Cuckoo Sandbox 1.2 released

After a while we finally released Cuckoo Sandbox 1.2!

It is one of the Cuckoo releases with the most impressive number of new features; just to mention a few:

  • XenServer machinery support
  • Physical machine support, to run analysis on bare metal
  • Comparative reporting: you can compare analyses in a fancy way
  • Improved visualisation of network data

A complete list of features is available in the announcement post; I kindly suggest having a look at it.


New Ghiro website

It seems that the old Ghiro website was too hard to understand for people visiting it.

As we all know, people stay on a website for a few seconds, so content should be delivered efficiently, with a simple layout and a short web page.

After one year we read about people who were barely able to understand what Ghiro is: an automated digital forensics tool or a brand new Photoshop clone? We read about people asking where they could download it, how much a license costs, and so on.

So our burlone, Ghiro’s design engineer, put together a brand new website: check it out at http://www.getghiro.org/ and let us know if you like it.


How to clean data in Cuckoo Sandbox

Starting with Cuckoo Sandbox 1.2, which will be released soon, the old data cleanup tool will be deprecated in favour of a new cleanup method.

The old clean tool, still available, is the clean.sh script in the tools directory. It is a bash script that deletes the data inside the storage directory (malware samples and reports), the logs directory and the db directory. The downside is that if you are not using an SQLite database but MySQL or PostgreSQL, or if you enabled the MongoDB reporting module to store analysis results in MongoDB, clean.sh won’t clean up that data, leaving you in a dirty situation.

In Cuckoo 1.2 clean.sh has been deprecated and a new cleanup method is provided, using the --clean argument when calling cuckoo.py:

python cuckoo.py --clean

Running this command deletes all the data: the storage directory (malware samples and reports), the logs directory, the data inside whichever database is configured, and the MongoDB data if the related reporting module is enabled.

Easy peasy!


Ghiro 0.2 released

It took some time, but here we are; I am really happy to say: we released Ghiro 0.2! We love to continuously improve Ghiro’s features and our codebase; I hope you like what we release now, and any kind of feedback will be appreciated. The official release statement follows.

Ghiro 0.2 has been released!

Ghiro is an automated image forensics tool: sometimes forensic investigators need to process digital images as evidence. Dealing with tons of images is pretty easy, since Ghiro is designed to scale to gigabytes of images. All tasks are fully automated: you just have to upload your images and let Ghiro do the work. Understandable reports and great search capabilities allow you to find a needle in a haystack. Ghiro is a multi-user environment, and different permissions can be assigned to each user. Cases allow you to group image analyses by topic, and with a permission schema you can choose which users are allowed to see your case.

It can be downloaded from http://getghiro.org both as a package and as a ready-for-use appliance.

What’s new in Ghiro 0.2?

* Added case deletion: you can now delete a case.
* Added analysis deletion: you can now delete an analysis.
* Added favorited images.
* Added automatic update check and an option to disable it.
* Added a filter to show only completed analyses in the task panel.
* Added an admin panel showing dependency status.
* Added image hex view page.
* Added PDF and HTML static report download.
* Added image string extraction and important string highlighting.
* Added requirements.txt for quick dependency setup with pip.
* Added JSON API to create cases and submit images.
* Added a command to check for new releases from the command line.
* Added search inside cases only: now you can specify in which case to search.
* Added image tags: now you can tag an image.
* Added image comments: now you can comment on an image.
* Added signature count in the Google Map and image thumbnail views.
* Added URL upload: now you can upload an image from a URL.
* Refactored the image analyzer to be modular; rewrote all analysis features as modular plugins.
* Fixed the local folder upload feature: unknown files are now skipped.
* Fixed a bug when logging an activity containing UTF-8 chars.
* Updated JavaScript libraries.
* Many little refactorings.
* Documentation update.
* Bug fixes.


Ghiro Appliance Building

It all started with us thinking about a way to provide users with the simplest and fastest method to test or deploy Ghiro: some users just want to give it a try, or to deploy their infrastructure painlessly in a few minutes, and we like challenges.

The goal was achieving a plug-and-play “box” with:

  • Few requirements or no requirements.
  • The ability to use the appliance-building technology in a continuous integration system, for developers’ daily testing.

After evaluating some technologies, the winner was a conventional “virtual appliance”, because it requires only one piece of virtualization software (e.g. VirtualBox, VMware). I love Docker, but it is more demanding.

Packer was the framework used to create, starting from configuration files and scripts, a brand new Ghiro appliance running the latest development release from GitHub.

The appliance-building script is open source and available under a project dubbed ghiro-appliance on GitHub.

To play with it you have two options:

  1. Get the latest stable appliance (running the latest stable Ghiro) from the official Ghiro website.
  2. Create your own development appliance, using the latest Ghiro development release.

If you are a Ghiro hacker, or you just want to live on the cutting edge of image forensics, you will go for the second option for sure.

Creating a new Ghiro appliance from scratch is quite easy:

  • Download and install Packer.
  • Make sure VirtualBox is installed and you have internet access (to download Ubuntu’s packages).
  • Check out the ghiro-appliance repository and run:
$ packer build template.json

You will see Packer run and create the Ghiro appliance: spawn a VirtualBox machine, run the initial setup, reboot, and install all the required software.
It can take about 30 minutes depending on your system performance and internet speed.

Now you get a .OVA file ready for use! For more documentation, just have a look at the ghiro-appliance README.md and at Ghiro’s documentation.



Silk Road 2 Seized: FBI Report Highlights

It is not breaking news: yesterday Silk Road 2 was closed, its admin was arrested and charged, and meanwhile servers in the US and EU were seized by various law enforcement agencies.

Today all Silk Road 2 markets show this page.

The operation, dubbed “Onymous”, was a joint effort of the FBI, Europol, Eurojust and US Homeland Security; it was publicly advertised on the FBI’s Twitter profile.

FBI twitter statement on Silk Road 2.

Many good articles are available about the operation details and the Silk Road admin’s profile, so I don’t want to duplicate them; just have a look at these nice reads:

The interesting point is the published sealed complaint, a 33-page document full of details. It teaches us something about OPSEC and the Silk Road operation.

I suggest you have a look at the document; there are some interesting highlights:

  • The Silk Road 2 admin, Blake Benthall aka “Defcon”, is not alone: there are other known and unknown people involved, so this might not be the only arrest.
  • He is accused of: narcotics trafficking conspiracy, conspiracy to commit and aid and abet computer hacking, conspiracy to transfer fraudulent identification documents, money laundering conspiracy.
  • An undercover US Homeland Security agent infiltrated the support forum staff and gained access to private areas. The agents took screenshots as proof.
    Undercover agent in Silk Road 2
  • The FBI estimated Silk Road 2 was generating sales of at least $8 million and $400,000 in commissions in October 2014.
  • The FBI places the birth of Silk Road 2 on 6 November 2013.
  • The site was a shopping mall for drugs and illegal services: just click on an item and put it in the shopping cart, probably the best-known feature of Silk Road ever. The website had almost the same features as Silk Road 1.
  • The admin implemented a Bitcoin tumbler, like in the first Silk Road release.
    Silk Road bitcoin tumbler
  • The fee was generally between four and eight percent; after a while a fixed fee of five percent was set for all services.
  • In December 2013 the admin posted a message saying “DPR places operational security above all else”. Sorry to tell you, this is an OPSEC fail.
    Silk Road OPSEC
  • The admin promptly moved the servers hosting Silk Road 2 when the Tor Project announced the Tor “de-anonymity” vulnerability. That is real vulnerability response.
  • The admin was aware of the “business” risks.
    Silk road risks
  • On September 10, 2014 around $1.5 million was stolen by someone.
    Silk road hacked
  • The website had approximately 150,000 monthly active users.
  • The admin tried to recruit large-scale narcotics vendors. He was really marketing oriented: he focused on how to grow the vendor user base, improve the offer with new products and be competitive in the market.
  • Some kind of intelligence was available to the website staff: they warned Minnesota users about an FBI operation described as a “large darknet related operation”.
  • The admin stated in a forum message that protecting the website infrastructure and servers from being seized by law enforcement was his top priority. Fail.
  • Law enforcement took a server offline and imaged it, and a forensic analysis was performed. They extracted the private keys used to run the Tor hidden service and the website, chat logs and the server configuration.
  • Blake used his personal email to lease, control and maintain the server.
    Blake Benthall
  • Blake accessed his email from his real IP address, easily traced to his hotel room.
  • Blake was active on social networking sites (Twitter, GitHub) and leaked some information.
  • A browser fingerprint was used as proof to identify Blake.
    Identification with browser fingerprint

Long story short: the Silk Road 2 admin did a good job, but it was not enough. He failed on some OPSEC points in a job where you can’t fail.

Kudos to the FBI and the other agencies for the joint operation.


Bringing up VirtualBox interface before starting Cuckoo

I am getting older and I need to write down commands I use rarely.

Cuckoo Sandbox expects to find all the network interfaces configured in its configuration file up when you start it.

If you configured Cuckoo to bind to, for example, the VirtualBox virtual interface although it is not up and working, Cuckoo will raise an error to tell you it cannot operate with the interface down.

Cuckoo Sandbox 1.2-dev
www.cuckoosandbox.org
Copyright (c) 2010-2014

2014-08-24 00:21:33,713 [root] CRITICAL: CuckooCriticalError: Unable to bind ResultServer on 192.168.56.1:2042: [Errno 99] Cannot assign requested address

The “Unable to bind ResultServer” error means that Cuckoo was unable to bind the component used to fetch the analysis logs; it happens because your virtual interface is down or missing.

To fix it you only have to bring up your (virtual) interface: create the virtual networking device and configure it.

With VirtualBox you have two ways to get a virtual interface up. The quick and dirty one: just start and stop your virtual machine. The cleanest: use the following commands to create the virtual network interface and configure it:

VBoxManage hostonlyif create
ip link set vboxnet0 up
ip addr add 192.168.56.1/24 dev vboxnet0

The first command tells VirtualBox to create a host-only vboxnet interface; the other two bring it up and assign its address.
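Since the CRITICAL error only shows up after Cuckoo has already started, it is handy to run the same check beforehand. The following POSIX shell preflight is an added example, not part of the original post or of Cuckoo itself: it verifies that the interface is administratively up and carries the address the ResultServer binds to, and prints the exact command from the list above that fixes whatever is missing. The script name cuckoo_preflight.sh and the function names are assumptions; the interface name and address default to the vboxnet0 / 192.168.56.1 pair used in the error message, and the check logic takes the text of `ip addr show` as an argument so it can be exercised on captured output.

```shell
#!/bin/sh
# Preflight check for the interface Cuckoo's ResultServer binds to.
# Added example: not part of the original post or of Cuckoo itself.
# The script name cuckoo_preflight.sh and the function names are assumptions.

# iface_ready IFACE CIDR ADDR_OUTPUT
#   IFACE       interface name, e.g. vboxnet0
#   CIDR        address Cuckoo binds to, e.g. 192.168.56.1/24
#   ADDR_OUTPUT text of `ip addr show dev IFACE`, passed in so the check can be
#               run against captured output; empty means the device is missing
# Prints what is wrong and the command that fixes it and returns 1; returns 0
# when the interface is administratively up and carries the address.
iface_ready() {
    iface=$1 cidr=$2 out=$3
    if [ -z "$out" ]; then
        echo "$iface: interface does not exist (run: VBoxManage hostonlyif create)"
        return 1
    fi
    # The first output line carries the flag list, e.g.
    #   3: vboxnet0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 ...
    # UP between the angle brackets means administratively up. Without it the
    # kernel withdraws the local route for the address and bind() fails with
    # EADDRNOTAVAIL, the "[Errno 99] Cannot assign requested address" above.
    # The pattern requires a whole UP token, so LOWER_UP alone does not match.
    if ! printf '%s\n' "$out" | head -n 1 | grep -Eq '<([A-Z_-]+,)*UP(,[A-Z_-]+)*>'; then
        echo "$iface: interface is down (run: ip link set $iface up)"
        return 1
    fi
    # Address lines look like "    inet 192.168.56.1/24 brd ... scope global vboxnet0".
    # The CIDR is used as a regex, so its dots match any character; good enough here.
    if ! printf '%s\n' "$out" | grep -Eq "^[[:space:]]*inet $cidr "; then
        echo "$iface: address $cidr not assigned (run: ip addr add $cidr dev $iface)"
        return 1
    fi
    return 0
}

# preflight [IFACE] [CIDR]: query the live system. Defaults match the
# ResultServer address in the error message above.
preflight() {
    iface=${1:-vboxnet0}
    cidr=${2:-192.168.56.1/24}
    iface_ready "$iface" "$cidr" "$(ip addr show dev "$iface" 2>/dev/null)"
}

# When run directly with arguments, check and refuse to continue on failure:
#   sh cuckoo_preflight.sh vboxnet0 192.168.56.1/24 && python cuckoo.py
if [ $# -gt 0 ]; then
    preflight "$@" || exit 1
    echo "$1 is up with ${2:-192.168.56.1/24}, start cuckoo.py"
fi
```

Chaining it in front of cuckoo.py with `&&` means Cuckoo is never started against a missing interface, and the message tells you which of the three commands above you skipped. The two `ip` commands and `VBoxManage hostonlyif create` still need the privileges they normally require; the check itself only reads interface state.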

Happy analysis!


Ghiro development repository moved

Ghiro development branch moved!

We moved the development branch (where the next Ghiro release is currently developed) to the master branch. From now on, if you want to follow Ghiro’s development you only have to follow our GitHub master branch. Easy peasy.

Check it out! We are always developing amazing (at least we hope so) new features. Please remember you can use GitHub to open tickets for us if you spot a bug or want a new feature.
