Live memory forensics is a fun (and effective) way to find an attacker’s footprints on a machine. Michael will provide a brief introduction to the basics of memory forensics on Windows systems, then show how to use several free tools to investigate a running system (or a memory image) for indications that an attacker has compromised it – and not just strings, grep and awk either. Michael will show real structured data from the kernel that brings shenanigans to light in a way that can be used on one or thousands of machines.
He will also introduce and explain a new technology called MemD5, which allows for in-memory hashing of file object data. There are several uses of this technique, and he will briefly cover which ones are a win and which are a fail. There will be a free tool you can use for this purpose, as well.