Channel: Ghetto Forensics

A GhettoForensics Look Back on 2013

This site, Ghetto Forensics, was started this year as the beginning of an effort to better document some of the side work that I do that I thought would be appealing, or humorous, to the overall...

Malware with No Strings Attached - Dynamic Analysis

I had the honor of lecturing for Champlain College's graduate level Malware Analysis course this week. One of the aspects of the lecture was showing off dynamic analysis with my Noriben script and some...

Is Google Scanning Malware Email Attachments Between Researchers

Disclaimer: This post is based upon experiences I found when sending malware via GMail (Google Mail). I'm documenting them here for others to: disprove, debate, confirm, or to downplay its...

Malware with No Strings Attached Part 2 - Static Analysis

In the previous post I showed some dynamic analysis procedures for a variant of a trojan known to Symantec as Coreflood. Based on the dynamic analysis, we discovered that the analyzed sample contained...

A Walkthrough for FLARE RE Challenges

The FireEye Labs Advanced Reverse Engineering (FLARE) challenge was causing a bit of a buzz when it was announced and launched in early July. It read like a recruitment campaign for a new division...

DJ Forensics: Analysis of Sound Mixer Artifacts

In many forensics examinations, including those of civil and criminal nature, there is an art to finding remnants of previously installed applications. Fearing detection, or assuming that an...

Noriben - Your Personal, Portable Malware Sandbox

Announcing Noriben. Noriben is a Python-based script that works in conjunction with Sysinternals Procmon to automatically collect, analyze, and report on runtime indicators of malware. In a nutshell, it...

Noriben version 1.1 Released

I've made available the latest version of Noriben with some much-needed updates. The greatest update is a series of added filters that dramatically help to reduce false positive items in the output....
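
The two Noriben teasers above describe the same approach: take a Procmon capture, keep only the operations that produce runtime indicators, and filter out the noise the operating system generates on every run. The following is an added illustration of that approach in Python, written for this page; it is not Noriben's own code, and the Procmon CSV rows, the column layout and the noise patterns are constructed for the example (a real noise list is built up from clean baseline captures of the analysis VM).

```python
import csv
import fnmatch
import io
from collections import defaultdict

# Constructed sample of a Procmon CSV export. The rows are made up for this
# illustration: a dropper writes a copy of itself to %TEMP%, persists via the
# Run key, and beacons out, amid the usual Prefetch and MuiCache background noise.
SAMPLE_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","sample.exe","1234","Process Create","C:\\Users\\lab\\AppData\\Local\\Temp\\svch0st.exe","SUCCESS","PID: 1300, Command line: svch0st.exe -install"
"10:01:02.2","sample.exe","1234","WriteFile","C:\\Users\\lab\\AppData\\Local\\Temp\\svch0st.exe","SUCCESS","Offset: 0, Length: 65,536"
"10:01:02.3","sample.exe","1234","RegSetValue","HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater","SUCCESS","Type: REG_SZ, Data: C:\\Users\\lab\\AppData\\Local\\Temp\\svch0st.exe"
"10:01:02.4","sample.exe","1234","TCP Connect","lab-pc:49152 -> 203.0.113.10:443","SUCCESS","Length: 0"
"10:01:02.5","sample.exe","1234","WriteFile","C:\\Windows\\Prefetch\\SAMPLE.EXE-1A2B3C4D.pf","SUCCESS","Offset: 0, Length: 4,096"
"10:01:02.6","explorer.exe","900","RegSetValue","HKCU\\Software\\Classes\\Local Settings\\MuiCache\\abc","SUCCESS","Type: REG_SZ, Data: Sample"
"10:01:02.7","sample.exe","1234","RegQueryValue","HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProductName","SUCCESS","Type: REG_SZ, Length: 20"
"""

# Operations that leave a host-based indicator behind. Reads, queries and
# handle closes (the bulk of any Procmon capture) are dropped outright.
INTERESTING_OPS = {
    "Process Create": "processes",
    "WriteFile": "file_writes",
    "SetDispositionInformationFile": "file_deletes",
    "RegSetValue": "registry_writes",
    "TCP Connect": "network",
    "TCP Send": "network",
    "UDP Send": "network",
}

# Noise filters: glob patterns for paths touched on every run regardless of the
# sample. Constructed examples; extend from your own clean baseline captures.
NOISE_PATTERNS = {
    "processes": [],
    "file_writes": [
        "C:\\Windows\\Prefetch\\*.pf",
        "C:\\Users\\*\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_*",
    ],
    "file_deletes": [],
    "registry_writes": [
        "HKCU\\Software\\Classes\\Local Settings\\MuiCache\\*",
        "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\*",
    ],
    "network": [],
}


def is_noise(category, path):
    """True if the path matches a known-benign pattern for this indicator type.
    Both sides are lower-cased because fnmatch is case-sensitive on POSIX."""
    return any(fnmatch.fnmatch(path.lower(), pat.lower())
               for pat in NOISE_PATTERNS[category])


def parse_procmon_csv(text):
    """Parse a Procmon CSV export into a list of dicts keyed by column header."""
    return list(csv.DictReader(io.StringIO(text)))


def triage(rows):
    """Reduce raw Procmon rows to deduplicated indicators bucketed by type.
    Returns (report, dropped_count)."""
    report = defaultdict(list)
    seen = set()
    dropped = 0
    for row in rows:
        category = INTERESTING_OPS.get(row["Operation"])
        if category is None or row["Result"] != "SUCCESS":
            dropped += 1
            continue
        if is_noise(category, row["Path"]):
            dropped += 1
            continue
        # Collapse the many WriteFile/RegSetValue events one action generates
        # into a single indicator per (process, path).
        key = (category, row["Process Name"], row["PID"], row["Path"])
        if key in seen:
            dropped += 1
            continue
        seen.add(key)
        report[category].append({
            "time": row["Time of Day"],
            "process": f'{row["Process Name"]}:{row["PID"]}',
            "path": row["Path"],
            "detail": row["Detail"],
        })
    return dict(report), dropped


def format_report(report):
    """Render the indicator buckets as a plain-text report."""
    lines = []
    for category in ("processes", "file_writes", "file_deletes",
                     "registry_writes", "network"):
        entries = report.get(category, [])
        if not entries:
            continue
        lines.append(f"[{category}] {len(entries)} indicator(s)")
        for e in entries:
            lines.append(f"  {e['time']}  {e['process']:<18} {e['path']}  ({e['detail']})")
    return "\n".join(lines)


if __name__ == "__main__":
    rows = parse_procmon_csv(SAMPLE_CSV)
    report, dropped = triage(rows)
    print(format_report(report))
    print(f"\n{dropped} of {len(rows)} events filtered as noise or uninteresting")
```

On the constructed capture the report keeps four indicators (the dropped copy in %TEMP%, the Run-key persistence, the child process and the outbound connection) and discards the Prefetch write, the MuiCache update and the registry query. The order of the checks matters for tuning: an operation filter removes most events cheaply, the path patterns then handle what remains, and deduplication keeps a single large file write from producing hundreds of lines.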

Ghetto Forensics!

While I have maintained a blog on my personal website (www.thebaskins.com) for many years, the process of creating new posts on it has become cumbersome over time. As I perform more technical posts,...

Presentation Archive

Below are a series of presentations I've given over the years, though not a fully inclusive list. Many are too sensitive (FOUO/LES/S/TS/SAP/EIEIO) to store, and others have been lost to digital decay....

Noriben Version 1.2 released

In a mad rush of programming while on a plane to BSidesNOLA, and during the conference, I completed a large number of updates, requests, and demands for Noriben. As a basic malware analysis sandbox,...

How To: Static analysis of encoded PHP scripts

This week, Steve Ragan of CSO Online posted an article on a PHP-based botnet named by Arbor Networks as Fort Disco. As part of his analysis, Ragan posted an oddly obfuscated PHP script for others to...

Mojibaked Malware: Reading Strings Like Tarot Cards

One notable side effect to working in intrusions and malware analysis is the common and frustrating exposure to text in a foreign language. While many would argue the world was much better when text...

Malware Analysis: The State of Java Reversing Tools

In the world of incident response and malware analysis, Java has always been a known constant. While many malware analysts are monitoring more complex malware applications in various languages, Java is...

Noriben version 1.4 released

It's been a few months since the last official release of Noriben. The interim time has been filled with a few ninja-edits of updated filters, and wondering what to put in next. Noriben started out as a...

Dumping Malware Configuration Data from Memory with Volatility

When I first started delving into memory forensics, years ago, we relied upon controlled operating system crashes (to create memory crash dumps) or the old FireWire exploit with a special laptop. Later,...

Of Malware and Adware: Why Forbes Did Not Serve Me Malware

The topic of web-based advertising is always a hot topic for discussion, debate, and outright argument. One realizes that the Internet we've grown accustomed to is reliant on ads; after all,...

Solving the 2015 FLARE On Challenges

The second annual FLARE On is a reverse engineering challenge put forth by the FireEye Labs Advanced Reverse Engineering (FLARE). While accepted as a very advanced and tactical recruiting method, it...

Creating a Malware Sandbox in Seconds with Noriben.

Happy New Year! As part of the new year, let's make an effort to make your defensive posture better, especially through quicker and more effective malware analysis! A few years ago I created a sample...

GrrCon 2015 - Memory Forensics - Grabbing all the Flags...

Today we bring you a special guest posting by Tony "@captcook32" Cook. Late last year GrrCon hosted their eagerly anticipated, excellent set of challenges which included an in-depth memory forensics challenge...

Running the Labyrenth: Unit 42 CTF

At least once a year I try to publish my work process for a Capture The Flag (CTF) event. If you're not familiar with CTFs, they're a timed series of very difficult or obscure challenges to gain a...

Exploring the Labyrenth (2017 Edition)

2017 brings us one of the best, though newest, CTFs: Palo Alto's LabyREnth. The 2016 iteration was a grueling set of 3 dozen challenges across multiple topics that tested one's ability, skill, patience,...

Enforcing the Law at the Mid Atlantic Collegiate Cyber Defense Competition...

The MidAtlantic Collegiate Cyber Defense Competition (MACCDC) is one of the many regional CCDCs that includes a somewhat unique aspect: law enforcement and investigations. For those unfamiliar with...

Flare-On 9 - The Worst Writeups

Since its inaugural year I have been a participant in the FireEye / Mandiant Flare-On challenges produced by FLARE, the FireEye Labs Advanced Reverse Engineering. FLARE is one of the industry's most...

Huntress CTF 2023 - Unique Approaches to Fun Challenges

As someone who has participated in numerous Capture The Flag (CTF) competitions, I was excited when Huntress Lab announced their CTF late last year. Anytime a new organization ventures into hosting...
