January 24, 2006 - Information in Unusual Places
by Jeff Moss
I agree with Mariusz Burdach when he says that volatile memory analysis will be used more often in the future to find evidence. This is often the only place where advanced code resides. At Black Hat Federal he will release two tools to analyze Windows and Linux memory images, which is a great step forward in the effort to bring these techniques to a wider audience.
Looking at another unusual place to find information, Simson Garfinkel recently completed methodical research regarding recovering data from pre-owned hard drives. With 210 million drives being ‘retired’ this year, the magnitude of the data sanitization problem is growing. Simson found governments, corporations, and private individuals who had inadvertently leaked extremely sensitive information. He also realized that the existing disk forensic tools and methodologies are inadequate for large-scale investigations, so along the way Simson created AFF and tools to support its use.
Finding Digital Evidence in Physical Memory
by Mariusz Burdach posted January 24, 2006
Historically, only file systems were considered as storage where evidence could be found. But what about the volatile memory that contains a huge amount of useful information? Why not dump the content of the memory during data collection from a suspicious computer? How do you analyze the physical memory? Is it possible? I will try to find the answer.
During various forensics presentations, everyone has surely seen the movies about the methods used by the police to secure suspicious computers. In the first step, they remove power from the PC and then take care of the machine. It is a very easy task, isn't it? But all volatile data, and also potential evidence, is lost.
I started to look for documents about methods of acquisition and analysis of the volatile memory. But little or no information about this subject is available in specialized books or on the internet.
Some methodologies can be found in many incident response guides. These guides describe toolkits that help investigators collect some data from a compromised machine. But these methods have several disadvantages and are rather useless in serious cases. The ideal solution is dumping the content of the whole memory in one step and then starting an offline image investigation. I decided to start my investigation with Linux memory images, mostly because all memory structures are well described and the source code is easily available ;).
Next, I moved to the Windows operating system, which is challenging. But even in this case a lot of interesting information can be extracted from a Windows memory image. Moreover, the research gave me some ideas for detecting processes hidden by tools such as rootkits.
All the detailed information mentioned in this blog is well documented in my papers "Digital forensics of the physical memory" and "An Introduction to Windows memory forensics", which are available at http://forensic.secure.net, and in my article for SecurityFocus.
500 Hard Drives
by Simson Garfinkel posted January 24, 2006
Simson Garfinkel has purchased 500 hard drives on eBay and analyzed them to learn interesting things about their previous owners. He gave a presentation of his tools and techniques. Amazing.
You can download the tools from http://www.afflib.org/
Disinfecting Your Phone Without Lysol?
I suggest securing your smart phone before attending Black Hat Federal next week or any other time you go out. Sophisticated attackers are now starting to concentrate on mobile platforms. We will soon see attacks going from primitive to advanced, especially considering almost all “important” people now own a smart phone.
Post-Exploit Automation
I’m in. Now what? spoonm and company originally built a framework to research and automate advanced exploit techniques. Over time, they realized that the framework could go far beyond just the initial entrance vectors. At Black Hat Federal, spoonm and skape will talk about their new work advancing the state of the art in automated payload delivery. Watching them hide a VNC server inside your running text editor or the LSA service is pretty cool and scary at the same time.
The Black Page is always looking for concise and interesting comments from researchers and experts about issues that affect the security community. Contact us here to learn more about submission rules.