Hi George,
Nice find, thanks for posting. What ever happened to Tribble?
A few things appear to be missing: virtualisation and "cold boot".
The greatest challenge is the ability to acquire physical memory remotely or within a
sensible time. A certain amount of preparedness is required, which is sadly lacking when it
comes to system hardening.
Jon.
________________________________
From: George M. Garner Jr. <ggarner_online(a)gmgsystemsinc.com>
To: vol-users(a)volatilityfoundation.org
Sent: Saturday, December 29, 2012 8:13 PM
Subject: [Vol-users] 29c3 defeating windows memory forensics
This paper may be of interest to the list:
http://events.ccc.de/congress/2012/Fahrplan/attachments/2231_Defeating%20Wi….
It is nice to see someone looking critically at the subject matter, even if in an
over-simplistic manner. The gist of the article is that you can easily scrub evidence
from a memory dump as it is being written (in plain text) to disk or to the net. Duh!
A few comments on the author's conclusions:
1. Acquisition tools should utilize drivers correctly!
Duh!
2. Use hardware acquisition tools, e.g. firewire.
However, hardware-based acquisition also can be defeated. At a minimum you can program an
upper limit on the memory address that the firewire is allowed to access and then place
your rootkit above that address. Most new computer systems have more than 4 GiB of memory
nowadays.
3. Use crash dumps (native!) instead of raw dumps.
Should maybe introduce the author to all those rootkits (e.g. Sinowal) that remove
themselves from the crash dump as it is being written.
4. Perform anti-rootkit scanning before acquisition?
Easier said than done. Just ask A/V industry.
5. Live forensics is inherently insecure!
Duh! The real question is not whether or not you can cheat memory acquisition software. It
is whether you can cheat memory acquisition software and have no one know about it.
Knowing that a system is infected is 90% of the battle, even if you don't know how.
Once I know that a system is infected I will find the rootkit.
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilesystems.com/mailman/listinfo/vol-users
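The cross-acquisition check that George's points 2 and 5 argue for, written out as an added example (it is not part of either message in the thread and not Volatility code): compare a software acquisition against an independent one (here a DMA/firewire image) page by page, flag pages that are zero in one image but not in the other, and report the physical range that a DMA acquisition capped at an upper address never reached. The "physical memory", the three acquisitions and the memory map are all constructed inside the block; the 4 KiB page size and a raw 1:1 image layout (file offset equals physical address) are assumptions.

```python
"""Cross-checking independent acquisitions of the same physical memory.

Constructed example: a small synthetic "physical memory" is acquired in
three ways, and the checks report pages that differ between acquisitions,
pages that are entirely zero, and physical ranges an acquisition never reached.
"""
import hashlib
from typing import Dict, List, Tuple

PAGE_SIZE = 4096  # assumed page granularity for the comparison


def page_digests(image: bytes) -> List[str]:
    """SHA-256 of every page of a raw image; a short final page is hashed as-is."""
    return [hashlib.sha256(image[off:off + PAGE_SIZE]).hexdigest()
            for off in range(0, len(image), PAGE_SIZE)]


def differing_pages(image_a: bytes, image_b: bytes) -> List[int]:
    """Page numbers whose contents differ between two acquisitions.

    Pages present in only one image count as differing. Some churn is normal
    on a live system (scheduler data, timers), so the interesting hits are in
    regions that should be stable: kernel code, driver images, module lists.
    """
    da, db = page_digests(image_a), page_digests(image_b)
    return [i for i in range(max(len(da), len(db)))
            if i >= len(da) or i >= len(db) or da[i] != db[i]]


def zero_pages(image: bytes) -> List[int]:
    """Page numbers that are entirely zero.

    Free pages are legitimately zero, so this is a candidate list, not a
    verdict: a page that is zero here but non-zero in an independent
    acquisition is the suspicious case.
    """
    return [off // PAGE_SIZE for off in range(0, len(image), PAGE_SIZE)
            if not any(image[off:off + PAGE_SIZE])]


def uncovered_ranges(image_len: int,
                     memory_map: List[Tuple[int, int]]) -> List[Tuple[int, int]]:
    """Physical ranges the firmware map reports as RAM that the image never reaches.

    Assumes a raw 1:1 image (file offset == physical address) and a memory map
    given as [start, end) pairs, e.g. taken from the E820/UEFI memory map.
    """
    return [(max(start, image_len), end) for start, end in memory_map
            if end > image_len]


def build_samples() -> Dict[str, bytes]:
    """Constructed data, not taken from any real system.

    'truth'    : 8 pages; page i is filled with byte i+1, except page 2,
                 which is a legitimately free (zero) page.
    'software' : a software acquisition in which a hypothetical rootkit
                 zeroed page 5 as it was being written out.
    'firewire' : a DMA acquisition capped at 6 pages, mimicking an upper
                 address limit imposed on the firewire controller.
    """
    pages = [bytes(PAGE_SIZE) if i == 2 else bytes([i + 1]) * PAGE_SIZE
             for i in range(8)]
    truth = b"".join(pages)
    software = bytearray(truth)
    software[5 * PAGE_SIZE:6 * PAGE_SIZE] = bytes(PAGE_SIZE)  # the scrub
    firewire = truth[:6 * PAGE_SIZE]                          # the address cap
    return {"truth": truth, "software": bytes(software), "firewire": firewire}


def report(samples: Dict[str, bytes],
           memory_map: List[Tuple[int, int]]) -> Dict[str, object]:
    """Run every check of the software image against the DMA image and the map."""
    sw, fw = samples["software"], samples["firewire"]
    fw_pages = len(fw) // PAGE_SIZE
    zero_sw, zero_fw = zero_pages(sw), zero_pages(fw)
    return {
        "differ_sw_vs_fw": differing_pages(sw, fw),
        "zero_in_sw": zero_sw,
        "zero_in_fw": zero_fw,
        # zero in the software image, non-zero in the DMA image: scrub candidate
        "scrub_candidates": [p for p in zero_sw
                             if p < fw_pages and p not in zero_fw],
        "fw_uncovered": uncovered_ranges(len(fw), memory_map),
    }


if __name__ == "__main__":
    for key, value in report(build_samples(), [(0, 8 * PAGE_SIZE)]).items():
        print(f"{key}: {value}")
```

The point of the page-level diff is George's "have no one know about it": a scrub that is invisible in one image is visible as a disagreement between two, and a capped DMA read shows up as RAM the memory map says exists but the image never reached. On a real system replace the constructed images with two raw acquisitions and the map with the machine's own E820/UEFI ranges, and expect a baseline of differing pages from normal activity.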