RAM Analysis – Part 1: Introduction and Obtaining the RAM image

I just found this old draft from July 2010, which I had completely forgotten about. This was supposed to be a series of blog posts, but I didn’t have the time back then. Even this post is far from complete, but maybe it’s useful for somebody.

1.1 Introduction

This multipart series will summarize the various aspects, possibilities and methods to obtain and analyse a computer’s physical memory. There is a lot of information about memory analysis on the net, and this series neither wants to nor will be able to cover all aspects. Part I focuses on the different methods to obtain a memory dump, which will be analysed later. If you’re not interested in acquiring a memory dump and just want to take a look at its content, you can download sample memory images, for example from here, here, or here.

1.2 Hardware Tools

There are a few PCI cards out there, but most of them are research projects or not available to the customer.

Tribble PCI card
Tribble is a proof-of-concept research project by Joe Grand of Grand Idea Studio and Brian Carrier of digital-evidence.org. Most information about the device can be found in this paper.

CoPilot
CoPilot was developed by Komoku as a malware protection and rootkit detection PCI card and was later on acquired by Microsoft.

FRED: Forensic RAM extraction device
Only little information about this project is available on the developer’s website at BBN Technologies.

1.3 Software Tools

1.3.1 Windows (free)

http://www.mantech.com/capabilities/mdd.asp

http://sourceforge.net/projects/mdd/

https://www.hbgary.com/products-services/fastdump-pro/

1.3.2 Windows (paid)

http://gmgsystemsinc.com/knttools/

http://www.x-ways.net/capture/index-d.html

1.3.3 Unix/Linux/Mac

Firewire http://www.storm.net.nz/projects/16

Firewire, only for use by law enforcement http://goldfish.ae/

http://www.sleuthkit.org/index.php

http://www.forensicswiki.org/index.php?title=Jesse_Kornblum

1.4 Forensic live CDs

http://www.caine-live.net/

http://www.deftlinux.net/

Helix

1.5 Links

http://www.gmgsystemsinc.com/fau/

http://computer.forensikblog.de/themen/windows/speicheranalyse/index10.html

http://cybercrimetech.com/projects/reaper/

http://www.digital-evidence.org/tools/index.html

http://www.forensicswiki.org/wiki/Tools:Memory_Imaging

http://www.informaworld.com/smpp/section?content=a779634402&fulltext=713240928

http://www.dfrws.org/

How to use the Twitter API with PHP and OAuth (single user)

For a few months now, applications have had to use OAuth to authenticate a Twitter account via the REST API. If you want to write a PHP application for just one account (like your own small web client), you don’t have to go the “ping-pong” way of authentication. That is only needed to authenticate different users; as we only need access for one single user, the OAuth authentication step can be simplified. Nevertheless, I find it much more comfortable to use a finished library. In this example we will use Abraham Williams’ awesome TwitterOAuth library for PHP, which requires at least PHP 5.2.x, cURL and OpenSSL.

First you have to visit http://dev.twitter.com/apps and register a new application. Choose “Browser” as application type and set the default access level to “Read & Write”. You will need the displayed “Consumer key” and “Consumer secret” in the next step. You will also need the “Access Token (oauth_token)” and “Access Token Secret (oauth_token_secret)”, which can be found under “My Access Token” in the right-hand menu.

Include the library in your PHP script. Change the path accordingly.

require_once('twitteroauth/twitteroauth.php');

Open your config file and define the 4 needed keys like:

define('CONSUMER_KEY', 'aAaAaAaAaAaAaAaAaAaA');
define('CONSUMER_SECRET', 'bBbBbBbBbBbBbBbBbBbB');
define('OAUTH_TOKEN', 'cCcCcCcCcCcCcCcCcCcC');
define('OAUTH_TOKEN_SECRET', 'dDdDdDdDdDdDdDdDdDdD');

To connect to Twitter, add in your PHP script:

$twitter = new TwitterOAuth(CONSUMER_KEY, CONSUMER_SECRET, OAUTH_TOKEN, OAUTH_TOKEN_SECRET);

You can now use the $twitter object to interact with the Twitter API, for example to fetch your user information or to post an update.

$twitter->get('account/verify_credentials');
$twitter->post('statuses/update', array('status' => 'First tweet using my own Twitter app!'));

Check out the TwitterOAuth documentation for more options and the Twitter documentation for the available resources.

I hope this small guide helps you get started, and I would love to see some of your results. Questions? Comments!

Public Key Authentication on OpenWRT using dropbear

OpenWRT is a Linux distribution for embedded devices such as routers. Installing OpenWRT on your device instead of the original vendor’s firmware allows you to do some nifty stuff with your router, like installing additional software from OpenWRT’s own repository.

Although a package for the OpenSSH server is available, dropbear is the default choice. To enable password-less SSH access you first need to generate an SSH key pair on your client machine, if you haven’t already. If you want, you can protect your private key with a passphrase; otherwise just press enter.

pat@earth:~$ ssh-keygen

Next you have to transfer your public key (the file ending in .pub) to your OpenWRT installation.

pat@earth:~$ scp ~/.ssh/id_rsa.pub 192.168.1.1:/tmp/

Replace 192.168.1.1 with the IP of your router. If you changed the port of your SSH server, you have to specify it with the -P parameter, e.g. scp -P 4321 and so on.

Connect to your router and append the transferred public key file to your authorized_keys. Unlike OpenSSH, Dropbear doesn’t look for the authorized_keys file in .ssh underneath your home directory, so you have to create the file in /etc/dropbear/.

root@router:~# cd /etc/dropbear/
root@router:~# cat /tmp/id_rsa.pub >> authorized_keys
root@router:~# chmod 0600 authorized_keys

Now you should be able to SSH from your client PC to your OpenWRT device without needing a password.
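The append step above is easy to get wrong by hand (duplicate keys, a private key pasted by mistake, a briefly world-readable file). The following shell function, added here as an example and not part of the original post, does the same thing idempotently; the file paths are parameters, so it can be tried against temporary files before touching /etc/dropbear/authorized_keys.

```shell
#!/bin/sh
# Added example (not from the original post): idempotently install a public
# key into a Dropbear-style authorized_keys file. Both paths are parameters,
# so the same function serves /etc/dropbear/authorized_keys on the router
# and a pair of temporary files for a dry run.

# install_dropbear_key PUBKEY_FILE AUTHORIZED_KEYS
# Returns 0 when the key is in AUTHORIZED_KEYS afterwards (appended, or
# already present), 1 when PUBKEY_FILE is not a single public-key line.
install_dropbear_key() {
    pubkey_file=$1
    auth_file=$2

    # Accept exactly one line; this also rejects an accidentally copied
    # private key (id_rsa instead of id_rsa.pub), which spans many lines.
    if [ "$(grep -c '' "$pubkey_file")" -ne 1 ]; then
        echo "refusing $pubkey_file: expected exactly one key line" >&2
        return 1
    fi
    key=$(cat "$pubkey_file")
    case $key in
        ssh-rsa\ *|ssh-ed25519\ *|ecdsa-sha2-nistp*\ *) ;;
        *) echo "refusing $pubkey_file: not a public key line" >&2; return 1 ;;
    esac

    # Create the file under a restrictive umask so it is never readable by
    # others, even briefly, then append only if this exact key is missing.
    [ -f "$auth_file" ] || ( umask 077; : > "$auth_file" )
    if ! grep -qxF -- "$key" "$auth_file"; then
        printf '%s\n' "$key" >> "$auth_file"
    fi
    chmod 0600 "$auth_file"
}

# Usage on the router, after copying the key over with scp as in the post:
#   install_dropbear_key /tmp/id_rsa.pub /etc/dropbear/authorized_keys
```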

HAMA WLAN USB-Stick 300Mbps on Ubuntu – Ralink and rt2800usb

The rt2800usb module is quite buggy, so you have to blacklist it and use rt2870sta instead.

Information

pat@htpc:~$ lsusb
Bus 001 Device 002: ID 148f:2870 Ralink Technology, Corp.

Syslog

htpc kernel: [ 5.273678] Registered led device: rt2800usb-phy0::radio
htpc kernel: [ 5.273689] Registered led device: rt2800usb-phy0::assoc
htpc kernel: [ 5.273710] Registered led device: rt2800usb-phy0::quality
htpc kernel: [ 5.274304] usbcore: registered new interface driver rt2800usb

Blacklist

echo blacklist rt2800usb | sudo tee -a /etc/modprobe.d/blacklist.conf
echo blacklist rt2x00usb | sudo tee -a /etc/modprobe.d/blacklist.conf

Restart and you’re fine.

Restricted sftp access with rssh and ssh chroot

OpenSSH 4.9 was the first version of the famous daemon that came with built-in chroot functionality (changelog). Chrooting the SSH session and restricting shell access to a few commands can be a great solution for granting a few users secure access to exchange files. We will use the rssh shell to allow only sftp access for one user, locked into his chrooted home directory. Since it is dangerous to give a user write access to the root of a chroot, you have to create the user’s home directory inside the chroot. In this example /home/ftp will be the chroot and /home/ftp/secftp the home directory of the user, the place where he finds himself when connecting to the machine.

Install the rssh shell with

$ aptitude install rssh

and adjust the config file for the user secftp to allow sftp access.

$ vim /etc/rssh.conf

user=secftp:027:00010 # user:umask:access bits (one each for rsync, rdist, cvs, sftp, scp; 00010 allows sftp only)

Then add the new user secftp (with /secftp as home and /usr/bin/rssh as shell) to your system and set a password.

$ useradd -d /secftp -s /usr/bin/rssh -g users secftp
$ passwd secftp

Create the directory and adjust the ownership so that secftp can read and write and other members of the users group can read the uploaded files.

$ mkdir -p /home/ftp/secftp
$ chown secftp:users /home/ftp/secftp

Edit your sshd configuration and add the user-specific options for your chroot. Don’t forget to add secftp to your AllowUsers (which you should have configured :) ).

$ vim /etc/ssh/sshd_config

AllowUsers secftp

Subsystem sftp internal-sftp

Match User secftp
   ChrootDirectory /home/ftp
   AllowTCPForwarding no
   X11Forwarding no
   ForceCommand internal-sftp

Restart the sshd daemon and you should be done.

Sources:
http://www.gossamer-threads.com/lists/openssh/dev/44657
http://hp.kairaven.de/scpsftp/ssh-rssh-sftp.html
http://www.debian-administration.org/articles/590

Running TweetDeck on the Linux XFCE desktop

Update: For a full tutorial on how to set up Adobe AIR and TweetDeck on 64-bit Ubuntu, take a look here.

Starting TweetDeck on a Linux desktop other than Gnome or KDE results in the error message

Oops, TweetDeck can’t find your data

because TweetDeck doesn’t support them by default. You only find out the reason when starting it from the command line:

Unknown desktop manager, only Gnome and KDE are supported

To use TweetDeck you need, for example, a running gnome-keyring-daemon; otherwise TweetDeck doesn’t know how to save your account/password information. To start TweetDeck, change DIRNAME to suit your installation and use this script.

#!/bin/bash
# PID of the running keyring daemon
GNOME_KEYRING=$(pidof gnome-keyring-daemon)
# Where TweetDeck is installed; adjust to your system
DIRNAME="/opt/TweetDeck/bin"
# Setting GNOME_DESKTOP_SESSION_ID makes TweetDeck treat the session as Gnome
GNOME_DESKTOP_SESSION_ID=$GNOME_KEYRING "$DIRNAME/TweetDeck" &

Virtual Box: Shared Folder on Linux host and Linux guest

Much like setting up a shared folder on a Linux host with a Windows guest, you need to create the folder to share on your host system and add it to the shared folders list in VirtualBox. You also need a mount point inside your virtual system (in this case /mnt/VirtualBoxExchange).
Mounting it is done with the command

mount -t vboxsf VirtualBoxExchange /mnt/VirtualBoxExchange

Done.

Using an SSH config file

Create the config file in your .ssh directory if it doesn’t already exist.

touch /home/pat/.ssh/config

Open the file and add your configuration:

Host xmp
HostName example.com
User username
Port 2222

Host is the name of the shortcut. You can also add other options like

PubkeyAuthentication yes
PasswordAuthentication no
ServerAliveInterval 25
ServerAliveCountMax 150

or another Host to your configuration. Take a look at the ssh_config manpage for more options.
You can now use your shortcut with

ssh xmp

Opera Mini on Android is also a proxy browser

Today Marc Ruef released an article about Opera Mini on the iPhone and pointed out that all traffic is routed through Opera’s own proxy server. Opera isn’t allowed to use its own rendering engine on the iPhone because of Apple’s strict license. Opera Mini just provides another frontend for Apple’s Safari engine, while the rendering happens on Opera’s server.
Users of Opera Mini should be aware that all their traffic could be analysed and used for data mining.

A quick test reveals that the Android version of Opera Mini also uses Opera’s own server as a proxy.

t09-07.opera-mini.net - - [16/Apr/2010:13:27:39 +0200] "GET /blog HTTP/1.1" 301 198 "http://www.carrier-lost.org/blog/about/" "Opera/9.80 (J2ME/MIDP; Opera Mini/5.0.18302/764; U; en) Presto/2.4.15"
t09-07.opera-mini.net - - [16/Apr/2010:13:27:39 +0200] "GET /blog/ HTTP/1.1" 200 3886 "http://www.carrier-lost.org/blog/about/" "Opera/9.80 (J2ME/MIDP; Opera Mini/5.0.18302/764; U; en) Presto/2.4.15"
t09-07.opera-mini.net - - [16/Apr/2010:13:27:39 +0200] "GET /blog/wp-content/themes/decoder/img/bg-meta.gif HTTP/1.1" 404 2400 "http://www.carrier-lost.org/blog/" "Opera/9.80 (J2ME/MIDP; Opera Mini/5.0.18302/764; U; en) Presto/2.4.15"

Here t09-07.opera-mini.net is the proxy server.
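If you want to know how much of your site's traffic arrives through the Opera Mini proxy, the log lines above carry two independent signals: the reverse-resolved client host under opera-mini.net and the "Opera Mini" token in the user agent. The awk filter below is an added example, not part of the original post; its sample log is constructed from the values shown above plus two made-up non-proxy and IP-only lines.

```shell
#!/bin/sh
# Added example (not from the original post): pick out requests that came
# through the Opera Mini transcoding proxy in an Apache combined log. Both
# the opera-mini.net client host and the "Opera Mini" user-agent token are
# used, so the check still works when the web server does not resolve IPs.
# The sample lines are constructed from the values shown in the post;
# 203.0.113.7 and 198.51.100.4 are documentation addresses, not real clients.

SAMPLE_LOG=$(cat <<'EOF'
t09-07.opera-mini.net - - [16/Apr/2010:13:27:39 +0200] "GET /blog HTTP/1.1" 301 198 "http://www.carrier-lost.org/blog/about/" "Opera/9.80 (J2ME/MIDP; Opera Mini/5.0.18302/764; U; en) Presto/2.4.15"
t09-07.opera-mini.net - - [16/Apr/2010:13:27:39 +0200] "GET /blog/ HTTP/1.1" 200 3886 "http://www.carrier-lost.org/blog/about/" "Opera/9.80 (J2ME/MIDP; Opera Mini/5.0.18302/764; U; en) Presto/2.4.15"
203.0.113.7 - - [16/Apr/2010:13:30:01 +0200] "GET /blog/ HTTP/1.1" 200 3886 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/3.6"
198.51.100.4 - - [16/Apr/2010:13:31:12 +0200] "GET /blog/about/ HTTP/1.1" 200 1234 "-" "Opera/9.80 (Android; Opera Mini/5.1.22460/22.387; U; en) Presto/2.5.25"
EOF
)

# opera_mini_proxy_hits: reads combined-format log lines on stdin and
# prints "client status path" for every request that shows either signal.
opera_mini_proxy_hits() {
    awk '
        $1 ~ /\.opera-mini\.net$/ || $0 ~ /Opera Mini\// {
            # In the combined format $1 is the client, $7 the request
            # path inside the quoted request line and $9 the status code.
            print $1, $9, $7
        }'
}

# count_opera_mini_proxy_hits: number of proxied requests on stdin.
count_opera_mini_proxy_hits() {
    opera_mini_proxy_hits | wc -l | tr -d ' '
}

# Usage against a real log:
#   opera_mini_proxy_hits < /var/log/apache2/access.log
#   count_opera_mini_proxy_hits < /var/log/apache2/access.log
```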

Virtual Box: Shared Folder on Linux host and Windows guest

1. Create the folder on your host that you would like to share with the virtual machine (e.g. /home/pat/VirtualBoxExchange).
2. Add the shared folder to your virtual machine.
   (Screenshot: Shared Folder 1)
   (Screenshot: Shared Folder 2)
3. Open the command prompt on the Windows machine (Start -> Run -> cmd.exe) and type

net use x: \\vboxsvr\VirtualBoxExchange

   (Screenshot: Shared Folder 3)
4. Have fun.
