Forensics: Windows 10 memory forensics (WO)

Analyze even the newest versions of an OS

Forensic investigators need to be able to analyze even the newest versions of an OS. Windows 10, a new major version of the Windows OS, will be released in 2015; a technical preview version is already available.

The main focus of this internship is Windows 10 memory acquisition and analysis. How are, for example, processes, networking objects and file objects represented in memory on a Windows 10 machine? The first challenge is to make a reliable memory dump of a Windows 10 system. The second step is to analyze the Windows 10 in-memory structures using reverse engineering techniques. Starting from scratch is unnecessary, since many data structures will resemble those used in preceding Windows versions.

A practical outcome of this research would be the creation of Volatility profiles to perform efficient Windows 10 memory analysis using the Volatility framework. Finally, this entire process should be analyzed to determine which parts of this process could be automated for analyzing in-memory traces of future (sub)versions of Windows. Since this research is quite comprehensive, it could be performed by a group of two students.

Keywords:

  • Detection, Data analytics, Parsing, Databases
  • Duration: 5-10 months
  • Context: HBO/WO thesis

Context:

Having lots of data and searching through it all is hard. This is especially true if there is unstructured data from multiple different types of systems and protocols. How can we best solve this problem?

Activities:

  • Research into structuring and analysing unstructured data
  • Produce a PoC on how this could work with data coming from a multitude of sources such as network data logs, host-based logs, file data logs, DNS logs, and other sources.

Interested?!

Please share your CV and motivation with us (vacature[at]fox-it.com). In case of questions please send us an email (vacature[at]fox-it.com).

Contact us

+31 (0) 15 284 79 99

fox@fox-it.com

Delft