ADD -- Complicating Memory Forensics Through Memory Disarray

Presented at ShmooCon X (2014), Jan. 18, 2014, 5 p.m. (60 minutes)

In this presentation, we'll present ADD (attention deficit disorder), a tool that litters Windows physical memory with (configurable amounts and types of) garbage to disrupt memory forensics. Memory forensics has become so mainstream that it's catching too many malware authors during routine investigations (making Jake a sad panda). If memory forensics were much harder to perform, then attackers would retain an upper hand. ADD increases the cost of memory forensics by allocating new structures in memory that serve only to disrupt an investigation.

We'll present some basic memory forensics techniques (just to set the stage for those who aren't familiar with the concepts). We'll explain how volatility, a core memory forensics tool, actually performs its analysis. In particular, we'll show how it locates hidden processes, drivers, and modules.

Next, we'll show how running ADD on a machine under investigation completely changes the memory forensics landscape. We'll show how an investigator must weed through astounding numbers of false positives before identifying the investigation targets.

Finally, Alissa will show how all is not lost. Even though ADD may confuse junior analysts, she'll show the invariants in memory that analysts should always be able to come back to in order to complete their forensic analysis.
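To make the idea of "scan hits versus invariants" concrete, here is an added example (not code from the talk, from ADD, or from Volatility) in Python. It builds a constructed toy memory image with a made-up process-object layout, runs a brute-force pool-tag scan over it the way a scanner-style plugin would, and then triages the hits two ways: by cross-view comparison against the linked-list view (the offsets the OS's active-process list would reference) and by invariant checks that a live process object cannot violate. Decoy structures that carry the right tag but break those invariants fall out as false positives, while an unlinked but self-consistent object survives as the genuinely hidden process. The record layout, tag name, field set and every value in the image are assumptions for this example only.

```python
import struct

# Constructed toy layout for a process object in our sample image (an assumption
# for this example; it is NOT the real Windows _EPROCESS layout): a 4-byte pool
# tag, then PID, parent PID and thread count (4-byte LE each) and an 8-byte DTB.
TAG = b"Proc"
REC = struct.Struct("<4sIIIQ")
PAGE_SIZE = 0x1000
MAX_PID = 65536


def make_record(pid, ppid, threads, dtb):
    """Pack one fake process object in the toy layout above."""
    return REC.pack(TAG, pid, ppid, threads, dtb)


def build_sample_image():
    """Build a constructed 0x1000-byte 'memory image' plus the offsets that the
    OS's active-process list (the linked-list view) would reference."""
    image = bytearray(0x1000)

    def place(off, rec):
        image[off:off + len(rec)] = rec

    # Three ordinary processes, reachable through the active-process list.
    place(0x100, make_record(4, 0, 80, 0x1AB000))
    place(0x400, make_record(500, 4, 12, 0x3C2000))
    place(0x700, make_record(1234, 500, 3, 0x5F7000))
    # One unlinked but internally consistent object: the classic hidden process.
    place(0xA00, make_record(4321, 500, 2, 0x7D0000))
    # Decoys that carry the tag but break invariants a live process must satisfy.
    place(0xC00, make_record(9999, 9999, 0, 0x0))          # self-parented, no threads, DTB 0
    place(0xD00, make_record(7, 4, 5, 0x123))              # DTB not page aligned
    place(0xE00, make_record(0xFFFFFFFF, 1, 2, 0x800000))  # PID out of range
    active_list = [0x100, 0x400, 0x700]
    return image, active_list


def scan_for_tag(image):
    """Brute-force tag scan, the core of a scanner-style plugin: every offset
    whose bytes match the tag yields a candidate, genuine or not."""
    candidates = []
    for off in range(len(image) - REC.size + 1):
        if image[off:off + 4] == TAG:
            _tag, pid, ppid, threads, dtb = REC.unpack_from(image, off)
            candidates.append({"offset": off, "pid": pid, "ppid": ppid,
                               "threads": threads, "dtb": dtb})
    return candidates


def passes_invariants(cand, known_pids):
    """Toy versions of the sanity checks a real process object cannot fail:
    sane PID, a parent that exists, at least one thread, a usable DTB."""
    return (0 < cand["pid"] < MAX_PID
            and cand["ppid"] != cand["pid"]
            and cand["ppid"] in known_pids
            and cand["threads"] >= 1
            and cand["dtb"] != 0 and cand["dtb"] % PAGE_SIZE == 0)


def triage(image, active_list):
    """Cross-view comparison (scan hits vs. the linked-list view) combined with
    invariant checks, so decoys are discarded rather than reported as hidden."""
    linked = set(active_list)
    candidates = scan_for_tag(image)
    known_pids = {0} | {c["pid"] for c in candidates if c["offset"] in linked}
    result = {"linked": [], "hidden": [], "false_positive": []}
    for c in candidates:
        if c["offset"] in linked:
            result["linked"].append(c["offset"])
        elif passes_invariants(c, known_pids):
            result["hidden"].append(c["offset"])
        else:
            result["false_positive"].append(c["offset"])
    return result


if __name__ == "__main__":
    img, active = build_sample_image()
    print(f"raw scan hits: {len(scan_for_tag(img))}")
    for bucket, offsets in triage(img, active).items():
        print(bucket, [hex(o) for o in offsets])
```

The raw scan reports seven hits, of which three are decoys; the cross-view step alone would flag all four unlinked objects as "hidden", and only the invariant checks separate the one real hidden process from the noise. Real analysis uses far richer invariants (object header consistency, thread and handle table linkage, valid page tables behind the DTB), but the shape of the workflow is the same: scan wide, then fall back on properties the decoys cannot cheaply fake.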


Presenters:

  • Jake Williams
    Jake is the Chief Scientist at CSRgroup where he does lots of offensive and defensive research. He is also a SANS instructor and member of the DFIR author team. Occasionally, CSRgroup still lets Jake do penetration tests (where he feels like a kid in a candy store).
  • Alissa Torres
    Alissa is a digital forensics examiner and incident response consultant for Sibertor Forensics. Also a SANS Instructor, she teaches hundreds of security professionals a year how to find evil in the form of trace artifacts and hidden processes.
