'Dementia' Wipes Out Attacker Footprints in Memory
By Kelly Jackson Higgins
Forensics increasingly encompasses the analysis of potentially valuable clues and intelligence in the physical memory of an infected machine. But like anything in infosec, it's a constant cat-and-mouse game, with attackers finding new ways to hide their tracks in memory from incident response handlers trying to get to the bottom of a breach.
A researcher has developed a new tool called Dementia that cheats forensics tools that inspect attackers' footprints in a Windows computer's memory. Dementia basically renders a phony image of the infected machine's memory as a way to hide evidence of an attacker's movements. The tool removes "specific artifacts from the memory or the image being created. While the image itself is correct — it can be analyzed — specific artifacts are not present, which can hide traces of attacker's activities," says Luka Milkovic, who developed the tool. Milkovic, who is an information security consultant with Croatia-based Infigo, recently demonstrated the tool at the CCC conference in Hamburg, Germany.
Source: Dark Reading