All,
I've posted my slides for GMU2006
http//
There are 3 PPTs…my presentations on Windows memory analysis and USB devices, and the PPT for the opening session.
This is primarily for folks attending GMU2006, but I invite anyone to download the slides. Comments and questions are welcome.
Thanks,
Harlan
Thanks Harlan,
Just reviewed your slides, great information for those that cannot attend. It would be nice if Windows would log some sort of entry in the system log. Maybe Vista?
Chris
> It would be nice if windows would log some sort of entry in the system log.
Regarding what, specifically?
When you plug in a USB device, Windows does not log any info into the Application, System, or Security Logs. Same applies for removal. In a Corporate Environment, these logs would be useful. At least in my case.
While I haven't seen anything in the Event Log yet, there are other resources, such as the Registry, that are rich in information. In fact, query the Registry of the system, and you can get the device class, serial number (if there is one), friendly name, and the last time it was connected. You may even get the drive letter it was mapped to.
Remember, one way to look at the Registry is like a great big log file.
Harlan
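As an added illustration of the point above (example code, not Harlan's or anyone else's from the thread): reading the USB storage device records out of a live Windows Registry. It assumes the HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR key layout, the FriendlyName value name, and the PnP convention that a Windows-generated instance ID (device without a hardware serial) has '&' as its second character; the pure helpers run anywhere, enumerate_usbstor() needs Windows.

```python
# Added example (not from the thread): read USB storage device artefacts from a
# live Windows Registry. Assumes the HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR
# layout; the pure helpers run anywhere, enumerate_usbstor() needs Windows.
from datetime import datetime, timedelta, timezone

USBSTOR_PATH = r"SYSTEM\CurrentControlSet\Enum\USBSTOR"

def parse_device_class(key_name):
    """Split 'Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.00' into class/vendor/product/rev."""
    parts = key_name.split("&")
    out = {"class": parts[0], "vendor": "", "product": "", "revision": ""}
    for field, prefix in (("vendor", "Ven_"), ("product", "Prod_"), ("revision", "Rev_")):
        for p in parts[1:]:
            if p.startswith(prefix):
                out[field] = p[len(prefix):]
    return out

def has_real_serial(instance_id):
    """Devices without a hardware serial get a Windows-generated instance ID
    whose second character is '&' (assumed PnP convention)."""
    return len(instance_id) > 1 and instance_id[1] != "&"

def filetime_to_datetime(ft):
    """Key LastWrite times are 100-ns ticks since 1601-01-01 UTC."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)

def enumerate_usbstor():
    """One dict per device instance: class fields, serial, name, last write time."""
    import winreg  # Windows-only; imported here so the helpers stay portable
    results = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, USBSTOR_PATH) as root:
        for i in range(winreg.QueryInfoKey(root)[0]):
            dev = winreg.EnumKey(root, i)
            with winreg.OpenKey(root, dev) as dkey:
                for j in range(winreg.QueryInfoKey(dkey)[0]):
                    inst = winreg.EnumKey(dkey, j)
                    with winreg.OpenKey(dkey, inst) as ikey:
                        last_write = winreg.QueryInfoKey(ikey)[2]  # LastWrite FILETIME
                        try:
                            friendly = winreg.QueryValueEx(ikey, "FriendlyName")[0]
                        except OSError:  # value absent on some devices
                            friendly = ""
                    rec = parse_device_class(dev)
                    rec.update(serial=inst, real_serial=has_real_serial(inst),
                               friendly_name=friendly, last_write=filetime_to_datetime(last_write))
                    results.append(rec)
    return results
```

The key's LastWrite time is only an approximation of "last connected"; any later write to that key moves it, so treat it as an upper bound and corroborate with other artefacts.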
Thanks for the slides - I was all set to go to GMU 2006, but we started having server problems, and they had to cancel my TDY.
bj
Harlan -
Are you the one giving the lecture on the slides that were provided? If so GREAT JOB!!
I was actually looking for some way to demonstrate a buffer overflow in class. I of course can simply chalk and talk about it, then use something like Metasploit to do the demonstration. But what I would like to do is take some kind of memory snapshot of the process before and after the exploitation.
I know this is not an Ethical Hacker Forum but some of the concepts are closely intertwined.
If you or anyone else knows of some what to say "colorize" the memory in some sort of display program to make it easy to see where the malicious code was "shoved in" and the legitimate memory was that would be great.
I was hoping to find something that would show all the segments and where a data segment is above the stack segment and what happened when the attack occurred. Maybe show how the NOP sled was created as well.
Sorry if this is technical or off issue for some of the forensics guys but as I said it is helpful to understand these things even from a forensics standpoint.
Thanks to anyone who can help.
Maxwell.
> Are you the one giving the lecture on the slides that were provided? If
> so GREAT JOB!!
Thanks.
Yes, I created the material and the slides, and I will be presenting.