fred

Digital Forensics Tool - FRED

Forensics Registry Editor (FRED) is a specialized tool designed for in-depth analysis and editing of the Windows registry in a forensic context. This tool allows investigators to examine, modify, and export registry keys and values from live systems or offline registry hives extracted from suspect machines. FRED provides detailed insights into registry changes, user activity, and system configurations critical for digital forensics investigations. By working with snapshots of the registry, FRED enables timeline reconstruction and aids in identifying potential indicators of compromise (IoCs) or malicious persistence mechanisms. The tool’s user-friendly interface and export capabilities make it suitable for both live forensics and post-incident investigations, providing comprehensive reports that can be used for further analysis or as evidence in legal proceedings.

Forensics Registry Editor

This tool works just like a regular registry editor, such as Registry Explorer by Eric Zimmerman himself. Registry hives are located in C:\Windows\system32\config; with FRED's simple drag-and-drop capability, a forensics investigator can view their contents easily.


The Sleuth Kit Tools

Arsenal Image Mounter

Digital Forensics Tool - Arsenal Image Mounter

Arsenal Image Mounter (AIM) is a powerful forensic tool for mounting and analyzing disk images. Unlike traditional disk mounting tools, AIM allows forensics investigators to mount disk images (including E01, VHD, VMDK, and raw formats) directly into the Windows kernel as complete disk devices, ensuring that the mounted images behave exactly like physical disks. This enables forensic professionals to perform advanced analysis, such as retrieving hidden data, unallocated space, or deleted files that standard mounting methods might overlook.

AIM supports various write-protection options to prevent any modifications to the original disk images, ensuring forensic integrity throughout the analysis. The tool is often used with other forensics software for in-depth evidence investigation, making it ideal for incident response, digital forensics investigations, and legal proceedings. With Arsenal Image Mounter, users can also mount snapshots of virtual machine disks, making it a versatile solution for investigating physical and virtual environments. The detailed logs and reports generated during mounting sessions can be exported for further forensics analysis and case documentation.

Arsenal Image Mounter: Mounting Disk Image

Go to File > Mount Disk Image

Select the disk image file; disk images usually have the E01, VHD, or VMDK file extension.

Arsenal Image Mounter: Ensuring Disk Integrity

Read-only mode ensures disk integrity by preventing any modifications to the data stored on the disk. This safeguards the system from unintended changes, file corruptions, or malicious attacks, ensuring that the original state of the data is preserved.

In forensics investigations, mounting a disk as read-only ensures that the evidence remains untouched, which is crucial for maintaining its validity in court. This method guarantees that the digital evidence can be trusted and upheld in legal proceedings by preventing alterations.

Since the disk comes from a Windows system, we assume the file system is NTFS, which explains the 512-byte sector size.

Arsenal Image Mounter: Interpreting the Output

The tool identifies the disk as PhysicalDrive1 with a size of 18GB and detects the presence of Volume Shadow Copies. These shadow copies are snapshots created by the Windows Volume Shadow Copy Service (VSS), which can provide valuable forensic evidence by allowing access to previous versions of files or deleted data.
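Rather than assuming the sector size from the file system, the NTFS volume boot record states it directly (bytes per sector at offset 0x0B, sectors per cluster at 0x0D, total sectors at 0x28, $MFT start cluster at 0x30). The following added example, not part of the original page or of Arsenal Image Mounter, builds a constructed boot sector and parses it back; on a real raw image you would read 512 bytes at the partition's start offset instead.

```python
import struct

NTFS_OEM_ID = b"NTFS    "

def build_ntfs_boot_sector(bytes_per_sector=512, sectors_per_cluster=8,
                           total_sectors=37_748_735, mft_cluster=786_432):
    """Constructed NTFS volume boot record for demonstration, not one read from an
    image (37,748,735 sectors * 512 bytes is just under 18 GiB, like the disk above)."""
    sec = bytearray(512)
    sec[0:3] = b"\xEB\x52\x90"                       # jump instruction
    sec[3:11] = NTFS_OEM_ID                           # OEM ID
    struct.pack_into("<H", sec, 0x0B, bytes_per_sector)
    sec[0x0D] = sectors_per_cluster
    sec[0x15] = 0xF8                                  # media descriptor: fixed disk
    struct.pack_into("<Q", sec, 0x28, total_sectors)
    struct.pack_into("<Q", sec, 0x30, mft_cluster)   # $MFT start cluster
    sec[510:512] = b"\x55\xAA"                        # boot signature
    return bytes(sec)

def parse_ntfs_boot_sector(sec):
    """Read the geometry NTFS records about itself instead of assuming it."""
    if len(sec) < 512 or sec[510:512] != b"\x55\xAA":
        raise ValueError("missing 0x55AA boot signature")
    if sec[3:11] != NTFS_OEM_ID:
        raise ValueError("OEM ID is not NTFS; not an NTFS volume boot record")
    bps, = struct.unpack_from("<H", sec, 0x0B)
    spc = sec[0x0D]
    if spc > 0x80:        # large clusters are encoded as 256 - log2(sectors per cluster)
        spc = 1 << (256 - spc)
    total, = struct.unpack_from("<Q", sec, 0x28)
    mft, = struct.unpack_from("<Q", sec, 0x30)
    return {"bytes_per_sector": bps, "sectors_per_cluster": spc,
            "cluster_size": bps * spc, "total_sectors": total,
            "volume_size_bytes": total * bps, "mft_offset_bytes": mft * bps * spc}

if __name__ == "__main__":
    # For a real raw image: read 512 bytes at the partition's start offset.
    print(parse_ntfs_boot_sector(build_ntfs_boot_sector()))
```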


BTLO Dot

Blue Team Labs Online - Dot Walkthrough

Scenario: Investigate the host (procmon) and network (pcap) logs captured from a compromised machine. Use ProcDOT to correlate both logs and answer the following questions.

Tool: ProcDOT, ProcMon, Wireshark

Question 1: The attacker downloaded a tool from github.com. What is the process that initiated the connection, and what is the file name it is saved as?

Question 2: PowerShell is used to download files from the attacker machine. What is the process ID of the PowerShell process that downloaded the first file? Also, what is the attacker machine IP?

Question 3: What is the port from which the second file was downloaded and what is the full path of the downloaded file?

Question 4: Attacker got control over the system after the injection, assuming he used Meterpreter, what is the payload he would have used (written as selected in Metasploit) and what is the port?

Question 5: What is the PID of the victim process on which the injection happened?

Question 6: What is the pid and location of the main malware which initiated these actions?

ProcDOT

Dynamic Malware Analysis with ProcDOT

ProcDOT is primarily used for visualization, leveraging ProcMon’s CSV files and Wireshark’s PCAP files to create a detailed representation of events that occur when a program is executed. This provides the user with valuable insights into system and network activity, helping them better understand what transpired during the program’s execution. 

Here’s a sample of how ProcDOT is used: 

Once the files are loaded (Procmon logs and PCAP file) we can then look for an interesting process to continue our analysis.

Here, we select one of the “powershell.exe” processes.

We can see that this PowerShell script was used to download a file from ‘raw.githubusercontent.com’. While identifying this network communication using tools like ProcMon and Wireshark might take some time, ProcDOT simplifies the process and quickly reveals the details for us.
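The pivot ProcDOT draws for us (which PID opened a connection to a given host, and what that PID wrote to disk afterwards) can also be scripted over ProcMon's CSV export, which is handy for checking answers such as Question 1 and Question 2 above. This is an added example, not code from the page or from ProcDOT; the CSV rows, PIDs, hosts and paths are constructed, not the lab's data.

```python
import csv
import io
import re

# Constructed ProcMon CSV excerpt with the columns ProcMon exports (not the lab's data).
SAMPLE_CSV = r"""
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","powershell.exe","4120","TCP Connect","host-a:49712 -> raw.githubusercontent.com:443","SUCCESS","Length: 0"
"10:01:03.5","powershell.exe","4120","CreateFile","C:\Users\victim\Downloads\tool.exe","SUCCESS","Desired Access: Generic Write"
"10:01:03.6","powershell.exe","4120","WriteFile","C:\Users\victim\Downloads\tool.exe","SUCCESS","Offset: 0, Length: 4096"
"10:01:05.0","chrome.exe","2200","TCP Connect","host-a:49720 -> www.example.com:443","SUCCESS","Length: 0"
"10:01:06.0","powershell.exe","4120","TCP Connect","host-a:49730 -> 10.10.10.5:8080","SUCCESS","Length: 0"
"10:01:07.2","powershell.exe","4120","WriteFile","C:\Users\victim\AppData\Local\Temp\stage2.exe","SUCCESS","Offset: 0, Length: 2048"
"""

def parse_procmon(csv_text):
    """Rows as dicts keyed by ProcMon's column headers."""
    return list(csv.DictReader(io.StringIO(csv_text.strip())))

def remote_endpoint(path):
    """ProcMon network paths read 'src:port -> dst:port'; return (dst, port)."""
    if "->" not in path:
        return None, None
    dst = path.split("->", 1)[1].strip()
    host, _, port = dst.rpartition(":")
    return host, port

def correlate_downloads(rows, host_regex):
    """For each PID whose TCP Connect went to a host matching host_regex, record the
    endpoint and every file that PID wrote afterwards (the pivot ProcDOT visualizes)."""
    pat = re.compile(host_regex, re.IGNORECASE)
    hits = {}
    for row in rows:
        pid, op = row["PID"], row["Operation"]
        if op == "TCP Connect":
            host, port = remote_endpoint(row["Path"])
            if host and pat.search(host) and pid not in hits:
                hits[pid] = {"process": row["Process Name"], "host": host,
                             "port": port, "files": []}
        elif op == "WriteFile" and pid in hits and row["Path"] not in hits[pid]["files"]:
            hits[pid]["files"].append(row["Path"])
    return hits

if __name__ == "__main__":
    rows = parse_procmon(SAMPLE_CSV)
    print(correlate_downloads(rows, r"github"))   # Question 1 style pivot
    print(correlate_downloads(rows, r"^10\."))    # Question 2 style pivot
```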

jadx

Android Package Reverse Engineering with JADX (Java to Dex)

JADX is a powerful tool used for decompiling Android APK files, transforming DEX bytecode into human-readable Java source code. By providing a user-friendly GUI and command-line interface, JADX makes it easier for users to explore and analyze the internal logic and structure of Android applications. It is widely utilized for reverse engineering, malware analysis, and security auditing, offering a quick and efficient way to gain insights into an app’s source code.

Here’s a sample of how JADX is used: 

First, run jadx with the ‘-h’ option to list the available options.

Next, extract the zip file and simply run the command: 

jadx -d <output_directory> somefile.apk

The command above will decompile the APK file and will drop the files to the selected directory.

Finally, you can proceed with your analysis.

ByteCodeViewer

Android Package Reverse Engineering with ByteCodeViewer

ByteCodeViewer is a comprehensive reverse engineering tool designed to analyze Java and Android applications. It provides a unified platform to decompile, debug, and analyze bytecode using various decompilers, including CFR, FernFlower, and Procyon. Equipped with a powerful GUI, ByteCodeViewer enables users to explore classes, methods, and application structures with ease. It is a go-to tool for developers, security researchers, and reverse engineers, simplifying tasks like debugging, malware analysis, and application auditing.

Here’s a sample of how ByteCodeViewer is used: 

Command: java -jar Bytecode-Viewer.jar

Note: This tool requires Java as a dependency; make sure it is installed on your system.

BTLO Maldroid

Blue Team Labs Online - Maldroid Walkthrough

Scenario: Hey buddy, you are good with computers, right? Can you fix my phone? I installed an application, and all I see on my phone is that I have saved the required files on the Desktop. Please have a look.

Tool: APKTool, jadx, dex2jar-tools, bytecodeviewer

Question 1: What is the package name of the apk?

Question 2: Does the APK enable backups? If so, what file is it declared in, and what is the minimum Android version the ransomware affects?

Question 3: What is the name of the Android application?

Question 4: Can the application run on startup? What is its intent priority?

Question 5: What is the decryption key?

APKTool

Android Package Reverse Engineering with APKTool

APKTool is a versatile tool primarily used for reverse engineering Android APK files. It enables users to decode APK resources to nearly original form, rebuild modified APKs, and troubleshoot issues with APKs. 

By decompiling and reassembling the app’s components, APKTool provides valuable insights into an application’s structure, resources, and functionality, aiding in tasks such as malware analysis, debugging and localization.

Here’s a sample of how APKTool is used: 

Use the ‘d’ option to decode the APK file. 

Command: apktool d <apk_file>

After executing the command, the APK file is decoded, generating multiple files essential for further analysis.

Among these, several folders are created in the current directory, along with the AndroidManifest.xml file, which contains the configuration details (package name, permissions, backup setting, components and their intent filters) that the Maldroid questions above ask about.
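Once apktool has decoded the manifest, the fields behind Questions 1 to 4 of the Maldroid walkthrough (package name, allowBackup, minSdkVersion, and any receiver listening for BOOT_COMPLETED with its intent-filter priority) can be pulled out programmatically. This added example is not the page's or apktool's code; the manifest below is constructed with placeholder values, not the lab's sample, and note that some apktool versions move uses-sdk into apktool.yml, in which case min_sdk comes back as None.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed manifest in the shape apktool writes; names and values are placeholders.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed">
  <uses-sdk android:minSdkVersion="19" android:targetSdkVersion="28"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:allowBackup="true" android:label="Constructed Sample">
    <activity android:name=".MainActivity"/>
    <receiver android:name=".BootReceiver" android:exported="true">
      <intent-filter android:priority="999">
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

def triage_manifest(xml_text):
    """Extract the manifest facts the walkthrough asks for from decoded XML text
    (for a file on disk use ET.parse(path).getroot() instead of ET.fromstring)."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    sdk = root.find("uses-sdk")
    backup = app.get(ANDROID_NS + "allowBackup") if app is not None else None
    info = {
        "package": root.get("package"),
        "label": app.get(ANDROID_NS + "label") if app is not None else None,
        # an absent allowBackup attribute means the platform default, which is true
        "allow_backup": True if backup is None else backup.lower() == "true",
        "min_sdk": sdk.get(ANDROID_NS + "minSdkVersion") if sdk is not None else None,
        "boot_receivers": [],
    }
    for rcv in root.iter("receiver"):
        for filt in rcv.findall("intent-filter"):
            actions = {a.get(ANDROID_NS + "name") for a in filt.findall("action")}
            if "android.intent.action.BOOT_COMPLETED" in actions:
                info["boot_receivers"].append({
                    "name": rcv.get(ANDROID_NS + "name"),
                    "priority": int(filt.get(ANDROID_NS + "priority", "0")),
                    "exported": rcv.get(ANDROID_NS + "exported"),
                })
    return info

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```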

Malzilla JavaScript Analysis

JavaScript Malware Analysis using Malzilla

Malzilla is a GUI-based tool for analyzing malicious JavaScript and web pages. It is specifically built to deobfuscate JavaScript by using the SpiderMonkey JavaScript engine to execute the JavaScript code.

JavaScript Analysis From Malware Analysis Perspective:

This involves examining the code to uncover potential malicious behavior, understand its functionality, and identify any obfuscation techniques employed. By dissecting the JavaScript, analysts aim to detect payload delivery mechanisms, identify suspicious patterns, and determine the impact it may have on systems and data.

JavaScript analysis plays a crucial role in cybersecurity, enabling researchers to identify and mitigate potential threats. Malicious JavaScript continues to be a favored vector for attacks, ranging from spear-phishing campaigns to drive-by downloads.

The use of tools like Malzilla significantly enhances the analysis process, making it faster and more efficient. By leveraging such tools, security professionals can effectively dissect malicious code and respond swiftly to protect their systems and data.

SSDEEP Fuzzy Hashing

Malware Static Analysis with SSDEEP Fuzzy Hashing Tool

ssdeep is a tool used for fuzzy hashing, a type of hashing that employs Context-Triggered Piecewise Hashing (CTPH). Essentially, this tool is used to compare files that are similar but not identical.

Using ssdeep, it is possible to classify various malware samples, and if any similarities are detected, the tool can identify the malware family to which the sample belongs.