Post-Mortem RAM Forensics - CanSecWest

More documents

Recommendations

Info

<strong>CanSecWest</strong>2007 28 PoC: Virtual Memory Page Directory Index Page Table Index Byte Offset Page Directory PDI Entry Shown without PAE enabled Virtual Address Page Table PTI Entry Adapted from Windows Internals : Solomon and Rossinovich See also Intel Software Developers Manuals Physical Memory Page Physical Page Byte VIDAS
<strong>CanSecWest</strong>2007 29 PoC: FileTime • 100 nanosecond intervals since 1601 • vs UNIX 1 second intervals since 1970 • and it’s a 64 bit value, stored as two 32 bit values, each lil endian • # Filetime conversions • # FFFFFF00 00000000 = under 1.5 seconds • # 00000001 00000000 = under 1.5 seconds • # 00000010 00000000 = about 26 seconds • # 00000000 01000000 = about 7:09 • # 00000000 10000000 = about 1:51:31 • # 00000000 00010000 = about 1 day 6:32:31 • # 00000000 00100000 = about 21 days 8:40:18 • # 00000000 00000100 = about 11 months 22 days 18:44:57 • # 00000000 00001000 = about 14 years 3 months 10 months 11:59:22 • # 00000000 00000001 = about 228 years 5 months 5 days 23:50:03 • # 00000000 00000010 = about 6353 years 6 months 18 days 21:21:00 VIDAS
Page 1 and 2: CanSecWest2007 Post-Mortem RAM Fore
Page 3 and 4: CanSecWest2007 3 NUCIA (obligatory
Page 5 and 6: CanSecWest2007 5 Evidence Volatilit
Page 7 and 8: CanSecWest2007 7 • Live System Cu
Page 9 and 10: CanSecWest2007 9 • Windows How to
Page 11 and 12: T = 0: “Pre” state T = 1: copy
Page 13 and 14: CanSecWest2007 13 Impact • If a f
Page 15 and 16: CanSecWest2007 15 The caveat • Mi
Page 17 and 18: CanSecWest2007 17 Current Analysis
Page 19 and 20: CanSecWest2007 19 Proof of Concept
Page 21 and 22: CanSecWest2007 21 EPROCESS • The
Page 23 and 24: CanSecWest2007 23 …and smells lik
Page 25 and 26: CanSecWest2007 25 Cross Volatility
Page 27: CanSecWest2007 27 PoC: Virtual Addr
Page 31 and 32: CanSecWest2007 31 • Create Images
Page 33 and 34: CanSecWest2007 33 PoC: Demo • On
Page 35 and 36: CanSecWest2007 35 PoC: Demo • SO
Page 37 and 38: CanSecWest2007 37 Future work (proc
Page 39 and 40: CanSecWest2007 39 Future work (memo
Page 41 and 42: CanSecWest2007 41 Food for thought:
Page 43 and 44: CanSecWest2007 43 Question #1 from
Page 45: CanSecWest2007 45 Cited • Windows

Post-Mortem RAM Forensics - CanSecWest

Create successful ePaper yourself

Delete template?

Save as template?