Hi everybody,
Jun asked me about a paper I wrote, on which Harlan's tools were
based. Although I can't send out the full paper, I can show you a
slide from my talk at the 2007 DoD Cyber Crime Conference
at http://jessekornblum.com/tmp/determine-os.pdf.
The slide shows how you can use the spaces between known values, in
this case between the EPROCESS header and the name of the process, to
identify what OS you're working with.
For the record, Volatility looks at each process's PEB, IIRC, which in
turn contains a string naming the Service Pack number. The framework
records how many processes indicate which string (e.g. 7 say "Service
Pack 2" and 2 say (null)). The string encountered the most times is
displayed.
cheers,
--
Jesse
jessek(a)speakeasy.net
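The two techniques described in the message above, as an added example that is not Jesse's code, not the code behind the slide, and not Volatility's own implementation: the "gap between known values" check measures the distance from a header signature to a process name and maps that distance to an OS, and the per-process vote tallies service-pack strings and keeps the most common one. The header signature, the gap-to-OS table and the sample memory image are all constructed for illustration and are not the real Windows structure offsets or the values on the slide.

```python
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Hypothetical stand-in for the bytes that start an EPROCESS header.  The real
# header differs between OS versions, which is what the gap technique relies on.
HEADER_SIG = b"\x03\x00\x1b\x00"

# Hypothetical gap -> OS table.  The real per-OS distances are on the slide
# referenced in the message and are deliberately NOT reproduced here.
GAP_TO_OS: Dict[int, str] = {
    0x174: "OS-A (hypothetical)",
    0x1FC: "OS-B (hypothetical)",
}


def measure_gaps(buf: bytes, header_sig: bytes, name: bytes, window: int = 0x400) -> List[int]:
    """For every header-signature hit, return the distance to the first copy of
    `name` within `window` bytes after it.  Hits with no name in range are
    dropped (false-positive signature matches in unrelated memory)."""
    gaps: List[int] = []
    pos = buf.find(header_sig)
    while pos != -1:
        n = buf.find(name, pos + len(header_sig), pos + window)
        if n != -1:
            gaps.append(n - pos)
        pos = buf.find(header_sig, pos + 1)
    return gaps


def identify_os_by_gap(buf: bytes, header_sig: bytes = HEADER_SIG,
                       name: bytes = b"System\x00",
                       table: Dict[int, str] = GAP_TO_OS) -> Optional[str]:
    """Key on a process that always exists ("System"), measure the header-to-name
    gap at each hit, and return the OS for the most frequently seen known gap."""
    known = [g for g in measure_gaps(buf, header_sig, name) if g in table]
    if not known:
        return None
    gap, _ = Counter(known).most_common(1)[0]
    return table[gap]


def vote_service_pack(csd_versions: List[Optional[str]]) -> Tuple[str, Counter]:
    """Tally one CSDVersion-style string per process, treating a missing or
    empty value as "(null)", and return the winner plus the full tally."""
    tally = Counter("(null)" if v in (None, "") else v for v in csd_versions)
    winner, _ = tally.most_common(1)[0]
    return winner, tally


def build_sample_image() -> bytes:
    """Constructed sample memory: two 'System' records with the same gap, one
    record for a different process, and one stray header with no name nearby."""
    buf = bytearray(0x2000)

    def place(off: int, gap: int, name: bytes) -> None:
        buf[off:off + len(HEADER_SIG)] = HEADER_SIG
        buf[off + gap:off + gap + len(name)] = name

    place(0x100, 0x174, b"System\x00")
    place(0x500, 0x174, b"System\x00")    # second hit, same gap: reinforces the vote
    place(0x900, 0x1FC, b"smss.exe\x00")  # not the process we key on; ignored
    buf[0xD00:0xD00 + len(HEADER_SIG)] = HEADER_SIG  # stray signature, no name
    return bytes(buf)


if __name__ == "__main__":
    img = build_sample_image()
    print("gaps:", [hex(g) for g in measure_gaps(img, HEADER_SIG, b"System\x00")])
    print("os:", identify_os_by_gap(img))
    # Seven processes say "Service Pack 2", two have no string, as in the message.
    print("sp:", vote_service_pack(["Service Pack 2"] * 7 + [None] * 2))
```

Both checks are majority votes, so a handful of stale or partially overwritten process blocks in an image does not flip the answer; the `window` bound keeps a lone false-positive signature hit from pairing with a name that belongs to some other structure.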