
Recent Advances in Memory Forensics

By Andreas Schuster
Copyright © 2011 int for(ensic){blog;}. All rights reserved. Reproduction for commercial purposes (including online advertisement) interdicted.

My slides from the ZISC Workshop 2010 on Digital Forensics and Security are now available. The speaker notes, unfortunately, are not. I hope my presentation on Recent Advances in Memory Forensics will be interesting anyway.

The presentation features the following papers (in no particular order):

  • Takahiro Haruyama's port of Volatility to EnCase/EnScript, because it brings volatile data analysis techniques to a widely deployed analysis environment
  • Matthieu Suiche's paper on Mac OS X Physical Memory Analysis, because it opens up access to volatile data on a new software platform
  • Treasure and tragedy in kmem_cache mining for live forensics investigation by Andrew Case, Lodovico Marziale, Cris Neckar, and Golden G. Richard III, because their paper describes a new and efficient method to locate important kernel objects on Linux
  • Robust signatures for kernel data structures by Brendan Dolan-Gavitt, Abhinav Srivastava, Patrick Traynor, and Jonathon Giffin, because their work significantly improves the robustness of scanner signatures
  • Ruichao Zhang, Lianhai Wang, and Shuhui Zhang, because their paper "Windows Memory Analysis Based on KPCR" combines the two concepts of scanning for a data structure and of list traversal in order to locate data structures that were otherwise hard to find (with a mention of Damien Aumaitre and Bradley Schatz)
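To make the ideas behind the last three papers concrete, here is an added example (my own toy code, not from the slides and not from any of the papers listed) that combines the two approaches: first a signature scan for an anchor record that, like the KPCR, contains a pointer to itself plus a second field at a fixed distance from that pointer; then a list traversal from the head the anchor points to, with the Flink/Blink consistency checked at every step; and finally a link-independent scan for the list nodes, so that an entry a rootkit unlinked (DKOM) still shows up in the cross-view. Everything in it is constructed for the example: the 4 KiB identity-mapped image, the "PROC" tag, the record layouts and the PRCB_DELTA constant are stand-ins and do not match the real _KPCR, _EPROCESS or pool-header layouts, and the node signature is a plain tag rather than the kind of unalterable-field signature the Dolan-Gavitt et al. paper derives.

```python
import struct

# Toy image format (constructed for this example; not the real Windows layouts).
# 32-bit little-endian pointers, identity-mapped: virtual address == file offset.
PTR = "<I"
PRCB_DELTA = 0x10      # stand-in for the fixed SelfPcr -> Prcb distance inside _KPCR
NODE_TAG = b"PROC"     # stand-in for a pool tag; node = tag, LIST_ENTRY, pid, name[16]
NODE_SIZE = 32
MAX_WALK = 4096        # bound on list steps, so a cyclic or corrupted list cannot hang us

def u32(mem, off):
    return struct.unpack_from(PTR, mem, off)[0]

def p32(mem, off, val):
    struct.pack_into(PTR, mem, off, val)

def build_image():
    """Constructed 4 KiB image: a list head, three list nodes, a KPCR-like anchor
    record whose first field points to itself, and a decoy with only a self pointer."""
    mem = bytearray(0x1000)
    head = 0x100
    nodes = {0x200: (4, b"System"), 0x300: (412, b"smss.exe"), 0x400: (600, b"lsass.exe")}
    links = [head] + [n + 4 for n in sorted(nodes)]   # LIST_ENTRY is at node+4
    for i, le in enumerate(links):                     # circular doubly linked list
        p32(mem, le, links[(i + 1) % len(links)])      # Flink
        p32(mem, le + 4, links[(i - 1) % len(links)])  # Blink
    for addr, (pid, name) in nodes.items():
        mem[addr:addr + 4] = NODE_TAG
        p32(mem, addr + 12, pid)
        mem[addr + 16:addr + 16 + len(name)] = name
    anchor = 0x800
    p32(mem, anchor, anchor)                 # self pointer
    p32(mem, anchor + 4, head)               # pointer to the list head
    p32(mem, anchor + 8, anchor + PRCB_DELTA)
    decoy = 0x600
    p32(mem, decoy, decoy)                   # self pointer, but the second invariant fails
    p32(mem, decoy + 8, 0xDEADBEEF)
    return mem

def scan_anchors(mem, step=4):
    """Signature scan: a record whose first field holds its own address and whose
    third field equals self + PRCB_DELTA. Checking two invariants rather than one
    is what rejects the decoy at 0x600."""
    return [off for off in range(0, len(mem) - 12, step)
            if u32(mem, off) == off and u32(mem, off + 8) == off + PRCB_DELTA]

def read_node(mem, node):
    pid = u32(mem, node + 12)
    raw = bytes(mem[node + 16:node + NODE_SIZE]).split(b"\0", 1)[0]
    return (node, pid, raw.decode("ascii", "replace"))

def walk_list(mem, head):
    """List traversal from the head. Each step checks bounds and Flink->Blink == previous
    entry, so a corrupted list raises instead of producing garbage."""
    found, prev, cur = [], head, u32(mem, head)
    while cur != head:
        node = cur - 4                       # CONTAINING_RECORD: LIST_ENTRY sits at node+4
        if len(found) >= MAX_WALK or node < 0 or node + NODE_SIZE > len(mem):
            raise ValueError(f"list walk left the image at {cur:#x}")
        if u32(mem, cur + 4) != prev:
            raise ValueError(f"Blink mismatch at {cur:#x}")
        found.append(read_node(mem, node))
        prev, cur = cur, u32(mem, cur)
    return found

def scan_nodes(mem, step=4):
    """Link-independent signature scan for node records (tag, nonzero pid, printable
    name), so entries unlinked from the list are still found."""
    hits = []
    for off in range(0, len(mem) - NODE_SIZE, step):
        if mem[off:off + 4] != NODE_TAG or u32(mem, off + 12) == 0:
            continue
        name = bytes(mem[off + 16:off + NODE_SIZE]).split(b"\0", 1)[0]
        if name and all(0x20 <= c < 0x7F for c in name):
            hits.append(read_node(mem, off))
    return hits

def processes_via_anchor(mem):
    """Scan for the anchor, then traverse the list it points to."""
    anchors = scan_anchors(mem)
    if len(anchors) != 1:
        raise ValueError(f"expected exactly one anchor, got {[hex(a) for a in anchors]}")
    return walk_list(mem, u32(mem, anchors[0] + 4))

def unlink_node(mem, node):
    """DKOM-style hiding: splice the node's LIST_ENTRY out of the list."""
    le = node + 4
    flink, blink = u32(mem, le), u32(mem, le + 4)
    p32(mem, blink, flink)       # predecessor's Flink now skips the node
    p32(mem, flink + 4, blink)   # successor's Blink now skips the node

def hidden_nodes(mem):
    """Cross-view: records found by scanning but not reached by traversal."""
    walked = {n[0] for n in processes_via_anchor(mem)}
    return [n for n in scan_nodes(mem) if n[0] not in walked]

if __name__ == "__main__":
    img = build_image()
    print("anchor candidates:", [hex(a) for a in scan_anchors(img)])
    for node, pid, name in processes_via_anchor(img):
        print(f"{node:#06x} pid={pid:<4d} {name}")
    unlink_node(img, 0x300)
    print("hidden after unlink:", hidden_nodes(img))
```

Run as a script it lists the three constructed processes via the anchor, then hides smss.exe by unlinking it and shows that the traversal loses it while the scan still finds it. The two-field anchor check is the point that carries over to real images: a single self pointer matches too much, whereas a second invariant at a fixed distance (the Prcb pointer in the real KPCR) makes the scan precise, and walking from the KPCR rather than from a hard-coded symbol address is what lets the same logic work across kernel builds.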
