Nation State Quality OSINT on a Taco Bell Budget – Part 2

Welcome to the second post in our series on getting started using AWS services for OSINT. Last post we covered setting up an AWS account, getting the command line interface installed and configured with your credentials and using the Rekognition service to help solve some very common OSINT problems. In this post we’re going to build on that and: Register as a Twitter developer to get API credentials Setup up a Lightsail instance where we can run our code 24/7 for an extremely low cost (free at first) Setup an email with Amazon’s Simple Email Service (SES) which we’ll use to send email alerts Make a very simple database using Amazon’s DynamoDB Tie all of these together to make a persistent twitter monitor in Python To start off, let’s head over to Twitter and register as a developer so we can get an API key. Twitter does a great job supporting their community and you can sign up for a developer account here: The free “sandbox” account is

Nation State Quality OSINT on a Taco Bell Budget – Part 1

I remember taking digital forensics classes years ago and at the very end of the class feeling like I had learned a ton, had a great time, but was also wondering “Ok, what’s next?” When I’m teaching OSINT or other technical topics I often hear “This has been great! What’s next?” For some people, the next step is learning a programing language like Python to write your own custom tools such as web scrapers. Over the past year, I’ve found myself using Amazon Web Services (AWS) services more and more in OSINT tools that I write. They are very well documented but recently when I’ve been talking with other OSINT practitioners, I’ve realized that the part that often leaves people feeling overwhelmed is knowing what is available and how it can be used. In this multi-part blog series, I’ll provide a brief introduction to several of the AWS services as well as some code samples showing how we can use them on OSINT projects. Some of the services that we’re going to use in this series are: Awscli

Filelocator Pro Tips and Tricks for Indexing Large Breach Data Sets

Tomorrow I’ll be giving a talk on breach data including: Places where it’s located How to make large data sets searchable in a reasonable amount of time How some organizations are using breach data to improve their security posture Whenever I give conference talks I try to remove or reduce any barriers to entry. When I have given talks on memory forensics, I have always used the Windows standalone version of Volatility instead of Linux for my demos so attendees who were not really comfortable with Linux wouldn’t feel like they couldn’t try the techniques. With that idea in mind, I wanted to find a way to make large breach datasets searchable without the need to maintain huge databases, normalize hundreds (or more) of disparate datasets etc. Similar to a recent blog post I wrote where I used a forensics tool called bulk extractor to help quickly acquire selectors (emails, phone numbers etc) from a large dataset, I decided to use a common forensics technique of indexing for this problem.

Using Bulk Extractor for Quick OSINT Wins

Early this week, hosted a dump of a SQL databasehacked from a neo nazi forum online known as Iron March at .While there were some .CSV files, there was also an 750MB SQL database file. Withsome massaging, SQL databases can be queried for the data they contain.Sometimes all you’re looking for is a quick and dirty list of selectors andthis data dump seemed like the perfect opportunity to do a quick write-up onusing Bulk Extractor for OSINT. Bulk extractor is an open source tool that can be downloadedfrom .I first learned about it in a digital forensics class years ago and I’ve been afan ever since. It’s designed to quickly chew threw a pile of data and extractthe selectors (IP addresses, email addresses, phone numbers etc.) containedwithin that data. I’ve run it on hard drives, forensics image files, databasefiles, folders full of different file types, memory dumps from mobile phonesetc. I

A Quick Look at MDXFIND

Recently one of the SANS SEC504 labs updated and with the changes came a new set of hashes from the exercises. These hashes are a perfect opportunity to dive a bit deeper and try to determine what hashing algorithm is used when you’re not sure. I wrote a blog post on resources to help figure out hash formats in 2017 but one tool I didn’t cover was MDXFIND. MDXFIND is a free tool available here: Most password cracking programs require three things. A listof the hashes you want to crack, the algorithm that they’re in and a dictionarythat you would like to use for your attempts. MDXFIND is for when you havehashes and a dictionary, but you’re not sure what format the hashes are in. Let’stake a quick look at the syntax of an example. The hashes we want to crack are the following: FC24F5B01909FF7A055933F6C0CD06BFAC60D3DC 47FA7B070774F637F4D6D6D0B97779EBA27A37CE 3D616AA9E23DBDB2F4627C1177C9C0A2AD63F6C2 76E826553BF74EC8DB0E91269816C858503F482E B475650D6B2694E23BC

A Quick Look at Seatbelt for System Enumeration

I’ve decided to write a few blog posts about tools that Ithink are really cool that not everyone knows about. First up on my list is Seatbeltwhich is part of the GhostPac suite recently released by harmj0y. You can read about harmj0y’s motivations and logic here but suffice to say that sometimes PowerShell is a fantastic choice for your post exploitation needs and sometimes you need to avoid it for opsec or other concerns. Because of this, harmj0y ported some of his favorite PowerShell functionality to C# and GhostPac was born. One of the modules in the project is called Seatbelt which is designed to enumerate information from the local system. harmj0y stated that they’re not releasing binaries for this project in an effort to avoid “brittle” signatures targeting static strings, etc. so you’ll have to compile the tools yourself. You can use the free versions of Visual Studio (2015 or 2017 community editions) and it really couldn’t be easier. You can download the project from here , op

Ghostwriting for Antivirus Evasion in 2018

One of the techniques we cover in the antivirus evasion section of the SANS SEC 504 course is ghost writing. The topic was covered brilliantly by Royce Davis on his blog back in 2012 ( ). The workflow he laid out still works, but some of the specific commands needed have changed slightly in Kali Linux. One of my students asked if I knew of a resource with the updated commands and I didn’t, so I decided to write it. The technique aims to take advantage of the fact that sometimes antivirus programs may flag an executable as malicious not because of the program’s functionality, but because the program contains certain signatures that indicate it was created with a “malicious” program such as Metasploit. If this is the case with our payload, then maybe we can make minor modifications which don’t affect the payload’s functionality, but which “break up” or otherwise modify the signatur