Channel: ForensicZone
Browsing latest articles
Browse All 27 View Live

User Assist Data in the RAM Dump

Lately some good information has been posted on the web regarding the importance of the USER ASSIST key, especially by Didier Stevens (http://blog.didierstevens.com/programs/userassist/) and Harlan Carvey...

"Guillotine Method" for RAM Acquisition.

Scenario #1: You come up to a desktop computer that you have legal authority to forensically analyze. The computer is powered up but sitting at the Windows Login Screen. No chance to get an image of the...

Guillotine Steps and Conditions

Conditions:
• Machine is on but not logged in.
• Machine is on / logged on / not running encryption (BitLocker, BestCrypt…). (If running encryption, make a logical image immediately.)
• You have...

RAM Capture Methodology

Speaking Engagement

I am presenting a two-day course on RAM Acquisition and RAM Analysis at the International Association of Computer Investigative Specialists (IACIS) 2008 CFCE Course from April 28, 2008 through May...

XPSP3 - How is this going to affect RAM Analysis?

Well, to sum up XPSP3 (for RAM analysis), I’d say the prognosis is great. The key offsets that I look for in the EPROCESS (Page Directory Base, Create Time Low, Create Time High, Exit Time Low, Exit Time...

“Lest We Remember: Cold Boot Attacks on Encryption Keys”

Seems like a team of Princeton students have put together a very well done website, research paper (pdf) and video regarding acquiring RAM. The gist of these items shows: information stays in RAM after...

Fifteen Minute Malware Analysis

Tools:
1. VMware Workstation or VMware Server (Server = free)
2. Windows 2000 (small $)
3. TextScan - free (by AnalogX) http://www.analogx.com/contents/download/program/textscan.htm
4. PtfinderFE - free...

Practical of “15 Minute Virus Analysis”

I want to show a practical example of my “15 Minute Virus Analysis”. You must download the RADA Virus if you want to “play” along. The RADA Virus is a REAL VIRUS SO BE CAREFUL… The RADA VIRUS was created...

RAM Enscript Version 1.0

RAM ENSCRIPT UPDATED!!! (Download)
The new RAM Enscript contains:
• OS Identification
• Processes (Exited / Running)
• Registry Remnants (UserAssist)
• MSHTML Remnants
• MFT Parser
Runs against RAM Dumps from Windows...

BIOS Magic Numbers in RAM (Beta)

A colleague of mine approached me after teaching a class on finding information in RAM. He asked me to prove a particular RAM acquisition came from a particular machine. My first thought was to run to...

Article 11

I am presenting a two-day course on RAM Acquisition and RAM Analysis at Digital Intelligence. The course is June 10-12, 2008 and is FREE. The following is a quick synopsis of the training: RAM Analysis...

Winen.exe - RAM Imaging Tool Included in New Version of Encase

Today when I downloaded the latest version of Encase (6.11.0.43) I discovered winen.exe in the Encase Program Folder. Apparently winen.exe is the new RAM Acquisition Tool provided by Guidance...

Article 9

Using Volatility (1.3_Beta), the Volatility plugin from Moyix, a test RAM image (xp-laptop-2005-06-25.img) and a Windows hash/password finder (SamInside or Cain and Abel), identify the passwords for the...

VMWare Running? Better Check for Different Windows Operating Systems...

Identify multiple Windows OS versions in a single RAM capture if the host machine is running VMware machines. I often run VMware machines on my host machine, so I can easily grab the machine's RAM...

Sandman Shell: Batch files to Define environment variable _NT_SYMBOL_PATH

I had the following question from Mr Anonymous about Matthieu Suiche's Sandman Shell project: “...the same happens with hibrshell. When I execute the command it crashes while "Retrieving Kernel Image...

Volatility Batch File Maker

The Tool: Volatility Batch File Maker (Download)
I wanted to take the text output of the various tools (Ptfinder, PtFinderFE and Volatility > PsScan2), which identify all the offsets for (running)...

Walk-Through: Volatility Batch File Maker and Volatility's ProcDump

1. Download the following files from Hogfly (Website): exemplar6.tar.gz.001, exemplar6.tar.gz.002, exemplar6.tar.gz.003. In my example I placed the files in the e:\exemlar6\ directory.
2. Add the downloaded files...

Walk-Through: Volatility Batch File Maker and Volatility's VadDump

*********** The first 5 steps are exactly the same as my last post regarding Walk-Through: Volatility Batch File Maker and Volatility's ProcDump. The walk-through portion is repeated here for future...

The Mystery of ROT (-29)

I know if you're reading my blog you've seen ROT13 and know it is used by Microsoft in the UserAssist Registry Key. But now I’ve found Microsoft using ROT(-29), or Rotate Minus 29, which is considerably...

New Win7 Process Enscript (Beta)

I updated my Basic Memory Analysis Enscripts (Version 6) and rolled them out at the 2010 WACCI Conference. The newest addition is an Enscript to carve for Windows 7 Processes (Exited and...

EnScripts (EnPacks) to Carve iPhone SMS Messages

These are tools to find SMS Messages from physical (carve) or logical files, recovered from an iPhone (DOWNLOAD). This tool is really meant to find unallocated SMS Messages in a Raw disk recovery of...

WACCI Conference 2012 - Tips and Tricks Notes

Wisconsin Association of Computer Crime Investigators Conference 2012 Tips and Tricks Notes: "Thank you" for all the great input.
• Digital Intelligence Forensic Scanner
• RegRipper
• CERT Tools (Registration...

Wisconsin Association of Computer Crime Investigators 2013 Conference

"Sup" (...been a long while) PTFinderFE is obsolete due to the new innovations in Volatility. (Updated 10/20/13) My new Volatility Batch File Maker does all that PTFinderFE did and MORE!!! ***** Known...

KAI OS Forensics for Money and Profit

For the last month I have been forensically analyzing KAI OS 2.5, formerly Firefox OS. We are seeing a bunch of these feature phones in our lab. Download KAI OS Forensics for Money and Profit (Download)...
