What's left behind? Memory traces you may not know you leave... presented at ShellCon.io 2020

by Tarah Melton

Summary: Thinking about what traces are left when activities occur on a Windows system? Think past the operating system itself! Everything that occurs within the Windows operating system must cross RAM, making it the vessel of an abundant amount of residual data from user activities. Decrypted versions of encrypted data, internet activity, user communication, network information, evidence of program execution, passwords and encryption keys, and more! Much of this data will only be found in memory, leaving no traces behind on the associated endpoint. This lecture will discuss the intricacies of Windows memory, how data gets stored in RAM, and delve into examples of the type of data you can piece together! There’s so much data to find in memory alone, come have a look!