Memory Forensics "For the Win" Workshop

Memory Forensics 

"For the Win" 


Presenter:  Alissa Torres

Nearly everything that happens on a system must traverse physical memory.  This makes the contents of RAM invaluable to forensic examiners when working investigations, whether they be criminal/employee cases or enterprise intrusions.

Forensic investigations of all types have grown increasingly more complex, requiring advanced forensic techniques to identify trace file system artifacts and memory-resident evidence. The prevalence of encryption and user applications that do not log to disk, such as privacy-mode browsers and instant messaging clients, points to the increasing sophistication of today’s average user and raises the bar for investigators charged with working Acceptable Use Policy (AUP) employee cases or criminal investigations. Proof of the current or past existence of rogue applications can be found by parsing registry artifacts found in memory, as well as with traditional file system forensics.  Evidence of execution, be it from registry keys or from terminated/active processes, can be the smoking gun needed to prove a system was involved in an intrusion investigation or to reconstruct a suspect’s deliberate activity on a system. Clearly, memory forensics has an enormous impact in the outcome of today’s DFIR investigations.   

During this session, attendees will be introduced to key concepts in Windows memory forensics and walked through the identification of malware based on hooking and injected code detection using several different analysis tools. In addition, we will wield memory parsing tools in the pursuit of uncovering what a user did (or is actively doing) on a system.  We will introduce powerful stream and structure-based forensic analysis techniques that target user artifacts, some of which can only be found in physical memory.  Sample memory images and a memory analysis methodology will be provided to all attendees.



Alissa Torres is a certified SANS instructor, specializing in advanced computer forensics and incident response. She is the lead author of the SANS FOR526: Memory Forensics In Depth course.  Her industry experience includes serving in the trenches as part of the Mandiant Computer Incident Response Team (MCIRT) as an incident handler and working on an internal security team as a digital forensic investigator. She has extensive experience in information security, spanning government, academic and corporate environments and holds a Bachelors degree from University of Virginia and a Masters from University of Maryland in Information Technology. Alissa has taught as an instructor at the Defense Cyber Investigations Training Academy (DCITA), delivering incident response and network basics to security professionals entering the forensics community. She has presented at various industry conferences and numerous B-Sides events. In addition to being a GIAC Certified Forensic Analyst (GCFA), she holds the GCFE, GPEN, GREM, CISSP, EnCE, CFCE, MCT and CTT+.

Posted April 3, 2014 by Computer Science Department