HomeCalendarCertificationsColumnsFeaturesForumResourcesVitals
 
Image
 
linkedin_logo.png rss_logo.jpg
twitter_logo.png youtube_logo.jpg
Latest Additions
 
EH-Net Login
Welcome Guest.
Lost Password?
No account yet? Register
Who's Online
We have 76 guests and 2 members online
 
Advertisement

You are here: Home arrow Ethical Hacking Discussions and Related Certificationsarrow Forensicsarrow OS Detection from a RAM dump
EH-Net
May 18, 2013, 10:50:01 AM *
Welcome, Guest. Please login or register.
Did you miss your activation email?

Login with username, password and session length
News: Go back to The Ethical Hacker Network Online Magazine Home Page
 
   Home   Help Calendar Login Register  
Pages: [1]   Go Down
« previous next »
  Print  
Author Topic: OS Detection from a RAM dump  (Read 5150 times)
0 Members and 1 Guest are viewing this topic.
ryan
Newbie
*
Offline Offline

Posts: 20



View Profile WWW
« on: September 16, 2006, 08:48:17 AM »
Harlan Carvey of the Windows-IR blog has finished developement on a utility for determining the OS from a ram dump either dd-style or a VMWare .vmem file.

http://windowsir.blogspot.com/2006/09/os-detection-explained.html
Logged
http://yaisb.blogspot.com
pcsneaker
Jr. Member
**
Offline Offline

Posts: 73


View Profile
« Reply #1 on: September 16, 2006, 10:48:08 AM »
Harlan does a lot of great work - but why should somebody need to determine the OS from a RAM dump ? When you're in front of computer doing a RAM dump in general you know what operating system is running on that box.

What do you think about, perhaps I'm missing something?
Logged
MCSA:Security (W2k, W2k3)
MCSE:Security (W2k, W2k3)
CPTS, Network+
oleDB
Recruiters
Full Member
*
Offline Offline

Posts: 236



View Profile WWW
« Reply #2 on: September 18, 2006, 10:35:43 AM »
I've read Harlan's book cover to cover and I'm a big fan of his. I would have to guess from some of his other projects, like the Windows Forensic Server is that the focus may have been remote. But also, having a tool provides an automated, accurate, and documented way of collecting this data versus, saying that you knew it was <insert OS here> from the logon splash screen or whatever. I guess there are just too many scenarios to say exactly why they would use it, however it may only be just to see if they could actually do it reliably with the least amount of system interaction possible. For me it makes sense because most of the stuff I do is remote, however if you work in an environment where every machine you get has been unplugged and shipped to you for imaging, then its probably not that useful.
Logged
ryan
Newbie
*
Offline Offline

Posts: 20



View Profile WWW
« Reply #3 on: September 19, 2006, 02:46:26 PM »
Well, to me its not so much the tool as it is the methodology.

We now have a perl module that could be integrated into a lot of other tasks. It might be important to know the OS to come to certain conclusions about forensic data, this can now be automated rather than asking the user what os was used. There are probably many other good reasons.
Logged
http://yaisb.blogspot.com
Pages: [1]   Go Up
  Print  
« previous next »
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.18 | SMF © 2013, Simple Machines
Joomla Bridge by JoomlaHacks.com 		Valid XHTML 1.0! Valid CSS!
Page created in 0.051 seconds with 23 queries.
 
Exclusive Deal

sansfire13_245x90_cw90.jpg
SANSFIRE 2013
June 15 - 22

5% Off w/ Code: EHN_5

SANS Deals 4 EH-Netters
5% OFF Any SANS Course in Any Format!
Coupon Code: EHN_5 Including SANS Rocky Mountain 2013 & SANS Boston 2013
Polls
Compared to this year, 2013 will be:
 
Recent Forum Topics
EH-Net News Feeds
Latest Additions
 
         
Free Business and Tech Magazines and eBooks

© 2013 The Ethical Hacker Network
Joomla! is Free Software released under the GNU/GPL License.