Physical memory forensics has gained a lot of traction over the past five or six years. While it will never eliminate the need for disk forensics, memory analysis has proven its efficacy during incident response and more traditional forensic investigations.
Previously, memory forensics, although useful, focused on a process's address space in the form of Virtual Address Descriptors (VADs) but ignored other rich sources of information. In the past, some process reconstitution techniques have been promising at best and erroneous at worst. This presentation will build upon lessons learned and propose more thorough ways to reconstruct process contents, and therefore a process's address space. By using the methods presented, it will be possible to further narrow the data you care about in an incident response or forensic investigation and to better apply traditional computer security techniques such as reverse engineering, hash matching, and byte pattern or signature matching such as those provided by ClamAV and VxClass.
Justin Murdock is a student at the Rochester Institute of Technology. He will be receiving his Bachelor of Science degree in Computer Science, and has a deep interest in computer security. Currently, he is working as a software engineering co-op at MANDIANT in Washington, DC.