
Abstract

k-dupe is a Ph.D. student at Chonnam National University. He is interested in computer memory forensics and the exploitation of software vulnerabilities.

Ph.D. Hyunuk Hwang is a Senior Member of Engineering Staff at The Attached Institute of ETRI, Korea. He has been a member of the Null@Root hacker group for a long time. He enjoys analyzing new malware by observing its activity, and his main job is related to digital forensics (especially computer filesystems).

Kibom Kim is a Principal Member of Engineering Staff at The Attached Institute of ETRI, Korea. He is an Advisory Committee Member of Digital Investigation of the SPO. He received a doctoral degree in computer science from Korea University in 2001. For over 10 years, his work has been related to digital forensics, computer security, network security and incident response.

[Abstract] In this talk, we will show a method for extracting executable and ordinary files from physical memory by analyzing the information held in Windows kernel file objects. We also describe how to analyze the characteristics of the physical memory regions that contain file data. Previous physical-memory studies on executable file extraction, especially those targeting files that are running in memory, found it very hard to extract a file from memory that is identical to the original file stored on the hard disk. We will present a new method that can extract files from memory that are identical to their on-disk counterparts.
