Post-Mortem RAM Forensics - CanSecWest
CanSecWest 2007
31

• Create Images
  – dd example
    PoC: Demo
    • ‘trusted binary’ (live CD, statically linked)
    • external Mass storage container
    • ‘raw’ type
  – Forced Crash condition
    • registry keys
    • 3rd party testing tool
    • External Mass storage container
    • proprietary DMP format created on reboot
• Use PERL to parse through a ton of data
  – Practical Extraction and Reporting Language
VIDAS
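The "dd example" path from the slide, as an added shell example that is not part of the original CanSecWest 2007 deck: a trusted, statically linked dd taken from a caller-supplied directory (assumed to be the live CD mount) writes a raw image onto a directory assumed to sit on the external mass-storage container, refuses to fall back to the suspect host's own dd or to overwrite an existing image, and records a hash beside the image. The function names `acquire_raw` and `hash_file` are assumptions.

```shell
#!/bin/sh
# Added example, not from the CanSecWest 2007 slides. Wraps the "dd example"
# step: a trusted, statically linked dd (assumed to come from the live CD)
# copies the source byte-for-byte ('raw' type) onto the external mass-storage
# container, then the image is hashed so later analysis can prove integrity.

hash_file() {
    # Prefer sha256sum (GNU/busybox); fall back to shasum where it is absent.
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"
    else shasum -a 256 "$1"; fi
}

acquire_raw() {
    # $1 = source (e.g. /dev/mem or a crash-dump file)
    # $2 = destination directory, assumed to be the external container
    # $3 = directory holding the trusted static binaries (assumed live-CD mount)
    src=$1; dest=$2; tbin=$3
    out="$dest/memory.raw"
    # Never fall back to the suspect system's own dd: it may be trojaned or
    # dynamically linked against tampered libraries.
    [ -x "$tbin/dd" ] || { echo "trusted dd not found in $tbin" >&2; return 1; }
    # Never overwrite an existing image on the evidence container.
    [ -e "$out" ] && { echo "$out exists, refusing to overwrite" >&2; return 1; }
    # conv=noerror,sync keeps going past unreadable regions and pads them so
    # offsets in the raw image still line up with the source.
    "$tbin/dd" if="$src" of="$out" bs=4096 conv=noerror,sync 2>"$dest/dd.log" || return 1
    # Record the hash alongside the image; dd.log keeps the records in/out count.
    hash_file "$out" > "$out.sha256"
    printf '%s\n' "$out"
}
```

Usage: `acquire_raw /dev/mem /mnt/evidence /mnt/livecd/bin` prints the image path on success and returns non-zero on any refusal or dd failure.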