The release reminds us that any security tool can be used for good and evil. From the defender's standpoint, Meterpreter is pure evil. If Meterpreter stays in memory and doesn't touch the disk, then what evidence will you have of what an attacker did? Peter Silberman and Steve Davis have an answer in the Metasploit Forensic Framework (or MSFF), which pulls out artifacts found in memory that show what the attacker did through a Meterpreter session.
MSFF is very powerful and a huge step forward for incident responders and forensic investigators... provided they acquire memory during the IR process. The downside is that Peter said HD Moore would be releasing an update on Sunday that defeats their tool, but they would be looking into how to get around the upcoming protections.
Keep an eye out for upcoming features such as Metaphish, which is being discussed this afternoon.
John H. Sawyer is a senior security engineer on the IT Security Team at the University of Florida. The views and opinions expressed in this blog are his own and do not represent the views and opinions of the UF IT Security Team or the University of Florida. When John's not fighting flaming, malware-infested machines or performing autopsies on blitzed boxes, he can usually be found hanging with his family, bouncing a baby on one knee and balancing a laptop on the other. Special to Dark Reading.