Slides are available here. Not rocket science but very interesting to see how efficient results can be obtained if we put different exciting and performant technologies together.

PowerShell script used to retrieve erased EPROCESS entries from PspCidTable is available here.

Figure 1 – Screenshot of the powershell script in action
Magic command (.\FUto.ps1 | Out-GridView)

And here is win32dd v1.2.1.20090608 – If you want more information about the update go here.

PS. Do not copy win32dd in the System32 directory and run it as Administrator. I think I’ll write a HOWTO document soon.

8.00 PM (yeah it’s late)
I had almost 7 hours of time travel in Train from Paris to Goettigen. It was really exhausting but it was a good opportunity to talk with pretty girls visiting Europa :)

This year, SambaXP conference hold in Freizeit Hotel (Free time in English) in Goettingen (Germany) from 14th to 18th April.
During the dinner, I met Samba Team, OpenChange Team and sponsors people.

I had a really interesting discussion with the folks of Samba about Protocol Freedom Information Foundation (PFIF).

My main question was : What’s the difference between semi-private documentation provided by PFIF since December 2007 and public documentation provided by MSDN since March?
Technically, the content is the same. But if you look the law part PFIF grants extra patents protections.
For instance, if someone uses PFIF docs then Microsoft has a limited number of patents they can assert against the developer but if he uses MSDN docs then he doesn’t have patent protection.

I strongly recommend you to read links I posted above. That’s really an impressive work they did since 1992.

Weather in Germany is cold! I even wonder if it’s colder than North France one.

During the dinner, I had the occasion to meet Tom Hanrahan from Port 25 (MSFT) who works as Director of Linux Interoperability.

I’d like to share an interesting reference from Dan to a speech of Eben Moglen about “The Global Software Industry in Transformation: After GPLv3″. (Audio, Txt).

Andrew Tridgell (Samba Team), Samba and the PFIF renamed Samba and Microsoft to focus on new relationship between Samba and Microsoft engineers.

Andrew gave a quick review of the relationship with Microsoft timeline from early 90’s to now including the antitrust action in Europe during (99 – 07), WSPP/PFIF agreement (late 2007) to actual open cooperation publicly release of documentation MSDN (MSFT interoperability initiative).

PFIF (Protocol Freedom information foundation) has been introduced. For people who never heard about PFIF, it’s a legal entity that allows free software projects to take advantage of the WSPP protocol program. It makes protocol documentation available under a NDA but compatible with GPL. With an additional guarantees provided for at least 5 years of updates and corrections. Andrew also talked about the recent errors discovered in the documentation and the fact that Microsoft is now close to developers to fix it.

As you probably know, WSPP and MCPP documents are now public under a liberal license. It means Samba can now build an open community for cooperation on protocol knowledge. All previous secret on WSPP/PFIF is finished because the documentation is now available to everyone. PFIF also provides some additional guarantees on documentation updates and corrections.

As Andrew said, it means a good technical cooperation because lawyers are now sidelined and engineers have taken over. He also mentioned there is now a public forum for protocol discussion where PFIF members and MS Engineers can talk.

Tridge also highlighted two notable events for 2008:

Samba’ll be participing file system plugfest at Microsoft in June.

Microsoft will actively participate in the CIFS plugfest in August.

Julien Kerihuel (OpenChange): When OpenChange assimilates the Borg
OpenChange is 5 years old project build over Samba 4 infrastructure, two members of Openchange belong to Samba Team. Julien mostly talks about the libmapi client implementation This library provides an interface for NSPI & EMSMDB protocol.

*Party!*

This day is composed of three simultaneous room for three simultaneous talks.

There is a presentation I really appreciated, entitled Samba Encryption by Jeremy Allison (Google & Samba Team). The talk was about SMB protocol internal and some programming stuff.

[JP] http://www.msuiche.net/pres/psj07ruffsuiche-jp.pdf
[EN] http://www.msuiche.net/pres/PacSec07-slides-0.4.pdf

An overview of hibernation file format is explained and the forensics library we called Sandman is introduced.

Sandman status is reachable here :
http://sandman.msuiche.net/

The PacSec Agenda had been released! http://www.securityfocus.com/archive/1/482602/30/0/threaded
Speaker list:
http://www.pacsec.jp/speakers.html

Talk selections for PacSec 2007 - November 29 and 30 - Aoyama Diamond Hall

------

The topic is talking about forensic/hiberation under Windows. More information will be available in November…

The translation can be found at the following link : Windows Vista Kernel Security – [EN].ppt

I’m writting an article about it which will be released very soon.

Happy merry xmas !

Today I did a presentation at the French Engineer School named Ecole Normal Supérieur. French Slides can be found at the following link OSSIR – Windows Vista Kernel Security.

In this presentation I’m showing an alternative theory to Patchguard on Windows Vista 32/64bits.

An article will be soon available.