Dailydave mailing list archives

Memory, Elephantine


From: Dave Aitel <dave () immunityinc com>
Date: Fri, 03 Mar 2006 12:39:53 -0500

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I think it's interesting that Mandiant (aka RedCliff) released a memory
forensics tool recently (http://www.mandiant.com/features.htm) - this
is also something we see people doing a lot more with CANVAS these
days. The main benefits of using an exploitation framework for such
things are that:
1. We can use the same exploitation path an attacker would use to
obtain access to the machine. This means we're completely in memory
and haven't messed up the disk at all. (Or we can remotely install as
a service, copy a file over, whatever.)
2. You get the power of MOSDEF for doing the hard work...i.e. you can
inject into processes, grab all the memory on the system from every
process, etc.

Of course, the downside is that you have to use MOSDEF to do the hard
work. :>

The other side of the story is that as an exploitation framework, you
now need to clean/encrypt memory up as you go along. And you can do
"remote forensics" as you go - I can look at other processes and see
if someone else is also using CANVAS or anything similar on this box...

- -dave

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iD8DBQFECH9pB8JNm+PA+iURAvJpAJ48qV13TcPpRiFXXu1yWCsffoQxpQCcDOBf
37ykn9FpdVIJbVClewwiKLo=
=lYqp
-----END PGP SIGNATURE-----

