Difference between pages "Windows Memory Analysis" and "Internships"

From ForensicsWiki
m (Updated to include info on Volatility)
Analysis of [[physical memory]] from [[Windows]] systems can yield significant information about the target operating system. This field is still very new, but holds great promise.
  
== Sample Memory Images ==
  
Getting started with memory analysis can be difficult without some known images to practice with.
  
* The 2005 [[Digital Forensic Research Workshop]] [http://www.dfrws.org/2005/challenge/ Memory Analysis Challenge] published two Windows 2000 Service Pack 1 memory images with some [[malware]] installed.
  
* The [http://dftt.sourceforge.net/ Digital Forensics Tool Testing] project has published a few [http://dftt.sourceforge.net/test13/index.html Windows memory images].
  
== See Also ==
* [[Pagefile.sys]]
  
== History ==
  
During the 1990s, it became a [[best practice]] to capture a [[Tools:Memory_Imaging|memory image]] during [[Incident Response|incident response]]. At the time, the only way to analyze such memory images was using [[strings]]. Although this method could reveal interesting details about the memory image, there was no way to associate what data came from what program, let alone what user.
  
In the summer of 2005 the [[Digital Forensic Research Workshop]] published a ''Memory Analysis Challenge''. They distributed two memory images and asked researchers to answer a number of questions about a security incident. The challenge produced two seminal works. The first, by [[Chris Betz]], introduced a tool called [[memparser]]. The second, by [[George Garner]] and [[Robert-Jan Mora]], produced [[kntlist]].
  
At the [[Blackhat (conference)|Blackhat Federal]] conference in March 2007, [[AAron Walters]] and [[Nick Petroni]] released a suite called [[volatools]]. Although it only worked on [[Windows XP]] Service Pack 2 images, it was able to extract a good deal of useful data. [[volatools]] was updated and re-released as [[Volatility]] in August 2007, and is now maintained and distributed by [https://www.volatilesystems.com/ Volatile Systems].
  
== External Links ==
; Jesse Kornblum Memory Analysis discussion on Cyberspeak
: http://cyberspeak.libsyn.com/index.php?post_id=98104
; Memory Analysis Bibliography
: http://www.4tphi.net/fatkit/#links

Internships

Revision as of 22:19, 8 March 2007

This page describes internship opportunities in the field of computer forensics. Please feel free to add your own.

Comments

By Chet Uber, March 8, 2007

A PROBLEM


In the Nebraska Cyber Crime Task Force an issue arose which stopped college students from being allowed to work as interns, and this was that they do not have the formal training that official forensic officers do and can damage critical evidence. This was a valid comment by the director of the State Patrol's Forensic Lab. A number of us in the room ran through ways to do away with this potential problem (please note this is not at all related to releasing confidential information, but rather the destruction of the original forensic evidence).

A SOLUTION THAT WORKS


The disk is duplicated, and the duplicate is given to the University's Forensic Lab Manager, who assigns cases. The intern then performs forensics and records offsets, or other methods, to form a "recipe" to find what they found. This recipe can then be passed back to Law Enforcement and they can recreate the examination. This method saves LE a lot of time, and gives good experience to not just one student intern, but can be given to many interns. For more information on this novel solution contact:

Dr. Blaine Burnham (bburnham@mail.unomaha.edu) Executive Director, Nebraska University Consortium on Information Assurance

Dr. Burnham is the Director of NUCIA and a Senior Research Fellow for the College of Information Science and Technology. Most recently, he was the Director of the Georgia Tech Information Security Center. Previously, Burnham worked in a variety of information assurance roles at the National Security Agency (NSA), Los Alamos National Laboratory, and Sandia Laboratory.

To see the top class labs that are available at this institution see:

http://nucia.unomaha.edu/steal/labs.php

<-END COMMENT->

USA

1. Check out this page: http://www.rit.edu/~gtfsbi/forensics/internships.htm . It has a load of internships, although not all are stipend-paying.

2. Internet Crimes Against Children. ICAC has offices in almost every state.

3. Check with companies that do computer forensics. Examples include Kroll and Pinkerton.

4. Explore the Scholarship for Service and Scholarship for Work programs offered by the US Government.

Vermont

Vermont ICAC (Internet Crimes Against Children). http://www.vtspecialcrimes.org/

Vermont State Patrol. They are almost always understaffed, and may have suggestions about working with counties and cities. It requires that you are not a felon and can pass a 7-year background check, but a lot of places are so backlogged that they are putting on reserve deputies to work cyber crime. http://www.dps.state.vt.us/vtsp/bci.html