
Dailydave mailing list archives
Re: Palladium, Memory Forensics, Clouds.
From: Matthieu Suiche <msuiche () gmail com>
Date: Wed, 27 May 2009 21:39:47 +0200
> Do the DD.exe and similar tools go underneath the memory handlers? I assume modern rootkits are memory handlers (or hypervisors). I'm not sure how acquisition really works against that.
I guess you mean software-based acquisition. Moreover, Loic Duflot, BSDaemon, folks from Invisible Things and folks from University of Central Florida demonstrated SMM mode is more privileged than Virtualization mode. So I assume modern physical memory acquisition tools take care of this problem. I'm not sure how memory handling really works against that.

More seriously, the last time I publicly heard about a rootkit using anti-forensics tricks against physical memory acquisition was Rustock.C, which used the KeRegisterBugCheckCallback() function to clean its memory if a BSOD was invoked.

--
Matthieu Suiche

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
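The Rustock.C trick mentioned above, a KeRegisterBugCheckCallback() routine that scrubs the rootkit's memory before the crash dump is written, still has to leave a KBUGCHECK_CALLBACK_RECORD linked into the kernel's bugcheck callback list. The following is an added example for this archive page, not code from the thread or from any acquisition tool: it walks that list in a constructed 32-bit memory image the way a memory-forensics tool would and flags every CallbackRoutine that is not backed by a known loaded module. The record layout is the one documented in the WDK's wdm.h; the list-head address, the pool region, the module list and every other address are assumptions made up for the example.

```python
"""Enumerate bugcheck callbacks in a memory image (added example, not from the thread).

A driver that registers a callback with KeRegisterBugCheckCallback() has its
KBUGCHECK_CALLBACK_RECORD linked into nt!KeBugCheckCallbackListHead, so an
analyst with a memory image can walk that list and ask which loaded module each
CallbackRoutine belongs to. Layout: 32-bit KBUGCHECK_CALLBACK_RECORD (wdm.h).
All addresses, the module list and the image itself are constructed here.
"""
import struct

# 32-bit KBUGCHECK_CALLBACK_RECORD: LIST_ENTRY Entry {Flink, Blink},
# CallbackRoutine, Buffer, Length, Component, Checksum, State (+3 pad) = 0x20.
OFF_FLINK, OFF_BLINK, OFF_ROUTINE, OFF_BUFFER = 0x00, 0x04, 0x08, 0x0C
OFF_LENGTH, OFF_COMPONENT, OFF_CHECKSUM, OFF_STATE = 0x10, 0x14, 0x18, 0x1C
RECORD_FMT = "<IIIIIIIB3x"

LIST_HEAD_VA = 0x80401000   # hypothetical address of nt!KeBugCheckCallbackListHead
POOL_VA = 0x81000000        # hypothetical nonpaged-pool region holding the records

# Hypothetical loaded-module list (name, base, size), as a forensics tool would
# recover it from PsLoadedModuleList.
MODULES = [
    ("ntoskrnl.exe", 0x80400000, 0x00200000),
    ("ndis.sys",     0xF8A00000, 0x00030000),
    ("tcpip.sys",    0xF8B00000, 0x00060000),
]


class SparseImage:
    """Minimal memory image: a few mapped regions keyed by virtual address."""

    def __init__(self):
        self.regions = {}

    def add_region(self, base, size):
        self.regions[base] = bytearray(size)

    def _locate(self, va, n):
        for base, buf in self.regions.items():
            if base <= va and va + n <= base + len(buf):
                return buf, va - base
        raise ValueError(f"unmapped address {va:#x}")

    def write(self, va, data):
        buf, off = self._locate(va, len(data))
        buf[off:off + len(data)] = data

    def read(self, va, n):
        buf, off = self._locate(va, n)
        return bytes(buf[off:off + n])

    def read_u32(self, va):
        return struct.unpack("<I", self.read(va, 4))[0]

    def read_cstring(self, va, maxlen=32):
        if va == 0:                      # NULL Component pointer
            return ""
        return self.read(va, maxlen).split(b"\0", 1)[0].decode("ascii", "replace")


def build_sample_image():
    """Constructed image: two legitimate callbacks plus one from an unlisted driver."""
    img = SparseImage()
    img.add_region(LIST_HEAD_VA, 0x100)
    img.add_region(POOL_VA, 0x1000)
    # (record va, CallbackRoutine, Component string va, Component text)
    recs = [
        (POOL_VA + 0x000, 0xF8A12345, POOL_VA + 0x800, b"NDIS"),
        (POOL_VA + 0x040, 0xF8B01000, POOL_VA + 0x810, b"TCPIP"),
        (POOL_VA + 0x080, 0x8A3F0000, 0, b""),   # routine inside no known module
    ]
    for text_va, text in ((r[2], r[3]) for r in recs if r[2]):
        img.write(text_va, text + b"\0")
    n = len(recs)
    for i, (va, routine, comp_va, _) in enumerate(recs):
        flink = recs[i + 1][0] if i + 1 < n else LIST_HEAD_VA
        blink = recs[i - 1][0] if i > 0 else LIST_HEAD_VA
        img.write(va, struct.pack(RECORD_FMT, flink, blink, routine, 0, 0, comp_va, 0, 1))
    img.write(LIST_HEAD_VA, struct.pack("<II", recs[0][0], recs[-1][0]))  # head Flink/Blink
    return img


def owning_module(addr, modules=MODULES):
    """Name of the loaded module containing addr, or None if nothing backs it."""
    for name, base, size in modules:
        if base <= addr < base + size:
            return name
    return None


def enumerate_bugcheck_callbacks(img, head_va=LIST_HEAD_VA, max_entries=256):
    """Walk Flink from the list head; treat cycles and Flink/Blink mismatches as tampering."""
    entries, seen = [], set()
    prev, cur = head_va, img.read_u32(head_va + OFF_FLINK)
    while cur != head_va:
        if cur in seen or len(entries) >= max_entries:
            raise ValueError(f"cyclic or oversized callback list at {cur:#x}")
        if img.read_u32(cur + OFF_BLINK) != prev:
            raise ValueError(f"Blink of record {cur:#x} does not point back to {prev:#x}")
        seen.add(cur)
        routine = img.read_u32(cur + OFF_ROUTINE)
        entries.append({
            "record": cur,
            "routine": routine,
            "component": img.read_cstring(img.read_u32(cur + OFF_COMPONENT)),
            "module": owning_module(routine),
        })
        prev, cur = cur, img.read_u32(cur + OFF_FLINK)
    return entries


def suspicious_callbacks(entries):
    """Callbacks whose routine lies outside every known loaded module."""
    return [e for e in entries if e["module"] is None]


if __name__ == "__main__":
    for e in enumerate_bugcheck_callbacks(build_sample_image()):
        flag = "" if e["module"] else "  <-- not backed by a loaded module"
        print(f"{e['record']:#010x} routine={e['routine']:#010x} "
              f"component={e['component']!r:8} module={e['module']}{flag}")
```

Run stand-alone it prints one line per record; the third record's routine points into no known module, which is what a callback registered by a hidden driver looks like. A Blink that does not point back to the previous record, or a Flink cycle, is reported as tampering rather than skipped, since a rootkit able to register a callback can also unlink or patch neighbouring records to hide from a naive list walk.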
Current thread:
- Palladium, Memory Forensics, Clouds. Dave Aitel (May 20)
- Re: Palladium, Memory Forensics, Clouds. Joanna Rutkowska (May 21)
- Re: Palladium, Memory Forensics, Clouds. Curt Wilson (May 21)
- Re: Palladium, Memory Forensics, Clouds. Dave Aitel (May 22)
- Re: Palladium, Memory Forensics, Clouds. Joanna Rutkowska (May 22)
- Re: Palladium, Memory Forensics, Clouds. Dave Aitel (May 22)
- Re: Palladium, Memory Forensics, Clouds. James Butler (May 25)
- Re: Palladium, Memory Forensics, Clouds. dave (May 27)
- Re: Palladium, Memory Forensics, Clouds. Matthieu Suiche (May 27)
- Re: Palladium, Memory Forensics, Clouds. Dominique Brezinski (May 27)
- Re: Palladium, Memory Forensics, Clouds. dave (May 27)