Covert Post-Exploitation Forensics With Metasploit

Presented at DEF CON 19 (2011), Aug. 5, 2011, 3 p.m. (50 minutes)

In digital forensics, most examinations take place after the hardware has been physically seized (in most law enforcement scenarios) or a preinstalled agent allows access (in the case of enterprise forensics packages). These scenarios imply that the "subject' (the one in possession of the media) is aware of the fact that their data has been seized or subject to remote access. While penetration testing tools allow for surface-level access to the target filesystem, there is a lot of potential data that is being missed in unallocated space that could be accessed by file system forensic tools such The Sleuth Kit. In this presentation, Wesley will present a new set of tools that will allow forensic examiners and pentesters alike to image remote filesystems of compromised systems, or perform examinations directly on remote filesystem with forensic tools on the attacking machine by mapping remote drives to local block devices. This is the integration of Metasploit with a large body of existing digital forensic tools.

Presenters:

  • Wesley McGrew - Research Associate, Mississippi State University National Forensics Training Center
    Wesley McGrew is currently a lecturer and researcher at the National Forensics Training Center, which provides free digital forensics training to law enforcement and wounded veterans. He has interests in both penetration testing and digital forensics, resulting in some interesting combinations of the two. He has written tools useful to both fields (NBNSpoof, msramdmp, GooSweep), and tries to stay involved and interactive with the online infosec community. Twitter: @mcgrewsecurity

Links: