
Installing Genymotion and Getting an Android .APK File

How to Extract an Android .apk with Genymotion:

**If you already have an .apk file you want to test -> check out our Mobile Security Framework or Drozer tutorials.

Why would I want to extract an .apk file when I can download one online?

Well, there are a number of security reasons, starting with the fact that you should not trust and click on every download link that claims to contain the file you want.  Then there is being a systematic, consistent, and thorough penetration tester.  This tutorial will prepare your environment not only to dynamically test a mobile application (using the Burp proxy with Genymotion) but also to statically test the SAME .apk file through other means.

First things first, you will need an .ipa or .apk file.  For those of you who are new to mobile application testing, these are simply the files that package applications.

For the most part:

.ipa -> Apple iOS

.apk -> Android/Play Store

When testing iOS devices and extracting the application .ipa file, you are required to jailbreak a device in order to get the version of the application that has been installed onto the iPad/iPhone you are trying to test.  I will update this article with a link once a newer jailbreak is released and I have a few minutes to demonstrate that process.

For today we will do a quick run through of how to extract an android .apk with the Genymotion Virtual Device Emulator.

*****Update on Genymotion 2.10.0+*****

Genymotion 2.10.0+ just became Geny 2.0 in my opinion.  All you do is download Genymotion, add a new virtual machine, and then in the top right hand corner you will see a GApps icon. (This tutorial used to be 3x as long!)


Click the icon, accept the agreement, and install. Once the install is complete, power down the device, exit out of it, and then start it all the way back up and Pachow, the Play Store will be sitting right there ready to use.

**Having issues with your specific application working on Geny?**

Now it has come to my attention that at times some applications do not function correctly on the Android emulators (they will not download from the Play Store due to compatibility issues). This is where application side loading comes into play.  Side loading means that you will:

  • Go to a site like apkmirror.com (they are run by Android Police, and are my go-to trusted source for .apk files) and get your application.  The cool part is that you will be able to drag-and-drop this .apk file into Genymotion.
  • First, however, you must download the ARM Translation package and install it by dragging the downloaded zip file into your virtual Android device (reboot afterwards). Then click and drag your .apk package into your Genymotion device.
  • Restart it manually or by typing adb reboot (to learn how to install ADB, see our Drozer Setup Tutorial).

********************************************************************************

First things first when going to get your Android .apk file: hop on your mobile device or Genymotion Android device and download ES File Explorer and the application you will be testing from the Google Play Store.

Once you pull up ES File Explorer as shown above, click on APPs, find the application you want the .apk file for, press and hold the application, and click Backup.

[Screenshot: etar]

As you can see right above us ^^^, the backed-up application was saved at /sdcard/backups/apps/.  As we traverse ES File Explorer to that location we can see that we have successfully created an .apk file for the desired application.

[Screenshot: apk success]

Throw this file into your Google Drive/Dropbox account and do what you wish with it!  What I personally recommend is that you:

  • Use a proxy like Burp and manually test this mobile application in Genymotion.
  • Take a look into Mobile Security Framework to get a better idea of how this application is built and its functionality while analyzing its source code.
  • Dig into the specific attack surfaces available by using Drozer.
  • Set up a dynamic analysis environment using Burp Suite.

Have fun, learn lots, and hack on.

Cyber Incision Out.


Android App Hacking with Drozer – Usage

This is the article for those of you who have already set up Drozer, or who are returning to test your next application a few weeks later and do not quite remember the exact syntax to get Drozer purring.

Reconnecting Drozer – Quickstart

Instead of heading back to the last article on setting up Drozer completely, here is the quick start to get back online.

  1. Boot up your Genymotion device which has the Drozer agent installed, pull the agent up and turn it on (bottom right hand corner).
  2. Now pull up a console (command line) and change your directory over to your platform-tools folder.
  3. Type adb forward tcp:31415 tcp:31415 to forward the port Drozer requires.
  4. Switch your directory to your drozer folder and then type drozer console connect, and you are back in business.


Examining Mobile Web Applications w/ Drozer:

[Screenshot: drozer list]

At this point I want you to type the command list.  This will show all of the modules available for you to execute in this session, much like the -h or --help flag would get you a list of sample syntax that can be used.

[Screenshot: drozer app packages]

The next command finds the application package for the app you are testing.

run app.package.list -f (name of app or company)

I have given you a few examples above; this will search for the application package which we will be running additional commands against.  As you can see, a search for google pulls up a significant number of applications; fortunately Drozer puts the (App Name) in brackets so it is very easy for you to identify your application even if you are testing a few at the same time.

For this test I will be using Etar, an open source calendar application.  I have already run these commands on it and this tool shows no vulnerabilities (I am demonstrating the commands), and I have already found the application package I will be using.

**Disclosure: Please only test applications for which you have written permission from individuals with authority to authorize testing of the application, which are documented as open source (express permission given – static testing only), or which are your own proprietary application in which you are testing for vulnerabilities.

If needed, here are the links for SOW (Statement of Work) and ROE (Rules of Engagement), which are highly recommended when working on any penetration testing efforts.

Next, find out some more information on the app you will be looking at first.

run app.package.info -a (application)

Use the package name found in the screenshot above; in my example it was ws.xsoh.etar – see below.

[Screenshot: drozer app info]

As you can see above, the version number, the path, the .apk file, and the permissions are listed; typically a broadcast receiver would define the permissions (when it is supported by a private company).

You should be screenshotting this data and saving it as artifacts when submitting your testing documentation (and for your own reference so you do not have to run these commands again).

If you need to pull an .apk for any reason please see the article already written in regards to MobSF (Mobile Security Framework) where extracting .apk files is documented.

Attack Surfaces

run app.package.attacksurface (application)

This command gets you into the territory which has made Drozer so popular in the mobile web application security world.  Let's take a look.

[Screenshot: attack surface]

As we can see here, there are 7 activities which have been exported along with 3 broadcast receivers.  Now, as security testers, it is up to us to determine whether these exported activities and attack surfaces are sensitive and/or vulnerable by design.  If they are vulnerable we can take it a step further and use the other Drozer modules to test and exploit these activities.

Be aware and on the lookout for a line that may be included at the bottom of this attack surface result:

debuggable

As security testers this is big.  First and foremost, this is most likely an item on your mobile web application security checklist; if you do not see this output, most likely the application is not in Dev mode, has been released appropriately, and is in a Prod state.

So what does it mean if you do see that this application is debuggable?  Good question.

When an application is debuggable it means that the development team did not turn this “feature” off.  It also means that as penetration testers we are able to take our pick of debuggers, attach it to the process, and walk through every single set of instructions while executing arbitrary code in the application (good times).  InfoSec Institute has an excellent article on digging deeper when your application is debuggable and injecting runtime code.
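The attack surface listing above is derived from the app's manifest.  As an added example (not part of this post, and not Drozer's own code), here is a small Python checker that applies the same manifest rules to a constructed sample AndroidManifest.xml with a hypothetical package name: a component counts as exported when android:exported is "true", or when that attribute is absent and the component declares an intent-filter, and the build is debuggable when the application element carries android:debuggable="true".  Developers can run this against their own manifest before release to see the exported activities, receivers and providers and the debuggable flag a tester would find.

```python
import xml.etree.ElementTree as ET

# Android's XML namespace; manifest attributes such as android:name live under it.
ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "receiver", "provider", "service")

# Constructed sample manifest (hypothetical package and component names) showing
# the situations the attack-surface output reports: components exported
# explicitly, exported implicitly via an intent-filter, and a debuggable build.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.sample">
  <application android:debuggable="true">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".SettingsActivity" android:exported="true"/>
    <activity android:name=".InternalActivity" android:exported="false"/>
    <activity android:name=".ShareActivity">
      <intent-filter>
        <action android:name="android.intent.action.SEND"/>
      </intent-filter>
    </activity>
    <receiver android:name=".SyncReceiver">
      <intent-filter>
        <action android:name="com.example.sample.SYNC"/>
      </intent-filter>
    </receiver>
    <provider android:name=".KeyProvider"
        android:authorities="com.example.sample.keys"
        android:exported="true"/>
    <service android:name=".WorkService"/>
  </application>
</manifest>
"""


def android_attr(elem, name):
    """Read an android:-namespaced attribute, or None when it is absent."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def is_exported(component):
    """Manifest rule: an explicit android:exported wins; without it, a component
    that declares an intent-filter is exported by default (the rule the
    attack-surface listing reflects; since API 31 the attribute must be explicit)."""
    explicit = android_attr(component, "exported")
    if explicit is not None:
        return explicit == "true"
    return component.find("intent-filter") is not None


def attack_surface(manifest_xml):
    """Return the package name, the debuggable flag and, per component type,
    the names of the components another app can reach."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    surface = {
        "package": root.get("package"),
        "debuggable": android_attr(app, "debuggable") == "true",
        "exported": {tag: [] for tag in COMPONENT_TAGS},
    }
    for tag in COMPONENT_TAGS:
        for component in app.findall(tag):
            if is_exported(component):
                surface["exported"][tag].append(android_attr(component, "name"))
    return surface


def summarize(surface):
    """Render the result in the same shape as the attack-surface listing."""
    labels = {"activity": "activities", "receiver": "broadcast receivers",
              "provider": "content providers", "service": "services"}
    lines = ["Attack Surface for %s:" % surface["package"]]
    for tag in COMPONENT_TAGS:
        names = surface["exported"][tag]
        lines.append("  %d exported %s" % (len(names), labels[tag]))
        lines.extend("    %s" % name for name in names)
    if surface["debuggable"]:
        lines.append("    is debuggable")
    return "\n".join(lines)


if __name__ == "__main__":
    print(summarize(attack_surface(SAMPLE_MANIFEST)))
```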

run app.activity.info -a (application)

[Screenshot: etar activities]

As you can see, this open source application, which is the new free software Android calendar, uses basically all of its code from the com.android.calendar packages, which is why I chose it.

When using this next command, look for something that was custom written by the creators: something unique to the app in particular that is either a standalone activity or an activity behind some type of authentication page through which the application can be taken advantage of.  You would be amazed at some of the things you can discover: password lists, usernames, developer documentation.  Just remember to document everything.

run app.activity.start --component (application) (activity)

[Screenshot: interacts]

Run each activity, witness how it interacts with your application, change parameters, share items, change settings, and see what can be seen and changed within your mobile web application.

Many times app.service.send can be used to send messages to each individual service; other times it may take writing custom drozer modules to truly get the outputs you are looking for from your mobile web application.



Digging Deeper ~

Drozer is capable of building more complex commands on top of just picking activities and running them within the application.  You can also type

help

in front of your command to see what options are available to you:

run app.activity.start --component (application) (activity)

[Screenshot: help output]

Here we can see that we can continue to use Drozer with a much more ‘explicit intent’ by using the optional arguments documented in the help output.

[Screenshot: optional args]


While there is not much to see on my sample application using these next few commands, it is very important that you continue to analyze the application you are testing with them, as I am sure there will be not only content, but possible vulnerabilities and findings as well.


Content Provider Information

run app.provider.info -a (app)

~This will list content provider information – please run this, as while you may not have found a vulnerability within the application itself, I have seen a number of times where there are significant vulnerabilities or SQL injection flaws within the content providers of the mobile app.

Drozer Scanner Module

Drozer's scanner module is able to search not only for SQL injection but for directory traversal as well.

run scanner.provider.injection -a (app)

run scanner.provider.traversal -a (app)

Run these to find vulnerable content providers that are easily visible to the scanner.

run scanner.provider.finduris -a (app)

This scanner module will allow you to bring together a list of content URIs that are accessible, and then we are able to take a look and try to retrieve and query information from the URIs or possibly modify data in any correlating databases.

run app.provider.query content://(content provider as seen in previous command output here)

Now we have data, but how to test it?

Here is where your direct knowledge of Android comes into play.

We know that the Android platform relies heavily on SQLite databases for storing snippets, metadata, and user data.  Since we know these databases use SQL, we know that SQL injection is right around the corner.  If you don’t know SQL, you can learn enough in a day on CodeCademy to be dangerous with it.

Here are a few exploit examples testing for SQL vulnerabilities:

run app.provider.query content://(content provider) --verticle_id: 1

Looking at certain ids within the database

run app.provider.query content://(content provider) --projection "'"

Testing the projection field

run app.provider.query content://(content provider) --selection "'"

Testing the Selection field.

run app.provider.query content://(content provider) --projection "* FROM SQLITE_MASTER WHERE type='table';--"

Use any error messages received to craft your requests to try to list all tables or query specific tables:

run app.provider.query content://(content provider) --projection "* FROM Key;--"
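As an added example (not from this post and not Drozer's code), the following Python reproduces on a constructed in-memory SQLite database why the probes above behave as they do and how a provider prevents them.  unsafe_query splices the caller's projection and selection straight into the statement, the way a careless query() implementation does; hardened_query is an analogue of Android's SQLiteQueryBuilder with a projection map and strict mode, allowing only listed columns and one fixed, parameterised selection shape.  The table name Key and the SQLITE_MASTER probe are the ones used above; the column names, rows and the ALLOWED_COLUMNS list are constructed for the example.

```python
import re
import sqlite3


def make_sample_db():
    """Constructed sample store standing in for an app's private SQLite database.
    'secret' is a column the provider should never hand to other apps."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Key (id INTEGER PRIMARY KEY, name TEXT, secret TEXT)")
    conn.execute("CREATE TABLE Notes (id INTEGER PRIMARY KEY, body TEXT)")
    conn.executemany("INSERT INTO Key (name, secret) VALUES (?, ?)",
                     [("api", "constructed-secret-1"), ("push", "constructed-secret-2")])
    conn.commit()
    return conn


def unsafe_query(conn, projection, selection=None, selection_args=()):
    """Vulnerable pattern: projection and selection strings from the caller are
    concatenated into the statement, so a projection of
    "* FROM SQLITE_MASTER WHERE type='table';--" rewrites the whole query and a
    lone quote produces the parser error message a tester reads."""
    sql = "SELECT " + ", ".join(projection) + " FROM Key"
    if selection:
        sql += " WHERE " + selection
    return conn.execute(sql, tuple(selection_args)).fetchall()


# Projection map: the only columns a caller may ask for (no 'secret').
ALLOWED_COLUMNS = ("id", "name")
# Strict selection: exactly one equality test on an allowed column, with the
# value bound through selection_args rather than spliced into the text.
SELECTION_SHAPE = re.compile(r"\s*(\w+)\s*=\s*\?\s*")


def hardened_query(conn, projection, selection=None, selection_args=()):
    """Validated counterpart: unknown columns, free-form WHERE fragments and
    mismatched argument counts are rejected before any SQL is built."""
    columns = list(projection) if projection else list(ALLOWED_COLUMNS)
    for col in columns:
        if col not in ALLOWED_COLUMNS:
            raise ValueError("column not permitted in projection: %r" % col)
    sql = "SELECT " + ", ".join(columns) + " FROM Key"
    params = tuple(selection_args)
    if selection:
        match = SELECTION_SHAPE.fullmatch(selection)
        if match is None or match.group(1) not in ALLOWED_COLUMNS:
            raise ValueError("selection not permitted: %r" % selection)
        if len(params) != 1:
            raise ValueError("selection expects exactly one bound argument")
        sql += " WHERE " + match.group(1) + " = ?"
    elif params:
        raise ValueError("selection_args given without a selection")
    return conn.execute(sql, params).fetchall()


def query_outcome(fn, conn, projection, selection=None, selection_args=()):
    """Run a provider-style query and report what the caller would observe:
    ('rows', data) or ('error', exception class name), the two things a tester
    reads from a provider's response."""
    try:
        return ("rows", fn(conn, projection, selection, selection_args))
    except (sqlite3.Error, ValueError) as exc:
        return ("error", type(exc).__name__)


if __name__ == "__main__":
    db = make_sample_db()
    table_probe = ["* FROM SQLITE_MASTER WHERE type='table';--"]
    print("unsafe, table listing probe:", query_outcome(unsafe_query, db, table_probe))
    print("unsafe, dump Key:", query_outcome(unsafe_query, db, ["* FROM Key;--"]))
    print("hardened, same probe:", query_outcome(hardened_query, db, table_probe))
    print("hardened, legitimate:", query_outcome(hardened_query, db, ["name"], "id = ?", (2,)))
```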

Underlying File Systems

These content providers are in place in order to share data, files, and information with other applications outside of the application you are using; this is called sand-boxing.  There are a number of commands you can use within drozer that I will list in a second, but I personally use Root Browser to dig deeper into the filesystem of the application, and if I require a file I can use drozer to download it if I prefer.

To make sure you have the right file, read it:

run app.provider.read content://(content provider)/data/data/(filename)

Then download it:

run app.provider.download content://(content provider)/data/data/(filename)


Wrap up ~

It is important to remember that you do not have to memorize EVERYTHING!  You just have to know where to find it.  If you read this whole article, awesome.  If you put to use the information delivered in this article, even better!

Personally I hack to learn.

Since I do not plan to stop learning, I will definitely not stop Hacking!

I hope you do the same.

Hack On.

Cyber Incision Out.


Android App Hacking with Drozer – The Setup


Why Drozer?


MWR Labs has done an excellent job putting together this attack framework for Android applications; Drozer rocks.  They even have an excellent tutorial to help you get everything set up.  What I found myself doing when I first learned how to use this tool was still needing other resources in order to complete my setup and get things working, so here we bring it all together and get you up and running.

This tool helps analyze and display the attack surfaces which Android applications have, and allows you to then use public exploits against the applications to make sure that your application has been tested and validated!

This tool can also be used for remote exploits: when a shell is obtained, install the shellcode that Drozer generates, and now you have a remote administration tool on your target device.

You should need no other convincing than this that this tool needs to be in your suite of Android testing tools, right next to Mobile Security Framework (MobSF), Burp, and Android Studio.

Setup and Install~


First boot up Genymotion (instructions to load this tool are in the MobSF article posted here).  Pick an Android device to emulate which is running anything after Android 2.1, and have your application downloaded from the Google Play Store (or sideloaded).


To begin, head over to Team Android's page, download the latest Google drivers available, and unzip them into your Mobile Web App folder (or one that you will remember).  Then right click your command console and run it as an administrator.  We need to set our path to this folder's location in order to use ADB at the command line.

chdir "C:\Desktop\FOLDER\Platform-Tools\"

Replace the path within the quotes with the folder's location on your workstation when running this.

adb devices

In order to run the ADB command in the console you must be in the platform-tools folder.  This is important to note, as the next thing we need to do is install the Drozer agent onto your Genymotion device.

Side Note*** If using a physical Android device, please continue installing the Google USB Drivers onto your computer as shown in the Team Android post, then connect the device to your workstation with a USB cable.

Then type adb devices as shown above in the screen capture.

This will pop up a list of the Android devices which you have connected, either via USB cable or via the Genymotion Android emulator.

Building for Windows

NOTE: Windows Defender and other Antivirus software will flag drozer as malware (an exploitation tool without exploit code wouldn’t be much fun!). In order to run drozer you would have to add an exception to Windows Defender and any antivirus software.

We must also have Python on our device, as it is one of the dependencies for using the Drozer toolset.

git clone https://github.com/mwrlabs/drozer/
cd drozer
python.exe setup.py bdist_msi

Installing .msi (Windows)

Run dist/drozer-2.x.x.win-x.msi 

**As you download this file, Windows Defender should catch it; go back, click on the alert, and add the entire folder as an exception to Windows Defender and the firewall in order to proceed.

Agent.APK Setup

Now download the Drozer agent.apk file here (this will be installed on your Android device so it can communicate back to the Drozer program on your workstation).

Stay in your platform tools folder so you can run this adb command and install it onto your Android device using the following command:

adb install "C:\Desktop\FOLDER\Drozer\agent.apk"

Once again, please replace the path with your download location of the agent.apk file.

[Screenshot: adb install agent.apk]

You should then see the orange Drozer agent application symbol on your device.  Finally, forward your ports to the ports that Drozer uses with the following adb command:

adb forward tcp:31415 tcp:31415

[Screenshot: drozer setup]

Here you can see the setup I am using.  In Genymotion I have been using Google Nexus 9 – 5.1.0 API 22 devices with a screen size of 1536×1048.

I find that I like the bigger screen size when working in Geny, and it fills exactly half of my UHD display.

[Screenshot: drozer agent on]


Now, click your Drozer agent icon, and in the bottom right hand corner click the “off” button to turn it on.


Boom, congratulations, you have now set up Drozer and are ready to begin testing your Android application.  Install it from the Google Play Store or sideload it into your Genymotion device, then head back to your command line.

You will navigate over to your Drozer folder which has all of the program files within it and run:

drozer console connect

***On a real (not an emulator) Android device the IP of the device must be specified:

drozer.bat console connect --server 192.168.0.9

[Screenshot: drozer running]

If you are already knowledgeable on the inner workings of Android Testing Tool Drozer, hack on.  If not follow me on over to my next post.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

In this article we jumped between three main articles; none of these will get you completely set up by themselves, unfortunately, which is why I am here to put all the steps together into this one article and be your one stop shop here at Cyber Incision.

  • The first is from Team Android, who will get you up and running with ADB (<- gotta have it) and Fastboot on Windows 10.
    • This set of drivers is also known as the Android SDK Tools (follow this link to set this up), an advanced command line tool which will allow you to run operations on your Android device and emulator that would not have been possible before.
  • The second article worth reading is from the INFOSEC Institute, which has provided an excellent introduction to Drozer and can be used as a reference for many of the commands you will see here in this article.
  • Finally there is the MWR Drozer instructions manual, which is an excellent reference point, especially once you get past the introductory learning curve and begin using the Drozer modules.

How to use MobSF to analyze a Mobile Web Application

There are a number of excellent tools that exist when it comes to testing mobile web applications.  Unfortunately many of them cost a significant amount of moolah.  There are a few, though, that are currently free to use, and we are going to take a deep dive into getting you your first Mobile Security Framework report from the mobile web app that you are testing today.

Before testing mobile web applications, please be sure that your organization has the required documentation and written consent from the organization in order for you to do so.  Typically this will be included in a SOW (Statement of Work) and ROE (Rules of Engagement).



MobSF Install and Use:

Now that we have the .APK and have it in our Kali box, let's get our Mobile Security Framework up and running.

I would be doing you a disservice if I tried to go step by step on the setup and did not tell you that MobSF and ajinabraham already have excellent tutorials on getting up and running with the MobSF tool, because they do.

Feel free to visit their page or continue on and follow the next few steps.

**For Windows or Mac please see MobSF documentation at this link **

The reason I use Kali in a virtual environment is so I can suspend it, have a dedicated MobSF VM, and have it save my MobSF reports in the ‘recent MobSF reports’ list, so I can actively switch back and forth to it and analyze source code.

https://github.com/MobSF/Mobile-Security-Framework-MobSF/wiki/1.-Documentation

For Kali Linux follow along here and run this syntax:

Pull up your terminal/command line in Kali Linux and run:

git clone https://github.com/MobSF/Mobile-Security-Framework-MobSF.git
cd Mobile-Security-Framework-MobSF

Clone the repository, then switch your directory as shown above.

sudo apt install build-essential libssl-dev libffi-dev python-dev
pip install -r requirements.txt --user

Then install these libraries, which are essential to getting up and running, along with the requirements and dependencies.


Now, in every pentest I have been a part of, there is always a pentester who claims to have done the work but has NO report to back it up…..Don’t be that GUY/GAL!

Run this command:

apt-get install wkhtmltopdf

This will give you the option, at the end of uploading your .APK file, to download the PDF and have a report to show that the analysis has at least been run, an artifact exists, and it can be referenced back to.


After this, we are ready to start the MobSF Server.

In your terminal run

python manage.py runserver

[Screenshot: MobSF server running]

Now you have your server running, but wait, there is nowhere to insert my APK file!?

That's because MobSF is AWESOME!

Pull up your browser and go to http://localhost:8000/

You will now see the web interface, which is drag-and-drop ready for that .APK file you have already downloaded from your Google Drive/Dropbox account.

[Screenshot: MobSF analyzing]

Throw it in, and you will see the server in the background have fun analyzing this .APK while you sit back and relax.

[Screenshot: MobSF report]

Be sure you are aware of the OWASP Mobile Security Checklist; this is essential to making sure you cover your bases as a pentester.  You are not required to know everything, but you are required to know how and where to find EVERYTHING.

So hop to it and get analyzing.  You have your report; at the bottom left you can see Download Report as a PDF, but please use the web interface: it allows you to download the Java code for the application and really get your hands dirty, along with being more user friendly than the PDF report (which you should still keep as an artifact).

[Screenshot: Analysis]

Here is the certificate for the application, which you are able to check against industry standards.

[Screenshot: permissions]


Also make sure the permissions for your application make sense!  Go through these while testing the functionality of the application and make sure that the user is asked for the appropriate permissions and they are not assumed (many a lawsuit has happened because the creator of a mobile application assumed that data could be taken and/or shared).

[Screenshot: Manifest Analysis]

As you can see in the Manifest Analysis, MobSF rates many items as high severity.  There is a fine line between customer experience and security, which is why you see what you see; read the description and use your God-given critical thinking skills to analyze them, and do not just throw this report at your project manager or client and say fix these things!  If you find something out of the ordinary, or seriously think you have a few items that may lead to vulnerabilities, do some research, or crazier yet, ASK someone!

MobSF allows you to download the Android manifest, the Java code, and the smali code.  Unfortunately this tool does generate false positives.  Verify the issues described by Mobile Security Framework by downloading the code and analyzing it.  Do your due diligence.  Prove vulnerabilities exist.

Have fun, learn lots.

~Cyber Incision out


CHFI v9 Certified Hacking Forensic Investigator Certification

This certification is offered by EC-Council who claims that the average salary for CHFI certification holders is between $85,000 and $120,000.  Sounds great right?

Prep:  Took a course in computer forensics, used Skillset.com to study for the exam, and it is telling me that I am doing well enough to pass.  Am I ready?

After taking this exam this last weekend and passing, I would want to ask you a few more questions.

1) Have you ever had work experience in this field?  Work experience can go such a long way when taking these exams.

Also, my proctor had taken and passed v8 of this exam, and after having a discussion with him about some of the content that I came across, it was very obvious to both of us that EC-Council was not playing any games when they said they were increasing the difficulty of this exam when releasing v9.

I do not want to discourage you whatsoever, as the time put into this will be worth it when achieving this certification.  Just know that if I had relied on just Skillset (pretty sure they are still using v8 questions) and a college-level forensics course for all of my information before taking this exam, I would not have passed.

Recommendation: Look into your organization's training budget options for team members.  If you have unlimited funds, hands down go with SANS FOR508.  This advanced forensics, incident response, and threat hunting course has gotten rave reviews, but the price tag is going to run you over $6000 for the course, and if you end up doing their forensics DFIR NetWars program (worth it, 2 nights of fun and learning whether you are a beginner or already a pro) and go on to take their GIAC Certified Forensic Analyst (GCFA) exam, you are looking at around $7000 plus hotel stay.  Once again, more than worth it if you can get your organization to comp it. (Keep reading till the end for a way to get some serious savings on this course.)

If you can't afford SANS at this time, or the locations of their training aren't convenient at this point in time, look into local boot-camps closer to your home, preferably a 5-day course.  If you are taking something shorter you may not be prepared for where the Google Drive artifacts are located or what is located within HKEY_LOCAL_MACHINE (folder specific).  This is one exam you cannot be over-prepared for.

The other option is studying the old-fashioned way.  Hop on Amazon and grab your study guide, but please, please, please look at the date the book was published!  Be sure you get the most recent edition as well!  Click on that Amazon link and it will take you to the most current edition; even though it's not the cheapest ($55), it will be worth the extra 20 spent on it.


Study hard and Go CHFI.

P.s. I did promise a little trick to get your SANS course cheaper.  It is called the SANS Work-Study program.  You have to apply and be chosen for the event, and sometimes you do not get selected for the exact class you were hoping for (you give them a selection of your top 5-10 choices).  You must be able to arrive a day early to the training, show up early for registration, and stay through your lunches to watch over professor equipment, but it gets you a pretty stellar discount.  Instead of $6000+ you are looking at 1,200 out the door for a whole week of training!  If your company is paying for the event, give someone else the chance to do the work study, but if you are paying out of pocket, and it's close enough to commute, DO IT!


Work hard, study harder, go get that cert.


The Top Five Computer Forensic Tools

Forensic tools are something that must be updated on a regular basis.  Whether because of patches, new hardware, or just a changing technological landscape, tools must be maintained in order to remain relevant.  The ongoing support is just one of the reasons that the tools discussed in this article are the most used in the forensic community.  The capabilities and usability of the tools are what we will discuss here today, as the reasons these tools are, in my opinion, some of the most used.

Forensics is the retrieval, collection, and interpretation of computer data without corruption of that data.  Therefore the best tools should be able to capture discoverable, unfiltered accounts of a suspect's data, activity, and electronic records.  Guidance Software has developed a phenomenal product which I discussed in week one's post (EnCase Forensic Imager, 2013).  EnCase Forensic Imager is able to save forensic investigators hours and hours of sorting through large amounts of forensic computer data that may or may not be relevant to their case.  EnCase does this not just through the speed with which it can search and collect data, but also through its built-in automation.  Of course it performs, but it is also one of the top sellers in the forensic community according to their website.  Here is the kicker…. $$$$$.  If you are looking for something to just get your hands dirty with, this is not the tool for you.  This is for the organization looking for a new PRODUCT to write off on their taxes!  For getting your hands dirty with a forensic tool kit, look no further than the next line.

SIFT (SANS Investigative Forensic Toolkit) has to come in second place (FREE).  It comes in second place because it is an excellent combination of open source tools that are all updated and worked on by the community (not to mention a pretty cool acronym).  I am partial to Ubuntu or Linux based systems, and this had a lot to do with me choosing it for my number two, along with the fact that anyone who takes a SANS training course (more to come on these later) will get some serious hands-on training with this toolkit. Some of these tools are world class and some are only usable on specific versions, but nonetheless, because of the popularity of SANS certifications and the number of people going through their certification process (myself included), I would say this is one of the top five forensic tools.  This is an excellent example of how SANS practices what it preaches (and keeps it up to date as well), and promotes what it preaches.  Click on the image to get over to the SIFT install directions on YouTube.

ProDiscover Forensics is going to end up as number three on the list.  It is categorized as one of the top tools used for a few reasons, the first being that it is a free tool.  Free means lots of individuals are able to handle the steep price, and the quality that comes along with it is acceptable.  This tool specifically goes into preparing legal reports with all of the data that is relevant to the case, previewing all files along with their corresponding metadata, and cross referencing data to make sure nothing is hidden (Shakeel, 2016).  With this in mind it is an excellent tool for smaller organizations who are either getting their forensics organization up and running or looking for new tools to expand upon their craft.

Xplico is tool number four, as it is a forensic tool that is used on networks to help reconstruct the contents of packets captured with Wireshark and similar sniffers (Shakeel, 2016).  This tool can take these packets and then output the reconstructed data into multiple types of databases, which makes it flexible, and there is no size limit on the data entry, which makes this tool excellent for any size of investigation.  This tool is included by default in many of the main penetration testing Linux images, such as Kali Linux, which will make this one of the most widely used tools on the market.

X-Ways Forensics will be one of our final contenders for most used forensic tools.  This is a tool that is capable of running off of a USB drive and will make complete disk images, and it will identify lost and/or deleted partitions as well.  This is a very popular tool too, and it lives up to its name.
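Two of the points above are worth seeing in code: the opening definition (forensics must not corrupt the data it interprets, which in practice means hashing the image at acquisition and re-verifying that hash before and after every analysis) and the X-Ways note about finding partitions that are no longer listed in the partition table.  The following is an added example written for this post, not code from X-Ways, EnCase or any other tool reviewed here.  It builds a small constructed MBR disk image (assumed layout: one NTFS partition still listed, a second NTFS boot sector whose MBR entry was zeroed), verifies the image hash, parses the MBR, and then scans every sector for a filesystem boot signature that no listed partition accounts for.  All function names and the sample image are this example's own.

```python
"""Added example: image integrity check plus MBR parsing and a scan for
boot sectors of partitions whose table entry has been removed.
The disk image is constructed inline; it is not evidence from a real case."""
import hashlib
import struct

SECTOR = 512
# OEM/identifier strings found at offset 3 of common boot sectors (NTFS, FAT, exFAT)
KNOWN_OEM = (b"NTFS    ", b"MSDOS5.0", b"MSWIN4.1", b"mkfs.fat", b"EXFAT   ")


def sha256_hex(data: bytes) -> str:
    """Hash used to prove the image has not changed since acquisition."""
    return hashlib.sha256(data).hexdigest()


def verify_image(image: bytes, acquisition_hash: str) -> bool:
    """True if the image still matches the hash recorded when it was acquired."""
    return sha256_hex(image) == acquisition_hash


def parse_mbr(image: bytes) -> list:
    """Return the non-empty entries of the MBR partition table.

    Each of the four 16-byte entries at offset 446 holds: boot flag (1),
    CHS start (3), type (1), CHS end (3), start LBA (4), sector count (4)."""
    if len(image) < SECTOR or image[510:512] != b"\x55\xaa":
        raise ValueError("no MBR boot signature at offset 510")
    parts = []
    for i in range(4):
        entry = image[446 + 16 * i:446 + 16 * (i + 1)]
        _boot, _chs1, ptype, _chs2, start, count = struct.unpack("<B3sB3sII", entry)
        if ptype != 0 and count != 0:
            parts.append({"type": ptype, "start": start, "sectors": count})
    return parts


def find_orphaned_boot_sectors(image: bytes, parts: list) -> list:
    """LBAs that look like filesystem boot sectors but do not start any
    partition the MBR still lists: candidates for lost or deleted partitions."""
    listed_starts = {p["start"] for p in parts}
    orphans = []
    for lba in range(1, len(image) // SECTOR):
        sec = image[lba * SECTOR:(lba + 1) * SECTOR]
        if sec[510:512] == b"\x55\xaa" and sec[3:11] in KNOWN_OEM and lba not in listed_starts:
            orphans.append(lba)
    return orphans


def examine(image: bytes, acquisition_hash: str) -> dict:
    """Verify, analyse, verify again: the read-only analysis must leave the hash unchanged."""
    if not verify_image(image, acquisition_hash):
        raise ValueError("image does not match its acquisition hash; stop here")
    parts = parse_mbr(image)
    orphans = find_orphaned_boot_sectors(image, parts)
    return {
        "partitions": parts,
        "orphaned_boot_sectors": orphans,
        "hash_unchanged": verify_image(image, acquisition_hash),
    }


def build_sample_image() -> bytes:
    """Constructed 32-sector image: NTFS partition listed at LBA 2 (10 sectors)
    and a second NTFS boot sector at LBA 20 whose MBR entry has been zeroed."""
    def boot_sector(oem: bytes) -> bytes:
        s = bytearray(SECTOR)
        s[0:3] = b"\xeb\x52\x90"        # jump instruction typical of NTFS boot sectors
        s[3:11] = oem                   # OEM identifier
        s[510:512] = b"\x55\xaa"        # boot signature
        return bytes(s)

    mbr = bytearray(SECTOR)
    # one active entry: type 0x07 (NTFS), start LBA 2, 10 sectors long
    mbr[446:462] = struct.pack("<B3sB3sII", 0x80, b"\0\0\0", 0x07, b"\0\0\0", 2, 10)
    mbr[510:512] = b"\x55\xaa"
    image = bytearray(32 * SECTOR)
    image[0:SECTOR] = mbr
    image[2 * SECTOR:3 * SECTOR] = boot_sector(b"NTFS    ")
    image[20 * SECTOR:21 * SECTOR] = boot_sector(b"NTFS    ")   # deleted partition
    return bytes(image)


if __name__ == "__main__":
    img = build_sample_image()
    acquired = sha256_hex(img)          # recorded at acquisition time
    print(examine(img, acquired))
```

The scan deliberately reports candidates rather than "recovering" anything: a forensic tool points the examiner at a sector that looks like the start of a filesystem, and the examiner confirms it from the boot sector's own fields and the hash-verified image.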

These, in my opinion, would be my top five forensic tools.  I use Kali Linux frequently, so this list does not include any packet sniffers such as Wireshark or web app analysis tools such as Burp Suite.

References and Tools:

Access Data. (2017). Retrieved June 5, 2017, from http://www.accessdata.com/

Arsenal Recon. (2017). Retrieved June 5, 2017, from http://arsenalrecon.com/apps/recon/

Carrier, B. (2017). Open Source Digital Forensics. Retrieved June 5, 2017, from http://www.sleuthkit.org/

EnCase Forensic Imager v7.06 User’s Guide [PDF]. (2013). Guidance Software Inc.

Guidance Software. (2017). Retrieved June 5, 2017, from https://www.guidancesoftware.com/encase-forensic?cmpid=nav_r

SANS Institute. (2017). SANS Investigative Forensic Toolkit (SIFT) Workstation Version 3. Retrieved from sans.org: https://digital-forensics.sans.org/community/download

Shakeel, I. (2016, December 14). 7 Best Computer Forensics Tools. Retrieved May 18, 2017, from http://resources.infosecinstitute.com/7-best-computer-forensics-tools/#gref


Is Cyber Security For You?

I was once looking for an article just like this and asking questions like:


Where do I begin?

I am more than ready for a change.

Is this what I want to do?

Cyber Security may look like a daunting major to get involved in, but it truly is like many other types of STEM degrees.  It does not matter what you decide to jump into, whether you are brand new to college, moving from an Associate's degree on to your Bachelor's, or going for a more advanced Master's or PhD degree.

If you are going into STEM, be prepared to learn a new language.  No, I am not talking about learning a romance language like Spanish or Italian; I am talking about learning the jargon of the computer trade.  The stuff that, right now, if you were to talk to 'That IT guy', you would not be able to follow along, and I mean at ALL!

I was sitting in this spot a number of years ago.  Business major, been taking college courses for Waaayy too long, and working in the finance industry.  I knew I could complete my business degree, but then what?

I asked myself this as I watched many new business majors intern and get entry level positions at the organization I already worked at, without my having a Bachelor's.  (Mind you, I was tired of dealing with the aftermath of cyber criminals and filing multiple fraud claims a day on customers' behalf.)  I was ready to make a change and do something about it instead.

So I started searching for articles like the one you are reading now.  What I discovered was that the cyber security field was growing, and not just growing but Blowing Up.  Forbes said that this field is going to grow from $75 billion in 2015 to $170 billion by 2020, and that there are over 200,000+ jobs open in the US just waiting for a qualified candidate.  This means big opportunities, and extremely competitive salaries for those entering the field.

A bunch of ‘Sorry, you aren’t who we are looking for Mr. Bank Manager’ interviews later, I found one ‘Yes, let’s go hack some things together’ interview.

And Here I am.

14 certifications later, I am working in the cyber security field (from home at the moment, mind you) and loving every second of it.  My boss is the man (not the stick-it-to-the-man type, the one you WANT to work for type), and I learn something new Every. Single. Day.  I may take a break here in an hour or two to go play racquetball with my son, and squeeze and hug the nonsense out of my 10 month old baby daughter, because I can, and because I normally spent that time in traffic each and every day.  Either way I enjoy the extra time I have and am more efficient with the time I put into my work.  I enjoy what I do.  I enjoy learning every day.  Do you?

So where are you? What are you doing? Most importantly, WHY are you doing it?

If you think that this journey will be like that hacker movie you watched last night (follow that link for a good laugh or three!), you are most definitely going to be disappointed.  There is another excellent post on the topic of what it is like in the infosec field, written by Parisa Tabriz, which, while a tad lengthy, I challenge you to check out.


I realized (and I want you to realize this, or at least ponder it, by the end of today) that I needed to do this for me, because I wanted something different.  I am not sure if you are in the same place or maybe just furthering your career, but I urge you to take a leap of faith, try something new, then try harder at it, and take it one step at a time.

I hope and pray you make the right decision for your life; don't hesitate, just decide.  Be a changer, a shaker, a mover.  Be ethical, have integrity, and never ever stop learning.  Sit down and think about next year, 5 years, and 10 years from now.

I look forward to walking with you through all of it, step by step.

Let's begin with your Incision into the Cyber Realm.