Forensic Blogs

An aggregator for digital forensics blogs

January 1, 2023 by Didier Stevens

Overview of Content Published in 2022

Here is an overview of content I published in 2022:

Blog posts:

  • Update: jpegdump.py Version 0.0.9
  • Windows Explorer: Improper Exif Data Removal
  • Beta: smtp-honeypot.py
  • Update: oledump.py Version 0.0.63
  • Update: 1768.py Version 0.0.12
  • Update: oledump.py Version 0.0.64
  • New Tool: xlsbdump.py
  • spring4shell Capture File
  • Power Consumption Of A Philips Hue lamp In Off State
  • .ISO Files With Office Maldocs & Protected View in Office 2019 and 2021
  • New Tool: myjson-filter.py
  • Update: cut-bytes.py Version 0.0.14
  • Update: 1768.py Version 0.0.13
  • New Tool: pngdump.py (Beta)
  • Update: re-search.py Version 0.0.19
  • Update: oledump.py Version 0.0.65
  • Quickpost: Machine Code Infinite Loop
  • Update: oledump.py Version 0.0.66
  • Update: cs-parse-traffic.py Version 0.0.5
  • Update: zipdump.py Version 0.0.22
  • Update: oledump.py Version 0.0.67
  • Update: base64dump.py Version 0.0.21
  • Update: pecheck.py Version 0.7.15
  • Update: re-search.py Version 0.0.20
  • Update: pdf-parser.py Version 0.7.6
  • Update: 1768.py Version 0.0.14
  • Update: Python Templates Version 0.0.7
  • PoC: Cobalt Strike mitm Attack
  • Update: oledump.py Version 0.0.68
  • Update: python-per-line.py Version 0.0.8
  • New Tool: dns-query-async.py
  • Discovering A Forensic Artifact
  • Update: base64dump.py Version 0.0.22
  • New Tool: sortcanon.py
  • Another Exercise In Encoding Reversing
  • Examples Of Encoding Reversing
  • Quickpost: Cracking PDF Owner Passwords
  • Update: cut-bytes.py Version 0.0.15
  • Update: format-bytes.py Version 0.0.14
  • simple_listener.py
  • Quickpost: Standby Power Consumption Of My USB Chargers
  • Update: base64dump.py Version 0.0.23
  • Update: sortcanon Version 0.0.2
  • Update: oledump.py Version 0.0.69
  • Update: re-search.py Version 0.0.21
  • Quickpost: Standby Power Consumption Of My USB Chargers (120V vs 230V)
  • Quickpost: iPad Pro Charging – Power Consumption
  • Update: 1768.py Version 0.0.15
  • Update: 1768.py Version 0.0.16
  • Quickpost: Standby Power Consumption Of My Bosch 18V Chargers
  • Update: jpegdump.py Version 0.0.10
  • Update: oledump.py Version 0.0.70
  • Update: translate.py Version 2.5.12
  • Update: xor-kpa.py Version 0.0.6
  • Update: hex-to-bin.py Version 0.0.6
  • Quickpost: Sun Drying Biodegradable Waste
  • Quickpost: Dolmen du roc de l’Arca
  • Maldoc Analysis Video – Rehearsed & Unrehearsed
  • Quickpost: An Inefficient Powerbank
  • Update: virustotal-search.py Version 0.1.7
  • New Tool: split-overlap.py
  • Update: strings.py Version 0.0.8
  • Update: My Python Templates Version 0.0.8
  • Quickpost: Tuning The Electric Energy Consumption Of My TV
  • Taking A Look At PNG Files with pngdump.py Beta Version 0.0.3
  • Update: rtfdump.py Version 0.0.11
  • Quickpost: Standby Power Consumption Of An Old Linear Power Supply
  • Update: base64dump.py Version 0.0.24
  • Update: rtfdump.py Version 0.0.12
  • Quickpost: Testing A Lemon Battery
  • Update: byte-stats.py Version 0.0.9
  • The Making Of: qa-squeaky-toys.docm
  • Quickpost: BruCON Travel Charger
  • Quickpost: Testing A USB Fridge
  • Update: pdf-parser.py Version 0.7.7
  • Update: oledump.py Version 0.0.71
  • Quickpost: Testing A USB Fridge (Update)
  • Update: what-is-new.py Version 0.0.2
  • Update: python-per-line.py Version 0.0.9
  • Extracting Certificates For Defender
  • Update: count.py Version 0.3.1
  • Update: hash.py Version 0.0.9
  • Update: virustotal-search.py Version 0.1.8
  • Update: zipdump.py Version 0.0.23
  • New tool: teeplus.py
  • Update: filescanner Version 0.0.0.8
  • Update: InteractiveSieve Version 0.9.2.0
  • Update: nsrl.py Version 0.0.4
  • Update: file-magic.py Version 0.0.5
  • Update: myjson-filter.py Version 0.0.3
  • Update: dnsresolver.py Version 0.0.2
  • New Tool: dns-pydivert.py
  • Combining dns-pydivert And dnsresolver
  • Powerstrip With Neon Lamp Switch
  • Update: zipdump.py Version 0.0.24
  • Combining zipdump, file-magic And myjson-filter

YouTube videos:

  • YARA’s Console Module
  • Quick & Dirty Shellcode Analysis – CVE-2017-11882
  • TShark & Multiple IP Addresses
  • Maldoc Cleaned by Anti-Virus
  • curl, json & jo
  • Method For String Extraction Filtering
  • Office Protects You From Malicious ISO Files
  • Maldoc .DOCX MSDT Inside Sandbox
  • Decoding Obfuscated BASE64 Statistically
  • Another Exercise In Encoding Reversing
  • Maldoc: non-ASCII VBA Identifiers
  • 1768.py’s Sanity Check
  • James Webb JPEG With Malware
  • VBA Maldoc & UTF7 (APT-C-35)
  • An Obfuscated Beacon – Extra XOR Layer
  • Maldoc Analysis: Rehearsed vs. Unrehearsed
  • Analyzing Obfuscated VBS with CyberChef
  • Grep & Tail -f With Notepad++
  • Analysis of a Malicious HTML File (QBot)
  • PNG Analysis
  • PNG + mimikatz.exe
  • Extracting Information From “logfmt” Files With CyberChef
  • Extracting Information From “logfmt” Files With InteractiveSieve

Videoblog posts:

  • YARA’s Console Module
  • MSBuild & Cobalt Strike
  • Quick & Dirty Shellcode Analysis – CVE-2017-11882
  • TShark & Multiple IP Addresses
  • Maldoc Cleaned by Anti-Virus
  • curl, json & jo
  • Method For String Extraction Filtering
  • Office Protects You From Malicious ISO Files
  • Maldoc .DOCX MSDT Inside Sandbox
  • RTF & ms-msdt & Preview Pane
  • Decoding Obfuscated BASE64 Statistically
  • Maldoc: non-ASCII VBA Identifiers
  • 1768.py’s Sanity Check
  • James Webb JPEG With Malware
  • VBA Maldoc & UTF7 (APT-C-35)
  • An Obfuscated Beacon – Extra XOR Layer
  • Analyzing Obfuscated VBS with CyberChef
  • Grep & Tail -f With Notepad++
  • Analysis of a Malicious HTML File (QBot)
  • PNG Analysis
  • PNG + mimikatz.exe
  • Extracting Information From “logfmt” Files With CyberChef

SANS ISC Diary entries:

  • Expect Regressions
  • TShark & jq
  • Extracting Cobalt Strike Beacons from MSBuild Scripts
  • YARA’s Console Module
  • Power over Ethernet and Thermal Imaging
  • Wireshark 3.6.2 Released
  • Video: YARA’s Console Module
  • Sending an Email to an IPv4 Address?
  • Windows, Fixed IPv4 Addresses and APIPA
  • Video: Quick & Dirty Shellcode Analysis – CVE-2017-11882
  • TShark & Multiple IP Addresses
  • oledump’s Extra Option
  • Video: TShark & Multiple IP Addresses
  • ICMP Messages: Original Datagram Field
  • YARA 4.2.0 Released
  • Curl on Windows
  • SolarWinds Advisory: Unauthenticated Access in Web Help Desk (12.7.5)
  • MGLNDD_* Scans
  • Maldoc Cleaned by Anti-Virus
  • Wireshark 3.6.3 Released
  • Video: Maldoc Cleaned by Anti-Virus
  • Quickie: Parsing XLSB Documents
  • curl 7.82.0 Adds --json Option
  • jo
  • Method For String Extraction Filtering
  • Video: Method For String Extraction Filtering
  • Office Protects You From Malicious ISO Files
  • Video: Office Protects You From Malicious ISO Files
  • Sysmon’s RegistryEvent (Value Set)
  • Analyzing a Phishing Word Document
  • YARA 4.2.1 Released
  • Detecting VSTO Office Files With ExifTool
  • Quick Analysis Of Phishing MSG
  • Wireshark 3.6.5 Released
  • Huge Signed PE File
  • Huge Signed PE File: Keeping The Signature
  • Extracting The Overlay Of A PE File
  • Analysis Of An “ms-msdt” RTF Maldoc
  • “ms-msdt” RTF Maldoc Analysis: oledump Plugins
  • Quickie: Follina, RTF & Explorer Preview Pane
  • Decoding Obfuscated BASE64 Statistically
  • Wireshark 3.6.6 Released
  • Video: Decoding Obfuscated BASE64 Statistically
  • More Decoding Analysis
  • My Paste Command
  • YARA 4.2.2 Released
  • 7-Zip & MoW
  • 7-Zip & MoW: “For Office files”
  • 7-Zip Editing & MoW
  • Python: Files In Use By Another Process
  • Adding Your Own Keywords To My PDF Tools
  • Maldoc: non-ASCII VBA Identifiers
  • Video: Maldoc: non-ASCII VBA Identifiers
  • Wireshark 3.6.7 Released
  • VBA Maldoc & UTF7 (APT-C-35)
  • YARA 4.2.3 Released
  • Sysinternals Updates: Sysmon v14.0 and ZoomIt v6.01
  • Dealing With False Positives when Scanning Memory Dumps for Cobalt Strike Beacons
  • Update: VBA Maldoc & UTF7 (APT-C-35)
  • James Webb JPEG With Malware
  • Video: James Webb JPEG With Malware
  • Video: VBA Maldoc & UTF7 (APT-C-35)
  • Quickie: Grep & Tail -f With Notepad++
  • Analysis of an Encoded Cobalt Strike Beacon
  • Analyzing Obfuscated VBS with CyberChef
  • Maldoc With Decoy BASE64
  • Wireshark 3.6.8 and 4.0.0rc1 Released
  • Word Maldoc With CustomXML and Renamed VBAProject.bin
  • Video: Analyzing Obfuscated VBS with CyberChef
  • Video: Grep & Tail -f With Notepad++
  • Maldoc Analysis Info On MalwareBazaar
  • Downloading Samples From Takendown Domains
  • PNG Analysis
  • Sysmon v14.1 Release
  • Wireshark 4.0.0 Released
  • Curl’s resolve Option
  • Wireshark: Specifying a Protocol Stack Layer in Display Filters
  • Analysis of a Malicious HTML File (QBot)
  • Video: Analysis of a Malicious HTML File (QBot)
  • rtfdump’s Find Option
  • Video: PNG Analysis
  • Quickie: CyberChef & Microsoft Script Decoding
  • Sysinternals Updates: Process Explorer v17.0, Handle v5.0, Process Monitor v3.92 and Sysmon v14.11
  • IPv4 Address Representations
  • Update: IPv4 Address Representations
  • Extracting Information From “logfmt” Files With CyberChef
  • Finger.exe LOLBin
  • VLC’s Check For Updates: No Updates?
  • Open Now: 2022 SANS Holiday Hack Challenge & KringleCon
  • Quickie: CyberChef Sorting By String Length
  • CyberChef & Entropy
  • YARA v4.3.0-rc1 --print-xor-key

NVISO blog posts:

  • Cobalt Strike: Memory Dumps – Part 6
  • Cobalt Strike: Overview – Part 7
  • Analyzing a “multilayer” Maldoc: A Beginner’s Guide
  • Analyzing VSTO Office Files

NVISO Videos:

  • Using Known Private Keys To Decrypt Traffic
  • Using Process Memory To Decrypt Traffic
  • Dealing With Obfuscated Traffic And Process Memory
  • Decrypting DNS Traffic
  • Analyzing a “multilayer” Maldoc: A Beginner’s Guide

Read the original at: Didier Stevens. Filed Under: Digital Forensics. Tagged With: Announcement

January 1, 2023 by Didier Stevens

Overview of Content Published in December

Here is an overview of content I published in December:

Blog posts:

  • Update: python-per-line.py Version 0.0.9
  • Extracting Certificates For Defender
  • Update: count.py Version 0.3.1
  • Update: hash.py Version 0.0.9
  • Update: virustotal-search.py Version 0.1.8
  • Update: zipdump.py Version 0.0.23
  • New tool: teeplus.py
  • Update: filescanner Version 0.0.0.8
  • Update: InteractiveSieve Version 0.9.2.0
  • Update: nsrl.py Version 0.0.4
  • Update: file-magic.py Version 0.0.5
  • Update: myjson-filter.py Version 0.0.3
  • Update: dnsresolver.py Version 0.0.2
  • New Tool: dns-pydivert.py
  • Combining dns-pydivert And dnsresolver
  • Powerstrip With Neon Lamp Switch
  • Update: zipdump.py Version 0.0.24
  • Combining zipdump, file-magic And myjson-filter

SANS ISC Diary entries:

  • Finger.exe LOLBin
  • VLC’s Check For Updates: No Updates?
  • Open Now: 2022 SANS Holiday Hack Challenge & KringleCon
  • Quickie: CyberChef Sorting By String Length
  • CyberChef & Entropy
  • YARA v4.3.0-rc1 --print-xor-key

Read the original at: Didier Stevens. Filed Under: Digital Forensics. Tagged With: Announcement

December 25, 2022 by Didier Stevens

New Tool: dns-pydivert.py

dns-pydivert is a tool that uses WinDivert, a “user-mode packet capture-and-divert package for Windows”, to divert IPv4 DNS packets to and from the machine it is running on.

This tool requires admin rights.

When started, it listens for IPv4 UDP packets with source and/or destination port equal to 53.
When this tool processes its first UDP packet with destination port 53, it considers the source address of this packet to be the DNS client’s IPv4 address (e.g., the Windows machine this tool is running on) and the destination address to be the IPv4 address of the DNS server used by the client.
From then on, all IPv4 UDP packets with source or destination port 53 (including that first packet) are altered by the tool:
All IPv4 UDP packets with destination port 53 have their destination address changed to the IPv4 address of the client.
All IPv4 UDP packets with source port 53 have their source address changed to the IPv4 address of the DNS server.

This tool can be used to redirect all DNS IPv4 traffic to the machine itself, where a tool like dnsresolver.py can handle the DNS requests.

Caveats:

  • This tool does not handle IPv6.
  • This tool does not check if the UDP packets to and/or from port 53 are actual DNS packets.
  • This tool ignores DNS traffic over TCP.
  • This tool does not handle queries to multiple DNS servers (different IPv4 addresses) correctly.

Download: dns-pydivert_V0_0_1.zip (http)
MD5: BEAB8F9D180E15B27EB86CBEF7429216
SHA256: 7CB4BA7A4ABC0788AB8CE3F2DD1006DF86AD5D80943A4716FC3E62F1FA2100F6
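To make the rewriting rule above concrete, here is an added simulation of it (this is example code written for this page, not dns-pydivert.py itself). Instead of live WinDivert packets it works on small constructed packet records, so it runs anywhere without admin rights; the `Packet` record, the `DnsDivertRewriter` class and the sample addresses are this example's own. It applies the rule exactly as the post states it: the first UDP packet to port 53 fixes the client and server addresses, after which every IPv4 UDP packet to port 53 is sent to the client and every IPv4 UDP packet from port 53 appears to come from the server. The trace in `demo()` also shows two of the caveats: TCP port 53 is left alone, and a query to a second DNS server is redirected too, but its answer comes back stamped with the first server's address, which is why multiple servers are not handled correctly.

```python
"""Simulation of the address-rewriting rule described for dns-pydivert.py.

Example code added to this page; it is not the tool's own source. The Packet
record and DnsDivertRewriter class are this example's own names, and all
addresses below are constructed sample values (RFC 5737 documentation ranges).
"""
from dataclasses import dataclass, replace
from typing import List, Optional

DNS_PORT = 53


@dataclass(frozen=True)
class Packet:
    """Just the header fields the rule looks at; a stand-in for a WinDivert packet."""
    proto: str       # "udp" or "tcp"
    src_addr: str
    src_port: int
    dst_addr: str
    dst_port: int
    ipv6: bool = False


class DnsDivertRewriter:
    """Learns client/server from the first query, then rewrites addresses."""

    def __init__(self) -> None:
        self.client_addr: Optional[str] = None
        self.server_addr: Optional[str] = None

    def matches(self, pkt: Packet) -> bool:
        """The filter: IPv4 UDP with port 53 as source and/or destination.
        IPv6 and TCP are not handled, matching the tool's stated caveats."""
        if pkt.ipv6 or pkt.proto != "udp":
            return False
        return DNS_PORT in (pkt.src_port, pkt.dst_port)

    def process(self, pkt: Packet) -> Packet:
        """Return the packet as it would be reinjected (unchanged if not matched)."""
        if not self.matches(pkt):
            return pkt
        if self.client_addr is None and pkt.dst_port == DNS_PORT:
            # First query seen: its source is the client, its destination the server.
            self.client_addr = pkt.src_addr
            self.server_addr = pkt.dst_addr
        if self.client_addr is None:
            return pkt  # a port-53 reply before any query: nothing learned yet
        # Both rules are applied independently, as in the post's description.
        if pkt.dst_port == DNS_PORT:
            pkt = replace(pkt, dst_addr=self.client_addr)
        if pkt.src_port == DNS_PORT:
            pkt = replace(pkt, src_addr=self.server_addr)
        return pkt


def demo() -> List[Packet]:
    """Run a constructed trace through the rewriter and return the rewritten packets."""
    client, server1, server2 = "192.0.2.10", "192.0.2.1", "198.51.100.1"
    trace = [
        Packet("udp", client, 51000, server1, 53),   # first query: fixes client/server
        Packet("udp", client, 53, client, 51000),    # answer from the local resolver
        Packet("tcp", client, 51001, server1, 53),   # DNS over TCP: ignored
        Packet("udp", client, 51002, server2, 53),   # query to a second server (caveat)
        Packet("udp", client, 53, client, 51002),    # its answer: stamped with server1
    ]
    rewriter = DnsDivertRewriter()
    return [rewriter.process(p) for p in trace]


if __name__ == "__main__":
    for before, after in zip(demo(), demo()):
        print(f"{before.proto} {before.src_addr}:{before.src_port} -> "
              f"{before.dst_addr}:{before.dst_port}  =>  "
              f"{after.src_addr}:{after.src_port} -> {after.dst_addr}:{after.dst_port}")
```

The last packet in the trace is the one that breaks with a second server: the client sent its query to 198.51.100.1, but the answer is reinjected with source 192.0.2.1, so the client's socket, which expects a reply from the address it queried, will not accept it.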

Read the original at: Didier Stevens. Filed Under: Digital Forensics. Tagged With: Announcement, My Software


About

This site aggregates posts from various digital forensics blogs. Feel free to take a look around, and make sure to visit the original sites.


All content is copyright the respective author(s)