Friday, February 8, 2013

The Analysis of Process Token Privileges

My presentation at the 2012 Open Source Memory Forensics Workshop:


Reverse engineering windows systems nowadays involves looking at static data, such as executables, symbols, pdbs, and/or dynamic data when debugging with a tool like windbg. Determining data structures and the meaning of their content has proven to be time consuming, especially when dealing with undocumented objects. This presentation tackles the problem by describing a novel approach, which utilizes the Volatility Framework and F-response to monitor changes taking place on a live system’s RAM that appear as a result of manipulating the targeted structures’ content. The technique is used in the discovery of the process privileges on Windows operating systems and the development of a new plugin. The presentation also provides examples of how the new plugin is used to discover malicious activity.

The privileges plugin can be found in the latest version of the Volatility Framework.

Thursday, February 7, 2013

Sneaking into networks with the Demyo Power Strip


Let's see if this silicon blade is sharp enough to cut through the security cheese! 

Some intros: The Demyo Power Strip (DPS) is a covert penetration testing device built by Demyo Sec made to be used for penetration tests. While not being the first of its kind out there, is a strong competitor to other existing tools, such as Power Pwn, and the PlugBot etc. The DPS gives you the ability to launch attacks over ethernet, WiFi and Bluetooth.


  • Based on Raspberry Pi
  • CPU 700Mhz, boostable to 1Ghz, 512MB RAM, 32GB SD
  • Ethernet (10/100), WiFi b/g/n and Bluetooth connectivity
  • Runs Debian Linux
  • CLI (via SSH) and GUI (via VNC)
  • Physical dimensions 14″ x 2.25″ x 8.25″ or 35.56cm x 5.72cm x 20.96cm 
  • Actually functions as a real power strip