The Defendant, Wesley McGrew
I just received these two pictures via email from my major professor, and thought I’d share. They’re from a series of mock trials that were held for this past fall semester’s computer forensics class. The students had the opportunity to take the stand and present expert witness testimony regarding the evidence that they had examined [...]
msramdmp Now Available as a Bootable ISO
A lot of older computers have issues with booting from USB. I have computers that I can’t boot from USB, and so do some people that have wanted to experiment with msramdmp. I have had a few people ask about booting msramdmp from a CD (and an email from one person who did it themselves!), [...]
Followup to my interview with SC Magazine
Yesterday I did an email interview with SCMagazineUS.com reporter Sue Marquette Poremba, and the article was published later in the day here:
Home-grown scanner mimics Princeton’s “cold-boot” tool
It’s not a bad article by any stretch of my imagination, but there were some points that I felt were important, and brought up in the interview, that didn’t [...]
Whups! Small bug in msramdmp!
Matthew Geiger was kind enough to point out to me a very silly typo I had made when writing msramdmp. Rather than grabbing 8192 bytes every time I went through the loop in the first section of memory it dumps, it was only going through 8182. Ugh. This means that it was [...]
Another way to get a memory dump…
…Firewire.
Kind of like the RAM remanence phenomenon that I wrote msramdmp to utilize, this is also something that I thought people already knew about. Firewire devices have direct access to the main memory of hosts that they are connected to, and you can use this access to dump sections of memory from computers you [...]
Integrating msramdmp into your existing USB toolkit
I’ve been in email contact with a gentleman who wants to get msramdmp integrated into his incident response USB toolkit. Here are some of my thoughts on how one might accomplish that, straight from my response to him:
To keep this thing very-low-footprint, it runs straight from the bootloader and accesses the disk directly through [...]
Tool Release: msramdmp – Image RAM after a cold boot
The Princeton guys that I mentioned in my last post have not released the tools that they used in their paper, yet. I wanted to play around with the way PCs tend to retain memory, so I’ve written my own implementation of the RAM dumper they describe and show in their videos:
msramdmp – The [...]
Looking at Remote-File-Inclusion attempts
For some attackers, it’s just a matter of casting it out there to every possible target and hope something sticks. This sort of thing turns up fairly often in my logs, and probably yours too. This time, I’m going to use it to illustrate just how much intelligence you can gather about your [...]
In Defense of MediaDefender?
I’ve been posting on the Binary Revolution Forums a bit lately, mostly in threads with a technical theme. I’m mostly doing it to sort of contribute to a place that’s popular among people just starting out in the field. Today, a link was posted about the recent attacks against MediaDefender, where a large [...]
Published in Advances in Digital Forensics III
The paper that I presented at the IFIP WG 11.9 digital forensics conference, “Using Search Engines to Acquire Network Forensics Evidence” (using my tool GooSweep) has been published as a chapter of the new hardcover “Advances in Digital Forensics III” from IFIP and Springer. I just received my copy today, and I’m quite [...]