Cyber

It’s semester 2 2023 and time for my final subject in the UNSW Cyber Security Masters course, digtital forensics run by Seth Enoka. I got to venture deep into Windows internals, including core Windows memory structures, subsystems such as prefetch and shimcache, NTFS file system internals and mechanicsm including MFT analysis and much more. All this analysis was conducting using the following Linux analysis tools: Tools Tools Description Yara A pattern-matching tool used in malware research and forensic analysis to identify and classify files based on defined rules and signatures. Volatility 2 & 3 Open-source memory forensics frameworks used to extract and analyze digital artifacts from volatile memory (RAM) in a memory dump to investigate cyber incidents and malware. Volatility USNParser Plugin A Volatility plugin specifically designed to parse and extract information from the USN journal on Windows systems, aiding in file activity analysis. SCCA Tools SCCA (Source Code Control System Analysis) Tools assist in examining version control system repositories to identify code changes, contributors, and track project history. ESEDB Tools These tools provide access to Extensible Storage Engine (ESE) Database files, commonly used in Windows applications, for analysis and recovery purposes. analyzeMFT A tool used in digital forensics to parse and analyze the Master File Table (MFT) entries from NTFS filesystems, revealing information about files and directories. Oletools A collection of Python-based tools for analyzing and extracting data from OLE (Object Linking and Embedding) files, such as Microsoft Office documents, often used in malware analysis. Wireshark A widely-used network protocol analyzer that captures and inspects data packets on a network, helping with network troubleshooting, security analysis, and protocol reverse engineering. The Sleuth Kit (TSK) An open-source digital forensic toolkit that includes various CLI tools (mmls, fls, icat) for file system analysis and data recovery from different operating systems. Plaso An open-source Python-based tool used for super timeline creation and log analysis, helping to reconstruct events and activities from various data sources for forensic investigations. Advanced Forensics Format Library (afflib) Tools Tools for working with the Advanced Forensics Format (AFF), an extensible open file format used in computer forensics to store disk images and related metadata. wxHexEditor A hexadecimal editor with a graphical user interface, used for low-level data inspection and editing in forensic analysis and reverse engineering. Gnumeric A spreadsheet application, similar to Microsoft Excel, used for data analysis and visualization, including data manipulation and statistical functions. Personal Folder File Tools (pfftools) Tools designed to work with Personal Folder File (PFF) formats, commonly used by Microsoft Outlook to store emails, calendars, and other personal data. These tools aid in email forensics and analysis. Resources Windows shellbags 8 timestamps on an NTFS file system, an attacker can fairly easily mutate 4 of them, hard to convincingly adjust nano-second level Eric Zimmermans Windows Forensics Tools SANS Hunt Evil Poster Knowing what’s normal on a Windows host helps cut through the noise to quickly locate potential malware. Use this information as a reference to know what’s normal in Windows and to focus your attention on the outliers. MITRE ATT&CK MITRE ATT&CK for ICS Cyber Kill Chain Industrial Cyber Kill Chain Locard’s Exchange Principle NIST Guide to Forensics in Incident Response Dragos Threat Groups Crowdstrike Adversary Groups Diamond Model for Intrusion Analysis The Four Types of Threat Detection Volatility v2.4 cheat sheet Module 0 - Intro Locards Principle (Edmond Locard aka Sherlock Holmes of France) ...

Kicking off the 2023 University year I continue my journey into the Cybersecurity Masters program with unit Infomation Assurance and Security run by Michael McGarity and Huadong Mo. Provides students with a deep understanding of the technical, management and organisational aspects of Information Assurance within a holistic legal and social framework. The course is essentially modelled off the CISSP certification, which dives into the following subjects: make a realistic assessment of the needs for information security in an organisation discuss the implications of security decisions on the organisation’s information systems understand the principles of writing secure code show an understanding of database and network security issues demonstrate an understanding of encryption techniques understand foundations of the tools and techniques in computer forensics show an appreciation of the commercial, legal and social context in which IT security is implemented apply knowledge gained to business and technical IA scenarios Intro Not a one size fits all approach. Too many factors and seemingling chaotic variables, such as risk appetites, country legislation, the business vertical (mining vs banking vs government), acceditation frameworks that apply to certain industries, tolerances, technology limitations, and so on. ...

Semester 1 2022 has snuck up on me again. This semester as part of the UNSW and ADFA run Master of Cyber Security degree, I’m taking the blue team core unit ZEIT8026 Cyber Defence - Network Security Operations (SecOps) lectured by Dr Waqas Haider and Dr Nour Moustafa. Unlike its sister red team unit ZEIT8020 Cyber Offense - Cyber Network Operations (CNO) which I took in 2018, ZEIT8026 aims to lay the foundational knowledge of cyber defence operations: ...

An academic paper I authored in May 2019, as part of studying Reverse Engineering at UNSW. Abstract Extracting meaningful semantic differences between software binaries without source code is difficult. This is a challenging problem due to the overwhelming amount of syntactic noise that small changes can result in at the assembly level. Curiously when it comes to program semantics the “signal from the noise” can be distilled in a manner that is both static and processor agnostic, through the application of control flow and graph isomorphism analysis, symbolic execution and theorem proving. The graph isomorphism problem has no known polynomial time algorithm (i.e. is NP) making brute force approaches computationally infeasible. By blending various static analysis techniques and applying some generalisations, consider a novel approach to overcoming the computationally infeasibility of this problem domain with a view to binary difference analysis. ...

An academic paper I authored in October 2019, as part of studying Modern Exploit Development at UNSW. Abstract Heap oriented exploits continue to be an ongoing threat, and have gained popularity post the stack smashing frenzy of the 90’s and early 00’s. Even so called safe languages (e.g. JavaScript, Java) remain vulnerable due to their underlying C/C++ implementations. Heap allocator designs and implementations, of which there are many, struggle to strike the balance between performance and security, performance often winning out to keep programs running as fast as possible. Two ingredients are needed for a successful heap exploit, the first a memory management error in the target program, and second an exploitable heap allocator implementation. Many countermeasures in mainstream allocators seen to date are often the result of knee-jerk reactions to exploits of the past, with patching occurring to existing designs. A large body of research exists around detecting, preventing or mitigating heap attacks. ...