I'm headed to the DoD Cybercrime Conference in St. Louis, MO, next week. I'll be presenting at 0830 on Thursday morning. It turns out that there are a total of four presentations on Windows memory analysis at this conference. Wow. Had I known, I might have submitted on something else, like Registry analysis. The other presenters include Jesse Kornblum, Tom Goldsmith, and Tim Vidas. I'm sure that there will be some overlap, but I also think that this will be a very interesting conference.
Jesse was nice enough to set up a BoF/BYO on Memory Analysis on Thursday evening...swing by and say hi.
Addendum, 27 Jan: Okay, I'm back, safe and sound. I only regret that I did not get to spend as much time as I would have liked with the folks I met at the conference, but work called...
6 comments:
Very good presentation at St. Louis. Thanks for taking the time to put it together.
Matt,
Thanks. I hope it was helpful, and that someone finds that information in the presentation useful.
Thanks,
H
Hey Harlan, just to let you know your FSP has been mentioned in a book I've read.
The Forensics Server Project is another approach to automate the collection of volatile information from live systems. The Forensics Server Project uses many of the same utilities from Foundstone and Sysinternals but differs in that the utilities are tied together through Perl scripting rather than through Windows batch files. The Forensic Server Project Web site can be found at htt://patriot.net/~carvdawg/fsproj.html.
Investigators should remember that the tools used to create the volatile extraction toolkit, as well as those found in the Forensics Server Project, are freeware tools from a variety of sources that provide limited to no support. Many of the tools used provide full source code, allowing the investigator to enhance or modify the tool as needed.
Computer Evidence Collection and Preservation by Christopher L.T. Brown
A lot of the book just rehashes the same material found in other books, but if someone was just starting out and wanted to know more about the collection and preservation of digital evidence then I'd recommend this book.
Adam,
Thanks, I have a copy of that book myself.
Note that the location for the FSP is now on the SourceForge site. I don't maintain the PatriotNet site any longer, and found SourceForge to be a better site for this sort of thing.
Another thing...many of the tools that can be used by the FSP don't require any support.
Looking forward to your report from the conference...
Sorry, no report. Not long after my presentation, I had to take a customer call, and I was in my room on the phone all afternoon, and out the door, headed to the airport, the next morning. I did get to meet some great folks, particularly the first evening I was there, and I did make it to the BoF that Jesse set up, but I really didn't get to attend any of the presentations.