Post-Mortem RAM Forensics - CanSecWest

More documents

Recommendations

Info

CanSecWest2007 10 Problem • Volatile stores like RAM change constantly • Image cannot be validated as it can in the non-volatile world – We instead get a “time-sliding view” – Pre/post md5’s are meaningless as it is expected that RAM will be different by the time it is compared – Possibly use something like hash windows to show that two images made ‘quickley’ are ‘similar’ (or ssdeep…prob not needed) • The act of creating the copy changes the state of the machine • No write blocker installed VIDAS
T = 0: “Pre” state T = 1: copy is made T = 2: “Post” state Objects in the last half were both removed and created before being copied, and an object in the first half was removed after it was copied (but before the copy completed CanSecWest2007 T = 3: copy reflects neither state 11 Time Sliding Window VIDAS
Page 1 and 2: CanSecWest2007 Post-Mortem RAM Fore
Page 3 and 4: CanSecWest2007 3 NUCIA (obligatory
Page 5 and 6: CanSecWest2007 5 Evidence Volatilit
Page 7 and 8: CanSecWest2007 7 • Live System Cu
Page 9: CanSecWest2007 9 • Windows How to
Page 13 and 14: CanSecWest2007 13 Impact • If a f
Page 15 and 16: CanSecWest2007 15 The caveat • Mi
Page 17 and 18: CanSecWest2007 17 Current Analysis
Page 19 and 20: CanSecWest2007 19 Proof of Concept
Page 21 and 22: CanSecWest2007 21 EPROCESS • The
Page 23 and 24: CanSecWest2007 23 …and smells lik
Page 25 and 26: CanSecWest2007 25 Cross Volatility
Page 27 and 28: CanSecWest2007 27 PoC: Virtual Addr
Page 29 and 30: CanSecWest2007 29 PoC: FileTime •
Page 31 and 32: CanSecWest2007 31 • Create Images
Page 33 and 34: CanSecWest2007 33 PoC: Demo • On
Page 35 and 36: CanSecWest2007 35 PoC: Demo • SO
Page 37 and 38: CanSecWest2007 37 Future work (proc
Page 39 and 40: CanSecWest2007 39 Future work (memo
Page 41 and 42: CanSecWest2007 41 Food for thought:
Page 43 and 44: CanSecWest2007 43 Question #1 from
Page 45: CanSecWest2007 45 Cited • Windows

Post-Mortem RAM Forensics - CanSecWest

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?