Friday, March 9, 2012

Something to trigger the mood to read and write

It has been ages since my last determination to continue on with research in memory analysis. Prof has been 'advising' me a lot on writing a paper for publication.  I decided to put up some pics from my previous trip to the Netherlands, to recall the spirit, the determination of all those researchers that I met.  All the pics below were taken on our way to Delft University of Technology and on the campus site.
This building caught my eye..

Delft University of Technology

Postdoc researcher, Dr Laurens with his presentation

Bob presenting topic on pattern recognition

Capturing memory with our Prof's main mentor..Dr Bob Duin
Delft city

Getting the 'feel' of being back in school..

UTM researchers team (on left) and TU Delft team

Sunday, June 19, 2011

What I do over the Weekend

I was planning on visiting my supervisor at her home! to discuss the progress of my research.  But it turned out I couldn't get the report completed over the weekend.  I felt that I need another month to really understand the Windows memory structure before I can confidently present my 'proof of concept' research work.  OK, now I have narrowed down my analysis to processes, threads and strings..I was happy to see that the pslist output of my 1st memory dump shows significant traces of processes from the portable VM.  In the 2nd memory dump, as expected, all the processes are gone..and this is the challenging part, as I need to dig deeper, to look at the threads. And I just finished my reading on ETHREAD about an hour ago.
Not to mention, my Saturday was not going well. I had my migraine the whole day, and I ended up sleeping from morning until I don't know what time. I woke up a few times during the sleep to attend to my boy (poor him..playing and watching movies alone).  There are so many things I plan to make up for after my paper is completed..and among the IMPORTANT ones is spending more time with my family..especially with my little hero.

May Allah smooth my journey till this Friday..
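The comparison described in this post (pslist traces in the first dump, processes gone in the second, then digging into thread objects and strings), as an added example that is not the blog author's code and not Volatility output. The process and thread records below are constructed stand-ins for what a process-list and thread-list plugin would return; the process names, PIDs, TIDs, start addresses and the byte buffer are all made up for the illustration.

```python
"""Locate remnants of a vanished process set across two memory dumps.

Added illustration (not the author's code, not Volatility output): the
records are constructed to stand in for the kind of data a process-list
and thread-list plugin would return for two acquisitions of the same host.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Process:
    pid: int
    ppid: int
    name: str


@dataclass(frozen=True)
class Thread:
    tid: int
    owner_pid: int      # PID of the owning process, as an ETHREAD-style record carries
    start_address: int  # constructed value, used only for display


# Constructed dump 1: the portable VM is still plugged in and running.
DUMP1_PROCESSES = [
    Process(4, 0, "System"),
    Process(1234, 4, "explorer.exe"),
    Process(2200, 1234, "portablevm.exe"),   # made-up VM launcher
    Process(2244, 2200, "vm-worker.exe"),    # made-up VM child
]
DUMP1_THREADS = [
    Thread(100, 4, 0x80500000),
    Thread(1300, 1234, 0x00401000),
    Thread(2210, 2200, 0x00401000),
    Thread(2212, 2200, 0x00402000),
    Thread(2250, 2244, 0x00401000),
]

# Constructed dump 2: VM unplugged. Its processes are gone from the list,
# but a few thread records still reference the old PIDs.
DUMP2_PROCESSES = [
    Process(4, 0, "System"),
    Process(1234, 4, "explorer.exe"),
]
DUMP2_THREADS = [
    Thread(100, 4, 0x80500000),
    Thread(1300, 1234, 0x00401000),
    Thread(2212, 2200, 0x00402000),
    Thread(2250, 2244, 0x00401000),
]

# Constructed raw memory fragment with strings the VM left behind.
RAW_FRAGMENT = (
    b"\x00\x00MZ\x90\x00"
    + b"portablevm.exe" + b"\x00" * 4
    + b"C:\\PortableApps\\vm\\disk.vmdk" + b"\x00"
    + b"portablevm.exe"
)


def vanished_processes(before: list[Process], after: list[Process]) -> list[Process]:
    """Processes present in the first dump but absent from the second."""
    after_pids = {p.pid for p in after}
    return [p for p in before if p.pid not in after_pids]


def orphaned_threads(processes: list[Process], threads: list[Thread]) -> list[Thread]:
    """Thread records whose owning PID is not in the process list of the same dump."""
    live = {p.pid for p in processes}
    return [t for t in threads if t.owner_pid not in live]


def attribute_remnants(before: list[Process], after: list[Process],
                       after_threads: list[Thread]) -> dict[str, list[int]]:
    """Map each vanished process name to the TIDs that still point at its PID."""
    gone = {p.pid: p.name for p in vanished_processes(before, after)}
    result: dict[str, list[int]] = {name: [] for name in gone.values()}
    for t in orphaned_threads(after, after_threads):
        if t.owner_pid in gone:
            result[gone[t.owner_pid]].append(t.tid)
    return result


def find_strings(buf: bytes, needles: list[bytes]) -> dict[bytes, list[int]]:
    """Every offset at which each needle occurs in the buffer (overlaps included)."""
    hits: dict[bytes, list[int]] = {n: [] for n in needles}
    for n in needles:
        pos = buf.find(n)
        while pos != -1:
            hits[n].append(pos)
            pos = buf.find(n, pos + 1)
    return hits


if __name__ == "__main__":
    for p in vanished_processes(DUMP1_PROCESSES, DUMP2_PROCESSES):
        print(f"gone from dump 2: pid={p.pid} {p.name}")
    for name, tids in attribute_remnants(DUMP1_PROCESSES, DUMP2_PROCESSES, DUMP2_THREADS).items():
        print(f"{name}: thread remnants {tids}")
    for needle, offsets in find_strings(RAW_FRAGMENT, [b"portablevm.exe", b".vmdk"]).items():
        print(f"{needle!r} at offsets {offsets}")
```

The point of splitting the work into three functions is that each answers a different forensic question: what disappeared between acquisitions, which kernel thread records outlived their process, and which strings still sit in unallocated memory. Attributing orphaned threads back to a vanished PID is what turns "the processes are gone" into a trace that can be written up.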

Friday, June 17, 2011

Switching tool at the very last minute

I decided to "upgrade" (the correct term, instead of "switching") my FMA tool from Volatility 1.3 beta to Volatility 1.4 SVN.  In the previous version of Vol, I stumbled upon a few errors with the plugins..ident, filescan, fileobjscan, etc.  In the process of getting my upgraded FMA tool up, again I faced problems when installing PyCrypto in my Python folder.  I had Python 2.7 installed previously when using the previous version of Vol.   I struggled too with the PyCrypto installation.
Well..one thing for sure, I always learn things the hard way..And now, again..PyCrypto installation always gets in my way with the problems I know nothing


Saturday, June 4, 2011

understanding memory structure

First time in the last 10 years I sat and dug into one topic for hours..from 12 noon till now, 7pm. I also juggled with the Volatility tool, trying to make sense of some of the plugins. I had dumped 2GB of memory for analysis purposes. In 32-bit mode, there is always a 4GB block of memory addresses. So..what happened to my other 2GB of data? I'll leave that for a later headache. Since my project is to trace remnants of a portable virtual machine that was unplugged from the host machine, I am looking at traces of evidence, and not the complete evidence itself. This is more like a proof of concept that I can still find traces.
I have to look for existing processes that most probably can be found in the kernel data..

Kernel/User Memory Split

Monday, April 25, 2011

Daughtry - September



Once in a while I like to 'tune off' from my project for a while.  And here it goes..

Thursday, April 21, 2011

I solved it

Thanks to God
I almost gave up on the error message 'produced' in Volatility.
Finally, after some digging in moyix's blog http://moyix.blogspot.com/2009/01/registry-code-updates.html, 'walking the list' of plugins, the 'culprits' were from two areas.
Apparently, my crypto folder was in the wrong directory (thanks to Mr Ruud for pointing this out), and second, I was not using the binary package for my PyCrypto.
Clean slate of Vol!

Thursday, April 7, 2011

Netherlands - Second Day of Visit

I was supposed to update on yesterday's visit to the Netherlands Forensic Institute.  It was a great moment. We had a chance to meet some of the researchers in our field.  I was one lucky person, as I got to meet one of the researchers I referred to.
The meeting started with Mr Ruud presenting a topic on memory analysis.  He updated us on the latest tools used for memory acquisition and memory analysis.  This was followed by my presentation on memory analysis of a portable virtual machine.  I was hoping for encouraging feedback; however, it was not my day. Mr Ruud has not explored the area that I am working on. Alas....I still got good advice from him.
Can't wait for the turn to present..:)

Relief plus joy...I am done!

Prof. Dr Azizah presenting token from UTM to Mrs Rietveld, Head of DT & Biometric, NFI


Discussion with NFI research scientist, Mr Coert

Netherlands Forensic Institute

Again..NFI at the back
Some pics while we were in NFI...