Memory Forensics
THE THEORY
Forensics
Forensic science is the scientific method of
gathering and examining information about the
past.
Computer Forensics
Examining digital media in a forensically sound manner with the aim of identifying, preserving, recovering, analyzing and presenting facts and opinions about the digital information.
Analysis Process
Preparation
Acquisition
Identification
Extraction
Analysis
Reporting
Analysis Types
Storage Analysis
Volume Analysis
File system Analysis
Application Analysis
Database Analysis
Swap Analysis
Memory Analysis
Network Analysis
Forensic Techniques
Cross-drive Analysis
Live Analysis
File Recovery
Stochastic Analysis
Steganography
Sources
Physical Disks
Packet Capture
Swap/Pagefile
Hibernation File
Firmware
Volatile Memory
Memory
Storage
Volatile
Temporary Data
Fast Access
RAM
Swap/Pagefile
Memory Acquisition
Acquisition of Volatile Memory Contents (RAM) bit-by-bit to Non-Volatile Storage (Image File).
Hardware Based Tools
WindowsSCOPE CaptureGUARD PCIe
Goldfish (Firewire/ Mac)
Software Based Tools
Memoryze
KntDD
FTKImager
LiME
OSXPMem
…
Requires Kernel Mode/Physical Access
Real(Physical) Memory
Actual RAM Hardware
Shared
◦ Devices
◦ Kernel
◦ Drivers
◦ Processes
System wide address space
◦ Defined by H/W capability
Managed by OS Memory Manager
Virtual Memory
An abstraction of Real Memory
Per-process Isolation
Shared if required
Shared by process
Code
Data
 Per-process address space
User Mode
Kernel Mode
Managed by Process
Virtual → Real Mapping
Conversion of a Virtual Address to a Real Address
◦ RAM
◦ Swap/Pagefile
Page : Fixed size allocation unit
◦ Virtual Memory
◦ Real Memory
Page Table
◦ A table to convert virtual page to real page
Page Directory
◦ A list of page tables
◦ Level2 Pages
32bit Address Space
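A worked example of the two-level walk the slides describe (page directory → page table → page) for the 32-bit non-PAE address space. This is added example code, not from the deck: the 16 KiB "physical memory" image, the CR3 value and the data it contains are constructed inline, and the translation follows the standard x86 layout (10-bit directory index, 10-bit table index, 12-bit offset, PS bit for 4 MiB pages). It also returns None for a non-present entry, which is what an analyst sees when a page has been sent to the pagefile that is not part of the dump.

```python
import struct

PAGE_SIZE = 0x1000
PRESENT = 0x1          # bit 0 of a PDE/PTE
PAGE_SIZE_FLAG = 0x80  # PS bit in a PDE: entry maps a 4 MiB page directly


def build_image():
    """Construct a 16 KiB 'physical memory' image (constructed test data, not a real dump).

    0x1000: page directory (the page CR3 points at)
    0x2000: page table referenced by PDE[1]
    0x3000: data page referenced by PTE[1] of that table
    """
    img = bytearray(4 * PAGE_SIZE)
    pd, pt, data = 0x1000, 0x2000, 0x3000
    # PDE[1] -> page table at 0x2000, present + writable
    struct.pack_into("<I", img, pd + 1 * 4, pt | 0x3)
    # PDE[2] -> 4 MiB large page at physical 0x00800000 (PS bit set), no page table
    struct.pack_into("<I", img, pd + 2 * 4, 0x00800000 | PAGE_SIZE_FLAG | 0x3)
    # PTE[1] -> data page at 0x3000; PTE[2] stays zero (not present / paged out)
    struct.pack_into("<I", img, pt + 1 * 4, data | 0x3)
    img[data + 0x234:data + 0x234 + 9] = b"forensics"
    return bytes(img)


def v2p(img, cr3, va):
    """Translate a 32-bit non-PAE virtual address to a physical address.

    Returns None when the PDE or PTE is not present (the page may live in the pagefile,
    which a RAM image alone does not contain).
    """
    pd_index = (va >> 22) & 0x3FF
    pt_index = (va >> 12) & 0x3FF
    offset = va & 0xFFF
    pde_addr = (cr3 & 0xFFFFF000) + pd_index * 4
    (pde,) = struct.unpack_from("<I", img, pde_addr)
    if not pde & PRESENT:
        return None
    if pde & PAGE_SIZE_FLAG:
        # 4 MiB page: bits 31..22 of the PDE are the frame, low 22 bits of va the offset
        return (pde & 0xFFC00000) | (va & 0x3FFFFF)
    pte_addr = (pde & 0xFFFFF000) + pt_index * 4
    (pte,) = struct.unpack_from("<I", img, pte_addr)
    if not pte & PRESENT:
        return None
    return (pte & 0xFFFFF000) | offset


def read_virtual(img, cr3, va, length):
    """Read bytes at a virtual address through the page tables; None if not resident."""
    pa = v2p(img, cr3, va)
    if pa is None:
        return None
    return img[pa:pa + length]
```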
Forensic Tools
0th Generation
◦ Before 2004
◦ ‘strings’
◦ ‘grep’
1st Generation
◦ 2004-2005
◦ Tools for structured analysis
◦ Parsing OS structures
◦ Crash dump analysis
Forensic Tools
2nd Generation
◦ 2005-2010
◦ Generic, automated tools
◦ Multiple OS support
◦ Volatility
◦ Rekall
3rd Generation
◦ 2010 & Later
◦ Emphasis on Visualization
◦ Cloud/VM based
◦ MoonSols LiveCloudKd
◦ Microsoft LiveKd
Volatility
An advanced memory forensics framework.
Written in python.
Follows modular plug-in architecture.
Supports many systems and architectures.
Open source.
Current release 2.4.1
Community plugins to automate volatility.
Dump formats
Also known as AddressSpaces in volatility
Define organization of memory content from the H/W perspective
◦ Virtual → Real Mapping
◦ Location of PDE
Supported
◦ intel (x86)
◦ amd64 (x64)
◦ crashdump (Windows Kernel Crash Dump)
◦ elfcoredump (Linux Core Dump)
◦ MachO (Mac OSX)
◦ vmem (VMWare/VBox)
Profiles
Organization/Location of memory content from the Operating System perspective.
Locations of important Objects
◦ KDBG
◦ _KPROCESS
◦ _EPROCESS
◦ PTE
◦ SSDT
◦ IDT
KDBG
Kernel Debugger Block (Windows)
Setup at system startup to support kernel level debugging.
Contains pointers to
◦ PsActiveProcessHead → All Processes
◦ PsLoadedModuleList → All Drivers
Helps in identifying physical address of “ntoskrnl.exe”
DEMO : pslist, modules, kdbgscan
_EPROCESS
Executive Process Structure
Links to
◦ PEB (User Mode Structure)
◦ _KPROCESS (Kernel Mode Structure)
KDBG->PsActiveProcessHead points to a list (LIST_ENTRY) of _EPROCESS structures
pslist traverses this list to discover all processes.
PEB
Process Environment Block
User mode part of _EPROCESS
Exclusive process access.
Pointers for
◦ Ldr
◦ InInitializationOrderModuleList
◦ InLoadOrderModuleList
◦ InMemoryOrderModuleList
DEMO: "dlllist -p" traverses these lists to discover loaded modules.
Hooking
User Mode
◦ IAT
◦ Inline
◦ Event
◦ Virtual Method
Kernel Mode
◦ IAT
◦ SSDT
◦ IRP
SSDT
System Service Dispatcher Table
◦ Handling System Calls
System Call
◦ A request to the kernel to execute privileged code.
◦ EAX → System Call Number
SSDT
◦ Pointers to System Call handler routines
◦ System Call → Index in the table
Malware hooks (overwrites) a handler to hide itself.
◦ Files
◦ Registry Keys
_KTHREAD/_ETHREAD points to the SST
DEMO: ssdt, threads
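The check the ssdt demo performs, written out as added example code (not from the deck or from Volatility): parse a service descriptor table out of a raw image, index it by system call number, and flag any handler whose address falls outside the module that should own it. The descriptor layout (ServiceTableBase, ServiceCounterTableBase, NumberOfServices, ParamTableBase) is the 32-bit Windows shape; the image, the table address and the module address ranges are constructed placeholders, and the toy image is treated as identity-mapped so no virtual-to-physical translation is needed.

```python
import struct

SDT_FMT = "<IIII"   # ServiceTableBase, ServiceCounterTableBase, NumberOfServices, ParamTableBase
SDT_ADDR = 0x1000   # where the constructed descriptor lives in the toy image

# Constructed module map (placeholder ranges, not real addresses): name -> (start, end)
MODULES = {
    "ntoskrnl.exe": (0x80400000, 0x80700000),
    "win32k.sys": (0xBF800000, 0xBFA00000),
}


def build_image():
    """Constructed 8 KiB image: one descriptor at SDT_ADDR and a 4-entry service table."""
    img = bytearray(0x2000)
    table = 0x1100
    handlers = [
        0x80401000,  # index 0: inside ntoskrnl.exe
        0x80412340,  # index 1: inside ntoskrnl.exe
        0xF8A01230,  # index 2: outside every known module -> the hooked entry
        0x80455000,  # index 3: inside ntoskrnl.exe
    ]
    struct.pack_into(SDT_FMT, img, SDT_ADDR, table, 0, len(handlers), 0)
    for i, h in enumerate(handlers):
        struct.pack_into("<I", img, table + 4 * i, h)
    return bytes(img)


def owner(addr, modules=MODULES):
    """Name of the loaded module whose range contains addr, or UNKNOWN."""
    for name, (lo, hi) in modules.items():
        if lo <= addr < hi:
            return name
    return "UNKNOWN"


def read_ssdt(img, sdt_addr=SDT_ADDR):
    """Return the handler pointers in syscall-number order (EAX -> index)."""
    base, _counters, count, _params = struct.unpack_from(SDT_FMT, img, sdt_addr)
    return [struct.unpack_from("<I", img, base + 4 * i)[0] for i in range(count)]


def check_ssdt(img, expected="ntoskrnl.exe"):
    """One row per syscall index: (index, handler, owning module, hooked?)."""
    rows = []
    for idx, h in enumerate(read_ssdt(img)):
        who = owner(h)
        rows.append((idx, h, who, who != expected))
    return rows


def hooked_entries(img):
    """Only the rows whose handler does not belong to the expected module."""
    return [(idx, hex(h), who) for idx, h, who, bad in check_ssdt(img) if bad]
```

The same owner check applies to IDT entries: an interrupt vector whose handler resolves to no known module is the sign the idt demo looks for.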
IDT
Interrupt Descriptor Table
◦ List of interrupt handlers
◦ Interrupt number → index
User Callable interrupts
◦ Int3
◦ Int4
◦ …
Malware hooks (overwrites) entries to handle interrupts itself
◦ Intercept debugger breakpoints
DEMO: idt
Anti Forensics
Unlinking PEB->Ldr.* lists
Hide a selected DLL from the Loaded Modules List.
ldrmodules indicates DLLs missing from the lists
Unlinking the _EPROCESS list
Unlink an _EPROCESS to hide a selected process from Task Manager.
Defeated by correlating with the Active Threads list.
Unlinking PsLoadedModuleList
Can hide drivers from showing up in the list
Challenges
Malware running in kernel mode can interfere with the dumping process
◦ Omit selected pages
◦ Omit selected structures
◦ Corrupt output
Footprints of the dumping process.
Unavailability of Swap/Pagefile.
That's it for now

Editor's notes

  1. Relevant
  2. Interested in
  3. DEMO: pslist
  4. KeServiceDescriptorTable KeServiceDescriptorTableShadow
  5. DEMO: ldrmodules, psxview