Advances in Linux Process Forensics Using ECFS

DEF CON 23

Presented by: Ryan O'Neill
Date: Sunday August 09, 2015
Time: 14:00 - 14:50
Location: Track Three

Many hackers today use process memory infections to maintain a stealthy residence inside a compromised system. The current state of forensics tools on Linux lacks the sophistication of the infection methods found in real-world hacks. ECFS (Extended Core File Snapshot) technology, https://github.com/elfmaster/ecfs, is an innovative extension to regular ELF core files, designed to serve as forensics-friendly snapshots of process memory. A brief showcase of the ECFS technology was featured in POC||GTFO 0x7 (Innovations with core files).

Ryan O'Neill

Ryan 'elfmaster' O'Neill is a computer security researcher at Leviathan Security and the maintainer of Bitlackeys.org, a hub for much of his independent research. He is a reverse engineer and software engineer who also specializes in the ELF binary format, and delivers ongoing workshops in this area to interested parties, including the US government. Ryan has worked on many security technologies including but not limited to: Ryan has produced a lot of research and publications in areas pertaining to Linux kernel and userland malware, such as "Linux kprobe instrumentation" from Phrack 66, and is the author of the soon-to-be-released book "The Art of Linux Binary Analysis", which covers everything from ELF internals to Linux viruses and binary protection techniques. Ryan has been involved in the computer security scene since 1999.

