Rob Fuller, aka Mubix, of Room362.com joins us to expand on last week's discussion about the Cold Boot attacks. We cover retrieving memory from live systems, analysis with tools like volatility, and file recovery with foremost. Mubix calls it forensics for the gray hat.
Rob Fuller, aka Mubix of Room362.com joins us to expand on last weeks discussion about the cold boot attack.
This time we're imaging memory from live systems. Windows boxes specifically. I point out my favorite open source app win32dd, which allows retrieval of physical memory in a couple of methods. Mubix is a fan of ManTech's MDD. Both of these tools are capable of capturing memory on Windows 2003 SP1 (Vista+) and later machines. More tools can be found at the Forensics Wiki.
Once we've captured our memory it's time to run it through a few tools to extract the good bits. Last week we touched on AESKeyFinder and RSAKeyFinder as well as Strings. This week we're using the epic memory artifact extraction utility Volatility.
This gem allows us to see deep into what a Windows box was doing at time of memory capture, including running processes, open network connections, DLLs loaded for each process, registry handles, and more. The tool can even extract executables from memory. It's a nifty little cross platform tool that's worth a spin. If you're looking to get your feet wet you might want to try it against some example data, courtesy of the NIST.
Best of all, Volatility if a framework that supports third party scripts. One such target="_blank">plugin makes it pretty simple to extract the Windows SAM from a memory sample.
We also cover using foremsot, an excellent tool for recovering data from memory based on headers, footers and data structures. I can say from experience that using the
-t ALLoption on a dump of Mubix's memory that A TON of files are recovered, all nice and neat in their own folders based on extension. Thanks for the mem dump Mubix ;). If you don't have a capture of Mubix's memory you can find samples to play with Foremost at the Digital Forensics Tool Testing Images site.
We'll be back in studio next week with Matt. Of course be sure to send your feedback to feedback@hak5.org, post in the forums or respond in the comments.
And don't forget about our first ever official Hak5 Meetup at Busch Gardens Williamsburg on August 15th. Find all the details at hak5meetup.squarespace.com or RSVP on Facebook.
9 days ago
Employers want social media passwords, US gets a #CPO, and #TheOnion! All that and more this time on #ThreatWire! http://t.co/SrZpicvnt6
12 days ago
#Installing #Solar panels, #Google #Chrome #extensions, and more on @Hak5! http://t.co/QppYLgZpi5
12 days ago
Legalizing #Internet eavesdropping, #LivingSocial is #hacked, and more on this weeks #ThreatWire! http://t.co/xyIxzy8kes
12 days ago
@thescribe I didn't! They were disabled and enabled throughout the segment. Each one has a different icon. - @Snubs
12 days ago
@myraitnetwork thank you!
27 days ago
#PGP #Encrypt your email, back up your #Gmail Account with #Ubuntu, text #messaging your #WiFi #Pineapple On #Hak5! http://t.co/KSZeO4GEPU
