Albuquerque 2014

Albuquerque, NM | Mon, Sep 15 - Sat, Sep 20, 2014

Extracting User Credentials using Memory Forensics

  • Alissa Torres
  • Tuesday, September 16th, 8:15pm - 9:15pm

Though Windows credential extraction and password cracking are often categorized as offensive skills, used by pentesters and sophisticated attackers, digital forensic examiners and incident responders can also put these techniques to use to further their investigations. Just by parsing a physical memory image of a Windows system, an examiner can pull local and domain user account password hashes from the registry hives and extract plaintext credentials for logged-on users from WDigest in the LSASS process. For employee or criminal investigations, cracking a user's logon password can give the examiner access to encrypted files or accounts, because users frequently re-use passwords. Likewise, in intrusion cases, being able to dump credentials from a compromised system allows the IR team to assess what access the attacker was able to acquire, providing for better scoping of the intrusion. This webcast walks through several practical forensics use cases for Windows credential extraction from memory and includes excerpts from the SANS FOR526: Memory Forensics In-Depth class.


Bonus Sessions

The following bonus sessions are open to all paid attendees at no additional cost. There are many different types of events that fall into these categories:

  • SANS@Night: Evening presentations given after day courses have ended. This category includes Keynotes.
  • Special Events: SANS-hosted events and other non-technical recreational offerings. This category includes, but is not limited to, Receptions and Information Tables.

Monday, September 15

Session | Speaker | Time | Type
General Session - Welcome to SANS | Paul A. Henry | Monday, September 15th, 8:15am - 8:45am | Special Events
Evolving Threats | Paul A. Henry | Monday, September 15th, 7:15pm - 9:15pm | Keynote

Tuesday, September 16

Session | Speaker | Time | Type
The 13 Absolute Truths of Security | Keith Palmgren | Tuesday, September 16th, 7:15pm - 8:15pm | SANS@Night
Extracting User Credentials using Memory Forensics | Alissa Torres | Tuesday, September 16th, 8:15pm - 9:15pm | SANS@Night

Wednesday, September 17

Session | Speaker | Time | Type
Debunking the Complex Password Myth | Keith Palmgren | Wednesday, September 17th, 7:15pm - 8:15pm | SANS@Night

Thursday, September 18

Session | Speaker | Time | Type
Bust a cap in a web app with ZAP | Adrien de Beaupre | Thursday, September 18th, 7:15pm - 8:15pm | SANS@Night