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif; font-size: large;">Workflow</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">The basic workflow goes like this:</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif; font-size: large;">1. What is this? </span><br />
<span style="font-family: Verdana, sans-serif;"> A big blob of data with juicy stuff inside. Excited? Me too. Look at all that HEX! Gigabytes of it! </span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhuDoRTokd0z4q6MxjzOwcBIaivzbeMnEMunoez-8sCaqbJEIgihyphenhyphensmjA59rp9rtndu3ZSjk8b2nBUWeiwI4yGdcrIcTuAfFdpFMaNpBFwUHzZzDzCkhCBHMJFB2fjUqBORAkeLTu4nduYD/s1600/hex_B1.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="236" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhuDoRTokd0z4q6MxjzOwcBIaivzbeMnEMunoez-8sCaqbJEIgihyphenhyphensmjA59rp9rtndu3ZSjk8b2nBUWeiwI4yGdcrIcTuAfFdpFMaNpBFwUHzZzDzCkhCBHMJFB2fjUqBORAkeLTu4nduYD/s640/hex_B1.PNG" width="640" /></a></div>
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif; font-size: large;">2. What are we looking for?</span><br />
<span style="font-family: Verdana, sans-serif;"> Pictures, videos, documents, SMS, MMS, chat, SQLite databases, web searches etc.</span><br />
<span style="font-family: Verdana, sans-serif;"> Knowing what we are looking for gives us information such as headers, footers and tags that we can search for.</span><br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<br />
<span style="font-family: Verdana, sans-serif; font-size: large;">3. What am I looking in? </span><br />
<span style="font-family: Verdana, sans-serif;"> Is this a file, a copy of a micro SD card, a hard disk drive DD image, a raw NAND chip dump?</span><br />
<span style="font-family: Verdana, sans-serif;"> This will help us know whether the data is contiguous, what the sector, page and block sizes are, and whether the data needs to be reordered. It will also help us know whether the filesystem is FAT32, NTFS, EXT4 etc.</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjyYe_APv9pwWiiJ4nE5wiJUAu-GfDOgg5gnZ5dB8p4NHwwQJhmddgznwzEe45SD_e3LQVncu9MjEB8X3kb_IgwoZPfmht0RAJ9w71uFKAQqaodGzWzmrznupvrnVqNeIzAMcyEw4ySSk3V/s1600/devices_b1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="249" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjyYe_APv9pwWiiJ4nE5wiJUAu-GfDOgg5gnZ5dB8p4NHwwQJhmddgznwzEe45SD_e3LQVncu9MjEB8X3kb_IgwoZPfmht0RAJ9w71uFKAQqaodGzWzmrznupvrnVqNeIzAMcyEw4ySSk3V/s320/devices_b1.png" width="320" /></a></div>
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif; font-size: large;">4. Is that data active or deleted?</span><br />
<span style="background-color: white; font-family: Verdana, sans-serif;"> If the data is active, then we can use a filesystem approach to find it (that is not really a topic for here but more details later).</span><br />
<span style="font-family: Verdana, sans-serif;"> If the data has been deleted, how long ago was it deleted? How big is the disk/memory, how full is the disk, how much was it used since the data was deleted?</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjoQqk6b6vXfFxr-6KdTa_b7JCS-bJK6_N5u7jMBxwKyCVa_3bqeeagy8a1t4sGXEtHT9RjvMCqA6ASjoPic9UzKnKOCqjaq4J3S5kxPc7znGG1g0W_sq3rPQ2YJMEn_bzQdoxtyvJ0RDPb/s1600/Deleted_B1.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="67" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjoQqk6b6vXfFxr-6KdTa_b7JCS-bJK6_N5u7jMBxwKyCVa_3bqeeagy8a1t4sGXEtHT9RjvMCqA6ASjoPic9UzKnKOCqjaq4J3S5kxPc7znGG1g0W_sq3rPQ2YJMEn_bzQdoxtyvJ0RDPb/s640/Deleted_B1.PNG" width="640" /></a></div>
<br />
<span style="font-family: Verdana, sans-serif; font-size: large;">5. Let's try looking manually</span><br />
<span style="font-family: Verdana, sans-serif;"> The reason we are looking manually is usually fragmentation, incomplete file finalisation or partial overwriting. Using our hex editor we search for tags/headers/footers to try and identify similar patterns or file structures.</span><br />
<span style="font-family: Verdana, sans-serif;"> Can we 'carve' out a file that can be viewed? Is the data fragmented, has it been partially overwritten? Do we need to build a new file? Do we have similar files from the same device?</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjON3-IevZCqY2ktvJvc_9OFxpNl_FbQGrO4wInswx_uUP2_DHJcF8_8L8rmdzWEzZzVGy5Gm9Peor3B7LkUZjuUX3VNsQ30bNRZW4KHTxLSn8y4DrQ34wnjiSyACjYVkdq3F_IixG4gHup/s1600/Matrix_b1.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="208" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjON3-IevZCqY2ktvJvc_9OFxpNl_FbQGrO4wInswx_uUP2_DHJcF8_8L8rmdzWEzZzVGy5Gm9Peor3B7LkUZjuUX3VNsQ30bNRZW4KHTxLSn8y4DrQ34wnjiSyACjYVkdq3F_IixG4gHup/s320/Matrix_b1.png" width="320" /></a></div>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgHfxkClWcPgqRlKG9r-YB0-fqgi8gsMKdLeBR9zO1U2hoQSC684VEij2zfW0BRXKsuNnb29knmKddB3chcB0_3jZoVO7XAiKEiovfYspOiV6mHWFZk9YdBi7VL0JoxLtSHca1k709eeQ4a/s1600/morpheus_B1.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em; text-align: center;"><img border="0" height="200" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgHfxkClWcPgqRlKG9r-YB0-fqgi8gsMKdLeBR9zO1U2hoQSC684VEij2zfW0BRXKsuNnb29knmKddB3chcB0_3jZoVO7XAiKEiovfYspOiV6mHWFZk9YdBi7VL0JoxLtSHca1k709eeQ4a/s200/morpheus_B1.jpg" width="200" /></a><br />
<br />
<span style="font-family: Verdana, sans-serif; font-size: large;"><br /></span>
<span style="font-family: Verdana, sans-serif; font-size: large;">6. Now let's automate this.</span><br />
<span style="font-family: Verdana, sans-serif;"> Once we have done this manually we can now write a script to automate this process. Sometimes we are only looking for one file or piece of data but often it will be many or we will get a similar job again so it is worth putting in the few minutes to script a semi-reusable solution.</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjEneRCW62BV6v-Lt4ZkDcsC4B22FFR2ZYYIkyaxixojiGn_wf8r-Kv7mffM8ajhsuNasJtCxq1gEKpfaW9GYyQvp_sP6pkEnt2xKC0aXjKGR0SInKV0I7xI9G4nmq2CCJYbLp8mktAWmrV/s1600/python_bl_b1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="256" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjEneRCW62BV6v-Lt4ZkDcsC4B22FFR2ZYYIkyaxixojiGn_wf8r-Kv7mffM8ajhsuNasJtCxq1gEKpfaW9GYyQvp_sP6pkEnt2xKC0aXjKGR0SInKV0I7xI9G4nmq2CCJYbLp8mktAWmrV/s640/python_bl_b1.png" width="640" /></a></div>
<br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">It would be nice to say this is the last step but there is a continuous loop between step 5 and 6. As we automate it, a new case breaks it, we adjust and automate ....</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">I am code language agnostic and have programmed in languages such as C64 BASIC, Fortran, Spice, various database 'languages', C, C++, VB, Java, Matlab, assembler and Python.</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">I currently like to use Python due to its simplicity, readability, support (where would I be without stackoverflow.com), rapid development, price (gratis is good), licensing, cross platform support, easy GUI support and easy deployment. We can package it up as an exe if we need to distribute it stand alone; this saves the 'oh it's missing a module!' or 'how do I run it?' dilemma that turns a lot of people off from running code. (Setting this up simply is planned for about post 8, so stay tuned.)</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">I am also OS agnostic: PC, Mac, Linux, DSP on embedded ARM... bring it on.</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">The code in the coming blogs will be using Python but as it is almost pseudo code, you can convert it to your language of choice. I am not up for a debate of which language is best.</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">The code is written to be understood. I am not here to show off how I reduced 8 lines of code into 1 so that now no one except Dr Smarty McSmarty can understand it, or how using a different instruction or module runs 13.6% faster. We can optimise later if we need to. Let's just get something working quickly so our brains can think about the problem and not get bogged down in syntax issues.</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">OK so let's get started!</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif; font-size: large;">Tools:</span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgc7ubFBaNfEIHrnJO0SSHhVXVi0DmP_MoiQL9u5jgZdZ4C-Ij0jgzpHiHbJUz3-E3aGBQL_WgakjpGpT1uSH6yKRvRQmQdsIIcE3wuLrx0uIqeTY8oa8Gfz7wIBmT61Y1r0V1GxMGyVHsb/s1600/Tools_B1.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: Verdana, sans-serif;"><img border="0" height="104" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgc7ubFBaNfEIHrnJO0SSHhVXVi0DmP_MoiQL9u5jgZdZ4C-Ij0jgzpHiHbJUz3-E3aGBQL_WgakjpGpT1uSH6yKRvRQmQdsIIcE3wuLrx0uIqeTY8oa8Gfz7wIBmT61Y1r0V1GxMGyVHsb/s200/Tools_B1.JPG" width="200" /></span></a></div>
<span style="font-family: Verdana, sans-serif; font-size: large;"><br /></span>
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">1. <a href="http://accessdata.com/product-download">FTK Imager</a> (free and simple to get 'forensic' copies of data like SD cards or Hard Disk Drives etc.)</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">2. Hex Editor (The next post will go over which ones I use and like)</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">3. Python (I usually use 2.7 due to the code base and support out there, but am also tinkering with 3)</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">And that's it! The results I have been able to get from these simple tools have surpassed anything commercial I have used and the difference is I get to understand it too. Which makes the next job/project easier... well, I keep telling myself that.</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">Until the next post TheHexNinja says:</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<i><span style="background-color: white; color: #073763; font-family: Verdana, sans-serif;">Gentle deer drinks dew</span></i><br />
<i><span style="background-color: white; color: #073763; font-family: Verdana, sans-serif;">Forest awakens new day</span></i><br />
<i><span style="font-family: Verdana, sans-serif;"><span style="background-color: white; color: #073763;">NINJA STAR TO NECK </span><span style="background-color: white; color: white;">TO NECK</span></span></i></div>