Sunday, December 18, 2016

RAM File System in Python

One of the first things you are taught when studying Computer Forensic Investigation is the concept of evidence volatility. Simply put, some pieces of evidence will be available for collection for a much shorter amount of time than other pieces. You must always collect evidence from the most to least volatile. For a concrete example of "why" this practice must be applied you can consider the bot I have developed below.

Sunday, December 4, 2016

Incident Response Reading Material

The SANS institute has been nice enough to collect a list of checklists and procedural documentation to aid the Computer Forensic Examiner in the possible tasks they may be faced with. https://www.sans.org/score/checklists

Sunday, September 11, 2016

Escalate Plowman – Linux FW Privilege Escalated Download and Execute

The Escalate Plowman tool (https://github.com/dreilly369/EQGRP-Auction-Files/tree/master/Firewall/EXPLOITS/ESPL) is a parameterized dropper (or a privilege escalation exploit) against WatchGuard firewalls (and likely a few others) of unknown versions. It injects code via the ifconfig command. It uses FTP, TFTP, or HTTP (via wget) for the download portions. The code makes some assumptions about the environment. For instance, when using the TFTP protocol it assumes the existence of a custom tftp client located at the hard-coded location /usr/rapidstream/bin/tftp. The sample also assumes the interface is eth0.

Saturday, September 10, 2016

Extrabacon's Sploit Framework 1: Static Analysis

Sploit is the modular core that runs the EXTRABACON exploit in the (supposed) Equation Group tool dump. While everyone is focused on the news of the 0-days and the recent porting of this old exploit to newer ASA versions (http://www.securityweek.com/leaked-cisco-asa-exploit-adapted-newer-versions), I chose to look at the underlying structure. First, because there are already a number of talented researchers covering every angle of each exploit in greater detail than I could.

Saturday, August 20, 2016

RFIDler revisited: RFIDling with Proximity card UID collection

My first few projects scripting for the RFIDler were an exploratory effort. As you can see from my integration post and my first auto-capture script, there were a number of features I breezed past. The main one I want to discuss now is the RFIDler Python class.

Sunday, July 10, 2016

Cracking an OTP Cipher: Python Unit Testing by Example - Part 2 Unit Testing with Python

Now that we have defined the steps for our algorithm (if you have not read part 1, go do that first), we can begin to describe what features we want the core of our OTP reuse cracker to have. This is where Unit Tests fit in. They describe explicitly what the System needs to do to pass and be considered

Cracking an OTP Cipher: Python Unit Testing by Example - Part 1 Encryption Motivation

This article is special to me because it combines 3 things I love dearly in one project. Today I am going to talk about how someone (namely me) can use the Python language to automate an attack on an implementation of the One Time Pad Encryption Scheme that ignored the "One-Time" portion of the name. Python, Unit Testing, and Attacking Crypto...does it get any better?