July 14, 2010

forensics puzzles

I found out last week that I made the tail end of the finalists list for the most recent SANS forensics puzzle contest. It was an "operation aurora exploit" based thing that came through javascript and had shellcode in it, which downloaded a metasploit-built exploit with meterpreter run over ssl. That, at least, is the consensus. I was digging about studying the exploit mechanisms, which, as I don't do this for a living, is new to me. "That looks like shellcode, how do I make it into something I can read" and such.

I got possessed to write a file carver in the middle of the night in the middle of this. I could have used foremost, but, having it drilled into my head that foremost sucked, since the people I learned forensics from wrote scalpel, I thought, well, it can't be that hard to pull a PE file out of a snippet of raw data; it really isn't, that was maybe two hours of leisurely C. (Yes, I know I should be using python like a good modern security person. Have you seen how fast I am at C?)
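For anyone curious what "pull a PE file out of a snippet of raw data" amounts to, here is an added example of the same idea in C. It is not the carver from the contest writeup, and the sample bytes it scans are constructed in the code (two minimal PE32 images buried in filler, plus a decoy "MZ" with nothing behind it). It assumes only the documented PE layout: the "MZ" DOS header with e_lfanew at offset 0x3c, the "PE\0\0" signature followed by the COFF header, SizeOfHeaders at offset 60 of the optional header, and 40-byte section headers whose PointerToRawData + SizeOfRawData give the on-disk extent. Every header field is bounds-checked before use, since a carver runs over hostile bytes.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Little-endian helpers: never trust host byte order or alignment on carved data. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = v & 0xff; p[1] = v >> 8; }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (v >> (8 * i)) & 0xff; }

/* If buf[off] starts a plausible PE image, return its on-disk size, else 0.
   Size = max(SizeOfHeaders, PointerToRawData + SizeOfRawData over all sections).
   A crafted e_lfanew or section count must not read past len. */
size_t pe_size_at(const uint8_t *buf, size_t len, size_t off) {
    if (off + 0x40 > len || buf[off] != 'M' || buf[off + 1] != 'Z') return 0;
    uint32_t e_lfanew = rd32(buf + off + 0x3c);
    if (e_lfanew < 0x40 || e_lfanew > 0x1000) return 0;      /* sanity: PE header follows a short DOS stub */
    size_t pe = off + e_lfanew;
    if (pe + 24 > len || memcmp(buf + pe, "PE\0\0", 4) != 0) return 0;
    uint16_t nsect = rd16(buf + pe + 6);                     /* COFF NumberOfSections */
    uint16_t optsz = rd16(buf + pe + 20);                    /* COFF SizeOfOptionalHeader */
    if (nsect == 0 || nsect > 96 || optsz < 64) return 0;    /* the PE spec caps sections at 96 */
    size_t opt = pe + 24;
    if (opt + optsz > len) return 0;
    uint64_t end = rd32(buf + opt + 60);                     /* SizeOfHeaders: same offset in PE32 and PE32+ */
    for (uint16_t i = 0; i < nsect; i++) {
        size_t s = opt + optsz + (size_t)i * 40;             /* IMAGE_SECTION_HEADER is 40 bytes */
        if (s + 40 > len) return 0;
        uint64_t e = (uint64_t)rd32(buf + s + 20) + rd32(buf + s + 16); /* PointerToRawData + SizeOfRawData */
        if (e > end) end = e;
    }
    if (end == 0) return 0;
    if (end > len - off) end = len - off;                    /* truncated image: carve what survived */
    return (size_t)end;
}

typedef void (*carve_cb)(size_t off, size_t size, void *ctx);

/* Scan buf for "MZ"; report each validated image and skip past it so the
   carved file's own bytes are not rescanned. Returns the number of hits. */
size_t carve_pe(const uint8_t *buf, size_t len, carve_cb cb, void *ctx) {
    size_t count = 0;
    for (size_t off = 0; off + 2 <= len; ) {
        size_t sz = (buf[off] == 'M' && buf[off + 1] == 'Z') ? pe_size_at(buf, len, off) : 0;
        if (sz == 0) { off++; continue; }
        if (cb) cb(off, sz, ctx);
        count++;
        off += sz;
    }
    return count;
}

/* --- Constructed sample (not contest data): two minimal PE32 images in filler plus a decoy "MZ". --- */
#define SAMPLE_CAP 4096
static uint8_t sample[SAMPLE_CAP];

static size_t put_minimal_pe(uint8_t *p) {
    memset(p, 0, 0x400);
    p[0] = 'M'; p[1] = 'Z';
    wr32(p + 0x3c, 0x40);                 /* e_lfanew */
    memcpy(p + 0x40, "PE\0\0", 4);
    wr16(p + 0x44, 0x14c);                /* Machine: i386 */
    wr16(p + 0x46, 1);                    /* NumberOfSections */
    wr16(p + 0x54, 0xE0);                 /* SizeOfOptionalHeader for PE32 */
    wr16(p + 0x58, 0x10b);                /* optional header magic: PE32 */
    wr32(p + 0x58 + 60, 0x200);           /* SizeOfHeaders */
    uint8_t *s = p + 0x58 + 0xE0;         /* first (only) section header */
    memcpy(s, ".text", 5);
    wr32(s + 16, 0x200);                  /* SizeOfRawData */
    wr32(s + 20, 0x200);                  /* PointerToRawData */
    memset(p + 0x200, 0xCC, 0x200);       /* section body: int3 filler */
    return 0x400;                         /* 1024-byte image */
}

size_t build_sample(void) {
    memset(sample, 'A', SAMPLE_CAP);
    sample[10] = 'M'; sample[11] = 'Z';   /* decoy: no PE signature follows */
    size_t off = 100;
    off += put_minimal_pe(sample + off);  /* image #1 at offset 100 */
    off += 30;
    off += put_minimal_pe(sample + off);  /* image #2 at offset 1154 */
    return off + 20;                      /* 2198 bytes total */
}

struct hits { size_t off[8], size[8], n; };
static void record(size_t off, size_t size, void *ctx) {
    struct hits *h = ctx;
    if (h->n < 8) { h->off[h->n] = off; h->size[h->n] = size; }
    h->n++;
}

/* Carve the sample; fills h and returns the number of images found. */
size_t demo_carve(struct hits *h) {
    size_t len = build_sample();
    memset(h, 0, sizeof *h);
    return carve_pe(sample, len, record, h);
}

int main(void) {
    struct hits h;
    size_t n = demo_carve(&h);
    for (size_t i = 0; i < n && i < 8; i++)
        printf("PE image at offset %zu, %zu bytes\n", h.off[i], h.size[i]);
    return 0;
}
```

Run on the constructed sample it reports the two images at offsets 100 and 1154, 1024 bytes each, and ignores the decoy. The size calculation deliberately stops at the last section's raw data, so overlays (appended certificates, installer payloads) would be missed; a production carver would also read the security directory, which is left out here.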

Anyway. If you want to check out my writeup it is here, and it is really probably better written than anything I turned in for forensics class last semester because I had time to put it together while Clay studied for the professional engineer exam. I decided on the Tuesday before it was due that I was going to finish the puzzle and really make a go at it; so this is only really about eight or ten hours worth of work over a few nights.

I really have no idea what to do with all this free time since I've graduated and the wedding is thankfully over with. It's not like there isn't work; one of my companies is expanding and the other one wants more hours. Every spare moment in the last few years was eaten up by something; now all I have outside of work is ballet. And malware. But what do I do with it?

