All times are in Pacific Daylight Time (UTC-0700).

  • Track: Main Channel: Friday 10/09 @ 1030-1125 PDT

Thinking about what traces are left when activities occur on a Windows system? Think past the operating system itself! Everything that occurs within the Windows operating system must cross RAM, making it the vessel of an abundant amount of residual data from user activities. Decrypted versions of encrypted data, internet activity, user communication, network information, evidence of program execution, passwords and encryption keys, and more! Much of this data will only be found in memory, leaving no traces behind on the associated endpoint. This lecture will discuss the intricacies of Windows memory, how data gets stored in RAM, and delve into examples of the type of data you can piece together! There’s so much data to find in memory alone, come have a look!

Tarah Melton, GCFA, GREM, is a digital forensics examiner with a background in the Federal Government, supporting customers focused on counterterrorism, cyber defense, and incident response. Her responsibilities included forensic lab management and conducting digital forensic investigations in both the US as well as overseas, completing two deployments to Afghanistan....

Read More

twitter @melton_tarah

© 2020 ShellCon