Full Process Analysis And Reconstitution Of A Virtual Machine From The Native Host presented at CanSecWest 2010

by James Butler (Mandiant)

Summary: In the incident response and forensics business, James is a household name. He works for Mandiant and is an expert in rootkits and malware. He demonstrated the Memoryze and Audit Viewer tools, both available for download from Mandiant. His demonstration of gaining access to VMware guest memory from the host, and of analysing that memory with Audit Viewer, was impressive. With full access to a guest's memory, obtained without the guest operating system being aware of it, it is much easier to observe malicious or suspicious processes, as well as code and its behaviour once it has been unpacked or decrypted in memory.