EH-Net Forum, Forensics board
Author Topic: OS Detection from a RAM dump  (Read 4734 times)
ryan (Newbie, 20 posts)
« on: September 16, 2006, 08:48:17 AM »

Harlan Carvey of the Windows-IR blog has finished development on a utility for determining the OS from a RAM dump, either dd-style or a VMware .vmem file.

http://windowsir.blogspot.com/2006/09/os-detection-explained.html

pcsneaker (Jr. Member, 73 posts)
« Reply #1 on: September 16, 2006, 10:48:08 AM »

Harlan does a lot of great work, but why should somebody need to determine the OS from a RAM dump? When you're in front of a computer doing a RAM dump, in general you know what operating system is running on that box.

What do you think about it? Perhaps I'm missing something.

MCSA:Security (W2k, W2k3)
MCSE:Security (W2k, W2k3)
CPTS, Network+
oleDB (Full Member, 236 posts)
« Reply #2 on: September 18, 2006, 10:35:43 AM »

I've read Harlan's book cover to cover and I'm a big fan of his. I would have to guess from some of his other projects, like the Windows Forensic Server, that the focus may have been remote. But also, having a tool provides an automated, accurate, and documented way of collecting this data versus saying that you knew it was <insert OS here> from the logon splash screen or whatever. I guess there are just too many scenarios to say exactly why they would use it; however, it may only be just to see if they could actually do it reliably with the least amount of system interaction possible. For me it makes sense because most of the stuff I do is remote; however, if you work in an environment where every machine you get has been unplugged and shipped to you for imaging, then it's probably not that useful.

ryan (Newbie, 20 posts)
« Reply #3 on: September 19, 2006, 02:46:26 PM »

Well, to me it's not so much the tool as it is the methodology.

We now have a Perl module that could be integrated into a lot of other tasks. It might be important to know the OS to come to certain conclusions about forensic data; this can now be automated rather than asking the user what OS was used. There are probably many other good reasons.
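The thread describes the goal (identify the OS from a raw dd-style or VMware .vmem image with no operator input) but not how Harlan's module does it. The following is an added example, not the original post's content and not Harlan Carvey's code or method; it uses one independent heuristic: every mapped Windows PE carries a VS_VERSIONINFO resource whose "FileVersion" string names the OS build it shipped with, so scanning physical memory for those strings and taking the majority major.minor identifies the OS without knowing the kernel layout. The sample image, the filler bytes and the small version-name table are constructed for the example.

```python
"""
Heuristic OS identification from a raw Windows physical-memory image.
Every mapped PE carries a VS_VERSIONINFO "FileVersion" string naming the OS
build it shipped with, so a dd-style dump or VMware .vmem (both flat physical
memory) can be scanned for those strings without knowing the kernel layout;
the most common major.minor across hundreds of system DLLs is the running OS.
Added example, not Harlan Carvey's tool; the sample image is constructed below.
"""
import mmap
import random
import re
import struct
from collections import Counter

# UTF-16LE "FileVersion" key plus its terminating NUL, as stored in a
# VS_VERSIONINFO StringTable entry.
_KEY = "FileVersion".encode("utf-16-le") + b"\x00\x00"

# Kernel major.minor -> product name (public mapping, abbreviated).
_VERSIONS = {
    (5, 0): "Windows 2000",
    (5, 1): "Windows XP",
    (5, 2): "Windows Server 2003 / XP x64",
    (6, 0): "Windows Vista / Server 2008",
    (6, 1): "Windows 7 / Server 2008 R2",
    (10, 0): "Windows 10 / Server 2016 and later",
}

# Accepts "5.1.2600.2180 (...)" as well as the "1, 0, 0, 1" comma style.
_VER_RE = re.compile(r"^(\d+)[.,]\s*(\d+)[.,]\s*(\d+)")

def _read_utf16z(buf, off, limit=64):
    """Read a NUL-terminated UTF-16LE string at off; '' if it is not text."""
    units = []
    while off + 1 < len(buf) and len(units) < limit:
        unit = bytes(buf[off:off + 2])
        if unit == b"\x00\x00":
            try:
                return b"".join(units).decode("utf-16-le")
            except UnicodeDecodeError:
                return ""
        units.append(unit)
        off += 2
    return ""  # ran off the end or past the limit: not a version string

def scan_file_versions(image):
    """Return [(physical_offset, FileVersion value), ...] for every hit."""
    hits = []
    for m in re.finditer(re.escape(_KEY), image):
        off = m.end()
        # The value is DWORD-aligned after the key: skip up to 3 NUL pad bytes.
        while off < len(image) and off - m.end() < 4 and image[off] == 0:
            off += 1
        value = _read_utf16z(image, off)
        if value:
            hits.append((m.start(), value))
    return hits

def identify_os(image):
    """Majority vote over FileVersion hits -> (name, (major, minor), build, votes)."""
    votes, builds = Counter(), {}
    for _, value in scan_file_versions(image):
        m = _VER_RE.match(value.strip())
        if m:
            key = (int(m.group(1)), int(m.group(2)))
            votes[key] += 1
            builds.setdefault(key, int(m.group(3)))
    if not votes:
        return None
    key, count = votes.most_common(1)[0]
    name = _VERSIONS.get(key, "unknown Windows %d.%d" % key)
    return name, key, builds[key], count

def identify_os_file(path):
    """Same, over a real dd-style or .vmem image via mmap (no full read)."""
    with open(path, "rb") as fh, mmap.mmap(fh.fileno(), 0, access=mmap.ACCESS_READ) as mm:
        return identify_os(mm)

def _vs_string(key, value):
    """Build one VS_VERSIONINFO String entry: wLength, wValueLength, wType, key, pad, value."""
    k = key.encode("utf-16-le") + b"\x00\x00"
    pad = (-(6 + len(k))) % 4  # value is DWORD-aligned after the key
    v = value.encode("utf-16-le") + b"\x00\x00"
    body = k + b"\x00" * pad + v
    return struct.pack("<HHH", 6 + len(body), len(value) + 1, 1) + body

def build_sample_image():
    """Constructed stand-in for a dump: random filler around three XP SP2
    system-file version resources and one third-party driver's resource."""
    rnd = random.Random(1)
    filler = lambda n: bytes(rnd.getrandbits(8) for _ in range(n))
    parts = [filler(4096)]
    for ver in ["5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)"] * 3 + ["1, 0, 0, 1"]:
        parts += [_vs_string("FileVersion", ver), filler(1024)]
    return b"".join(parts)
```

`identify_os(build_sample_image())` returns `("Windows XP", (5, 1), 2600, 3)`; on a real image call `identify_os_file("memory.dd")` or the same on a `.vmem`. The vote is a heuristic, not proof: a dump can hold version resources from installers, cached updates or a hibernated guest, so treat the result as a lead and confirm it against the kernel's own version resource or a debugger-structure-based tool before relying on it.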
