Post-Mortem RAM Forensics - CanSecWest
<strong>CanSecWest</strong> 2007<br />
40<br />
Future Setbacks<br />
(perceived – opinion)<br />
• Malware that manipulates acquisition<br />
– There are about 3 non-hardware ways to acquire; it is trivial to ‘hook’ these and hide during acquisition (of a live, non-rebooted machine)<br />
– Not denying access, simply modifying output – similar to the techniques rootkits use today to hide processes from Task Manager, etc.<br />
• Microsoft will continue to make it more and more difficult to get to ‘RAW’ <strong>RAM</strong><br />
– Restriction to objects<br />
– Other things like Vista’s randomization<br />
• <strong>RAM</strong> becomes even more scattered than in the current memory model<br />
– Like Vista’s <strong>RAM</strong> extender (USB) – ReadyBoost<br />
• New architectures<br />
VIDAS
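The first bullet warns that a hooked software acquisition path does not refuse the dump; it hands back doctored output. One check an examiner can run against that is to acquire twice over independent paths (for instance a software tool and a hardware or hypervisor capture) and diff the images page by page. The Python below is an added example, not from the presentation; the two sample images, the page size and the "trusted versus doctored" split are constructed to show the pattern.

```python
import hashlib
import random

PAGE_SIZE = 4096

def page_digests(image, page_size=PAGE_SIZE):
    """SHA-256 per page, so large images can be compared from digests alone."""
    return [hashlib.sha256(image[off:off + page_size]).hexdigest()
            for off in range(0, len(image), page_size)]

def classify_page(page):
    """'zero' if every byte is 0x00, otherwise 'data'."""
    return "zero" if not any(page) else "data"

def divergent_pages(image_a, image_b, page_size=PAGE_SIZE):
    """Pages where two acquisitions of the same physical memory disagree.
    A live system drifts in a few pages (timers, scheduler structures); a page
    holding data in one image and zeros in the other is the pattern a hooked
    acquisition path leaves behind."""
    if len(image_a) != len(image_b):
        raise ValueError("images must cover the same physical range")
    diffs = []
    for n, (da, db) in enumerate(zip(page_digests(image_a, page_size),
                                     page_digests(image_b, page_size))):
        if da != db:
            off = n * page_size
            diffs.append({"page": n, "offset": off,
                          "a": classify_page(image_a[off:off + page_size]),
                          "b": classify_page(image_b[off:off + page_size])})
    return diffs

def suspicious(diffs):
    """Divergent pages where one side is data and the other is all zeros."""
    return [d for d in diffs if {d["a"], d["b"]} == {"data", "zero"}]

def build_samples(seed=7):
    """Constructed sample (not real memory): a four-page image from a trusted
    path, and a copy in which page 2 was blanked before being handed back."""
    rnd = random.Random(seed)
    trusted = bytearray(rnd.getrandbits(8) for _ in range(4 * PAGE_SIZE))
    trusted[PAGE_SIZE:2 * PAGE_SIZE] = bytes(PAGE_SIZE)       # page 1: genuinely free
    doctored = bytearray(trusted)
    doctored[2 * PAGE_SIZE:3 * PAGE_SIZE] = bytes(PAGE_SIZE)  # page 2: hidden from the tool
    doctored[3 * PAGE_SIZE] ^= 0xFF                           # page 3: ordinary live drift
    return bytes(trusted), bytes(doctored)
```

Running `suspicious(divergent_pages(*build_samples()))` reports only page 2; page 3 differs too, but both copies still hold data, which is what live drift looks like.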