Post-Mortem RAM Forensics - CanSecWest
CanSecWest 2007
Analysis
• As the area matures, the analysis of volatile stores will be able to recreate all the information regularly attained with all the previously mentioned commands
• It is essentially a combination of Reverse Engineering, Kernel Debugging… with a healthy dose of memory management and a dash of coding
• Information from non-volatile stores may be required / helpful to analysis
  – Pagefile comparison and/or “unification”
  – Another slide on this later on…
VIDAS