Memory Forensics: Defeating Disk Encryption, Skilled Attackers, and Advanced Malware

My presentation from RSA 2013 on using memory forensics to defeat advanced malware, encryption, and skilled attackers

Text of Memory Forensics: Defeating Disk Encryption, Skilled Attackers, and Advanced Malware

  • 1. Session ID: HTA-W22; Session Classification: Advanced

  • 13. Cross-view process listing (Volatility psxview):

        $ python vol.py -f ds_fuzz_hidden_proc.img psxview
        Volatile Systems Volatility Framework 2.3_alpha
        Offset(P)  Name             PID    pslist psscan thrdproc pspcdid csrss session deskthrd
        ---------- ---------------- ------ ------ ------ -------- ------- ----- ------- --------
        0x01a2b100 winlogon.exe     620    True   True   True     True    True  True    True
        0x01a3d360 svchost.exe      932    True   True   True     True    True  True    True
        0x018a13c0 VMwareService.e  1756   True   True   True     True    True  True    True
        0x018e75e8 spoolsv.exe      1648   True   True   True     True    True  True    True
        0x019dbc30 lsass.exe        684    True   True   True     True    True  True    True
        0x0184e3a8 wscntfy.exe      560    True   True   True     True    True  True    True
        0x018af860 VMwareTray.exe   1896   True   True   True     True    True  True    True
        0x01a4bc20 network_listene  1696   False  False  True     True    True  True    True
        0x01843b28 wuauclt.exe      1372   True   True   True     True    True  True    True
        0x01a59d70 svchost.exe      844    True   True   True     True    True  True    True
        [snip]

  • 28. Grrcon: What type of access did the attacker gain?
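A cross-view check over that psxview listing, added here as an example (it is not code from the presentation): it parses the table and flags any process that still appears in the thread, handle, csrss or session views but is absent from pslist or psscan, which is exactly how the network_listene process above stands out.

```python
# psxview rows copied from the listing above (page data, not constructed),
# trimmed to a few rows to keep the example short.
PSXVIEW_OUTPUT = """\
Offset(P)  Name             PID    pslist psscan thrdproc pspcdid csrss session deskthrd
---------- ---------------- ------ ------ ------ -------- ------- ----- ------- --------
0x01a2b100 winlogon.exe     620    True   True   True     True    True  True    True
0x018a13c0 VMwareService.e  1756   True   True   True     True    True  True    True
0x01a4bc20 network_listene  1696   False  False  True     True    True  True    True
0x01843b28 wuauclt.exe      1372   True   True   True     True    True  True    True
"""

# Column order of the boolean views in psxview's output.
VIEWS = ("pslist", "psscan", "thrdproc", "pspcdid", "csrss", "session", "deskthrd")


def parse_psxview(text):
    """Return one dict per process row: offset, name, pid and a bool per view."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        # Data rows start with a hex physical offset and carry exactly 10 fields;
        # the header and the dashed separator line are skipped.
        if len(parts) != 3 + len(VIEWS) or not parts[0].startswith("0x"):
            continue
        offset, name, pid = parts[0], parts[1], int(parts[2])
        flags = dict(zip(VIEWS, (p == "True" for p in parts[3:])))
        rows.append({"offset": offset, "name": name, "pid": pid, **flags})
    return rows


def hidden_processes(rows):
    """Flag rows missing from the linked-list walk (pslist) or the pool scan
    (psscan) while still present in at least one other view. A row missing
    from every view is usually a terminated process, so it is not flagged."""
    findings = []
    for r in rows:
        missing = [v for v in ("pslist", "psscan") if not r[v]]
        seen_elsewhere = any(r[v] for v in VIEWS if v not in missing)
        if missing and seen_elsewhere:
            findings.append((r["name"], r["pid"], missing))
    return findings


if __name__ == "__main__":
    for name, pid, missing in hidden_processes(parse_psxview(PSXVIEW_OUTPUT)):
        print(f"{name} (PID {pid}) is missing from: {', '.join(missing)}")
```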