Forensic Blogs

An aggregator for digital forensics blogs

by

Update: 1768.py Version 0.0.15

Some new features that help with analyzing memory dumps.

Here is the analysis of a VMware vmem file:

There’s a new sanity check, determining if an extracted configuration is OK or not OK (NOK).

A config passes the sanity check if it contains a valid payload type and a valid public key.

Configurations that don’t pass the sanity check, are most likely false positives: they have a valid header, but no valid fields. They can show up in memory dumps of Windows machines.

Option -S can be used to hide configurations that don’t pass the sanity check:

Now we are just left with detections of the sleep mask routine. What’s new in this version, is that the position where the signature was found is listed.

Finding both 32-bit and 64-bit routines is unusual.

Option -V can be used to dump 256 bytes before and after the signature, to help us get an idea what we are dealing with.

And what we actually found here, is the memory of the anti-virus program containing signatures, like signatures for Cobalt Strike sleep mask deobfuscation routines.

1768_v0_0_15.zip (http)
MD5: 15EBA21D59D78ED9A674DC2B88687555
SHA256: 73987F1B8577A5C31B2D7BDC197A465F8700B3F3C7838A31802BD77FFC872C42

by

Overview of Content Published in July

Here is an overview of content I published in July:

Blog posts: simple_listener.py Quickpost: Standby Power Consumption Of My USB Chargers Update: base64dump.py Version 0.0.23 Update: sortcanon Version 0.0.2 Update: oledump.py Version 0.0.69 Update: re-search.py Version 0.0.21 Quickpost: Standby Power Consumption Of My USB Chargers (120V vs 230V) Quickpost: iPad Pro Charging – Power Consumption YouTube videos: Maldoc: non-ASCII VBA Identifiers Videoblog posts: Maldoc: non-ASCII VBA Identifiers SANS ISC Diary entries: YARA 4.2.2 Released 7-Zip & MoW 7-Zip & MoW: “For Office files” 7-Zip Editing & MoW Python: Files In Use By Another Process Adding Your Own Keywords To My PDF Tools Maldoc: non-ASCII VBA Identifiers Video: Maldoc: non-ASCII VBA Identifiers Wireshark 3.6.7 Released

by

Quickpost: iPad Pro Charging – Power Consumption

I charged an iPad Pro (12.9 Inch) and measured the power consumption (at 120V and 230V). According to the specs, this iPad has a battery with a capacity of 40.88 Wh.

Procedure: when the iPad Pro turns itself of because of a low battery, I started to charge the iPad with an Apple A2347 USB C charger and measured the AC power consumption of this charger. It consumes around 21 Watt, this value starts to diminish when the battery approaches full charge. When at 100%, the charger will still deliver power, slowly decreasing to 3 Watts, and then it stops delivering power for charging. At that point, I stop the power consumption measurement.

I did not use the iPad while charging.

This measurement was done twice: at 120V 60Hz and 230V 50Hz (using an AC power supply).

ACWhDuration120V 60Hz57.17103:07:48230V 50Hz57.55903:09:16

There’s not much difference between the two measurements, but what I’ll certainly take away from this test, is that it takes around 57 Wh of AC power to charge a 40.88 Wh battery!

Quickpost info