Defeating Windows memory forensics

Luka Milkovic


Aside from the further development of traditional forensic techniques, which involve post-mortem hard-disk analysis, the field of computer forensics has in the last couple of years been marked by significant development of live forensic techniques and tools.

Memory forensics is composed of two main activities: memory acquisition (capture) and analysis. This presentation will give an overview of the memory acquisition and analysis techniques and tools on Windows operating systems. The main part of the presentation will cover current exploitation techniques and methods for defeating both the acquisition and the analysis phases of memory forensics, and will present a new approach for hiding specific artifacts from forensic tools. Based on the covered exploitation techniques, some suggestions and improvements to the current tools will be given.