Category Archives: Presentations

Challenge of Windows physical memory acquisition and exploitation

(Honolulu, HI) – Here is a quick post to provide the resources presented this afternoon at Shakacon 2009.
This talk aims to show win32dd users (forensics engineers, investigators, incident response engineers, ..) why physical memory analysis is important, and mainly covers how to rethink memory acquisition and exploitation in a more efficient way.

Slides are available here. Nothing groundbreaking, but it is very interesting to see how efficient results can be obtained by putting different exciting, high-performance technologies together.

PowerShell script used to retrieve erased EPROCESS entries from PspCidTable is available here.

[Screenshot: hidden process]
Figure 1 – Screenshot of the PowerShell script in action
Magic command: .\FUto.ps1 | Out-GridView

And here is win32dd v1.2.1.20090608 – If you want more information about the update go here.

PS: Do not copy win32dd into the System32 directory and run it as Administrator. I think I’ll write a HOWTO document soon.

Samba eXPerience conference – Germany


  • Day 1 :: Workshop
  • 8.00 PM (yeah it’s late)
    I had almost 7 hours of travel time by train from Paris to Goettingen.

    This year, the SambaXP conference was held at the Freizeit Hotel (“Free time” in English) in Goettingen (Germany) from 14th to 18th April.
    During the dinner, I met the Samba Team, the OpenChange Team and people from the sponsors.

  • Day 2 :: Workshop
  • I had a really interesting discussion with the Samba folks about the Protocol Freedom Information Foundation (PFIF).

    My main question was: What’s the difference between the semi-private documentation provided by PFIF since December 2007 and the public documentation provided by MSDN since March?
    Technically, the content is the same. But if you look at the legal part, PFIF grants extra patent protections.
    For instance, if someone uses the PFIF docs, then Microsoft has only a limited number of patents it can assert against the developer; but if he uses the MSDN docs, then he doesn’t have patent protection.

    I strongly recommend reading the links I posted above. It’s really impressive work they have done since 1992.

  • Day 3 :: Tutorials
  • The weather in Germany is cold! I even wonder if it’s colder than in the north of France.

    During the dinner, I had the opportunity to meet Tom Hanrahan from Port 25 (MSFT), who works as Director of Linux Interoperability.

    I’d like to share an interesting reference from Dan to a speech by Eben Moglen about “The Global Software Industry in Transformation: After GPLv3”. (Audio, Txt).

  • Day 4 :: Conference
  • Andrew Tridgell (Samba Team): the talk “Samba and the PFIF” was renamed “Samba and Microsoft” to focus on the new relationship between Samba and Microsoft engineers.

    Andrew gave a quick review of the timeline of the relationship with Microsoft, from the early 90’s to now, including the antitrust action in Europe (99 – 07), the WSPP/PFIF agreement (late 2007), and the current open cooperation with the public release of documentation on MSDN (MSFT interoperability initiative).

    PFIF (Protocol Freedom Information Foundation) was introduced. For people who have never heard about PFIF, it’s a legal entity that allows free software projects to take advantage of the WSPP protocol program. It makes protocol documentation available under an NDA that is compatible with the GPL, with additional guarantees of at least 5 years of updates and corrections. Andrew also talked about the recent errors discovered in the documentation and the fact that Microsoft is now working closely with developers to fix them.

    As you probably know, the WSPP and MCPP documents are now public under a liberal license. It means Samba can now build an open community for cooperation on protocol knowledge. All previous secrecy around WSPP/PFIF is over because the documentation is now available to everyone. PFIF also provides some additional guarantees on documentation updates and corrections.

    As Andrew said, this means good technical cooperation because the lawyers are now sidelined and the engineers have taken over. He also mentioned there is now a public forum for protocol discussion where PFIF members and MS engineers can talk.

    Tridge also highlighted two notable events for 2008:

      Samba will participate in the file system plugfest at Microsoft in June.
      Microsoft will actively participate in the CIFS plugfest in August.

    Julien Kerihuel (OpenChange): When OpenChange assimilates the Borg
    OpenChange is a 5-year-old project built over the Samba 4 infrastructure; two members of OpenChange belong to the Samba Team. Julien mostly talked about the libmapi client implementation. This library provides an interface for the NSPI & EMSMDB protocols.


  • Day 5 :: Conference
  • This day had three rooms running three talks simultaneously.

    There is a presentation I really appreciated, entitled Samba Encryption by Jeremy Allison (Google & Samba Team). The talk was about SMB protocol internals and some programming topics.

Enter Sandman – Japan PacSec 2007

For people who weren’t (or were :)) at PacSec last week: slides of the Sandman lecture can be found in Japanese [PPT] or in English (updated – last version) [PDF].

An overview of the hibernation file format is explained, and the forensics library we called Sandman is introduced.

The Sandman status page is reachable here:

Enter sandman… :)

The PacSec Agenda has been released!
Speaker list:

Talk selections for PacSec 2007 - November 29 and 30 - Aoyama Diamond Hall

- Programmed I/O accesses: a threat to virtual machine monitors? -
Loic Duflot,

- Developing Fuzzers with Peach -
Michael Eddington, Leviathan Security

- Cyber Attacks Against Japan -
Hiroshi Kawaguchi, LAC

- Windows Localization: Owning Asian Windows Versions -
Kostya Kortchinsky, Immunity

- TOMOYO Linux -
Toshiharu Harada, NTT Data

- IPV6 Demystified -
Jun-ichiro itojun Hagino, IPv6Samurais

- Automated JavaScript Deobfuscation -
Alex Rice, Websense Security Labs

- Enter Sandman (why you should never go to sleep) -
Nicolas Ruff & Matthieu Suiche, EADS

- Agent-oriented SQL Abuse -
Fernando Russ & Diego Tiscornia, Core

- Bad Ideas: Using a JVM/CLR for Intellectual Property Protection -
Marc Schoenefeld, University of Bamberg

- Heap exploits are dead. Heap exploits remain dead. And we have killed them. -
Nicolas Waisman, Immunity

- Deploying and operating a Global Distributed Honeynet -
David Watson, Honeynet Project

- Office 0days and the people who love them -
TBA, Microsoft
(I would also like to thank Colin Delaney and Stephen Ridley as standby


The talk is about forensics and hibernation under Windows. More information will be available in November…