Overview
Explore the current state of memory forensics in this 46-minute conference talk from Louisville InfoSec 2016. Delve into the importance of memory forensics, various memory acquisition options, and typical address space layouts. Learn about software tools for memory acquisition and understand key memory analysis goals and techniques. Discover how to enumerate processes, review network artifacts, and extract files from memory. Examine Windows 10 memory compression and its impact on forensics, as well as the implications of Windows 10 VSM (Virtual Secure Mode) for traditional architecture and malware detection. Gain insights into VSM's effects on memory forensics and acquisition processes. Conclude with a recap of changes in Windows 10 and participate in a Q&A session to deepen your understanding of memory forensics in modern operating systems.
Syllabus
Intro
Memory Forensics - Why?
Memory Acquisition Options
Typical Address Space Layout
Memory Acquisition via Software: Tools
Memory Analysis Goals
Memory Analysis Techniques
Enumerate Processes
Review Network Artifacts
Extract Files from Memory
Windows 10 Memory Compression
Memory Compression & Forensics
Windows 10 VSM
Traditional Architecture
Malware in Secure Mode?
VSM and Memory Forensics
VSM and Memory Acquisition
Recap: Changes in Windows 10
Questions?