Building Stack Traces From Memory Dump Of Windows x64

Yuto Otsuki discusses his research at DFRWS EU 2018.

Yuto: Thank you, chairperson. I am Yuto Otsuki, a researcher at NTT Secure Platform Laboratories in Japan.

Today, I’d like to talk about building stack traces from memory dumps of Windows x64. Now, as you know, malware is widely used for various cyberattacks. To fight against such attacks, forensic analysis is a conventional approach. And stack traces play an important role in memory forensics, as well as in program debugging. Stack traces become a clue to uncover what malware has actually done on the host. However, unfortunately, traditional techniques don’t work for memory dumps of the Windows x64 environment.

We propose a new method for building stack traces from such memory dumps. I’ll start with the background.