There are few people in the world who know more about physical memory acquisition and analysis than Mr. Garner; President of GMG Systems, Inc. and author of KnTTools. At a rare conference appearance, George discussed how he leverages the PFN database to attribute pages of physical memory to owning processes and drivers. This OMFW talk was enlightening, as George shared stories of tracking single UDP packets between hosts in China, his experiences single-stepping through the Windows kernel, and how he tracked a TDI object with an NTFS pool tag in deallocated memory.
Author/Presenter: George M. Garner Jr. (GMG Systems, Inc.)
Direct Link: Mining the PFN Database for Malware Artifacts
No comments:
Post a Comment