DFIROnline- Memory Forensics with Michael Cohen

17 Jan 2013

A recording of the January DFIROnline meetup with Michael Cohen of Google

Michael is one of the authors of Volatility and has presented a great lab on its use at quite a few conferences. If you are not familiar with Volatility or memory forensics, this is not one to miss. The Volatility team is also offering training in Windows Memory Forensics; for details see their blog.

Memory forensics and analysis have become very powerful tools for the incident responder. In this workshop we will cover some of the basic ideas behind memory analysis in a practical way focusing on the Volatility Memory Forensics framework - and in particular on the upcoming technology preview branch. The following broad topics will be covered:

1) Memory Acquisition

Volatility contains a full imaging solution for Windows, Linux and OSX systems. In addition to obtaining a fixed memory image, there is support for the analysis of live systems. We describe how to image and analyze live Windows systems and in particular we demonstrate how the running system appears to the forensic examiner with examples of normal and suspicious looking processes.

2) Anti-Forensics

We then examine the fundamentals of memory analysis. In particular, we look at anti-forensic techniques and how they target Volatility (and other) memory analysis tools.

3) The Volatility Framework

We look at some of the plugins for Windows memory analysis and how the different techniques can be used to cross-check analysis results and potentially uncover hidden malware.
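The cross-checking idea above is easiest to see with the classic comparison of a list-walking process view (what Volatility's pslist reports) against a pool-scanning view (what psscan reports): a process structure the scanner finds but the linked list does not is consistent with list-unlinking and deserves a closer look. The script below is an added example written for this page, not code from the talk or from the Volatility project. The line format it parses, the offsets, PIDs and process names (including the suspicious-looking `svch0st.exe`) are all constructed sample data, not real plugin output, and the `exited` marker stands in for the "time exited" information a scanner can surface.

```python
"""Cross-check two process enumerations taken from one memory image.

Added illustration, not part of the DFIROnline talk or of Volatility.
It joins a list-walking view and a pool-scanning view on the structure
offset and sorts the disagreements into buckets an examiner can triage.
All rows below are constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    offset: int            # where the process structure sits in the image
    pid: int
    name: str
    exited: bool = False   # scanners also find structures of finished processes


def parse_view(text):
    """Parse constructed 'offset pid name [exited]' lines into Proc objects.

    Blank lines and lines starting with '#' are ignored. This format is
    invented for the example; it is not Volatility's output layout.
    """
    procs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        offset, pid, name = int(parts[0], 16), int(parts[1]), parts[2]
        exited = len(parts) > 3 and parts[3].lower() == "exited"
        procs.append(Proc(offset, pid, name, exited))
    return procs


# Constructed list-walking view (pslist-like): offset pid name
LIST_VIEW_TEXT = """
0x3e3a9040 4    System
0x3e2c1d40 372  smss.exe
0x3e1f8500 556  csrss.exe
0x3d8c2030 1204 explorer.exe
"""

# Constructed pool-scanning view (psscan-like): offset pid name [exited]
SCAN_VIEW_TEXT = """
0x3e3a9040 4    System
0x3e2c1d40 372  smss.exe
0x3e1f8500 556  csrss.exe
0x3d8c2030 1204 explorer.exe
0x3c4a1b20 2188 svch0st.exe
0x3b7701a0 1980 notepad.exe exited
"""


def cross_check(list_view, scan_view):
    """Compare the two views keyed by structure offset.

    Returns a dict with three buckets:
      hidden     - found by the scanner, absent from the list, not exited
                   (consistent with list-unlinking; investigate)
      terminated - found by the scanner, absent from the list, exited
                   (stale structure of a finished process; usually benign)
      list_only  - in the list but missed by the scanner (scanner evasion
                   or a parsing gap; also worth a look)
    """
    by_off_list = {p.offset: p for p in list_view}
    by_off_scan = {p.offset: p for p in scan_view}
    hidden, terminated, list_only = [], [], []
    for off, p in sorted(by_off_scan.items()):
        if off not in by_off_list:
            (terminated if p.exited else hidden).append(p)
    for off, p in sorted(by_off_list.items()):
        if off not in by_off_scan:
            list_only.append(p)
    return {"hidden": hidden, "terminated": terminated, "list_only": list_only}


def report(list_text=LIST_VIEW_TEXT, scan_text=SCAN_VIEW_TEXT):
    """Run the comparison on the constructed views and print a triage table."""
    result = cross_check(parse_view(list_text), parse_view(scan_text))
    for bucket, procs in result.items():
        for p in procs:
            print(f"{bucket:10} pid={p.pid:<5} {p.name:<14} @0x{p.offset:08x}")
    return result


if __name__ == "__main__":
    report()
```

Joining on the structure offset rather than on the PID matters: PIDs are reused, so a PID-only join can silently pair an old, exited structure with a new live process. Treating "exited" entries as their own bucket keeps the ordinary churn of finished processes from drowning the one entry that is actually unlinked.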