The following process walks through how to mount an Apple Disk Image, or more commonly known as a .dmg file. This process walks through mounting the HFS section of a .dmg file on a Linux system to allow the extraction of files for further analysis. Step 1 - Checking The File Type To begin with, I usually check what type of .dmg file it is with the "file" command. This is done to understand if it is a compressed or uncompressed .dmg file. $ file application.dmg The output you could typically expect could be: application.dmg: data which means the…

Following a presentation I did for a SANS community night in Melbourne Australia recently, I had a lot of attendees ask if I could provide the graphical timeline that I presented which showed the events leading up to the discovery of WannaCry in May 2017. Below is that timeline with events unique to the WannaCry variant that got a lot of attention in the mainstream news in May 2017. I've tried not to dive too far down the rabbit hole of the EternalBlue exploit, and its use in other malware - which is most certainly occurring in the wild. I've…

In the aftermath of the WannaCry ransomware outbreak, what are the real lessons we should have all learned? Or even better, what should we be telling those not in the Cyber Security industry, so they don't fall victim to media hype or vendor spin. My hope is this information is also useful in clearing up any misinformation that's spread about WannaCry. This whole attack was not the result of a phishing email. No email type protections would have saved you from getting infected with WannaCry. The malware was spread via other users on the internet directly connecting to your network/…

Ever wondered how much metadata is included within the PDF files you email or share with others. Well, believe it or not, there is a lot that can be determined from a PDF you've created. This post looks at how to clean the metadata from your PDF files before you send them, and how to protect them, so they aren't easily edited or copied by a recipient. These techniques are sometimes referred to anti-forensics with the goal to limit the amount of forensic information you provide within a file that you have produced. If you're after the quick copy and…

Machine Learning, Security Analytics, Behavioral Analytics, call it whatever you like, but will it really uncover hidden security incidents in your network? For the purpose of this article, I am going to refer to machine learning, security analytics, behaviour analytics, user based anomaly detection, and all the other flavours in between as "machine learning". Yes, I understand they can all be different and represent different areas; however, I want to discuss the application of machine-based detection being used to find security incidents versus human based detection. I have to say up front that I am not a data scientist, I'm…

One of my common bugbears with businesses is the idea that a Distributed Denial of Service (DDoS) attack is an incident that should be managed and handled by your Cyber Security Incident Response team. It's not and here is why..... Receiving rubbish traffic to a web server, or any service for that matter, that you stick on the internet is just a part of being online and businesses need to accept this upfront and plan for it. It's no different to planning when you drive a car, you decide on the best route with least traffic and when there is…

When you install BTSync from the Ubuntu repositories it currently is set up as a service assuming you're running a server. This is generally a good thing, from a security standpoint, as it is set up with a new user account to keep BTSync permissions isolated from other users. However, BTSync running as a service with a separate user account can be a little bit of a pain if you want BTSync to share out folders from your /home/{username} directory. This is an issue because your home directory folders are set to only be accessible by your user account,…

OK, so I thought it is finally time that I actually get serious about my contribution back to the internet as it's been so kind to me for a long time. So this blog is essentially a lot of my random thoughts on the Information Security industry, mainly; Digital Forensics, Incident Response and Penetration Testing. I'll also use this Blog for a lot of sys admin things that I do all the time and usually have to piece together from various places around the internet.....mainly so I can repeat them again, but also in the hope they are useful…