Jesse,
> at http://jessekornblum.com/tmp/determine-os.pdf. The slide shows how you
> can use the spaces between known values, in this case between the
> EPROCESS header and the name of the process, to identify what OS you're
> working with.
Hmm. The slide does not seem accessible. You may need to fix the
permissions. I'm sure the community would appreciate you submitting a
plugin to demonstrate the technique in practice (slideware->volware).
Would you care to comment on possible issues with this approach and
discuss techniques that can be used to address those issues? (i.e., can you
guarantee the spacing will change and uniquely identify an OS? What about
finding different EPROCESS objects with different spacings in memory? Is
this possible, and if so, why? Can this technique be used to determine the
Service Pack?) I believe there was also another presentation at
CyberCrime 2007 that used a similar technique. Maybe that presenter would
care to comment as well.
> For the record, Volatility looks at each process' PEB, IIRC, which in
> turn contains a string naming the Service Pack number. The framework
> records how many processes indicate which string (e.g. 7 say "Service
> Pack 2" and 2 say (null)). The string encountered the most times is
> displayed.
It's good to see people becoming familiar with the Volatility code. I'm
hoping that means we should be expecting more plugins. This was added to
provide an example of a technique that can be used to differentiate
between Service Packs, not Operating Systems. In data mining and
forensics, sampling is a very useful technique for dealing with anomalies.
In this case, we were sampling different processes, but it is a good idea
to leverage as many potential sources as possible to support your
conclusions.
Thanks,
AW
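The per-process sampling described in the thread (read a Service Pack string from each process's PEB, count how often each string appears, report the most common one) is small enough to show end to end. The block below is an added example, not Volatility's own code: the list of strings is constructed to match the "7 say Service Pack 2 and 2 say (null)" case from the message, and `None` stands in for a process whose PEB could not be read. It goes one step beyond the thread by reporting a confidence ratio, refusing to pick a winner on a tie, and pulling the numeric Service Pack level out of the winning string; those choices are the example's own.

```python
import re
from collections import Counter
from typing import Optional, Sequence, Tuple

# Constructed sample, not data from a real image: the CSDVersion-style string
# as read from each process's PEB. None = PEB unreadable for that process
# (the "(null)" case in the thread). 7 processes agree, 2 abstain.
SAMPLED_CSD_VERSIONS: Sequence[Optional[str]] = [
    "Service Pack 2", "Service Pack 2", "Service Pack 2", "Service Pack 2",
    "Service Pack 2", "Service Pack 2", "Service Pack 2", None, None,
]


def tally_service_packs(samples: Sequence[Optional[str]]) -> Counter:
    """Count how many sampled processes report each string.

    Unreadable PEBs are kept under the label "(null)" so the analyst can see
    how much of the sample abstained instead of silently dropping it.
    """
    return Counter("(null)" if s is None else s for s in samples)


def majority_service_pack(
    samples: Sequence[Optional[str]],
) -> Tuple[Optional[str], float]:
    """Return (winning string, confidence) using a simple majority vote.

    Confidence is the winner's share of *all* samples, abstentions included,
    so a result backed by few readable PEBs is visibly weak. A tie between
    the two leading strings is reported as None rather than guessed
    (assumption of this example; the thread only describes picking the most
    frequent string).
    """
    votes = Counter(s for s in samples if s is not None)
    if not votes:
        return None, 0.0
    ranked = votes.most_common(2)
    best, count = ranked[0]
    if len(ranked) > 1 and ranked[1][1] == count:
        return None, count / len(samples)  # ambiguous: two strings tied
    return best, count / len(samples)


def service_pack_number(csd_version: Optional[str]) -> Optional[int]:
    """Extract the numeric level from a "Service Pack N" string.

    Returns None for an empty/unreadable string or an unexpected format,
    leaving it to the analyst to corroborate from another source.
    """
    if not csd_version:
        return None
    match = re.fullmatch(r"Service Pack (\d+)", csd_version.strip())
    return int(match.group(1)) if match else None


if __name__ == "__main__":
    for label, n in tally_service_packs(SAMPLED_CSD_VERSIONS).most_common():
        print(f"{n:3d}  {label}")
    winner, confidence = majority_service_pack(SAMPLED_CSD_VERSIONS)
    print(f"majority: {winner!r}  confidence={confidence:.2f}  "
          f"level={service_pack_number(winner)}")
```

Run as a script it prints the tally and the majority result for the constructed sample; in practice the same vote would be fed with strings read from a memory image, and, as the message notes, combined with other indicators rather than trusted on its own.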