Push the Red Button

When a user-mode application crashes in Windows, a built-in debugger known as " Dr. Watson " steps in and captures some basic information that can be sent back to developers to help debug the crash. As part of this process, it creates what's called a minidump that contains portions of the process's memory and a great deal of extra information about the state and attributes of the process. Among the information available is: CPU state for each thread. A list of loaded modules, including their timestamps. The Process Environment Block (PEB) for the process. Basic system information, such as the build number and service pack level of the perating system. The process creation time, and how long it has spent executing in kernel and user space. Detailed information on the exception that was raised. Using the userdump.exe utility provided by Microsoft, it is also possible to take a complete snapshot of the memory of any running process. This tool also, as i...

I'm pleased ecstatic to announce that my paper, Forensic Analysis of the Windows Registry in Memory , has been accepted into the 8th annual Digital Forensics Research Workshop ! The full program is available, and it looks like there are a lot of really cool presentations scheduled. Memory analysis is heavily featured this year, and has been given a whole session. As usual, all the papers will be posted on the DFRWS website once the conference begins. Until then, here's the abstract of my paper: This paper describes the structure of the Windows registry as it is stored in physical memory. We present tools and techniques that can be used to extract this data directly from memory dumps. We also provide guidelines to aid investigators and experimentally demonstrate the value of our techniques. Finally, we describe a compelling attack that modifies the cached version of the registry without altering the on-disk version. While this attack would be undetectable with conventional on...