Incident Response Archives - Page 10 of 11

arp cache

Posted on May 12, 2022January 22, 2025 by randrada

Endpoint Analysis using Windows tool - arp cache

Address Resolution Protocol is a protocol or procedure that connects an ever-changing IP address to a MAC address, and every time a device requests a MAC address to send data to another device connected to the LAN, the device verifies its ARP cache to see if the IP-to-MAC address connection has already been completed.

From an incident response perspective, identifying the patient zero during the incident or an infection is just the tip of the iceberg, and as a responder you want to know what machines the patient is connected to and you can verify it via the machine’s ARP table.

To view the ARP cache or the ARP table, you can run the following syntax inside the command prompt: arp -a

The image below is a sample of an ARP table with the corresponding IP address and MAC address.

#note: The result may vary depending on your machine’s arp table.

DocFileViewer

Posted on May 10, 2022January 22, 2025 by randrada

Document Analysis using DocFileViewer

DocFileViewer is a document forensic analysis tool it is used to analyze [.]doc file extension. This is a GUI tool that can parse and view the OLE structure of Microsoft Doc files.

In an incident, time is critical to the responder, and they must have the skills and the right tools to perform such an action to be able to quickly timeline the attack.

Open or drag the document inside the tool.

oledump

Posted on May 10, 2022January 22, 2025 by randrada

Document Analysis using oledump.py

oledump.py is a document forensic analysis tool developed by Didier Stevens and it is used to analyze OLE files. These files contain streams of data. Oledump allows you to analyze these streams. Many applications use this file format, the best known is MS Office.

In an incident, time is critical to the responder, and they must have the skills and the right tools to perform such an action to be able to quickly timeline the attack.

#note: oledump.py will require olefile.py module to run.

Methods to fix this issue:

1. Download python and install olefile: use pip install olefile

2. Download olefile.py and paste it to olydump.py folder

To use the tool, open command prompt and run the following syntax: oledump.py -h

PDFStreamDumper

Posted on May 10, 2022January 22, 2025 by randrada

Document Analysis using PDFStreamDumper

PDFStreamDumper is a tool used for the analysis of malicious PDF documents. It has specialized tools for dealing with obfuscated JavaScript, low-level PDF headers and objects, and shellcode. In terms of shellcode analysis, it has an integrated interface for libemu sctest, an updated build of iDefense sclog, and a shellcode_2_exe feature.

In an incident, time is critical to the responder, and they must have the skills and the right tools to perform such an action to be able to quickly timeline the attack.

Drag or open the document inside the tool.

pdfparser

Posted on May 10, 2022January 22, 2025 by randrada

Document Analysis using PDF Tools Toolkit

pdf-parser.py is a document forensic analysis tool developed by Didier Stevens and it is used to analyze [.]pdf file extensions. This tool will parse a PDF document to identify the fundamental elements used in the analyzed file.

In an incident, time is critical to the responder, and they must have the skills and the right tools to perform such an action to be able to quickly timeline the attack.

Pdfid

Posted on May 10, 2022January 22, 2025 by randrada

Document Analysis using PDF Tools Toolkit

pdfid.py is a document forensic analysis tool developed by Didier Stevens and it is used to analyze [.]pdf file extensions. This tool scans a file to look for PDF keywords, allowing you to identify PDF documents that contain JavaScript or execute an action when opened.

In an incident, time is critical to the responder, and they must have the skills and the right tools to perform such an action to be able to quickly timeline the attack.

MalHost-Setup

Posted on May 7, 2022January 22, 2025 by randrada

Document Analysis using OfficeMalScanner Toolkit

MalHost-Setup is the last tool we will discuss in the OfficeMalScanner toolkit and what it does is converts the document’s malicious offset into an executable to expedite the process of analysis.

In an incident, time is critical to the responder and it must have the skills and the right set tools to perform such action to be able to quickly timeline the attack.

Open command prompt and run:

MalHost-Setup.exe <document_name> <exe_name> <offset_address>

DisView

Posted on May 7, 2022January 22, 2025 by randrada

Document Analysis using OfficeMalScanner Toolkit

DisView is bundled inside the OfficeMalScanner toolkit, it works by disassembling the code inside the malicious offset for further analysis.

In an incident, time is critical to the responder, and they must have the skills and the right tools to perform such an action to be able to quickly timeline the attack.

To use the tool:

Open command prompt run > DisView.exe <document_name> <offset_address>

RTFScan

Posted on May 7, 2022January 22, 2025 by randrada

Document Analysis using OfficeMalScanner Toolkit

RTFScan is a document forensic analysis tool to analyze [.]rtf file extensions. The toolkit includes OfficeMalScanner, RTFScan, DisView and MalHost tools that aid the analyst in analyzing documents in relation to phishing incidents.

In an incident, time is critical to the responder, and they must have the skills and the right tools to perform such action to be able to quickly timeline the attack.

OfficeMalScanner

Posted on May 7, 2022January 22, 2025 by randrada

Document Analysis using OfficeMalScanner Toolkit

OfficeMalScanner is a document analysis part of OfficeMalScanner toolkit that is developed by Frank Boldewin. It is used to analyze [.]doc file extensions. The toolkit includes RTFScan, DisView, MalHost-Setup that aid the analyst in investigating documents that are related to phishing.

In an incident, time is critical to the responder, and they must have the skills and the right tools to perform such an action to be able to quickly timeline the attack.