I always found myself a believer in the magic. I want to believe that it is magic. The further I take my career, the more I realize: it is really not magic. Arthur Clarke has his three laws of prediction. Law #3 states: any sufficiently advanced technology is indistinguishable from magic. I liked that idea of it being magic a lot. As an engineer in my previous life, I used to have a saying: most people use the MRP (Magic Routing Protocol) as a standard routing protocol. The magic routing protocol concept is simple. You walk into a customer's site, ask them about their network and how it works, and they tell you they don't know. They just hooked it up and it works. It's magic! I, however, didn't like magic for that reason. I liked magic for the reason that I wasn't the computer science developer guy. I was the guy that understood how to interconnect large networks, and how to secure the networks themselves, more than someone who studied the inner workings of operating system designs for their career.
Today, I was looking over the new SIFT 2.0 workstation from SANS. The SIFT workstation has a nice listing of all of the software it includes, and some of it piqued my interest. In the RAM analysis section, there are a few tools called pdymail, pdgmail, and pdfbook. These Python scripts are used to parse RAM and extract Yahoo! Mail emails (pdymail), Gmail emails (pdgmail), and Facebook chats (pdfbook). I was interested in knowing some of the magic, not all of it, but just some of the magic behind them. Happily, I opened the link to the SANS Forensics blog post about pdfbook (http://blogs.sans.org/computer-forensics/2009/11/20/facebook-memory-forensics/) and I noticed the first thing you do was run strings against a memory dump.
Strings. Just plain old, pull-the-strings-out-of-a-file, strings. I can't tell you I was a bit heartbroken at that thought. I had assumed there was a bit of magic to doing this. Maybe it was that you pulled apart pieces of memory, did some fascinating carving of data, looking for footers and headers, anything. Nope. It's just plain old strings. The process is explained more thoroughly in the blog posts. This article wasn't meant to be super technical in nature; it is more an expression of my realization.
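To show just how little magic that first step involves, here is an added example (written for this post, not code from the SANS blog or from the pdymail/pdgmail/pdfbook scripts): a minimal strings(1) in Python, including the wide-character variant that `strings -e l` gives you on Linux, run over a constructed byte buffer standing in for a memory dump, followed by the kind of pattern filter those scripts layer on top of the raw strings output. The buffer, the addresses and the chat fragment in it are all made up for the example.

```python
import re
from typing import List

# Constructed stand-in for a memory dump: a few printable runs separated by
# binary noise. Nothing here comes from a real capture.
SAMPLE_DUMP = (
    b"\x00\x00\x7f\x45\x4c\x46\x00"                 # "ELF": only 3 printable bytes in a row
    + b"From: alice@example.test\r\n"               # an ASCII mail header fragment
    + b"\x01\x02\x03ab\xff\xfe"                     # "ab" is too short to count
    + "Subject: meeting".encode("utf-16-le")        # wide string, as Windows apps keep text
    + b"\x00\x00\x90\x90"
    + b'{"from":"bob","msg":"see you at 5"}\x00'    # a JSON chat fragment
)


def ascii_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Printable-ASCII runs of at least min_len bytes, the default strings(1) behaviour."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def utf16le_strings(data: bytes, min_len: int = 4) -> List[str]:
    """UTF-16LE runs: each printable byte followed by 0x00 (what `strings -e l` reports)."""
    pattern = rb"(?:[\x20-\x7e]\x00){%d,}" % min_len
    return [m.group().decode("utf-16-le") for m in re.finditer(pattern, data)]


def all_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Both encodings, since a memory image mixes narrow and wide text."""
    return ascii_strings(data, min_len) + utf16le_strings(data, min_len)


# Second stage: grep the extracted strings for a pattern of interest.
# An e-mail address pattern is used here; the real scripts look for the
# web application's own markers instead.
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def find_emails(data: bytes) -> List[str]:
    hits: List[str] = []
    for s in all_strings(data):
        hits.extend(EMAIL_RE.findall(s))
    return hits


if __name__ == "__main__":
    for s in all_strings(SAMPLE_DUMP):
        print(repr(s))
    print("addresses:", find_emails(SAMPLE_DUMP))
```

The two regular expressions are the whole trick: a run of printable bytes is a string, and everything else is noise. The only forensic judgement is the minimum length (too low and you drown in junk, too high and short tokens vanish) and remembering to scan for wide characters as well, which is where a lot of application text in memory actually lives.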
With that a little bit more of the magic has gone away. I guess I have always been a magician and not so much the audience. Now, back away from my Boom-stick!