Thursday, July 30, 2009

Cygwin Installation

Note: I am reusing a post from my forensics class at John Jay College. This will be used as a reference for an upcoming post on Volatility module installation. So be patient, there is more to come...

This post goes over an installation of Cygwin, which is a Linux-like environment for Windows. Since most of you have Windows machines, this will let you run tools that normally run under Linux/Unix.

The setup file is here.

When you have downloaded setup.exe, double-click it. You should see the following:




Press "Next" and choose "Install from the Internet":



Choose where to install Cygwin (by default it is in C:\Cygwin):



Next choose the local package directory. This is where setup stores the package archives it downloads during installation; you can delete the folder afterwards, or keep it so you can reinstall later without downloading again. The default location is the desktop:



Select your Internet connection type. The default is fine:



Select a mirror (mirrorservice.org is good):



Press "Next". You should see the following:



Next you will see the list of packages you can download. By default they are organized by category:



If you click the plus signs on the left-hand side, the category expands and you can select specific packages:




Here is the list of packages you need, organized by category:

From the Base category:
  1. Everything (select the whole category)

From the Devel category:
  1. gcc: C, C++, Fortran compilers
  2. gcc-mingw: Mingw32 support headers and libraries for GCC
  3. gcc2: Version X.XX.X [whatever is latest] of C, C++, Fortran compilers
  4. gdb: The GNU Debugger
  5. make: The GNU version of the `make' utility
  6. mingw-runtime: MinGW Runtime
  7. openssl-devel: The OpenSSL development environment

From the Editors category:
  1. nano: A pico clone text editor with extensions [works like pico]
  2. vim: Vi IMproved, an enhanced vi editor

From the Interpreters category:
  1. perl
  2. python

From the Utils category:
  1. util-linux: Random collection of Linux utilities
  2. file
  3. ELFIO

From the Text category:
  1. less: A file pager program, similar to more(1)



After you have made your selections, press "Next" to begin the installation. This is the actual download and install step and may take some time; just let it finish. When it is done you will be asked whether you want shortcuts on the desktop. Make sure to click Finish.
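The same package selection as a script, added here as an example (it is not from the original post). It does two things a practitioner wants before trying to build anything against this toolchain: it emits an unattended setup.exe command line using the installer's documented -q, -R, -l, -s and -P options, and it reads the report that `cygcheck -c` prints inside Cygwin and lists every required package that is absent or not marked OK. The install paths, the mirror URL and the sample report below are placeholders I made up; the package names follow the list above (current Cygwin names differ, e.g. gcc-core/gcc-g++, so adjust them).

```shell
#!/bin/sh
# Added example, not from the original post: the walkthrough's package set
# (1) as an unattended setup.exe command line and (2) as a check that the
# packages really are installed, parsed from the `cygcheck -c` report.
# Package names follow the post's 2009 list; current Cygwin names differ.

# The non-Base packages from the post's list.  The Base category is installed
# by setup.exe whether or not it is named with -P.
REQUIRED_PACKAGES="gcc gcc-mingw gcc2 gdb make mingw-runtime openssl-devel \
nano vim perl python util-linux file ELFIO less"

# Print the unattended installer command line.  -q (quiet), -R (root),
# -l (local package dir), -s (mirror) and -P (packages) are documented
# setup.exe options; the caller supplies the paths and the mirror URL.
setup_command() {
    setup_exe=$1; root=$2; pkgdir=$3; mirror=$4
    pkgs=$(printf '%s' "$REQUIRED_PACKAGES" | tr ' ' ',')
    printf '%s -q -R %s -l %s -s %s -P %s\n' \
        "$setup_exe" "$root" "$pkgdir" "$mirror" "$pkgs"
}

# Read a `cygcheck -c` report on stdin and print the required packages that
# are not installed with status OK, space-separated (empty line if none).
# The report is a two-line header followed by "<package> <version> <status>".
missing_packages() {
    installed=$(awk '$3 == "OK" { print $1 }')
    missing=""
    for pkg in $REQUIRED_PACKAGES; do
        if ! printf '%s\n' "$installed" | grep -qxF -- "$pkg"; then
            missing="$missing $pkg"
        fi
    done
    printf '%s\n' "${missing# }"
}

# Constructed sample report (versions are placeholders, not real ones):
# gcc-mingw is absent and mingw-runtime's install is flagged Incomplete.
SAMPLE_CYGCHECK='Cygwin Package Information
Package              Version        Status
ELFIO                1.0-1          OK
file                 1.0-1          OK
gcc                  1.0-1          OK
gcc2                 1.0-1          OK
gdb                  1.0-1          OK
less                 1.0-1          OK
make                 1.0-1          OK
mingw-runtime        1.0-1          Incomplete
nano                 1.0-1          OK
openssl-devel        1.0-1          OK
perl                 1.0-1          OK
python               1.0-1          OK
util-linux           1.0-1          OK
vim                  1.0-1          OK'

# Stand-alone demo.  Inside Cygwin, feed the real report instead:
#   cygcheck -c | missing_packages
setup_command setup.exe C:/cygwin C:/cygwin-packages http://mirror.example.com/cygwin/
printf 'Missing or incomplete: %s\n' \
    "$(printf '%s\n' "$SAMPLE_CYGCHECK" | missing_packages)"
```

On the sample report the check prints "gcc-mingw mingw-runtime": a package that setup reports as Incomplete is treated the same as one that was never selected, because a half-installed mingw-runtime is exactly the kind of thing that shows up later as a confusing link error rather than a clear "package not found".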

Running Cygwin

When you run Cygwin for the first time it may take a little longer to start, because it is configuring a few more files for your environment (your home directory and its startup files). Then you should get a command-line prompt that looks like:

You are now able to work on your programs at home on your Windows machines.

Wednesday, July 22, 2009

Volatility News

So if you follow me or Moyix on Twitter, you will have seen some updates about some cool new plugins by MHL for Volatility. Shouts to MHL for his awesome work!

Other volatility plugins are listed on the Forensics Wiki.

Moyix has also released his slides from his recent talk on combining memory and registry analysis. Awesome stuff!

Volatility was also recently mentioned in Episode 522 of Hak5, "What's in your RAM?", along with some other very cool tools like Matthieu Suiche's win32dd.

Volatility has been under heavy development lately, and the developers have issued a call for bugs. So if you are a current user and have encountered something odd, please report it so that it can be fixed; you can do so by sending an email to the developers' mailing list. To get the newest code, download Volatility from the SVN repository by following the instructions on the site. For installation instructions you can check out the install manual written by yours truly ;-)

Want to learn about memory forensics and the internals of Volatility? Andreas Schuster has posted slides teaching just that!

BTW, Volatile Systems is also currently hiring. So if memory forensics and reverse engineering are among your interests, you can apply for a job that includes both!

It's an exciting time and I'm sure there will be much more to come.