OS Detection from a RAM dump

ryan.cartner

Newbie

Posts: 20

Joined: Tue Aug 15, 2006 12:26 pm

Post Sat Sep 16, 2006 8:48 am

OS Detection from a RAM dump

Harlan Carvey of the Windows-IR blog has finished development on a utility for determining the OS from a RAM dump, either dd-style or a VMware .vmem file.

http://windowsir.blogspot.com/2006/09/o ... ained.html

pcsneaker

Jr. Member

Posts: 73

Joined: Mon Nov 07, 2005 12:23 pm

Post Sat Sep 16, 2006 10:48 am

Re: OS Detection from a RAM dump

Harlan does a lot of great work, but why should somebody need to determine the OS from a RAM dump? When you're in front of a computer doing a RAM dump, in general you know what operating system is running on that box.

What do you think about it? Perhaps I'm missing something.
MCSA:Security (W2k, W2k3)
MCSE:Security (W2k, W2k3)
CPTS, Network+

oleDB

Recruiters

Posts: 236

Joined: Thu Jul 20, 2006 8:58 am

Location: HOA

Post Mon Sep 18, 2006 10:35 am

Re: OS Detection from a RAM dump

I've read Harlan's book cover to cover and I'm a big fan of his. I would have to guess from some of his other projects, like the Windows Forensic Server, that the focus may have been remote. But also, having a tool provides an automated, accurate, and documented way of collecting this data versus saying that you knew it was <insert OS here> from the logon splash screen or whatever. I guess there are just too many scenarios to say exactly why they would use it; however, it may only be just to see if they could actually do it reliably with the least amount of system interaction possible. For me it makes sense because most of the stuff I do is remote; however, if you work in an environment where every machine you get has been unplugged and shipped to you for imaging, then it's probably not that useful.

ryan.cartner

Newbie

Posts: 20

Joined: Tue Aug 15, 2006 12:26 pm

Post Tue Sep 19, 2006 2:46 pm

Re: OS Detection from a RAM dump

Well, to me it's not so much the tool as it is the methodology.

We now have a Perl module that could be integrated into a lot of other tasks. It might be important to know the OS to come to certain conclusions about forensic data; this can now be automated rather than asking the user what OS was used. There are probably many other good reasons.
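As an added illustration of the kind of automated OS identification the thread is talking about (this is not Harlan Carvey's tool or his Perl module, whose method the thread does not describe), here is a small Python script that scans a raw dd-style or VMware .vmem image for Windows product-name strings in both ASCII and UTF-16LE, reads the file in chunks so a multi-gigabyte dump never has to fit in memory, and reports a best guess together with the hit counts that back it up. The marker strings, the minimum-hit threshold and the sample "image" it runs on by default are all assumptions constructed for the example.

```python
"""Heuristic OS identification from a raw memory image (dd-style or
VMware .vmem), added here as an illustration; it is not the method of
Harlan Carvey's tool or Perl module."""
import io
import re
from collections import Counter

# Assumed marker strings: Windows product names that system binaries carry in
# their version resources (UTF-16LE inside PE files, sometimes ASCII elsewhere).
OS_MARKERS = {
    "Windows 2000": "Windows 2000",
    "Windows XP": "Windows XP",
    "Windows Server 2003": "Windows Server 2003",
    "Windows Vista": "Windows Vista",
}

# One compiled pattern per (OS, encoding); the longest encoded marker sets the
# overlap needed when scanning in chunks.
PATTERNS = [
    (os_name, re.compile(re.escape(text.encode(enc))))
    for os_name, text in OS_MARKERS.items()
    for enc in ("ascii", "utf-16-le")
]
MAX_MARKER_LEN = max(len(t.encode("utf-16-le")) for t in OS_MARKERS.values())


def count_markers(blob, min_end=0):
    """Count marker hits in one buffer, ignoring matches that end at or before
    min_end (those bytes were already counted in an earlier chunk)."""
    counts = Counter()
    for os_name, pat in PATTERNS:
        n = sum(1 for m in pat.finditer(blob) if m.end() > min_end)
        if n:
            counts[os_name] += n
    return counts


def scan_stream(stream, chunk_size=64 * 1024 * 1024):
    """Scan a binary stream chunk by chunk, carrying the last MAX_MARKER_LEN-1
    bytes forward so a marker straddling a chunk boundary is still found and
    counted exactly once."""
    counts = Counter()
    overlap = MAX_MARKER_LEN - 1
    tail = b""
    while True:
        data = stream.read(chunk_size)
        if not data:
            break
        buf = tail + data
        counts.update(count_markers(buf, min_end=len(tail)))
        tail = buf[-overlap:]
    return counts


def scan_image(path, chunk_size=64 * 1024 * 1024):
    """Scan a raw image file on disk without loading it all into memory."""
    with open(path, "rb") as f:
        return scan_stream(f, chunk_size)


def guess_os(counts, min_hits=3):
    """Report the OS with the most hits, or None when the evidence is below an
    assumed minimum (a stray string in a document should not decide it)."""
    if not counts:
        return None
    best, n = counts.most_common(1)[0]
    return best if n >= min_hits else None


def make_sample_image():
    """Constructed stand-in for a RAM dump: zero filler with a few embedded
    product strings; the first one straddles a 1000-byte chunk boundary."""
    filler = b"\x00" * 995
    return (filler + "Windows XP".encode("utf-16-le")
            + filler + b"Windows XP"
            + filler + "Windows XP".encode("utf-16-le")
            + filler + "Windows 2000".encode("utf-16-le") + filler)


def sample_scan(chunk_size=1000):
    """Run the chunked scanner over the constructed sample."""
    return scan_stream(io.BytesIO(make_sample_image()), chunk_size)


if __name__ == "__main__":
    import sys
    result = scan_image(sys.argv[1]) if len(sys.argv) > 1 else sample_scan()
    for name, n in result.most_common():
        print(f"{n:6d}  {name}")
    print("best guess:", guess_os(result))
```

Run it with a dump path as the only argument, or with no argument to see it work on the constructed sample. The printed counts are the "documented" part oleDB mentions: the answer comes with the evidence it rests on, which is what you want in a report. It is only a string heuristic, though; an installer ISO cached in RAM or a document that names another Windows version will add noise, which is why the threshold exists and why a method that walks actual kernel structures is the stronger approach when you need a reliable answer.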
