Technique to Interrogate an Image of RAM

Abstract

Using Mr. Aaron Walters' Python script, nistpe.py, which generates hash values for sections within Microsoft Windows portable executables (PE), I will present a technique allowing industry, academia, law-enforcement, and other government bodies to create custom reference sets that detect sections within a raw bit image of random access memory. The technique identifies PE sections within a raw bit image of random access memory by comparing SHA-1 hash values from page-aligned segments to SHA-1 reference file entries. This technique expands on the “immutable sections of known executables” reported earlier. Being able to identify PEs by hash values may facilitate volatile memory analysis and warn of malicious logic.