You suck at Memory Analysis
      give it up, it’s not worth it
Disclaimer
• Contents displayed such as thoughts and opinions are exclusively
  those of Francisco Gama Tabanez Ribeiro, the author, and do not
  reflect the viewpoint or policy of any of my employers.

• You are free to use these contents for your works as well as make
  derived works from it as long as you keep visible and explicit
  references to this website in proper place.

• Images and references to other works within this production remain
  the property of their respective holders. All licenses explicitly
  applied to individual resources shall override this one.
Who?
• Francisco da Gama Tabanez Ribeiro
• Penetration Testing @ Portugal Telecom
• Certificates that I don’t have:
  MCITP, MCTS, MCPD, MCA, SSCP, CAP, CSSLP, RHCE, ISO27001,
  CISA, ITIL, CMIIB, CMIIC, CMIIS, CMIIA, CMIIP, JBCAA, CEH, CHFI,
  ECSA, CNDA, LPT, ECVP, ECSP, CCNA, CCDA, OSCE, CCNP and CCDP
Agenda
• Intro:
   • Who? Why? How?
   • 1) Memory Acquisition
   • 2) Memory Analysis
• Windows:
   • memory acquisition
   • process reconstitution
   • malware analysis
• Java:
   • JMX
   • Web
• Breaking safes (Truecrypt)
• Hardware:
   • printers
   • cold boot attack
• Conclusion: where next?
Some of the real experts here.
• Michael Cohen
• Brendan Dolan-Gavitt
• Jesse Kornblum
• Mark Russinovich
• Mike Auty
• Michael L. Hale
• Harlan Carvey
• Dmitry Vostokov
Dinner @ RIT’s meet-up
Why?
• OS & process behavioral tracing
• app debugging & profiling
• malware analysis (Rootkit Paradox)
• mining raw data artifacts
• low level monitoring
• plays well with Social Engineering
• supports the Cloud, VMs & mobiles
suggested reading: Exploiting the Rootkit Paradox with Windows Memory Analysis, Jesse D. Kornblum
1) Memory Acquisition
Memory Acquisition Techniques (Software)
• Crash Dumps
• Hibernation files
• Virtual Machine Imaging/Suspend
• Physical memory device objects:
   • Windows (DevicePhysicalMemory, DeviceDebugMemory)
   • Linux (/dev/mem, /proc/kcore, /dev/crash)
• Live kernel debug dumps (NtSystemDebugControl, NtQueryVirtualMemory)
• Inferential
Memory Acquisition Tools
• MoonSols tools, mdd, dd
• memdump, userdump
• nigilant32, KNTTools, WMFT
• Idetect, Second Look, Goldfish, fmem (Linux, Mac OS X)
suggested reading: Tools: Memory Imaging, Forensics WiKi
Memory Acquisition Gotchas
• memory images taken live may come “blurred”
• time required increases with memory size
• for faster scans, reduce kernel space size (/3GB switch)
suggested reading: Acquisition and analysis of volatile memory from android devices, Digital Investigation
/3GB Startup Switch in 32-bit Win (boot.ini file)
Default:  User Space    0x00000000 - 0x7FFFFFFF (2 GB)
          Kernel Space  0x80000000 - 0xFFFFFFFF (2 GB)
/3GB:     User Space    0x00000000 - 0xBFFFFFFF (3 GB)
          Kernel Space  0xC0000000 - 0xFFFFFFFF (1 GB)
suggested reading: How to Set the /3GB Startup Switch in Windows, Technet, Microsoft
Memory Acquisition Techniques (Hardware)
• Firewire/DMA
• PCI Card (“Tribble”)
• Debug ports (JTAG)
• Inferential
suggested reading: Tools: Memory Imaging, Forensics WiKi
Piezo-Acoustic iPod Hack
(flickr photo by guanix)
Piezo-Acoustic iPod Hack
• iPod 4G
• firmware dump by playing sounds
• ARM code that can read addresses 0 through 65535
• one sound to represent a 1 bit, another for a 0 bit
• 64 kb file at 5 bytes/sec
• sound recognition / error detection & correction
• iPod-Linux project
2) Memory Analysis
How?
• Static
• Dynamic
Memory Analysis Tools
• Volatility
• Memoryze
• Windbg
• Redline
• Volafox
Volatility
• an advanced memory forensics framework
• extraction of digital artifacts from volatile memory (RAM) samples
• plugin based architecture
• major releases at present moment: 1.3, 2.0 & NG (Scudette’s branch)
• Python
suggested reading: An advanced memory forensics framework, Volatility Google Wiki pages
suggested reading: Volatility, Memory Forensics, Volatile Systems
Windows - things you can analyze
• processes, threads, sockets, connections, modules
• files & DLLs loaded for each process
• the hive (registry handles)
• process' addressable memory & executables extraction
• OS kernel modules
• mapping physical offsets to virtual addresses (strings to process)
• security access tokens
• more, much more...
mimikatz - getting clear text passwords in Windows
[diagram] Client Application -> SSPI -> Digest SSP -> Server
          Local Security Authority SubSystem (LSASS): LSA Server Service -> Digest SSP
          packages inside LSASS: TsPkg, Wdigest, LiveSSP
          LsaProtectMemory / LsaUnprotectMemory
          inject sekurlsa.dll
mimikatz - getting clear text
       passwords from Windows
• Traitement du Kiwi - injects sekurlsa.dll (LSASS)
• TsPkg & Wdigest store encrypted (not hashed) passwords
• used for Kerberos, NTLM/LM, HTTP Digest authentication
• function LsaUnprotectMemory retrieves clear text password
• pass the word > pass the hash
Windows - Process reconstitution
• OS walking (KPCR > PsActiveProcessHead > _LIST_ENTRY > EProcess...) (pslist)
• pool tags (psscan)
• others...
Windows - _EPROCESS structure
• image filename
• process id, parent process id
• create/exit times
• base priority
• exit status
• next/prev process block
• image base address
• ...
suggested reading: struct EPROCESS, NirSoft
Windows - process reconstitution
[diagram] PsActiveProcessHead -> EPROCESS -> EPROCESS -> EPROCESS
          each EPROCESS holds a LIST_ENTRY whose Flink points forward to the next
          process block and whose Blink points back to the previous one
DKOM
(Direct Kernel Object Manipulation)
[diagram] EPROCESS -> EPROCESS -> EPROCESS, with the middle block unlinked: the neighbours'
          Flink and Blink have been rewritten to point past it, so a list walk never reaches
          it while the block itself is still in memory
detectable by Volatility psscan plugin
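The two slides above (list walking for pslist, pool-tag carving for psscan, and why DKOM only fools the first) in a self-contained model. This is an added example written for this page, not Volatility's code and not the real _EPROCESS layout: the 32-byte record format, the "Proc" tag position, the flat offsets standing in for virtual addresses and the four sample processes are all assumptions made here so that it runs offline.

```python
import struct

# Toy record layout (an assumption for this example, NOT the real _EPROCESS):
#   +0  pool tag (4 bytes)         "Proc"
#   +4  LIST_ENTRY.Flink (uint32)  offset of the next record's LIST_ENTRY
#   +8  LIST_ENTRY.Blink (uint32)  offset of the previous record's LIST_ENTRY
#   +12 pid (uint32)
#   +16 image name (16 bytes, NUL padded)
# Addresses are plain offsets into the buffer: no virtual-to-physical translation here.
POOL_TAG = b"Proc"
LIST_ENTRY_OFF = 4
RECORD_SIZE = 32
HEAD = 0                # PsActiveProcessHead lives at offset 0 (a bare LIST_ENTRY)
FIRST_RECORD = 64
RECORD_STRIDE = 64      # slack between records, so a scan really has to find them

def read_entry(mem, off):
    return struct.unpack_from("<II", mem, off)

def write_entry(mem, off, flink, blink):
    struct.pack_into("<II", mem, off, flink, blink)

def parse_record(mem, base):
    flink, blink, pid = struct.unpack_from("<III", mem, base + 4)
    name = bytes(mem[base + 16:base + 32]).split(b"\0", 1)[0].decode("ascii", "replace")
    return {"base": base, "flink": flink, "blink": blink, "pid": pid, "name": name}

def build_memory(procs, hidden_pid=None):
    """Lay out a list head plus one record per (pid, name), fully linked.
    With hidden_pid, unlink that record the way a DKOM rootkit does: the neighbours
    are rewired around it while the record itself stays in memory untouched."""
    mem = bytearray(FIRST_RECORD + RECORD_STRIDE * len(procs))
    bases = [FIRST_RECORD + i * RECORD_STRIDE for i in range(len(procs))]
    ring = [HEAD] + [b + LIST_ENTRY_OFF for b in bases]   # circular order of LIST_ENTRYs
    n = len(ring)
    write_entry(mem, HEAD, ring[1 % n], ring[-1])
    for i, (base, (pid, name)) in enumerate(zip(bases, procs)):
        mem[base:base + 4] = POOL_TAG
        struct.pack_into("<III", mem, base + 4, ring[(i + 2) % n], ring[i], pid)
        mem[base + 16:base + 32] = name.encode("ascii").ljust(16, b"\0")
    if hidden_pid is not None:
        i = [p for p, _ in procs].index(hidden_pid)
        prev_e, next_e = ring[i], ring[(i + 2) % n]
        _, prev_b = read_entry(mem, prev_e)
        write_entry(mem, prev_e, next_e, prev_b)        # prev.Flink now skips the victim
        next_f, _ = read_entry(mem, next_e)
        write_entry(mem, next_e, next_f, prev_e)        # next.Blink now skips the victim
    return mem

def pslist(mem, head=HEAD, max_steps=100000):
    """pslist style: follow Flink from PsActiveProcessHead until the list wraps."""
    out = []
    flink, _ = read_entry(mem, head)
    while flink != head:
        rec = parse_record(mem, flink - LIST_ENTRY_OFF)   # CONTAINING_RECORD
        out.append(rec)
        flink = rec["flink"]
        if len(out) > max_steps:
            raise RuntimeError("list never wraps: corrupted or hostile Flink chain")
    return out

def psscan(mem):
    """psscan style: carve every record whose pool tag is present, linked or not,
    and keep only the candidates that pass cheap sanity checks."""
    out = []
    off = mem.find(POOL_TAG)
    while off != -1:
        if off + RECORD_SIZE <= len(mem):
            rec = parse_record(mem, off)
            if rec["pid"] < 2 ** 16 and rec["name"].isprintable():
                out.append(rec)
        off = mem.find(POOL_TAG, off + 1)
    return out

def hidden_processes(mem):
    """Cross-view check: carved from memory but unreachable from the active list."""
    listed = {r["pid"] for r in pslist(mem)}
    return sorted(r["pid"] for r in psscan(mem) if r["pid"] not in listed)

# Constructed sample: four processes, one of them unlinked by DKOM
SAMPLE_PROCS = [(4, "System"), (500, "lsass.exe"), (1337, "hidden.exe"), (2000, "explorer.exe")]

if __name__ == "__main__":
    img = build_memory(SAMPLE_PROCS, hidden_pid=1337)
    print("pslist:", [r["pid"] for r in pslist(img)])
    print("psscan:", sorted(r["pid"] for r in psscan(img)))
    print("hidden:", hidden_processes(img))
```

The walk and the scan disagree only when something has been unlinked, which is exactly the cross-view signal an analyst looks for; the bounded loop in pslist matters because a rootkit that points a Flink back into the list turns a naive walk into an infinite loop.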
Process hollowing
• legitimate process loaded into memory to act as a code container
• host process is created in a suspended state
• antivirus bypassing
• meterpreter ‘-m’ flag
• detectable with Volatility plugins pslist + procexecdump combined with fuzzy hashing (ssdeep)
suggested reading: Eternal Sunshine on the Spotless RAM, SecurityStreet, Rapid7
[diagram] Process (suspended) -> Process (running)
If in doubt, it's an APT.
@explanoit
Java Management Extensions (JMX)
Java Management Extensions (JMX)
• monitor and manage any Java based applications
• automatically exposed by JMX agents
• clients like Java Visual VM can connect to it locally and remotely
• supports MBeans
• tools: Java Visual VM, JConsole, MAT (Eclipse), JmxCli
suggested reading: Monitoring and Management Using JMX Technology, Java SE Monitoring and Management Guide
Java Management Extensions (JMX)
• no default port but...
  “statistical” guessing: 3333, 6161, 9999
• authentication? encryption?
  not by default!
• properties where you can fix that:
  com.sun.management.jmxremote.port
  com.sun.management.jmxremote.ssl
  com.sun.management.jmxremote.authenticate
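A defender's view of the three properties listed above: an added Python example (not from the slides, and not part of any JDK tooling) that audits the JVM command lines you would get from a process listing and flags remote JMX agents whose ssl and authenticate settings are not explicitly pinned to true. The sample command lines are constructed; the password.file and access.file properties in the hardened variant are the standard JDK names for the credential and role files, but the paths given to them here are placeholders.

```python
import shlex

JMX = "com.sun.management.jmxremote"

def jvm_system_properties(cmdline):
    """Collect -Dkey=value pairs from one JVM command line (e.g. a line of ps output)."""
    props = {}
    for tok in shlex.split(cmdline):
        if tok.startswith("-D"):
            key, _, val = tok[2:].partition("=")
            props[key] = val
    return props

def audit_jmx(cmdline):
    """Findings for the remote JMX settings on one command line.
    Empty means no remote agent is configured (no .port property) or both ssl and
    authenticate are explicitly true. A missing setting is reported rather than
    assumed safe, so the audit does not depend on any particular JVM's defaults."""
    props = jvm_system_properties(cmdline)
    port = props.get(f"{JMX}.port")
    if port is None:
        return []
    findings = []
    for setting in ("ssl", "authenticate"):
        key = f"{JMX}.{setting}"
        val = props.get(key)
        if val is None:
            findings.append(f"{key} not set: pin it to true instead of relying on the default")
        elif val.strip().lower() != "true":
            findings.append(f"{key}={val}: remote JMX agent on port {port} with {setting} disabled")
    return findings

def hardened_jmx_flags(port, password_file, access_file):
    """The same agent with the slide's properties set to their safe values."""
    return [
        f"-D{JMX}.port={port}",
        f"-D{JMX}.ssl=true",
        f"-D{JMX}.authenticate=true",
        f"-D{JMX}.password.file={password_file}",   # placeholder path, supplied by caller
        f"-D{JMX}.access.file={access_file}",       # placeholder path, supplied by caller
    ]

def audit_many(cmdlines):
    """Map index -> findings for every command line that has something to report."""
    report = {}
    for i, cmd in enumerate(cmdlines):
        findings = audit_jmx(cmd)
        if findings:
            report[i] = findings
    return report

# Constructed sample process list: the first is the classic "dev box" setup,
# the second enables the agent on one of the slide's guessable ports without
# saying anything about ssl or authentication, the third has no remote agent.
SAMPLE_CMDLINES = [
    "java -Dcom.sun.management.jmxremote.port=9999 -Dcom.sun.management.jmxremote.ssl=false "
    "-Dcom.sun.management.jmxremote.authenticate=false -jar app.jar",
    "java -Dcom.sun.management.jmxremote.port=3333 -jar batch.jar",
    "java -jar local-only.jar",
]

if __name__ == "__main__":
    for idx, findings in audit_many(SAMPLE_CMDLINES).items():
        print(SAMPLE_CMDLINES[idx])
        for f in findings:
            print("  -", f)
    print("hardened:", " ".join(hardened_jmx_flags(9999, "/etc/jmx/jmxremote.password",
                                                   "/etc/jmx/jmxremote.access")))
```

Running the hardened flag set back through the audit yields no findings, which is the property a deployment check should enforce: every process that exposes a JMX port must also carry explicit ssl=true and authenticate=true.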
1) open browser on URL:
http://somevictim.com:8080/jmx-console/HtmlAdaptor?action=displayMBeans
jbossify for JBoss
2) run jbossify:
wget https://raw.github.com/blackthorne/Pentest-utils/master/jbossify.py

$ python jbossify.py
jbossify.py <host> <port> <instance_name> [<properties to extract>]
jbossify.py --offline <instance_folder> [<properties to extract>]
  for offline extraction

<properties to extract> - can be 'conn', 'dd', 'sql' or 'all'
(default is just conn)

conn -> ManagedConnectionFactoryProperties
dd   -> deploymentDescriptor
sql  -> SqlProperties
Connection Strings!
demo time!
So, Java uses Memory...
tell me you were not aware of it?
Truecrypt
Truecrypt
• Virtual Encrypted Disks
• Partitions & storage devices
• Parallelization & Pipelining
• Automatic, Real-time & Transparent
• Hardware accelerated
• Plausible Deniability
• Multiple platform
Meanwhile... in a memory chip close, close by...
demo time!
Truecrypt
1) where?  DRIVER_OBJECT address
2) size?   DriverStart .. DriverStart + DriverSize
suggested reading: RAM is Key, Extracting Disk Encryption Keys From Volatile Memory, by Brian Kaplan, Carnegie Mellon University
Truecrypt
..on a little endian architecture..
3) what?

$ xxd JOHN-2CF071298B-20120512-221220.raw |grep 123asd
88f3060: 0c00 0000 3132 3361 7364 4153 4421 4023 ....123asdASD!@#

0c000000 is a 12 (passphrase length, little endian); 123asdASD!@# is the passphrase

{length, passphrase} tuples with fingerprint:
  ????0000      length, [1..64]
  ????????..    passphrase: `length` bytes of ASCII printable [0x20..0x7E]
  0x00..        NULLs
suggested reading: Cryptoscan plugin, Jesse Kornblum
suggested reading: TrueDecrypt plugin, Francisco Ribeiro
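The fingerprint above, turned into a scanner: an added Python example written for this page, not the Cryptoscan or TrueDecrypt plugin code. It assumes a fixed 64-byte text buffer whose unused bytes are NUL (the [1..64] bound and the trailing NULLs on the slide suggest this, but the exact structure is not given here), so a hit is a little-endian 32-bit length, that many printable bytes, and NUL padding out to 64 bytes. The 768-byte image it scans is constructed inline: the slide's own tuple plus three decoys, each breaking exactly one rule. From the defender's side this is the check you run on a captured image to confirm whether a passphrase is still resident after a volume has been dismounted.

```python
import struct

PRINTABLE = frozenset(range(0x20, 0x7F))   # ASCII printable, as in the slide's fingerprint
TEXT_BUF = 64                               # assumed fixed text buffer: unused bytes are NUL

def scan_passphrase_tuples(mem, text_buf=TEXT_BUF):
    """Carve {length, passphrase} candidates from a little-endian memory image.
    A hit is a 32-bit LE length in [1..text_buf], followed by exactly `length`
    printable ASCII bytes, followed by NUL padding up to text_buf bytes."""
    hits = []
    n = len(mem)
    for off in range(0, n - 3):
        length = struct.unpack_from("<I", mem, off)[0]
        if not 1 <= length <= text_buf:
            continue
        start, end, pad_end = off + 4, off + 4 + length, off + 4 + text_buf
        if pad_end > n:
            continue
        text = mem[start:end]
        if any(b not in PRINTABLE for b in text):
            continue
        if any(mem[end:pad_end]):              # anything but NUL after the text: no match
            continue
        hits.append((off, length, text.decode("ascii")))
    return hits

def hexdump_line(mem, off, width=16):
    """xxd-style rendering of one line, so a hit looks the way the slide shows it."""
    chunk = bytes(mem[off:off + width])
    hexpart = " ".join(chunk[i:i + 2].hex() for i in range(0, len(chunk), 2))
    asc = "".join(chr(b) if b in PRINTABLE else "." for b in chunk)
    return f"{off:07x}: {hexpart:<39} {asc}"

def build_sample_image():
    """Constructed 768-byte image: the slide's tuple plus three decoys that must not match."""
    img = bytearray(768)
    img[0x60:0x60 + 16] = struct.pack("<I", 12) + b"123asdASD!@#"        # the real tuple
    img[0x100:0x100 + 12] = struct.pack("<I", 200) + b"nothere!"         # length out of range
    img[0x180:0x180 + 9] = struct.pack("<I", 5) + b"ab\x01cd"            # non-printable byte
    img[0x200:0x200 + 68] = struct.pack("<I", 4) + b"abcd" + b"Z" * 60   # no NUL padding
    return bytes(img)

if __name__ == "__main__":
    image = build_sample_image()
    for off, length, text in scan_passphrase_tuples(image):
        print(hexdump_line(image, off))
        print(f"  length {length}, passphrase {text!r}")
```

The NUL-padding rule does most of the work: without it, every short printable string that happens to sit behind a small little-endian integer would be reported, which is the false-positive problem any carving approach has to manage.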
Cold Boot attacks on encryption keys
• exploits data remanence in volatile memory
• retrieves encryption keys used to encrypt hard drives
• Truecrypt, bitlocker, Filevault
suggested reading: Lest we remember: Cold Boot Attacks on Encryption Keys, Princeton University
MultiFunction Printers?
...stores images of all scanned, copied, printed and e-mailed documents...
MultiFunction Printers?
1) Open it
(google: “<your_MFP_model> hard drive replacement”)
MultiFunction Printers?
2) Analyze that
  V..éSODX
  flipping bytes
  é..VXDOS
  that’s BIGDOS FAT 16!
3) open Finder
suggested reading: Survey of Scanner and Printer Forensics, Purdue University
suggested reading: Forensic analysis of digital copiers, Svein Yngvar Willassen
does your company handle this properly?
STUXNET
• source: US-Israel
• target: Iran nuclear program
• very sophisticated cyber warfare on SCADA
• infection by USB thumb drive
• exploits Siemens Simatic S7-300 PLC
• deceives monitoring, destroys centrifuge machines
• ~10,000 lines of code
suggested reading: Stuxnet's Footprint in Memory with Volatility 2.0, MNIN Security Blog, Michael Ligh MHL
demo time!
What about searching for what you don’t know?
Codetective
• an analysis tool to determine the crypto/encoding algorithm used according to traces of its representation
• can be used as a volatility plugin or as a generic tool
• filters (win, unix, web, db or other) and level of confidence
• supports:
  shadow and SAM files, phpBB3, Wordpress, Joomla, CRC, LM, NTLM,
  MD4, MD5, Apr, SHA1, SHA256, base64, MySQL323, MYSQL4+, DES,
  RipeMD320, Whirlpool, SHA1, SHA224, SHA256, SHA384, SHA512,
  Blowfish, Java Session IDs, connection strings, Credit Cards, URLs
Codetective
• relevant options:
   -a (analyze)
   -u (show UUIDs)
   -v (verbose mode)
   -t (filters)
   -p (search for Process ID)
   -n (search for process name)
   If neither -p nor -n is given, it will search in all processes.
• git clone git://github.com/blackthorne/Codetective.git codetective
suggested reading: codetective plugin, github @blackthorne, Francisco Ribeiro
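The idea behind the tool described above (recognising an algorithm from the shape of its output, with a confidence level per guess) in a small Python example. This is added code written for this page, not Codetective's own rules: the regexes, the confidence labels and the constructed strings dump are assumptions made here, and the set of formats is a subset of the list on the slide.

```python
import re

# Hand-written recognition rules (an assumption for this example, not Codetective's):
# (label, compiled regex, confidence). Formats with a fixed prefix are high confidence;
# a bare hex string of a given length only says "one of these", so it is low.
RULES = [
    ("md5-crypt ($1$)",        re.compile(r"^\$1\$[./0-9A-Za-z]{1,8}\$[./0-9A-Za-z]{22}$"), "high"),
    ("Apache apr1",            re.compile(r"^\$apr1\$[./0-9A-Za-z]{1,8}\$[./0-9A-Za-z]{22}$"), "high"),
    ("sha512-crypt ($6$)",     re.compile(r"^\$6\$[^$]{1,16}\$[./0-9A-Za-z]{86}$"), "high"),
    ("phpBB3 phpass ($H$)",    re.compile(r"^\$H\$[./0-9A-Za-z]{31}$"), "high"),
    ("Wordpress phpass ($P$)", re.compile(r"^\$P\$[./0-9A-Za-z]{31}$"), "high"),
    ("MySQL 4.1+ (*SHA1)",     re.compile(r"^\*[0-9A-F]{40}$"), "high"),
    ("LM:NTLM pair",           re.compile(r"^[0-9a-fA-F]{32}:[0-9a-fA-F]{32}$"), "high"),
    ("JDBC connection string", re.compile(r"^jdbc:[a-z0-9]+:", re.I), "high"),
    ("MySQL323",               re.compile(r"^[0-9a-f]{16}$"), "medium"),
    ("MD5 / MD4 / NTLM / LM",  re.compile(r"^[0-9a-fA-F]{32}$"), "low"),
    ("SHA1",                   re.compile(r"^[0-9a-fA-F]{40}$"), "low"),
    ("SHA256",                 re.compile(r"^[0-9a-fA-F]{64}$"), "low"),
    ("CRC32",                  re.compile(r"^[0-9a-fA-F]{8}$"), "low"),
    # base64 only counts if at least one character falls outside the hex alphabet
    ("base64", re.compile(r"^(?=.*[G-Zg-z+/=])(?:[A-Za-z0-9+/]{4})*"
                          r"(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$"), "low"),
]
LEVELS = {"low": 0, "medium": 1, "high": 2}

def luhn_ok(digits):
    """Luhn checksum, the structural test that separates card numbers from other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def classify(token, min_confidence="low"):
    """Every (label, confidence) the token satisfies, filtered by minimum confidence.
    Ambiguity is deliberate: a 32-hex string is reported as MD5/MD4/NTLM/LM, not as one of them."""
    hits = [(label, conf) for label, rx, conf in RULES if rx.match(token)]
    digits = token.replace(" ", "").replace("-", "")
    if digits.isdigit() and 13 <= len(digits) <= 19 and luhn_ok(digits):
        hits.append(("credit card number (Luhn check passes)", "medium"))
    return [(l, c) for l, c in hits if LEVELS[c] >= LEVELS[min_confidence]]

def scan_strings(text, min_confidence="low"):
    """Run classify() over every whitespace-delimited token of a strings dump."""
    results = {}
    for tok in re.findall(r"\S+", text):
        hits = classify(tok, min_confidence)
        if hits:
            results[tok] = hits
    return results

# Constructed strings dump standing in for `strings` output from a process's memory.
# The MD5 is of the word "password"; the card number is the usual test value.
SAMPLE_DUMP = """
user=alice 5f4dcc3b5aa765d61d8327deb882cf99
$apr1$saltsalt$abcdefghijklmnopqrstuv
*94BDCEBE19083CE2A1F959FD02F964C7AF4CFC29
jdbc:mysql://db.internal:3306/app
aGVsbG8gd29ybGQ= 4111111111111111 some plain words
"""

if __name__ == "__main__":
    for tok, hits in scan_strings(SAMPLE_DUMP).items():
        print(f"{tok:45} {hits}")
```

Running the dump at "high" confidence keeps only the fixed-prefix formats and the connection string; at "low" it also surfaces the bare hashes and base64 guesses, including the four-letter word that base64 rules cannot tell apart from real data. That trade-off is what the slide's "level of confidence" filter is for.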
demo time!
Where next?
• Networks (Remote live forensics)
• Mobiles
• Virtual Machines
• Cloud
[screenshot] GRR - remote live forensics: hostname, volatility plugins, age selector, status, pslist, raw disk
Memory Analysis on the Cloud
• with virtualization, multiple Virtual Machines share a single physical machine and expose
  their Volatile Memory in snapshot files (.vmem..) that are accessible from userland
• Analyzing iOS iTunes memory allows you to retrieve iCloud credentials.
  Years ago, that wasn’t that serious, but now it’s not just music, is it?
• What about Dropbox and Google accounts: how complex is your password?
  Does it really matter?
  Where is it stored?
My clipboard supports:
• mixed case passwords
• numbers
• special characters and length > 20
Special thanks to:
• Michael Cohen
• Brendan Dolan-Gavitt
References:
• Tools: Memory Imaging, Forensics WiKi
• Acquisition and analysis of volatile memory from android devices, Digital Investigation
• struct EPROCESS, NirSoft
• How to Set the /3GB Startup Switch in Windows, Technet, Microsoft
• Eternal Sunshine on the Spotless RAM, SecurityStreet, Rapid7
• Monitoring and Management Using JMX Technology, Java SE Monitoring and Management Guide
• RAM is Key, Extracting Disk Encryption Keys From Volatile Memory, Brian Kaplan, Carnegie Mellon University
• Cryptoscan plugin, Jesse Kornblum
• TrueDecrypt plugin, Francisco Ribeiro
• Survey of Scanner and Printer Forensics, Purdue University
• Forensic analysis of digital copiers, Svein Yngvar Willassen
• Stuxnet's Footprint in Memory with Volatility 2.0, MNIN Security Blog, Michael Ligh MHL
• codetective plugin, github @blackthorne, Francisco Ribeiro
• Volatility - Memory Forensics, Volatile Systems
• Exploiting the Rootkit Paradox with Windows Memory Analysis, Jesse D. Kornblum
• An advanced memory forensics framework - Volatility, Google Wiki pages
Thank you
childish won't-let-go nickname: blackthorne

   blackthorne (geek)
   bthorne_daily (social)

   francisco@ironik.org
   (PGP key: 0xBDD20CF1)

   http://www.digitalloft.org
   (homepage)
Delivering presentations - dicas de apresentação (not!)
Pedro Moura
 
Meet-Beat Your Way To Sales Growth and Productivity Improvement
Meet-Beat Your Way To  Sales Growth and Productivity ImprovementMeet-Beat Your Way To  Sales Growth and Productivity Improvement
Meet-Beat Your Way To Sales Growth and Productivity Improvement
George Evans
 
Ad

Similar to You suck at Memory Analysis (20)

淺談探索 Linux 系統設計之道
淺談探索 Linux 系統設計之道 淺談探索 Linux 系統設計之道
淺談探索 Linux 系統設計之道
National Cheng Kung University
 
Larson Macaulay apt_malware_past_present_future_out_of_band_techniques
Larson Macaulay apt_malware_past_present_future_out_of_band_techniquesLarson Macaulay apt_malware_past_present_future_out_of_band_techniques
Larson Macaulay apt_malware_past_present_future_out_of_band_techniques
Scott K. Larson
 
Defeating Windows memory forensics
Defeating Windows memory forensicsDefeating Windows memory forensics
Defeating Windows memory forensics
lmilkovic
 
Deployment Strategies (Mongo Austin)
Deployment Strategies (Mongo Austin)Deployment Strategies (Mongo Austin)
Deployment Strategies (Mongo Austin)
MongoDB
 
One-Byte Modification for Breaking Memory Forensic Analysis
One-Byte Modification for Breaking Memory Forensic AnalysisOne-Byte Modification for Breaking Memory Forensic Analysis
One-Byte Modification for Breaking Memory Forensic Analysis
Takahiro Haruyama
 
Android Mind Reading: Android Live Memory Analysis with LiME and Volatility
Android Mind Reading: Android Live Memory Analysis with LiME and VolatilityAndroid Mind Reading: Android Live Memory Analysis with LiME and Volatility
Android Mind Reading: Android Live Memory Analysis with LiME and Volatility
Joe Sylve
 
Live Memory Forensics on Android devices
Live Memory Forensics on Android devicesLive Memory Forensics on Android devices
Live Memory Forensics on Android devices
Nikos Gkogkos
 
Profiling Multicore Systems to Maximize Core Utilization
Profiling Multicore Systems to Maximize Core Utilization Profiling Multicore Systems to Maximize Core Utilization
Profiling Multicore Systems to Maximize Core Utilization
mentoresd
 
Reverse Engineering the TomTom Runner pt. 1
Reverse Engineering the TomTom Runner pt. 1 Reverse Engineering the TomTom Runner pt. 1
Reverse Engineering the TomTom Runner pt. 1
Luis Grangeia
 
Advanced Administration, Monitoring and Backup
Advanced Administration, Monitoring and BackupAdvanced Administration, Monitoring and Backup
Advanced Administration, Monitoring and Backup
MongoDB
 
Programming on Windows 8.1: The New Stream and Storage Paradigm (Raffaele Ria...
Programming on Windows 8.1: The New Stream and Storage Paradigm (Raffaele Ria...Programming on Windows 8.1: The New Stream and Storage Paradigm (Raffaele Ria...
Programming on Windows 8.1: The New Stream and Storage Paradigm (Raffaele Ria...
ITCamp
 
Deployment Strategy
Deployment StrategyDeployment Strategy
Deployment Strategy
MongoDB
 
BSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad GuysBSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad Guys
Joff Thyer
 
Hybis: Advanced Introspection for Effective Windows Guest Protection
Hybis: Advanced Introspection for Effective Windows Guest ProtectionHybis: Advanced Introspection for Effective Windows Guest Protection
Hybis: Advanced Introspection for Effective Windows Guest Protection
Federico Franzoni
 
Linx privx privileges-sudo misconfiguration group and docker daemon privileges
Linx privx privileges-sudo misconfiguration group and docker daemon privilegesLinx privx privileges-sudo misconfiguration group and docker daemon privileges
Linx privx privileges-sudo misconfiguration group and docker daemon privileges
AliBawazeEer
 
Deployment
DeploymentDeployment
Deployment
rogerbodamer
 
Security Onion
Security OnionSecurity Onion
Security Onion
johndegruyter
 
Memory Forensic: Investigating Memory Artefact
Memory Forensic: Investigating Memory ArtefactMemory Forensic: Investigating Memory Artefact
Memory Forensic: Investigating Memory Artefact
Satria Ady Pradana
 
Memory Forensic - Investigating Memory Artefact
Memory Forensic - Investigating Memory ArtefactMemory Forensic - Investigating Memory Artefact
Memory Forensic - Investigating Memory Artefact
Satria Ady Pradana
 
Lions, Tigers and Deers: What building zoos can teach us about securing micro...
Lions, Tigers and Deers: What building zoos can teach us about securing micro...Lions, Tigers and Deers: What building zoos can teach us about securing micro...
Lions, Tigers and Deers: What building zoos can teach us about securing micro...
Sysdig
 
Larson Macaulay apt_malware_past_present_future_out_of_band_techniques
Larson Macaulay apt_malware_past_present_future_out_of_band_techniquesLarson Macaulay apt_malware_past_present_future_out_of_band_techniques
Larson Macaulay apt_malware_past_present_future_out_of_band_techniques
Scott K. Larson
 
Defeating Windows memory forensics
Defeating Windows memory forensicsDefeating Windows memory forensics
Defeating Windows memory forensics
lmilkovic
 
Deployment Strategies (Mongo Austin)
Deployment Strategies (Mongo Austin)Deployment Strategies (Mongo Austin)
Deployment Strategies (Mongo Austin)
MongoDB
 
One-Byte Modification for Breaking Memory Forensic Analysis
One-Byte Modification for Breaking Memory Forensic AnalysisOne-Byte Modification for Breaking Memory Forensic Analysis
One-Byte Modification for Breaking Memory Forensic Analysis
Takahiro Haruyama
 
Android Mind Reading: Android Live Memory Analysis with LiME and Volatility
Android Mind Reading: Android Live Memory Analysis with LiME and VolatilityAndroid Mind Reading: Android Live Memory Analysis with LiME and Volatility
Android Mind Reading: Android Live Memory Analysis with LiME and Volatility
Joe Sylve
 
Live Memory Forensics on Android devices
Live Memory Forensics on Android devicesLive Memory Forensics on Android devices
Live Memory Forensics on Android devices
Nikos Gkogkos
 
Profiling Multicore Systems to Maximize Core Utilization
Profiling Multicore Systems to Maximize Core Utilization Profiling Multicore Systems to Maximize Core Utilization
Profiling Multicore Systems to Maximize Core Utilization
mentoresd
 
Reverse Engineering the TomTom Runner pt. 1
Reverse Engineering the TomTom Runner pt. 1 Reverse Engineering the TomTom Runner pt. 1
Reverse Engineering the TomTom Runner pt. 1
Luis Grangeia
 
Advanced Administration, Monitoring and Backup
Advanced Administration, Monitoring and BackupAdvanced Administration, Monitoring and Backup
Advanced Administration, Monitoring and Backup
MongoDB
 
Programming on Windows 8.1: The New Stream and Storage Paradigm (Raffaele Ria...
Programming on Windows 8.1: The New Stream and Storage Paradigm (Raffaele Ria...Programming on Windows 8.1: The New Stream and Storage Paradigm (Raffaele Ria...
Programming on Windows 8.1: The New Stream and Storage Paradigm (Raffaele Ria...
ITCamp
 
Deployment Strategy
Deployment StrategyDeployment Strategy
Deployment Strategy
MongoDB
 
BSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad GuysBSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad Guys
Joff Thyer
 
Hybis: Advanced Introspection for Effective Windows Guest Protection
Hybis: Advanced Introspection for Effective Windows Guest ProtectionHybis: Advanced Introspection for Effective Windows Guest Protection
Hybis: Advanced Introspection for Effective Windows Guest Protection
Federico Franzoni
 
Linx privx privileges-sudo misconfiguration group and docker daemon privileges
Linx privx privileges-sudo misconfiguration group and docker daemon privilegesLinx privx privileges-sudo misconfiguration group and docker daemon privileges
Linx privx privileges-sudo misconfiguration group and docker daemon privileges
AliBawazeEer
 
Memory Forensic: Investigating Memory Artefact
Memory Forensic: Investigating Memory ArtefactMemory Forensic: Investigating Memory Artefact
Memory Forensic: Investigating Memory Artefact
Satria Ady Pradana
 
Memory Forensic - Investigating Memory Artefact
Memory Forensic - Investigating Memory ArtefactMemory Forensic - Investigating Memory Artefact
Memory Forensic - Investigating Memory Artefact
Satria Ady Pradana
 
Lions, Tigers and Deers: What building zoos can teach us about securing micro...
Lions, Tigers and Deers: What building zoos can teach us about securing micro...Lions, Tigers and Deers: What building zoos can teach us about securing micro...
Lions, Tigers and Deers: What building zoos can teach us about securing micro...
Sysdig
 
Ad

Recently uploaded (20)

Drupalcamp Finland – Measuring Front-end Energy Consumption
Drupalcamp Finland – Measuring Front-end Energy ConsumptionDrupalcamp Finland – Measuring Front-end Energy Consumption
Drupalcamp Finland – Measuring Front-end Energy Consumption
Exove
 
HCL Nomad Web – Best Practices and Managing Multiuser Environments
HCL Nomad Web – Best Practices and Managing Multiuser EnvironmentsHCL Nomad Web – Best Practices and Managing Multiuser Environments
HCL Nomad Web – Best Practices and Managing Multiuser Environments
panagenda
 
AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...
AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...
AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...
Alan Dix
 
Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...
Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...
Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...
Aqusag Technologies
 
Big Data Analytics Quick Research Guide by Arthur Morgan
Big Data Analytics Quick Research Guide by Arthur MorganBig Data Analytics Quick Research Guide by Arthur Morgan
Big Data Analytics Quick Research Guide by Arthur Morgan
Arthur Morgan
 
TrsLabs - Fintech Product & Business Consulting
TrsLabs - Fintech Product & Business ConsultingTrsLabs - Fintech Product & Business Consulting
TrsLabs - Fintech Product & Business Consulting
Trs Labs
 
tecnologias de las primeras civilizaciones.pdf
tecnologias de las primeras civilizaciones.pdftecnologias de las primeras civilizaciones.pdf
tecnologias de las primeras civilizaciones.pdf
fjgm517
 
Greenhouse_Monitoring_Presentation.pptx.
Greenhouse_Monitoring_Presentation.pptx.Greenhouse_Monitoring_Presentation.pptx.
Greenhouse_Monitoring_Presentation.pptx.
hpbmnnxrvb
 
Cyber Awareness overview for 2025 month of security
Cyber Awareness overview for 2025 month of securityCyber Awareness overview for 2025 month of security
Cyber Awareness overview for 2025 month of security
riccardosl1
 
What is Model Context Protocol(MCP) - The new technology for communication bw...
What is Model Context Protocol(MCP) - The new technology for communication bw...What is Model Context Protocol(MCP) - The new technology for communication bw...
What is Model Context Protocol(MCP) - The new technology for communication bw...
Vishnu Singh Chundawat
 
SAP Modernization: Maximizing the Value of Your SAP S/4HANA Migration.pdf
SAP Modernization: Maximizing the Value of Your SAP S/4HANA Migration.pdfSAP Modernization: Maximizing the Value of Your SAP S/4HANA Migration.pdf
SAP Modernization: Maximizing the Value of Your SAP S/4HANA Migration.pdf
Precisely
 
2025-05-Q4-2024-Investor-Presentation.pptx
2025-05-Q4-2024-Investor-Presentation.pptx2025-05-Q4-2024-Investor-Presentation.pptx
2025-05-Q4-2024-Investor-Presentation.pptx
Samuele Fogagnolo
 
How Can I use the AI Hype in my Business Context?
How Can I use the AI Hype in my Business Context?How Can I use the AI Hype in my Business Context?
How Can I use the AI Hype in my Business Context?
Daniel Lehner
 
Generative Artificial Intelligence (GenAI) in Business
Generative Artificial Intelligence (GenAI) in BusinessGenerative Artificial Intelligence (GenAI) in Business
Generative Artificial Intelligence (GenAI) in Business
Dr. Tathagat Varma
 
ThousandEyes Partner Innovation Updates for May 2025
ThousandEyes Partner Innovation Updates for May 2025ThousandEyes Partner Innovation Updates for May 2025
ThousandEyes Partner Innovation Updates for May 2025
ThousandEyes
 
Complete Guide to Advanced Logistics Management Software in Riyadh.pdf
Complete Guide to Advanced Logistics Management Software in Riyadh.pdfComplete Guide to Advanced Logistics Management Software in Riyadh.pdf
Complete Guide to Advanced Logistics Management Software in Riyadh.pdf
Software Company
 
Semantic Cultivators : The Critical Future Role to Enable AI
Semantic Cultivators : The Critical Future Role to Enable AISemantic Cultivators : The Critical Future Role to Enable AI
Semantic Cultivators : The Critical Future Role to Enable AI
artmondano
 
Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...
Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...
Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...
BookNet Canada
 
Cybersecurity Identity and Access Solutions using Azure AD
Cybersecurity Identity and Access Solutions using Azure ADCybersecurity Identity and Access Solutions using Azure AD
Cybersecurity Identity and Access Solutions using Azure AD
VICTOR MAESTRE RAMIREZ
 
Into The Box Conference Keynote Day 1 (ITB2025)
Into The Box Conference Keynote Day 1 (ITB2025)Into The Box Conference Keynote Day 1 (ITB2025)
Into The Box Conference Keynote Day 1 (ITB2025)
Ortus Solutions, Corp
 
Drupalcamp Finland – Measuring Front-end Energy Consumption
Drupalcamp Finland – Measuring Front-end Energy ConsumptionDrupalcamp Finland – Measuring Front-end Energy Consumption
Drupalcamp Finland – Measuring Front-end Energy Consumption
Exove
 
HCL Nomad Web – Best Practices and Managing Multiuser Environments
HCL Nomad Web – Best Practices and Managing Multiuser EnvironmentsHCL Nomad Web – Best Practices and Managing Multiuser Environments
HCL Nomad Web – Best Practices and Managing Multiuser Environments
panagenda
 
AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...
AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...
AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...
Alan Dix
 
Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...
Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...
Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...
Aqusag Technologies
 
Big Data Analytics Quick Research Guide by Arthur Morgan
Big Data Analytics Quick Research Guide by Arthur MorganBig Data Analytics Quick Research Guide by Arthur Morgan
Big Data Analytics Quick Research Guide by Arthur Morgan
Arthur Morgan
 
TrsLabs - Fintech Product & Business Consulting
TrsLabs - Fintech Product & Business ConsultingTrsLabs - Fintech Product & Business Consulting
TrsLabs - Fintech Product & Business Consulting
Trs Labs
 
tecnologias de las primeras civilizaciones.pdf
tecnologias de las primeras civilizaciones.pdftecnologias de las primeras civilizaciones.pdf
tecnologias de las primeras civilizaciones.pdf
fjgm517
 
Greenhouse_Monitoring_Presentation.pptx.
Greenhouse_Monitoring_Presentation.pptx.Greenhouse_Monitoring_Presentation.pptx.
Greenhouse_Monitoring_Presentation.pptx.
hpbmnnxrvb
 
Cyber Awareness overview for 2025 month of security
Cyber Awareness overview for 2025 month of securityCyber Awareness overview for 2025 month of security
Cyber Awareness overview for 2025 month of security
riccardosl1
 
What is Model Context Protocol(MCP) - The new technology for communication bw...
What is Model Context Protocol(MCP) - The new technology for communication bw...What is Model Context Protocol(MCP) - The new technology for communication bw...
What is Model Context Protocol(MCP) - The new technology for communication bw...
Vishnu Singh Chundawat
 
SAP Modernization: Maximizing the Value of Your SAP S/4HANA Migration.pdf
SAP Modernization: Maximizing the Value of Your SAP S/4HANA Migration.pdfSAP Modernization: Maximizing the Value of Your SAP S/4HANA Migration.pdf
SAP Modernization: Maximizing the Value of Your SAP S/4HANA Migration.pdf
Precisely
 
2025-05-Q4-2024-Investor-Presentation.pptx
2025-05-Q4-2024-Investor-Presentation.pptx2025-05-Q4-2024-Investor-Presentation.pptx
2025-05-Q4-2024-Investor-Presentation.pptx
Samuele Fogagnolo
 
How Can I use the AI Hype in my Business Context?
How Can I use the AI Hype in my Business Context?How Can I use the AI Hype in my Business Context?
How Can I use the AI Hype in my Business Context?
Daniel Lehner
 
Generative Artificial Intelligence (GenAI) in Business
Generative Artificial Intelligence (GenAI) in BusinessGenerative Artificial Intelligence (GenAI) in Business
Generative Artificial Intelligence (GenAI) in Business
Dr. Tathagat Varma
 
ThousandEyes Partner Innovation Updates for May 2025
ThousandEyes Partner Innovation Updates for May 2025ThousandEyes Partner Innovation Updates for May 2025
ThousandEyes Partner Innovation Updates for May 2025
ThousandEyes
 
Complete Guide to Advanced Logistics Management Software in Riyadh.pdf
Complete Guide to Advanced Logistics Management Software in Riyadh.pdfComplete Guide to Advanced Logistics Management Software in Riyadh.pdf
Complete Guide to Advanced Logistics Management Software in Riyadh.pdf
Software Company
 
Semantic Cultivators : The Critical Future Role to Enable AI
Semantic Cultivators : The Critical Future Role to Enable AISemantic Cultivators : The Critical Future Role to Enable AI
Semantic Cultivators : The Critical Future Role to Enable AI
artmondano
 
Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...
Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...
Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...
BookNet Canada
 
Cybersecurity Identity and Access Solutions using Azure AD
Cybersecurity Identity and Access Solutions using Azure ADCybersecurity Identity and Access Solutions using Azure AD
Cybersecurity Identity and Access Solutions using Azure AD
VICTOR MAESTRE RAMIREZ
 
Into The Box Conference Keynote Day 1 (ITB2025)
Into The Box Conference Keynote Day 1 (ITB2025)Into The Box Conference Keynote Day 1 (ITB2025)
Into The Box Conference Keynote Day 1 (ITB2025)
Ortus Solutions, Corp
 

You suck at Memory Analysis

  • 1. You suck at Memory Analysis give it up, it’s not worth it
  • 2. Disclaimer • Contents displayed such as thoughts and opinions are exclusively those of Francisco Gama Tabanez Ribeiro, the author, and do not reflect the viewpoint or policy of any of my employers. • You are free to use these contents for your works as well as make derived works from it as long as you keep visible and explicit references to this website in proper place. • Images and references to other works within this production remain the property of their respective holders. All licenses explicitly applied to individual resources shall override this one.
  • 3. Who? • Francisco da Gama Tabanez Ribeiro • Penetration Testing @ Portugal Telecom • Certificates that I don’t have: MCITP, MCTS, MCPD, MCA, SSCP, CAP, CSSLP, RHCE, ISO27001, CISA, ITIL, CMIIB, CMIIC, CMIIS, CMIIA, CMIIP, JBCAA, CEH, CHFI, ECSA, CNDA, LPT, ECVP, ECSP, CCNA, CCDA, OSCE, CCNP and CCDP
  • 4. Agenda • Intro: Who? Why? How?; 1) Memory Acquisition; 2) Memory Analysis • Windows: memory acquisition; process reconstitution; malware analysis • Java: JMX; Web • Breaking safes (Truecrypt) • Hardware: printers; cold boot attack • Conclusion: where next?
  • 5. Some of the real experts here. • Michael Cohen • Mike Auty • Brendan Dolan-Gavitt • Michael L. Hale • Jesse Kornblum • Harlan Carvey • Mark Russinovich • Dmitry Vostokov
  • 7. Why? • OS & process behavioral tracing • app debugging & profiling • malware analysis (Rootkit Paradox) • mining raw data artifacts • low level monitoring • plays well with Social Engineering • supports the Cloud, VM’s & mobile’s
  • 8. Why? (same list as slide 7) suggested reading: Exploiting the Rootkit Paradox with Windows Memory Analysis, Jesse D. Kornblum
  • 10. Memory Acquisition Techniques (Software) • Crash Dumps • Hibernation files • Virtual Machine Imaging/Suspend • Physical memory device objects: • Windows (\Device\PhysicalMemory, \Device\DebugMemory) • Linux (/dev/mem, /proc/kcore, /dev/crash) • Live kernel debug dumps (NtSystemDebugControl, NtQueryVirtualMemory) • Inferential
  • 11. Memory Acquisition Tools • MoonSols tools, mdd, dd • memdump, userdump • nigilant32, KNTTools, WMFT • Idetect, Second Look, Goldfish, fmem (Linux, Mac OS X)
  • 12. Memory Acquisition Tools • MoonSols tools, mdd, dd • memdump, userdump • nigilant32, KNTTools, WMFT • Idetect, Second Look, Goldfish, fmem (Linux, Mac OS X) suggested reading: Tools: Memory Imaging Forensics WiKi
  • 13. Memory Acquisition Gotchas • memory images taken live may come “blurred” • time required increases with memory size • for faster scans, reduce kernel space size (/3G switch)
  • 14. Memory Acquisition Gotchas • memory images taken live may come “blurred” • time required increases with memory size • for faster scans, reduce kernel space size (/3G switch) suggested reading: Acquisition and analysis of volatile memory from android devices Digital Investigation
  • 15. /3GB Startup Switch in 32-bit Win boot.ini file (diagram of the 32-bit virtual address space) • Default: User Space 0x00000000–0x7FFFFFFF, Kernel Space 0x80000000–0xFFFFFFFF • /3GB: User Space 0x00000000–0xBFFFFFFF, Kernel Space 0xC0000000–0xFFFFFFFF
  • 16. /3GB Startup Switch in 32-bit Win boot.ini file (same diagram as slide 15) suggested reading: How to Set the /3GB Startup Switch in Windows, Technet, Microsoft
  • 17. Memory Acquisition Techniques (Hardware) • Firewire/DMA • PCI Card (“Tribble”) • Debug ports (JTAG) • Inferential
  • 18. Memory Acquisition Techniques (Hardware) (same list as slide 17) suggested reading: Tools: Memory Imaging, Forensics WiKi
  • 20. Piezo-Acoustic iPod Hack flickr photo by guanix
  • 21. Piezo-Acoustic iPod Hack • iPod 4G • firmware dump by playing sounds • ARM code that can read addresses 0 through 65535 • one sound to represent a 1 bit, another for a 0 bit • 64 kb file at 5 bytes/sec • sound recognition/ error detection & correction • iPod-Linux project
  • 24. Memory Analysis Tools • Volatility • Memoryze • Windbg • Redline • Volafox
  • 26. Volatility • an advanced memory forensics framework • extraction of digital artifacts from volatile memory (RAM) samples • plugin based architecture • major releases at present moment: 1.3, 2.0 & NG (Scudette’s branch) • Python
  • 27. Volatility (same list as slide 26) suggested reading: An advanced memory forensics framework, Volatility, Volatile Systems; suggested reading: Volatility, Memory Forensics, Google Wiki pages
  • 29. Windows - things you can analyze • processes, threads, sockets, connections, modules • files & DLLs loaded for each process • the hive (registry handles) • process' addressable memory & executables extraction • OS kernel modules • mapping physical offsets to virtual addresses (strings to process) • security access tokens • more, much more...
  • 30. mimikatz - getting clear text passwords in Windows (diagram) Client Application, SSPI, Digest SSP, Server; Local Security Authority SubSystem (LSASS): LSA Server, Digest SSP Service
  • 31. mimikatz - getting clear text passwords in Windows (same diagram as slide 30, with “inject sekurlsa.dll” pointing into LSASS)
  • 32. mimikatz - getting clear text passwords in Windows (same diagram; the packages inside LSASS are TsPkg, Wdigest and LiveSSP, and the stored secrets pass through LsaProtectMemory / LsaUnprotectMemory; “inject sekurlsa.dll”)
  • 34. mimikatz - getting clear text passwords from Windows • Traitement du Kiwi - injects sekurlsa.dll (LSASS) • TsPkg & Wdigest store encrypted (not hashed) passwords • used for Kerberos, NTLM/LM, HTTP Digest authentication • function LsaUnprotectMemory retrieves clear text password • pass the word > pass the hash
  • 35. Windows - Process reconstitution • OS walking (KPCR > PsActiveProcessHead > _LIST_ENTRY) > EProcess... (pslist) • pool tags (psscan) • others..
  • 36. Windows - _EPROCESS structure • image filename • process id, parent process id • create/exit times • base priority • exit status • next/prev process block • image base address • ...
  • 37. Windows - _EPROCESS structure (same list as slide 36) suggested reading: struct EPROCESS, NirSoft
  • 38. Windows - process reconstitution (diagram) PsActiveProcessHead → EPROCESS → EPROCESS → EPROCESS
  • 39. Windows - process reconstitution (diagram) each EPROCESS carries a LIST_ENTRY whose Flink and Blink pointers link it to its neighbours
  • 40. DKOM (Direct Kernel Object Manipulation) (diagram) the neighbours’ Flink and Blink are rewritten to skip the middle EPROCESS, which drops out of the list while its memory stays in place • detectable by Volatility psscan plugin
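To make the pslist/psscan difference on slides 35–40 concrete, here is an added Python example written for this page; it is not the deck's code and not Volatility's. It builds a small constructed memory image holding a simplified process record (a "Proc" pool tag, a PID, a LIST_ENTRY and an image name; the real _EPROCESS is far larger and its offsets differ), unlinks one record the way DKOM does, then walks the list as pslist would and carves by pool tag as psscan would. The record layout, the addresses and the process names are all constructed for the example.

```python
import struct

# Constructed, simplified process record (NOT the real _EPROCESS layout):
#   +0x00  4 bytes  pool tag (the real allocation's _POOL_HEADER also uses "Proc")
#   +0x04  4 bytes  UniqueProcessId, little-endian
#   +0x08  8 bytes  ActiveProcessLinks: Flink, Blink; as on Windows these point
#                   at the neighbours' ActiveProcessLinks field, not at their base
#   +0x10 16 bytes  ImageFileName, NUL padded
REC = struct.Struct("<4sIII16s")
TAG = b"Proc"
LINKS_OFF = 8            # offset of ActiveProcessLinks inside the record
HEAD = 0x10              # address of our fake PsActiveProcessHead LIST_ENTRY
IMAGE_SIZE = 0x1000


def build_image(procs, hidden=()):
    """Lay `procs` ([(pid, name), ...]) out as a circular doubly linked list
    hanging off HEAD, then DKOM-unlink every pid in `hidden`: the neighbours
    are re-pointed around the victim while the victim's bytes stay in place."""
    img = bytearray(IMAGE_SIZE)
    addrs = [0x100 + i * 0x40 for i in range(len(procs))]
    links = [HEAD] + [a + LINKS_OFF for a in addrs] + [HEAD]
    for i, (a, (pid, name)) in enumerate(zip(addrs, procs)):
        img[a:a + REC.size] = REC.pack(TAG, pid, links[i + 2], links[i], name.encode())
    img[HEAD:HEAD + 8] = struct.pack("<II", links[1], links[-2])
    for pid in hidden:
        victim = addrs[[p for p, _ in procs].index(pid)]
        _, _, flink, blink, _ = REC.unpack_from(img, victim)
        img[blink:blink + 4] = struct.pack("<I", flink)        # prev.Flink = victim.Flink
        img[flink + 4:flink + 8] = struct.pack("<I", blink)    # next.Blink = victim.Blink
    return img


def pslist(img):
    """Follow Flink from PsActiveProcessHead, as Volatility's pslist does.
    An unlinked record is simply never reached."""
    out, seen = [], set()
    link = struct.unpack_from("<I", img, HEAD)[0]
    while link != HEAD and link not in seen:        # `seen` guards against loops
        seen.add(link)
        _, pid, flink, _, name = REC.unpack_from(img, link - LINKS_OFF)
        out.append((pid, name.rstrip(b"\0").decode()))
        link = flink
    return out


def psscan(img):
    """Carve records by pool tag without touching the list, as psscan does,
    so an unlinked record is still found as long as its pool memory
    has not been reused."""
    out, pos = [], img.find(TAG)
    while pos != -1 and pos + REC.size <= len(img):
        _, pid, flink, blink, name = REC.unpack_from(img, pos)
        name = name.rstrip(b"\0")
        # plausibility checks stand in for the sanity rules a real scanner applies
        if (pid and flink < IMAGE_SIZE and blink < IMAGE_SIZE
                and name and all(0x20 <= c < 0x7F for c in name)):
            out.append((pid, name.decode()))
        pos = img.find(TAG, pos + 1)
    return out


def hidden_processes(img):
    """Processes present in pool memory but absent from the linked list:
    the classic DKOM indicator."""
    return sorted(set(psscan(img)) - set(pslist(img)))


if __name__ == "__main__":
    # constructed process set; "evil.exe" is the one a rootkit unlinked
    image = build_image([(4, "System"), (500, "lsass.exe"),
                         (612, "svchost.exe"), (1337, "evil.exe")], hidden=(1337,))
    print("pslist :", pslist(image))
    print("psscan :", psscan(image))
    print("hidden :", hidden_processes(image))
```

The walk stops as soon as it is back at the head, so it never sees the unlinked record; the carve finds it because the bytes are still there. A real scanner also checks that the record's own Blink and Flink point at nodes that point back, which is another cheap consistency test worth adding on top of the set difference.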
  • 42. Process hollowing • legitimate process loaded into memory to act as a code container • host process is created into a suspended mode • antivirus bypassing • meterpreter ‘-m’ flag • detectable with Volatility plugins pslist + procexecdump combined with fuzzy hashing (ssdeep)
  • 43. Process hollowing • legitimate process loaded into memory to act as a code container • host process is created into a suspended mode • antivirus bypassing • meterpreter ‘-m’ flag • detectable with Volatility plugins pslist + procexecdump combined with fuzzy hashing (ssdeep) suggested reading: Eternal Sunshine on the Spotless RAM SecurityStreet, Rapid7
  • 44. Process hollowing (diagram) a Process (suspended) beside a Process (running)
  • 46. If in doubt, it's an APT. @explanoit
  • 48. Java Management Extensions (JMX) • monitor and manage any Java based applications • automatically exposed by JMX agents • clients like Java Visual VM can connect to it locally and remotely • supports MBeans • tools: Java Visual VM, JConsole, MAT (Eclipse), JmxCli
  • 49. Java Management Extensions (JMX) (same list as slide 48) suggested reading: Monitoring and Management Using JMX Technology, Java SE Monitoring and Management Guide
  • 51. Java Management Extensions (JMX) • no default port but... “statistical” guessing: 3333,6161,9999 • authentication? encryption? not by default! • properties where you can fix that: com.sun.management.jmxremote.port com.sun.management.jmxremote.ssl com.sun.management.jmxremote.authenticate
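A defender-side check for the three properties on slide 51, as an added Python example (not from the deck): it pulls the com.sun.management.jmxremote.* system properties out of a JVM command line (the kind of string `ps -o args` or /proc/<pid>/cmdline gives you), reports a remote port exposed with authentication or SSL switched off, and prints the hardened property set. The command lines, the port list and the file paths in the hardened set are constructed for the example.

```python
import shlex

PREFIX = "com.sun.management.jmxremote"
# the ports the slide calls "statistical guesses": worth a second look on any host
COMMON_JMX_PORTS = {3333, 6161, 9999}


def jmx_properties(cmdline):
    """Return the -Dcom.sun.management.jmxremote.* properties of a JVM
    command line as a dict (a bare -Dcom.sun.management.jmxremote maps to "")."""
    props = {}
    for arg in shlex.split(cmdline):
        if arg.startswith("-D" + PREFIX):
            key, _, value = arg[2:].partition("=")
            props[key] = value
    return props


def audit_jmx(cmdline):
    """Findings for remote JMX exposure. Only a set jmxremote.port opens a
    remote connector, so everything hinges on that property."""
    props = jmx_properties(cmdline)
    findings = []
    port = props.get(PREFIX + ".port")
    if port is None:
        return findings                       # no remote connector configured
    if props.get(PREFIX + ".authenticate", "").lower() == "false":
        findings.append(f"JMX on port {port} with authentication disabled")
    if props.get(PREFIX + ".ssl", "").lower() == "false":
        findings.append(f"JMX on port {port} without SSL (clear-text RMI)")
    if port.isdigit() and int(port) in COMMON_JMX_PORTS:
        findings.append(f"JMX on a commonly guessed port ({port})")
    return findings


def hardened_flags(port, password_file, access_file):
    """The property set that closes the gaps the slide lists. The two files
    are the JDK's standard jmxremote password and access files; the paths
    are whatever the deployment uses."""
    return [
        f"-D{PREFIX}.port={port}",
        f"-D{PREFIX}.authenticate=true",
        f"-D{PREFIX}.password.file={password_file}",
        f"-D{PREFIX}.access.file={access_file}",
        f"-D{PREFIX}.ssl=true",
    ]


# constructed sample command lines, not captured from a real host
WEAK = ("java -Dcom.sun.management.jmxremote.port=9999 "
        "-Dcom.sun.management.jmxremote.authenticate=false "
        "-Dcom.sun.management.jmxremote.ssl=false -jar app.jar")
FIXED = ("java " + " ".join(hardened_flags(19999, "/etc/app/jmxremote.password",
                                            "/etc/app/jmxremote.access")) + " -jar app.jar")

if __name__ == "__main__":
    for line in (WEAK, FIXED):
        print(line)
        for finding in audit_jmx(line) or ["no findings"]:
            print("  -", finding)
```

Run it over the output of `ps -eo args` on a fleet and the weak pattern shows up quickly; the hardened set still needs the password and access files to exist with restrictive permissions, or the JVM refuses to start.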
  • 53. 1) open browser on URL: http://somevictim.com:8080/jmx-console/HtmlAdaptor?action=displayMBeans
  • 54–57. (screenshots of the same JMX console URL)
  • 58. jbossify for JBoss 2) run jbossify: wget https://raw.github.com/blackthorne/Pentest-utils/master/jbossify.py $ python jbossify.py • jbossify.py <host> <port> <instance_name> [<properties to extract>] • jbossify.py --offline <instance_folder> [<properties to extract>] for offline extraction • <properties to extract> can be 'conn', 'dd', 'sql' or 'all' (default is just conn): conn -> ManagedConnectionFactoryProperties, dd -> deploymentDescriptor, sql -> SqlProperties • Connection Strings!
  • 60. So, Java uses Memory... tell me you were not aware of it?
  • 62. Truecrypt • Virtual Encrypted Disks • Partitions & storage devices • Parallelization & Pipelining • Automatic, Real-time & Transparent • Hardware accelerated • Plausible Deniability • Multiple platform
  • 69. Meanwhile... in a memory chip close, close by...
  • 72. Truecrypt 1) where? DRIVER_OBJECT address
  • 73. Truecrypt 1) where? DRIVER_OBJECT address 2) size? DriverStart to DriverStart + DriverSize suggested reading: RAM is Key, Extracting Disk Encryption Keys From Volatile Memory by Brian Kaplan, Carnegie Mellon University
  • 74. Truecrypt ..on a little endian architecture.. 3) what? $ xxd JOHN-2CF071298B-20120512-221220.raw |grep 123asd 88f3060: 0c00 0000 3132 3361 7364 4153 4421 4023 ....123asdASD!@#
  • 75. Truecrypt ..on a little endian architecture.. 3) what? $ xxd JOHN-2CF071298B-20120512-221220.raw |grep 123asd 88f3060: 0c00 0000 3132 3361 7364 4153 4421 4023 ....123asdASD!@# that’s a 12-byte passphrase (0c00 0000 is the little-endian passphrase length, 12)
• 76. Truecrypt ..on a little endian architecture.. 3) what? {length, passphrase} tuples with fingerprint:
  ????0000   ????????..   0x00..
  length     passphrase   NULL’s
  length in [1..64], passphrase in ASCII printable [0x20..0x7E], followed by NULs
  suggested reading: Cryptoscan plugin, Jesse Kornblum; TrueDecrypt plugin, Francisco Ribeiro
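Added example, not the TrueDecrypt or Cryptoscan plugin and not code from the deck: a scanner for the {length, passphrase} fingerprint described above (32-bit little-endian length in [1..64], then that many printable ASCII bytes, then NULs), run over a constructed memory image that plants the slide's "123asdASD!@#" passphrase next to two look-alikes. The loose fingerprint matches any length-prefixed string, so the code also offers a strict mode; its assumption, labelled in the code, is that TrueCrypt keeps the text in a 65-byte field that is NUL-filled past the passphrase.

```python
# Added example (not the TrueDecrypt/Cryptoscan plugins): scan a raw memory
# image for TrueCrypt-style {length, passphrase} structures.
import random
import re
import struct
from typing import List, Tuple

MIN_LEN, MAX_LEN = 1, 64
# Assumption: TrueCrypt stores the passphrase in a 65-byte text field
# (MAX_PASSWORD + 1) that is NUL-filled past the passphrase itself;
# strict mode checks that whole field, loose mode only the first NUL.
TEXT_FIELD = 65

# uint32 LE in [1..64]: low byte 0x01..0x40 followed by three zero bytes
HEADER = re.compile(rb"[\x01-\x40]\x00\x00\x00")


def _printable(buf: bytes) -> bool:
    return len(buf) > 0 and all(0x20 <= b <= 0x7E for b in buf)


def find_passphrases(image: bytes, strict: bool = True) -> List[Tuple[int, int, str]]:
    """(offset, length, passphrase) for every fingerprint match in the image.

    strict=False is the loose fingerprint from the slide (one NUL after the
    text); strict=True additionally demands NULs up to the end of the 65-byte
    text field, which weeds out most ordinary length-prefixed strings."""
    hits = []
    for m in HEADER.finditer(image):
        off = m.start()
        (n,) = struct.unpack_from("<I", image, off)
        if not MIN_LEN <= n <= MAX_LEN:
            continue
        text = image[off + 4: off + 4 + n]
        if len(text) != n or not _printable(text):
            continue
        pad_len = (TEXT_FIELD - n) if strict else 1
        pad = image[off + 4 + n: off + 4 + n + pad_len]
        if len(pad) != pad_len or any(pad):
            continue
        hits.append((off, n, text.decode("ascii")))
    return hits


def build_sample_image(seed: int = 7) -> bytes:
    """Constructed image: high-bit filler (can never match HEADER) around one
    planted passphrase struct and two decoys the fingerprint should reject."""
    rnd = random.Random(seed)

    def filler(k: int) -> bytes:
        return bytes(rnd.randrange(0x80, 0x100) for _ in range(k))

    real = struct.pack("<I", 12) + b"123asdASD!@#".ljust(TEXT_FIELD, b"\0") + b"\0" * 3
    decoy_no_nul = struct.pack("<I", 3) + b"abcX"                 # printable byte right after the text
    decoy_short = struct.pack("<I", 5) + b"hello\0" + b"A" * 10   # one NUL, but the field is not clean
    return filler(64) + real + filler(32) + decoy_no_nul + filler(32) + decoy_short + filler(64)


if __name__ == "__main__":
    img = build_sample_image()
    for off, n, pw in find_passphrases(img):
        print(f"0x{off:08x}: length {n}: {pw!r}")
```

Run it against a real .raw and expect noise in loose mode: every Pascal-style string in the dump satisfies the fingerprint, which is why the strict check (or a Volatility plugin that walks from the TrueCrypt driver's pool allocations instead of carving blindly) is worth the extra lines.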
• 79. Cold Boot attacks on encryption keys • exploits data remanence in volatile memory • retrieves the encryption keys used to encrypt hard drives • Truecrypt, BitLocker, FileVault
  suggested reading: Lest We Remember: Cold Boot Attacks on Encryption Keys, Princeton University
  • 80. MultiFunction Printers? ...stores images of all scanned, copied, printed and e-mailed documents...
• 81. MultiFunction Printers? 1) Open it (google: “<your_MFP_model> hard drive replacement”)
• 86. MultiFunction Printers? 2) Analyze that: the raw dump reads V..éSODX; flipping bytes gives é..VXDOS, that’s BIGDOS FAT16! 3) open Finder
  suggested reading: Survey of Scanner and Printer Forensics, Purdue University; Forensic analysis of digital copiers, Svein Yngvar Willassen
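Added example, not code from the deck: the dump above only made sense once its bytes were flipped, and the tell was a FAT16 boot sector (BIGDOS is the old name for the FAT16 partition type used on volumes over 32 MB). The code below undoes such word byte-swapping and parses the BIOS parameter block. The swap width is an assumption (the slide only shows "V..éSODX" becoming "é..VXDOS"), so detect_swap() tries 16-bit and 32-bit swaps and keeps the first that yields a sane boot sector; the sample boot sector is constructed.

```python
# Added example (not from the deck): undo word byte-swapping of a raw disk
# image dumped from an MFP and recognise the FAT16 boot sector underneath.
import struct
from typing import Dict, Optional, Tuple


def swap_bytes(data: bytes, width: int) -> bytes:
    """Reverse the byte order inside every `width`-byte word (2 or 4),
    zero-padding a ragged tail. Applying it twice restores the input."""
    if width not in (2, 4):
        raise ValueError("width must be 2 or 4")
    if len(data) % width:
        data += b"\0" * (width - len(data) % width)
    return b"".join(data[i:i + width][::-1] for i in range(0, len(data), width))


def parse_fat_boot_sector(sector: bytes) -> Optional[Dict[str, object]]:
    """BIOS parameter block of a FAT12/16 boot sector, or None when the sector
    fails the cheap checks: 0x55AA signature, x86 jump opcode, sane geometry."""
    if len(sector) < 512 or sector[510:512] != b"\x55\xAA":
        return None
    if sector[0] not in (0xEB, 0xE9):
        return None
    bps, spc, reserved, nfats, root_entries, total16, media, spf = \
        struct.unpack_from("<HBHBHHBH", sector, 11)
    if bps not in (512, 1024, 2048, 4096) or spc == 0 or nfats == 0:
        return None
    total32 = struct.unpack_from("<I", sector, 32)[0]
    return {
        "oem": sector[3:11].decode("ascii", "replace").strip(),
        "bytes_per_sector": bps,
        "sectors_per_cluster": spc,
        "reserved_sectors": reserved,
        "fats": nfats,
        "root_entries": root_entries,
        "total_sectors": total16 or total32,
        "media": media,
        "sectors_per_fat": spf,
        "label": sector[43:54].decode("ascii", "replace").strip(),
        "fs_type": sector[54:62].decode("ascii", "replace").strip(),
    }


def detect_swap(sector: bytes) -> Optional[Tuple[int, Dict[str, object]]]:
    """(swap width, parsed BPB) for the first interpretation that parses;
    width 1 means the image was not swapped at all."""
    for width in (1, 2, 4):
        candidate = sector if width == 1 else swap_bytes(sector, width)
        parsed = parse_fat_boot_sector(candidate)
        if parsed:
            return width, parsed
    return None


def build_sample_boot_sector() -> bytes:
    """Constructed FAT16 boot sector (values made up but internally consistent)."""
    bs = bytearray(512)
    bs[0:3] = b"\xEB\x3C\x90"             # jmp short + nop
    bs[3:11] = b"MSDOS5.0"                # OEM name
    # bytes/sector, sectors/cluster, reserved, FATs, root entries, total16, media, sectors/FAT
    struct.pack_into("<HBHBHHBH", bs, 11, 512, 4, 1, 2, 512, 0, 0xF8, 128)
    struct.pack_into("<I", bs, 32, 131072)  # total sectors (64 MiB), too big for total16
    bs[38] = 0x29                            # extended boot signature
    bs[43:54] = b"SCANS      "               # volume label
    bs[54:62] = b"FAT16   "                  # file system type string
    bs[510:512] = b"\x55\xAA"
    return bytes(bs)


if __name__ == "__main__":
    dumped = swap_bytes(build_sample_boot_sector(), 4)   # what the MFP dump looks like
    print(detect_swap(dumped))
```

Once detect_swap() names the width, apply swap_bytes() to the whole image (stream it in multiples of the width for anything larger than a few hundred MB) and the result mounts like any FAT16 volume; the spool directories with scanned, copied and faxed jobs are then ordinary files.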
• 89. does your company handle this properly?
• 98. STUXNET • source: attributed to the US and Israel • target: Iran’s nuclear program • very sophisticated cyber warfare on SCADA • infection by USB thumb drive • hijacks the Siemens Step7 software to reprogram Simatic S7-300 PLCs • deceives monitoring, destroys centrifuges • ~10,000 lines of code
  suggested reading: Stuxnet's Footprint in Memory with Volatility 2.0, MNIN Security Blog, Michael Ligh (MHL)
  • 100. What about searching for what you don’t know?
• 101. Codetective • an analysis tool that determines the crypto/encoding algorithm used from traces of its representation • can be used as a Volatility plugin or as a generic tool • filters (win, unix, web, db or other) and a level of confidence per match • supports: shadow and SAM files, phpBB3, Wordpress, Joomla, CRC, LM, NTLM, MD4, MD5, Apr, SHA1, SHA224, SHA256, SHA384, SHA512, base64, MySQL323, MySQL4+, DES, RipeMD320, Whirlpool, Blowfish, Java Session IDs, connection strings, credit cards, URLs
• 102. Codetective • relevant options: -a (analyze), -u (show UUIDs), -v (verbose mode), -t (filters), -p (search by process ID), -n (search by process name). If neither -p nor -n is given, it searches all processes. • git clone git://github.com/blackthorne/Codetective.git codetective
  suggested reading: codetective plugin, github @blackthorne, Francisco Ribeiro
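Added example, not Codetective itself and not code from the deck: the "search for what you don't know" idea above rests on fingerprinting a value by the shape of its representation and attaching a confidence to each guess, then sweeping a buffer for anything that fingerprints well. The table below is my own and covers only a handful of the formats listed on the slide (crypt-style shadow hashes, phpass, MySQL, plain hex digests, base64, JDBC strings, URLs, Luhn-checked card numbers); the sample buffer is constructed. Several entries deliberately overlap (a 16-digit card number is also 16 hex characters, and 32 hex characters could be MD5, NTLM or LM), which is exactly why a confidence level is needed.

```python
# Added example (not Codetective): fingerprint strings by representation with a
# confidence per guess, then sweep a raw buffer the way a memory scan would.
import re
from typing import List, Tuple


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: turns '13-19 digits' into 'probably a card number'."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


# (name, anchored regex, confidence, extra validator or None)
FINGERPRINTS = [
    ("phpBB3 (phpass $H$)",       re.compile(r"^\$H\$[./0-9A-Za-z]{31}$"), 0.95, None),
    ("Wordpress (phpass $P$)",    re.compile(r"^\$P\$[./0-9A-Za-z]{31}$"), 0.95, None),
    ("Apr (Apache MD5-crypt)",    re.compile(r"^\$apr1\$[^$]{1,8}\$[./0-9A-Za-z]{22}$"), 0.95, None),
    ("shadow MD5-crypt",          re.compile(r"^\$1\$[^$]{1,8}\$[./0-9A-Za-z]{22}$"), 0.95, None),
    ("shadow SHA-256-crypt",      re.compile(r"^\$5\$(?:rounds=\d+\$)?[^$]{1,16}\$[./0-9A-Za-z]{43}$"), 0.95, None),
    ("shadow SHA-512-crypt",      re.compile(r"^\$6\$(?:rounds=\d+\$)?[^$]{1,16}\$[./0-9A-Za-z]{86}$"), 0.95, None),
    ("MySQL4.1+",                 re.compile(r"^\*[0-9A-F]{40}$"), 0.90, None),
    ("JDBC connection string",    re.compile(r"^jdbc:[a-z0-9]+:.+$"), 0.90, None),
    ("URL",                       re.compile(r"^https?://\S+$"), 0.90, None),
    ("credit card (Luhn-valid)",  re.compile(r"^\d{13,19}$"), 0.80, luhn_ok),
    ("SHA1",                      re.compile(r"^[0-9a-fA-F]{40}$"), 0.60, None),
    ("SHA256",                    re.compile(r"^[0-9a-fA-F]{64}$"), 0.60, None),
    ("MySQL323",                  re.compile(r"^[0-9a-f]{16}$"), 0.50, None),
    ("MD5 / NTLM / LM (ambiguous)", re.compile(r"^[0-9a-fA-F]{32}$"), 0.40, None),
    ("base64",                    re.compile(r"^(?:[A-Za-z0-9+/]{4})+(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$"), 0.30, None),
]


def classify(s: str) -> List[Tuple[str, float]]:
    """Every fingerprint s matches, best confidence first; nothing for short junk."""
    if len(s) < 8:
        return []
    hits = [(name, conf) for name, rx, conf, check in FINGERPRINTS
            if rx.match(s) and (check is None or check(s))]
    return sorted(hits, key=lambda h: -h[1])


def scan(buffer: bytes, min_confidence: float = 0.4) -> List[Tuple[str, str, float]]:
    """(value, type, confidence) for each printable run in a raw buffer that
    classifies above the threshold. A run that does not classify as a whole is
    retried field by field on ':' so shadow/SAM lines still yield their hashes."""
    results = []
    for raw in re.findall(rb"[\x21-\x7e]{8,}", buffer):
        token = raw.decode("ascii")
        whole = classify(token)
        if whole and whole[0][1] >= min_confidence:
            results.append((token, whole[0][0], whole[0][1]))
            continue
        for field in token.split(":"):
            hits = classify(field)
            if hits and hits[0][1] >= min_confidence:
                results.append((field, hits[0][0], hits[0][1]))
    return results


# Constructed "memory" buffer: a shadow line, a JDBC string, an MD5 and a
# well-known test card number, separated by non-printable bytes.
SAMPLE_BUFFER = (
    b"\x00\x00root:$6$rounds=5000$saltsalt$" + b"a" * 86 + b":18000:0:99999:7:::\x00"
    b"\x00jdbc:mysql://db.internal:3306/orders\x00"
    b"\x01\x025f4dcc3b5aa765d61d8327deb882cf99\x00"
    b"\x004111111111111111\x00\x00"
)

if __name__ == "__main__":
    for value, kind, conf in scan(SAMPLE_BUFFER):
        print(f"{conf:.2f}  {kind:28s} {value[:40]}")
```

The Luhn validator is what lifts a 16-digit run from "maybe MySQL323" to "probably a card number"; the same pattern (cheap regex, then a structural check that raises or drops the confidence) is how the ambiguous 32-hex-character bucket gets resolved in practice, for example by checking whether the bytes sit in a SAM-shaped record.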
  • 106. Where next? • Networks (Remote live forensics) • Mobiles • Virtual Machines • Cloud
• 107. GRR - remote live forensics [screenshot of the GRR console: hostname, age selector, status, volatility plugins (pslist), raw disk]
• 109. Memory Analysis on the Cloud • with virtualization, multiple Virtual Machines share a single physical machine and expose their volatile memory in snapshot files (.vmem, ...) that are accessible from userland • Analyzing iOS iTunes memory allows you to retrieve iCloud credentials. Years ago that wasn’t that serious, but now it’s not just music, is it? • What about Dropbox and Google accounts: how complex is your password? Does it really matter? Where is it stored?
  • 110. My clipboard supports: •mixed case passwords •numbers •special characters and length > 20
  • 111. Special thanks to: • Michael Cohen • Brendan Dolan-Gavitt
• 112. References: • Tools: Memory Imaging, Forensics Wiki • Acquisition and analysis of volatile memory from android devices, Digital Investigation • struct EPROCESS, NirSoft • How to Set the /3GB Startup Switch in Windows, TechNet, Microsoft • Eternal Sunshine on the Spotless RAM, SecurityStreet, Rapid7 • Monitoring and Management Using JMX Technology, Java SE Monitoring and Management Guide
  • 113. References: • RAM is Key, Extracting Disk Encryption Keys From Volatile Memory by Brian Kaplan, Carnegie Mellon University • Cryptoscan plugin, Jesse Kornblum • TrueDecrypt plugin, Francisco Ribeiro • Survey of Scanner and Printer Forensics , Purdue University • Forensic analysis of digital copiers, Svein Yngvar Willassen • Stuxnet's Footprint in Memory with Volatility 2.0, MNIN Security Blog, Michael Ligh MHL
  • 114. References: • codetective plugin - github @blackthorne, Francisco Ribeiro • Volatility - Memory Forensics, Volatile Systems • Exploiting the Rootkit Paradox with Windows - Memory Analysis, Jesse D. Kornblum • An advanced memory forensics framework - Volatility, Google Wiki pages
• 116. Thank you childish won't-let-go nickname: blackthorne blackthorne (geek) bthorne_daily (social) [email protected] (PGP key: 0xBDD20CF1) http://www.digitalloft.org (homepage)