  • Stars: 130
  • Rank 277,575 (top 6%)
  • Language: Python
  • License: Apache License 2.0
  • Created almost 3 years ago
  • Updated over 1 year ago


Rip Raw

Rip Raw is a small tool to analyse the memory of compromised Linux systems. It is similar in purpose to Bulk Extractor, but particularly focused on extracting system logs from memory dumps of Linux systems. This lets you analyse a system without needing to generate a memory profile for it first.

This is not a replacement for tools such as Rekall and Volatility which use a profile to perform a more structured analysis of memory.

Rip Raw works by taking a raw binary, such as a memory dump, and carving files and logs out of it using:

  • Text/binary boundaries

  • File headers and file magic

  • Log entries

It then puts them in a zip file for secondary processing by other tools such as Cado Response, or a SIEM such as Splunk (examples below).
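To make the three carving passes concrete, here is an added illustration written for this page; it is not rip_raw's own code and does not reproduce its carving rules. It assumes a small file-magic table, a fixed 64-byte carve window per header hit, a syslog-style regex for log entries, and a constructed byte string standing in for a memory image. Printable-text runs give the text/binary boundaries, log entries are matched only inside those runs, and everything found is written into a zip for secondary processing.

```python
import io
import re
import zipfile

# File magic to carve on (assumed table for this example). The carve width is a
# fixed window per hit, an assumption here; rip_raw's own rules are not reproduced.
FILE_MAGIC = {
    b"\x7fELF": "elf",
    b"\x89PNG\r\n\x1a\n": "png",
    b"PK\x03\x04": "zip",
}
CARVE_WIDTH = 64

# Syslog-style entry: "Mon DD HH:MM:SS host proc[pid]: message" (assumed format).
SYSLOG_RE = re.compile(
    rb"(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec) [ 0-3]\d "
    rb"[0-2]\d:[0-5]\d:[0-5]\d \S+ .{1,200}"
)


def text_runs(blob: bytes, min_len: int = 16):
    """Text/binary boundaries: (offset, run) for runs of >= min_len printable ASCII bytes."""
    pattern = re.compile(rb"[\x20-\x7e\t]{%d,}" % min_len)
    return [(m.start(), m.group(0)) for m in pattern.finditer(blob)]


def carve_files(blob: bytes):
    """File magic: (offset, kind, carved bytes) for every header hit, ordered by offset."""
    hits = []
    for magic, kind in FILE_MAGIC.items():
        pos = blob.find(magic)
        while pos >= 0:
            hits.append((pos, kind, blob[pos:pos + CARVE_WIDTH]))
            pos = blob.find(magic, pos + 1)
    return sorted(hits)


def carve_logs(blob: bytes):
    """Log entries: (offset, line) for syslog-looking text found inside the printable runs."""
    entries = []
    for run_off, run in text_runs(blob):
        for m in SYSLOG_RE.finditer(run):
            entries.append((run_off + m.start(), m.group(0).decode("ascii")))
    return entries


def write_zip(blob: bytes) -> bytes:
    """Bundle carved files and logs into an in-memory zip and return its bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for off, kind, data in carve_files(blob):
            zf.writestr(f"files/{off:08x}.{kind}", data)
        log_text = "\n".join(line for _, line in carve_logs(blob)) + "\n"
        zf.writestr("logs/syslog_carved.log", log_text)
    return buf.getvalue()


def zip_names(zip_bytes: bytes):
    """Member names inside a produced zip, for checking the output."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return zf.namelist()


# Constructed stand-in for a memory image: padding, a syslog line, an ELF header,
# a second syslog line, a PNG header and trailing junk. Host and IP are invented.
SAMPLE = (
    b"\x00" * 16
    + b"Mar  4 10:21:07 ip-10-0-1-23 sshd[1234]: Accepted publickey for root "
      b"from 203.0.113.5 port 51234\x00"
    + b"\x00" * 8
    + b"\x7fELF\x02\x01\x01" + b"\x00" * 80
    + b"Mar  4 10:21:09 ip-10-0-1-23 kubelet[987]: pod started\n"
    + b"\x89PNG\r\n\x1a\n" + b"\x00" * 40
    + b"junk\xff\xfe"
)

if __name__ == "__main__":
    out = write_zip(SAMPLE)
    with open("carved.zip", "wb") as fh:
        fh.write(out)
    print(zip_names(out))
```

Matching log entries only inside printable runs is what keeps the second pass cheap and cuts false positives: the syslog regex never sees the binary regions, and a carved line cannot run across a text/binary boundary. A real image needs a richer magic table and a length heuristic per file type in place of the fixed window.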

Example

For example, after capturing the memory of an Amazon EKS (Elastic Kubernetes Service) system compromised with a crypto-mining worm, we processed it with rip_raw:

python3 rip_raw.py -f eks-node-ncat-capture.mem

The large zip of logs that Rip Raw outputs can then be viewed in a tool such as Cado Response (below). Approximately 36,500 log events were extracted from this memory image, along with a number of binaries such as images and executables.

[Screenshot: extracted logs viewed in Cado Response]

Or Splunk:

[Screenshot: extracted logs viewed in Splunk]


More Repositories

  • varc: Volatile Artifact Collector collects a snapshot of volatile data from a system. It tells you what is happening on a system, and is of particular use when investigating a security incident. (Python, 175 stars)
  • DFIR_Resources_REvil_Kaseya: Resources for DFIR Professionals Responding to the REvil Ransomware Kaseya Supply Chain Attack (C, 174 stars)
  • masked-ai: Masked Python SDK wrapper for OpenAI API. Use public LLM APIs securely. (Python, 67 stars)
  • CloudAndContainerCompromiseSimulator: Simulates a compromise in a cloud and container environment (Shell, 28 stars)
  • AWS_EKS_Cluster_Forensics: AWS EKS Cluster Forensics (22 stars)
  • MalwareAnalysis: MalwareAnalysis (C#, 11 stars)
  • DFIR_Resources_Whispergate: Resources for DFIR Professionals Responding to the Whispergate (C#, 9 stars)
  • Awesome-Fargate-ECS-EKS-Security-Tools-and-Guides: Awesome Fargate & ECS & EKS Security Tools and Guides (7 stars)
  • DFIR_Resources_Industroyer2: IoCs and YARA rules for Industroyer2 (YARA, 7 stars)
  • guardduty-lambda-cado: Go straight from Guard Duty alerts to Automated Investigations in AWS with Cado Response (Python, 4 stars)
  • product-help: Product help and user guides (JavaScript, 3 stars)
  • hellokitty-ransomware: Decoded HelloKitty Ransomware (C, 3 stars)
  • ctf-lambda-containers (2 stars)
  • Deployment-Templates: Contains a copy of the Terraform deployment templates for Cado Response (HCL, 2 stars)
  • api-reference: The documentation reference for the Cado platform's RESTful API. (HTML, 2 stars)
  • cado-poc-eks-cluster: Easily create a simple EKS cluster for testing EKS acquisition in the Cado platform. (Shell, 2 stars)
  • Engineering-Career-Ladder: The Engineering Career Ladder for Cado Security (1 star)
  • log4shell: Content to help the community responding to the Log4j Vulnerability Log4Shell CVE-2021-44228 (1 star)