Post-Mortem RAM Forensics - CanSecWest
<strong>CanSecWest</strong>2007<br />
26<br />
EPROCESS<br />
PoC: Process Owner<br />
AccessToken<br />
SID and attributes<br />
SID<br />
This can’t actually be decoded further than the SID, because the SID<br />
to “human readable” mapping is not held in <strong>RAM</strong>. This is a prime<br />
example of how information from a non-volatile store may be<br />
needed to aid the volatile analysis (registry, SAM, Domain)<br />
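The decode step this slide describes, as an added example that is not from the talk: parse a binary SID as found in a token's SID_AND_ATTRIBUTES array into its S-1-... string, then attempt a name mapping that only covers OS-fixed well-known SIDs, returning None for anything that needs the SAM, registry or domain. The sample bytes and the lookup table are constructed for illustration.

```python
import struct

# Well-known SIDs fixed by the OS, so they can be named without the SAM
# or a domain controller. Constructed, deliberately partial table.
WELL_KNOWN_SIDS = {
    "S-1-1-0": "Everyone",
    "S-1-5-18": "NT AUTHORITY\\SYSTEM",
    "S-1-5-19": "NT AUTHORITY\\LOCAL SERVICE",
    "S-1-5-20": "NT AUTHORITY\\NETWORK SERVICE",
}


def decode_sid(raw: bytes) -> str:
    """Decode a binary SID (the Sid pointer target in SID_AND_ATTRIBUTES).

    Layout: Revision (1 byte), SubAuthorityCount (1 byte),
    IdentifierAuthority (6 bytes, big-endian), then SubAuthorityCount
    little-endian 32-bit sub-authorities.
    """
    if len(raw) < 8:
        raise ValueError("SID header truncated")
    revision, count = raw[0], raw[1]
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")
    if len(raw) < 8 + 4 * count:
        raise ValueError("SID sub-authorities truncated")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack_from(f"<{count}I", raw, 8)
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])


def resolve_sid(sid: str):
    """Name a SID only if that is possible from RAM alone.

    Machine- or domain-relative SIDs (S-1-5-21-...) need the SAM hive or
    the domain, which are not in the memory image, so they come back None.
    """
    return WELL_KNOWN_SIDS.get(sid)


# Constructed sample bytes, not taken from a real memory image.
SYSTEM_SID_BYTES = bytes([1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0])
USER_SID_BYTES = bytes([1, 5, 0, 0, 0, 0, 0, 5]) + struct.pack(
    "<5I", 21, 1111, 2222, 3333, 1001)

if __name__ == "__main__":
    for raw in (SYSTEM_SID_BYTES, USER_SID_BYTES):
        sid = decode_sid(raw)
        print(sid, "->", resolve_sid(sid) or "<needs SAM/registry/domain>")
```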
VIDAS