Forensics increasingly includes analyzing the physical memory of an infected machine for clues and intelligence. But like everything in infosec, it is a constant cat-and-mouse game, with attackers finding new ways to hide their tracks in memory from the incident responders trying to get to the bottom of a breach.
A researcher has developed a new tool called Dementia that fools the forensic tools used to inspect an attacker's footprints in a Windows computer's memory. Dementia produces a doctored image of the infected machine's memory, hiding the evidence of an attacker's movements while leaving the rest of the image intact. The tool removes “specific artifacts from the memory or the image being created. While the image itself is correct — it can be analyzed — specific artifacts are not present, which can hide traces of attacker’s activities,” says Luka Milkovic, who developed the tool. Milkovic, an information security consultant with Croatia-based Infigo, recently demonstrated the tool at the CCC conference in Hamburg, Germany.
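To make the distinction in Milkovic's quote concrete, here is an added illustration; it is not Dementia's code and not the Windows kernel's real structures. It builds a constructed toy memory image in which process entries sit on a circular doubly-linked list, applies a scrub step that unlinks and zeroes one entry as the image is written out, and then compares the three views an analyst might check against each other. The image format, slot layout, sample process names and function names are all assumptions made for this example.

```python
import struct

# Constructed toy image format (an illustration only, not a Windows kernel layout):
#   header @0    : magic 4s, entry_count u32, head_off u32   (12 bytes, in a 32-byte slot)
#   entry  @32*k : flink u32, blink u32, pid u32, name 16s   (28 bytes, in a 32-byte slot)
# Real entries form a circular doubly-linked list through a sentinel "HEAD" entry.
HDR = struct.Struct("<4sII")
ENT = struct.Struct("<III16s")
SLOT = 32
MAGIC = b"TOYM"

# Constructed sample process table; the names are assumptions for the demo.
SAMPLE_PROCS = [(4, "System"), (608, "lsass.exe"), (2216, "implant.exe")]


def _put_entry(buf, off, flink, blink, pid, name):
    buf[off:off + ENT.size] = ENT.pack(flink, blink, pid, name.encode().ljust(16, b"\0"))


def _read_entry(img, off):
    flink, blink, pid, name = ENT.unpack_from(img, off)
    return flink, blink, pid, name.rstrip(b"\0").decode()


def build_image(procs):
    """Lay out the header, a sentinel head at slot 1, then one entry per (pid, name)."""
    n = len(procs)
    buf = bytearray(SLOT * (2 + n))
    head = SLOT
    ring = [head] + [head + SLOT * (i + 1) for i in range(n)]
    _put_entry(buf, head, ring[1 % len(ring)], ring[-1], 0, "HEAD")
    for i, (pid, name) in enumerate(procs):
        _put_entry(buf, ring[i + 1], ring[(i + 2) % len(ring)], ring[i], pid, name)
    buf[0:HDR.size] = HDR.pack(MAGIC, n, head)
    return bytes(buf)


def walk_process_list(img):
    """What a list-walking analysis sees: follow flink from the head until it wraps."""
    magic, _count, head = HDR.unpack_from(img, 0)
    if magic != MAGIC:
        raise ValueError("not a toy image")
    seen, off = [], _read_entry(img, head)[0]
    while off != head:
        flink, _blink, pid, name = _read_entry(img, off)
        seen.append((pid, name))
        off = flink
        if len(seen) > len(img) // SLOT:
            raise RuntimeError("list cycle that never returns to the head")
    return seen


def carve_process_entries(img):
    """What a signature scan sees: every slot that still looks like a live entry."""
    found = []
    for off in range(SLOT, len(img), SLOT):
        flink, blink, pid, name = _read_entry(img, off)
        if pid and name and flink < len(img) and blink < len(img):
            found.append((pid, name))
    return found


def scrub_process(img, target):
    """Filter applied while the image is written out, in the spirit of the quote:
    unlink the target entry, patch both neighbours, zero its slot and fix the
    header count, so the resulting image is still well-formed."""
    buf = bytearray(img)
    magic, count, head = HDR.unpack_from(buf, 0)
    off = _read_entry(buf, head)[0]
    while off != head:
        flink, blink, _pid, name = _read_entry(buf, off)
        if name == target:
            _bf, bb, bpid, bname = ENT.unpack_from(buf, blink)   # previous entry
            ENT.pack_into(buf, blink, flink, bb, bpid, bname)     # its flink skips us
            ff, _fb, fpid, fname = ENT.unpack_from(buf, flink)   # next entry
            ENT.pack_into(buf, flink, ff, blink, fpid, fname)     # its blink skips us
            buf[off:off + SLOT] = b"\0" * SLOT                    # no remnant to carve
            count -= 1
        off = flink
    HDR.pack_into(buf, 0, magic, count, head)
    return bytes(buf)


def consistency_report(img):
    """Cross-check three views of one image. Disagreement flags corruption or
    tampering; agreement only says the image is self-consistent."""
    header_count = HDR.unpack_from(img, 0)[1]
    listed, carved = walk_process_list(img), carve_process_entries(img)
    return {
        "header": header_count,
        "listed": len(listed),
        "carved": len(carved),
        "consistent": header_count == len(listed) == len(carved)
        and set(listed) == set(carved),
    }


if __name__ == "__main__":
    image = build_image(SAMPLE_PROCS)
    filtered = scrub_process(image, "implant.exe")
    print("before:", walk_process_list(image), consistency_report(image))
    print("after: ", walk_process_list(filtered), consistency_report(filtered))
```

Run it and the list walk, the signature carve and the header count all agree both before and after the scrub; only a comparison of the two images shows the removal. That is the property the quote describes: the image stays analyzable, so an analyst who only checks it for internal consistency has nothing to flag, and the integrity of the acquisition path matters as much as the analysis of the image it produces.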
‘Dementia’ Wipes Out Attacker Footprints in Memory | DFI News.