Easy-To-Use Live Forensics Toolbox For Linux Endpoints - Linux Expl0rer

Easy-to-use live forensics toolbox for Linux endpoints written in Python & Flask.

Capabilities

ps

• View full process list
• Inspect process memory map & fetch memory strings easly
• Dump process memory in one click
• Automaticly search hash in public services
  • VirusTotal
  • AlienVault OTX

users

• users list

find

• Search for suspicious files by name/regex

netstat

• Whois

logs

• syslog
• auth.log(user authentication log)
• ufw.log(firewall log)
• bash history

anti-rootkit

• chkrootkit

yara

• Scan a file or directory using YARA signatures by @Neo23x0
• Scan a running process memory address space
• Upload your own YARA signature

Requirements

• Python 2.7
• YARA
• chkrootkit

Installation

1. Clone repository

git clone https://github.com/intezer/linux_expl0rer

2. Install required packages

pip install -r requirements.txt

3. Setup VT/OTX api keys

nano config.py

Edit following lines:

VT_APIKEY = ''
OTX_APIKEY = ''

4. Install YARA

sudo apt-get install yara

5. Install chkrootkit

sudo apt-get install chkrootkit

Start Linux Expl0rer server

sudo python linux_explorer.py

Usage

1. Start your browser

firefox http://127.0.0.1:8080

2. do stuff

Notes

• We recommend using NGINX reverse proxy with basic http auth & ssl for secure remote access
• Tested with Ubuntu 16.04

Download Linux Expl0rer

Linux Memory Cryptographic Keys Extractor - CryKeX

CryKeX - Linux Memory Cryptographic Keys Extractor

Properties:

• Cross-platform
• Minimalism
• Simplicity
• Interactivity
• Compatibility/Portability
• Application Independable
• Process Wrapping
• Process Injection

Dependencies:

• Unix - should work on any Unix-based OS
  • BASH - the whole script
  • root privileges (optional)

Limitations:

• AES and RSA keys only
• Fails most of the time for Firefox browser
• Won't work for disk encryption (LUKS) and PGP/GPG
• Needs proper user privileges and memory authorizations

How it works
Some work has been already published regarding the subject of cryptograhic keys security within DRAM. Basically, we need to find something that looks like a key (entropic and specific length) and then confirm its nature by analyzing the memory structure around it (C data types).
The idea is to dump live memory of a process and use those techniques in order to find probable keys since, memory mapping doesn't change. Thanks-fully, tools exist for that purpose.
The script is not only capable of injecting into already running processes, but also wrapping new ones, by launching them separately and injecting shortly afterwards. This makes it capable of dumping keys from almost any process/binary on the system.
Of course, accessing a memory is limited by kernel, which means that you will still require privileges for a process.
Linux disk ecnryption (LUKS) uses anti-forensic technique in order to mitigate such issue, however, extracting keys from a whole memory is still possible.
Firefox browser uses somehow similar memory management, thus seems not to be affected.
Same goes for PGP/GPG.

HowTo
Installing dependencies:

sudo apt install gdb aeskeyfind rsakeyfind || echo 'have you heard about source compiling?'

An interactive example for OpenSSL AES keys:

openssl aes-128-ecb -nosalt -out testAES.enc

Enter a password twice, then some text and before terminating:

CryKeX.sh openssl

Finally, press Ctrl+D 3 times and check the result.
OpenSSL RSA keys:

openssl genrsa -des3 -out testRSA.pem 2048

When prompted for passphrase:

CryKeX.sh openssl

Verify:

openssl rsa -noout -text -in testRSA.pem

Let's extract keys from SSH:

echo 'Ciphers [email protected]' >> /etc/ssh/sshd_config
ssh [email protected]
CryKeX.sh ssh

From OpenVPN:

echo 'cipher AES-256-CBC' >> /etc/openvpn/server.conf
openvpn yourConf.ovpn
sudo CryKeX.sh openvpn

TrueCrypt/VeraCrypt is also affected: Select "veracrypt" file in VeraCrypt, mount with password "pass" and:

sudo CryKeX.sh veracrypt

Chromium-based browsers (thanks Google):

CryKeX.sh chromium
CryKeX.sh google-chrome

Despite Firefox not being explicitly affected, Tor Browser Bundle is still susceptible due to tunneling:

CryKeX.sh tor

As said, you can also wrap processes:

apt install libssl-dev
gcc -lcrypto cipher.c -o cipher
CryKeX.sh cipher
 wrap
 cipher

Download CryKeX

Tools to analyze MS OLE2 files and MS Office documents, for malware analysis, forensics and debugging - oletools

oletools is a package of python tools to analyze Microsoft OLE2 files (also called Structured Storage, Compound File Binary Format or Compound Document File Format), such as Microsoft Office documents or Outlook messages, mainly for malware analysis, forensics and debugging. It is based on the olefile parser. See http://www.decalage.info/python/oletools for more info.

News

• 2016-11-01 v0.50: all oletools now support python 2 and 3.
  • olevba: several bugfixes and improvements.
  • mraptor: improved detection, added mraptor_milter for Sendmail/Postfix integration.
  • rtfobj: brand new RTF parser, obfuscation-aware, improved display, detect executable files in OLE Package objects.
  • setup: now creates handy command-line scripts to run oletools from any directory.
• 2016-06-10 v0.47: olevba added PPT97 macros support, improved handling of malformed/incomplete documents, improved error handling and JSON output, now returns an exit code based on analysis results, new --relaxed option. rtfobj: improved parsing to handle obfuscated RTF documents, added -d option to set output dir. Moved repository and documentation to GitHub.
• 2016-04-19 v0.46: olevba does not deobfuscate VBA expressions by default (much faster), new option --deobf to enable it. Fixed color display bug on Windows for several tools.
• 2016-04-12 v0.45: improved rtfobj to handle several anti-analysis tricks, improved olevba to export results in JSON format.

See the full changelog for more information.

Tools:

• olebrowse: A simple GUI to browse OLE files (e.g. MS Word, Excel, Powerpoint documents), to view and extract individual data streams.
• oleid: to analyze OLE files to detect specific characteristics usually found in malicious files.
• olemeta: to extract all standard properties (metadata) from OLE files.
• oletimes: to extract creation and modification timestamps of all streams and storages.
• oledir: to display all the directory entries of an OLE file, including free and orphaned entries.
• olemap: to display a map of all the sectors in an OLE file.
• olevba: to extract and analyze VBA Macro source code from MS Office documents (OLE and OpenXML).
• MacroRaptor: to detect malicious VBA Macros
• pyxswf: to detect, extract and analyze Flash objects (SWF) that may be embedded in files such as MS Office documents (e.g. Word, Excel) and RTF, which is especially useful for malware analysis.
• oleobj: to extract embedded objects from OLE files.
• rtfobj: to extract embedded objects from RTF files.
• and a few others (coming soon)

Projects using oletools:

oletools are used by a number of projects and online malware analysis services, including Viper, REMnux, FAME, Hybrid-analysis.com, Joe Sandbox, Deepviz, Laika BOSS, Cuckoo Sandbox, Anlyz.io, ViperMonkey, pcodedmp, dridex.malwareconfig.com, and probably VirusTotal. (Please contact me if you have or know a project using oletools)

Download and Install:
The recommended way to download and install/update the latest stable release of oletools is to use pip:

• On Linux/Mac:  Sudo -H pip install -U oletools
• On Windows:  Pip install -U oletools 

This should automatically create command-line scripts to run each tool from any directory: olevba, mraptor, rtfobj, etc.
To get the latest development version instead:

• On Linux/Mac: sudo -H pip install -U https://github.com/decalage2/oletools/archive/master.zip
• On Windows: pip install -U https://github.com/decalage2/oletools/archive/master.zip

See the documentation for other installation options.

Documentation:
The latest version of the documentation can be found online, otherwise a copy is provided in the doc subfolder of the package.

Download oletools

A Tool For Forensic File System Reconstruction - RecuperaBit

A software which attempts to reconstruct file system structures and recover files. Currently it supports only NTFS.

RecuperaBit attempts reconstruction of the directory structure regardless of:

• missing partition table
• unknown partition boundaries
• partially-overwritten metadata
• quick format

You can get more information about the reconstruction algorithms and the architecture used in RecuperaBit by reading my MSc thesis or checking out the slides.

Usage

usage: main.py [-h] [-s SAVEFILE] [-w] [-o OUTPUTDIR] path

Reconstruct the directory structure of possibly damaged filesystems.

positional arguments:
  path                  path to the disk image

optional arguments:
  -h, --help            show this help message and exit
  -s SAVEFILE, --savefile SAVEFILE
                        path of the scan save file
  -w, --overwrite       force overwrite of the save file
  -o OUTPUTDIR, --outputdir OUTPUTDIR
                        directory for restored contents and output files

The main argument is the path to a bitstream image of a disk or partition. RecuperaBit automatically determines the sectors from which partitions start.

RecuperaBit does not modify the disk image, however it does read some parts of it multiple times through the execution. It should also work on real devices, such as /dev/sda but this is not advised.
Optionally, a save file can be specified with -s . The first time, after the scanning process, results are saved in the file. After the first run, the file is read to only analyze interesting sectors and speed up the loading phase.

Overwriting the save file can be forced with -w .

RecuperaBit includes a small command line that allows the user to recover files and export the contents of a partition in CSV or body file format. These are exported in the directory specified by -o (or recuperabit_output ).

Pypy
RecuperaBit can be run with the standard cPython implementation, however speed can be increased by using it with the Pypy interpreter and JIT compiler:

pypy main.py /path/to/disk.img

Recovery of File Contents
Files can be restored one at a time or recursively, starting from a directory. After the scanning process has completed, you can check the list of partitions that can be recovered by issuing the following command at the prompt:

recoverable

Each line shows information about a partition. Let's consider the following output example:

Partition #0 -> Partition (NTFS, 15.00 MB, 11 files, Recoverable, Offset: 2048, Offset (b): 1048576, Sec/Clus: 8, MFT offset: 2080, MFT mirror offset: 17400)

If you want to recover files starting from a specific directory, you can either print the tree on screen with the tree command (very verbose for large drives) or you can export a CSV list of files (see help for details).

If you rather want to extract all files from the Root and the Lost Files nodes, you need to know the identifier for the root directory, depending on the file system type. The following are those of file systems supported by RecuperaBit:

File System Type	Root Id
NTFS	5

The id for Lost Files is -1 for every file system.

Therefore, to restore Partition #0 in our example, you need to run:

restore 0 5
restore 0 -1

The files will be saved inside the output directory specified by -o .

Download RecuperaBit

Network Forensic Analysis Tool (NFAT) - NetworkMiner 2.0

NetworkMiner is a Network Forensic Analysis Tool (NFAT) for Windows (but also works in Linux / Mac OS X / FreeBSD). NetworkMiner can be used as a passive network sniffer/packet capturing tool in order to detect operating systems, sessions, hostnames, open ports etc. without putting any traffic on the network. NetworkMiner can also parse PCAP files for off-line analysis and to regenerate/reassemble transmitted files and certificates from PCAP files.

NetworkMiner collects data (such as forensic evidence) about hosts on the network rather than to collect data regarding the traffic on the network. The main user interface view is host centric (information grouped per host) rather than packet centric (information showed as a list of packets/frames).

NetworkMiner has, since the first release in 2007, become a popular tool among incident response teams as well as law enforcement. NetworkMiner is today used by companies and organizations all over the world.     

NetworkMiner can extract files and certificates transferred over the network by parsing a PCAP file or by sniffing traffic directly from the network. This functionality can be used to extract and save media files (such as audio or video files) which are streamed across a network from websites such as YouTube. Supported protocols for file extraction are FTP, TFTP, HTTP, SMB and SMTP.

User credentials (usernames and passwords) for supported protocols are extracted by NetworkMiner and displayed under the "Credentials" tab. The credentials tab sometimes also show information that can be used to identify a particular person, such as user accounts for popular online services like Gmail or Facebook.

 Another very useful feature is that the user can search sniffed or stored data for keywords. NetworkMiner allows the user to insert arbitrary string or byte-patterns that shall be searched for with the keyword search functionality.

NetworkMiner Professional comes installed on a specially designed USB flash drive. You can run NetworkMiner directly from the USB flash drive since NetworkMiner is a portable application that doesn't require any installation. We at Netresec do, however, recommend that you copy NetworkMiner to the local hard drive of your computer in order to achieve maximum performance.     

There are several longed-for features that are part of this major release, such as:

• SMB/CIFS parser now supports file extraction from SMB write operations.
• Added parser for SMB2 protocol (read and write).
• Additional IEC-104 commands implemented.
• Added Modbus/TCP parser (as requested by attendees at 4SICS 2014).
• Improved SMTP parser.
• Improved FTP parser.
• Improved DNS parser.
• GUI flickering is heavily reduced when loading PCAP files or doing live sniffing.
• Extraction of web server favicon images (shown in Hosts tab).
• Added "Keyword filter" to several tabs (see more details below).

Download NetworkMiner 2.0

A Virtual Machine For Assessing Android applications, Reverse Engineering and Malware Analysis - AndroL4b

AndroL4b is an android security virtual machine based on ubuntu Mate includes the collection of latest framework, tutorials and labs from different security geeks and researcher for reverse engineering and malware analysis.

Tools

• APKStudio Cross-platform Qt5 based IDE for reverse-engineering android applications
• ByteCodeViewer Android APK Reverse Engineering Suite (Decompiler, Editor, Debugger)
• Lobotomy Android Reverse Engineering Framework & Toolkit (Static and Dynamic Analysis)
• Mobile Security Framework (MobSF)(Android/iOS) Automated Pentesting Framework (Just Static Analysis in this VM)
• DroidBoxDynamic Analysis of Android Applications
• Dorzer Security Assessment Framework for Android Applications
• APKtool Reverse Engineering Android Apks
• AndroidStudio IDE For Android Application Development
• ClassyShark Android executable browser
• BurpSuite Assessing Application Security
• Wireshark Network Protocol Analyzer
• Smartphone Pentest Framework (SPF)
• Metasploit

Download AndroL4b