Wednesday, August 5, 2009

New Tool Could Help Computer Forensics Move off the Disk and into Memory

From Government Computer News:

By examining traces of memory resident on a computer, researchers can find evidence of malicious activity.

Tools such as Metasploit’s meterpreter for the automated delivery of stealthy payloads are making it more difficult for researchers to find out after the fact exactly what happened to an exploited computer.

Meterpreter can let an attacker upload malware files to a computer that do not touch the disk, which is where traditional forensics tools look to find evidence of malicious activity.

“Meterpreter breaks all disk forensics,” said Peter Silberman, an engineer at Mandiant Inc. So researchers now are looking into memory for evidence of wrongdoing. “This is a new frontier in forensics analysis.”

Silberman and Stephen Davis, a Mandiant security consultant, demonstrated a new memory analysis tool Wednesday at the Black Hat Briefings security conference. By examining traces that can remain resident in memory for a surprisingly long time, they can find evidence of malicious activity that is not visible anywhere else on the system.
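The article describes the general idea (artifacts that never reach the disk can still be recovered from a memory image) without showing how such a search works. The following is an added illustration, not code from the article, from Mandiant or from the Memoryze/Metasploit projects: it carves printable strings out of a raw memory buffer in both ASCII and UTF-16LE (Windows keeps many paths and module names in the latter), then matches them against a list of indicator patterns. The memory image and the indicator list are constructed inline for the example; a real investigation would read a captured image from disk and use its own indicators.

```python
import re
from typing import List, Pattern, Tuple

# Constructed sample "memory image" for this example only: binary filler around
# one ASCII string, one UTF-16LE string, and one string too short to report.
SAMPLE_IMAGE = (
    b"\x00\x01\x02\x03" * 8                          # 32 bytes of non-printable filler
    + b"C:\\Temp\\example_stage.dll"                 # ASCII artifact (constructed name)
    + b"\xff\xfe\x00\x00"                            # more filler
    + "example_agent.dll".encode("utf-16le")         # UTF-16LE artifact (constructed name)
    + b"\x90" * 16                                   # filler
    + b"short"                                       # 5 chars: below min_len, skipped
)

# Constructed indicator patterns (placeholders, not real detection content):
# DLL names and anything referencing a Temp directory.
INDICATORS: List[Pattern[str]] = [
    re.compile(r"\.dll$", re.IGNORECASE),
    re.compile(r"\\temp\\", re.IGNORECASE),
]

Carved = Tuple[int, str, str]          # (offset, encoding, text)
Hit = Tuple[int, str, str, str]        # (offset, encoding, text, pattern)


def carve_strings(image: bytes, min_len: int = 8) -> List[Carved]:
    """Return every printable run of at least min_len characters, sorted by offset.

    Two encodings are carved: contiguous printable ASCII bytes, and printable
    ASCII bytes interleaved with NUL (how UTF-16LE encodes Latin text).
    """
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found: List[Carved] = []
    for m in ascii_re.finditer(image):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in utf16_re.finditer(image):
        found.append((m.start(), "utf-16le", m.group().decode("utf-16le")))
    return sorted(found)


def match_indicators(strings: List[Carved], indicators: List[Pattern[str]]) -> List[Hit]:
    """Report each carved string that matches an indicator, once per matching pattern."""
    hits: List[Hit] = []
    for offset, enc, text in strings:
        for pat in indicators:
            if pat.search(text):
                hits.append((offset, enc, text, pat.pattern))
    return hits


def scan_image(image: bytes, indicators: List[Pattern[str]], min_len: int = 8) -> List[Hit]:
    """Carve strings from a raw memory buffer and match them against indicators."""
    return match_indicators(carve_strings(image, min_len), indicators)


if __name__ == "__main__":
    # Run the scan over the constructed sample and print offset, encoding and text.
    for offset, enc, text, pattern in scan_image(SAMPLE_IMAGE, INDICATORS):
        print(f"0x{offset:08x} {enc:9s} {text!r}  (matched {pattern})")
```

The carving step is deliberately separate from the matching step: the same carved list can be fed to several indicator sets, and keeping offsets lets an analyst go back to the surrounding bytes in the image to establish which process or structure the artifact belonged to. A production tool such as the one described in the article would go further and walk kernel structures to attribute findings, which plain string carving cannot do.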

“What this allows us to do is to determine what meterpreter did while it was resident on the system,” Davis said.

The tool, which works with Mandiant’s Memoryze memory analysis software, is not yet a full production product. “It’s a proof-of-concept that hopefully other people will latch onto,” Davis said. The first target of the tool is Metasploit because that is the de facto standard for creating exploits against security vulnerabilities in computers.

Full article here.
