Technical Tuesday – 10 December 2013 – Dumping in the Dark: Gaining Insight into your Memory Acquisition Tools and Techniques by Alissa Torres of the SANS Institute

Posted Dec 10, 2013 in Events Archive

Digital forensic and incident response professionals unanimously agree on the vital importance of physical memory acquisition and analysis in investigations, whether they center on the reconstruction of user activity or the isolation of malicious code. Most computer incident response teams have preferred tools for such acquisition that are part of their standard operating procedures, invoked during live response or evidence acquisition. We all use these tools, but how many of us can describe how they work? This talk takes a deeper look at the differences in the resulting memory image files that are tied directly to the specific tools and techniques used in the acquisition process. Does every tool acquire physical memory using the same technique – and which technique provides a more accurate view of current system state? Are there evidential consequences to acquiring memory remotely versus locally? Alissa will present tips for optimal acquisition and a checklist useful in determining which acquisition techniques to use when.
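One practical way to get the kind of insight the abstract calls for is to acquire the same host with two different tools and compare the resulting images page by page. The script below is an added example, written for this page; it is not code from the talk or from any of the tools it discusses. It assumes both images are flat raw dumps of the same machine (so the same file offset maps to the same physical address in both) and a 4 KiB page size; the two sample images are constructed inline rather than real captures.

```python
"""
Page-by-page comparison of two raw physical-memory images.

Added example, not from the presentation. Assumptions: both images are
flat/raw dumps of the same machine taken close together in time, file
offset == physical address in both, and pages are 4 KiB.
"""
from typing import Dict, List, Optional, Tuple

PAGE_SIZE = 4096
ZERO_PAGE = bytes(PAGE_SIZE)

# (start_offset, end_offset_exclusive, label)
Run = Tuple[int, int, str]


def classify_page(pa: bytes, pb: bytes) -> str:
    """Label one page offset by how the two images disagree there."""
    if pa == pb:
        return "identical"
    if pa == ZERO_PAGE[:len(pa)]:
        return "zero_in_a"   # tool A returned nothing here (unreadable/skipped range?)
    if pb == ZERO_PAGE[:len(pb)]:
        return "zero_in_b"
    return "differ"          # both tools read data, but it changed between captures


def diff_ranges(a: bytes, b: bytes, page_size: int = PAGE_SIZE) -> List[Run]:
    """Return contiguous runs of pages that are NOT identical in both images,
    merged by label, plus a trailing run for any length mismatch."""
    runs: List[Run] = []
    common = min(len(a), len(b))
    current: Optional[Run] = None
    for off in range(0, common, page_size):
        end = min(off + page_size, common)   # clamp so a partial tail is not misread
        label = classify_page(a[off:end], b[off:end])
        if label == "identical":
            if current:
                runs.append(current)
                current = None
            continue
        if current and current[2] == label and current[1] == off:
            current = (current[0], end, label)          # extend the open run
        else:
            if current:
                runs.append(current)
            current = (off, end, label)
    if current:
        runs.append(current)
    if len(a) != len(b):
        runs.append((common, max(len(a), len(b)),
                     "only_in_a" if len(a) > len(b) else "only_in_b"))
    return runs


def summarize(a: bytes, b: bytes, page_size: int = PAGE_SIZE) -> Dict[str, int]:
    """Page counts per label; 'identical' is derived from the common length."""
    counts = {k: 0 for k in ("identical", "zero_in_a", "zero_in_b",
                             "differ", "only_in_a", "only_in_b")}
    for start, end, label in diff_ranges(a, b, page_size):
        counts[label] += (end - start + page_size - 1) // page_size
    common_pages = (min(len(a), len(b)) + page_size - 1) // page_size
    counts["identical"] = common_pages - (
        counts["zero_in_a"] + counts["zero_in_b"] + counts["differ"])
    return counts


def build_samples() -> Tuple[bytes, bytes]:
    """Constructed stand-ins for two acquisitions of the same 32 KiB of RAM.
    Page i is filled with byte i+1 so every page is non-zero by default."""
    base = [bytes([i + 1]) * PAGE_SIZE for i in range(8)]
    img_a, img_b = list(base), list(base)
    img_a[1] = ZERO_PAGE                      # tool A zero-filled page 1
    img_b[2] = b"\xff" + base[2][1:]          # contents changed between captures
    img_b[5] = ZERO_PAGE                      # tool B zero-filled page 5
    img_b.append(bytes([9]) * PAGE_SIZE)      # tool B captured one extra page
    return b"".join(img_a), b"".join(img_b)


if __name__ == "__main__":
    a, b = build_samples()
    for start, end, label in diff_ranges(a, b):
        print(f"{start:#010x}-{end:#010x}  {label}")
    print(summarize(a, b))
```

Run against real dumps by reading the two files into `a` and `b` (for multi-gigabyte images, stream them in page-sized chunks instead of loading them whole). Large `zero_in_a`/`zero_in_b` runs at fixed physical ranges usually point to a tool skipping or refusing a region; scattered `differ` pages are the expected smear from acquiring a live, changing system, and the gap between the two captures inflates that count.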

Presented by: Alissa Torres of the SANS Institute

Alissa Torres is a certified SANS instructor, specializing in advanced computer forensics and incident response. Her industry experience includes serving in the trenches as part of the Mandiant Computer Incident Response Team (MCIRT) as an incident handler and working on an internal security team as a digital forensic investigator. She has extensive experience in information security, spanning government, academic, and corporate environments, and holds a Bachelor's degree from the University of Virginia and a Master's in Information Technology from the University of Maryland. Alissa has taught as an instructor at the Defense Cyber Investigations Training Academy (DCITA), delivering incident response and network basics to security professionals entering the forensics community. She has presented at various industry conferences and numerous B-Sides events. In addition to being a GIAC Certified Forensic Analyst (GCFA), she holds the GCFE, GPEN, CISSP, EnCE, CFCE, MCT and CTT+.

Slides and Recording of Webcast

Here is a link where you can download a PDF version of the slides:
https://www.dropbox.com/s/y4af5gye7ibfc6u/Dumping_in_the_Dark.pdf

If you would like to listen to an earlier version of the presentation, there is one maintained on the SANS webcast archives site here:
https://www.sans.org/webcasts/dumping-dark-gaining-insight-memory-acquisition-tools-techniques-97260