E6/

'16

()
ath.grigoriadis@mil.gr


E6/

- '15


E6/


E6/

15
1. report ISP (
), .
2. ISP
.
3.

, antivirus
. .

4. ,
.
5. (code audit),
.

6. .
7. virus total .
:

NA MHN E '16


E6/

2016 (23-27 )

(09:00-15:00)
( )

(27 ).


E6/

email ()

210-6576267, 210-657-6226

web server (Portal) ,

- hints.

Chat room

MISP - Malware Information Sharing Platform


E6/

portal

22 ()

cd1@cd.mil.gr


E6/

News Portal (panoptis.cd.mil.gr)

chat
(chat.panoptis.cd.mil.gr)

(misp.panoptis.cd.mil.gr)


E6/

chat (Domain: chat.panoptis.cd.mil.gr)

Jabber Server client.

Pidgin client (http://pidgin.im/download/)

News Portal

: email

8 (1 + 1 )
p2016_general
p2016_ep01
p2016_ep02
p2016_ep03,


E6/

Malware Information Sharing Platform (http://misp-project.org/)

: email

: News Portal

: , ,
: , ,
: , , ,


E6/

:
Email
1 ()

User name password

email 19 2016 (12:00 .)

[]_[].[]
Dimokritos_Giannis.Agiannis
Unipi_Dimitris.Kostantinou

:
panoptis2016@cd.mil.gr
210 657 6150


E6/

Web Application Security Active Response

Windows Forensics Analysis

Linux Forensics Analysis

Mobile Forensics Analysis

Network Forensics Analysis

Data Leakage Investigation Analysis

Capture the Flag


E6/

Web Application Security Active Response

:

() (online)
.

(exploitation) .

virtual image (win 8.1)


E6/

Linux Forensics Analysis

:

virtual image (linux)

Mobile Forensics Analysis

:

APK (OS Android) 2

' (basic)
.

' (advanced)

plain text.

.apk .


E6/

Network Forensics Analysis

:

pcap

logs proxy web server

Data Leakage Investigation Analysis

:
- 1 pcap mailbox,

4 e-mail.
:
-
.

7 Capture the Flag (CTF)

projects

CEO insider
/ penetration testing incident
handling,
CEO
(. 2106551046) CEO.

7 Capture the Flag (CTF)

:

,
.

7 Capture the Flag (CTF)

CTF
/

IP
.

7 Capture the Flag (CTF)

/
/
.


( flag ).
flags
VM
scoreboard flags

(, network scans, failed attackes, failed answers ),
.

7 Capture the Flag (CTF)

CTF 1 openvpn
email /
1 (leader)
/
. email leader .

7 Capture the Flag (CTF)

email leader
:
, email
(leader) .
(..
, VUL_FIND_EVERYTHING)

.png
(60x60),


UDP 41194

7 Capture the Flag (CTF)

email ctf@cd.mil.gr
panoptis2016@cd.mil.gr. email
CTF
.

leader 20 12:00.
.

email certificate
openvpn password.

23 10:00 14:00
. 2106551046
certificates.

CTF

. 2106551046 .

7 Capture the Flag (CTF)

1 certificate .

router/firewall (.. pfsense) certificate
( NAT) vpn
.

23 vpn.


E6/


E6/

- :

https://www.brimorlabs.com/Tools/LiveResponseCollection-Allosaurus.zip

, registry
windows .

Linux and MacOs.

module

http://www.brimorlabsblog.com/2015_09_01_archive.html

2. windows linux
, portal.


E6/

(windows)

Winpmem

https://github.com/google/rekall/releases/download/v1.5.0/winpmem-2.1.post3.exe

Dumpit

http://www.moonsols.com/wp-content/plugins/downloadmonitor/download.php?id=7

Fireeye Memoryze

https://www.fireeye.com/services/freeware/memoryze.html


E6/

(Linux)

Lime

https://github.com/504ensicslabs/lime


E6/

Volatility (windows+linux)

http://www.volatilityfoundation.org/#!25/c1f29

Fireeye redline (windows)

https://www.fireeye.com/services/freeware/redline.html

Rekall (windows+linux)

https://github.com/google/rekall/releases/tag/v1.5.0


E6/

Registry
FTK Imager

http://www.accessdata.com/support/product-downloads#

Windows_Live_Response

https://www.brimorlabs.com/Tools/LiveResponseCollection-Allosaurus.zip

Forecopy

https://github.com/proneer/Tools/tree/master/forecopy


E6/

Registry
Regripper

https://code.google.com/p/regripper/

Registryviewer

http://www.accessdata.com/support/product-downloads#

Regviewer

http://sourceforge.net/projects/regviewer/

Registry Browser

https://lockandcode.com/software/registry_browser


E6/

Disk Forensics
Sleuthkit autopsy (windows version)

http://www.sleuthkit.org/autopsy/download.php

FTK Imager

http://www.accessdata.com/support/product-downloads#

Sleuthkit

http://www.sleuthkit.org/sleuthkit/download.php

bulk_extractor

https://github.com/simsong/bulk_extractor

https://github.com/log2timeline/plaso

Raw Disk Image to Virtual Machine

VBoxManage convertfromraw <filename> <outputfile> [--format

VDI|VMDK|VHD]


E6/

File system recovery forensics

Scalpel

https://github.com/sleuthkit/scalpel

Foremost

http://foremost.sourceforge.net/


E6/

Web Browser Forensics

Nirsoft forensics tools

http://www.nirsoft.net/utils/#browser_tools


E6/

Email headers

https://toolbox.googleapps.com/apps/messageheader/analyzeheader


E6/

Malware forensics
remnux

https://remnux.org/#distro

Ida pro

https://www.hex-rays.com/products/ida/support/download_freeware.shtml

Immunity debugger

https://www.immunityinc.com/products/debugger/

Olly debugger

http://www.ollydbg.de/version2.html


E6/

Malware forensics
sysinternals tools

https://live.sysinternals.com/

buatapa

http://www.brimorlabsblog.com/2015/08/publicly-announcing-buatapa.html

Didier Stevens virus total tools

https://blog.didierstevens.com/programs/virustotal-tools/

Didier Stevens Authenticode tools

https://blog.didierstevens.com/programs/authenticode-tools/

National Software Reference Library

http://www.nsrl.nist.gov/Downloads.htm#isos

http://rjhansen.github.io/nsrllookup/


E6/

Malware forensics
Cuckoo

http://www.cuckoosandbox.org/

Pyew

https://github.com/joxeankoret/pyew

Online tools

https://malwr.com/submission/


E6/

Network forensics
Tcpdump

http://www.tcpdump.org/#latest-release

Wireshark

http://www.wireshark.org/download.html

Xplico

http://www.xplico.org/download

http://www.forensicswiki.org/wiki/Network_forensics


E6/

Mobile forensics
mobile analysis framework - live cd

Androl4b (https://github.com/sh4hin/Androl4b)

Santoku (https://santoku-linux.com/)

MobSF (https://github.com/ajinabraham/Mobile-Security-FrameworkMobSF)


E6/

Live forensics CDs

SIFT

http://digital-forensics.sans.org/community/downloads

Kali

http://www.kali.org/downloads/

Santoku

https://viaforensics.com/resources/tools/santoku/

CAINE

http://www.caine-live.net/page5/page5.html


E6/

links

http://en.wikipedia.org/wiki/List_of_digital_forensics_tools

https://uk.sans.org/posters/windows_artifact_analysis.pdf

https://digital-forensics.sans.org/media/Poster_SIFT_REMnux_2016_FINAL.pdf

https://digital-forensics.sans.org/media/rekall-memory-forensics-cheatsheet.pdf

https://digital-forensics.sans.org/media/Poster-2015-Memory-Forensics2.pdf

https://digital-forensics.sans.org/media/DFIR-Smartphone-Forensics-Poster.pdf

https://digital-forensics.sans.org/media/Poster_2016_Find_Evil.pdf

https://digital-forensics.sans.org/media/evidence_collection_cheat_sheet.pdf

https://digital-forensics.sans.org/media/linux-shell-survival-guide.pdf


E6/

links

https://digital-forensics.sans.org/media/windows_to_unix_cheatsheet.pdf

https://digital-forensics.sans.org/media/log2timeline_cheatsheet.pdf

https://digital-forensics.sans.org/media/hex_file_and_regex_cheat_sheet.pdf

https://digital-forensics.sans.org/media/mobile-device-forensic-process-v3.pdf

https://blogs.sans.org/computer-forensics/files/2012/06/SANS-Digital-Forensicsand-Incident-Response-Poster-2012.pdf

http://dfir.to/Find-Evil-Poster

http://crucialsecurityblog.harris.com/2011/03/14/typedurls-part-1/

http://www.sleuthkit.org/autopsy/docs/quic

http://digital-forensics.sans.org/media/log2timeline_cheatsheet.pdfk/index.html

http://digital-forensics.sans.org/media/sift_cheat_sheet.pdf

http://www.nirsoft.net/utils/


E6/

, Plan for
the Worst, Hope for the Best!!


E6/

CERT:
mcirc@cd.mil.gr
210-6574242 ( () . )
() . .. spapageorgiou@mil.gr
2106576220
A () imonogioudis@mil.gr
() ath.grigoriadis@mil.gr
() .

g.stamatoukos@cd.mil.gr


E6/