Recovering Executables from Windows Memory Images
DoD Cyber Crime Conference, 2007
Slides (pdf)
An introduction to Windows memory analysis and its benefits. The talk gives an overview of the kinds of information that can be recovered, the indicators of suspicious activity, and the steps to gather more information from suspicious processes. These steps include gathering an accurate picture of everything currently and recently happening on the machine, complete with any “hidden” processes. The speaker will also demonstrate how to recover the executables and libraries from those processes so that they can be analyzed using traditional techniques.