Rewind, Revisit, Reinforce, Retain with OnDemand - Special Offer Available Now


To attend this webcast, login to your SANS Account or create your Account.

This webcast has been archived. To view the webcast login into your SANS Portal Account or create an account by clicking the "Get Registered" button on the right. Once you register, you can download the presentation slides below.

Reconstructing User Activity with Memory Forensics

  • Monday, April 14, 2014 at 11:00 PM EDT (2014-04-15 03:00:00 UTC)
  • Alissa Torres

You can now attend the webcast using your mobile device!



Forensic investigations of all types have grown increasingly more complex, requiring advanced forensic techniques to identify trace file system artifacts and memory-resident evidence. The prevalence of encryption and user applications that do not log to disk, such as privacy-mode browsers and instant messaging clients, points to the increasing sophistication of todays average user and raises the bar for investigators charged with working Acceptable Use Policy (AUP) employee cases or criminal investigations. Proof of the current or past existence of rogue applications can be found by parsing registry artifacts found in memory, as well as with traditional file system forensics. Evidence of execution, be it from registry keys or from terminated/active processes, can be the smoking gun needed to prove a suspects deliberate activity on a system. Clearly, memory forensics has an enormous impact in the outcome of todays typical user investigation.

In this session, we will wield memory parsing tools in the pursuit of uncovering what a user did (or is actively doing) on a system. We will introduce powerful stream and structure-based forensic analysis techniques that target user artifacts, some of which can only be found in physical memory.

Speaker Bio

Alissa Torres

Alissa Torres is a SANS Analyst and certified SANS instructor specializing in advanced computer forensics and incident response (IR). She has extensive experience in information security in the government, academic and corporate environments. Alissa has served as an incident handler and as a digital forensic investigator on an internal security team. She has taught at the Defense Cyber Investigations Training Academy (DCITA), delivering IR and network basics to security professionals entering the forensics community. A GIAC Certified Forensic Analyst (GCFA), Alissa holds the GCFE, GPEN, CISSP, EnCE, CFCE, MCT and CTT+ certifications.

Need Help? Visit our FAQ page or email

Not able to attend a SANS webcast? All Webcasts are archived so you may view and listen at a time convenient to your schedule. View our webcast archive and access webcast recordings/PDF slides.