Many companies can't afford costly employee endpoint monitoring software, yet still have the need to figure out how a (potentially) rogue employee is spending his time on the job. Consider a cheaper solution for employee spying- one that makes use of native Windows services and an investigator's ninja memory analysis skills. Whether it be creating a scheduled task to send a machine to hibernate or instantiating an unsuspected memory dump, targeted employee spying can be done on the cheap. Through process enumeration, browsing history reconstruction and memory-mapped file extraction, watch as we piece together what our trusted insider was doing on their company computer, unbeknownst to his boss. Even if you don't have the need to covertly investigate a rogue employee (yet), this talk will arm you the knowledge to know what is within the realm of the possible. Even if your hat tends to be more black than white, the same techniques can be used for post-exploitation operations against your most valuable targets.

Back to BSides Augusta 2014 video list