From Security Weekly Wiki
Revision as of 05:38, 27 January 2013 by Mikeaperez

Episode Media

Episode 318


Announcements & Shameless Plugs

PaulDotCom Security Weekly - Episode 318 for Thursday January 31st, 2013

SANS is running a special promotion for Forensic Online courses.

To learn more about the 15% discount on online forensic classes, visit the SANS Specials Training page, which will also tell you how to access the many FREE forensic resources available from SANS. Hurry, the discount will only be valid through February 20.

Guest Tech Segment with Alissa "Sibertor" Torres: Extracting Network Packets from Physical Memory Images with Bulk Extractor

Alissa Torres is a certified SANS Instructor and Incident Handler at Mandiant, finding evil on a daily basis. Alissa began her career in information security as a Communications Officer in the United States Marine Corps and is a graduate of the University of Virginia and the University of Maryland. She's on tonight to talk to us about Bulk Extractor.

My first investigation at Mandiant as an MCIRT incident handler was to unravel a DNS anomaly occurring on a customer's network. I was tasked with identifying why numerous workstations were hammering the internal DNS servers with version.bind requests from UDP port 53. Using the stream-based extraction tool, Bulk Extractor, against two memory images from a sample set of affected systems, I was able to get visibility into the anomalous traffic by carving the network packets from one of the memory images.

Bulk Extractor

As a stream-based tool, Bulk Extractor has several advantages over other forensics tools, which depend on file system structure and boundaries to interpret data. It processes data while disregarding sector boundaries, and it automatically detects and expands compressed data. Running a hard drive image or memory image through Bulk Extractor therefore automatically unzips compound files such as Office files, zipped files and the Xpress compression found in Windows hibernation files. In addition, this tool is capable of processing data segments in parallel, making it much faster than forensics tools limited to a single processor. Bulk Extractor, written by Simson L. Garfinkel, is included in BackTrack and in SIFT, the SANS Investigative Forensic Toolkit, and is also available for download.

Bulk Extractor “categorizes” data into specific folders during processing based on the scanners the analyst specifies for the job. The default scanners look for information of interest in typical investigations (IPs, hostnames, MACs, credit cards, URLs, and domains). Additional scanner features, and some of the most powerful, include AES keys, the net scanner (carves network traffic), wordlist (pulls strings from the data image) and stop lists (suppress “known goods” from appearing in the output).

Figure 1: Sample syntax for the Bulk Extractor tool


BE Viewer

For those analysts who prefer to use a GUI, Bulk Extractor does have a graphical user interface tool, BEViewer. The BEViewer reports pane displays the results of a Bulk Extractor job, which can include the wordlist and net scanners in addition to the default scanners. Using the viewer, an analyst can search through the output for specific keywords, viewing the data in hexadecimal or text view in the far right pane (shown below).


The packets.pcap file can be opened with any network packet analysis tool. Realize that since these packets are pulled from a memory image, there are no time/datestamps, nor are both sides of the “conversation” present. From what I viewed, the memory images I parsed contained inbound packets with no time/datestamps.


Based on what was seen in the resultant pcap, I was able to detect an inbound packet scanning this local system for a DNS vulnerability and provided this lead to the customer, who confirmed their pen-testing team had been active on the network.

Questions come to light from this investigation, including: "Are there specific occasions when memory should be dumped locally rather than over the network, in order to avoid trampling the network packets resident on the local system?" This is a consideration, especially in light of the lack of visibility into internal network traffic between hosts. Unless customers are capturing their own network traffic between subnets, the memory-bound packets may be the only evidence of anomalous activity between hosts.

More information on Bulk Extractor can be found at Simson Garfinkel’s website. We also put this tool through its paces in SANS FOR508: Advanced Computer Forensic Analysis and Incident Response, as we work our way through investigating an enterprise-level compromise by a sophisticated adversary. Check it out at SANS Cyber Guardian in Baltimore, MD, April 15-20, 2013.

Submitted by Alissa Torres
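As an added example (not code from the segment above or from Bulk Extractor itself), the following Python triages a carved packets.pcap for the version.bind queries the investigation describes, reporting the endpoints and the carved (and therefore untrustworthy) timestamp of each hit. It assumes the classic libpcap file format with Ethernet (linktype 1) or raw IPv4 records, and uses a constructed one-packet sample in place of a real memory carve.

```python
import struct
QTYPE_TXT, QCLASS_CH = 16, 3  # version.bind is asked for as TXT in class CHAOS

def read_pcap(data):
    """Yield (ts_sec, linktype, frame) per libpcap record; KeyError if not libpcap."""
    end = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}[struct.unpack_from("<I", data, 0)[0]]
    linktype, off = struct.unpack_from(end + "I", data, 20)[0], 24
    while off + 16 <= len(data):
        ts, _us, incl, _orig = struct.unpack_from(end + "IIII", data, off)
        yield ts, linktype, data[off + 16:off + 16 + incl]
        off += 16 + incl

def dns_question(frame, linktype):
    """Return (src, sport, dst, dport, qname, qtype, qclass) for IPv4/UDP DNS, else None."""
    ip = frame[14:] if linktype == 1 else frame  # linktype 1 = Ethernet, else raw IPv4
    if len(ip) < 20 or ip[0] >> 4 != 4 or ip[9] != 17:
        return None
    udp = ip[(ip[0] & 0x0F) * 4:]
    dns, labels, pos = udp[8:], [], 12
    if len(udp) < 20 or struct.unpack_from("!H", dns, 4)[0] < 1:  # UDP+DNS hdr, QDCOUNT>=1
        return None
    sport, dport = struct.unpack_from("!HH", udp, 0)
    while pos < len(dns) and dns[pos]:
        n = dns[pos]
        if n & 0xC0:  # a compression pointer in the question name: treat as malformed
            return None
        labels.append(dns[pos + 1:pos + 1 + n])
        pos += 1 + n
    if pos + 5 > len(dns):  # need the null label plus QTYPE/QCLASS
        return None
    qtype, qclass = struct.unpack_from("!HH", dns, pos + 1)
    src, dst = (".".join(map(str, ip[i:i + 4])) for i in (12, 16))
    return src, sport, dst, dport, b".".join(labels), qtype, qclass

def find_version_bind(data):
    """Every version.bind CH TXT query with endpoints; ts is carved, so not trustworthy."""
    hits = []
    for ts, lt, frame in read_pcap(data):
        q = dns_question(frame, lt)
        if q and q[4].lower() == b"version.bind" and q[5:] == (QTYPE_TXT, QCLASS_CH):
            hits.append({"ts": ts, "src": f"{q[0]}:{q[1]}", "dst": f"{q[2]}:{q[3]}"})
    return hits

def build_sample_pcap(qclass=QCLASS_CH):
    """Constructed stand-in for packets.pcap: one query 10.0.0.5:53 -> 10.0.0.2:53, ts 0."""
    dns = b"\x12\x34\x01\x00\x00\x01" + b"\x00" * 6 + b"\x07version\x04bind\x00" + struct.pack("!HH", QTYPE_TXT, qclass)
    udp = struct.pack("!HHHH", 53, 53, 8 + len(dns), 0) + dns
    ip = b"\x45\x00" + struct.pack("!HHHBBH", 20 + len(udp), 0, 0, 64, 17, 0) + bytes([10, 0, 0, 5, 10, 0, 0, 2]) + udp
    eth = b"\x00" * 12 + b"\x08\x00" + ip  # zeroed MACs, EtherType IPv4
    return struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + struct.pack("<IIII", 0, 0, len(eth), len(eth)) + eth
```

Point find_version_bind at the bytes of a real packets.pcap; a query from source port 53, as in the segment, shows up with both endpoints so the source host can be traced, while a zero ts is expected for carved packets.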


  • Join us on our 2nd ever Google+ Hangout! Add PaulDotCom on Google+ and join us in the Google Hangout.
  • We are in the process of archiving and cataloging our technical segments; please visit the PaulDotCom Technical Library, where we have indexed all of the interviews we have conducted. We are also working on updating all of the articles, so check the newsletter, or if you want to help in exchange for some free guidance and security training, please email me.


Paul's Stories

Larry's Stories

  1. Shark? - [Larry] - I learned something about Google…
  2. Flaw in Enigma - Neat.

Jack's Stories that would make Motley Crue blush

Allison's Stuff