The reviewers at Black Hat have notified me that my submission has been accepted and I will be speaking at Black Hat USA 2011 in Las Vegas this year. As you can imagine, I’m thrilled, as I was not able to attend Black Hat or Defcon last year. I’m looking forward to being there as a speaker this time, interacting with all the great folks I met two years ago there, and anyone new I meet.

The title of my talk is “Covert Post-Exploitation Forensics With Metasploit”, which will be accompanied by the release of a set of meterpreter scripts and a whitepaper that details how they can be used. The abstract of my work has been posted on the Briefings page at the USA 2011 site:

In digital forensics, most examinations take place after the hardware has been physically seized (in most law enforcement scenarios) or a preinstalled agent allows access (in the case of enterprise forensics packages). These scenarios imply that the “subject” (the one in possession of the media) is aware of the fact that their data has been seized or subject to remote access. While penetration testing tools allow for surface-level access to the target filesystem, there is a lot of potential data being missed in unallocated space that could be accessed by file system forensic tools such as The Sleuth Kit.

In this presentation, Wesley will present a new set of tools that will allow forensic examiners and pentesters alike to image remote filesystems of compromised systems, or perform examinations directly on remote filesystems with forensic tools on the attacking machine by mapping remote drives to local block devices. This is the integration of Metasploit with a large body of existing digital forensic tools.

The associated scripts and more information will be released with the conference proceedings, and here on this site at the time of my talk (probably also as a coordinated release into the Metasploit trunk, but I haven’t talked to those guys about it yet).

At this point, you’ll have to take my word for it, but I assure you this isn’t a typical “Yet Another Metasploit Talk”. I would hope that the submission reviewers at Black Hat would not have accepted it if they felt this was the case. What I’m demonstrating is a way to use a whole suite of useful and mature tools in a penetration test (or other scenario) through Metasploit.

Assuming I’m not scheduled to present at the same time as Barnaby Jack, Dan Kaminsky, or the like, I’d definitely recommend showing up, as I think it’ll be a very fun talk and demonstration. See you at Caesars Palace!

16 comments on “Speaking at Black Hat USA 2011”

  1. Congrats – really excited to have stumbled upon your site. Hope that you will release additional information for those who are unable to attend.

    • Wesley McGrew said:

      Thanks Matt,

      The whitepaper and tools will be published on this site (and on the Black Hat site) at the time of my talk, or shortly thereafter, and videos of past conference talks are published by Black Hat several months after the conference usually.

  2. thefixer said:

    git yo shine on playa

  3. Leon van der Eijk said:

    Great news mate! Great topic too.

  4. solal said:

    Great idea for a presentation. It could be interesting to see your tool interact with digital forensics framework.

  5. Rishabh Dangwal said:

    Awesome :) …I wish I could come there too :|

  6. Eric Fiterman said:

    Wesley,

    Using Metasploit as a legit forensics/investigative tool is a great topic with little coverage. Looking forward to hearing the presentation.

    -Eric

  7. thefixer said:

    Offensive security and forensics combined? Is that even ethical? If I read this correctly, you’re talking about theoretically exploiting some vulnerabilities to gain unauthorized access to a remote machine, and then remotely mapping a disk to run standardized forensics tools?

    • Wesley McGrew said:

      You read correctly, and like anything dealing with offensive security research, the ethics are in how it’s used. For example, penetration testing is perfectly ethical by any imaginable standard, and this tool and method would allow penetration testers to vastly improve their post-exploitation capabilities.

      As for other situations, I’m not familiar with the legal wrangling needed to make it legit, but with the technology in place, there may be a use-case for law enforcement. In the same vein as wiretapping and surreptitious entry/search, this technique might be used against criminals that would have countermeasures (traps, automatic wiping, etc) that would make a normal seizure undesirable. Also, this may be useful for intelligence agencies to use against other nation-states.

      Also, like anything involving offensive security, the defensive side of things can look to it to see what advanced attackers may already have the capability to do to them. This might encourage some to securely wipe their sensitive data on servers, rather than simply deleting it from filesystem metadata.

      In short, I don’t have a problem with the ethics of it.

  8. thefixer said:

    Sounds like it’s going to be an exciting talk; you can be one scary dude sometimes, only because I’m a tad familiar with your capabilities. I would hate to think what you might be capable of if you weren’t concerned about ethics.

  9. thefixer said:

    I would imagine any seasoned forensics expert would know, and have an SOP or w/e, when a drive began to wipe itself, and immediately power off a system to preserve the contents of a disk, I would presume. It takes several house to properly wipe a disk with multiple passes; I can’t see a bunch of FBI agents sitting around waiting for the HD LED to stop activity before shutting down a machine, realistically. Mmm, now about automatic wiping, hmmm, I suppose there are mechanical methods to automatically destroy a drive’s contents, perhaps some neodymium magnet deadfall with some sort of a trigger, perhaps a small amount of well placed explosives, hehe…

    • Wesley McGrew said:

      While it can take a long time to wipe a drive completely, it takes only seconds to wipe the metadata (FAT, MFT, and equivalent for other filesystems) for the filesystem, which increases the time that an examiner has to take to analyze a drive by a significant amount. Targeted wiping of sensitive data can also be done in a very small amount of time.

      The technique and tools I will be presenting may also be of use if you cannot physically locate the subject/computer in question.
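The two points made above, in the abstract (data left behind in unallocated space that tools such as The Sleuth Kit can reach) and in this reply (clearing filesystem metadata takes seconds while the file content stays on disk), can be seen on a tiny constructed FAT12 volume. This is an added example, not code from the post or from the tools it announces; the volume geometry, the file name SECRET.TXT and its contents are all constructed for the demonstration. `delete_file` does what an ordinary unlink does, `secure_delete` overwrites the clusters first, and `carve_unallocated` plays the role of a carving tool scanning only clusters the FAT marks as free.

```python
import struct

SECTOR, TOTAL_SECTORS = 512, 64   # 1 reserved + 1 FAT + 1 root-dir sector, then 61 data clusters
DATA_START = SECTOR * 3           # sector 3 holds cluster 2, the first data cluster
ROOT_DIR = SECTOR * 2             # the single root-directory entry used by this example
# Constructed sample content: 12 x 64 bytes = 768 bytes, so the file occupies clusters 2 and 3.
SAMPLE = b"CONFIDENTIAL: constructed sample payroll export, not real data.\n" * 12

def fat12_get(img, n):            # FAT12 packs two 12-bit entries into three bytes
    off = SECTOR + n * 3 // 2
    v = img[off] | (img[off + 1] << 8)
    return (v >> 4) if n & 1 else (v & 0xFFF)
def fat12_set(img, n, val):
    off = SECTOR + n * 3 // 2
    if n & 1:
        img[off] = (img[off] & 0x0F) | ((val << 4) & 0xF0)
        img[off + 1] = (val >> 4) & 0xFF
    else:
        img[off] = val & 0xFF
        img[off + 1] = (img[off + 1] & 0xF0) | ((val >> 8) & 0x0F)
def build_image(content=SAMPLE):  # FAT12 volume holding one contiguous file, SECRET.TXT
    img = bytearray(SECTOR * TOTAL_SECTORS)
    img[:36] = struct.pack("<3s8sHBHBHHBHHHII", b"\xEB\x3C\x90", b"MSWIN4.1", SECTOR, 1, 1, 1,
                           16, TOTAL_SECTORS, 0xF8, 1, 1, 1, 0, 0)        # BIOS parameter block
    img[36:62] = struct.pack("<BBBI11s8s", 0x80, 0, 0x29, 0x1234ABCD, b"NO NAME    ", b"FAT12   ")
    img[510:512] = b"\x55\xAA"; nclus = -(-len(content) // SECTOR)
    fat12_set(img, 0, 0xFF8); fat12_set(img, 1, 0xFFF)
    for i in range(nclus):        # chain clusters 2..2+nclus-1; the last one is end-of-chain
        fat12_set(img, 2 + i, 3 + i if i < nclus - 1 else 0xFFF)
    struct.pack_into("<11sB14xHI", img, ROOT_DIR, b"SECRET  TXT", 0x20, 2, len(content))
    img[DATA_START:DATA_START + len(content)] = content
    return img
def file_extent(img):             # (first cluster, cluster count) read from the directory entry
    first, size = struct.unpack_from("<HI", img, ROOT_DIR + 26)
    return first, -(-size // SECTOR)
def delete_file(img):             # an ordinary unlink: free the FAT chain, flag the entry deleted
    first, nclus = file_extent(img)
    for c in range(first, first + nclus):   # contiguous, as build_image allocated it
        fat12_set(img, c, 0)
    img[ROOT_DIR] = 0xE5          # one name byte changes; the data clusters are left untouched
    return nclus
def secure_delete(img):           # overwrite the clusters before unlinking them
    first, nclus = file_extent(img); start = DATA_START + (first - 2) * SECTOR
    img[start:start + nclus * SECTOR] = bytes(nclus * SECTOR)
    return delete_file(img)
def carve_unallocated(img, needle):  # unallocated clusters (FAT entry 0) still holding needle
    last = 2 + (SECTOR * TOTAL_SECTORS - DATA_START) // SECTOR
    return [c for c in range(2, last) if fat12_get(img, c) == 0
            and needle in img[DATA_START + (c - 2) * SECTOR:DATA_START + (c - 1) * SECTOR]]
```

Writing the bytearray to a file gives a volume that The Sleuth Kit can be pointed at (for example `fls -d` on the file) to see the deleted directory entry next to the unallocated clusters it still names, which is the kind of data the abstract says surface-level filesystem access misses.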

  10. thefixer said:

    “house” I meant hours

  11. Shane Fry said:

    This should be a very interesting talk. It’s a shame I won’t be able to attend this year.

  12. pentestguru said:

    Hoping you provide a recording of this here. Hint. hint.

    Thanks

© 2012 McGrew Security Suffusion theme by Sayontan Sinha