Post-Mortem RAM Forensics - CanSecWest
<strong>CanSecWest</strong>2007<br />
8<br />
Why copy <strong>RAM</strong><br />
• Drive Encryption<br />
– OneHalf virus<br />
• Completely memory resident malware<br />
– Nimda, SQLslammer<br />
• Recovery of ‘un-reallocated’ space<br />
– Similar to recovery of deleted files… but in memory<br />
• Easier than unpacking manually<br />
– In some cases<br />
• The Hacker Defense<br />
• Strings luckiness (of course)<br />
• Why not?<br />
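The two bullets on recovering ‘un-reallocated’ space and on getting lucky with strings both rest on the same fact: most allocators mark freed memory as available without zeroing it, so a memory image still holds the data until something overwrites it. The following Python is an added example written for this page, not code from the talk or its author. It builds a small constructed memory image with a toy bump allocator (the `ToyHeap` class and the sample URL and path are invented here), frees one allocation without wiping it, and then runs a `strings`-style scan for ASCII and UTF-16LE runs, tagging each hit with whether it came from a freed region.<br />

```python
"""Recover printable strings from a RAM image, including from freed regions.

Added example for the 'Why copy RAM' slide. The image, the allocator and the
sample strings are all constructed here; nothing is read from a real system.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Hit:
    offset: int            # byte offset in the image where the run starts
    encoding: str          # "ascii" or "utf-16le"
    text: str
    in_freed_region: bool  # True if the run lies inside a freed allocation


class ToyHeap:
    """Bump allocator over one buffer (constructed model, not a real heap).

    free() records the range but never zeroes it, which is exactly why
    deallocated data can still be carved out of a memory image.
    """

    def __init__(self, size: int = 4096):
        self.mem = bytearray(size)
        self.top = 0
        self.freed: List[Tuple[int, int]] = []

    def alloc(self, data: bytes) -> int:
        off = self.top
        self.mem[off:off + len(data)] = data
        self.top += len(data) + 16  # leave 16 bytes of slack between allocations
        return off

    def free(self, off: int, length: int) -> None:
        self.freed.append((off, length))  # metadata only; contents stay in place


def build_sample_image() -> Tuple[bytes, List[Tuple[int, int]]]:
    """Constructed image: non-printable filler, one ASCII string that gets freed,
    one live UTF-16LE string, and some binary noise."""
    heap = ToyHeap()
    heap.alloc(bytes(range(1, 32)) * 3)                                # control bytes only
    url = b"http://example.invalid/update.bin"                         # constructed URL
    url_off = heap.alloc(url)
    heap.alloc("C:\\Temp\\stage2.tmp".encode("utf-16le"))              # constructed path
    heap.alloc(b"\x8f\x01\xff\x00" * 8)                                # binary noise
    heap.free(url_off, len(url))                                       # freed, not zeroed
    return bytes(heap.mem), list(heap.freed)


def extract_strings(image: bytes,
                    freed: Optional[List[Tuple[int, int]]] = None,
                    min_len: int = 6) -> List[Hit]:
    """strings(1)-style scan for printable ASCII and UTF-16LE runs of at least min_len chars."""
    freed = freed or []

    def is_freed(off: int) -> bool:
        return any(start <= off < start + length for start, length in freed)

    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    # UTF-16LE text made of ASCII characters looks like "h\x00t\x00t\x00p\x00..."
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)

    hits: List[Hit] = []
    for m in ascii_re.finditer(image):
        hits.append(Hit(m.start(), "ascii", m.group().decode("ascii"), is_freed(m.start())))
    for m in utf16_re.finditer(image):
        hits.append(Hit(m.start(), "utf-16le", m.group().decode("utf-16le"), is_freed(m.start())))
    hits.sort(key=lambda h: h.offset)
    return hits


if __name__ == "__main__":
    image, freed_ranges = build_sample_image()
    for hit in extract_strings(image, freed_ranges):
        state = "FREED" if hit.in_freed_region else "live "
        print(f"0x{hit.offset:04x} {state} {hit.encoding:9s} {hit.text}")
```

The freed URL is reported alongside the live path: the allocator's free list says the bytes are gone, the image says otherwise. On a real dump the same scan is the ‘strings luckiness’ the slide mentions; the freed-region tagging is what a pool or heap walker adds on top of plain `strings` when allocator metadata can be parsed.<br />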
VIDAS