July 11, 2009:
FEATURED TOOL: LEAF
Leaf is an extendable ELF analysis and
disassembly framework written in C. Leaf contains ELF parsing
functions, an x86 disassembler library (udis86) and a plugin interface.
Leaf does not rely on libelf or any GNU BFD libraries. All of the ELF
parsing code is written from scratch and will work on any stripped
binary without a Section Header. It can parse 32-bit x86 ELF objects
for Linux, BSD and Sun Solaris platforms (other x86 ELF objects from
other OS's may also work). It's disassembly library (udis86) can parse
64-bit x86 instructions but it is not enabled yet.
core engine correlates many things such as xref's, symbols and code
relocations. By itself, Leaf is nothing special. The plugin framework
for developing quick information extracting tools is what adds value.
The code is currently in a beta stage and is available through the
downloads tab above. I have also provided a few example plugins such as
a hit tracer which uses Leaf's debugging API, a plugin that searches
data sections for embedded files using libmagic, and a basic command
Leaf was written
to run on x86 Linux platforms. The debug API is strictly Ptrace and
still needs a few changes in order to run on BSD.
FEATURED TOOL: Elfinfo
is an ELF parser to display the sections and symbols in an ELF file.
July 7, 2009:
FEATURED TOOL: GLSOF (GUI LSOF)
A fundamental part of Linux malware forensics during the behavioral analysis of a malware specimen is monitoring open files on the infected host. The de facto tool for this task is lsof, a utility native to most Linux flavors. Lsof output can be viewed in a terminal window or piped to a file for later analysis. I've always thought that a GUI version of lsof would be an interesting prospect, particularly one that allowed for granular control of input and output. Daniel Francesconi has developed such a tool suite, GLSOF, which is now in it's second incarnation (the original version is written in C; the current version is Java). GLSOF
is two separate utilities--
GLSOF-Queries and GLSOF-Filemonitor. Daniel was very receptive and responsive to question regarding the tools and advised that he is still in the process of refining the functionality of the tools. I have not fully explored the functionality of the tools, but I'm intrigued with what I've seen thus far.
GLSOF-Filemonitor in action
July 6, 2009:
FEATURED TOOL: Net Activity Viewer-
Net Activity Viewer is a graphical network connections viewer for Linux, with similar
functionality as netstat. It includes features like process
information, host name retrieval, automatic refresh and sorting. It has
a fully featured GTK 2 graphical interface.
Net Activity Viewer is a great tool for malware investigators that are familiar with TCPView
, Active Ports
, and other GUI absed port monitoring tools for Windows malware analysis.
Net Activity Viewer has an intuitive menu allowing the user to choose the output and the items displayed in the viewing pane. The benefit to using Net Activity Viewer is that unlike netstat, it automatically refreshes. Further, if the user chooses the "Color Highlight" feature, freshly opened connections are highlighted green (see the image above, displaying a freshly created ssh connection attempt).
July 5, 2009:
DAVIX- [from the SecViz (Security Visualization) web site http://secviz.org]: DAVIX, a live CD for data analysis and visualization, brings the most
important free tools for data processing and visualization to your
desk. There is no hassle with installing an operating system or
struggle to build the necessary tools to get started with
visualization. You can completely dedicate your time to data analysis.
The DAVIX CD is based on SLAX and features broad out-of-the-box
hardware support for graphic cards and network adapters. SLAX is based
on Slackware and follows a modularized approach. Thus, the SLAX ISO
image can easily be customized for various purposes. It can even be
installed on USB sticks and provide you with mobile analysis
capabilities." The following is a list of all the visualization tools
installed on DAVIX distribution:
* R Project
* Dottty and lneato
July 3, 2009:
FEATURED TOOL: Unhide- Unhide is a forensic tool to find
processes and TCP/UDP ports hidden by rootkits, Linux kernel modules or
by other techniques.
It includes two utilities: unhide and unhide-tcp.
Unhide detects hidden processes using three techniques:
* comparing the output of /proc and /bin/ps
* comparing the information gathered from /bin/ps with the one gathered from system calls (syscall scanning)
* full scan of the process ID space (PIDs bruteforcing)
Unhide-tcp identifies TCP/UDP ports that are listening but are not
listed in /bin/netstat through brute forcing of all TCP/UDP ports
Invoking unhide is intuitive and can be used in three modes: proc, sys and brute
The proc mode compares /proc with the output of /bin/ps.
root@MalwareLab:/home/malwarelab/Desktop# unhide proc
[*]Searching for Hidden processes through /proc scanning
The sys mode compares information gathered from /bin/ps with information gathered from system calls.
root@MalwareLab:/home/malwarelab/Desktop# unhide sys
[*]Searching for Hidden processes through getpriority() scanning
[*]Searching for Hidden processes through getpgid() scanning
[*]Searching for Hidden processes through getsid() scanning
[*]Searching for Hidden processes through sched_getaffinity() scanning
[*]Searching for Hidden processes through sched_getparam() scanning
[*]Searching for Hidden processes through sched_getscheduler() scanning
[*]Searching for Hidden processes through sched_rr_get_interval() scanning
[*]Searching for Hidden processes through sysinfo() scanning
The brute mode consists of bruteforcing the all process IDs (this technique is only available on Linux 2.6 kernels).
March 4, 2009:
FEATURED TOOL: Selective File Dumper
Selective File Dumper
is an open source command line tool written in Bash Script for Linux
systems allowing the user to retrieve all the files of a particular
file type (for a GUI front-end option, Zenity can be used).
February 7, 2009:
FEATURED TOOL: DepSpec: Dependency Viewer
Some digital investigators/malware
analysts prefer to analyze suspect Windows binaries on a *nix
system--whether out of preference for working on *nix or because it
offers a safe environment for this sort of analysis. Most *nix flavors
have the dependency identifying tool ldd natively installed, however, probing a Windows binary with ldd can be challenging as it often struggles with the .exe file format, leading to error such as this:
lab@MalwareLab:/home/lab/Desktop# ldd Video.exe
not a dynamic executable
Unfortunately, this error gives the investigator the false impression that the executable is statically linked. An alternative to ldd is DepSpec (Dependency Viewer)
by Kyle McFarland, which provides for a dual-paned GUI allowing the
user to drill down through file dependencies. Although the output is
not a granular as other Windows based dependency analysis tools,
DepSpec offers digital investigators great alternative to ldd on *nix
January 17, 2009:
FEATURED TOOL: Malware Analysis Frameworks
There are a number of freely available
malware analysis frameworks that enable a user to conduct automated
dynamic analysis of suspicious executable files. Some of these
The Reusable Unknown Malware Analysis Net ("TRUMAN")- Developed
by venerable malware researcher Joe Stewart of Secureworks (formerly of
LURQ), "Truman can be used to build a "sandnet", a tool for analyzing
malware in an environment that is isolated, yet provides a virtual
Internet for the malware to interact with. It runs on native hardware,
therefore it is not stymied by malware which can detect VMWare and
other VMs. The major stumbling block to not using VMs is the difficulty
involved with repeatedly imaging machines for re-use. Truman automates
this process, leaving the researcher with only minimal work to do in
order to get an initial analysis of a piece of malware.
Truman consists of a Linux boot image (originally based on Chas Tomlin's Windows Image Using Linux) and a collection of scripts. Also provided is pmodump,
a Perl-based tool to reconstruct the virtual memory space of a process
from a PhysicalMemory dump. With this tool it is possible to circumvent
most packers to perform strings analysis on the dumped malware."
Automated aNalysis and Network emulation ("ANNE")-
Developed by the Luxembourg Computer Security Research & Response
Team, ANNE Is a framework to analyze unknown binaries in an automated
fashion. More information can be found at
ANNE is composed of
- backend xmlserver
- a daemon that process the jobs
- UML (user mode linux) Malware/UML Howto for ANNE
- a web interface frontend
- simulation scripts that run inside the UML
Zero-Wine- Authored by Joxean Koret, "Zero wine is an open source (GPL v2) research project to dynamically
analyze the behavior of malware. Zero wine just runs the malware using
WINE in a safe virtual sandbox (in an isolated environment) collecting
information about the APIs called by the program. The tool is distributed as a prebuilt QEmu virtual machine (or in source code form)."
December 13, 2008:
HeX LiveCD 2.0 released
: "As effort of the Honeynet Project Malaysian chapter
and the RawPacket team
initiative, HeX LiveCD
was created. It is a Network Security Monitoring (NSM) centric Live CD,
built based on the principles of NSM, for analysts, by analysts. This
project will be eventually forked to Hex Sensor and Hex Server to
complete the cycle of NSM processes. Besides, HeX LiveCD is the
blueprint for HornyD
. HornyD and HoneySuckle are the toolkits for the Malaysia Distributed Honeynet Project.
HeX LiveCD contains most of the popular Open Source NSM and network forensics tools. The LiveCD also includes the NSM-Console framework
which acts as aggregated protocols analyst for performing packet analysis on capture files." (description from the Honeynet Project website)
October 25, 2008:
FEATURED TOOL: Elfcmp
Elfcmp- elfcmp compares running processes to the their
respective binary image to ensure that the process
image in memory has not been tampered with after
October 19, 2008:
FEATURED TOOL: The Sleuth Kit
The Sleuth Kit and Autopsy Browser updated- Brian Carrier's popular open source
digital investigation tools, The Sleuth Kit (TSK) 3.0.0 ( a C library and a collection of
command line tools [based on code from The Coroner's Toolkit ]) and the Autopsy Browser 2.20 (an HTTP graphical interface to TSK) are available for download.
October 18, 2008:
FEATURED TOOL: ForensiX Live Response CD
ForensiX Live Response CD
has been updated- Alexander Geschonneck has recently updated the
ForensiX Linux Incident Response Script on the ForensiX Live Response
CD. According to Geschonneck's web site, the new script contains an "extract option...to organize the memory dump for an easy investigation."
September 3, 2008:
FEATURED TOOL: SANS Investigative Forensic Toolkit (SIFT)
SANS releases the SANS Investigative Forensic Toolkit (SIFT) Workstation, a VMware Appliance that is preconfigured with all the necessary tools to perform a forensic examination.
September 2, 2008:
FEATURED TOOL: OSSEC
OSSEC v. 1.6 is released. OSSEC is an Open Source Host-based Intrusion Detection System. It
performs log analysis, integrity checking, Windows registry monitoring,
rootkit detection, real-time alerting and active response.