Presentation Material
Abstract
This talk is inspired by an episode of Black Mirror. I will be demonstrating a live demo creating a bot that talks like me and can be used to impersonate me online and do social engineering. I will be showing a live demo of how to create such bots over text, voice, or video and walk through various techniques that the attendees can use to create such smart social engineering attacks.
I will also release my GitHub of the AI notebooks as open source for the attendees to try out and experiment with.
AI Generated Summary
This talk addresses Windows RAM forensics, focusing on how user and application data persists in volatile memory even after it has been deleted from other storage locations. The research explains that all data processed by the CPU must pass through RAM, so extensive activity traces (files accessed, URLs visited, decrypted data, process execution) can be recovered from memory dumps.
Key technical concepts covered include Windows virtual memory management, in which a process's data is scattered across physical RAM frames and mapped through page tables. Paging to pagefile.sys or the swap file scatters it further, complicating recovery from a full system memory dump. The speaker demonstrates that dumping an individual process's memory (with Volatility plugins such as memdump or procdump) reassembles its virtual address space linearly, yielding much more complete data, such as fully recovered JPEG images, than the fragmented results from a full RAM dump.
Practical techniques highlighted include keyword searching for artifacts such as file:// paths and ROT13-obfuscated executable references (as found in UserAssist registry data). Alternate memory sources such as hiberfil.sys and crash dumps can be converted to raw format for analysis. Tools mentioned include DumpIt for acquisition and Volatility for analysis, both freely available.
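As an added example (not code from the talk or from Volatility), the keyword search described above, run over a constructed byte string that stands in for a raw memory image: it carves file:// URIs and decodes ROT13-obfuscated executable references in both ASCII and UTF-16LE, the two encodings UserAssist-style strings turn up in. The sample dump, paths and offsets are constructed, not taken from a real system.

```python
import codecs
import re


def rot13(s: str) -> str:
    """ROT13 is its own inverse, so this both obfuscates and decodes."""
    return codecs.encode(s, "rot13")


# Constructed stand-in for a raw memory image: non-printable filler bytes
# separate a file:// URI, an ASCII ROT13 path and a UTF-16LE ROT13 path.
SAMPLE_DUMP = (
    b"\x00\x00\x13\x37"
    + b"file:///C:/Users/alice/Documents/report.docx" + b"\x00\x00"
    + b"\xff\xfe"
    + rot13("C:\\Windows\\System32\\notepad.exe").encode("ascii") + b"\x00"
    + b"\x00\xfe"
    + rot13("UEME_RUNPATH:C:\\Tools\\DumpIt.exe").encode("utf-16le") + b"\x00\x00"
    + b"\x90" * 8
)

FILE_URI_RE = re.compile(rb"file:///[\x20-\x7e]+")
# ".exe" under ROT13 becomes ".rkr"; grab the printable run that ends in it.
ROT13_EXE_ASCII_RE = re.compile(rb"[\x20-\x7e]{4,}?\.rkr")
# Same pattern for UTF-16LE text, where every ASCII char is followed by 0x00.
ROT13_EXE_UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){4,}?\.\x00r\x00k\x00r\x00")


def carve_artifacts(dump: bytes) -> dict:
    """Return file:// URIs and decoded ROT13 executable references
    as (offset, encoding, decoded_path) tuples sorted by offset."""
    file_uris = [m.group().decode("ascii", "replace")
                 for m in FILE_URI_RE.finditer(dump)]
    hits = []
    for m in ROT13_EXE_ASCII_RE.finditer(dump):
        hits.append((m.start(), "ascii", rot13(m.group().decode("ascii"))))
    for m in ROT13_EXE_UTF16_RE.finditer(dump):
        hits.append((m.start(), "utf-16le", rot13(m.group().decode("utf-16le"))))
    hits.sort()
    return {"file_uris": file_uris, "rot13_exe": hits}


if __name__ == "__main__":
    for kind, values in carve_artifacts(SAMPLE_DUMP).items():
        print(kind, values)
```

Against a real image, replace SAMPLE_DUMP with the bytes of a raw dump (or a per-process dump, which the talk notes is far less fragmented); the offsets returned are the positions to inspect further.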
The implications are significant for both forensic examiners and offensive security practitioners. Memory analysis can reveal user activity, malware behavior, and network connections even when disk artifacts are absent or cleaned. Understanding process memory reconstruction is critical for recovering fragmented data and building a comprehensive timeline of system activity.