Post-Mortem RAM Forensics - CanSecWest
CanSecWest 2007

Future work (process specific)

• Flag processes/threads that aren't "playing by the rules"
  – Window title, path, pointers, parent, etc.
• Follow the entire tree
  – Attribute every thread to a process, every page to what allocated it, parent/child link… etc. Then what's left?
• Support the /PAE and /3G boot switches
• Vista support (right now, parsing looks to be easy, acquisition looks to be hard)
• Non-i386 support
• Parsing from within EnCase?

VIDAS
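The first two bullets describe a cross-referencing check: attribute every thread to a process and every process to a parent, then look at what is left over. The following is an added illustration of that idea, not code from the talk; the process and thread records are constructed stand-ins for what a RAM-image parser would emit, and the root-PID convention is an assumption.

```python
from dataclasses import dataclass


@dataclass
class Proc:
    pid: int
    ppid: int
    path: str


@dataclass
class Thread:
    tid: int
    owner_pid: int


# Constructed sample records (not from the slides): what a parser might
# recover from the process and thread lists of a 32-bit Windows image.
PROCS = [
    Proc(4, 0, "System"),
    Proc(600, 4, r"\SystemRoot\System32\smss.exe"),
    Proc(900, 600, r"\??\C:\WINDOWS\system32\csrss.exe"),
    Proc(1500, 700, r"C:\WINDOWS\explorer.exe"),   # parent 700 not in list
    Proc(2000, 900, r"C:\WINDOWS\system32\svchost.exe"),  # no threads found
]
THREADS = [
    Thread(8, 4), Thread(604, 600), Thread(908, 900), Thread(1504, 1500),
    Thread(2222, 3131),  # owner 3131 is not in the process list
]

ROOT_PIDS = {0}  # assumption: the idle process is the only legitimate root


def find_leftovers(procs, threads):
    """Return (kind, id, related_id) tuples for everything that cannot be
    attributed along the tree. Findings are review items, not verdicts:
    a parent may simply have exited (explorer's parent normally does)."""
    pids = {p.pid for p in procs}
    owners = {t.owner_pid for t in threads}
    findings = []
    for t in threads:  # a thread with no listed owner hints at an unlinked process
        if t.owner_pid not in pids:
            findings.append(("thread_without_process", t.tid, t.owner_pid))
    for p in procs:
        if p.ppid not in pids and p.ppid not in ROOT_PIDS:  # broken parent link
            findings.append(("orphan_process", p.pid, p.ppid))
        if p.pid not in owners:  # every live process should own at least one thread
            findings.append(("process_without_threads", p.pid, None))
    return findings


if __name__ == "__main__":
    for kind, ident, related in find_leftovers(PROCS, THREADS):
        print(f"{kind}: {ident} (related: {related})")
```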