Artwork

Inhoud geleverd door Black Hat and Jeff Moss. Alle podcastinhoud, inclusief afleveringen, afbeeldingen en podcastbeschrijvingen, wordt rechtstreeks geüpload en geleverd door Black Hat and Jeff Moss of hun podcastplatformpartner. Als u denkt dat iemand uw auteursrechtelijk beschermde werk zonder uw toestemming gebruikt, kunt u het hier beschreven proces https://nl.player.fm/legal volgen.
Player FM - Podcast-app
Ga offline met de app Player FM !

Darren Bilby: Defeating Windows Forensic Analysis in the Kernel (Japanese)

55:26
 
Delen
 

Manage episode 152728406 series 1069451
Inhoud geleverd door Black Hat and Jeff Moss. Alle podcastinhoud, inclusief afleveringen, afbeeldingen en podcastbeschrijvingen, wordt rechtstreeks geüpload en geleverd door Black Hat and Jeff Moss of hun podcastplatformpartner. Als u denkt dat iemand uw auteursrechtelijk beschermde werk zonder uw toestemming gebruikt, kunt u het hier beschreven proces https://nl.player.fm/legal volgen.
"It is 4pm on a Friday, beer o'clock. You're just eyeing up your first beer and thinking about where the fish will be biting tomorrow. The phone rings, something "funny" is happening on a client's web server. A lot of money passes through the server and it looks like it could be serious. IDS on the network picked up a crypted command shell heading outbound from the server. You break out the security incident response manual and head to the scene. Being the process oriented and reliable chap you are, you load up your forensic toolkit and take forensic copies of current memory and disk. You kick off your tools to analyse the forensic copies you've taken, nothing. All the processes are good, no apparent hooks, all hashes match verifiable sources. You check the forensic copying process, it worked perfectly. What have you missed? How could it not be in memory or on disk? Someone is playing you for a fool, and it's probably someone in kernel land. Your forensic image has been faked, and yet any court in the country would accept your process as sound. This talk will be a low level talk aimed at forensic analysts, investigators, prosecutors and administrators. It will show new techniques and a previously unreleased working implementation called DDefy which anyone involved in forensic analysis should be aware of. The demonstration will show defeating live forensic disk and memory analysis on Windows systems exposing fundamental flaws in popular forensic tools. Attendees should preferably have an understanding of the live forensics process and some background in modern rootkit technologies. Knowledge of NTFS internals will also aid in understanding."
  continue reading

15 afleveringen

Artwork
iconDelen
 
Manage episode 152728406 series 1069451
Inhoud geleverd door Black Hat and Jeff Moss. Alle podcastinhoud, inclusief afleveringen, afbeeldingen en podcastbeschrijvingen, wordt rechtstreeks geüpload en geleverd door Black Hat and Jeff Moss of hun podcastplatformpartner. Als u denkt dat iemand uw auteursrechtelijk beschermde werk zonder uw toestemming gebruikt, kunt u het hier beschreven proces https://nl.player.fm/legal volgen.
"It is 4pm on a Friday, beer o'clock. You're just eyeing up your first beer and thinking about where the fish will be biting tomorrow. The phone rings, something "funny" is happening on a client's web server. A lot of money passes through the server and it looks like it could be serious. IDS on the network picked up a crypted command shell heading outbound from the server. You break out the security incident response manual and head to the scene. Being the process oriented and reliable chap you are, you load up your forensic toolkit and take forensic copies of current memory and disk. You kick off your tools to analyse the forensic copies you've taken, nothing. All the processes are good, no apparent hooks, all hashes match verifiable sources. You check the forensic copying process, it worked perfectly. What have you missed? How could it not be in memory or on disk? Someone is playing you for a fool, and it's probably someone in kernel land. Your forensic image has been faked, and yet any court in the country would accept your process as sound. This talk will be a low level talk aimed at forensic analysts, investigators, prosecutors and administrators. It will show new techniques and a previously unreleased working implementation called DDefy which anyone involved in forensic analysis should be aware of. The demonstration will show defeating live forensic disk and memory analysis on Windows systems exposing fundamental flaws in popular forensic tools. Attendees should preferably have an understanding of the live forensics process and some background in modern rootkit technologies. Knowledge of NTFS internals will also aid in understanding."
  continue reading

15 afleveringen

Alle afleveringen

×
 
Loading …

Welkom op Player FM!

Player FM scant het web op podcasts van hoge kwaliteit waarvan u nu kunt genieten. Het is de beste podcast-app en werkt op Android, iPhone en internet. Aanmelden om abonnementen op verschillende apparaten te synchroniseren.

 

Korte handleiding