Authors: Andrew Case (Volexity) and Golden Richard III, Ph.D. (Louisiana State University)
DFRWS USA 2016
Abstract
Major advances in memory forensics in the past decade now allow investigators to efficiently detect and analyze many types of sophisticated kernel-level malware. With operating systems vendors now routinely enforcing driver signing and integrating strategies for protecting kernel data, such as Patch Guard, userland attacks are becoming more attractive to malware authors, as evidenced in the notorious Crisis malware. We, therefore, turn our attention to improving memory forensics techniques for analysis of malware in userland.