Post-Mortem RAM Forensics - CanSecWest
Post-Mortem RAM Forensics - CanSecWest
Post-Mortem RAM Forensics - CanSecWest
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
<strong>CanSecWest</strong>2007<br />
37<br />
Future work<br />
(process specific)<br />
• Compare the Brute force list to a list<br />
obtained by walking the list<br />
– ‘cross view diff’ off the untrusted list with the<br />
‘more trusted’ list – red flags<br />
• “unification of virtual memory”<br />
– Swap all pages ‘in’ kinda, then defrag it?!<br />
• Good, OS version auto detection<br />
• Automate correlation with other sources<br />
of information<br />
– If you supply a Registry hive, auto process<br />
owner from SID<br />
• Automatically and/or selectively extract<br />
executables<br />
VIDAS