This event has ended. View the official site or create your own event → Check it out
This event has ended. Create your own
View analytic
Wednesday, July 29 • 11:15am - 12:30pm
Peter Silberman & Steve Davis: Metasploit Autopsy - Reconstructing the Crime Scene

Sign up or log in to save this to your schedule and see who's attending!

Meterpreter is becoming the new frontier of malicious payloads, allowing an attacker to upload files that never touch disk, circumventing traditional forensic techniques. The stealth of meterpreter creates problems for incident responders. Such as how does a responder determine what occurred on a box exploited by meterpreter?
During this talk we discuss accessing physical memory for the purpose of acquiring a specific processes' address space. Process address space acquisition includes DLLs, EXEs, stacks and heaps. This includes memory resident modules. We describe in detail how meterpeter operates in memory and specifically how memory looks when meterpreter scripts/commands are executed and the residue these scripts create in the exploited processes' memory space. Finally, we tie all this knowledge together and discuss how to reconstruct a meterpreter session - completely from memory - and determine what the attacker was doing on the exploited machine.
The talk will conclude with the demonstration of a new tool, the audience will see how an attacker using meterpreter is no longer hidden from the forensic investigator, as we recreate the meterpreter session from memory.

Wednesday July 29, 2009 11:15am - 12:30pm
Florentine 1-2-3-4

Attendees (71)