[Vol-dev] Re: Pylint and code questions

Michael Felber MichaelFelber at gmx.net
Sat Sep 12 15:53:30 CDT 2009


Hello Mike,

thanks a lot for the efforts you spent on that code optimization. I am a programming noob (I am a forensics guy) but will look at it too to learn.
The FireWire access is quite funny but doesn't work with Vista at the moment (the raw1394 is unable to see the Vista PC).
I have applied an extension (idea found at https://www.moonloop.org/bin/view/Moonloop/Stream?tag=ida) to winlockpwn so it works fine with any up-to-date SP3 system I have tested.
But a live analysis of the memory may not be the best idea because it's too volatile; even a memory dump is not as consistent as a hiberfil.sys or memory.dmp would be. I would suggest making a memory dump first before analysis, except for code injection techniques. ;-)
Btw, do you know how to extract the LSA key from an SP3 registry? See cachedump.py.

Jon,

F-Response is a really great tool, you're right. It uses the iSCSI protocol for communication and silently drops every write attempt.
Both ways (FW / iSCSI) give the investigator unlimited remote access to the 'living' memory of the target. F-Response prevents writing but needs its own memory space; FireWire does create a new device on the target system but does not consume memory. The main danger for changing evidence is its ability to write to the target.

Cu

Mic

