February 16, 2012 7:00 PM. 20 attended.

How To Acquire "Locked" Files From a Running Windows System

This month we will have a presentation from Pär Österberg Medina, who recently did a write-up on acquiring those pesky "locked" files from live Windows systems. This will be an ongoing challenge for DF/IR responders as we come across systems that can't go down. The angry look the admin will give you when you tell him one of his systems will have to be powered off for collection will make you appreciate the alternatives.

Windows systems contain a number of special files that hold important pieces of information for a forensic investigation. Some obvious examples are the pagefile.sys, the event logs, the registry hives, and NTFS metadata files such as the Master File Table ($MFT). On a running system these files are opened by the kernel or by services with no sharing allowed, so a plain copy fails with "access denied" or "file in use". It is a common misconception among forensic investigators and incident responders that collecting these files from a live system is cumbersome, or outright impossible, from the command line. This presentation will demonstrate several ways to get around the locks Windows holds on these files, making it possible to include them in a data acquisition from a running system without taking it down.
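As an added illustration of one such approach (this is example code, not the presenter's write-up or tooling), the script below snapshots the system volume with the Volume Shadow Copy Service and copies the registry hives and event logs out of the snapshot, where the live system's exclusive handles do not apply. It assumes an elevated Windows PowerShell prompt on the live host and a collection target at D:\acq; both the destination path and the file list are assumptions for the example.

```powershell
# Added example, not from the presentation: copy locked files out of a
# Volume Shadow Copy snapshot. Run from an elevated PowerShell prompt on the
# live Windows host; $DestDir is an assumed path to your collection drive.
$Volume  = 'C:\'
$DestDir = 'D:\acq\' + $env:COMPUTERNAME
New-Item -ItemType Directory -Path $DestDir -Force | Out-Null

# 1. Create a point-in-time snapshot through WMI. This also works on client
#    editions of Windows, where "vssadmin create shadow" is not available.
$result = (Get-WmiObject -List Win32_ShadowCopy).Create($Volume, 'ClientAccessible')
if ($result.ReturnValue -ne 0) {
    throw "Win32_ShadowCopy.Create failed, return value $($result.ReturnValue)"
}
$shadow = Get-WmiObject Win32_ShadowCopy | Where-Object { $_.ID -eq $result.ShadowID }
$device = $shadow.DeviceObject   # e.g. \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3

# 2. Files the running system holds open with no sharing; paths relative to
#    the volume root (assumed list for the example). The snapshot is mounted
#    as a separate read-only NTFS volume, so the handles that block a normal
#    copy on C:\ do not exist there.
$targets = @(
    'Windows\System32\config\SYSTEM',
    'Windows\System32\config\SOFTWARE',
    'Windows\System32\config\SAM',
    'Windows\System32\config\SECURITY',
    'Windows\System32\winevt\Logs\Security.evtx',
    'Windows\System32\winevt\Logs\System.evtx'
)

# 3. Copy with cmd.exe, which accepts the \\?\GLOBALROOT device path directly,
#    then hash each acquired file so the copy can be tied to the case record.
$manifest = Join-Path $DestDir 'manifest.txt'
foreach ($rel in $targets) {
    $src = "$device\$rel"
    $dst = Join-Path $DestDir ($rel -replace '\\', '_')
    cmd.exe /c copy /b "$src" "$dst" | Out-Null
    if (Test-Path $dst) {
        # Get-FileHash needs PowerShell 4.0 or later; use certutil -hashfile on older hosts.
        $hash = (Get-FileHash -Algorithm SHA256 -Path $dst).Hash
        "$hash  $rel" | Add-Content -Path $manifest
    } else {
        "MISSING  $rel" | Add-Content -Path $manifest
    }
}

# 4. Remove the snapshot so it does not linger on the evidence source.
$shadow.Delete() | Out-Null
Get-Content $manifest
```

Two caveats a responder should keep in mind. Creating a shadow copy writes to the source volume (the snapshot's copy-on-write store lives there), so document the action in your notes as a known change to the system. And NTFS metadata files such as $MFT cannot be opened by name through the file system at all, snapshot or not, so they, and typically pagefile.sys as well, are recovered by reading the volume device raw and parsing the MFT to locate the clusters; that raw-read family of techniques is the other half of the problem and is not covered by this script.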

Pär Österberg Medina has worked with computer security for over 15 years. Having a background in both system administration and penetration testing, he currently works as an Incident Response Consultant for McAfee and Foundstone Professional Services, specializing in Malware Analysis and Memory Forensics. Prior to joining Foundstone, Pär spent the last 8 years working as an Incident Handler, investigating computer intrusions and coordinating security related incidents for CERT-SE, the national Computer Security Incident Response Team for Sweden.

So please join us on Wednesday, November 16th, at 7:00pm at John Jay College of Criminal Justice, 899 Tenth Avenue (59th St. and 10th Ave.), in Room 630T for this exciting meet-up.

A big thank you, as always, to John Jay College of Criminal Justice for being such gracious hosts for NYC4SEC! Check out the list of upcoming events on The Center for Cybercrime Studies website:

http://www.jjay.cuny.edu/centers/cybercrime_studies/index.php


Thank you to The Digital Forensic Group for buying another year of hosting.
