Difference between pages "Upcoming events" and "Tools:Memory Imaging"

From ForensicsWiki
(Difference between pages)
Jump to: navigation, search
(Conferences)
 
m
 
Line 1: Line 1:
<b>PLEASE READ BEFORE YOU EDIT THE LISTS BELOW</b><br>
+
The [[physical memory]] of computers can be imaged and analyzed using a variety of tools. Because the procedure for accessing physical memory varies between [[operating systems]], these tools are listed by operating system. Usually memory images are used as part of [[memory analysis]].
Events should be posted in the correct section, and in date order.  An event should NEVER be listed in more than one section (i.e. Ongoing/Continuous events should not be listed in Scheduled Training).  When events begin the same day, events of a longer length should be listed first.  New postings of events with the same date(s) as other events should be added after events already in the list. If a provider offers the same event at several locations simultaneously, the listing should have a single (ONE) entry in the list with the date(s) and ALL locations for the event. Please use three-letter month abbreviations (i.e. Sep, NOT Sept. or September), use two digit dates (i.e. Jan 01 NOT Jan 1), and use date ranges rather than listing every date during an event(i.e. Jan 02-05, NOT Jan 02, 03, 04, 05).<br>
+
<i>Some events may be <u>limited</u> to <b>Law Enforcement Only</b> or to a specific audience.  Such restrictions should be noted when known.</i>
+
  
This is a BY DATE listing of upcoming events relevant to [[digital forensics]].  It is not an all inclusive list, but includes most well-known activities.  Some events may duplicate events on the generic [[conferences]] page, but entries in this list have specific dates and locations for the upcoming event.
+
== Microsoft Windows ==
  
This listing is divided into four sections (described as follows):<br>
+
; [[dd]]
<ol><li><b><u>Calls For Papers</u></b> - Calls for papers for either Journals or for Conferences, relevant to Digital Forensics (Name, Closing Date, URL)</li><br>
+
: A version of [[dd]] by George Garner allows an Administrator user to image memory using the ''\device\physicalmemory'' object. Userland access to this object is denied starting in Windows 2003 Service Pack 1 and Windows Vista. This program cannot be used on Windows 2003 SP1 and above.
<li><b><u>Conferences</u></b> - Conferences relevant for Digital Forensics (Name, Date, Location, URL)</li><br>
+
<li><b><u>On-Going / Continuous Training</u></b> - Training opportunities that are either always available online/distance learning format (start anytime) or that are offered the same time every month (Name, date-if applicable, URL)</li><br>
+
<li><b><u>[[Scheduled Training Courses]]</u></b> - Training Classes/Courses that are scheduled for specific dates/locations.  This would include online (or distance learning format) courses which begin on specific dates, instead of the "start anytime" courses listed in the previous section. (Provider, URL) (''note: this has been moved to its own page.'')<br></li></ol>
+
  
The Conference and Training List is provided by the American Academy of Forensic Sciences (AAFS) Digital and Multimedia Sciences Section Listserv. 
+
; [[hibernation]] files
<i> (Subscribe by sending an email to listserv@lists.mitre.org with message body containing SUBSCRIBE AAFS-DIGITAL-MULTIMEDIA-LIST)</i>
+
: Windows 98, 2000, XP, 2003, and Vista support a feature called hibernation that saves the machine's state to the disk when the computer is powered off. When the machine is turned on again, the state is restored and the user can return to the exact point where they left off. The machine's state, including a compressed image of physical memory, is written to the disk on the System drive, usually C:, as hiberfil.sys. This file can be parsed and decompressed to obtain the memory image.
Requests for additions, deletions or corrections to this list may be sent by email to David Baker <i>(bakerd AT mitre.org)</i>.
+
  
== Calls For Papers ==
+
== Exploits ==  
{| border="0" cellpadding="2" cellspacing="2" align="top"
+
|- style="background:#bfbfbf; font-weight: bold"
+
! width="30%|Title
+
! width="15%"|Due Date
+
! width="15%"|Notification Date
+
! width="40%"|Website
+
|-
+
|Blackhat Briefings - Washington DC
+
|Jan 01, 2009
+
|Jan 16, 1009
+
|https://www.blackhat.com/html/bh-dc-09/bh-dc-09-cfp.html
+
|-
+
|USENIX '09
+
|Jan 09, 2009
+
|Mar 13, 2009
+
|http://www.usenix.org/events/usenix09/cfp/
+
|-
+
|Hacker Halted USA 2009
+
|Jan 15, 2009
+
|Feb 15, 2009
+
|http://www.eccouncil.org/hhusa/papers/page6.html
+
|-
+
|3rd Edition of Small Scale Digital Device Forensics Journal
+
|Jan 31, 2009
+
|
+
|http://www.ssddfj.org/Call.asp
+
|-
+
|4rd International Workshop on Systematic Approaches to Digital Forensic Engineering (SADFE-2009)
+
|Feb 01, 2009
+
|
+
|http://conf.ncku.edu.tw/sadfe/sadfe09/
+
|-
+
|Blackhat Briefings - Europe
+
|Feb 01, 2009
+
|Feb 15, 2009
+
|https://www.blackhat.com/html/bh-europe-09/bh-eu-09-cfp.html.
+
|-
+
|Usenix Security 2009
+
|Feb 04, 2009
+
|Apr 13, 2009
+
|http://www.usenix.org/events/sec09/cfp
+
|-
+
|1st Workshop on Internet Multimedia Search and Mining
+
|Feb 08, 2009
+
|Mar 15, 2009
+
|http://research.microsoft.com/en-us/um/people/xshua/imsm/cfp.html
+
|-
+
|2009 ADFSL Conference on Digital Forensics, Security and Law
+
|Feb 20, 2009
+
|
+
|http://www.digitalforensics-conference.org/callforpapers.htm
+
|-
+
|KDDD 2009
+
|Feb 02, 2009
+
|Apr 10, 2009
+
|http://www.sigkdd.org/kdd2009/
+
|-
+
|DFRWS 2009
+
|Mar 16, 2009
+
|Apr 28, 2009
+
|http://www.dfrws.org/2009/cfp.shtml
+
|-
+
|Layer One - 2009
+
|Apr 01, 2009
+
|Apr 15, 2009
+
|http://layerone.info/
+
|-
+
|ACM CCS 2009
+
|Apr ?? 2009
+
|
+
|http://www.sigsac.org/ccs
+
|-
+
|Usenix Lisa 2009
+
|Apr 30, 2009
+
|Jul 07, 2009
+
|http://www.usenix.org/events/lisa09/cfp/
+
|-
+
|New Security Paradigms Conference 2009
+
|Apr ?? 2009
+
|
+
|http://www.nspw.org/current/
+
|-
+
|IEEE Symposium on Security and Privacy 2010
+
|Nov ?? 2009
+
|
+
|-
+
|ShmooCon 2010
+
|Dec ??, 2008
+
|Jan ??, 2009
+
|http://www.shmoocon.org/cfp.html
+
|-
+
|AusCERT Conference 2010
+
|Dec ??, 2008
+
|Jan ??, 2009
+
|http://conference.auscert.org.au/conf2010/cfp2010.html
+
|-
+
|}
+
  
== Conferences ==
+
At [[CanSec West 05]], [[Michael Becher]], [[Maximillian Dornseif]], and [[Christian N. Klein]] discussed an [[exploit]] which uses [[DMA]] to read arbitrary memory locations of a [[firewire]]-enabled system. The [http://md.hudora.de/presentations/firewire/2005-firewire-cansecwest.pdf paper] lists more details. The exploit is run on an [http://ipodlinux.org/Main_Page iPod running Linux]. This can be used to grab screen contents.  
{| border="0" cellpadding="2" cellspacing="2" align="top"
+
|- style="background:#bfbfbf; font-weight: bold"
+
! width="40%"|Title
+
! width="20%"|Date/Location
+
! width="40%"|Website
+
|-
+
|2009 DoD Cyber Crime Conference
+
|Jan 24-30<br>St. Louis, MO
+
|http://www.dodcybercrime.com/
+
|-
+
|5th Annual IFIP WG 11.9 International Conference on Digital Forensics
+
|Jan 25-28<br>Orlando, FL
+
|http://www.ifip119.org/Conferences/
+
|-
+
|ShmooCon 2009
+
|Feb 06-08<br>Washington, DC
+
|http://www.shmoocon.org/
+
|-
+
|American Academy of Forensic Sciences Annual Meeting
+
|Feb 16-21<br>Denver, CO
+
|http://www.aafs.org/default.asp?section_id=meetings&page_id=aafs_annual_meeting
+
|-
+
|Blackhat DC
+
|Feb 16-19<br>Washington, DC
+
|https://www.blackhat.com/html/bh-dc-09/bh-dc-09-main.html
+
|-
+
|24th Annual ACM Symposium on Applied Computing - Computer Forensics Track
+
|Mar 08-12<br>Honolulu, HI
+
|http://www.acm.org/conferences/sac/sac2009
+
|-
+
|ARES 2009 Conference
+
|Mar 16-19<br>Fukuoka, Japan
+
|http://www.ares-conference.eu/conf/
+
|-
+
|Security Opus
+
|Mar 17-18<br>San Francisco, CA
+
|http://www.securityopus.com
+
|-
+
|e-Crime Congress 2009
+
|Mar 24-25<br>London, United Kingdom
+
|http://www.e-crimecongress.org/ecrime2009/
+
|-
+
|Blackhat Europe
+
|Apr 14-17<br>Amsterdam, The Netherlands
+
|https://www.blackhat.com/html/bh-europe-09/bh-eu-09-main.html
+
|-
+
|AusCERT2009
+
|May 17-22<br>Gold Coast, Australia
+
|http://conference.auscert.org.au/conf2009/
+
|-
+
|Computer Security Institute: Security Exchange
+
|May 17-22<br>Las Vegas, NV
+
|http://www.csisx.com/
+
|-
+
|ADFSL 2009 Conference on Digital Forensics, Security and Law
+
|May 20-22<br>Burlington, VT
+
|http://www.digitalforensics-conference.org
+
|-
+
|Fourth International Workshop on Systematic Approaches to Digital Forensic Engineering
+
|May 22<br>Oakland, CA
+
|http://conf.ncku.edu.tw/sadfe/sadfe09/
+
|-
+
|LayerOne 2009 Security Conference
+
|May 23-24<br>Anaheim, CA
+
|http://layerone.info/
+
|-
+
|Mobile Forensics World 2009
+
|May 26-30<br>Chicago, IL
+
|http://www.mobileforensicsworld.com
+
|-
+
|2009 Techno Security Conference
+
|May 31-Jun 03<br>Myrtle Beach, SC
+
|http://www.techsec.com/index.html
+
|-
+
|USENIX 2009
+
|Jun 14-19<br>San Diego, CA
+
|http://www.usenix.org/events/usenix09/
+
|-
+
|IEEE ICC Communication and Information Systems Security (CISS) Symposium
+
|Jun 14-18<br>Dresden, Germany
+
|http://www.ieee-icc.org/2009/
+
|-
+
|1st Workshop on Internet Multimedia Search and Mining (IMSM'09)
+
|Jul 03<br>Cancun, Mexico
+
|http://research.microsoft.com/en-us/um/people/xshua/imsm/index.html
+
|-
+
|Blackhat USA 2009
+
|Jul 25-30<br>Las Vegas, NV
+
|https://www.blackhat.com/
+
|-
+
|DefCon 17
+
|Jul 31-Aug 02<br>Las Vegas, NV
+
|http://www.defcon.org/
+
|-
+
|Usenix Security Sypmosium
+
|Aug 10-14<br>Montreal, Quebec, Canada
+
|http://www.usenix.org/events/sec09/
+
|-
+
|Digital Forensic Research Workshop
+
|Aug 17-19<br>Montreal, Quebec, Canada
+
|http://www.dfrws.org
+
|-
+
|Triennial Meeting of the European Academy of Forensic Science
+
|Sep 08-11<br>Glasgow, Scotland, UK
+
|http://www.eafs2009.com/
+
|-
+
|Hacker Halted USA 2009
+
|Sep 20-24<br>Miami, FL
+
|http://www.hackerhalted.com/usa
+
|-
+
|}
+
  
== On-going / Continuous Training ==
+
In theory, this could be used with the ... to send through an exploit code that would cause the system to dump the contents of its hard drive back to the [[iPod]].
{| border="0" cellpadding="2" cellspacing="2" align="top"
+
|- style="background:#bfbfbf; font-weight: bold"
+
! width="40%"|Title
+
! width="20%"|Date/Location
+
! width="40%"|Website
+
|-
+
|- style="background:pink;align:left"
+
! DISTANCE LEARNING
+
|-
+
|Basic Computer Examiner Course - Computer Forensic Training Online
+
|Distance Learning Format
+
|http://www.cftco.com
+
|-
+
|Linux Data Forensics Training
+
|Distance Learning Format
+
|http://www.crazytrain.com/training.html
+
|-
+
|SANS On-Demand Training
+
|Distance Learning Format
+
|http://www.sans.org/ondemand/?portal=69456f95660ade45be29c00b0c14aea1
+
|-
+
|- style="background:pink;align:left"
+
!RECURRING TRAINING
+
|-
+
|MaresWare Suite Training
+
|First full week every month<br>Atlanta, GA
+
|http://www.maresware.com/maresware/training/maresware.htm
+
|-
+
|Evidence Recovery for Windows Vista&trade;
+
|First full week every month<br>Brunswick, GA
+
|http://www.internetcrimes.net
+
|-
+
|Evidence Recovery for Windows Server&reg; 2003 R2
+
|Second full week every month<br>Brunswick, GA
+
|http://www.internetcrimes.net
+
|-
+
|Evidence Recovery for the Windows XP&trade; operating system  
+
|Third full week every month<br>Brunswick, GA
+
|http://www.internetcrimes.net
+
|-
+
|Computer Forensics Training and CCE&trade; Testing for Litigation Support Professionals
+
|Third weekend of every month(Fri-Mon)<br>Dallas, TX
+
|http://www.md5group.com
+
|-
+
|}
+
 
+
==See Also==
+
* [[Scheduled Training Courses]]
+
==References==
+
* [http://faculty.cs.tamu.edu/guofei/sec_conf_stat.htm Computer Security Conference Ranking and Statistic]
+
* [http://www.kdnuggets.com/meetings/ Meetings and Conferences in Data Mining and Discovery]
+
* http://www.conferencealerts.com/data.htm Data Mining Conferences World-Wide]
+

Revision as of 08:35, 20 May 2006

The physical memory of computers can be imaged and analyzed using a variety of tools. Because the procedure for accessing physical memory varies between operating systems, these tools are listed by operating system. Usually memory images are used as part of memory analysis.

Microsoft Windows

dd
A version of dd by George Garner allows an Administrator user to image memory using the \device\physicalmemory object. Userland access to this object is denied starting in Windows 2003 Service Pack 1 and Windows Vista. This program cannot be used on Windows 2003 SP1 and above.
hibernation files
Windows 98, 2000, XP, 2003, and Vista support a feature called hibernation that saves the machine's state to the disk when the computer is powered off. When the machine is turned on again, the state is restored and the user can return to the exact point where they left off. The machine's state, including a compressed image of physical memory, is written to the disk on the System drive, usually C:, as hiberfil.sys. This file can be parsed and decompressed to obtain the memory image.

Exploits

At CanSec West 05, Michael Becher, Maximillian Dornseif, and Christian N. Klein discussed an exploit which uses DMA to read arbitrary memory locations of a firewire-enabled system. The paper lists more details. The exploit is run on an iPod running Linux. This can be used to grab screen contents.

In theory, this could be used with the ... to send through an exploit code that would cause the system to dump the contents of its hard drive back to the iPod.