Black Hat //Webcast Series

security research in real time

Black Hat Webcast No. 13

New Frontiers in Forensics

Thursday, October 29, 2009: 1300 hrs PST/ 1600 hrs EST • FREE

Speaker:

  • Matthieu Suiche: New Frontiers in Forensics



Overview:

Physical memory is definitely a goldmine of information and its analysis is part of several games including troubleshooting, forensics investigation, etc. This webcast aims at explaining one major point and step: Why using Microsoft Crash Dump file format is way more efficient than a common raw dump under a Windows machine for forensics analysis.

And for this, the author is going to talk about his x64/x86 Windows physical memory acquisition utility called windd. (Also known as win32dd or win64dd)

Matthieu Suiche

Matthieu Suiche is a security researcher and Microsoft MVP Enterprise Security. Matthieu is mainly known for his work on reverse code engineering associated to volatile memory forensics. He had been speaker in various security conferences such as PacSec, BH USA and law enforcement meeting like EUROPOL High Tech Crime Meeting or ENFSI. His previous work includes Windows Hibernation file documentation and windd Windows physical memory acquisition utility. He is reachable through his website at www.msuiche.net