
An Overview of Real World Account Hacking Strategies

I often get sick and tired of reading the comments underneath a white-hat hacking tutorial asking “how do I hack a Gmail”, “how to hack a Facebook account”, etc., from people who don't really understand the fundamentals of what they are asking. Then there are the RATters, bot masters, and others spreading Trojans with their backdoored, fake Facebook-hacking programs, preying on the ignorant people who download them.

The “Master Hack” would be to find some insane zero-day in the web application front end of the website's own servers, attack them directly, and pwn their massive database. That's just not going to happen, and surely not by anyone who has to ask “how to”. I'll tell you why. Google, Yahoo, Facebook (ANY of the big wheels in the cyber world) have entire teams of security specialists constantly upgrading, monitoring, and researching their entire internal network infrastructure. Nothing connected to a network is ever 100% secure, though, so I guess if you're a noob you may still have something like a 0.00000001% chance of accidentally finding a way in before it is found and patched. They also have all the money in the world to ensure they are not running outdated or unsafe SQL versions or rules. Then we come to brute-forcing, a semi-direct attack. Anyone who has (in the last SEVERAL years) tried guessing a password to an account on any of the big sites more than a few times, and locked down the account after so many wrong guesses, can quickly ascertain why it wouldn't be wise to throw 50 wrong guesses per second at one.

I could go on and on about impractical theories and misconceptions, but let's get to the fun part. I will go over how accounts are actually getting hacked into in the real world. This isn't a tutorial, just an overview of various real world strategies that don't take much technical know-how. Most of the time it is more of a cleverness skill-set than a programming one.

The majority of hacked accounts happen via simply stealing the passwords to them. Once the attacker has the credentials, there are still often hurdles to overcome in today's world, most having to do with the security settings of the website and the account itself. The attacker may be in a different country, and then the account may automatically lock down and require verification (via SMS, alternate email, etc.). Not always, but I promise it does happen quite often. In this case he would have to be careful to use a proxy or VPN that matches the same location as the victim, or perhaps find a Tor exit node via AdvOR that is in the same location. But the problem with using freely available proxies, VPNs, and exit nodes is that they quickly become blacklisted through spammer usage and get flagged by the website. Also, many of the free proxies have very limited bandwidth or other restrictions. Most of this can be worked around for a few bucks, though.

The methods for stealing creds are far and wide, local and remote, and ever evolving in a war with the ever-evolving security industry: the same industry that funds research into hacking its own systems and teaching the world how to break into them, in order to funnel more importance and money into its cause. But the economics and politics are a whole other subject.

Phishing

In this method, the attacker attempts to direct unwary users to a fake login page, usually by spamming the URL. Spamming URLs used to be done most prevalently via massive email lists, but that is quickly being replaced by fake accounts on social media sites. Anyone can make a fake account of a pretty girl and get circles of thousands of friends very quickly. Sometimes the victim has malware or a network intrusion that is redirecting them to the malicious page. Either way, the point is that the victim is tricked into visiting a fake page that looks like the real one, and if the victim fills out the username and password fields, a PHP script writes the values to a log on the attacker's server.

The usual step-by-step for this technique is to upload the fake, modified webpage, the script, and the log to a web-hosting provider. But the providers are on the watch for that these days, and most phishing pages are actually being run on an Apache server on the attacker's own box, with port 80 forwarded to it from the router and the obfuscated URL actually pointing straight to their external IP (I know. Sad but true.). Others are hosted from a paid bullet-proof hosting service.

RATs, Keyloggers, Botnets, Stealers, and Other Trojans

These days, trojans come far and wide with easy-to-use client interfaces. Most, such as RATs, consist of a client and a server builder. The server is the malicious exe that reports back to the client via reverse TCP (usually), through the port specified. The server exe can be crypted, given icons and various install options, as well as persistence, process and default-browser injection... In other words, they can be hard to get rid of for the average user. Once crypted and tested, the server exe is usually bound to some software, or the file extension is spoofed with charmap to reverse the characters so it looks like a .jpg, and a real .jpg is converted to a .ico and used as the icon. They are spread in warez, on malicious URLs hosting a JDB (Java drive-by) that tries to execute the code through the browser, and sometimes via a direct client-side attack with an exploit kit or Metasploit that attempts to execute the malicious exe via a vulnerability in a program on the victim's box.

Once an attacker has r00t, or even user privileges, on the victim's machine, the server will report back to the client with whatever functions it was designed for. This can (AND WILL) include keystrokes, screenshots, control of processes on the victim's computer, remote desktop, and spy features such as webcam and mic control (he can watch you and listen to you and save all of it!!!!).

Keyloggers, file-stealers, and password-stealers are pretty self-explanatory. Usually the malicious exe is built to deliver its loot to an FTP server, sometimes via SMTP. Botnets are usually built for only specific functions and are geared more toward mass infection. The client side of a botnet is a builder executable and a control panel run on a local (or remotely hosted) server and accessed via a web interface with a common browser.

MITM (Man in the Middle) Attack

These attacks are not really geared toward mass-victim hacks... but that is what makes them scarier. I would much rather an attacker have my creds buried among 100,000 others that he has than have someone sitting across the room spending hours reading packets to get my credentials and those of 3 others. It is usually more focused on and specific to the victim. This is not a rule; it is just how it usually occurs in the real world.

In a MITM attack, the attacker is usually running an automated script that spoofs his MAC address, blocks usage of SSL encryption (via sslstrip, etc.), and captures packets between machines. The attacker's machine basically tells the victim's machine that it is the router and tells the router that it is the victim's machine, and then passes the packets along to the destination device as if it were never there. SSL is usually blocked by a script that enforces HTTP only, thus leaving creds passed along the network in plain text. Sometimes a favicon is even added that looks like a lock, so that it gives the impression of a safe, encrypted protocol.
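The gateway impersonation described above leaves a footprint on the wire: the router's IP suddenly gets claimed by a second MAC, and one MAC ends up claiming two IPs. The monitor below is an added example (not code from the original article) that flags exactly that; the gateway address and the ARP replies it processes are constructed sample data, not a real capture.

```python
"""Detect ARP-based gateway impersonation from a stream of ARP replies.

Added example, not code from the original article. The monitor remembers
which MAC first claimed each IP and alerts when a different MAC claims the
same IP, treating the gateway's IP as critical. Inputs are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass, field

GATEWAY_IP = "192.168.1.1"   # assumption: the LAN's default gateway

# Constructed ARP replies seen on the wire: (timestamp, sender IP, sender MAC).
SAMPLE_ARP_REPLIES = [
    (1.0, "192.168.1.1",  "aa:bb:cc:00:00:01"),  # legitimate router
    (2.0, "192.168.1.20", "aa:bb:cc:00:00:20"),  # victim laptop
    (3.0, "192.168.1.1",  "AA:BB:CC:00:00:01"),  # router again (only the case differs)
    (4.0, "192.168.1.1",  "de:ad:be:ef:00:99"),  # attacker claims the gateway
    (4.5, "192.168.1.20", "de:ad:be:ef:00:99"),  # ...and the victim, towards the router
    (5.0, "192.168.1.1",  "de:ad:be:ef:00:99"),  # repeat: already alerted, no new alert
]


@dataclass
class ArpMonitor:
    gateway_ip: str
    # IP -> MAC that first claimed it; the baseline we trust
    trusted: dict = field(default_factory=dict)
    # IP -> every MAC that has claimed it (baseline plus impostors)
    claims: dict = field(default_factory=lambda: defaultdict(set))
    alerts: list = field(default_factory=list)

    def observe(self, ts, ip, mac):
        """Feed one ARP reply; return an alert dict or None."""
        mac = mac.lower()
        if ip not in self.trusted:
            self.trusted[ip] = mac
            self.claims[ip].add(mac)
            return None
        if mac in self.claims[ip]:
            return None          # known binding (trusted or already alerted)
        self.claims[ip].add(mac)
        alert = {
            "ts": ts,
            "ip": ip,
            "old_mac": self.trusted[ip],
            "new_mac": mac,
            # a new MAC for the gateway means every host's traffic is being redirected
            "severity": "critical" if ip == self.gateway_ip else "warning",
        }
        self.alerts.append(alert)
        return alert

    def shared_macs(self):
        """MACs that have claimed more than one IP: the two-sided poison footprint."""
        by_mac = defaultdict(set)
        for ip, macs in self.claims.items():
            for mac in macs:
                by_mac[mac].add(ip)
        return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


def analyze(replies, gateway_ip=GATEWAY_IP):
    """Run the monitor over a list of replies and return it for inspection."""
    monitor = ArpMonitor(gateway_ip)
    for ts, ip, mac in replies:
        monitor.observe(ts, ip, mac)
    return monitor


if __name__ == "__main__":
    mon = analyze(SAMPLE_ARP_REPLIES)
    for a in mon.alerts:
        print(f"[{a['severity']}] t={a['ts']} {a['ip']}: {a['old_mac']} -> {a['new_mac']}")
    print("MACs claiming several IPs:", mon.shared_macs())
```

On a real network the replies would come from a packet capture; a static DHCP/ARP inventory can replace the "first claim wins" baseline, which is itself spoofable if the attacker is already present when monitoring starts.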

There are many variations of local network attacks. Some try to inject malicious iframes into the victim's browser or run other client-side attacks. Some don't capture creds or block SSL, but just capture the session cookie, losing access as soon as the victim logs out or it expires. Some even broadcast a fake access point. Most are done on public wifi networks. Some are corporate-espionage-type attacks, but by far most are coffee shop/parking lot attacks by bored teenagers running automated scripts on a BackTrack or Kali Linux machine.

The Local Attack

These are typically done by stalkers or nosy friends who find portable, easy-to-use forensic programs online, put them on a USB stick and play with someone's computer. They look for lots of things, including deleted files. But for this discussion, they look for account passwords saved by the browser of a naive user who doesn't clear his history, saved form data, passwords, etc.

Social Engineering

Hey, I know it sounds crazy, but many a social engineer has found the answers to security questions in someone's email or on social networks, or just asked them in conversation or already knew them, and then reset the passwords to their accounts. You never know.

I didn't get into SQL injection or other hacking of smaller sites and trying the creds you find there on the big sites, but that happens too.

That concludes my overview of attack strategies that are commonplace in the real world. Yes, there are many ways to get into things and many more will evolve. Some of these may be obsolete in the future. But for the purposes of this discussion, this is how it is actually being done.


About the Author

I'm Gary. Though I have many names in many places, this is my true one. I am honored to have been invited by RHA InfoSec to create content. I can't really go all the way into my experience; suffice to say my greatest teachers have been hours upon hours of trial, effort, information and second opinions.

My skill-set is wide and varied and I am more a "jack of all trades" than a specialist in any one category. I stay pretty busy with various projects (not all computer related), but I will do my best to lend my time, effort, and knowledge. If I am busy or unable to answer any of your inquiries or handle your requests, for whatever reason, then I am sure Rafay, Preston or any of the others can when they are able. Last but not least: I (PERSONALLY) do not want your likes, recognition, attention, traffic, or friends. Please save all of that for Rafay and the RHA page. These guys have put this together for you and deserve all the recognition for it. Thank you.

phpThumb Server Side Request Forgery

Recently my friend "Deepankar Arora" and I discovered a server side request forgery vulnerability in the latest version of phpThumb. The vulnerability is not inside the script itself, but occurs because webmasters do not configure phpThumb properly and because the high security settings were not turned on by default until now. Before we talk about the details, let us briefly introduce the readers to the SSRF vulnerability.

What is a Server Side Request Forgery?

A server side request forgery is not a single vulnerability; rather, it represents a class of vulnerabilities that includes attacks such as XXE, HTTP response splitting, etc. In a server side request forgery an attacker creates forged requests to communicate with the intranet or internet, using the vulnerable server as a pivot point. Several other attacks can be performed, however we will keep it at a basic level so that it can be understood easily.


The debug mode in phpThumb was introduced for troubleshooting purposes; however, when turned on, it can result in a server side request forgery. By exploiting this SSRF vulnerability an attacker may be able to scan local or remote ports, fingerprint services, etc.

Let's take a look at the piece of code responsible for fetching an external image:

if ($rawImageData = phpthumb_functions::SafeURLread($phpThumb->src, $error, $phpThumb->config_http_fopen_timeout, $phpThumb->config_http_follow_redirect)) {
    $phpThumb->DebugMessage('SafeURLread('.$phpThumb->src.') succeeded'.($error ? ' with messsages: "'.$error.'"' : ''), __FILE__, __LINE__);
    $phpThumb->DebugMessage('Setting source data from URL "'.$phpThumb->src.'"', __FILE__, __LINE__);
    $phpThumb->setSourceData($rawImageData, urlencode($phpThumb->src));
} else {
    if ($rawImageData = phpthumb_functions::SafeURLread($_GET['src'], $error, $phpThumb->config_http_fopen_timeout, $phpThumb->config_http_follow_redirect)) {
        $md5s = md5($rawImageData);
        // ... (the excerpt ends here in the original post)

The above code is responsible for fetching an external image file via the "src" parameter. The code doesn't check whether the retrieved data is actually a valid image (.jpg, .png, .gif, etc.). Therefore, with debug mode set to "True", it displays the error message received from the lower-layer network sockets, which enables an attacker to launch a server side request forgery attack.

Furthermore, I noticed that a validation is performed on the URL scheme, aimed at protocols such as file://:

if (preg_match('#^(f|ht)tp\://#i', $phpThumb->src)) {

However, this doesn't prevent the attack completely, as an attacker may be able to leverage other protocols such as gopher://, dict://, etc. in order to exploit this vulnerability. Suppose the target host has known ports 22, 80 and 25 open; where server errors are turned on, there would be a distinct response when probing open ports vs. closed ports.
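The fetch path discussed above accepts any "src" and, with debug on, echoes the socket error back to the client, which is what turns the fetcher into a port scanner. The validator below is an added example (Python, not phpThumb's own PHP) of what the fetcher would need to check before issuing a request: an http/https scheme allowlist, a port allowlist, rejection of hosts that resolve to loopback, private or other non-public ranges, and a single generic client-facing error. The resolver is injected so the example runs offline; the DNS table and the intranet hostnames in it are constructed.

```python
"""Validate an externally supplied image URL before the server fetches it.

Added example, not phpThumb's code. resolve(host) is injected so the check
can run offline against a constructed DNS table; in production it would wrap
socket.getaddrinfo(). The reason string is for the server log only.
"""
import ipaddress
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}   # assumption: image sources are web URLs only
ALLOWED_PORTS = {80, 443}             # assumption: no non-standard ports needed


def is_public_address(ip_text):
    """True only for globally routable unicast addresses (v4 or v6)."""
    ip = ipaddress.ip_address(ip_text)
    return ip.is_global and not ip.is_multicast


def validate_image_url(url, resolve):
    """Return (ok, reason). `resolve(host)` returns a list of IP strings.

    Checks are ordered cheapest first; the port check runs before DNS so a
    request can never reach the resolver with a port we would refuse anyway.
    """
    try:
        parts = urlsplit(url)
    except ValueError:
        return False, "unparseable url"
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme!r}"
    if not parts.hostname:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "userinfo not allowed"
    try:
        port = parts.port or (443 if scheme == "https" else 80)
    except ValueError:
        return False, "invalid port"
    if port not in ALLOWED_PORTS:
        return False, f"port not allowed: {port}"
    try:
        addrs = resolve(parts.hostname)
    except OSError:
        return False, "dns failure"
    if not addrs:
        return False, "host did not resolve"
    # Every resolved address must be public: a name that answers with one
    # public and one internal address is still a pivot into the intranet.
    for addr in addrs:
        try:
            if not is_public_address(addr):
                return False, f"non-public address: {addr}"
        except ValueError:
            return False, f"bad address: {addr}"
    return True, "ok"


def client_message(ok):
    """One fixed message for every failure, so open and closed ports look alike."""
    return "image loaded" if ok else "unable to load image"


# Constructed DNS table standing in for a real resolver (names are examples).
FAKE_DNS = {
    "images.example.com": ["93.184.216.34"],
    "intranet": ["10.0.0.5"],
    "webmail": ["10.0.0.6"],
    "localhost": ["127.0.0.1"],
    "split.example.com": ["93.184.216.34", "192.168.1.10"],
}


def fake_resolve(host):
    try:
        ipaddress.ip_address(host)
        return [host]                 # literal address: nothing to look up
    except ValueError:
        return FAKE_DNS.get(host.lower(), [])


if __name__ == "__main__":
    for u in ("http://images.example.com/logo.png", "gopher://images.example.com:25/",
              "http://intranet/", "http://localhost:22/", "http://split.example.com/x.jpg"):
        ok, reason = validate_image_url(u, fake_resolve)
        print(f"{u:40} -> {client_message(ok)!r:22} (log: {reason})")
```

Note that the DNS check happens before the fetch, so a host whose record changes between resolution and connection (DNS rebinding) is not covered here; pinning the resolved address for the actual connection closes that gap.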

Proof of Concept

h=32&w=32&src=   // Open port
h=32&w=32&src=   // Open port
h=32&w=32&src=   // Closed port

Probing for open port 80

Probing for open port 22

Probing for closed port 1337

SSRF Inside-Out

In a similar manner an attacker may be able to leverage this attack to scan ports on the intranet. Following are the most common hostnames found on an intranet that are worth looking for.

1) intranet
2) webmail
3) jira
4) helpdesk
5) bugzilla
6) localhost

In cases where the debug mode is disabled, the attacker would receive the following error message:


It is recommended to turn off the "debug" mode. Debug output can be disabled by changing the following line inside the PHP configuration from

$PHPTHUMB_CONFIG['disable_debug'] = false;

to

$PHPTHUMB_CONFIG['disable_debug'] = true;


1) The authors explicitly disabled all protocols other than http/https/ftp. This minimizes some of the attack vectors.

2) The debug_mode has been disabled and the "High Security Mode" has been enabled by default in phpThumb version 1.7.12. Take a look at the author's note:

3) Further security improvements are to be made in future versions.

Special thanks to "David Vieira-Kurz" from Majorsecurity for his advice on this issue. 

Transport Layer Security - Part 1

This is a non-technical guide which will make you familiar with the transport layer. The main purpose of writing this guide is to point out why we need serious security implementation on the transport layer: what if the components of this layer get compromised?

In today’s digital world, every business has a website. Whether it is a small firm or a big agency, government or non-government, they have a website and they use websites. It is clearly visible that the number of individuals and companies accessing the internet has rapidly increased. As businesses around the globe grow rapidly, they want the internet to act as the e-commerce platform for their business so they can manage everything centrally. However, over the years we have watched web services across the internet prove vulnerable in various major ways. No business wants to put itself into a vulnerable environment. As a result, the demand for security in the corporate world has grown as well.

Suspicious File Analysis With PEFRAME

In this article I am going to conduct a walk-through of a nice Python tool named PeFrame. This tool should be an analyst’s first choice for the static analysis of a piece of malware. I am going to discuss each and every feature provided by this tool and I will also show you why it is important to find this information about the malware.

What is Peframe?

This is a Python-based tool used to assist in the analysis of PE files. There are many different tools available for malware analysis, but this tool is strictly built for portable executable malware analysis, such as .exe and .dll files.


eLearnSecurity Web Application Penetration Testing (WAPT) - Course Review

As the years have passed, we have seen an upward progression in the layer of insecurity, starting from physical layer attacks (Layer 1) towards application layer attacks (Layer 7) of the OSI model. Application layer attacks are where we are at right now, and frankly speaking, from my experience I find application layer attacks easier to learn and exploit compared with network layer attacks. The defenses are easier to break and there are lots of attack vectors involved. All you need are the right tools to be able to automatically scan and exploit application layer vulnerabilities. Taking bug bounty programs as an instance, this is exactly what is happening: I have literally seen people with absolutely zero security knowledge finding and reporting bugs, getting listed in halls of fame and making money. The question arises: if it's that easy to exploit applications, what if they could use the knowledge for a negative cause? However, that's a different story which we are not gonna talk about today.

It's super easy to download a vulnerability scanner such as Netsparker, Acunetix or Netstalker and start scanning websites and reporting vulnerabilities. However, what separates an actual penetration tester from someone who takes on bug bounty programs as a hobby is the ability to understand the underlying technologies, and frankly speaking, that is the fundamental of all penetration testing: the better you understand the application and its underlying technology, the more chances there are that you would find critical bugs within it. With that being said, there are certain restrictions on what a scanner can and cannot do. For example, a scanner cannot find logical bugs, second-order SQL injections, etc., since it doesn't know the context; therefore I only use them for quality assurance or for pointing out an interesting part of the web application which I could look into further.

To keep up with the knowledge and the trends, I regularly take new courses on penetration testing. Recently I got a chance to take eLearnSecurity's "Web Application Penetration Testing" course and it turned out to be an amazing experience.


eLearnSecurity's WAPT was specifically designed for beginners who have just come into the field of web application penetration testing and security and want to take their knowledge to the next level. The authors of this course have done a great job of covering most aspects of web application penetration testing.

Course Contents

The course is divided into several modules, and personally I feel that every module is covered in extensive depth and does its job of being clear and self-explanatory to the readers. Following are the modules that you would come across; I will talk briefly about what's inside each of them.


This module introduces the readers to the fundamentals of web security. It talks about some of the important concepts in security, such as the same origin policy and other things necessary for understanding the rest of the course.


This particular module is what I find missing from most web application security courses. Penetration testing is not only about finding the vulnerabilities and exploiting them; it's about learning the art of reporting, which turns out to be the most important step of a penetration test. If your report sucks, you suck. You might argue by saying "Did they hire a web designer or a penetration tester to do the job?", however it's true that clients do take your reports seriously, and this is what this chapter aims at explaining: the art of reporting. I would have liked this module more if they had given a sample penetration testing report to the readers so that they could figure out exactly how an actual report looks.

Testing Information Gathering

This particular module talks about enumerating web applications: things such as subdomains, backend services, backend databases, etc. Once again the authors do a great job of explaining things in a very simple manner.

Cross-Site Scripting

This module talks about the various types of cross-site scripting attacks and how to detect them inside a real application. For me this module was a bit basic, as I was expecting extensive coverage of things such as DOM XSS and WAF bypass. Nevertheless, the module is perfect from a beginner's perspective.

SQL Injections

I personally really liked this module, since it talks about most of the types of SQL injection attacks. The best part of this module is that it talks about the concepts and how things are done manually, instead of talking about tools such as Havij or sqlmap to exploit the vulnerabilities in an automated fashion.

Session Security

This module talks about a wide variety of session attacks such as session ID prediction, session fixation, etc. To quote them: "Session related vulnerabilities will be the subject of this module with extensive coverage of the most common attacking patterns. Code samples on how to prevent session attacks are provided in PHP, Java and .NET. At the end of the module the student will master offensive as well as defensive procedures related to session management within web applications".

Flash Security and Attacks

Although Flash has been overtaken by HTML5, it is still present on lots of websites and it's not going away anytime soon. This module first talks about Flash security models and then about how to go about attacking Flash-based files, which in my opinion is a great approach.


This module talks about a wide variety of authentication-based attacks. To quote them: "During this module the student will learn the most common authentication mechanisms, their weaknesses and the related attacks. From inadequate password policies to weaknesses in the implementation of common features".

HTML5 and New Frontiers

This module is the main essence of the course. With the arrival of HTML5 and things such as local storage, web storage, etc., lots of new attack vectors have been introduced; this module talks about a wide variety of HTML5-based attack vectors in detail.

Common Vulnerabilities

This module talks about less publicized vulnerabilities such as clickjacking, RFI, LFI, HTTP response splitting, etc.

Web Services

This module talks about pentesting web services, REST APIs, etc., as their growing popularity has brought us new attack vectors.

XPath Injection

I don't really know why they needed a separate module to cover XPath injection; they might have created a module called "Injection Attacks" and included all the types of injection attacks under it. Anyway, this module talks about XML structure first and then about XML injection and how to go about exploiting it.

VA and Exploitation Tools

This module talks about popularly used vulnerability assessment tools such as Acunetix, Netsparker, etc. to effectively scan for vulnerabilities; it also talks about using these tools to actually exploit some of the vulnerabilities.

Coliseum Lab

The course comes with the Coliseum lab, which itself is divided into two types of labs: guided labs and unguided labs, which are actual challenges. The labs are built in the cloud and destroyed after a certain time by default. The labs allow you to practice what you learned throughout the course.


After you have completed the course, you can schedule the examination. You are provided a web application and your objective is to gain administrative access to it and document all high-risk vulnerabilities. The total time frame for the exam is 7 days, after which you are given 7 more days to document the report and submit your findings. It was a fun and challenging exam; it took me 2 days to complete the challenge, and it might have been even faster if it were not for my slow internet connection.

Areas for Improvement

The overall course is good, but it certainly has some areas that should be worked on:
  • Recently, due to the increase in the use of client-side JavaScript, we have seen a rise in security issues such as DOM-based XSS. I didn't see any in-depth coverage of this attack; it was taught at a very basic level.
  • Web application firewalls are very common nowadays; the course didn't cover the art of bypassing web application firewalls or common techniques that could be used to evade them.

Overall, I would rate the course 8/10; from a beginner's perspective it's a must-do course. The best part is that they don't only teach you how to find vulnerabilities, but also how to document them.

For more information, please visit the official website -

Memory Forensics, Analysis And Techniques PART 2


Volatility is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from samples of volatile memory (RAM).

Note: Before reading this post, I'd recommend you go ahead and read part 1 - Memory Forensics, Analysis And Techniques PART 1


The tool supports a variety of dump formats, performs some automatic conversion between formats and can be used on any platform that supports Python. Installation and use are simple: just unzip the package supplied by Volatile Systems on a system where Python is already installed.

C:\Volatility>python volatility

Figure 1) Supported internal commands.

Example: volatility pslist -f /path/to/my/file

Figure 2) Using the volatility command.

Figure 3 shows the use of the command "ident", which can be used to identify the date and time the image was collected, as well as providing information about the operating system on which the dump was generated:

C:\Volatility>python volatility ident -f C:\memorytest_rafael_fontes.dmp

Figure 3) Command ident.

You can use the --help option with any command to get help:

C:\Volatility>python volatility ident --help

Figure 4) The Volatility help option.

To list the processes that were running at the time the dump was generated, use "pslist". As can be seen below, the output will contain the name of the process, its identifier (Pid) and its parent process ID (PPID), as well as the time it was started and other useful information.

C:\Volatility>python volatility pslist -f C:\memorytest_rafael_fontes.dmp

Figure 5) Using the command pslist.

The "connscan" command provides information about the network connections that were active at the time the memory was collected. The "sockets" command displays the sockets that were open at the time the dump was generated. The "files" command displays the open files for each process; you can specify a process ID on the command line to display only the files opened by that particular process.

C:\Volatility>python volatility files -p 1740 -f C:\memorytest_rafael_fontes.dmp

Figure 6) Using the command files.

The "dlllist" command displays a list of DLLs loaded by each process, and the "regobjkeys" command displays a list of registry keys opened by each process.

C:\Volatility>python volatility dlllist -p 1740 -f C:\memorytest_rafael_fontes.dmp

Figure 7) Using the command dlllist.

C:\Volatility>python volatility regobjkeys -p 1740 -f C:\memorytest_rafael_fontes.dmp

Figure 8) Using the command regobjkeys.

Through the "procdump" command it is possible to extract an executable from the memory dump, giving access to the code that was running on the machine and thus a better understanding of its behavior.

C:\Volatility>python volatility procdump -p 1740 -f C:\memorytest_rafael_fontes.dmp

Figure 9) Using the command procdump.

It was possible to observe the generation of the executable "executable.1740.exe" and the occurrence of informational messages like "Memory Not Accessible" after using the "procdump" command. This is because not all virtual memory addresses are accessible in the image; they may have been, for example, paged to disk. These messages therefore provide an audit log, so that you can determine which parts of the generated executable were successfully retrieved.

Practical examples: to determine the date and time of the image, one can use the following command:

>>> python volatility datetime -f target-2013-10-10.img

    Image Local date and time: Mon Oct 10 16:20:12 2013
The command pslist, in turn, determines the processes that were running at the time the image was captured:

>>> python volatility pslist -f target-2013-10-10.img

Name Pid PPID THDs HNDs Time
lsass.exe 536 480 20 369 Mon Oct 10 16:22:18 2013

To determine which system ports were open, one can employ the command "sockets". For the system under analysis, it is possible to detect, for example, the process LSASS.exe listening on port 4500.

>>> python volatility sockets -f target-2013-10-10.img
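The pslist output above gives Name, Pid, PPID, THDs, HNDs and start time per process, which is enough to rebuild the process tree and spot a process whose parent is not the one Windows normally uses. The parser below is an added example (not part of the original article or of Volatility); the rows it parses are constructed around the article's lsass.exe entry, and the expected-parent table is an assumption for an XP-era image like the one analyzed here.

```python
"""Parse Volatility 1.x pslist text and flag suspicious parent/child pairs.

Added example, not code from the article or from Volatility. Rows and the
expected-parent table are constructed/assumed for a Windows XP image.
"""
import re

# Constructed pslist output modelled on the article's lsass.exe row; the
# last two rows deliberately contain an orphan and an odd parent.
SAMPLE_PSLIST = """\
Name                 Pid    PPID   THDs   HNDs   Time
System               4      0      55     234    Thu Jan 01 00:00:00 1970
smss.exe             396    4      3      19     Mon Oct 10 16:22:15 2013
csrss.exe            456    396    11     385    Mon Oct 10 16:22:17 2013
winlogon.exe         480    396    20     512    Mon Oct 10 16:22:17 2013
lsass.exe            536    480    20     369    Mon Oct 10 16:22:18 2013
services.exe         524    480    16     266    Mon Oct 10 16:22:18 2013
explorer.exe         1740   1700   13     401    Mon Oct 10 16:23:02 2013
svchost.exe          2044   1740   5      98     Mon Oct 10 16:40:11 2013
"""

# Assumed parent expectations for Windows XP (lower-case names).
EXPECTED_PARENT = {
    "smss.exe": {"system"},
    "csrss.exe": {"smss.exe"},
    "winlogon.exe": {"smss.exe"},
    "lsass.exe": {"winlogon.exe"},
    "services.exe": {"winlogon.exe"},
    "svchost.exe": {"services.exe"},
}

# Name, Pid, PPID, THDs, HNDs, then the free-text start time.
ROW_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(.*)$")


def parse_pslist(text):
    """Return one dict per process row; the header never matches (Pid is not numeric)."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        name, pid, ppid, thds, hnds, when = m.groups()
        rows.append({"name": name, "pid": int(pid), "ppid": int(ppid),
                     "threads": int(thds), "handles": int(hnds), "time": when.strip()})
    return rows


def children_of(rows, pid):
    """Names of the direct children of `pid`, in output order."""
    return [r["name"] for r in rows if r["ppid"] == pid]


def find_anomalies(rows):
    """(pid, name, reason) for orphans and for processes with an unexpected parent."""
    by_pid = {r["pid"]: r for r in rows}
    findings = []
    for r in rows:
        parent = by_pid.get(r["ppid"])
        if parent is None:
            if r["ppid"] != 0:   # ppid 0 is the System/idle root, not an orphan
                # Parent already exited at capture time; normal for explorer.exe
                # (started by userinit) but worth recording for anything else.
                findings.append((r["pid"], r["name"],
                                 "orphan: parent %d not in list" % r["ppid"]))
            continue
        expected = EXPECTED_PARENT.get(r["name"].lower())
        if expected and parent["name"].lower() not in expected:
            findings.append((r["pid"], r["name"],
                             "unexpected parent %s (expected %s)"
                             % (parent["name"], "/".join(sorted(expected)))))
    return findings


if __name__ == "__main__":
    procs = parse_pslist(SAMPLE_PSLIST)
    print("children of winlogon.exe (480):", children_of(procs, 480))
    for pid, name, reason in find_anomalies(procs):
        print(f"pid {pid} {name}: {reason}")
```

The same parser applies to the `pslist -f` output shown earlier; only the expected-parent table changes between Windows versions.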

Forensic Memory for Linux distributions:

S.M.A.R.T. Linux

Figure 1) S.M.A.R.T. Linux.

S.M.A.R.T. Linux is a bootable floppy distribution containing a tool (smartmontools) for monitoring IDE/SCSI hard disks (using Self-Monitoring, Analysis and Reporting Technology). Why floppy? Probably because all other distributions containing this useful utility are CD versions [and not everybody has a CD-ROM ;)]. It's going to be free, small, helpful and easy to use. The current version is based on kernel 2.4.26, uClibc 0.9.24 and the BusyBox 1.00 official release, built on Slackware 10.0.
The Sleuth Kit and Autopsy

Figure 2) Autopsy.

Figure 3) The Sleuth Kit.

Autopsy™ and The Sleuth Kit™ are open source digital investigation tools (a.k.a. digital forensic tools) that run on Windows, Linux, OS X, and other Unix systems. They can be used to analyze disk images and perform in-depth analysis of file systems (such as NTFS, FAT, HFS+, Ext3, and UFS) and several volume system types.
CAINE (Computer Aided Investigative Environment)

Figure 4) C.A.I.N.E.

CAINE (an Italian GNU/Linux live distribution created as a digital forensics project) offers a complete forensic environment that is organized to integrate existing software tools as software modules and to provide a friendly graphical interface.
The main design objectives that CAINE aims to guarantee are the following:
• An interoperable environment that supports the digital investigator during the four phases of the digital investigation.
• A user friendly graphical interface.
• A semi-automated compilation of the final report.


Below are some tools that can be used for forensic analysis on computers with Mac OS X.

Mac OS X Forensics Imager:

Figure 1) Mac OS X Forensics Imager.

Tool for imaging a disk byte by byte in EnCase or FTK format, for later forensic analysis in those tools.

Metadata Extractor

Application to extract metadata from the files in a specific folder on a Mac. It displays the location on Google Maps in case there is geolocation information in the file.

File Juicer:

Figure 2) File Juicer 1.

Figure 3) File Juicer 2.

Commercial software that enables the extraction of images and text from any file. It ignores the format and scans files byte by byte to identify the data it supports. Among other features, the following find application in forensic analysis:

· Extract images from PowerPoint presentations and PDFs
· Recover deleted pictures and videos from memory cards
· Recover text from corrupt files
· Extract images and HTML files from the Safari cache
· Extract attachments from email archives
· Generate a Word document from simple PDFs
· Recover photos from iPods in TIFF
· Convert ZIP files which are in .EXE
· Extract JPEG images from RAW format (Canon & Nikon)
· Extract data from different types of cache file
· Find and extract files in general in JPEG, JP2, PNG, GIF, PDF, BMP, WMF, EMF, PICT, TIFF, Flash, Zip, HTML, WAV, MP3, AVI, MOV, MPG, WMV, MP4, AU, AIFF or text format.


There are several trends that are revolutionizing memory forensics. The process of memory forensic analysis is also moving toward better solutions and refinement of the technique; it is an increasingly relevant approach in the context of computer forensics. In certain cases the popularity of tools for encrypting volumes, such as TrueCrypt, or of malware residing only in volatile memory, raises the difficulty of analyzing the data stored on these devices.

However, memory forensics is best seen as a complement to other approaches. One example is the procedure in which the investigator, after capturing an image of volatile memory, uses "live system analysis" to decide the next step in solving the case. Later, in the laboratory, "memory forensics" complements traditional forensics, giving the process greater agility and precision.

I hope my article has helped computational experts and specialists in information security.
This is a guest post written by RAFAEL FONTES SOUZA. He is the maintainer of the “Project Backtrack Team Brazilian” and works at RHAinfosec as a senior penetration tester. He is also the founder of the "Wikileaks and Intelligence, Cypherpunks". He communicates well with groups and the general public, took part in college projects with a focus on business organization, and currently seeks work experience outside of Brazil. He frequently contributes at RHA and talks about various topics related to internet security.

Memory Forensics, Analysis And Techniques Part 1


Due to the increased number of cyber-crime and intrusion cases, along with the growing storage capacity of hard disks and devices, it became necessary to extend the techniques of computer forensics. Current work consists of collecting and analysing static data stored on hard drives, seeking evidence of malicious activity on computer systems after it has occurred.
With the evolution of technological resources and the popularity of the Internet, keeping only the traditional approach has become impractical, given the large volume of information to analyse and the growth of digital attacks. In this context, the analysis of data stored in volatile memory brings new techniques: it is necessary to examine the processes that were running, the established connections, or even the access keys of encrypted volumes, without losing information sensitive to the investigation, thus allowing the recovery of data important to computer forensics.


Memory forensics is a promising technique that involves capturing and analysing data stored in volatile memory. Because the memory is volatile, its data can be lost when the system shuts down, or overwritten during normal operation. Because of this constant flux, data in memory is usually less structured and less predictable.


As an overview of the information stored in memory: everything running on a computer is stored temporarily in memory, either in volatile memory or in the paging file, which is tied to virtual memory. By extracting an image of memory, known as a memory 'dump', it is possible to list the running processes and to establish the relationships between them, identifying which processes started other processes; likewise, it is feasible to identify which files, libraries, registry keys and sockets were in use by each process. In summary, it is possible to map how the system was being used when the 'dump' was generated, and also to recover executable programs stored in memory.


This is the method currently used by computer forensics experts to acquire the contents of RAM.
Several programs assist with acquiring an image of system memory. These tools read memory bit by bit and copy its contents to a file, the memory "dump". This file has the same size as the physical memory of the system.

Regardless of the tool used, what must be taken into account, as shown by Locard's Exchange Principle, is that when an acquisition program is executed it must itself be loaded into memory, so it leaves traces: some memory space that could contain valuable information will be used, and it can even cause areas occupied by processes to be moved to the paging file. Furthermore, while the tool is reading the contents of memory the state of the system is not frozen, which means that while some pages are being copied, others may be changed if, for example, the process using them is still running. The time taken to collect the image is determined by factors such as processor speed, bus speed and disk input/output operations.



FTK Imager is a free tool, provided by AccessData, for acquiring forensic images. The tool mainly allows you to create disk images; besides creating forensic disk images, we can perform memory dumps and even perform a forensic analysis on the image created. There are many other functionalities you will discover while working with it.


Well, I'm looking for a simple and practical way to demonstrate these concepts. Click the "File" menu, then "Create Disk Image", and choose which disk or partition we will image. To make a forensic image of the whole disk, choose "Physical Drive"; to image a single partition, choose "Logical Drive". See the pictures below:

Figure 1) FTK Imager.

Figure 2) Logical Drive.

Figure 3) Physical Drive.

Then I'll make the forensic image of a USB stick plugged into my machine, again choosing the "Physical Drive" option. I can choose which device I want to image, and then I click the "Finish" button.
Figure 4) Select Drive.

Now tick the checkbox "Verify images after they are created". With this option selected, the tool will calculate the MD5 and SHA1 "hash" of the image after it is created. After that, click the "ADD" button.

Figure 5) Create Image.

Let's select "RAW", the forensic image format produced by the "DD" tool, and click "Next".

Figure 6) Select RAW.

It will ask for some information about the evidence item. We can fill this information in. After that, click "Next".
Figure 7) Evidence Item Information.

Figure 8) Select Image Destination.

We will choose the output directory (where the forensic image is saved). "Image Filename" is where you enter the filename of the image. In "Image Fragment Size" I can put zero, because I do not want my image fragmented; if I wanted to break it into pieces, I would put in this field the size in MB that each piece of my image should have. After that, just click the "Finish" button.

Figure 9) The output directory.

Just click the "Start" button.

Figure 10) Create Image.
Figure 11) Image Summary.

When the forensic image acquisition process has finished, a summary with various information is displayed. In the same directory where the image was stored, a "txt" file is created, which acts as a log and contains the same summary information.
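The MD5/SHA1 verification FTK Imager performs at acquisition, and the fragment size chosen above, can be reproduced independently whenever the image is re-examined, which is how you show the evidence has not changed since it was collected. This added Python example (not AccessData's code) hashes a RAW image, whether written whole or as numbered fragments, and checks the digests against those recorded in the summary; the fragment naming scheme name.001, name.002, ... and the sample data are assumptions.

```python
import hashlib
import os
import tempfile
from pathlib import Path

CHUNK = 1024 * 1024  # hash in 1 MiB pieces so a large image does not fill RAM

def image_fragments(image_path: Path) -> list[Path]:
    """Pieces of a RAW image in order: the single file itself, or, for an
    image written with a fragment size, name.001, name.002, ... (numbering
    assumed here, not taken from an FTK Imager log)."""
    if image_path.is_file():
        return [image_path]
    pieces = sorted(image_path.parent.glob(image_path.name + ".[0-9][0-9][0-9]"))
    if not pieces:
        raise FileNotFoundError(f"no image or fragments found for {image_path}")
    return pieces

def hash_image(image_path: Path) -> dict[str, str]:
    """MD5 and SHA1 of the logical image, i.e. all fragments concatenated."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    for piece in image_fragments(image_path):
        with piece.open("rb") as fh:
            while chunk := fh.read(CHUNK):
                md5.update(chunk)
                sha1.update(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}

def verify_image(image_path: Path, expected_md5: str, expected_sha1: str) -> bool:
    """Compare the digests computed now with those recorded at acquisition."""
    got = hash_image(image_path)
    return got["md5"] == expected_md5.lower() and got["sha1"] == expected_sha1.lower()

def demo() -> dict[str, bool]:
    """Constructed sample: a 3 MiB 'device' saved as one RAW file and as 1 MiB
    fragments; both must match the digests of the original bytes, and a
    fragment with a single flipped byte must fail verification."""
    data = os.urandom(3 * CHUNK)
    ref_md5, ref_sha1 = hashlib.md5(data).hexdigest(), hashlib.sha1(data).hexdigest()
    with tempfile.TemporaryDirectory() as tmp:
        whole = Path(tmp) / "usb.dd"
        whole.write_bytes(data)
        split = Path(tmp) / "usb_split.dd"
        for i in range(3):
            piece = split.parent / f"{split.name}.{i + 1:03d}"
            piece.write_bytes(data[i * CHUNK:(i + 1) * CHUNK])
        results = {"whole": verify_image(whole, ref_md5, ref_sha1),
                   "split": verify_image(split, ref_md5, ref_sha1)}
        corrupted = bytearray(data[CHUNK:2 * CHUNK])
        corrupted[0] ^= 0xFF                      # simulate a damaged fragment
        (split.parent / f"{split.name}.002").write_bytes(corrupted)
        results["tampered"] = verify_image(split, ref_md5, ref_sha1)
    return results
```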

In part 2, we will take a look at some more techniques for memory forensics. Stay tuned!

Update: Part 2 has been published - Memory Forensics, Analysis And Techniques Part 2


Importance Of Cryptography And Security Experts In Society.


It is well known that the hacker philosophy changes with every decade, every year and every era, and so does its value. Currently, through the involvement of these citizens, who assist the process of innovation and strengthen the technological knowledge base, the hacker culture has a fundamental relationship with the Brazilian and multinational corporate entities that dominate the IT industry.

Clearly, this scenario has effects on information security: the more people involved in a project, the more innovation and evolution is generated. Simple illustrations of this concept are the open source projects and independent Linux distributions that have turned out excellent.


With the advancement of technology the cypherpunks emerged (the name derives from 'cipher', as in cipher code, and 'punk'), defending the right to freedom and privacy, and using and contributing to the future of encryption and similar techniques in order to bring about political and even social revolutions. Starting in the early 1990s, the movement reached its peak during cyberwars and also in the period of Internet censorship better known as the Arab Spring in 2011.

The term can refer to any individual activist, to security groups, or to a general philosophy. First and foremost, cypherpunks advocate the use of encryption as a tool for data protection and for personal or corporate privacy, in a world where information is increasingly available on the network.

The movement began with information security groups in the late 1980s and early 90s who communicated primarily through online mailing lists; it was strongly influenced by the hacker culture and by concerns about government, personal data, civil law and the implications of surveillance by superpowers. Hackers were the first to recognize the growing problem of online privacy.
To paraphrase Richard Stallman: “The use of 'hacker' to mean 'security breaker' is a confusion on the part of the mass media. We hackers refuse to recognize that meaning, and continue using the word to mean someone who loves to program and enjoys being clever about it.”


In response, revolutionary hackers, or “cypherpunks”, set themselves a major challenge: coding and implementing the technology required to support the goal of encrypting files, data and documents for secure anonymous networks, email, web browsing and financial transactions.
From the beginning, a number of groups of experts aimed at protecting data and ensuring privacy online.

They have been responsible for creating and spreading the software used to promote anonymity online, and are heavily involved in political debates and issues involving the use of encryption.
The cypherpunks are a strong influence on data encryption. They are generally well educated and professionally accomplished, applying cryptography and computer programming; despite the implications of the term "punk", they span a wide range of incomes, ethnicities and social classes. At a critical point in history, where our data drifts like garbage in the ocean, the hacker culture awoke, creating and innovating techniques of privacy and anonymity.


Readers, with your many perspectives and critical thinking, have you ever stopped to look through the eyes and mind of a hacker? Have you ever wondered how they act, how much need and responsibility affect their daily life, how they apply their strength or support a movement, what they base their ethics and politics on, and what made them so?

Well, we're hackers, and like everyone else we want to do our part to contribute to a more just and egalitarian society, defend the right of freedom and expression.

Currently, encryption has evolved to the point where we think of ourselves as vulnerable, as mere targets; the goal is to obtain unique security solutions for citizens, governments, the military, health agencies, multinational companies, and finance and legal departments, which has in fact become essential to establishing equilibrium.


Only one encryption system is known to be perfectly secure: of all the encryption methods ever conceived, only one has been mathematically proven to be completely secure.

It is called the "Vernam cipher" or "one-time pad". The value of all other ciphers rests on computational security, while this one is mathematically proven to guarantee autonomy and privacy. This means that the probability of breaking the encryption key, using currently available computer technology and algorithms within a reasonable time, is not merely extremely small: it is impossible. Every cryptographic algorithm except the “One-Time Pad” can be broken given a certain amount of time, even if that time is long. For example, public key encryption systems such as PGP and RSA are based on the following:

The security of these systems rests simply on the computational difficulty of a calculation: to break them, the number N must be factored, and at the time these systems were designed the best publicly available factoring algorithms would take millions of years to factor a 200-digit number.
This does not logically exclude the possibility of a technological invention capable of running factoring algorithms at high speed.

How do you know that the encryption system you use is really safe? Do you understand how it works?

Do you think that if a government institution or military intelligence agency had a method of breaking cryptosystems, it would advertise this fact?

Systems security is a matter of utmost importance for anyone with a natural distrust of positions of power, and for those attracted to them. The interception and decoding of personal communications can literally be a matter of life or death for some individuals.


As a result of the work on a new and innovative computing technology, known as the quantum computer, an algorithm now exists for factoring giant integers in linear time. It was created in 1994 by Peter Shor of AT&T Bell Laboratories. A quantum engine processing Shor's algorithm could factor hundred-digit integers in a few arithmetic operations, in a very short time.

Functioning prototypes of quantum computers exist, and there is information on the implementation of a scalable matrix inversion in optimized time (SMITH).

In 1917, during the First World War, the American scientist Gilbert Vernam was given by AT&T the task of inventing a method of encryption that the Germans could not break.

What he devised is the only proven unbreakable encryption scheme known to date. Compared with most encryption systems it is a very simple one. To use a one-time pad, you need two copies of the "pad" (also known as the key), which is a source of random data for the message you want to encode.

If the data on the 'pad' is not truly random, the security of the scheme is compromised.
The 'pad' must never be reused: each pad is unique and used once. The decisive factor is that the 'pad' may be used only once; that is the meaning of "One Time", and the point of this model. Its engine is based on VOC technology (Virtual Cascade OTP), is fully resistant to cryptanalysis, and is much safer than “Acid Cryptofiler”, used by NATO. This algorithm is designed for citizens who desire freedom and privacy, for secret agents and agencies operating in foreign countries, and can be used by journalists, lawyers, doctors, police...
Random data for the 'pad' should never be generated by software alone.

It should be produced by processes with access to hardware of a truly non-deterministic nature. If you intend to transmit or secure highly confidential information through insecure channels, such as a telephone, and you need absolute certainty that the ciphertext cannot be decrypted if it is intercepted, then there is no choice but to use the Vernam algorithm.
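To make the one-time pad rules above concrete, here is an added Python example (not part of the original article): Vernam encryption by XOR, a pad book that refuses to consume a page twice, and the arithmetic showing what a reused pad gives away. os.urandom stands in for the hardware entropy source the text calls for, and the pad book structure is an assumption of this example.

```python
import os

class PadReused(Exception):
    """Raised when a page of the pad would be consumed a second time."""

def make_pad(length: int) -> bytes:
    """Key material for one message. os.urandom reads the OS entropy pool,
    seeded from hardware events; a deterministic PRNG such as random.random
    would make the pad predictable and void the proof of security. A true
    hardware RNG, as the article recommends, would replace this call."""
    return os.urandom(length)

def otp(message: bytes, pad: bytes) -> bytes:
    """Vernam cipher: XOR each message byte with the matching pad byte.
    Decryption is the same operation with the same pad. The pad must be at
    least as long as the message, or part of it would have to be reused."""
    if len(pad) < len(message):
        raise ValueError("pad shorter than message")
    return bytes(m ^ k for m, k in zip(message, pad))

class PadBook:
    """The 'pad' both parties hold a copy of: a list of pages, each of which
    may be consumed exactly once (the 'one time' in one-time pad)."""
    def __init__(self, pages: list[bytes]):
        self._pages = list(pages)
        self._used: set[int] = set()

    def use(self, index: int, message: bytes) -> bytes:
        if index in self._used:
            raise PadReused(f"page {index} already consumed")
        self._used.add(index)
        return otp(message, self._pages[index])

def reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """Why reuse is fatal: if two messages were encrypted with the same pad,
    XORing the two ciphertexts cancels the pad and leaves m1 XOR m2, a value
    that depends only on the plaintexts and leaks their relationship."""
    return bytes(a ^ b for a, b in zip(c1, c2))
```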

About The Author

This is a guest post written by RAFAEL FONTES SOUZA. He is the maintainer of the “Project Backtrack Team Brazilian”, is also a member of the "French Backtrack Team", and has made partnerships with groups from Indonesia and Algeria; a collection of video lessons was prepared and made available on the website. He is also the founder of the "Wikileaks and Intelligence, Cypherpunks". He communicates well with groups and the general public, took part in college projects with a focus on business organization, and currently seeks work experience outside of Brazil.
