Posts

Showing posts from 2022

Tcpxtract – Extract Files from Network Traffic AKA Carving

Tcpxtract – Extract Files from Network Traffic AKA Carving. Last updated: September 9, 2015. tcpxtract is a tool for extracting files from network traffic based on file signatures. Extracting files based on file-type headers and footers (sometimes called "carving") is an age-old data recovery technique. Tools like Foremost employ this technique to recover files from arbitrary data streams; tcpxtract applies it specifically to intercepting files transmitted across a network. Other tools that fill a similar need are driftnet and EtherPEG. Both monitor a network and extract graphic files from it, and are commonly used by network administrators to police the internet activity of their users. Their major limitation is that they support only three file types, with no easy way of adding more. The search technique they use is also not scalable and does not search across packet boundaries. tcpxtract fe
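The header/footer carving described above, written out as an added example (this is not tcpxtract's own code). It carves a reassembled TCP stream rather than individual packets, which is exactly the case driftnet and EtherPEG miss: the signature table is a small constructed subset of the kind of entries tcpxtract.conf holds, and the "PNG" below is a constructed stand-in whose 8-byte header straddles two segments.

```python
# Added example (not tcpxtract's own code): a minimal header/footer carver that
# works over a reassembled TCP stream, so a signature split across two packets
# is still recovered. Signatures below are a small constructed subset of the
# kind of entries tcpxtract.conf holds; the sample payloads are constructed too.

# file type -> (header magic, footer magic)
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "gif": (b"GIF8", b"\x00\x3b"),
}
MAX_FILE_SIZE = 1 << 20  # stop looking for a footer 1 MiB past the header


def carve(stream, signatures=SIGNATURES, max_size=MAX_FILE_SIZE):
    """Return [(ext, offset, bytes)] for every header..footer pair found in stream."""
    found = []
    for ext, (header, footer) in signatures.items():
        pos = 0
        while True:
            start = stream.find(header, pos)
            if start == -1:
                break
            # the footer must follow the header and lie within max_size bytes of it
            foot = stream.find(footer, start + len(header), start + max_size)
            if foot == -1:
                pos = start + 1  # header without a footer in range: skip it
                continue
            end = foot + len(footer)
            found.append((ext, start, stream[start:end]))
            pos = end
    found.sort(key=lambda hit: hit[1])
    return found


def carve_packets(payloads):
    """Carve the reassembled stream, not the individual packets."""
    return carve(b"".join(payloads))


# Constructed sample: an HTTP response whose (fake, minimal) PNG body is split
# across three TCP segments, the 8-byte PNG header itself straddling the first two.
FAKE_PNG = (
    b"\x89PNG\r\n\x1a\n"
    + b"\x00\x00\x00\x0dIHDR" + b"A" * 17
    + b"\x00\x00\x00\x00IEND\xaeB`\x82"
)
PACKETS = [
    b"HTTP/1.1 200 OK\r\n\r\n" + FAKE_PNG[:4],
    FAKE_PNG[4:20],
    FAKE_PNG[20:],
]

if __name__ == "__main__":
    print("per-packet hits:", sum(len(carve(p)) for p in PACKETS))
    for ext, off, data in carve_packets(PACKETS):
        print(f"{ext} at stream offset {off}, {len(data)} bytes")
```

Carving each packet on its own finds nothing, because no single segment contains the whole PNG header; carving the joined stream recovers the file at offset 19, just past the constructed HTTP headers. A real carver also needs a maximum size per type and a policy for nested or overlapping hits, which the max_size window only approximates.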

Katana v2 (y0jimb0) – Portable Multi-Boot Security Suite

Katana v2 (y0jimb0) – Portable Multi-Boot Security Suite. Last updated: September 9, 2015. Katana is a portable multi-boot security suite which brings together many of today's best security distributions and portable applications to run off a single flash drive. It includes distributions which focus on pen-testing, auditing, forensics, system recovery, network analysis and malware removal. Katana also comes with over 100 portable Windows applications, such as Wireshark, Metasploit, Nmap, Cain & Abel and many more. New in v2: this version has a bunch of new stuff all around. One major addition to the project is Forge, a tool that provides a simple point-and-click installation for adding even more distributions to Katana Bootable. This version also adds the Computer Aided Investigative Environment (CAINE) for a live forensics environment and Kon-Boot for bypassing login passwords. Much effort was placed on the installation of additional applications to the Katana Tool Ki

peepdf – Analyze & Modify PDF Files

peepdf – Analyze & Modify PDF Files. peepdf is a Python tool to explore PDF files in order to find out whether a file can be harmful or not. The aim of the tool is to provide all the components a security researcher could need in a PDF analysis without using three or four tools to do all the tasks. With peepdf it is possible to see all the objects in the document with the suspicious elements highlighted; it supports the most used filters and encodings, and it can parse different versions of a file, object streams and encrypted files. With PyV8 and Pylibemu installed it also provides JavaScript and shellcode analysis wrappers. Apart from this it is able to create new PDF files and to modify or obfuscate existing ones. The main functionalities of peepdf are the following. Analysis: decodings (hexadecimal, octal, name objects); the most used filters; references in objects and where an object is referenced; string search (including streams); physical structure (offsets); logical tree stru

Malware Analyser v3.0 – A Static & Dynamic Malware Analysis Tool

Malware Analyser v3.0 – A Static & Dynamic Malware Analysis Tool. Malware Analyser is a freeware tool for performing static and dynamic analysis of malware executables; it can be used to identify potential traces of anti-debugging, keyboard hooks, system hooks and calls that change the DEP setting in the malware. This is a stepping-stone release, since for the first time dynamic analysis has been included for file creations (other network and registry indicators will be added soon), along with a process dumping feature. Malware analysis is the process of studying the components and behaviour of a malicious program. Two methods are used: static analysis, which is done without running the malware, and dynamic analysis, in which the malware is run inside an isolated, secure system. Malware analysis is important, since much of today's malware is not dete

Sniffjoke 0.4.1 Released – Anti-sniffing Framework & Tool For Session Scrambling

Sniffjoke 0.4.1 Released – Anti-sniffing Framework & Tool For Session Scrambling. SniffJoke is a Linux application that transparently handles your TCP connections, delaying and modifying packets and injecting fake ones into your transmission, making them almost impossible for a passive wiretapping technology (an IDS or sniffer) to read correctly. An internet client running SniffJoke injects into the transmission flow packets that seriously disturb passive analysis such as sniffing, interception and low-level information theft. No server support is needed. The internet protocols were developed to allow two endpoints to communicate, not to let a third party intercept their communication; interception happens, but the communication system was not designed with that objective. SniffJoke uses the network protocols in a permitted way, exploiting the implicit differences between the operating system's network stack and the sniffer's dissector. How does it work? It works only under L

Collar Bomber Gets Owned By Word Metadata & USB Drive

Collar Bomber Gets Owned By Word Metadata & USB Drive. There were other more technical and probably relevant stories to report on today, but for some reason I just found this story very odd and strangely fascinating. Now here's a strange case: a man climbs into a young girl's bedroom in the middle of the night, threatens her with a baseball bat and then chains a bomb to her neck. His ransom instructions include e-mailing a Gmail account, and he leaves a "soft copy" version of the ransom note on a pen-drive with the girl. There are plenty of metadata extraction tools such as Metagoofil and The Revisionist, and even without those, after recovering the file you can just open it in Word and view the metadata. I'm guessing this Paul Peters chap wasn't so familiar with wear levelling and metadata. He should have known better, and well, he was doing this for a ransom... so really he should have just bought a new pen-drive for the job. But as we know well, these people don't think like we

NetworkMiner v1.1 Released – Windows Packet Analyzer & Sniffer

NetworkMiner v1.1 Released – Windows Packet Analyzer & Sniffer. NetworkMiner is a Network Forensic Analysis Tool (NFAT) for Windows. It can be used as a passive network sniffer/packet capturing tool to detect operating systems, sessions, hostnames, open ports and so on without putting any traffic on the network. NetworkMiner can also parse PCAP files for off-line analysis and regenerate/reassemble transmitted files and certificates from them. Is NetworkMiner free? Netresec's best-known product is NetworkMiner, which is available in a professional as well as a free open source version. NetworkMiner collects data (such as forensic evidence) about hosts on the network rather than to

File Disclosure Browser – Tool To Explore .DS_Store Files

File Disclosure Browser – Tool To Explore .DS_Store Files. The File Disclosure Browser takes .DS_Store files found on websites and parses them to produce a list of all potential files in the directory. It can then either just display the URLs for the files or, if you give it a proxy, browse to the files itself. What is a .DS_Store file? It stands for Desktop Services Store and holds metadata about a folder: its view settings, icon positions, thumbnails and, crucially for this tool, the names of the entries the Finder has seen. .DS_Store files are created any time you navigate to a folder in the Finder on a Mac, and they get copied along with everything else when a site is uploaded or a directory is committed to Git. How do I open .DS_Store files? The file is binary, so opening it in Notepad or another text editor shows only fragments of the file names; use a parser such as this tool or a hex editor. What is .DS_Store on Google Drive? '.DS_Store' files are automatically generated by macOS' Fin
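What the File Disclosure Browser has to do with the file, shown as an added example (not the tool's own code). A .DS_Store is a buddy-allocator container (it starts with a "Bud1" header) holding a B-tree of records; each record is a UTF-16BE file name, a four-character structure id such as Iloc, a four-character type such as blob or long, and a type-dependent payload. The parser below handles that record layout inside one leaf block and turns the names into candidate URLs. Walking the allocator to find the DSDB root block is left out, and the leaf block is constructed by hand in the same layout rather than taken from a real file.

```python
import struct

# Added example (not the File Disclosure Browser's code): parse the records that a
# .DS_Store B-tree leaf block holds and turn the file names into candidate URLs.
# Real files wrap these blocks in a buddy-allocator container ("Bud1" header);
# locating the DSDB root block through that allocator is omitted here, and the
# leaf block at the bottom is constructed by hand in the same record layout.

# struct types with a fixed-size payload; "blob" and "ustr" carry a length prefix
FIXED_SIZE = {b"long": 4, b"shor": 4, b"bool": 1, b"type": 4, b"comp": 8, b"dutc": 8}


def parse_records(data, count, offset=0):
    """Parse `count` records from data[offset:] -> [(filename, struct_id, struct_type, payload)]."""
    records = []
    for _ in range(count):
        (name_units,) = struct.unpack_from(">I", data, offset)   # length in UTF-16 code units
        offset += 4
        name = data[offset:offset + 2 * name_units].decode("utf-16-be")
        offset += 2 * name_units
        struct_id, struct_type = data[offset:offset + 4], data[offset + 4:offset + 8]
        offset += 8
        if struct_type in FIXED_SIZE:
            size = FIXED_SIZE[struct_type]
            payload = data[offset:offset + size]
            offset += size
        elif struct_type == b"blob":
            (size,) = struct.unpack_from(">I", data, offset)
            offset += 4
            payload = data[offset:offset + size]
            offset += size
        elif struct_type == b"ustr":
            (units,) = struct.unpack_from(">I", data, offset)
            offset += 4
            payload = data[offset:offset + 2 * units].decode("utf-16-be")
            offset += 2 * units
        else:
            raise ValueError(f"unknown struct type {struct_type!r} at offset {offset}")
        records.append((name, struct_id.decode("ascii"), struct_type.decode("ascii"), payload))
    return records


def parse_leaf_block(block):
    """Leaf block = u32 child pointer (0 for a leaf) + u32 record count + the records."""
    child, count = struct.unpack_from(">II", block, 0)
    if child != 0:
        raise ValueError("internal node: child pointers are interleaved, not handled here")
    return parse_records(block, count, offset=8)


def filenames(records):
    return sorted({rec[0] for rec in records})


def candidate_urls(base_url, names):
    """The disclosure: every name is a path the web server probably serves."""
    return [base_url.rstrip("/") + "/" + name for name in names]


# --- constructed sample leaf block -------------------------------------------
def _record(name, struct_id, struct_type, payload):
    enc = name.encode("utf-16-be")
    return struct.pack(">I", len(enc) // 2) + enc + struct_id + struct_type + payload


SAMPLE_BLOCK = struct.pack(">II", 0, 4) + b"".join([
    _record(".env", b"Iloc", b"blob", struct.pack(">I", 16) + bytes(16)),
    _record("backup.sql", b"Iloc", b"blob", struct.pack(">I", 16) + bytes(16)),
    _record("index.html", b"Iloc", b"blob", struct.pack(">I", 16) + bytes(16)),
    _record("index.html", b"vSrn", b"long", struct.pack(">I", 1)),  # second record, same name
])

if __name__ == "__main__":
    names = filenames(parse_leaf_block(SAMPLE_BLOCK))
    for url in candidate_urls("https://example.com/admin/", names):
        print(url)
```

The names are the interesting part: a leaked .DS_Store lists entries such as backup.sql or .env that no link on the site points to, which is why the tool optionally fetches each URL through a proxy to see what the server actually returns.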

Rec Studio 4 – Reverse Engineering Compiler & Decompiler

Rec Studio 4 – Reverse Engineering Compiler & Decompiler. REC Studio is an interactive decompiler. It reads a Windows, Linux, Mac OS X or raw executable file and attempts to produce a C-like representation of the code and data used to build the executable. It has been designed to read files produced for many different targets, and it has been compiled on several host systems. REC Studio 4 is a complete rewrite of the original REC decompiler. It uses more powerful analysis techniques such as partial Static Single Assignment (SSA) form, allows loading Mac OS X files and supports 32- and 64-bit binaries. Although still under development, it has reached a stage that makes it more useful than the old REC Studio 2. Although REC can read Win32 executable (PE) files produced by Visual C++ or Visual Basic 5, there are limitations on the output produced. REC will try to use whatever information is present in the .EXE symbol table. If the .EXE file was compiled without debugging informati

The Cryptographic Implementations Analysis Toolkit

The Cryptographic Implementations Analysis Toolkit (CIAT) is a compendium of command line and graphical tools whose aim is to help in the detection and analysis of encrypted byte sequences within files (executable and non-executable). It is particularly helpful in the forensic analysis and reverse engineering of malware that uses cryptographic code and encrypted payloads. This was an interesting find because it wasn't too long ago I published a post about Mediggo, a tool to detect weak or insecure cryptosystems using generic cryptanalysis techniques. Requirements: the Windows binaries included in this distribution, as well as the supporting libraries, were compiled using gcc, MinGW and MSYS. Linux binaries were compiled using gcc 4.1.2. They were tested from the command line on a machine running Windows Vista Home Premium (32-bit + SP1) and on Linux Gentoo 2008.0 x86. They should run without problems on any computer with Windows 2000, XP or Vista 32-bit and on any Linux x86 with Mesa 3D, but I

Sysdig – Linux System Troubleshooting Tool

Sysdig – Linux System Troubleshooting Tool. Sysdig is an open source Linux system troubleshooting tool: capture system state and activity from a running Linux instance, then save, filter and analyze it. Think of it as strace + tcpdump + lsof + awesome sauce, with a little Lua cherry on top. Sysdig was born from a team's constant frustration: system-level troubleshooting is just way more of a pain than it should be, especially in distributed, virtualized and cloud-based environments. So they took the lessons they learned while building network monitoring tools like WinPcap and Wireshark and created a new kind of system troubleshooting tool for Linux. What is the Sysdig tool? Sysdig uses a unified platform to deliver security, monitoring and forensics in a container- and microservices-friendly architecture. Sysdig Monitor is a monitoring, troubleshooting and alerting suite offering deep, process-level visibility into dynamic, distributed production environments. Sysdig captures system calls a

DAMM – Differential Analysis of Malware in Memory

DAMM – Differential Analysis of Malware in Memory. Differential Analysis of Malware in Memory (DAMM) is a tool built on top of Volatility. Its main objective is to serve as a test bed for some newer techniques in memory analysis, including performance enhancements via persistent SQLite storage of plugin results (optional); comparing in-memory objects across multiple memory samples, for example processes running in an uninfected sample versus those in an infected sample; data reduction via smart filtering (e.g. on a pid across several plugins); and encoding a set of expert domain knowledge to sniff out indicators of malicious activity, like hidden processes and DLLs, or Windows built-in processes running from the wrong directory. An open source memory analysis tool built on top of Volatility, it is meant as a proving ground for interesting new techniques to be made available to the community. These techniques are an attempt to speed up the investigation process through data reduction and codif
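The three ideas above (comparing samples, finding hidden processes, and encoding domain knowledge about built-in processes) as an added example that is not DAMM's own code. The inputs are constructed process listings in the shape of Volatility pslist and psscan rows; the expected paths and parents for services.exe, lsass.exe and svchost.exe are standard Windows facts, and the "clean" and "infected" samples are made up to show one of each finding.

```python
from collections import namedtuple

# Added example (not DAMM's own code): the checks the description lists, run over
# constructed process listings shaped like Volatility pslist/psscan rows.
# EXPECTED encodes a few well-known Windows facts; both samples are constructed.

Proc = namedtuple("Proc", "pid ppid name path")

# what a legitimate instance of a core Windows process looks like (domain knowledge)
EXPECTED = {
    "services.exe": {"path": r"c:\windows\system32\services.exe", "parents": {"wininit.exe"}},
    "lsass.exe":    {"path": r"c:\windows\system32\lsass.exe",    "parents": {"wininit.exe"}},
    "svchost.exe":  {"path": r"c:\windows\system32\svchost.exe",  "parents": {"services.exe"}},
}


def hidden_processes(pslist, psscan):
    """Unlinked from the active-process list but still found by pool-tag scanning."""
    linked = {p.pid for p in pslist}
    return [p for p in psscan if p.pid not in linked]


def masquerades(procs):
    """Built-in process names running from the wrong path or under the wrong parent."""
    by_pid = {p.pid: p for p in procs}
    findings = []
    for p in procs:
        rule = EXPECTED.get(p.name.lower())
        if rule is None:
            continue
        if p.path.lower() != rule["path"]:
            findings.append((p.pid, p.name, f"unexpected path {p.path}"))
        parent = by_pid.get(p.ppid)
        parent_name = parent.name.lower() if parent else "<none>"
        if parent_name not in rule["parents"]:
            findings.append((p.pid, p.name, f"unexpected parent {parent_name}"))
    return findings


def new_since(baseline, sample):
    """Differential view: processes in `sample` whose (pid, name, path) is absent from `baseline`."""
    seen = {(p.pid, p.name.lower(), p.path.lower()) for p in baseline}
    return [p for p in sample if (p.pid, p.name.lower(), p.path.lower()) not in seen]


def analyze(clean_pslist, pslist, psscan):
    return {
        "hidden": hidden_processes(pslist, psscan),
        "masquerade": masquerades(psscan),
        "new": new_since(clean_pslist, psscan),
    }


# constructed samples: a clean baseline, then the same host after infection
CLEAN = [
    Proc(4, 0, "System", ""),
    Proc(400, 348, "wininit.exe", r"C:\Windows\System32\wininit.exe"),
    Proc(508, 400, "services.exe", r"C:\Windows\System32\services.exe"),
    Proc(520, 400, "lsass.exe", r"C:\Windows\System32\lsass.exe"),
    Proc(700, 508, "svchost.exe", r"C:\Windows\System32\svchost.exe"),
    Proc(1800, 1780, "explorer.exe", r"C:\Windows\explorer.exe"),
]
INFECTED_PSLIST = CLEAN + [
    Proc(2312, 1800, "svchost.exe", r"C:\Users\bob\AppData\Local\Temp\svchost.exe"),
]
INFECTED_PSSCAN = INFECTED_PSLIST + [
    Proc(2400, 2312, "dropper.exe", r"C:\Users\bob\AppData\Local\Temp\dropper.exe"),  # unlinked
]

if __name__ == "__main__":
    for section, items in analyze(CLEAN, INFECTED_PSLIST, INFECTED_PSSCAN).items():
        print(section)
        for item in items:
            print("  ", item)
```

The fake svchost.exe trips two rules at once (wrong directory, and explorer.exe rather than services.exe as its parent), and dropper.exe appears only in the scan results, the classic sign of a process unlinked from the kernel's active-process list. Running the same checks over psscan rather than pslist matters: a hidden process is exactly the one you would otherwise never look at.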

Rekall – Memory Forensic Framework

Rekall – Memory Forensic Framework. Rekall is a memory forensic framework that provides an end-to-end solution to incident responders and forensic analysts, from state-of-the-art acquisition tools to the most advanced open source memory analysis framework. What is Rekall? Rekall is an advanced forensic and incident response framework. While it began life purely as a memory forensic framework, it has now evolved into a complete platform. How do you run Rekall? Installation: simply type (for example on Linux):
$ virtualenv /tmp/MyEnv
New python executable in /tmp/MyEnv/bin/python
Installing setuptools, pip...done.
$ ...
$ pip install rekall-gui
to have all the dependencies installed. You still need to have python and pip installed first. It strives to be a complete end-to-end memory forensic framework, encapsulating acquisition, analysis and reporting. In particular Rekall is the only memory analysis platform

FastIR Collector – Windows Incident Response Tool

FastIR Collector – Windows Incident Response Tool. FastIR Collector is a "fast forensic" acquisition tool. Traditional forensics has reached its limit with the constant evolution of information technology: with the exponentially growing size of hard drives, copying them can take several hours, and the volume of data may be too large for fast and efficient analysis. "Fast forensics" responds to those issues. It aims at extracting a limited amount of data with high informational value. These targeted data are the most consistent and important ones for an incident response analyst and allow the analyst to quickly collect artefacts and thus quickly take decisions about cases. FastIR Collector is a Windows incident response tool that can extract classic artefacts such as a memory dump, auto-started software, the MFT, the MBR, scheduled tasks and services, and records the results in CSV files. The tool can also perform smart acquisitions thanks to the f

GRR Rapid Response is an incident response

GRR Rapid Response is an incident response framework focused on remote live forensics. The goal of GRR is to support forensics and investigations in a fast, scalable manner to allow analysts to quickly triage attacks and perform analysis remotely. GRR consists of two parts: client and server. The GRR client is deployed on systems that one might want to investigate. Once deployed, the client periodically polls the GRR frontend servers for work; "work" means running a specific action such as downloading a file or listing a directory. The GRR server infrastructure consists of several components (frontends, workers, UI servers) and provides a web-based graphical user interface and an API endpoint that allow analysts to schedule actions on clients and view and process the collected data. Remote forensics at scale: GRR was built to run at scale so that analysts can effectively collect and process data from large numbers of machines. GRR was built with the following scenar

Web Application Log Forensics After a Hack

Web Application Log Forensics After a Hack. Sites get hacked; it's not pleasant, but it happens. A critical part of it, especially in my experience, has been the web application log forensics applied directly after an attack. You can usually piece together what happened, especially if the attacker doesn't rotate IP addresses during the attack. With a little poking around and after creating a timeline, you can usually figure out what the entry point was and where the flaw in your site/software is. It's a critical skill to learn and a great reason to have all your logs turned on, all the time, as verbose as your server and storage can handle. This article from Acunetix walks you through some of the things to look for, and the flow to use when examining a server post-attack. Nowadays, web applications are popular targets for security attackers. Using specific security mechanisms, we can prevent or detect a security attack on a web application, but we cannot find out the criminal who has
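The timeline-and-entry-point flow described above, as an added example that is neither the post's nor Acunetix's code. It parses Apache combined-format lines, URL-decodes the request path (twice, so double-encoded traversal is not missed), tags each request with a short starter set of indicators, and then reports per source IP the first suspicious request, which is the best first guess at the entry point. The five log lines at the bottom are constructed, not taken from a real server.

```python
import re
from datetime import datetime
from urllib.parse import unquote

# Added example (not from the Acunetix article): an Apache "combined" log parser
# plus indicator checks, used to build the attacker timeline the text describes.
# INDICATORS is a deliberately short starter set; SAMPLE_LOG is constructed.

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

INDICATORS = {
    "path_traversal": re.compile(r"\.\./"),
    "sqli": re.compile(r"(union\s+select|or\s+1\s*=\s*1|sleep\(|information_schema)", re.I),
    "cmd_param": re.compile(r"[?&](cmd|exec|command)=", re.I),   # typical webshell parameter
    "scanner_ua": re.compile(r"(sqlmap|nikto|nmap)", re.I),
}


def parse_line(line):
    """One combined-format line -> dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
    e["status"] = int(e["status"])
    # decode twice so %252e%252e (double-encoded traversal) is caught as well
    e["decoded_path"] = unquote(unquote(e["path"]))
    return e


def classify(entry):
    """Names of the indicators this request trips (user agent checked for scanner UAs)."""
    hits = []
    for name, rx in INDICATORS.items():
        target = entry["ua"] if name == "scanner_ua" else entry["decoded_path"]
        if rx.search(target):
            hits.append(name)
    return hits


def build_timeline(lines):
    """Parse, tag and sort by time: the first thing to do after a compromise."""
    entries = [e for e in map(parse_line, lines) if e]
    for e in entries:
        e["indicators"] = classify(e)
    entries.sort(key=lambda e: e["ts"])
    return entries


def suspects(timeline):
    """Per source IP: first suspicious request (candidate entry point) and what it tripped."""
    out = {}
    for e in timeline:
        if not e["indicators"]:
            continue
        s = out.setdefault(e["ip"], {"first_seen": e["ts"], "entry_point": e["decoded_path"],
                                      "indicators": set(), "requests": 0})
        s["indicators"].update(e["indicators"])
        s["requests"] += 1
    return out


# constructed sample, not a real server's log
SAMPLE_LOG = [
    '203.0.113.7 - - [03/Aug/2011:10:01:12 +0000] "GET /index.php?id=1 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [03/Aug/2011:10:01:15 +0000] "GET /index.php?id=1%27%20UNION%20SELECT%201,2,3-- HTTP/1.1" 200 612 "-" "sqlmap/1.0"',
    '198.51.100.4 - - [03/Aug/2011:10:02:40 +0000] "GET /images/logo.png HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [03/Aug/2011:10:03:01 +0000] "GET /download.php?file=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1402 "-" "sqlmap/1.0"',
    '203.0.113.7 - - [03/Aug/2011:10:05:44 +0000] "POST /uploads/sh.php?cmd=id HTTP/1.1" 200 77 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, s in suspects(build_timeline(SAMPLE_LOG)).items():
        print(ip, s["first_seen"].isoformat(), s["entry_point"], sorted(s["indicators"]), s["requests"])
```

On the sample the report points at the SQL injection probe as the entry point, followed by a traversal read of /etc/passwd and then a request to a webshell in the upload directory; the 200 status on each is the detail worth chasing in the application code. Indicator lists like this catch the noisy attacker the post has in mind; a careful one will look like ordinary traffic, which is why the timeline (what did this IP request, in what order, starting when) is the real tool rather than the regexes.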

Memhunter – Automated Memory Resident Malware Detection

Memhunter – Automated Memory Resident Malware Detection. Memhunter is an automated memory-resident malware detection tool for hunting memory-resident malware at scale, improving the threat hunter's analysis process and remediation times. It is a self-contained binary that can be deployed and managed at scale; it does not use memory dumps and relies purely on live memory inspection to do its work, and it does not require any complex infrastructure to deploy. The tool was designed as a replacement for memory forensic Volatility plugins such as malfind and hollowfind. Not requiring memory dumps makes it possible to hunt memory-resident malware at scale, without manual analysis and without the infrastructure needed to move dumps to forensic environments. Memhunter in a nutshell: it is a standalone binary that deploys itself as a Windows service; it uses a set of memory inspection heuristics and ETW data collection to find footprints left by common inject

Dumpzilla

Dumpzilla. In essence, Dumpzilla is a Python 3 script designed for extracting data from Firefox-based web browsers: Firefox, SeaMonkey and Iceweasel. It is compatible with both Windows and Unix-based operating systems, making it one of the more flexible free open source forensic tools geared towards a specific purpose. What is the Dumpzilla forensic tool? Dumpzilla is a Python 3 script developed to extract artifacts from Firefox, Iceweasel and SeaMonkey browsers, useful during a forensic analysis. It works from the command line under Unix and Windows 32/64-bit systems. What is Dumpzilla in Kali? The Dumpzilla application is developed in Python 3.x and has as its purpose extracting all forensically interesting information from Firefox, Iceweasel and SeaMonkey browsers for analysis. Because it is written for Python 3.x, it might not work properly in old Python versions, mainly with certain characters.

ExifTool

ExifTool. As the name implies, ExifTool can read, write and edit EXIF and other metadata across a wide range of file formats, making it a suitable option if you are looking for free photo forensics tools. Besides EXIF it handles FlashPix, IRB, IPTC, GPS, GeoTIFF, XMP, JFIF and other metadata formats. What is the ExifTool command? ExifTool is a powerful tool for extracting the metadata of a file. It is used not only on images but on other file formats such as PDF and MP4. It lets you update and remove metadata and gives a lot of information about files. How do I install ExifTool on Windows? Download the Windows executable from the ExifTool home page (the file you download will have a name like "exiftool-#.##.zip"). Extract "exiftool(-k).exe" from the .zip file and place it on your Desktop.

USB Write Blocker

USB Write Blocker. Much like DRS by SalvationDATA, USB Write Blocker comes with a write-blocker that protects the files being inspected from being overwritten. Both tools are suited to examining a USB flash drive or a camera memory stick: the write blocker keeps the evidence intact, while DRS pulls up deleted data that would otherwise be hard to salvage on your own. What is a USB write blocker? A write blocker is any tool that permits read-only access to data storage devices without compromising the integrity of the data. Used properly, a write blocker helps guarantee the integrity of the evidence and the chain of custody. How do hardware write blockers work? A hardware write blocker is a device placed between the computer and the evidence drive; it runs its own firmware and blocks the computer's write commands to the attached device. What is a write blocker in forensics? Write blocke

FAW Forensics Acquisition of Websites

FAW Forensics Acquisition of Websites (or FAW for short) is one of the best-known digital forensic tools for acquiring websites. When you run it, it captures the page's entire source code and any images it contains, so that what was online at that moment is preserved for later examination as evidence. The capture can then be examined alongside other computer forensic tools such as Wireshark. FAW in the multipage version allows automatic capture of a list of web pages, perfect for capturing entire websites fast and automatically. FTP: this mode lets you capture entire websites over FTP and SFTP without modifying the metadata of the copied files. What is forensic acquisition of websites? Forensic Acquisition of Websites (FAW) is a way to forensically acquire a website or web page as it is viewed by the user; FAW preserves what is publicly available at the time. FAW describes itself as the first forensic browser and the best known in the world. Born in 2011, it is the reference software used by consultants, lawyers and law enfor

Mobile Verification Toolkit (MVT)

Mobile Verification Toolkit (MVT). MVT is one of the finest iOS and Android forensic tools: it lets you decrypt encrypted backups and discover traces of malware that may be present on the device. It generates a report of exactly which apps are installed on the smartphone and presents the extracted data as JSON. If you are looking for a mobile forensic tool with capabilities like this but are not overly trusting of free mobile forensic tools, look no further than SalvationDATA's SPF Pro: it has more functions, ongoing support by the developer team, is more user-friendly, and has a free trial to boot. The Mobile Verification Toolkit (MVT) is used to check forensic traces to understand whether an iPhone or Android phone has been compromised by the Pegasus spyware. Pegasus is developed by the Israeli company NSO Group, founded in 2010, and enables remote surveillance of mobile phones. Pegasus spyware has allegedly helped governments in countries like India to hack into

Free Hex Editor Neo

Free Hex Editor Neo. Free Hex Editor Neo is one of the top database forensics tools for handling large files. Much like DBF by SalvationDATA, it is one of those forensic tools that have both a paid and a free version you can try at your leisure. Among its main features are manual data carving, data extraction, low-level file editing, and deep scanning to uncover hidden data. Free Hex Editor Neo is the fastest freeware binary file editor for the Windows platform. Neo's data processing algorithms are extremely optimized and carefully tuned to save your time: it handles operations on large files and hex dumps (even larger than 1 GB) in seconds. In contrast to competitors, the editor always offers this kind of user experience: lengthy operations perform smoothly, the UI stays responsive, progress bars provide frequently updated information, the system always has sufficient resources, and all your modifications are stored safely and instantly re

The Sleuth Kit

The Sleuth Kit. What does The Sleuth Kit do? The Sleuth Kit is a collection of command line tools and a C library that allows you to analyze disk images and recover files from them. It is used behind the scenes in Autopsy and many other open source and commercial forensics tools. What is Sleuth Kit Autopsy? Autopsy is a digital forensics platform and graphical interface to The Sleuth Kit and other digital forensics tools. It is used by law enforcement, military and corporate examiners to investigate what happened on a computer; you can even use it to recover photos from your camera's memory card. Is Sleuth Kit open source? The Sleuth Kit is open source, which allows investigators to verify the actions of the tool or customize it to specific needs. The Sleuth Kit uses code from the file system analysis tools of The Coroner's Toolkit (TCT) by Wietse Venema and Dan Farmer. How are Sleuth Kit and Autopsy different? An autopsy is basically a graphic

Oxygen Forensic Suite

Oxygen Forensic Suite: Oxygen Forensic Suite is a popular commercial mobile forensics suite that helps you gather the evidence you need from a mobile phone. It also belongs on the list of Android forensic tools that, for supported devices, can bypass the password or lock screen gesture prompt and grant access to the data stored inside. SalvationDATA positions it as an alternative to SPF Pro, one of its own flagship products; since SPF Pro is, in their words, way more powerful and has more features, they suggest signing up for the no-strings-attached free trial. What is a forensic suite? Oxygen Forensic Suite is forensic software used to acquire data from almost all kinds of mobile devices, their backups and images, SIM card data, messenger logs, and cloud storage. Is Oxygen Forensics a Russian company? In Europe, its customers include the London Metropolitan Police, the French National Police, the Spanish Civil Guard,

NMAP

NMAP. Network Mapper (or Nmap for short) is one of the staple cyber security and forensics tools for network scanning and auditing. One of its core advantages is that it supports almost every popular operating system, including Windows, Linux and macOS, plus less common ones like Solaris and HP-UX. What is Nmap used for? Nmap lets you scan your network and discover not only everything connected to it, but also a wide variety of information about what is connected: which services each host is running, which ports are open, and so on. It supports a large number of scanning techniques, such as UDP, TCP connect(), TCP SYN (half-open) and FTP bounce scans. Why do hackers use Nmap? Nmap does not break into anything by itself; attackers use it to enumerate a target's open ports and the service versions behind them, then look for vulnerabilities in those services and work out how to exploit them. Hackers aren't the only people who use the softw

Crowdstrike

Crowdstrike. CrowdStrike (Falcon) is an endpoint security platform that provides threat intelligence, endpoint detection and response, and related services; it is listed among digital forensics tools because the same endpoint telemetry lets you quickly detect and recover from cybersecurity incidents, and find and block attackers in real time. What is CrowdStrike and how does it work? CrowdStrike installs a lightweight sensor on your machine that is less than 5 MB and runs without user interaction. Once installed, it continuously monitors for threats on your machine without you having to run virus scans manually. Features: it is one of the best cyber forensics tools to help you manage system vulnerabilities; it can automatically analyze malware; you can secure your virtual, physical and cloud-based data centre. What is special about CrowdStrike? Superior protection: CrowdStrike protects the people, processes and technologies that drive the modern enterprise. A single-agent solution to stop breaches, ransomware and cyber attacks, powered by world-class security expertise and

Xplico

Xplico. Xplico is an open-source network forensic analysis app. It supports HTTP (Hypertext Transfer Protocol), IMAP (Internet Message Access Protocol) and more. What is Xplico used for? Xplico is a network forensics analysis tool (NFAT): software that reconstructs the contents of captures performed with a packet sniffer (e.g. Wireshark, tcpdump, netsniff-ng). Features: output data can be stored in an SQLite or MySQL database; real-time collaboration; no size limit on data entry or on the number of files; you can create any kind of dispatcher to organize the extracted data in a useful way; it is one of the best open source forensic tools supporting both IPv4 and IPv6; it can perform reverse DNS lookups from the DNS packets contained in the input files; Xplico provides PIPI (Port Independent Protocol Identification) to support digital forensics. How does Xplico work? Xplico extracts packets from internet traffic and captures the applicatio

Volatility Framework

Volatility Framework. Volatility Framework is software for memory analysis and forensics. It is one of the best-known forensic tools for examining the runtime state of a system using the data found in RAM. Volatility is an open source framework used for memory forensics and digital investigations. The framework inspects and extracts memory artifacts of both 32-bit and 64-bit systems, with support for Windows, many flavours of Linux, macOS and Android. Features: it has an API that lets you look up PTE (Page Table Entry) flags quickly; Volatility Framework supports KASLR (Kernel Address Space Layout Randomization); the tool provides numerous plugins for examining Mac kernel and file operations. What does the Volatility program do? Volatility is one of the best open source software programs for analyzing RAM in 32-bit/64-bit system

Registry Recon

Registry Recon. Registry Recon, developed by Arsenal Recon, is a computer forensics tool used to extract, recover and parse registry data from Windows systems. It can efficiently determine, for instance, which external devices have been connected to a PC. Manually scouring Windows Registry files is extremely time consuming and leaves gaping holes in the ability to recover critical information. What is the registry in cyber forensics? On a Windows system the registry is a source of evidence against the cyber criminal, as it maintains details of activity on the system; digital forensic investigation of the Windows registry helps in collecting forensic information relevant to the case. Features: it supports Windows XP, Vista, 7, 8, 10 and other versions; it automatically recovers valuable NTFS data; You ca

Wireshark

Wireshark. Wireshark is a tool that analyzes network packets. It can be used for network testing and troubleshooting and helps you check the different traffic going through your computer system. Wireshark is a network protocol analyzer: an application that captures packets from a network connection, such as from your computer to your home office or the internet. A packet is the name given to a discrete unit of data in a typical Ethernet network. Wireshark is the most widely used packet sniffer in the world. What are the four main uses of Wireshark? Here are some reasons people use Wireshark: network administrators use it to troubleshoot network problems; network security engineers use it to examine security problems; QA engineers use it to verify network applications; developers use it to debug protocol implementations. Wireshark consists of a rich feature set including the following: live capture and offline analysis; rich VoIP an