I apologize to those in my talk (and throughout the rest of the cons last week) who asked about availability of the tools I describe in my talk. I stated that they should’ve been in the Metasploit trunk on the day of my Black Hat USA talk this past Wednesday, backed by assurances from Rapid7 that it would be there. Apparently I was talking to someone at Rapid7 who was unable to make those assurances, so it looks like I’ll be starting over the process of getting it available in the main distribution today. Edit: It’s in now. If you svn update metasploit, enum_drives and imager will be in “modules/post/windows/gather” and nbd_server will be in “modules/post/windows/manage”.

In the meantime, you can drop the following files into your own copy of Metasploit to use the tools introduced in my talk today:

  • enum_drives.rb – Enumerates physical disks and logical volumes for use in the other two modules
  • imager.rb – Images physical/logical drives over a meterpreter shell. Options are similar to those that forensics folk use in dd
  • nbd_server.rb – Maps a remote physical/logical drive to a local network block device server.  You can then mount and/or use any forensics tools you’d like on it.

Also, here are the final slides as I presented them, and the whitepaper that I originally submitted with my talk proposal:

Video of both the Black Hat USA and DefCon versions of the talk will be available at some point.


This is just a quick post to remind readers that I will be in Vegas for Black Hat and DEFCON this week, and I’m looking forward to meeting as many of you as possible. I will be giving a talk at both Black Hat and DEFCON:

  • Wednesday, August 3rd, 3:15 PM – Black Hat USA 2011 – Track 7
  • Friday, August 5th, 3:00 PM – DEFCON 19 – Track 2

My talk is entitled “Covert Post-Exploitation Forensics With Metasploit”, and I’ll be talking about a set of Metasploit Post-modules that I have developed for performing forensic analysis of machines over a meterpreter connection. With these modules, penetration testers (as well as other roles) will be able to run currently available, popular forensic tools on remote drives in the same way that forensic examiners currently use them on local drives. Through some protocol trickery and using Railgun to pipe the Windows API over meterpreter, you can essentially make a local block device that maps to the victim’s drive. I’ll have some discussion, including a basic introduction to disk/file-system forensics for penetration testers, a demo, and some time for questions and discussion.
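Whatever the transport, reading a drive through the Windows API means some process on the target opens the raw disk or volume device, and that is the host-side trace a defender can watch for: Sysmon records such opens as Event ID 9 (RawAccessRead), with the image, process id and device name. The following is an added example, not code from this post or from the Metasploit modules, that runs a simple triage over constructed, flattened RawAccessRead records: it aggregates raw reads per process, ignores images in a hypothetical baseline of tools expected to read raw devices, and notes when the reader runs from a user-writable path or targets a whole physical disk rather than a single volume. The sample lines, the baseline entries and the path markers are all assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not real telemetry), flattened into key=value
# form from the fields Sysmon records for Event ID 9, RawAccessRead: the event
# raised when a process opens a disk or volume device for raw (non-filesystem)
# reads, which is exactly what a disk imager must do. Paths are made up.
SAMPLE_EVENTS = [
    "EventID=9 UtcTime=2011-08-03 20:15:01 ProcessId=1412 Image=C:\\Windows\\System32\\vssvc.exe Device=\\Device\\HarddiskVolume1",
    "EventID=9 UtcTime=2011-08-03 20:16:10 ProcessId=3320 Image=C:\\Users\\alice\\AppData\\Local\\Temp\\svchost.exe Device=\\Device\\Harddisk0\\DR0",
    "EventID=9 UtcTime=2011-08-03 20:16:11 ProcessId=3320 Image=C:\\Users\\alice\\AppData\\Local\\Temp\\svchost.exe Device=\\Device\\Harddisk0\\DR0",
    "EventID=1 UtcTime=2011-08-03 20:16:12 ProcessId=3340 Image=C:\\Windows\\System32\\notepad.exe",
    "EventID=9 UtcTime=2011-08-03 20:17:05 ProcessId=2200 Image=C:\\Program Files\\Backup\\backupagent.exe Device=\\Device\\HarddiskVolume1",
]

# Hypothetical baseline of images expected to read raw devices on this host
# (VSS, backup agents, defragmenters). A defender builds this from their own
# environment; the entries here are assumptions, not a recommended list.
RAW_READ_BASELINE = {
    r"c:\windows\system32\vssvc.exe",
    r"c:\program files\backup\backupagent.exe",
}

# Path fragments (lower-case) that mark an image running from a user-writable location.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\users\\public\\")

# \\.\PhysicalDriveN resolves to \Device\HarddiskN\DRN, so this pattern
# separates whole-disk reads from single-volume (\Device\HarddiskVolumeN) reads.
PHYSICAL_DISK_RE = re.compile(r"\\Device\\Harddisk\d+\\DR\d+$", re.IGNORECASE)

# key=value pairs whose values may contain spaces (timestamps, "Program Files").
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_event(line):
    """Split one flattened event line into a dict of its fields."""
    return {key: value for key, value in FIELD_RE.findall(line)}


def raw_read_alerts(lines, baseline=RAW_READ_BASELINE):
    """Aggregate RawAccessRead events per process and return one alert per
    process whose image is not in the baseline. Imaging a drive produces a
    stream of such events, so the per-process count is carried in the alert."""
    per_process = defaultdict(lambda: {"raw_reads": 0, "devices": set(), "first_seen": None})
    for line in lines:
        event = parse_event(line)
        if event.get("EventID") != "9":
            continue  # only raw device opens matter here
        key = (event["Image"].lower(), int(event["ProcessId"]))
        entry = per_process[key]
        entry["raw_reads"] += 1
        entry["devices"].add(event["Device"])
        entry["first_seen"] = entry["first_seen"] or event["UtcTime"]

    alerts = []
    for (image, pid), entry in per_process.items():
        if image in baseline:
            continue
        reasons = ["image not in raw-read baseline"]
        if any(marker in image for marker in USER_WRITABLE_MARKERS):
            reasons.append("image runs from a user-writable path")
        if any(PHYSICAL_DISK_RE.search(dev) for dev in entry["devices"]):
            reasons.append("reads a whole physical disk rather than a volume")
        alerts.append({
            "image": image,
            "pid": pid,
            "first_seen": entry["first_seen"],
            "raw_reads": entry["raw_reads"],
            "devices": sorted(entry["devices"]),
            "reasons": reasons,
        })
    return sorted(alerts, key=lambda alert: alert["first_seen"])


if __name__ == "__main__":
    for alert in raw_read_alerts(SAMPLE_EVENTS):
        print(alert)
```

On the constructed input only the process running from the Temp directory is reported, with two raw reads of `\Device\Harddisk0\DR0`; the two baseline images are skipped. The baseline is the part that needs real tuning: on a host where nothing legitimately images disks it can be empty, and then any RawAccessRead is worth a look.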

The presentation and tools will be available on the conference disc, with the latest versions posted here as soon as I can manage after my talk. The modules ought to be available in the Metasploit SVN soon as well.

I’ll also be actively attending/prowling around the conference, so feel free to track me down to talk shop about breaking things, forensics, etc. I have lots of fun stories that aren’t appropriate for the blog/twitter.


I will also be bringing 20 of the challenge coins we normally hand out at the end of the Advanced Forensics class at the Mississippi State University National Forensics Training Center. If you want one, track me down at Black Hat or DEFCON and offer me something cool/interesting for one ;) :

Double Secret Edit:

I also have fun 0-day for Tiny Tower on all IOS devices (iPhone, iPad, iPod Touch), which I will disclose to attendees for the price of one drink and a handshake Non-Disclosure Agreement (negotiable). You’re not going to be hacking the Gibson with this one anytime soon, but it’s *fun*.

© 2012 McGrew Security Suffusion theme by Sayontan Sinha