Running Arkime on FreeBSD
Arkime (formerly Moloch) is a large-scale, open-source, indexed packet capture and search system. I run a single-node Arkime instance on my IoT network for full-take packet capture as part of my IoT Lab, as well as for general monitoring. Running Arkime on FreeBSD isn't officially supported, but it can be made to work…
Adventures with Windows IoT Core Kernel debugging
Also one way of obtaining a memory dump from a Windows IoT Core device. I'm sitting here waiting for an update to download on one of my macOS VMs in order to run a kernel debugger and take a peek at a couple of things. Unfortunately, said download is through my amazing Australian broadband: Like…
Guide: Cuckoo Sandbox on FreeBSD
This is a guide through configuring a basic Cuckoo Sandbox installation on a FreeBSD host. The main points of difference between a Linux and a FreeBSD install lie in the configuration of the firewall for the host to NAT connections between the VirtualBox host-only network and the Internet. I don't often write guides; however, I decided…
Converting a memory image from raw to padded
Convert a Linux memory image from a raw image (where the System RAM ranges have been concatenated together) to a padded image, provided the early boot messages were present in the kernel ring buffer at the time of imaging. Includes Python code to convert an image automatically. Update 2016-06-29: The code on GitHub has been updated…
Recovering BitLocker Keys on Windows 8.1 and 10
A brief touch on how the changes to BitLocker after Windows 7 affect master key recovery and where to look when recovering keys. This article is not intended to be an in-depth look at the inner workings of BitLocker, but is instead focussed on retrieval of the Full Volume Encryption Key (FVEK) from memory. Key…