Navigation

Entries in forensics (6)

Thursday
Aug022012

Defcon 20 NFPC Round 4 - Easy Mode

This is an 'easy mode' guide to the NFPC at Defcon 20. Let's begin: starting at packet 253, there is a TCP/LPD session from 10.0.1.4 to 10.0.1.3. A quick scan of the reconstructed session reveals little:

Having never seen LPD traffic, we gave the RFC 1179 a quick read, lucky it's relatively short.

Click to read more ...

Sunday
Feb262012

CODEGATE 2012 - Forensics 200 Writeup

The challenge starts with a file and description:

File: C1E4775363DE0885E8360ED9A13A86B8

Question:

When IU who lives in Seoul tried to do SQL Injection attack a certain WEB site, suddenly the browser was closed abnormally. What is the SQL Injection value she tried to enter and when the browser was closed? The time is based on Korea Standard Time(UTC +09:00)

Time Format is YYYY-MM-DDThh:mm:ssTZD (TZD : +hh:mm or hh:mm)

Answer : injection_value|time ('|' is just a character)
Convert ' ' to '_' for injection value.

Click to read more ...

Thursday
Jul012010

Exploring recent PDF exploits: A Time Killer

Over the past few months I've seen numerous articles and CVEs on Adobe Reader and it's vulnerabilities. It seems like everyday I wake up to a new discussion on how to launch some bit of javascript or run application xyz. Well, I've also been seeing many attempts to exploit old vulnerabilities. (Usually by correlating suspicious domains to sets of drive-by-download PDF files thanks to a short script by my friend Dave.) Either way, this last week the number of malicious PDFs increased. So I decided to take some apart and familiarize myself with the different vulnerabilities and how JavaScript played a role. All the information I found had already been documented (and I'll try my best to link to those discoveries). But I want to walk through my investigation and maybe up-turn a few overlooked rocks.

Click to read more ...

Sunday
May092010

Fun with Network Forensics: Discovering a Rouge Bridge

This is a short write up on some interesting things I found while completing a midterm project for a Network Forensics class I took last year. My network forensics group decided to map the traffic for contemporary Windows-based denial of service vulnerabilities. Our project utilized a live network of volunteer hosts connected to the university network. We used NetFlow data collected by Flow Tools. While searching for possible exploits I found a hidden network bridge. The bridge used a non-human host registered to a roaming port in a networking closet. The host was eventually found to use a rouge process which proxied connections from an external residence on to campus. A malicious user could have used this bridge to proxy requests from their home through the university.

Click to read more ...

Thursday
Dec172009

Fun with Home Network Forensics

This semester I took a course called network forensics. It was a very interesting course, project based, which allowed the students to design any network forensics-related project they wished. For our project, completed with a classmate of mine, we analysed Cisco NetFlow data for our Fraternity house. There was quite a few administrative hoops to jump though, including authorization by the university's IRB (since we collected information about their students). I thought I'd share some of my experiences from the project. This summary will try to guide anyone interested in simple forensics with setting up a collection environment for their home network. Unfortunately it isn't a HOWTO or drop in system. Though if you try what I describe, you're bound to have some fun!

Click to read more ...