Registry Decoder v-1.4 released

This project is the live registry hive acquisition component of Registry Decoder. It is capable of acquiring both the currently running and historical registry files from a number of Windows operating system versions, both 32 and 64 bit.

The acquired files can then be imported into the offline analysis component for complete forensic investigation.
Registry Decoder, now version 1.4, had a number of enhancements, usability improvements, and updates to existing plugins. These include:
Diffing enhancements:

  • The ability to export diffs from both search and plugins
  • Diff exports now include the matching entries
  • Diff tabs have a color legend to explain the diffs
  • All reporting fields add default file extensions if not provided by the user
  • The ‘value’ of a registry ‘name’ is now added in search results
  • Fixed a bug where the same entry could appear multiple times in search results
  • Updates to the StreamMRU, ShellBags, ShellBagsMRU, and RecentDocsOrdered plugins by Kevin Moore

Download : regdecoderliveR24.zip (13.6 MB) 
Find Other Version |
Read more in here : http://code.google.com/p/regdecoderlive/

Update volatility v3.0 – An advanced memory forensics framework

This is a point release of source and binaries for the Volatility Technology Preview. This release is for public discussion and testing – it is _not_ an official stable release.

More documentation can be found here:
https://code.google.com/p/volatility/wiki/TechPreviewBranch

This release includes:
– Source code.
– All in one windows binary packed using pyinstaller – this does not need any pre-requisites.
– Windows and OSX memory acquisition drivers: Winpmem 1.1 release.
– Documentation.
The Volatility Framework is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples. The extraction techniques are performed completely independent of the system being investigated but offer unprecedented visibilty into the runtime state of the system. The framework is intended to introduce people to the techniques and complexities associated with extracting digital artifacts from volatile memory samples and provide a platform for further work into this exciting area of research.

Volatility supports memory dumps from all major 32- and 64-bit Windows versions and service packs including XP, 2003 Server, Vista, Server 2008, Server 2008 R2, and Seven. Whether your memory dump is in raw format, a Microsoft crash dump, hibernation file, or virtual machine snapshot, Volatility is able to work with it. We also now support Linux memory dumps in LiME format and include 35+ plugins for analyzing 32- and 64-bit Linux kernels from 2.6.11 – 3.5.x and distributions such as Debian, Ubuntu, OpenSuSE, Fedora, CentOS, and Mandrake.

For architecture details, installation and usage tutorials, and an API guide, see our wiki pages.

Windows Basic
Current date, time, CPU count, CPU speed, service pack
Current thread and idle thread
Addresses of the KDBG, KPCR, DTB, PsActiveProcessHead, PsLoadedModuleList, etc
Processes

  • List active processes (column or tree view)
  • Scan for hidden or terminated _EPROCESS objects (using pool tags or _DISPATCHER_HEADER)
  • Enumerate DLLs in the PEB LDR lists
  • Rebuild/extract DLLs or EXEs to disk based on name, base address, or physical offset
  • Print open handles to files, registry keys, mutexes, threads, processes, etc
  • List security identifiers (SIDs) for processes
  • Scan for cmd.exe command history and full console input/output buffers
  • List process environment variables
  • Print PE version information from processes or DLLs (file version, company name, etc)
  • Enumerate imported and exported API functions anywhere in process or kernel memory
  • Show a list of virtual and physical mappings of all pages available to a process
  • Dump process address space to disk as a single file
  • Analyze Virtual Address Descriptor (VAD) nodes, show page protection, flags, and mapped files
  • Represent the VAD in tree form or Graphviz .dot graphs
  • Dump each VAD range to disk for inspecting with external tools
  • Parse XP/2003 event log records

Kernel Memory

  • List loaded kernel modules and scan for hidden/unloaded module structures
  • Extract PE files including drivers from anywhere in kernel memory
  • Dump the SSDT for all 32- and 64-bit windows systems
  • Scan for driver objects, print IRP major function tables
  • Show devices and device tree layout
  • Scan for file objects (can show deleted files, closed handles, etc)
  • Scan for threads, mutex objects and symbolic links

GUI Memory

  • Analyze logon sessions and the processes and mapped images belonging to the session
  • Scan for window stations and clipboard artifacts (clipboard snooping malware)
  • Scan for desktops, analyze desktop heaps and attached GUI threads
  • Locate and parse atom tables (class names, DLL injection paths, etc)
  • Extract the contents of the windows clipboard
  • Analyze message hooks and event hooks, show the injected DLL and function address
  • Dump all USER object types, pool tags, and flags from the gahti
  • Print all open USER handles, associated threads or processes, and object offsets
  • Display details on all windows, such as coordiates, window title, class, procedure address, etc
  • Take screen shots from memory dumps (requires PIL)

Malware Analysis

  • Find injected code and DLLs, unpacker stubs, and decrypted configurations, etc
  • Scan process or kernel memory for any string, regular expression, byte pattern, URL, etc
  • Analyze services, their status (running, stopped, etc) and associated process or driver
  • Cross-reference memory mapped executable files with PEB lists to find injected code
  • Scan for imported functions in process or kernel memory (without using import tables)
  • Detect API hooks (Inline, IAT, EAT), hooked winsock tables, syscall hooks, etc
  • Analyze the IDT and GDT for each CPU, alert on hooks and disassemble code
  • Dump details of threads, such as hardware breakpoints, context registers, etc
  • Enumerate kernel callbacks for process creation, thread creation, and image loading
  • Display FS registration, registry, shutdown, bugcheck, and debug print callbacks
  • Detect hidden processes with alternate process listings (6+ sources)
  • Analyze kernel timers and their DPC routine functions
  • Networking
  • Walk the list of connection and socket objects for XP/2003 systems
  • Scan physical memory for network information (recover closed/terminated artifacts)
  • Determine if listening sockets are IPv4, IPv6, etc and link to their owning processes

Registry

  • Scan for registry hives in memory
  • Parse and print any value or key cached in kernel memory, with timestamps
  • Dump an entire registry hive recursively
  • Extract cached domain credentials from the registry
  • Locate and decrypt NT/NTLM hashes and LSA secrets
  • Analyze user assist keys, the shimcache, and shellbags
  • Crash Dumps, Hibernation, Conversion
  • Print crash dump and hibernation file header information
  • Run any plugin on a crash dump or hibernation file (hiberfil.sys)
  • Convert a raw memory dump to a crash dump for opening in !WinDBG
  • Convert a crash dump or hibernation file to a raw memory dump
  • Miscellaneous
  • Link strings found at physical offsets to their owning kernel address or process
  • Interactive shell with disassembly, type display, hexdumps, etc

Download : volatility-3.0-tp2.zip (9.8 MB) 
Find other version |
Read more in here : http://code.google.com/p/volatility/
Our post before :

Update Junkie the network sniffer v-2.2.0

Release Notes v-2.2.0 : Faster deadlock detection. Can replay pcaps in a loop. Can now pass nettrack values to a guile action. More documentation (in doc/). Support for multi-line HTTP headers. Guile files are pre-compiled before installation (see ./configure –help)


Junkie is a real-time packet sniffer and analyzer. It is modular enough to accomplish many different tasks. It can be a helpful companion to the modern network administrator and analyst. Compared to previously available tools, junkie lies in between tcpdump and wireshark. Unlike tcpdump, its purpose is to parse protocols of any depth; unlike wireshark, though, it is designed to analyze traffic in real-time and so cannot parse traffic as completely as wireshark does. In addition, its design encompasses extendability and speed. It has a plug-in system and high-level extension language that eases the development and combination of new functionalities; threaded packet capture and analysis for handling of high bandwidth networks; and a modular architecture to ease the addition of any protocol layer. It is based on libpcap for portability, and well-tested on professional settings.
Download : https://github.com/securactive/junkie/zipball/release/2.2.0
Read more right here : https://github.com/securactive/junkie
Our port Before : https://seclist.wordpress.com/2012/02/14/junkiethesniffer-v1-5-0-released/

update SecureSystems-Analyst Antimalware Toolkit v-8.8.2012

SecureSystems-Analyst Antimalware Toolkit is a toolkit based on Xubuntu 12.04 for malware analysis and collection purposes.
Features

  • Designed for reverse engineering malware. Contains many Firefox extensions and Tor Browser.
  • Uses XFCE to provide a customizable desktop that’s not too heavy on resources.
  • Also has some network analysis tools such as WireShark and Zenmap.
  • Live CD/Installer available only. Note does not fit onto a standard CD.

This toolkit is provided to help researchers reverse engineer malware.
It runs a customized Xubuntu 12.04 i386 Linux OS.
This package includes both a live dvd and installer.

Login Name: securesystems-analyst
Login Password: analyst

Root Account Password: analyst

System Requirements

VMware Workstation 8*
2GB of free ram.
25GB of free disk space.

*Other Virtual Environments(VirtualBox, Virtual PC etc) have not been tested.

Download : 8.8.2012.zipx (1.6 GB) 
Find Other version |
read more in here : http://www.cyberstealthlabs.org/projects/csl-antimalware-toolkit

Our post Before : https://seclist.wordpress.com/2012/07/13/securesystems-analyst-toolkit/

Update volatility v2.1 – An advanced memory forensics framework

The Volatility Framework is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples. The extraction techniques are performed completely independent of the system being investigated but offer visibilty into the runtime state of the system. The framework is intended to introduce people to the techniques and complexities associated with extracting digital artifacts from volatile memory samples and provide a platform for further work into this exciting area of research.

What’s new in 2.0 Highlights of this release include:

  •     Restructured and depolluted namespace
  •     Usage and Development Documentation
  •     New Configuration Subsystem
  •     New Caching Subsystem
  •     New Pluggable address spaces with automated election
  •     New Address Spaces (i.e. EWF, Firewire)
  •     Updated Object Model and Profile Subsystems (VolatilityMagic)
  •     Support for Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7
  •     Updated Scanning Framework
  •     Volshell integration
  •     Over 40 new plugins!

 

Volatility supports investigations of the following x86 bit memory images:

* Microsoft Windows XP Service Pack 2 and 3
* Microsoft Windows 2003 Server Service Pack 0, 1 and 2
* Microsoft Vista Service Pack 0, 1 and 2
* Microsoft 2008 Server Service Pack 1 and 2 (there is no SP 0)
* Microsoft Windows 7 Service Pack 0 and 1

Volatility currently provides the following extraction capabilities for
memory samples:

– Image date and time
– Running processes
– Open network sockets
– Open network connections
– DLLs loaded for each process
– Open files for each process
– Open registry keys for each process
– OS kernel modules
– Mapping physical offsets to virtual addresses
– Virtual Address Descriptor information
– Addressable memory for each process
– Memory maps for each process
– Extract executable samples
– Scanning examples: processes, threads,
sockets, connections, modules

Download Right Here  | Read more in here
Our Post Before : https://seclist.wordpress.com/2011/12/06/volatility-v2-0-an-advanced-memory-forensics-framework-release/

mft2csv : MFT decoder, NTFS File Extracter & cmdline fileinfo dumper

This tool will decode the $MFT record for a given file. It is a combination of mft2csv and NtfsFileExtracter. That means it is a tool for quick decode and dumping of file records. It does not write any csv, but dumps the information to the console. It is very handy when testing stuff and learning NTFS, as you can do stuff to a file and get it decoded right away, without first having to extract the whole $MFT and then decode it to a csv, before importing it into Excel or something and get the actual result. MFTRCRD is therefore for quick dumping of record information for individual files, whereas mft2csv is for decoding the complete $MFT with all its records, which may be a substantial amount and timeconsuming task.
It supports both file name+path and IndexNumber (MFT record) as input (param1). One switch (param3) is for optimizing decode speed when $ATTRIBUTE_LIST is present for a given file. For most usage, set param3 as attriblist=off. That will produce faster output. Only set param3 as attriblist=on when there is an $ATTRIBUTE_LIST attribute present. Another switch (param4) is for choosing wether to hexdump resolved INDX records from the $INDEX_ALLOCATION attribute.

Attributes currently handled:
$STANDARD_INFORMATION
$ATTRIBUTE_LIST
$FILE_NAME
$OBJECT_ID
$SECURITY_DESCRIPTOR (just raw hex dump)
$VOLUME_NAME
$VOLUME_INFORMATION
$DATA
$INDEX_ROOT
$INDEX_ALLOCATION
$BITMAP (just raw hex dump)
$REPARSE_POINT
$EA_INFORMATION
$EA
$LOGGED_UTILITY_STREAM

Download In here | Read more right here

Winpmem v-0.1 rc1 released.

Winpmem is an open source windows memory imager which exposes a raw device with direct physcial memory access.

This tool can be used to allow volatility to run on the raw memory of a live system – with no need to take an image.
Included is a simple user space imaging application using the driver.

Download In here | Read more right here