Secure Application Development

Wietse presents lessons learned about the persistence of information in file systems and in main memory of modern computers - not only how long information persists, but also why this happens, and what the limitations of that information are. Many examples are from UNIX/Linux systems, but some examples cover Windows as well (and illustrate that Windows and *NIX aren't fundamentally different).

This presentation includes content from the "Forensic Discovery" book that was co-authored with Dan Farmer.

Outline:

After an introduction to the basic concepts of volatility and persistence, Wietse presents examples of how to recover time line information from a variety of network and host-based sources.

After a walk-through of a post-mortem file system analysis, the presentation ends with results from file and memory persistence measurements. The results are based on measurements of a variety of UNIX and Linux systems, with some results for Windows/XP, including how to recover encrypted files without knowing the key.

PDF slides

Recording part 1:


Recording part 2:
