Finding evil in live memory using free tools

Michael J. Graven

Type of lecture: lecture
Language: EN
Held on 2011-06-18 14:20:00 (length: 50 min)
Location: Area 2

Live memory forensics is a fun way to find an attacker's footprints on a machine. I'll provide a brief introduction to the basics of memory forensics on Windows systems, then show how to use several free tools to investigate a running system (or a memory image) for indications that an attacker has compromised it - and not just strings, grep and awk either. I'll show real structured data from the kernel that brings shenanigans to light in a way that can be used on one or thousands of machines.

Michael J. Graven is a director at Mandiant, a leading incident response firm for Fortune 500 companies, governments and financial institutions. Michael has worked on internetworks and system security since 1989, in environments as large as AT&T and Netscape and as small as twenty-person start-ups. He earned degrees at Northwestern University and Stanford University. He is a native Californian and a snowboarder, but he does not surf.

Attached files: All slides in PDF format