Research Tool Release: ApateDNS
Written by Steve Davis
Here at Mandiant we deal with our fair share of malicious code. Being able to quickly identify specific information about a piece of malware is imperative. More specifically, knowing which domains a piece of malware uses for command and control (C2) communication is important to on-site incident responders.
Tags: ApateDNS, free tools
Exploring Artifacts in Heap Memory with Heap Inspector
Written by Aaron LeMasters
Please welcome the latest addition to Mandiant’s free forensic gadget grab bag: Heap Inspector. This tool is the manifestation of a very simple idea a colleague and I came up with several months ago when discussing the prevalence of heap sprays as a staging mechanism for most exploits in the wild today (and why anti-virus/HIPS did not recognize and block heap sprays in progress). The idea was simple: a heap spray stores identical copies of the same block of data hundreds of times on the heap, so why not hash each chunk in an application’s heap space and report repeating patterns? The idea grew into a full-featured tool to visualize and search an application’s heap space in near real-time. I presented Heap Inspector at a turbo talk this year at Blackhat USA 2011.
Tags: free tools, heap inspector, mandiant research
Highlighter v1.1.2 Released
Written by Jed Mitten
Hey, guess what?! MANDIANT has just released Highlighter v1.1.2 in response to your feedback – a fix for one particularly nagging issue with highlights and removals not updating the view immediately, and a few extra items thrown in to make Highlighter a little nicer to use.
Tags: free tools, highlighter, log analysis, log review
Web Historian: Reloaded
Written by Aaron LeMasters
We’ve been busy here on team agent at MANDIANT. In the spirit of our long-standing support of free software in the Incident Response community, we are happy to announce the release of Web Historian 2.0. This release is a complete rewrite and revamp of our very popular web history extraction tool. This version of Web Historian comes packed with features and supports Firefox 2/3+, Chrome 3+, and Internet Explorer versions 5 through 8. Here is a quick run-down of some of the new features:
- Collects web history, cookie history, file download history, and form history into data sets
- Simple/powerful UI based on tabbed organization of datasets
- Perform a live artifact scan of the local system
- Perform an artifact scan of one or more arbitrary history files from all supported browsers
- Import results from existing XML scan documents
- Data displayed in gridview style with full search, sort, and filter capabilities
- Custom filters can be created and applied to one or more data sets
- Export data sets to XML, HTML or CSV
- Extract and export history files used in live artifact scan
- Quick copy/paste selected gridview rows to clipboard
- Customizable scan settings can tweak the scan to target specific browsers and data sets
- Right-click context menu for narrowing gridview data instantly
- Select which columns to display in each dataset
- View page thumbnails and indexed content
- Export sanitized version of history results to distribute to others
- Website Analyzer provides visualization of datasets using bar graphs, pie charts and timelines
- Website Profiler shows a quick “report card” of artifacts for various websites
The custom filters mentioned above are extremely useful for narrowing the scope of your web history investigation.
Tags: blackhat, browser forensics, free tools, MIR 1.4, Web Historian