Physical Memory Forensics for Cache

DEF CON 19

Presented by: Jamie Butler
Date: Friday August 05, 2011
Time: 11:00 - 11:50
Location: Track 2
Track: Track 2

Physical memory forensics has gained a lot of traction over the past five or six years. While it will never eliminate the need for disk forensics, memory analysis has proven its efficacy during incident response and more traditional forensic investigations. Previously, memory forensics, although useful, focused on a process's address space as described by its Virtual Address Descriptors (VADs) but ignored other rich sources of information. In the past, some techniques of process reconstitution have been promising at best and erroneous at worst. This presentation will build upon lessons learned and propose more thorough ways to reconstruct process contents, and therefore a process's address space. By using the methods presented, it will be possible to further narrow the data you need to examine in an incident response or forensic investigation and to better apply traditional computer security techniques such as reverse engineering, hash matching, and byte-pattern or signature matching, such as that provided by ClamAV and VxClass.
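The abstract's point, that a process's contents have to be rebuilt from physical pages and that careless reconstitution produces wrong results, can be shown in miniature with the Python below. This is an added example, not code from the talk, from MANDIANT or from Memoryze. It assumes x86 32-bit non-PAE paging, a constructed eight-page image built in the block itself, and hypothetical helper names (`translate`, `reconstruct_range`, `hash_pages`). The transition-PTE handling follows the Windows software-bit convention (bit 11 transition, bit 10 prototype); everything else is plain hardware page-table walking.

```python
"""Reconstruct a process's virtual address range from a physical memory image.

Added example, not code from the talk or from Memoryze. Assumes x86 32-bit
non-PAE paging and a constructed image; the helper names are hypothetical.
"""
import hashlib
import struct

PAGE = 0x1000
P_PRESENT = 1 << 0
P_LARGE = 1 << 7          # PDE maps a 4 MB page
P_PROTOTYPE = 1 << 10     # Windows software bit: prototype PTE
P_TRANSITION = 1 << 11    # Windows software bit: page in transition, PFN still valid


def entry_usable(entry, transition):
    """Hardware-present entry, or (Windows convention) a transition, non-prototype
    PTE whose frame is still resident even though the present bit is clear."""
    if entry & P_PRESENT:
        return True
    return transition and bool(entry & P_TRANSITION) and not (entry & P_PROTOTYPE)


def translate(img, dtb, va, transition=True):
    """Two-level page-table walk. Returns the physical address or None."""
    pde, = struct.unpack_from("<I", img, dtb + ((va >> 22) & 0x3FF) * 4)
    if not pde & P_PRESENT:
        return None
    if pde & P_LARGE:
        return (pde & 0xFFC00000) | (va & 0x3FFFFF)
    pt = pde & 0xFFFFF000
    pte, = struct.unpack_from("<I", img, pt + ((va >> 12) & 0x3FF) * 4)
    if not entry_usable(pte, transition):
        return None
    return (pte & 0xFFFFF000) | (va & 0xFFF)


def reconstruct_range(img, dtb, start, end, transition=True):
    """Walk a VAD-described [start, end) range page by page. Pages that cannot be
    resolved are reported, not silently zero-filled, so later hashing is honest."""
    pages, missing = {}, []
    for va in range(start, end, PAGE):
        pa = translate(img, dtb, va, transition)
        if pa is None:
            missing.append(va)
        else:
            pages[va] = img[pa:pa + PAGE]
    return pages, missing


def hash_pages(pages):
    """Per-page SHA-256 so resolved pages can be compared against known-good or
    known-bad page hashes without requiring the whole range to be resident."""
    return {va: hashlib.sha256(data).hexdigest() for va, data in pages.items()}


def build_sample_image():
    """Constructed sample: 8 physical pages. DTB at 0x0000, one page table at
    0x1000, data pages from 0x2000. Returns (image_bytes, dtb)."""
    img = bytearray(8 * PAGE)
    dtb, pt = 0x0000, 0x1000
    # PDE[1] covers VA 0x00400000-0x007FFFFF and points at the page table
    struct.pack_into("<I", img, dtb + 1 * 4, pt | P_PRESENT)
    struct.pack_into("<I", img, pt + 0 * 4, 0x2000 | P_PRESENT)      # VA 0x00400000 resident
    struct.pack_into("<I", img, pt + 1 * 4, 0x4000 | P_TRANSITION)   # VA 0x00401000 transition, not present
    struct.pack_into("<I", img, pt + 2 * 4, 0x3000 | P_PRESENT)      # VA 0x00402000 resident
    # PTE[3] left zero: VA 0x00403000 is paged out; nothing to recover from RAM
    img[0x2000:0x2002] = b"MZ"
    img[0x3000:0x3004] = b"\xCC" * 4
    img[0x4000:0x4008] = b"transit!"
    return bytes(img), dtb


if __name__ == "__main__":
    img, dtb = build_sample_image()
    pages, missing = reconstruct_range(img, dtb, 0x00400000, 0x00404000)
    for va, h in sorted(hash_pages(pages).items()):
        print(f"{va:#010x} {h[:16]}...")
    print("unresolved:", [hex(v) for v in missing])
```

Run stand-alone it resolves three of the four pages in the range and reports the fourth as unresolved. The two behaviours worth noticing are the transition page, which a walk that honours only the hardware present bit would drop even though the frame is still in RAM, and the paged-out page, which is reported as missing rather than zero-filled; zero-filling it would make any hash or signature match over the reconstructed region silently wrong. On a real image the DTB comes from the process's kernel object, PAE and x64 use different table layouts, and shared or file-backed pages behind prototype PTEs need the prototype table before they can be resolved, none of which this sample covers.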

Jamie Butler

Jamie Butler is a highly respected member of the information security community with fourteen years of experience in operating system security. He is a recognized leader in attack and detection techniques and has focused in recent years on memory analysis research. Jamie is the Director of Research and Development at MANDIANT and formerly led its Endpoint Security Team on its enterprise product MANDIANT Intelligent Response®. Prior to joining MANDIANT, Jamie was the Chief Technology Officer of Komoku, Inc. and Director of Engineering at HBGary. His experience also includes Host Intrusion Detection System (HIDS) development at Enterasys Networks and over five years at the National Security Agency. Jamie is the co-author of the bestseller Rootkits: Subverting the Windows Kernel (Addison-Wesley, 2005). In addition, he has authored numerous articles for publication and is a frequent speaker at the foremost computer security conferences. He is the co-author and instructor of the popular security courses Advanced Memory Forensics in Incident Response, Advanced 2nd Generation Digital Weaponry, and Offensive Aspects of Rootkit Technology. Jamie's unique knowledge of Windows' internal structures resulted in the free, cutting-edge memory analysis tool Memoryze, which he co-authored with Peter Silberman. Jamie holds a Master of Computer Science degree from the University of Maryland, Baltimore County. He also holds a Bachelor of Science degree in Computer Science and a Bachelor of Business Administration degree in Computer Information Systems from James Madison University.
