Post-Mortem RAM Forensics - CanSecWest

More documents

Recommendations

Info

CanSecWest2007 14 • systeminfo.exe • Psinfo • netstat, • date, • Time • psuptime, • net statistics • pulist, • tlist, • pslist, • listdllsdir, • afind, • macmatch, • autoruns, Minimize impact • handle, • pclipnet • users, • psloggedon, • ntlast, • Dumpusers • ipconfig, • fport, • psservice, • promiscdetect, • netstat, • nbstat, • net, • arp vs dd (or similar) …and the one on the right potentially has more information!! Nolan, O’Sullivan, Branson, Waits. First Responders Guide to Computer Forensics. Carnegie Mellon University 2005. VIDAS
CanSecWest2007 15 The caveat • Minimal impact is appealing, but the information is a requirement • In order to be acceptable, at least the same amount of information that is attainable via interaction, must be attainable via analysis of the copy of the volatile– Information gained: store FromImageFile >= Interactive Response – Impact to system: FromImageCreation
Page 1 and 2: CanSecWest2007 Post-Mortem RAM Fore
Page 3 and 4: CanSecWest2007 3 NUCIA (obligatory
Page 5 and 6: CanSecWest2007 5 Evidence Volatilit
Page 7 and 8: CanSecWest2007 7 • Live System Cu
Page 9 and 10: CanSecWest2007 9 • Windows How to
Page 11 and 12: T = 0: “Pre” state T = 1: copy
Page 13: CanSecWest2007 13 Impact • If a f
Page 17 and 18: CanSecWest2007 17 Current Analysis
Page 19 and 20: CanSecWest2007 19 Proof of Concept
Page 21 and 22: CanSecWest2007 21 EPROCESS • The
Page 23 and 24: CanSecWest2007 23 …and smells lik
Page 25 and 26: CanSecWest2007 25 Cross Volatility
Page 27 and 28: CanSecWest2007 27 PoC: Virtual Addr
Page 29 and 30: CanSecWest2007 29 PoC: FileTime •
Page 31 and 32: CanSecWest2007 31 • Create Images
Page 33 and 34: CanSecWest2007 33 PoC: Demo • On
Page 35 and 36: CanSecWest2007 35 PoC: Demo • SO
Page 37 and 38: CanSecWest2007 37 Future work (proc
Page 39 and 40: CanSecWest2007 39 Future work (memo
Page 41 and 42: CanSecWest2007 41 Food for thought:
Page 43 and 44: CanSecWest2007 43 Question #1 from
Page 45: CanSecWest2007 45 Cited • Windows

Post-Mortem RAM Forensics - CanSecWest

Create successful ePaper yourself

Delete template?

Save as template?