Finding Evil in Live Memory

Expo Theatre (Hall G) October 18, 2011 - Feedback     

Bookmark and Share

Michael J. Graven

Live memory forensics is a fun (and effective) way to find an attacker’s footprints on a machine. Michael will provide a brief introduction to the basics of memory forensics on Windows systems, then show how to use several free tools to investigate a running system (or a memory image) for indications that an attacker has compromised it – and not just strings, grep and awk either. Michael will show real structured data from the kernel that brings shenanigans to light in a way that can be used on one or thousands of machines.

He will also introduce and explain a new technology called MemD5, which allows for in-memory hashing of file object data. There are several uses of this technique, and I’ll briefly cover which ones are win and fail. There will be a free tool you can use for this purpose, as well.