Comments on Windows Incident Response: Book Review: "The Art of Memory Forensics"

H. Carvey, 2014-08-31 06:17 (-05:00):

Thorsten,

Maybe you just need to be patient. I know that several of the Volatility team were in Australia recently, teaching for a week. Teaching can be arduous, if not exhausting...couple that with the flights to and from Australia, and I would bet that they're recovering. I remember going to Singapore a couple of years ago, and spent 15 hrs in one seat.

Two days ago was Friday here on the East Coast of the US...give the Volatility folks some time to get back and get settled and rested.

Anonymous, 2014-08-31 06:13 (-05:00):

Hi Harlan,

my sources are

http://download.microsoft.com/download/9/9/4/994592CB-C248-464F-93A6-A50E339BE19B/Windows%208%20Security%20-%20ASLR.pdf

and

http://digital-forensics.sans.org/blog/2014/02/17/malware-analysis-and-aslr-on-windows-8-1

I brought this up to the Volatility Foundation two days ago, but didn't get any answer yet.

H. Carvey, 2014-08-31 05:50 (-05:00):

Thorsten,

> Do you know if this is so?

No, I don't. Do you have a link or some reference? Have you brought this up with the good folks over at the Volatility Foundation?

Anonymous, 2014-08-31 05:17 (-05:00):

Hello,

I read that on Windows 8 ASLR can be disabled in HKLM\SYSTEM\CurrentControlSet\SessionManager\MemoryManagement with insertion of the new key MoveImages and the value of 0.

On Windows 8.1 there is MemoryManagement in Registry Key:

HKLM\CurrentControlSet\Control\SessionManager\Memory Management.

Then I read on another site that on Windows 8.1 disabling of ASLR is not possible.

Do you know if this is so?

I tried to do the same on Windows 8.1 but it doesn't work.

Thanks and many greetings,

Thorsten Kaufmann

Joachim Metz, 2014-08-18 13:20 (-05:00):

> if an analyst were validating their findings,
> they wouldn't copy it directly into a court report without validating the information first.

So then the question becomes what if an "authoritative source", e.g. a forensics book, says you should interpret your findings in a certain way. And you've been taught your findings should be interpreted in the same way. And what if a large part of the forensics community gives their public support to the book. Why not just assume the book is correct, since "THE top minds in the field" are saying so.

In this case there are sources that contradict the book, and you as an analyst can find out about them. But what if there are none?

> the only other "option" anyone could come away with is to invalidate
> the current edition of the book and wait for the revised edition.

Not sure I'd reason in such absolute terms as "only"; it is quibbling about semantics. I think the point is clear. If you're serious about reading this book, wait until it has been scrutinized more.

H. Carvey, 2014-08-18 12:22 (-05:00):

> ...not sure how you derived that.

Pretty simply, actually. You'd said, "...and my option of the book, wait for the errata or the revised version." Given that you had submitted the errata already (which was already available), the only other "option" anyone could come away with is to invalidate the current edition of the book and wait for the revised edition.

I think that it is also interesting that you'd say, "What if someone copied this and it ended up in a court report? What if this book is used as course material and people are taught incorrect?", and then shortly thereafter say, "...show that forensics is about validating your findings."

I completely agree with your last statement, but I would think that it would obviate the first two...if an analyst were validating their findings, they wouldn't copy it directly into a court report without validating the information first.

Joachim Metz, 2014-08-18 11:55 (-05:00):

The error made is, from the perspective of digital forensics, so fundamentally incorrect it does not suit to be in a "forensic" book.

Questioning the validity of the book is not the same as "invalidate the book"; not sure how you derived that. My statement is that one is better off for it to be reviewed a bit more, especially from the forensic point of view.

What if someone copied this and it ended up in a court report?
What if this book is used as course material and people are taught incorrect?

You mentioned before that we as a community should take responsibility for mentoring/educating the next generation of DFIR specialists. Let's make sure we do that correctly, and show that forensics is about validating your findings.

H. Carvey, 2014-08-18 10:23 (-05:00):

Joachim,

I'm at a bit of a loss here...how does the errata listed at http://downloads.artofmemoryforensics.com/errata.txt invalidate the entire book?

You suggested in your first comment that folks wait for the corrected book to come out...I'm a bit unclear as to how just those items listed in the errata.txt file would invalidate the book...

Joachim Metz, 2014-08-18 01:59 (-05:00):

Luckily the authors are quick to put an errata online: http://downloads.artofmemoryforensics.com/errata.txt

But seeing I did not read it with detailed attention, I wonder how many more of these are in there.

Joachim Metz, 2014-08-17 23:32 (-05:00):

E.g. have a look at http://wiki.sleuthkit.org/index.php?title=Mactime_output and the same section in the book explaining the mactime output. Tell me what is wrong in the book and tell me why this mistake is problematic in a book with "forensics" in the title.

Andrew Case, 2014-08-17 20:44 (-05:00):

@bosti:

2.4 can be downloaded from here:

http://www.volatilityfoundation.org/#!24/c12wa

and the Github repo is here:

https://github.com/volatilityfoundation/volatility

@joachim:

The errata you found is already posted on the book's page:

http://www.memoryanalysis.net/#!amf/cmg5

http://downloads.artofmemoryforensics.com/errata.txt

H. Carvey, 2014-08-17 20:06 (-05:00):

Joachim,

Can you elaborate?

Joachim Metz, 2014-08-17 04:29 (-05:00):

I had a quick read of the content and my option of the book, wait for the errata or the revised version.

There are errors in the current version of the book that should not be made by "THE top minds in the field".

Anonymous, 2014-08-02 05:00 (-05:00):

Hello! Can you help me please, I am working with volatility and can't find ver. 2.4 just released!
Thnx

Ken Pryor, 2014-08-01 18:24 (-05:00):

Nice review! I've been not so patiently awaiting my copy of the book and it finally arrived yesterday. I've only had time to read the introduction so far, but I have no doubt this will be a great learning experience.

mtju74, 2014-07-31 12:19 (-05:00):

Thanks for posting your review. I am going to order my copy now.