Re: Memory, Elephantine

[Nick Petroni <npetroni () cs umd edu>]

While on the topic of memory forensics, the Python enthusiasts in
the crowd may be interested in a new extensible research framework for
analyzing volatile memory images that we will be releasing at an upcoming
(yet to be determined) venue.

For more information, check out: http://www.4tphi.net/fatkit/

peace,
nick


On Fri, 3 Mar 2006, Dave Aitel wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> I think it's interesting that Maniant (aka RedCliff) released a memory
> forensics tool recently (http://www.mandiant.com/features.htm) - this
> is also something we see people doing a lot more with CANVAS these
> days. The main benefits of using an exploitation framework for such
> things is that:
> 1. We can use the same exploitation path an attacker would use to
> obtain access to the machine. This means we're completely in memory
> and haven't messed up the disk at all. (Or we can remotely install as
> a service, copy a file over, whatever.)
> 2. You get the power of MOSDEF for doing the hard work...i.e. you can
> inject into processes, grab all the memory on the system from every
> process, etc.
>
> Of course, the downside is that you have to use MOSDEF to do the hard
> work. :>
>
> The other side of the story is that as an exploitation framework, you
> now need to clean/encrypt memory up as you go along. And you can do
> "remote forensics" as you go - I can look at other processes and see
> if someone else is also using CANVAS or anything similar on this box...
>
> - -dave
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.1 (GNU/Linux)
> Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
>
> iD8DBQFECH9pB8JNm+PA+iURAvJpAJ48qV13TcPpRiFXXu1yWCsffoQxpQCcDOBf
> 37ykn9FpdVIJbVClewwiKLo=
> =lYqp
> -----END PGP SIGNATURE-----