Up until August 2013, a complete Windows memory analysis only required forensic tools to parse physical memory and fill in any gaps from the pagefile. In Windows 8.1, Microsoft upended this paradigm with the introduction of memory compression. Pages that had previously been located in a pagefile on disk were now stored in an undocumented location. As a result, the introduction of compressed memory has led to incomplete memory inspection on major operating systems.

To enable a more complete memory analysis on Windows 10, FireEye’s FLARE team has analyzed the operating system’s memory manager. This presentation discusses the application of that research in finding malware from real investigations that had previously been inaccessible in memory snapshots. The presentation coincides with the release of FireEye’s Win10 memory decompression plug-ins for Volatility and Rekall.

Attendees can expect to gain an understanding of the issues faced by current forensic utilities; the general algorithm used to locate and decompress pages; and the means to leverage this research in practice via open-source software. An example forensic analysis/investigation of a Windows 10 memory image will demonstrate the additional capabilities the new solutions provide compared to existing tools.

Omar Sardar (@osardar1), Reverse Engineer, FireEye (FLARE)
Blaine Stancill (@MalwareMechanic), Reverse Engineer, FireEye (FLARE)