Adventures with Windows IoT Core Kernel debugging.
Also one way of obtaining a memory dump from a Windows IoT Core device. I'm sitting here waiting for an update to download on one of my macOS VM's in order to run a kernel debugger and take a peek at a couple of things. Unfortunately, said download is through my amazing Australian broadband: Like… continue reading
Guide: Cuckoo Sandbox on FreeBSD
This is a guide through configuring a basic Cuckoo Sandbox installation on a FreeBSD host. The main points of difference between a Linux and a FreeBSD install lie in the configuration of the firewall for the host to NAT connections between the Virtualbox host-only network and the Internet. I don't often write guides, however decided… continue reading
Converting a memory image from raw to padded
Convert a Linux memory image from a raw (where the System RAM ranges have been concatenated together) to a padded image, provided the early boot messages were present in the kernel ring buffer at the time of imaging. Includes Python code to convert an image automatically. Update 2016-06-29: The code on Github has been updated… continue reading
Recovering BitLocker Keys on Windows 8.1 and 10
A brief touch on how the changes to BitLocker after Windows 7 affect master key recovery and where to look when recovering keys. This article is not intended to be an in-depth look at the inner workings of BitLocker, but is instead focussed on retrieval of the Full Volume Encryption Key (FVEK) from memory. Key… continue reading
Extracting FileVault 2 Keys with Volatility
This is a volatility plugin which can recover FileVault 2 Volume Master Keys from memory, based on a certain pattern. It has been briefly tested on OS X 10.9 – 10.11. Plugin on GitHub here [https://github.com/tribalchicken/volatility-filevault2]. This is aVolatility Framework [http://volatilityfoundation.org] plugin which is capable of recovering the… continue reading