Autotimeliner to CyberChef to Timesketch

As you might know, I love to combine several OpenSource tools to get things done. One thing I wanted to play for some weeks is Autotimeliner by Andrea Fortuna.This tool is made to extract events from an Memory Image to combine it into a timeline. If you have a timeline, what comes next? Of course, putting it into Timesketch. So let’s give it a try.

We start with a memory dump from a Stuxnet infection from Download the four files, extract them and you are good to go.



Installation is pretty easy, install Volatility either via pre-compiled binary or install it manually, see the Volatility installation wiki for further information.

Test it running: -v


To install sleuthkit run:

brew install sleuthkit


sudo apt-get install sleuthkit

Installation Autotimeliner

Simply clone the GitHub repository:

git clone

Run it

python -f /Users/foobar/Downloads/ -p WinXPSP2x86 -t 2009-10-20..2018-10-21

That might take some time depending on your hardware.

Now you have an csv file around 5.6 MB.

                _     _______ _                _ _
     /\        | |   |__   __(_)              | (_)
    /  \  _   _| |_ ___ | |   _ _ __ ___   ___| |_ _ __   ___ _ __
   / /\ \| | | | __/ _ \| |  | | '_ ` _ \ / _ \ | | '_ \ / _ \ '__|
  / ____ \ |_| | || (_) | |  | | | | | | |  __/ | | | | |  __/ |
 /_/    \_\__,_|\__\___/|_|  |_|_| |_| |_|\___|_|_|_| |_|\___|_|

- Automagically extract forensic timeline from volatile memory dump -

Andrea Fortuna - -

*** Processing image /Users/foobar/Downloads/
*** Using custom profile: WinXPSP2x86
*** Creating memory timeline......done!
*** Creating shellbags timeline......done!
*** Creating $MFT timeline......done!
*** Merging and filtering timelines......done!
Timeline saved in /Users/foobar/Downloads/

The format used for the dates is not compatible with Timesketch:

more /Users/foobar/Downloads/
Date,Size,Type,Mode,UID,GID,Meta,File Name
Tue Oct 20 2009 12:08:04,0,ma.b,---a-----------,0,0,84995,"[MFT STD_INFO] Python26\Lib\SITE-P~1\setuptools-0.6c11-py2.6.egg-info\TOP_LE~1.TXT (Offset: 0x8a28c00)"
Tue Oct 20 2009 12:08:04,0,ma.b,---a-----------,0,0,85000,"[MFT STD_INFO] Python26\Lib\SITE-P~1\SETUPT~1.EGG\DEPEND~1.TXT (Offset: 0x75e4000)"
Tue Oct 20 2009 12:08:06,0,m..b,---a-----------,0,0,84985,"[MFT STD_INFO] Python26\Scripts\EASY_I~1.PY (Offset: 0x91b9400)"
Tue Oct 20 2009 12:08:06,0,ma.b,---a-----------,0,0,84986,"[MFT STD_INFO] Python26\Scripts\EASY_I~1.MAN (Offset: 0x91b9800)"
Tue Oct 20 2009 12:08:06,0,ma.b,---a-----------,0,0,84987,"[MFT STD_INFO] Python26\Scripts\EASY_I~1.EXE (Offset: 0x91b9c00)"
Tue Oct 20 2009 12:08:06,0,ma.b,---a-----------,0,0,84988,"[MFT STD_INFO] Python26\Scripts\EASY_I~2.MAN (Offset: 0x1042f000)"
Tue Oct 20 2009 12:08:06,0,m..b,---a-----------,0,0,84989,"[MFT STD_INFO] Python26\Scripts\EASY_I~2.PY (Offset: 0x1042f400)"
Tue Oct 20 2009 12:08:06,0,ma.b,---a-----------,0,0,84990,"[MFT STD_INFO] Python26\Scripts\EASY_I~2.EXE (Offset: 0x1042f800)"
Tue Oct 20 2009 21:21:26,0,...b,---a-----------,0,0,66083,"[MFT STD_INFO] Documents and Settings\Administrator\Desktop\SysinternalsSuite\ZoomIt.exe (Offset: 0x1a8a5c00)"
Wed Oct 21 2009 00:02:28,76800,m...,---a-----------,0,0,65342,"[MFT FILE_NAME] Program Files\NTCore\Explorer Suite\Tools\DRIVER~1.EXE (Offset: 0x14b9c800)"
Wed Oct 21 2009 00:02:28,76800,m...,---a-----------,0,0,65342,"[MFT FILE_NAME] Program Files\NTCore\Explorer Suite\Tools\DriverList.exe (Offset: 0x14b9c800)"
Wed Oct 21 2009 00:02:28,76800,m...,---a-----------,0,0,65342,"[MFT STD_INFO] Program Files\NTCore\Explorer Suite\Tools\DRIVER~1.EXE (Offset: 0x14b9c800)"
Wed Oct 21 2009 18:25:52,780800,m...,---a-----------,0,0,65338,"[MFT FILE_NAME] Program Files\NTCore\Explorer Suite\TASKEX~1.EXE (Offset: 0x14b1b800)"

so we need to adjust that. In the past, I used an own developed python script for that, but that does not really scale, so I considered another option.


An open source tool by GCHQ:

A simple, intuitive web app for analysing and decoding data without having to deal with complex tools or programming languages. CyberChef encourages both technical and non-technical people to explore data formats, encryption and compression.


git clone

Now open it

From the CSV that was generated, use your favourite tool to extract the first column of the csv which should look like that:

Tue Oct 20 2009 12:08:04
Tue Oct 20 2009 12:08:04
Tue Oct 20 2009 12:08:06
Tue Oct 20 2009 12:08:06
Tue Oct 20 2009 12:08:06
Tue Oct 20 2009 12:08:06
Tue Oct 20 2009 12:08:06
Tue Oct 20 2009 12:08:06
Tue Oct 20 2009 21:21:26
Wed Oct 21 2009 00:02:28

Now use the following CyberChef Recipe


And paste them all into input. It will result in a file you can download with the output.

Now the output txt has two CSV columns, you need to combine them with your autotimeliner csv to have the following headers:

datetime	timestamp	timestamp_desc
2009-10-20T12:08:04+0000	1256040484000	stuxnet.vmem_Mem_Dump_Timeline
2009-10-20T12:08:04+0000	1256040484000	stuxnet.vmem_Mem_Dump_Timeline
2009-10-20T12:08:06+0000	1256040486000	stuxnet.vmem_Mem_Dump_Timeline
2009-10-20T12:08:06+0000	1256040486000	stuxnet.vmem_Mem_Dump_Timeline
2009-10-20T12:08:06+0000	1256040486000	stuxnet.vmem_Mem_Dump_Timeline
2009-10-20T12:08:06+0000	1256040486000	stuxnet.vmem_Mem_Dump_Timeline

Now the csv should like like:


2009-10-20T12:08:04+0000,1256040484000,stuxnet.vmem_Mem_Dump_Timeline,Tue Oct 20 2009 12:08:04,0,ma.b,---a-----------,0,0,84995,[MFT STD_INFO] Python26\Lib\SITE-P~1\setuptools-0.6c11-py2.6.egg-info\TOP_LE~1.TXT (Offset: 0x8a28c00)
2009-10-20T12:08:04+0000,1256040484000,stuxnet.vmem_Mem_Dump_Timeline,Tue Oct 20 2009 12:08:04,0,ma.b,---a-----------,0,0,85000,[MFT STD_INFO] Python26\Lib\SITE-P~1\SETUPT~1.EGG\DEPEND~1.TXT (Offset: 0x75e4000)
2009-10-20T12:08:06+0000,1256040486000,stuxnet.vmem_Mem_Dump_Timeline,Tue Oct 20 2009 12:08:06,0,m..b,---a-----------,0,0,84985,[MFT STD_INFO] Python26\Scripts\EASY_I~1.PY (Offset: 0x91b9400)

There is one little caveat, you need to add „“ around the message, because some values might break the Import process.

That can now be imported into Timesketch

Et voila, a timesketched Memory Dump

lnav the log file navigator

This is a recommendation to a tool that I am using since months – the log file navigator.

Who does not know the issue, you have to look at logs from various places and you start with stuff like more, grep, cat etc. or upload it to your ELK, Splunk, QRadar – you name it.

While those tools have their good reason, log files usually have a specific set of requirements to handle effectively. And for that reason use lnav. The tool enables you to work with your log file(s) locally, offline and effective.

Some quotes:

Just point lnav to a directory and it will take care of the rest.  File formats are automatically detected and compressed files are unpacked on the fly.

The log message format is automatically determined by lnav while scanning your files.   The following formats are built in by default:

More features on the project website.

The best part? The tool is free! Yes free as free, so no data is shared with the developer, no shareware, it is free!

It runs on Apple OSX and linux – I am waiting for a Windows version as there is Linux subsystem support on Windows 10.


Out of my attempt to reverse engineer the Komand API (a security orchestration tool) I found myself writing some python helper to use the API. Maybe it is useful for some people, so I decided to OpenSource it.

It is hard to understand why a tool, thats main purpose it to connect APIs does not have an API documentation / client itself.

Usage should be pretty simple, clone the repository and good to go:

usage: [-h] [-v] [-wm] [-j JOB]

optional arguments:
-h, --help show this help message and exit
-v, --verbose increase output verbosity
-wm, --workflow_map show workflow map
-j JOB, --job JOB show job status

Feel free to open Issues or Make Pull Requests. The repository is hosted on Github:

15 Must read books if you want to work on Cyber Security


One of the most frequent questions I get asked by my students: What books should I read if I want to work in Cyber Security?

So I reviewed what I have read so far, talked to colleagues I trust to conduct the following list (as I have a lot of german readers, there is always a link to the german and the english version). The list is a mixture of educational books as well as books that will give an idea about mindset of hackers, defenders and other players in that field.

If you have other recommendations, opinions or comments, I would highly appreciate every feedback in the comments below.

I will try to update the post on a regular base as new trends are coming up e.g. machine learning, AI or blockchain (but I do not see any must-read-books in that areas).

It is fair to say, it is not the only way into the security area, a good amount of people learned by blogs, twitter, youtube and such and there is nothing wrong with it, it is quite the opposite, as the pace of change is so fast, it is hard to keep books up to date.

Every item has links to, if you happen to buy the book using the links you support the blog, thank you for that.

1. The Art of War

by Sun Tzu

A relative short (and cheap) book that teaches various aspects of war that most experts agree can also be applied to cyber security. To be honest, there are also a good amount of people who think Art of war is not as important, so read it and make your own opinion.
At least it will be a good ice breaker for networking.

Englisch link / German link

2. Ghost in the Wires: My Adventures as the World’s Most Wanted Hacker

by Kevin Mitnick

This was the first security related book I read after attending a conference talk of the author Kevin Mitnick. It is fair to say he is one of the most known hackers and reading his stories gives the reader first hand access to the mind and motivation of a hacker. The book is also very good to read.

English link / German link

3. The Cuckoo’s Egg: Tracking a Spy Through the Maze of Computer Espionage

by Cliff Stoll

What to say, a book about espionage, spies and many more. Good book that for sure must be read.

English link / German link

4. Practical Malware Analysis: A Hands-On Guide to Dissecting Malicious Software

by Michael Sikorski

Reading that book will equip you with all concepts and skills to analyse malicious files. This is even a very good skill if your goal is not to become the top notch malware reverse engineer, but the concepts outlined in the book will help to understand weaponizing files to target systems or users.

English link / German link

5. Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon by Kim Zetter

This book covers the maybe most prominent cyber security attack in history: Stuxnet. To understand motivation of companies to invest money in cyber security, knowing and trying to understand the Stuxnet case is so helpful and Kim Zetters book is the best to do so.

English link / German link

6. Rtfm: Red Team Field Manual

by Ben Clark

This list would be incomplete without at least one book covering the offensive aspect of cyber security professionals: red teaming. Even if you do not want to be payed to hack into companies, it is good to know what the people getting paid to hack into companies have read without a doubt.

English link / German link

7. Crafting the InfoSec Playbook: Security Monitoring and Incident Response Master Plan

by Jeff Bollinger, Brandon Enright, Matthew Valites

Legendary book outlining how to ramp up an Incident Response Plan to defend a network. If your goal is to go into red teaming, read that book to understand how defenders work.

English link / German link

8: 1984

by George Orwell

Fictional book but also a must read for making a career because it will sharpen your sensors for privacy more than any other book out there.

German link

9: Practical Unix & Internet Security

by by Simson Garfinkel, Gene Spafford, Alan Schwartz

Sooner or later everyone in the industry encounters Unix, that is why this book is on that list, because it is the bible for that area.

English link / German link

10: Computer Incident Response and Product Security

by Damir Rajnovic

Damir „Gaus“ Rajnovic created the standard to read to set up an Computer Security Incident Response Team (CSIRT / CIRT / CERT / CSIRT) or a Product Security Incident Response Team (P-SIRT).

German link

11: Applied Cryptography: Protocols, Algorithms and Source Code in C

by Bruce Schneier

A top x list in Cyber Security without a book from Bruce Schneier is not worth to listen to. Bruce Schneier is the rockstar in the area and his book the go to for cryptography.

English link / German link

12: Secure Coding: Principles and Practices

by Mark G. Graff, Kenneth R. van Wyk

You need to understand how to write secure code. Without that know how it is way harder to argue on basic security principles. This book is bootcamp for that purpose.

English link

13: Hacking: The Art of Exploitation

by Jon Erickson

Refered by a trusted friend as one of the go-to books for understanding exploitation.

English link

14: Cryptonomicon

by Neal Stephenson

Another fictional book on that list to understand motivation and boost your motivation in the field.

English link

Bonus: The Ultimate Hitchhiker’s Guide to the Galaxy

by Douglas Adams

When asking friends for opinions and recommendations for that list, the ultimate hitchhiker’s guide to the Galaxy was mentioned „because no security professional will take you seriously if you haven’t read it“ – nothing to add here.

English link / German link


You might have discovered, it is not yet 15 books, I am still on the journey to discover the remaining bricks. But rather prefer to let people read less books that have a big impact than more books with some that might not be the same caliber.

Have fun with reading.

(This post is inspired by 15 Must Read Books if You Want to Work on Wall Street)

Überwachungskamera worauf kommt es an

Ich werde immer wieder gefragt, wie man einfach eine Kameraüberwachung für das eigene Haus umsetzen kann. Viele bauen gerade ihr Haus oder renovieren, viele Gewerke sind mit Experten besetzt oder es gibt schon sehr sehr viel Material im Internet. Anscheinend jedoch nicht zu Videokameras im Außenbereich.

Um nicht immer das gleiche zu erzählen also hier eine schriftliche Variante meiner Antworten.

Disclaimer: Dieser Blogpost ist keine rechtliche Beratung, prüft also bitte erst, welche Regeln, Gesetze es gibt und respektiert die Privatsphäre von euren Nachbarn und anderen Personen in eurem Haushalt genauso wie Personen die euch ggf. besuchen (mehr dazu später)

Der Beitrag ist in verschiedene Fragen unterteilt, sollten noch weitere Fragen unter den Nägeln brennen, einfach die Kommentarfunktion nutzen.

Frage: Warum sollte ich eine Videoanlage / Videoüberwachung in meinem Haus installieren?

Am wichtigsten ist es zu verstehen, dass eine Videoanlage nichts verhindert. Wer sich vor Einrücken schützen möchte muss in Dinge wie Schlösser, Beschläge oder Riegel investieren (Stichwort passive Sicherheit) auch eine Alarmanlage verhindert keine Einbrüche.
Eine Videoanlage kann aber für ein Sicherheitsgefühl sorgen, sie kann helfen, Einbrüche oder Diebstähle aufzuklären.

Eine solche Anlage kann auch genutzt werden, um Personen, die im Haus sind und z.b. ihr Büro im Dach haben einen Überblick zu verschaffen, was um das Haus herum geschieht.

Was auch beachtet werden sollte, ist die Stromversorgung, zum einen die Stromversorgung der Kamera (Power over Ethernet vs. reguläre Steckdose vs. Batterie)

Steckdose: Super wenn sie schon da ist. Frage jedoch wie dann die Datenübertragung funktioniert, Wifi / WLAN kann teilweise etwas unzuverlässig sein.

Power over Ethernet: ggf. sinnvoll wenn am Ort der Kamera keine Steckdose ist und man damit nur ein Kabel ziehen muss

Batterien: Nutzbar wenn man überhaupt keine Kabel hat / keine Kabel legen kann. Es ist jedoch zu beachten, dass bei entsprechender Bewegung viele Bilder / Videos entstehen und die Laufzeit der Kamera deutlich verkürzen.

Frage: Wo sollte eine Kamera platziert werden?

Die Antwort ist schwer zu geben, es kommt darauf an. Zum einen sollte man interessante Punkte wie Eingänge, Parkplätze oder Nischen in Betracht ziehen.
Ein weiterer Aspekt ist die genaue Platzierung, es ist zum Beispiel unglücklich, eine Kamera so zu platzieren, dass sie ungesehen demontiert oder abgedeckt werden könnte.

Auch die Distanz ist relevant, was bringt eine Aufnahme von einer Person an der Eingangstür wenn jede Aufnahme maximal die Farbe der Mütze erkennen lässt.

Frage: Welche Anlage sollte ich nutzen?

Je nach Budget. Gute Erfahrung habe ich mit Reolink Anlagen gemacht, dort ist auch ein Controller erhältlich, der die Speicherung usw übernehmen kann und Kameras zum Beispiel per Power over Ethernet versorgt und eine Mail schicken kann, wenn die Verbindung zu einer Kamera unterbrochen wurde.
Auch die Qualität der Kameras ist sehr gut.

Frage: Wohin sollten die Aufnahmen gehen?

Sie sollten gespeichert werden, wenn Aufnahmen in der Cloud gespeichert werden oder die Anlage über das INternet steuerbar ist, hat das immer das Risiko, dass sich Dritte unberechtigten Zugang zu der Anlage verschaffen.

Wie kann ich meine Anlage von außen steuern / auf Aufnahmen zugreifen?

Ich würde nicht empfehlen, die Anlage aus dem Internet erreichbar zu machen, sondern per VPN z.b. auf die FritzBox zugreifen und dann auf die Anlage als ob man sich im Heimnetz befindet. Das verkleinert das Risiko dramatisch.

Frage: Warum nicht in die Cloud?

Siehe oben, in die Cloud bringt immer das Risiko mit, dass die Anlage von außen gesteuert werden kann.

Frage: Welche Bereiche sollte ich überwachen?

Alle wichtigen, aber auf die eigene Privatsphäre und die der Anwohner achten. Z.b. öffentliche Straßen dürfen nicht überwacht werden. Einen Balkon überwachen scheint erst mal sinnvoll, aber was wenn ihr euch dort mal hinlegen wollt, dann gibt es Bilder von euch auf dem Balkon. Es ist also Abwägungssache.

Ein komplettes System:

Kabellose Kamera ohne Stromversorgung:

Security API collection

While working on different stuff I was searching for a collection of APIs that are related of useful for security researchers, incident response people or threat intel.

Unable to find a good list of REST APIs decided to start it. The collection is hosted on a Security API list, and pull requests or issues mentioning missing APIs are highly welcome.

Why did I produce such a list? More and more people want to automate their workflows, Security Orchestration is the new Buzzword after last years Threat Intelligence, but basically containing the same, they both have in common to facilitate already available data, with Orchestration not storing that much data but enriching dots collected.

However the challenge is, what to integrate, everyone has their „go to“ tools they use on a daily base risking to miss some golden nuggets that are handy.

The list is divided (at the moment) in tools that are mostly on prem., online tools, SIEMs and various. With an increasing number of APIs that ordering might change of course.

So I really hope the list is useful and people can use it and that it can grow.

Simsme a secure messenger

(c) Deutsche Post AG

(c) Deutsche Post AG

There have been some ongoing discussions about Facebook Messanger / Whattsapp – security, encryption, privacy etc.
Just a few days ago Facebook made a big move pushing more users to the Facebook Messenger.
And now a new big player enters the field of messengers: Deutsche Post.

They announced a product called „Sims Me“ being a „free and secure messenger on iOS and Android“.

Of course Deutsche Post has some expirience with delivering messages for hundrets of years. But this is not the first App Deutsche Post is providing, officially the apps are developed by „DP IT Brief GmbH“.

Key Features of SimsMe

– End to end encryption
– everything stored on servers
– self destructive messages *
– Ability to connect to your existing contacts (but only by granting SimsMe access to your contacts)
– Confirm users by QR code (same like Threema)
– App is password protects -> if your possword got lost, your app data is gone, you have to reinstall it.

* only for th first million users for free

There is a good FAQ on the page.


The starting phase was a bit to much for Deutsche Post as to much users tried the service, but for now it is okay, some bugs have to been fixed, there is some space for improvement regarding UI, but overall a nice product.

Of course stating „it is end-to-end encrypted“ does not mean anything. I haven’t seen a Audit of the App, even if it would be open source, there is no evidence that the open source code is the code DP IT Brief GmbH is sending to Apple / Google. And there is no way to check wether the app uploaded from DP IT Brief GmbH to Apple / Google is the App that you are downloading to your device (they are in a position to madify apps). That said, having a big company providing an app with end to end encryption is better than using a plain-text or not properly encrypted app. But still, if you want to exchange sensitive stuff, face to face is the way to go.


iOS Itunes download
Andoid Google Playstore

Upload kippo ssh honeypot files to viper

You want to store all your samples catched by your SSH-Kippo Honeypot to your malware repository operated with viper?

Go that way:
Start Viper API:

foo@bar ~/scripts/viper $ ./ -H -p 8080

and upload all your samples to viper:

for i in /home/pi/kippo-read-only/dl/*; do curl -F file=@$i -F tags="honeypot" http://covert:8080/file/add; done 


    "message": "added"
    "message": "added"

(you might want to modify the dir to your setup)
Why not automate uploading from kippo to viper?
– The „attacker“ might upload more then just malware / samples. You do not want to waste space in your malware zoo with another copy of netcat…

Threema – Whattsapp with encryption

Whattsapp the popular smartphone app has several „privacy issues“ due to lack of encryption.

but there is an alternative solution with end to end encryption: Threema.
The company behind Threema is based in switzerland.

They have a special section within their FAQ for security questions: FAQ

Threema is at the moment only available for Android and iOS, so no Blackberry nor Windows Mobile support, but that should only be a question of time.

Another blogpost about threema:

But there are some concerns as the messages are stored plain on the device: article on (german only)

Download iOS app
Download android version

a better wp security plugin problem

Das WordPress Security plugin „A better wp security“ ist sehr wertvoll, bei manchen Webhostern können einzelne Funktionen jedoch dazu führen, dass der WordPress blog nicht mehr erreichbar ist.

Z.b. führt das nutzen der Funktion „Dateiänderungen tracken / File change detection“ auf einem shared hoster unter Umständen zu einem Timeout, weil nicht genug CPU / RAM vorhanden ist um alle Files zu checken.

Hier muss das plugin „A better WP security“ zurück gesetzt werden.

Mit dem folgenden SQL command werden alle options rückgesetzt:

FROM `wp_options`
WHERE option_name LIKE '%bwps%'

Alternativ lohnt sich ein Blick in die htaccess, welche durch das plugin ggf. auch angepasst wird.

Die default WordPress htaccess Datei sieht wie folgt aus:

# BEGIN WordPress

RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]

# END WordPress

Für Einsteiger noch eine Buchempfehlung zu dem Thema:

Für Profis: