Black Hat Briefings, Las Vegas 2006 [audio] Presentations From The Security Conference
Mariusz Burdach: Physical Memory Forensics
- Author: Various
- Narrator: Various
- Publisher: Podcast
- Duration: 0:44:48
Information:
Synopsis
"Historically, only file systems were considered as locations where evidence could be found. But what about the volatile memory which contains a huge amount of useful information such as the content of clipboards or the SAM database? How long can volatile data stay in the main memory? What about anti-forensic methods of defeating disk forensic and incident response tools? Why is the content of the memory not dumped during the process of data collection from a suspicious computer? What is the best way to analyze the physical memory from Windows® and Linux® machines? Is it possible? I will answer these questions during my Black Hat presentation which is focused on methods of finding digital evidence in the physical memory of Windows and Linux machines. During the presentation, methods of investigations of the physical memory from a compromised machine will be discussed. Through these methods, it is possible to extract useful information from the memory such as the full content of .dll and .exe files, various