Analyze McAfee quarantine files with punbup.py

Have you ever needed to extract a McAfee quarantine file? Today’s tutorial will show you how to extract a BUP file with punbup in the lab. There are many reasons to extract the files from a McAfee quarantine file; the most common are to perform deeper analysis or to restore a file that was incorrectly identified. We will use the SANS SIFT workstation to perform this task with the punbup.py script.


Acquiring a Forensic Disk Image with FTK Imager and the Wiebetech USB Writeblocker

This tutorial covers the process of imaging a hard drive that has already been removed from a system, using FTK Imager and a write blocker. FTK Imager comes in two versions: one that is installed on a PC and one that can be run from a thumb drive during incident response. We will be using the installed version for this tutorial, but both look and function the same. I will cover the following key steps in the process:


Building a Virtual Cyber Security Lab Part 1 – SANS SIFT

In this post we will start creating a virtualized cyber security training environment by installing the SANS SIFT forensics workstation virtual appliance. To gain the skills needed to become a cyber security analyst, one must practice in an environment with all the tools and a few sacrificial lambs. As you might expect, most businesses will not let you use their production environments for this. So what are aspiring cyber security analysts to do? Build a test lab, of course. A good lab environment will provide the analyst with all of the tools necessary to launch attacks, detect the attacks, and respond to the attacks.


Installing NSA’s Ghidra reverse engineering tool on CentOS 7 in 10 minutes.

Today’s topic is how to install NSA’s Ghidra reverse engineering tool on CentOS 7 in 10 minutes. Reverse engineering of malware normally requires software that is priced out of reach for folks who are trying to get into forensics or incident response; not anymore! NSA released the Ghidra reverse engineering tool at no cost to the end user. This is great news for people wanting to join the ranks of security analysts.


Using GeoIP data from the command line

Today’s topic is using GeoIP data from the command line. Security analysts often need to ascertain an IP address’s geographic location in order to make decisions. The most obvious use is geofencing, i.e. blocking IPs from certain countries or regions. GeoIP information is simple to acquire from the Linux command line with the geoiplookup tool and the MaxMind .dat files. An updated post and video covers MaxMind’s newer GeoLite2 database: How to use GeoLite2 on the command line.
