Physical Memory Forensics, presented at Black Hat USA 2005

by Mariusz Burdach

Tags: Security Forensics

Summary: Historically, only file systems were considered locations
where evidence could be found. But what about volatile memory, which
holds a large amount of useful information such as the contents of the
clipboard or the SAM database? How long can volatile data persist in
main memory? What about anti-forensic methods that defeat disk
forensics and incident response tools? Why is the content of memory not
dumped when data is collected from a suspicious computer? What is the
best way to analyze the physical memory of Windows® and Linux® machines?
Is it possible at all? I will answer these questions during my Black Hat
presentation, which focuses on methods of finding digital evidence in
the physical memory of Windows and Linux machines.
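The first step of almost any search for evidence in a raw physical memory image is a string scan: walk the dump, pull out runs of printable text in the encodings the target OS uses, and record the offset of each hit so it can be tied back to a physical page. The following is an added example illustrating that step; it is not code from the talk and not one of the author's tools. It scans for both ASCII and UTF-16LE strings (the latter is how Windows stores most in-memory text, including clipboard contents), and the sample "image" it runs on is a constructed byte string, not a real dump.

```python
"""Carve printable strings, with offsets, out of a raw physical-memory image.

Added example for illustration only (not from the Black Hat 2005 talk).
Assumes the image is a flat, linear dump, so a match offset is also the
physical address of the string.  The sample image at the bottom is
constructed by hand to exercise the scanner; it is not real memory.
"""
import re
import sys
from typing import List, Tuple

MIN_LEN = 6  # shortest run worth reporting; raise it to cut noise


def carve_strings(image: bytes, min_len: int = MIN_LEN) -> List[Tuple[int, str, str]]:
    """Return (offset, encoding, text) for every printable run in `image`.

    ASCII runs are bytes 0x20..0x7e; UTF-16LE runs are the same bytes each
    followed by a NUL.  Results are sorted by offset.
    """
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    hits: List[Tuple[int, str, str]] = []
    for m in ascii_re.finditer(image):
        hits.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in utf16_re.finditer(image):
        hits.append((m.start(), "utf16le", m.group().decode("utf-16-le")))
    hits.sort()
    return hits


def find_keyword(image: bytes, keyword: str) -> List[Tuple[int, str]]:
    """Locate a keyword (e.g. a user name or host) in either encoding.

    Useful when you already know what you are looking for; returns
    (offset, encoding) for each occurrence, sorted by offset.
    """
    found: List[Tuple[int, str]] = []
    for enc, needle in (("ascii", keyword.encode("ascii")),
                        ("utf16le", keyword.encode("utf-16-le"))):
        start = 0
        while True:
            idx = image.find(needle, start)
            if idx < 0:
                break
            found.append((idx, enc))
            start = idx + 1
    found.sort()
    return found


# Constructed sample image: zero padding, a truncated header-like magic
# (too short to report), an ASCII clipboard artefact, an odd-byte gap,
# a UTF-16LE account name, more padding, a string below MIN_LEN, and
# some 0xff filler.  Offsets: ASCII text at 32, UTF-16LE text at 64.
SAMPLE_IMAGE = (
    b"\x00" * 16
    + b"\x7fELF"
    + b"\x00" * 12
    + b"clipboard: ssh root@10.0.0.5"
    + b"\x00\x01\x02\x03"
    + "Administrator".encode("utf-16-le")
    + b"\x00" * 8
    + b"ok\x00"
    + b"\xff" * 16
)


if __name__ == "__main__":
    # Usage: python carve.py [memory.raw]; with no argument, scan the sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_IMAGE
    for off, enc, text in carve_strings(data):
        print(f"0x{off:08x}  {enc:8s}  {text}")
```

On a real dump you would feed the output into a keyword search (account names, hostnames, URLs, registry key names) and then go back to the hit offsets to examine the surrounding page; the scanner above deliberately reports the offset rather than just the text so that second step is possible.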