First up, Andreas Schuster has just released a wonderful set of slides on using Volatility to do memory forensics. The slides include:
- Great background material on the how, what, and why of memory acquisition and forensics.
- A refresher on some OS basics you need to really understand memory analysis.
- An amazing and comprehensive walkthrough on how to use a number of Volatility plugins in an investigation (including a few of my own tools, like ssdt.py and VolReg).
- Great information on the internals of Volatility, including a tutorial on creating your own plugins.
Second, I wanted to let everyone know once again that I'm going to be speaking at the SANS WhatWorks Summit in Forensics and Incident Response in Washington, DC on how to combine registry analysis and memory forensics for more effective incident response. I'm really looking forward to this event, as it promises to bring together a lot of luminaries from the forensics community, such as Harlan Carvey, Jesse Kornblum, and Chris Pogue, as well as some people with a lot of knowledge and experience with offensive techniques, like Jamie Butler and Peter Silberman.
If you're planning on attending, or are in the DC area, drop me a note and perhaps we can meet up at the summit!