Corpus ID: 117224506

Live forensics on the Windows 10 secure kernel.

@inproceedings{Brendmo2017LiveFO,
  title={Live forensics on the Windows 10 secure kernel.},
  author={Hans Kristian Brendmo},
  year={2017}
}
The field of Digital Forensics is always changing together with developments in computer hardware and operating systems. In June of 2015 Windows 10 was released to consumers, offering numerous changes to the operating system. One of the most interesting features from the perspective of Digital Forensics is a feature known as Device Guard. Device Guard is said to offer protection from advanced malware such as rootkits, polymorphic viruses and even zero-day exploits. Device Guard accomplishes this…

Hypervisor Memory Introspection and Hypervisor Based Malware Honeypot
This work proposes a hypervisor-based memory acquisition tool that supports ASLR and modern operating systems, which is an innovation compared to past methods, and extends hypervisor-assisted memory acquisition by adding mass storage device honeypots for the malware to cross and by proposing to hide the hypervisor using bluepill technology.
Identifying rootkit stealth strategies
Rootkits provide a collection of tools allowing for low level actions on a system. With these capabilities, attackers can gain full access of a computer and even modify the way the core system itself…
Hypervisor-assisted Atomic Memory Acquisition in Modern Systems
This work describes a hypervisor-based memory acquisition method that solves the two aforementioned deficiencies and analyzes the memory usage and performance of the proposed method.
Information Systems Security and Privacy: 5th International Conference, ICISSP 2019, Prague, Czech Republic, February 23-25, 2019, Revised Selected Papers
This paper presents a decentralized platform for signing and verifying digital documents that is based on the previously presented SPROOF platform and additionally supports attribute-based authentication.
