- Bell Aliant
- NHTCU & FBI
- Peter Allor
- Marcel van den Berg
- Rainer Böhme
- Bob Burls
- William Cheswick
- Carlos Cid
- Anton Chuvakin
- Dave De Coster
- Lord Errol
- Boris Goranov
- Martijn de Hamer
- Elly van den Heuvel
- Jaap-Henk Hoepman
- Bart Jacobs
- Sari Kajantie
- Mark Koek
- Jos Kuijpers
- Brett Lambo
- Eric Luiijf
- Scott McIntyre
- Milton Mueller
- Pär Österberg Medina
- Carol Overes
- Richard Perlotto
- David Rice
- Marcus Sachs
- Jacques Schuurman
- Alex Shipp
- Lance Spitzner
- Don Stikvoort
- Gigi Tagliapietra
- Jan Joris Vereijken
- Rémon Verkerk
- Randal Vickers
- David Watson
- Tillmann Werner
- Maurice Wessling
- Colin Whittaker
- Georg Wicherski
- Nicholas Witchell
- Dave Woutersen
Pär Österberg-Medina (CISSP) started his career in Unix and Windows network administration, but quickly migrated into solely security-related work, such as the administration of firewall and intrusion-detection systems. After carrying out penetration testing for various consulting firms for several years, he started to work for the Swedish Government CERT (Sitic), where, for the past five years, amongst other things, he has been handling IT incidents.
Finding Rootkits in Memory Dumps
Wednesday 17 September, 13:40 - 14:25, Leeuwen Room
With the increasing threat of computer intrusions that avoid writing data to the hard drive and the rise of malware utilizing rootkit technology, we need to include memory analysis in our incident investigation process. This presentation will focus on the different methods and techniques that can be used by an organization in order to find machines on which rootkits have been installed.
First of all, we will start by explaining how a rootkit stays undetected in the system, which tricks it can use and how it can survive a reboot. The next step is to dump the memory of the system that we suspect has been compromised. Different types of memory dumping techniques will be demonstrated, and also how anti-forensics can be used in order to fool the rootkits.
Finally, the presentation will cover how the memory image can be analyzed and how the infection is revealed. There will be live demonstrations of various tools and techniques, how these can be used to find rootkit infections, and how they help determine whether or not a machine has been compromised.
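The core idea behind revealing a rootkit in a memory image, as described above, is cross-view detection: one source of truth the rootkit can tamper with (the kernel's linked list of active processes, which DKOM-style rootkits unlink their process from) is compared with a second source it usually forgets (a raw scan of the dump for the signature every process object carries). Anything the scan finds that the list walk does not is hidden. The following is an added example, not a tool from the talk or from Sitic; it builds a small constructed memory image with a simplified 32-byte process record (tag, pid, flink, blink, name), hides one record exactly the way DKOM does, and then recovers it. The record layout, the "Proc" tag, the offsets and the process names are all assumptions made for the example.

```python
import struct
from dataclasses import dataclass

# Constructed layout for a toy process object (not the real EPROCESS):
#   +0  tag "Proc"   +4 pid (u32)   +8 flink (u32)   +12 blink (u32)   +16 name[16]
IMAGE_SIZE = 0x400
HEAD_OFF = 0x0        # stand-in for the active-process list head; uses the same link offsets
TAG = b"Proc"         # stand-in for the pool tag a scanner would signature on
PROC_SIZE = 32
FLINK, BLINK = 8, 12


@dataclass(frozen=True)
class Proc:
    offset: int
    pid: int
    name: str


def _u32(img, off):
    return struct.unpack_from("<I", img, off)[0]


def _p32(img, off, value):
    struct.pack_into("<I", img, off, value)


def _write_proc(img, off, pid, name):
    img[off:off + 4] = TAG
    _p32(img, off + 4, pid)
    img[off + 16:off + 32] = name.encode("ascii").ljust(16, b"\0")


def _read_proc(img, off):
    name = bytes(img[off + 16:off + 32]).split(b"\0", 1)[0]
    return Proc(off, _u32(img, off + 4), name.decode("ascii", "replace"))


def _set_links(img, a, b):
    # a -> b in the forward direction, b -> a in the backward direction
    _p32(img, a + FLINK, b)
    _p32(img, b + BLINK, a)


def build_image():
    """Constructed image: four linked processes plus a decoy string that contains the tag."""
    img = bytearray(IMAGE_SIZE)
    procs = [(0x40, 4, "System"), (0x100, 312, "lsass.exe"),
             (0x1c0, 1337, "rootkit.exe"), (0x280, 2044, "explorer.exe")]
    for off, pid, name in procs:
        _write_proc(img, off, pid, name)
    chain = [HEAD_OFF] + [off for off, _, _ in procs]
    for a, b in zip(chain, chain[1:] + [HEAD_OFF]):   # circular list through the head
        _set_links(img, a, b)
    img[0x380:0x38b] = b"Procmon log"                  # decoy: tag bytes, but not a process
    return img


def dkom_unlink(img, off):
    """Hide a process the way DKOM rootkits do: splice it out of the list, leave the object intact."""
    prev, nxt = _u32(img, off + BLINK), _u32(img, off + FLINK)
    _p32(img, prev + FLINK, nxt)
    _p32(img, nxt + BLINK, prev)
    # the victim's own flink/blink are left pointing at its old neighbours


def walk_active_list(img):
    """View 1: what the kernel (and a trusting tool) would report by following the list."""
    seen, visited = [], set()
    off = _u32(img, HEAD_OFF + FLINK)
    while off != HEAD_OFF and off not in visited:     # visited guard stops a cyclic, tampered list
        visited.add(off)
        seen.append(_read_proc(img, off))
        off = _u32(img, off + FLINK)
    return seen


def _plausible(img, off):
    """Sanity checks a scanner applies so that stray tag bytes do not become false positives."""
    if off + PROC_SIZE > len(img):
        return False
    for fld in (FLINK, BLINK):
        ptr = _u32(img, off + fld)
        if ptr % 16 or ptr + PROC_SIZE > len(img):
            return False
    name = bytes(img[off + 16:off + 32]).split(b"\0", 1)[0]
    pid = _u32(img, off + 4)
    return 0 < pid < 65536 and name and all(0x20 <= b < 0x7f for b in name)


def scan_for_procs(img):
    """View 2: carve every plausible process object out of the raw bytes, ignoring the list."""
    found, pos = [], img.find(TAG)
    while pos != -1:
        if _plausible(img, pos):
            found.append(_read_proc(img, pos))
        pos = img.find(TAG, pos + 1)
    return found


def find_hidden(img):
    """Cross-view: objects found by scanning but absent from the list walk are hidden."""
    listed = {p.offset for p in walk_active_list(img)}
    return [p for p in scan_for_procs(img) if p.offset not in listed]


if __name__ == "__main__":
    image = build_image()
    dkom_unlink(image, 0x1c0)
    print("list walk :", [p.name for p in walk_active_list(image)])
    print("hidden    :", [(p.name, p.pid) for p in find_hidden(image)])
```

Two details carry over to real dumps: the scanner must validate each hit (here via pointer alignment, bounds and a printable name) because tag bytes also occur inside ordinary data, and the list walker needs a loop guard because a tampered list can be made cyclic to hang a naive tool. The same list-versus-scan comparison applies to other kernel structures a rootkit hides (threads, drivers, sockets), which is why memory analysis finds what the live system will not admit to.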
