Microsoft Windows timer objects provide a means to execute code at a certain time or at a periodic interval. By analyzing timers we can draw some conclusions about what a system was scheduled to do in the future.
Category "Memory analysis"
My slides from the ZISC Workshop 2010 on Digital Forensics and Security are now available. The speaker notes, unfortunately, are not. I hope my presentation on Recent Advances in Memory Forensics will be interesting anyway.
I'm excited to announce that I will speak at the ZISC 2010 Workshop on Digital Forensics and Security. I will report on the latest advancements in forensic memory analysis on Linux, Mac OS X and Microsoft Windows. The workshop will be held on September 13, 2010 at armasuisse in Berne, Switzerland.
A cross-view analysis compares sets of objects that were enumerated at different API layers or using different techniques. Differences justify a closer examination, though they do not inevitably indicate malicious activity. The Volatility memory analysis framework has provided different enumeration methods, like list-walking and scanning, for quite a while. Comparing these lists by hand, however, can be tedious at times. But it's easy to copy and paste some code into a new plugin and let the computer do all the hard work for you.
Four years ago, at DFRWS 2005, the first tools to analyze Windows memory images were presented in public. These ideas and methods are now gradually making their way into commercial off-the-shelf forensic products. The latest tool that provides Windows memory analysis capabilities is AccessData's Forensic Toolkit 3.
The PC's BIOS, among many other functions, also provides a simple routine to read data in from the keyboard. Information about the keys pressed is stored in a ring buffer that provides space for about 16 characters. As Jonathan Brossard has shown in a paper and presented at DEFCON 16, the buffer's contents may remain available for a while after they have been read by the BIOS. Chances are that passwords of the BIOS or of disk encryption software can be recovered.
I feel somewhat sorry for posting such a creepy title in spring. But don't worry, "mutant" is just what a mutex is called in the Windows kernel. A mutex helps to serialize access to a resource. Some applications employ a mutex to ensure that only a single instance is running. And that way, a mutex may lead us directly into the dark realms of some malware. Scary, isn't it?
The concept of symbolic links is widely implemented in file systems. But there is also a symbolic link object for kernel objects. Generally, a symbolic link will make an object accessible under a different and probably much shorter name. But symbolic link objects also provide some forensic value.