Posts

Showing posts from 2014

Digital Forensics Tools Bookmarks

We want to share with you a list of bookmarks related to hardware and software tools for Digital Forensics acquisition and analysis. The bookmark file is in Mozilla Firefox, so it can be directly imported into it.

You can download the file from

http://www.realitynet.it/bookmarks.html

If you are interested in adding a tool to our list, please contact me at mattia @ realitynet.it.

mimikatz offline addendum

Image
I must admit I did not expect so many acknowledgments by writing the volatility mimikatz plugin. I want to say thanks to all people that tweeted, emailed - and so on - me: it is just a piece of the puzzle, and the big pieces are those from volatility and from mimikatz.
First, I want to say thanks to Andrew Case, for the support and for having tweeted about the plugin: probably all those acks are because Andrew is an uber-well-known DFIR expert! Then I want to say thanks to Kristinn Gudjonsson, my favorite plaso “harsh” reviewer, who spotted some “devil” (you wrote it! ;) issues in my code, as the multiple inheritance I used… lol, I will fix it! Last but not least I want to once again say thanks to Benjamin aka gentilkiwi, who wrote an e-mail to me making the congratulations for the plugin.
With this post, I want to point out some features of mimikatz that I had not considered in the first instance.
mimikatz can work offline
In the previous post I wrote “Mimikatz is "normally" us…

et voilà le mimikatz offline

In one of my recent cases, I needed to recover the windows user password: I had different OSes with various levels of cryptography, mainly at file level. Usually I think it's a good approach to recover as many hints as possible, to derive a scheme and/or to find a way to access the data. 
ODI
I like to call it ODI (Offensive Digital Investigations, in Italian "odi" means hear, find out). I remember an old case where I got 500+ strong encrypted archives... too many without a password catalog. I searched for the weakest protection and I found three zip-crypto (not a strong protection) archives: I cracked them in few days and then I was able to derive the schema to access all of them. I was lucky.

This time I felt that the Windows user password was the... key. Usually the dirty work is made with rainbow tables, but no way: I was unable to crack the Windows 7 user password.

mimikatz
I don't remember exactly why I was playing with mimikatz (hem, coff coff) but I had a drea…