Installing Latest Yara That Works With Automake-1.11

2013-01-25 21:16:27 by chort

If you still run Ubuntu 10.04 (or another OS that can't upgrade automake past 1.11), you'll find that Yara 1.7 (the current SVN trunk) won't build. You'll probably get something like this:

configure.ac:3: unknown warning category `no-extra-portability'

This is a quick post to show you how to get the latest 1.6 bugfixes (i.e. updated past the 1.6 tarball release) without breaking the build.

First off, I recommend installing RE2 for better performance (allegedly, I cannot confirm). Once you've done that, follow these easy steps (don't miss -r 162, that's the critical bit!):

$ rm -rf yara-project-read-only
$ svn checkout -r 162 http://yara-project.googlecode.com/svn/trunk/ yara-project-read-only
$ cd yara-project-read-only
$ ./configure --with-re2
$ ./bootstrap.sh
$ make
$ sudo make install
$ cd yara-python
$ python setup.py build
$ sudo python setup.py install
$ sudo ldconfig

Boom, done!
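The steps above, wrapped so the SVN revision is picked from the installed automake version, as an added example (not part of the original post). It assumes `automake --version` prints "automake (GNU automake) X.Y.Z" on its first line and that r162 is the last trunk revision that builds with automake 1.11 or older, which is what the post states; svn, make, python and network access are assumed for the build function.

```shell
#!/bin/sh
# Added example: choose the Yara SVN revision from the automake version,
# then run the post's build steps with that revision.
set -eu

# Given the first line of `automake --version`, print the revision to check
# out: 162 when automake is 1.11 or older (it cannot build trunk), HEAD otherwise.
yara_rev_for_automake() {
    # pull the trailing "X.Y.Z" version number off the line
    ver=$(printf '%s\n' "$1" | sed -n 's/.* \([0-9][0-9.]*\).*$/\1/p')
    [ -n "$ver" ] || { echo "cannot parse automake version: $1" >&2; return 1; }
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    if [ "$major" -lt 1 ] || { [ "$major" -eq 1 ] && [ "$minor" -le 11 ]; }; then
        echo 162
    else
        echo HEAD
    fi
}

# The post's procedure, with the revision chosen automatically
# (assumption: the build otherwise behaves as described in the post).
build_yara() {
    rev=$(yara_rev_for_automake "$(automake --version | head -n 1)")
    rm -rf yara-project-read-only
    svn checkout -r "$rev" http://yara-project.googlecode.com/svn/trunk/ yara-project-read-only
    cd yara-project-read-only
    ./configure --with-re2
    ./bootstrap.sh
    make
    sudo make install
    cd yara-python
    python setup.py build
    sudo python setup.py install
    sudo ldconfig
}
```

Call `build_yara` from a shell that has svn and the build toolchain on PATH; `yara_rev_for_automake` can be run on its own to see which revision the script would pick.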

SF Bay Area DFIR Meetup January 31st

2013-01-12 16:24:44 by chort

Big news, AlienVault has agreed to play host, and they'll provide pizza and beer to boot! We also have a set date now, so without further ado, here's what to put on your calendar.


Scripting Hopper Disassembler - WS2_32.dll Ordinals to Names

2012-12-26 22:52:58 by chort

Over the holiday break I set goals to learn Yara signature creation and start the lab exercises in Practical Malware Analysis. Learning Yara turned out to be extremely easy, the User's Manual (available here) is excellent. Attempting to do the labs from PMA with Hopper rather than IDA Pro turned out to be rather challenging. One major advantage of IDA Pro is F.L.I.R.T. as many experienced reversers have been quick to point out to me. The very first exercise I attempted required analyzing a call to gethostbyname, which I couldn't even find because Hopper hadn't resolved the import ordinal to a name. I decided it was an excellent opportunity to learn how to use the built-in scripting of Hopper to resolve the names myself.


SF Bay Area DFIR Meetup

2012-12-20 19:13:58 by chort

If you are in the San Francisco Bay Area and do Incident Response, please read this post and give feedback on preferred location, time, and frequency of proposed local meetups.


Prerequisites To DFIR

2012-12-15 21:24:08 by chort

I gave a short presentation at Baythreat this year titled My First Incident Response Team: DFIR for Beginners. Due to the time format, I wasn't able to give a lot of context around some of the concepts. A few people asked if I had suggestions of simpler things to start with prior to diving into digital forensics. I hope to address those questions in a long-form version of my presentation at conferences in 2013, but in the meantime here are a few things I consider prerequisites or jumping-off places for new incident responders.
