[ISN] New tool could help computer forensics move off the disk and into memory

From: InfoSec News <alerts_at_private>
Date: Thu, 30 Jul 2009 05:16:24 -0500 (CDT)
http://gcn.com/articles/2009/07/29/black-hat-briefings-memory-forensics.aspx

By William Jackson
GCN.com
July 29, 2009

LAS VEGAS - Tools such as Metasploit’s meterpreter for the automated 
delivery of stealthy payloads are making it more difficult for 
researchers to find out after the fact exactly what happened to an 
exploited computer.

Meterpreter lets an attacker load malicious code into a compromised 
computer's memory without writing it to disk, which is where traditional 
forensics tools look to find evidence of malicious activity.

“Meterpreter breaks all disk forensics,” said Peter Silberman, an 
engineer at Mandiant Inc. So researchers now are looking into memory for 
evidence of wrongdoing. “This is a new frontier in forensics analysis.”

Silberman and Stephen Davis, a Mandiant security consultant, 
demonstrated a new memory analysis tool Wednesday at the Black Hat 
Briefings security conference. By examining traces of memory that can 
remain resident on a computer for surprisingly long times, they can find 
evidence of malicious activity that is not visible elsewhere.
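As an added illustration of what "looking into memory" means in practice (this is not Mandiant's tool or any code from the article), the script below carves Windows PE headers out of a raw memory dump. A reflectively loaded DLL or an unpacked in-memory payload never appears on disk, but its DOS header, `e_lfanew` pointer and `PE\0\0` signature still sit in RAM and can be validated field by field. The dump, the filler bytes and the embedded header are all constructed inline; the offsets and the field limits used for validation are assumptions chosen for the example.

```python
"""Carve PE (Windows executable) headers out of a raw memory dump.

In-memory-only payloads (reflectively loaded DLLs, injected shellcode that
unpacks a PE) never touch disk, but their headers still sit in RAM.  Scanning
a memory image for DOS/NT header pairs that validate is one of the simplest
ways to surface them.
"""
import struct

IMAGE_DOS_SIGNATURE = b"MZ"
IMAGE_NT_SIGNATURE = b"PE\x00\x00"
IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
KNOWN_MACHINES = {IMAGE_FILE_MACHINE_I386: "x86", IMAGE_FILE_MACHINE_AMD64: "x64"}
DOS_HEADER_SIZE = 64          # sizeof(IMAGE_DOS_HEADER)
FILE_HEADER_SIZE = 20         # sizeof(IMAGE_FILE_HEADER), follows the 4-byte PE signature
MAX_E_LFANEW = 0x400          # assumption: real images keep NT headers close to the DOS stub


def parse_pe_at(mem, off):
    """Validate a candidate PE image starting at byte offset `off`.

    Returns a dict describing the image, or None if the bytes at `off`
    merely happen to start with "MZ" (e.g. the letters in a log line)."""
    if off + DOS_HEADER_SIZE > len(mem):
        return None
    if mem[off:off + 2] != IMAGE_DOS_SIGNATURE:
        return None
    # e_lfanew (offset 60 in the DOS header) points to the NT headers.
    e_lfanew = struct.unpack_from("<I", mem, off + 60)[0]
    if not DOS_HEADER_SIZE <= e_lfanew <= MAX_E_LFANEW:
        return None
    nt = off + e_lfanew
    if nt + 4 + FILE_HEADER_SIZE > len(mem):
        return None
    if mem[nt:nt + 4] != IMAGE_NT_SIGNATURE:
        return None
    # IMAGE_FILE_HEADER begins: Machine (u16), NumberOfSections (u16), TimeDateStamp (u32)
    machine, num_sections, timestamp = struct.unpack_from("<HHI", mem, nt + 4)
    if machine not in KNOWN_MACHINES:
        return None
    if not 1 <= num_sections <= 96:   # PE format limit on section count
        return None
    return {"offset": off, "machine": machine, "arch": KNOWN_MACHINES[machine],
            "sections": num_sections, "timestamp": timestamp}


def carve_pe_headers(mem):
    """Return every validated PE header found anywhere in `mem`."""
    hits = []
    off = mem.find(IMAGE_DOS_SIGNATURE)
    while off != -1:
        hdr = parse_pe_at(mem, off)
        if hdr is not None:
            hits.append(hdr)
        off = mem.find(IMAGE_DOS_SIGNATURE, off + 1)
    return hits


def build_fake_pe(machine=IMAGE_FILE_MACHINE_AMD64, sections=3, timestamp=0x4A70E0F1):
    """Constructed sample: a minimal DOS header + PE signature + file header."""
    dos = bytearray(DOS_HEADER_SIZE)
    dos[0:2] = IMAGE_DOS_SIGNATURE
    struct.pack_into("<I", dos, 60, 0x80)        # e_lfanew = 0x80
    stub_padding = b"\x00" * (0x80 - DOS_HEADER_SIZE)
    # no symbols, PE32+ optional header size (240), EXECUTABLE_IMAGE | LARGE_ADDRESS_AWARE
    file_header = struct.pack("<HHIIIHH", machine, sections, timestamp, 0, 0, 240, 0x0022)
    return bytes(dos) + stub_padding + IMAGE_NT_SIGNATURE + file_header


# Constructed memory dump: filler bytes, a decoy "MZ" inside a text string,
# then a real-looking PE header (what a reflectively loaded DLL leaves in RAM).
FILLER = bytes(range(256)) * 8                   # 2048 bytes, contains no "MZ"
SAMPLE_DUMP = (FILLER
               + b"found MZ string in a log line\x00"
               + FILLER
               + build_fake_pe()
               + FILLER)

if __name__ == "__main__":
    for h in carve_pe_headers(SAMPLE_DUMP):
        print("PE header at 0x%08x: %s, %d sections, timestamp 0x%08x"
              % (h["offset"], h["arch"], h["sections"], h["timestamp"]))
```

On the constructed dump the decoy "MZ" inside the log string is rejected (its would-be `e_lfanew` is garbage) and only the embedded x64 header at offset 4126 is reported. The scan works on raw physical bytes, so a header whose NT portion lands on a different, non-contiguous physical page would be missed; a real tool translates virtual addresses through the page tables first, which is exactly the kind of work a dedicated memory analysis framework exists to do.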

[...]

