Post-Mortem RAM Forensics - CanSecWest

More documents

Recommendations

Info

CanSecWest2007 42 Google starters (in no real order) • PhysicalMemory object • MyFip.H • Fanbot.A • DKom • Hacker Defender • Shadow Walker • EProcess • The artist formerly called Sysinternals (process explorer for starters) • “Blue Pill” + rootkit • UPX • Packer • Sony Rootkit • RAIDE • TRUMAN • Shimmer.a • Tim Vidas ☺ • Mariusz Burdach • Jesse Kornblum • Andreas Schuster • Aaron Walters • Nick Petroni • Harlan Carvey • ProcLoc • Volatools • WMFT • PTFinder • LSPI • Memparse VIDAS
CanSecWest2007 43 Question #1 from the Audience • So how do you recommend that I implement RAM into my investigations? – Officially I’m probably not supposed to answer that • The whole I’m not a lawyer and don’t play one on TV thing • The whole I’m an Academic not a practitioner thing – That said: If the situation allows, maybe the best way is to: • arrive on scene • get ready (BIOS cheat sheet, dd on bootable CD) • pull plug *** • plug back in immediately *** • boot to CD • copy RAM • image disk as normal • take both back with you ***Or maybe it’s via dd on a USB mass storage – copy w/o unplugging, time / results VIDAS will tell
Page 1 and 2: CanSecWest2007 Post-Mortem RAM Fore
Page 3 and 4: CanSecWest2007 3 NUCIA (obligatory
Page 5 and 6: CanSecWest2007 5 Evidence Volatilit
Page 7 and 8: CanSecWest2007 7 • Live System Cu
Page 9 and 10: CanSecWest2007 9 • Windows How to
Page 11 and 12: T = 0: “Pre” state T = 1: copy
Page 13 and 14: CanSecWest2007 13 Impact • If a f
Page 15 and 16: CanSecWest2007 15 The caveat • Mi
Page 17 and 18: CanSecWest2007 17 Current Analysis
Page 19 and 20: CanSecWest2007 19 Proof of Concept
Page 21 and 22: CanSecWest2007 21 EPROCESS • The
Page 23 and 24: CanSecWest2007 23 …and smells lik
Page 25 and 26: CanSecWest2007 25 Cross Volatility
Page 27 and 28: CanSecWest2007 27 PoC: Virtual Addr
Page 29 and 30: CanSecWest2007 29 PoC: FileTime •
Page 31 and 32: CanSecWest2007 31 • Create Images
Page 33 and 34: CanSecWest2007 33 PoC: Demo • On
Page 35 and 36: CanSecWest2007 35 PoC: Demo • SO
Page 37 and 38: CanSecWest2007 37 Future work (proc
Page 39 and 40: CanSecWest2007 39 Future work (memo
Page 41: CanSecWest2007 41 Food for thought:
Page 45: CanSecWest2007 45 Cited • Windows

Post-Mortem RAM Forensics - CanSecWest

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?