SEC504: Hacker Tools, Techniques, and Incident Handling

With the proliferation of defense mechanisms built into the Windows operating system, such as ASLR, DEP, and SEHOP, it is getting more difficult for malware to exploit it successfully. The Microsoft Enhanced Mitigation Exploitation Toolkit further increases the difficulty. A common symptom of a failed exploit is a crash, and a crash dump is generated whenever a crash happens. The Windows operating system has a built-in error reporting mechanism to troubleshoot such instabilities. An enterprise running Windows-based servers can leverage this mechanism to collect the volatile memory of client machines for offsite investigation. This would allow system administrators to remotely determine whether a crash is due to a badly programmed application (an event) or a real malware exploitation attempt (an incident). This is advantageous to an enterprise, as an incident handling team need not be dispatched on-site to perform incident identification. This paper provides detailed steps on how to configure the enterprise network to facilitate such an analysis. In addition, a Python memory analysis script is included which, when run against the collected memory, indicates the percentage probability that a machine is infected with malware.
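The abstract describes a script that scores collected crash dumps for likely malware involvement but does not show how that scoring works. The following is an added illustration, not the paper's script: it parses the module list of a Windows minidump (the `MDMP` format that Windows Error Reporting produces) with nothing beyond the standard library, then applies an assumed triage heuristic that flags loaded modules living in user-writable directories. The weighting (25 points per flagged module, capped at 100), the `SUSPICIOUS_DIRS` list, and the `build_minidump` helper that fabricates a minimal dump for offline testing are all assumptions made for this example; the paper's own heuristics are not on this page.

```python
import struct
from pathlib import Path
from typing import Dict, List, Tuple

# Minidump constants from the documented MINIDUMP_* structures.
MDMP_SIGNATURE = 0x504D444D      # little-endian 'MDMP'
MODULE_LIST_STREAM = 4           # MINIDUMP_STREAM_TYPE ModuleListStream
MODULE_ENTRY_SIZE = 108          # sizeof(MINIDUMP_MODULE)

# Assumed triage heuristic (example only): code loaded from these locations
# is unusual for a crashing service and worth an analyst's attention.
SUSPICIOUS_DIRS = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\")
POINTS_PER_FLAGGED_MODULE = 25.0


def parse_minidump_modules(data: bytes) -> List[Dict]:
    """Return the loaded-module list recorded in a minidump."""
    sig, _version, n_streams, dir_rva = struct.unpack_from("<IIII", data, 0)
    if sig != MDMP_SIGNATURE:
        raise ValueError("not a minidump: bad signature")
    modules = []
    for i in range(n_streams):
        # MINIDUMP_DIRECTORY entry: StreamType, DataSize, Rva
        stype, _size, rva = struct.unpack_from("<III", data, dir_rva + 12 * i)
        if stype != MODULE_LIST_STREAM:
            continue
        (count,) = struct.unpack_from("<I", data, rva)
        for j in range(count):
            off = rva + 4 + j * MODULE_ENTRY_SIZE
            # Leading fields of MINIDUMP_MODULE; the rest is version/CV data.
            base, size, _cksum, _ts, name_rva = struct.unpack_from("<QIIII", data, off)
            # MINIDUMP_STRING: byte length followed by UTF-16LE characters.
            (name_len,) = struct.unpack_from("<I", data, name_rva)
            name = data[name_rva + 4:name_rva + 4 + name_len].decode("utf-16-le")
            modules.append({"base": base, "size": size, "name": name})
    return modules


def is_suspicious_path(path: str) -> bool:
    low = path.lower()
    return any(d in low for d in SUSPICIOUS_DIRS)


def triage_dump(data: bytes) -> Tuple[float, List[str]]:
    """Score a dump 0..100 (assumed heuristic) and list the flagged modules."""
    modules = parse_minidump_modules(data)
    flagged = [m["name"] for m in modules if is_suspicious_path(m["name"])]
    score = min(100.0, POINTS_PER_FLAGGED_MODULE * len(flagged))
    return score, flagged


def triage_directory(dump_dir: str) -> Dict[str, float]:
    """Score every *.dmp collected from clients into one folder."""
    return {p.name: triage_dump(p.read_bytes())[0]
            for p in Path(dump_dir).glob("*.dmp")}


def build_minidump(module_paths: List[str]) -> bytes:
    """Constructed test fixture: a minimal dump holding only a module list."""
    header_size, dir_size = 32, 12
    dir_rva = header_size
    modlist_rva = dir_rva + dir_size
    names_rva = modlist_rva + 4 + MODULE_ENTRY_SIZE * len(module_paths)
    names, name_rvas = b"", []
    for p in module_paths:
        enc = p.encode("utf-16-le")
        name_rvas.append(names_rva + len(names))
        names += struct.pack("<I", len(enc)) + enc + b"\x00\x00"
    modlist = struct.pack("<I", len(module_paths))
    for i, _ in enumerate(module_paths):
        entry = struct.pack("<QIIII", 0x7FF000000000 + i * 0x100000,
                            0x10000, 0, 0, name_rvas[i])
        modlist += entry + b"\x00" * (MODULE_ENTRY_SIZE - len(entry))
    header = struct.pack("<IIIIIIQ", MDMP_SIGNATURE, 0xA793, 1, dir_rva, 0, 0, 0)
    directory = struct.pack("<III", MODULE_LIST_STREAM, len(modlist), modlist_rva)
    return header + directory + modlist + names


if __name__ == "__main__":
    sample = build_minidump([
        r"C:\Windows\System32\ntdll.dll",
        r"C:\Users\alice\AppData\Local\Temp\update.dll",   # constructed
    ])
    print(triage_dump(sample))
```

Run against a folder of dumps gathered from clients, `triage_directory` gives a per-file score an administrator can sort on before deciding which crashes warrant the full memory investigation the abstract describes. The scoring is deliberately crude; the parser is the reusable part.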