What's left behind? Memory traces you may not know you leave...

Presented at ShellCon 2020 Virtual, Oct. 9, 2020, 10:30 a.m. (55 minutes).

Thinking about what traces are left when activities occur on a Windows system? Think past the operating system itself! Everything that occurs within the Windows operating system must cross RAM, making it the vessel of an abundant amount of residual data from user activities: decrypted versions of encrypted data, internet activity, user communication, network information, evidence of program execution, passwords and encryption keys, and more! Much of this data will only be found in memory, leaving no traces behind on the associated endpoint. This lecture will discuss the intricacies of Windows memory, how data gets stored in RAM, and delve into examples of the type of data you can piece together! There's so much data to find in memory alone. Come have a look!


Presenters:

  • Tarah Melton
    Tarah Melton, GCFA, GREM, is a digital forensics examiner with a background in the Federal Government, supporting customers focused on counterterrorism, cyber defense, and incident response. Her responsibilities included forensic lab management and conducting digital forensic investigations both in the US and overseas, completing two deployments to Afghanistan. She holds a BS in Digital Forensics from Bloomsburg University of Pennsylvania. Tarah is currently a Forensic Consultant at Magnet Forensics, where she provides support to customers with her combined knowledge of Magnet tools and digital forensics, as well as assisting with the development of Magnet products.
