IT-Defense 2006: Computer Forensik - Live-Analyse
On this page you can find some information about the "Computer Forensik - Live-Analyse" talk I gave at the IT-Defense 2006 conference.
Slides
(zipped PDF, in German): here
Summary
In this talk I presented several new tools that assist forensic live analysis. I also demonstrated an exploit payload that is able to locate and extract an SSL private key, together with the certificate, from the memory of a compromised process (e.g. Apache).
Tools
Here are the tools I presented. Some of them are available for public download.
Process Dumper (pd) - This tool creates a dump of a running process.
Memory Parser (MMP) - Memory Parser analyses process dumps created with pd.
Malicious Code Profiler - IDA Pro plugin that analyses the data mappings of a process (stack, heap, ...) for malicious code (exploit payloads, etc.).
NOP Sled Detector - IDA Pro plugin that analyses the data mappings of a process (stack, heap, ...) for NOP sleds.
RAMparser - This proof-of-concept tool parses and analyses a dump of physical memory.
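As an added illustration of the kind of check the NOP Sled Detector performs on dumped data mappings (example code written for this page, not the plugin itself; the sled byte set, the region layout and the sample dumps are constructed assumptions):

```python
from typing import Dict, List, Tuple

# Bytes that execute as harmless single-byte x86 instructions and are therefore usable
# as sled filler. This set is an assumption of the example: 0x90 (nop) plus the one-byte
# inc/dec register encodings 0x40..0x4f. Note that 0x41..0x4f are also the ASCII letters
# 'A'..'O', so runs of such text in a data mapping produce false positives; the
# "pure_nop" flag below helps to triage those.
SLED_BYTES = frozenset({0x90} | set(range(0x40, 0x50)))

Region = Tuple[str, int, bytes]  # (mapping name, base virtual address, dumped contents)


def find_sleds(data: bytes, min_len: int = 32) -> List[Tuple[int, int]]:
    """Return (offset, length) for every run of at least min_len sled bytes in data."""
    runs: List[Tuple[int, int]] = []
    start = None
    for i, b in enumerate(data):
        if b in SLED_BYTES:
            if start is None:
                start = i
        elif start is not None:
            if i - start >= min_len:
                runs.append((start, i - start))
            start = None
    if start is not None and len(data) - start >= min_len:  # run touching the region end
        runs.append((start, len(data) - start))
    return runs


def scan_mappings(regions: List[Region], min_len: int = 32) -> List[Dict]:
    """Scan each data mapping of a dumped process and report sleds by virtual address."""
    findings: List[Dict] = []
    for name, base, data in regions:
        for off, length in find_sleds(data, min_len):
            findings.append({"mapping": name, "va": base + off, "length": length,
                             "pure_nop": data[off:off + length].count(0x90) == length})
    return findings


# Constructed sample mappings standing in for a pd process dump (not a real dump):
# the stack holds a classic 0x90 sled, the heap a short 0x90 run (below threshold)
# and a sled built from inc/dec filler bytes.
SAMPLE_REGIONS: List[Region] = [
    ("[stack]", 0xBFFFE000, b"\x00" * 64 + b"\x90" * 200 + b"\xcc" * 8 + b"\x00" * 40),
    ("[heap]", 0x0804A000, b"\x90" * 16 + b"\x00" * 100 + bytes(range(0x40, 0x50)) * 4 + b"\x00" * 20),
]

if __name__ == "__main__":
    for f in scan_mappings(SAMPLE_REGIONS):
        print(f"{f['mapping']}: {f['length']} sled bytes at 0x{f['va']:08x} (pure 0x90: {f['pure_nop']})")
```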