There are some interesting events coming up this summer (and beyond) that I wanted to point out to folks...
DFRWS is this summer (11-13 Aug), but the Open Memory Forensics Workshop (OMFW) will be held just prior (info here, update here). OMFW looks like a great opportunity...it's a half-day event, but looking at the list of speakers and panelists...wow! If you haven't already, grab books off of your bookshelf (I *know* most of you recognize author names...) and get your copies signed! OMFW is brought to you by the letters M and S, and these guys.
If anything, this really shows how the interest in analysis of physical memory is really picking up. More than anything, I'd have to say that the interest is really been driven by the guys over at Volatile Systems, along with a host of other names. There is a great deal of extremely valuable information available in physical memory (RAM), and these guys are leading the way in showing us what's there, and providing tools for getting at it and making it available, but more importantly, useful to analysts.
As a side note, if you look around the community/industry, there is a big piece that's missing right now...collection. That's right...there are open source and commercial tools (from Mandiant and HBGary...and HBGary is apparently partnering with GSI) that provide the ability to parse, comb through and analyze a physical memory dump, but very few that provide the ability to extract the contents of RAM from Windows 2003 SP1 and above (e.g., Vista, Win2K8) systems. I even received an email from a friend at MS yesterday asking me if I knew of any such tools. One would naturally assume that we'd eventually see such a tool from MS/SysInternals. One way to go about changing this...buy more F-Response!
Note: Paraben is having an Innovations Conference in Utah in Nov, 2008. They also let you vote for a company or product that you feel is most innovative for 2008...I voted for F-Response.
Okay, back on track...what was I talking about? Oh, yeah...
Looking at the program for DFRWS 2008...yet another impressive line-up. I'm hoping to go...working for a large corporate (think "glacial") entity (think Borg cube), these requests are always in limbo. However, I'm very interested in Timothy Morgan's talk, as well as a couple of others. It also looks as if some of the speakers from OMFW are going to be on deck for DFRWS, as well. Maybe a good opportunity to ply familiar faces and famous names with some of the locally brewed beverages.
Interestingly enough, the local RCFG conference (which overlaps with DFRWS this year) has been cancelled. That's too bad...this conference is held on the GMU campus and for the most part is a nice, smaller conference. However, with the right leadership, it has the potential to really be a premier conference...not just for local LE, but in general. In fact, an interesting thought would be that since some folks are going to be in the area anyway, talking about the same topic...
Also, in Jan 2009, there is the DoD CyberCrime Conference...Jesse mentioned the CfP here. It's too early to list the speakers, but I had an opportunity to visit the conference in 2007 and it was a good one...lots of attendees, lots of events, lots of really great speakers.
5 comments:
You can't discuss physical memory acquisition and not mention George M. Garner's KNTTools! George has a very robust solution, probably one of the best out there. It is a stable and mature product, unlike other companies that were mentioned, who are new kids on the block.
Well, I wasn't going to discuss it in this post, but you're quite correct...George M. Garner Jr's knttools is one of the only solutions available right now for retrieving a memory dump from Windows Vista systems.
Love your work and I find your information from a beginners side of the fence :P very easy to digest. But the acronyms in this post had my head spinning so badly I bumped my head on the keyboard. *_*
Odd...all of the acronyms have links at one point or another.
Just be glad that this wasn't a post about the USN...those guys are acronym happy! =)
Thanks for informing me about OMFW and Volatility. DFRWS has been in my plans, now I plan to goto OMFW and I'm interested in Volatility!
Post a Comment