Recovering Executables from Windows Memory Images
DoD Cyber Crime Conference, 2007

Slides (pdf)    

An introduction to Windows memory analysis and its benefits. Specifically, an overview of the kinds of information that can be recovered, the indicators of suspicious activity, and steps to gather more information from suspicious processes. These include gathering an accurate picture of everything currently and recently happening on the machine, complete with any “hidden” processes. The speaker will also demonstrate how to recover the executables and libraries from those processes so that they can be analyzed using traditional techniques.

Home     Publications     Presentations     Utilities     Tools     Blog