DFRWS 2008 - Registry Forensics in Memory
I'm pleased ecstatic to announce that my paper, Forensic Analysis of the Windows Registry in Memory, has been accepted into the 8th annual Digital Forensics Research Workshop! The full program is available, and it looks like there are a lot of really cool presentations scheduled. Memory analysis is heavily featured this year, and has been given a whole session.
As usual, all the papers will be posted on the DFRWS website once the conference begins. Until then, here's the abstract of my paper:
This paper describes the structure of the Windows registry as it is stored in physical memory. We present tools and techniques that can be used to extract this data directly from memory dumps. We also provide guidelines to aid investigators and experimentally demonstrate the value of our techniques. Finally, we describe a compelling attack that modifies the cached version of the registry without altering the on-disk version. While this attack would be undetectable with conventional on-disk registry analysis techniques, we demonstrate that such malicious modifications are easily detectable by examining memory.
I also want to give my ongoing thanks to AAron Walters, who helped me out a ton by providing comments and suggestions on drafts of the paper. He continues to do great work that enriches the entire memory analysis community.
If you're going to be at DFRWS '08 and want to meet up, drop a note in the comments or send me an e-mail! See you in Baltimore!
Comments