Encase - Index search issue
Hello,
I have created a .L01 image of a .PST file and need to perform searches. I ran the processor option 'index text and metadata', and the job completed successfully according to Processor Manager. However, when I attempt to search using the index, I get zero hits.
I know for a fact these words appear in the data since I also ran a keyword search through the processor which provided matches. Any ideas what the issue might be?
Thanks!
Posted by forvestic
Check the cache folder with the corresponding GUID for your .L01 file and see if it contains a folder called LucenIndex; under that should be a folder called Standard with a bunch of files in it. Check to make sure the files have some kind of size; not all of them will. There are also some .csv files in the main cache folder for that GUID that should basically recreate the data in the performance monitor tabs for the Evidence Processor, which you could go through to check if the indexing actually completed. Lastly, I would do several raw keyword searches on your data and see if you get hits that way. If you're still having issues, I'd create a tech support case.
I've had issues recently with Encase's evidence processor hanging with one or two items to complete. I would also suggest re-running the process and monitoring it off and on to see if this might be your issue. If it is, definitely create a support case.
Comment by mkel2010
r/computerforensics on Reddit: Encase - Index search issue. Posted by u/forvestic - 9 votes and 3 comments
[LIVE Nov 25, 2022 11AM PT Off By One Security : Introduction to Linux Heap Exploitation](https://www.youtube.com/watch?v=dMDoC9DlVzA)
Posted by soupcreamychicken
YouTube: Introduction to Linux Heap Exploitation
In this stream I will cover remedial heap exploitation on Linux. This technique only works on older heap implementations lacking the Safe Unlink protection. Though dated, it serves as a great way to get started with exploring the heap and how one approaches…
Containers: Rootful, Rootless, Privileged and Super Privileged
Posted by fcano1
First off: Who the hell makes text highlighting for copy/paste the same colors as the text itself? That's seriously user-hostile and qualifies the site designer for an Asshat Of The Year award. Also, fix your damn CSP configuration, you're shitting out a bunch of blocked requests.
Anyways -
> A rootless container is a container that could be run without root privileges in the host. Docker runs containers launching them with the Docker daemon, which is run as root. Podman does not use any daemon and it does not need root to run containers.
This is wrong. Going by the docker rootless documentation directly, the docker daemon being run as root must be stopped as part of the rootlesskit installation; a systemd user service is started in its stead, which is run as a user. As such, the daemon is no longer running as root; it's by default a unix socket and ends up getting placed in the user's XDG_RUNTIME_DIR (which often means /run/user/$UID/docker.sock, my memory is fuzzy here).
This leads to interesting adventures with loginctl trying to keep systemd user units running without an active pty/tty, but is still manageable.
Also of note, cgroups v1 is non-viable with rootless docker; you have to get cgroups v2 configured (which requires some grub-fu) in order to get resource limitations to be effective for rootless docker. Might not be the case for podman, but definitely the case for docker.
Having been down this path recently trying to automate the deployment of rootless docker with Ansible, it's certainly an annoying process to automate.
Comment by Katana__
Your Guide to Cyberspace: Command Leads Army's Mission in 5th Warfighting Domain - from the US's December 2022 issue of Army Magazine
Posted by digicat
AUSA: Your Guide to Cyberspace: Command Leads Army's Mission in 5th Warfighting Domain
Nothing has transformed modern life like the microprocessor, and nothing has significantly shaped the modern global economy as the rise
2023 China Security Report from the Japanese National Institute for Defence Studies - "concern about acts which combine cyberattacks and information warfare. According to Taiwan's Team T5, they are seeing the emergence of an 'APT + InfoOp' model combining information operations with hack and leak"
Posted by digicat
Squalr Memory Editor - New Update for First Time in Years
Posted by Aecial
Good to see you back. I've been using it for a couple of years already; it's really good, and thanks for all the effort you put in it.
Comment by mahmozilla
Since Cheat Engine comes bundled with adware (unless you pay $$ to the creator's Patreon), there is increased demand for a good and free alternative.
I took a very long break from this project to focus on building out an educational game to teach x86/x64 assembly called Squally, but I've been itching to get back to making this project better.
It's better than CE in many ways, but still has a ways to go. I still need to fix bugs, improve the UX, and finish a couple features.
Comment by Aecial
GitHub: Releases · Squalr/Squalr
Squalr Memory Editor - Game Hacking Tool Written in C# - Squalr/Squalr
Threat Analysis: Active C2 Discovery Using Protocol Emulation Part4 (Dacls, aka MATA)
Posted by digicat
VMware Security Blog: Threat Analysis: Active C2 Discovery Using Protocol Emulation Part4 (Dacls, aka MATA)
Dacls, aka MATA, is a cross-platform RAT used by the DPRK-linked Lazarus Group and the first artifacts were observed around April 2018. The VMware Threat Analysis Unit (TAU) first discovered the Dacls C2 servers on the Internet by protocol emulation in August…
Learn about insider risk management forensic evidence (preview) - Microsoft Purview (compliance)
Posted by digicat
Docs: Learn about insider risk management forensic evidence
Learn about insider risk management forensic evidence in Microsoft Purview. Forensic evidence is an investigative tool for viewing captured user activity to help determine whether the user's actions pose a risk and may lead to a security incident.
cent: Community edition nuclei templates, a simple tool that allows you to organize all the Nuclei templates offered by the community in one place
Posted by digicat
GitHub - xm1k3/cent: Community edition nuclei templates, a simple tool that allows you to organize all the Nuclei templates offered…
Community edition nuclei templates, a simple tool that allows you to organize all the Nuclei templates offered by the community in one place - xm1k3/cent
DFIRArtifactMuseum: The goal of this repo is to archive artifacts from all versions of various OS's and categorizing them by type. This will help with artifact validation processes as well as increase access to artifacts that may no longer be readily available anymore.
Posted by digicat
GitHub - AndrewRathbun/DFIRArtifactMuseum: The goal of this repo is to archive artifacts from all versions of various OS's and…
The goal of this repo is to archive artifacts from all versions of various OS's and categorizing them by type. This will help with artifact validation processes as well as increase access t...
NetWalker ransomware samples/source
Does anyone know where I could get my hands on a sample of NetWalker ransomware? Pardon my ignorance, but I do not know where to find samples online.
EDIT: since someone asked, I am doing a writeup on fileless PowerShell malware and I saw someone mention NetWalker as a pretty notorious one. I would prefer wild samples so I can deobfuscate them myself, as it will give more content, but just the source code is cool as well.
Posted by Aleks_Leeks
Hey you can find a ton of samples here - https://bazaar.abuse.ch/browse.php?search=tag%3ANetwalker
*No account setup required
Comment by dkayem
Reddit: NetWalker ransomware samples/source