You know about Windows, now for Linux forensics!

SecPro #91: Time for Forensix.

Hello! We've discovered a foolproof way to "improve" your password policy... It will certainly ease the strain on Helpdesk, anyway.

This week, we're looking forward to Sai wrapping up a month-long series on approaching forensic investigation, this time looking at [Linux forensics for beginners](. If you want to move into forensic analysis, there's no better place to start than with this noob-friendly guide to getting started. After that, we'll take a look at [another APT](, an excerpt from [Packt's Machine Learning for Cybersecurity Cookbook](, and throw in a few tools to keep you busy this week. Make sure to tell us your favorite in the survey further down the newsletter. The first 25 respondents will receive a free Packt eBook for their trouble!

Cheers!
[Austin Miller](
Editor in Chief

This week's highlights:
- [Forensics for Linux](
- [Exploring APTs - #4](
- [The Machine Learning for Cybersecurity Cookbook](
- [Mastering Linux Security and Hardening](
- [This Week's Survey](

And with that - on with the show!

Food for Thought...
Here's an interesting infographic that I came across this week. Created by [Cyberstartupobservatory](, it runs through the Top 10 most common CWEs that the adversary has exploited over the last calendar year. As you can imagine, there are some pretty familiar faces here.

How secure do you feel with your current organizational set-up? Are you properly protected against these CWEs? Which ones do you think will be the most common issues globally over the next year? Fill in the survey below and tell us what you think! The first 25 respondents will find a free Packt eBook of their choice!

[TELL US WHAT YOU'RE THINKING!](

A New Book from Packt!

- Prevent threat actors from compromising a Linux system
- Leverage additional features and capabilities of Linux
- Use secure directories and strong passwords to create user accounts
- Configure permissions to protect sensitive data

[NEED SOMETHING NEW TO READ?](

This Week's Editorial Articles

[Forensics for Linux](

[Sai]( is back with a breakdown on how to approach forensic analysis and which tools we should be using!

[Exploring APTs - #4](

Do you want to learn a bit more about an APT that has meddled in US elections, the World Anti-Doping Association, and a variety of journalists, military officials, and politicians? [Check it out here](

Cybersecurity Fundamentals

[Machine Learning for Cybersecurity Cookbook](

We're back with another excerpt from the [Machine Learning for Cybersecurity Cookbook](. This time, we're taking a look at how to tackle packed malware. For a full rundown on how to get stuck into this problem, check out the book.

[LIKE WHAT YOU SEE? CLICK HERE](

Assembling a packed sample dataset

One obvious way in which to assemble a dataset for a packer classifier is to collect samples that have been packed and whose packing has been labeled. Another fruitful way in which to assemble packed samples is to collect a large dataset of files and then pack these yourself.
Getting ready

There are no packages required for the following recipe. You may find upx.exe in the Packers folder of the repository for this book.

How to do it...

In this recipe, you will use UPX to pack a directory of files.

- Place upx.exe in a directory, A, and place a collection of samples in a directory, B, in A. For this example, B is Benign PE Samples UPX.

- List the files of directory B:

```python
import os

files_path = "Benign PE Samples UPX/"
files = os.listdir(files_path)
file_paths = [files_path + x for x in files]
```

- Run upx against each file in B:

```python
from subprocess import Popen, PIPE

cmd = "upx.exe"
for path in file_paths:
    # Pass the path as its own argument so file names containing spaces
    # need no manual quoting; capture both streams so errors are visible
    res = Popen([cmd, path], stdout=PIPE, stderr=PIPE).communicate()
    print(res)
```

- Whenever an error occurs in packing, remove the original sample (this check goes inside the loop body above, right after the call to UPX):

```python
    # UPX reports failures on stderr, so inspect both captured streams
    if "error" in str(res[0]) or "error" in str(res[1]):
        print(path)
        os.remove(path)
```

How it works...

The first two steps are preparation for running our UPX packer. In Step 3, we use a subprocess to call an external command, namely UPX, in Python. As we pack our samples (Step 4), whenever an error occurs, we remove the sample, as it cannot be packed successfully. This ensures that our directory contains nothing but packed samples, so that we can feed in clean and organized data to our classifier.

Have You Tried...?

Learning how to run forensic analysis on Linux is easier with a few tools built for the job. Check out this week's selection and tell us your favorite one in the survey above!
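A companion check for the packing recipe above, added here as an example (it is not from the Cookbook or its repository): instead of trusting UPX's console output, read each sample's PE section table and label it packed only when the UPX0/UPX1 sections are present. The parser uses only the standard library, and the `build_pe` helper fabricates minimal PE headers so the check runs without upx.exe or real binaries.

```python
import struct

DOS_E_LFANEW = 0x3C        # DWORD holding the file offset of the "PE\0\0" signature
COFF_HEADER_SIZE = 20
SECTION_HEADER_SIZE = 40   # each entry starts with the 8-byte section name


def section_names(data):
    """Return the section names of a PE image, or None if the headers do not parse."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, DOS_E_LFANEW)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return None
    coff = e_lfanew + 4
    if coff + COFF_HEADER_SIZE > len(data):
        return None
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + COFF_HEADER_SIZE + opt_size
    names = []
    for i in range(num_sections):
        off = table + i * SECTION_HEADER_SIZE
        if off + SECTION_HEADER_SIZE > len(data):
            return None  # truncated section table: do not guess
        names.append(data[off:off + 8].rstrip(b"\x00").decode("ascii", "replace"))
    return names


def is_upx_packed(data):
    """UPX names the sections it writes UPX0/UPX1 by default; use that as the marker."""
    names = section_names(data)
    return bool(names) and any(n.startswith("UPX") for n in names)


def label_samples(samples):
    """Map {filename: bytes} to {filename: 'packed' | 'unpacked' | 'invalid'}."""
    labels = {}
    for name, data in samples.items():
        if section_names(data) is None:
            labels[name] = "invalid"
        else:
            labels[name] = "packed" if is_upx_packed(data) else "unpacked"
    return labels


def build_pe(names):
    """Constructed minimal PE32 image for testing; not a real or runnable binary."""
    dos = b"MZ" + b"\x00" * (DOS_E_LFANEW - 2) + struct.pack("<I", 0x40)
    opt_size = 0xE0  # size of a PE32 optional header
    coff = struct.pack("<HHIIIHH", 0x014C, len(names), 0, 0, 0, opt_size, 0x0102)
    table = b"".join(n.encode("ascii").ljust(8, b"\x00") + b"\x00" * 32 for n in names)
    return dos + b"PE\x00\x00" + coff + b"\x00" * opt_size + table
```

Packers that rename their sections will slip past this marker check, so treat it as a sanity check on the labels you feed the classifier, not as the classifier itself.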
- [ashemery/LinuxForensics]( - Need a big collection to start studying hard? Look no further.
- [aquasecurity/tracee]( - A Linux runtime security and forensics tool, using eBPF.
- [intezer/linux-explorer]( - An easy-to-use live forensics toolbox for Linux endpoints.
- [hard2bit/afbd]( - Need to pentest against teams with strong forensic capabilities? Test out this anti-forensics block device driver for Linux.
- [M00NLIG7/ChopChopGo]( - Speed up your Linux forensics with this speedy artifact hunter.
- [PacktPublishing/Digital-Forensics-with-Kali-Linux-Second-Edition]( - A book from [Packt]( all about how to run digital forensics with Kali.

Copyright © 2023 Packt Publishing, All rights reserved.
As a GDPR-compliant company, we want you to know why you're getting this email. The _secpro team, as a part of Packt Publishing, believes that you have a legitimate interest in our newsletter and the products associated with it. Our research shows that you opted-in for communication with Packt Publishing in the past and we think that your previous interest warrants our appropriate communication. If you do not feel that you should have received this or are no longer interested in _secpro, you can opt out of our emails using the unsubscribe link below.

Our mailing address is: Packt Publishing, Livery Place, 35 Livery Street, Birmingham, West Midlands, B3 2PB
United Kingdom
[Add us to your address book](

Want to change how you receive these emails?
You can [update your preferences]( or [unsubscribe from this list](.