By ro0ted | June 6, 2015 - 16:38 | Posted in /b/ | 1 Comment
#ro0ted #OpNewblood What the blackhats dont want u to know: Memory Cloning + BE in Linux

Last tutorial we used Bulk Extractor for Windows; this one will be for Linux. – ro0ted https://twitter.com/ro0ted/

Open your terminal:
type:

sudo apt-get -y install gcc g++ flex libewf-dev

wget http://digitalcorpora.org/downloads/bulk_extractor/bulk_extractor-1.5.5.tar.gz
gunzip bulk_extractor-1.5.5.tar.gz
tar xvf bulk_extractor-1.5.5.tar

cd bulk_extractor-1.5.5
wget http://digitalcorpora.org/downloads/hashdb/hashdb-2.0.1.tar.gz
gunzip hashdb-2.0.1.tar.gz
tar xvf hashdb-2.0.1.tar

cd hashdb-2.0.1
./configure
make
sudo make install

cd ..    # back up into bulk_extractor-1.5.5 (hashdb was unpacked inside it)
bash bootstrap.sh
./configure
make
sudo make install

To run it, type: bulk_extractor
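
As an added example, not code from the original post or from the bulk_extractor project: a small POSIX shell helper that runs bulk_extractor against an image and then summarises the feature files it writes to the output directory. The function names and the sample email.txt contents are my own, constructed for the demonstration; the feature-file layout (comment headers, then tab-separated offset, feature, context) is bulk_extractor's own.

```shell
#!/bin/sh
# Added example, not from the original post: run bulk_extractor on an image
# and summarise the feature files it writes. Assumes bulk_extractor 1.5.5 is
# on PATH as installed above. Feature files carry '#' comment headers, then
# tab-separated "offset<TAB>feature<TAB>context" lines.

# Run bulk_extractor against IMAGE, writing results into OUTDIR (-o).
# bulk_extractor refuses an existing output directory, so check up front.
be_run() {
    image=$1; outdir=$2
    [ -r "$image" ] || { echo "cannot read image: $image" >&2; return 1; }
    [ ! -e "$outdir" ] || { echo "output dir exists: $outdir" >&2; return 1; }
    bulk_extractor -o "$outdir" "$image"
}

# "total<TAB>unique" feature counts for one feature file, headers excluded.
be_counts() {
    awk -F'\t' '!/^#/ && NF >= 2 { n++; seen[$2] = 1 }
        END { for (k in seen) u++; printf "%d\t%d\n", n + 0, u + 0 }' "$1"
}

# The N most frequent features in one feature file, as "count<TAB>feature".
be_top_features() {
    awk -F'\t' '!/^#/ && NF >= 2 { c[$2]++ }
        END { for (k in c) printf "%d\t%s\n", c[k], k }' "$1" |
        sort -rn | head -n "${2:-10}"
}

# One summary line per feature file in OUTDIR; histogram files are skipped.
be_summarise() {
    for f in "$1"/*.txt; do
        case $f in *_histogram.txt) continue ;; esac
        be_counts "$f" | awk -F'\t' -v name="$(basename "$f")" \
            '{ printf "%s: %d features, %d unique\n", name, $1, $2 }'
    done
}

# Write a constructed email.txt in bulk_extractor's layout, for offline tests.
be_make_sample_feature_file() {
    {
        printf '# BULK_EXTRACTOR-Version: 1.5.5\n# Feature-Recorder: email\n'
        printf '%s\t%s\t%s\n' 4096 alice@example.com 'From: alice@example.com' \
            8192 bob@example.org 'To: bob@example.org' \
            12288 alice@example.com 'Reply-To: alice@example.com'
    } > "$1"
}

# Usage: sh this.sh IMAGE OUTDIR  (does nothing when run without arguments)
if [ "$#" -eq 2 ]; then be_run "$1" "$2" && be_summarise "$2"; fi
```

Point it at the directory bulk_extractor wrote and it reports, per scanner, how many features were found and how many of them are distinct, which is the quick triage you want before opening anything in BEViewer.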

And if you want a graphical interface instead of commands, type: BEViewer

From here it's very simple.
Click Tools > Run bulk_extractor.

This menu box will pop up.

Don't worry about the fancy settings; we will get into those in another tutorial. This is just a Linux walk-through.

You will need to create a memory dump; I suggest using LiME.

You can use any img file. For testing purposes, if you are using a VM, chances are you have this file (the initrd image). Well, you can throw this into Bulk Extractor; although initrd isn't your memory dump, you will still get results.

Okay, I will use a simple utility called Guymager to create a memory dump on a Linux platform; this process is known as "memory cloning".

type: sudo apt-get install guymager
to run type: guymager

Right click > Acquire image.

Expert Witness Format is the best.

Select your output.

Then wait. Warning: it will take a long time.

You can also do a RAW Device scan: click RAW Device.

After the results are done, which takes 3 hrs minimum, I will post the results. Check out my last tutorial on Bulk Extractor & Memory Dumping for a Windows-based machine here. Next tutorial I will show you how to do a memory dump of your Android. – ro0ted https://twitter.com/ro0ted/
ro0ted

Please check out my series, "What the blackhats don't want you to know", below. #CgAn

Random tutorial in the series: Meet Volatility Frameworks automatic cousin: Volix

(In order)

Why am I teaching Reverse Engineering to inexperienced new Anons in OpNewblood?

Whitehat Lab

ASM Programming

Introduction Part 1 Ollydbg

Introduction Part 2 Using Ollydbg and Tracing Botnets

Analyzing Botnets

Introduction Part 3 Ollydbg: Cheating a Crackme

Introduction Part 4 Ollydbg: Your first Patch

Encryption 101

Cuckoo Sandbox: Automated Malware Analysis also known as Malwr.com

Introduction to Honeydrive: A Brief Walk Through

Installing Kippo the SSH Honeypot on a VPS Part 1: How to set it up

Resource Hacker

Dll Injection the Easy Way

Visual Basic Binaries Walk Through Part 1

Ollydbg on Steroids

Creating Patchers Part 1

Have you supported the gas mask campaign over the years?

Crack to win a gas mask gift pack

How to edit a register me crack me Pre Part 1

Unwinding Delphi Binaries Walk Through if not Preview

Cracking Delphi Part 2

Reversing Timed Trials: Ollydbg Tricks Part 3

Analyzing Adware

Preview Against Debugging

Bypassing Registering 101

Bypassing Part 2

Android/iOS Reversing

Introducing IDA Pro: Static Analyzing

Hacker’s Disassembler

Ripping Apart Adware

Never trust Warez or Cracked Programs: Reversing a Crypted IRC bot infected file

IDA PRO Book

Unpacking & Crypting there is a difference

Covert Debugging whitepaper from blackhat.com

Manually Unpacking with Ollydbg

Manually Unpacking Part 2

Manually Unpacking 101

ASM Injecting

ASM Injecting Part 2

ASM Injecting Part 3: Crypt your malicious file

Reversing Trials

Adding Your Menu

ASM Injecting Part 4

ASM Injecting Part 5

Finding Nag Screens & Removing them

REMnux: Linux Toolkit for Reverse-Engineering and Analyzing Malware

REMnux: Volatility Framework ~ Memory Forensics
Volatility Analyzing the ZeuS Bot Part 2
Infected Machine? Create a memory dump
What the gov doesn’t want you to know: All your pastebin data is being LOGGED
Connect to IRC more securely with SSL, add a fingerprint to your nick
Do you have pictures of yourself on the internet? You might of leaked your location of where the pic was taken through EXIF Data
Bulk Extractor: Walk Through for a Windows Platform
Bulk Extractor: Walk Through for Linux platform