Post-Mortem RAM Forensics - CanSecWest

More documents

Recommendations

Info

<strong>CanSecWest</strong>2007 6 IR: Current Process • Currently there are two main states a system could be in at IR time. • “Dead” System – Duplicate drives (non-volatile stores) • “Live” System –? Arrive on Scene Is System On? ? Yes No Seize System / Copy Drive VIDAS
<strong>CanSecWest</strong>2007 7 • Live System Current Process – Pull the plug • Better than a ‘shutdown’ – Gather state information • More common in incident response • Interact with the machine – Observing the state changes it Then, of course, the simple act of observing the outcome changes it, so the Heisenberg Uncertainty Principle comes into play here as well. You can't observe the result of an experiment because the act of observing it changes the result. Think of the Schrodinger's Cat. - Professor Farnsworth VIDAS
Page 1 and 2: CanSecWest2007 Post-Mortem RAM Fore
Page 3 and 4: CanSecWest2007 3 NUCIA (obligatory
Page 5: CanSecWest2007 5 Evidence Volatilit
Page 9 and 10: CanSecWest2007 9 • Windows How to
Page 11 and 12: T = 0: “Pre” state T = 1: copy
Page 13 and 14: CanSecWest2007 13 Impact • If a f
Page 15 and 16: CanSecWest2007 15 The caveat • Mi
Page 17 and 18: CanSecWest2007 17 Current Analysis
Page 19 and 20: CanSecWest2007 19 Proof of Concept
Page 21 and 22: CanSecWest2007 21 EPROCESS • The
Page 23 and 24: CanSecWest2007 23 …and smells lik
Page 25 and 26: CanSecWest2007 25 Cross Volatility
Page 27 and 28: CanSecWest2007 27 PoC: Virtual Addr
Page 29 and 30: CanSecWest2007 29 PoC: FileTime •
Page 31 and 32: CanSecWest2007 31 • Create Images
Page 33 and 34: CanSecWest2007 33 PoC: Demo • On
Page 35 and 36: CanSecWest2007 35 PoC: Demo • SO
Page 37 and 38: CanSecWest2007 37 Future work (proc
Page 39 and 40: CanSecWest2007 39 Future work (memo
Page 41 and 42: CanSecWest2007 41 Food for thought:
Page 43 and 44: CanSecWest2007 43 Question #1 from
Page 45: CanSecWest2007 45 Cited • Windows

Post-Mortem RAM Forensics - CanSecWest

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?