blogs

[EN] seccure blog: seccure.blogspot.com
[PL] CMP blog: www.compfort.pl/blog
projects

[Hidden] Memory Forensics Debugger Extension for Microsoft Debugging Tools - This extension for
WinDbg detects all hidden processes.

[WMFT] Windows Memory Forensic Toolkit - a collection of utilities intended for forensic use. WMFT
can be used to perform forensic analysis of physical memory images acquired from Windows
2000/2003/XP machines. There are two versions of the toolkit. The Windows version is written in C#
for .NET and can analyze memory images; it has additional functionality such as detecting hidden
objects. You can download this version from rootkit.com. A Linux-based version is also available.
It has limited functionality and only enumerates internal kernel structures such as _EPROCESS
blocks or driver objects. To configure WMFT it is necessary to manually locate the addresses of
some internal kernel objects, so hints and procedures are collected in the document
"An introduction to Windows memory forensics". The techniques used by WMFT are also discussed in
this "how-to" document. Additionally, I recommend the slides presented at the Black Hat
conferences.

[PROCENUM] Hidden Processes Detection - a small utility to enumerate all user-mode processes.
This tool uses a technique which relies on enumerating all page descriptors allocated by the
operating system. While enumerating, information about internal data structures is correlated in
order to find the structures of all active processes. This very generic method detects all
user-mode processes hidden by tools using various techniques such as patching code, modifying
function pointers or DKOM (Direct Kernel Object Manipulation).
A detailed description of the technique used by procenum can be found in chapter 8 of the
following document: "Digital forensics of the physical memory".

[IDETECT] Linux Memory Forensic Toolkit - helps digital investigators extract useful information
from a Linux memory image. The current version identifies the content of files that were mapped
into memory in the past. This toolkit also displays detailed information about each active process,
and any structure related to a selected process can be enumerated. Instead of working on a memory
image it is also possible to use this toolkit against a live system!
All necessary information about memory forensic analysis is available in the document
"Digital forensics of the physical memory".

[noname] Simple LKM-based rootkit - This basic rootkit was written for educational purposes only,
for the Hakin9 hardcover magazine. A detailed "how-to" article is available here (only the German
version of the article is available online :( ). The rootkit can be installed on 2.4.x kernel
releases. I advise reading my article about detecting kernel rootkits using the GNU gdb tool. The
techniques covered in this article will lead you through the process of comparing kernel memory
with the kernel image file (the kernel image file has to be trusted). The article
"Detecting rootkits and kernel-level compromises in Linux" was published by SecurityFocus in
November 2004.

materials::conferences

[*] "Black Hat USA", 2006, Las Vegas, Physical Memory Forensics (PDF), DEMO (ZIP)
[*] "Black Hat Federal", 2006, Washington, DC, Finding Digital Evidence in Physical Memory (PDF)
[*] "Innovations in Digital Forensic Practice", 2006, Washington, DC, Physical Memory Analysis (PDF)

2004-2009 forensic.seccure.net
mariusz . burdach @ seccure . net
digital investigation
http://forensic.seccure.net
Course Offerings

[] Digital Investigation Course - registration at the isecman website.
[] Windows Live Memory Forensics - more information here.